
CISQUEROS.BLOGSPOT.COM

presents

Hitchhikers Guide to the CCIE
v0.3


Hitchhikers Guide to the CCIE v0.3 [cisqueros.blogspot.com]


About

This is nothing more than a script of simple guidelines I made during my CCIE preparations, 2012-2014. Keep in mind
that I created this script throughout the entire preparation period, so some topics might seem basic, as my level was
CCNP, while others require the reader to be at almost-CCIE level.
If you find my notes useful, I'm more than glad I could help. You can use it, share it, whatever, as long as you don't
try to sell it or publish it as your own.
Table of Contents

About ............................................................................................................................................................................. 3
LAN Switching ................................................................................................................................................................. 10
LAN Switching Tips and Tricks ..................................................................................................................................... 11
VLAN Filters for NON-IP Traffic ................................................................................................................................... 11
MEMORY OPTIMIZATION - SDM (Switch Database Management) ............................................................................ 12
INTERFACE Statuses .................................................................................................................................................... 13
CAM TABLE .................................................................................................................................................................. 13
VTP - VLAN Trunking Protocol ..................................................................................................................................... 13
VMPS - VLAN Membership Policy Server .................................................................................................................... 14
TRUNKS and DTP (Dynamic Trunking Protocol) .......................................................................................................... 14
PRIVATE VLANS ........................................................................................................................................................... 15
Dot1q Tunneling: 802.1q, QinQ Tunneling ................................................................................................................. 16
SPANNING TREE PROTOCOL (STP) .............................................................................................................................. 16
MULTIPLE SPANNING TREE (MSTP) ............................................................................................................................ 18
PORTFAST .................................................................................................................................................................... 18
BPDU GUARD .............................................................................................................................................................. 18
UDLD - Unidirectional Link Detection ......................................................................................................................... 19
SOURCE GUARD and DHCP SNOOPING ....................................................................................................................... 20
ETHERCHANNEL .......................................................................................................................................................... 20
DAI (Dynamic ARP Inspection) .................................................................................................................................... 22
SNMP - UDP 161,162 .................................................................................................................................................. 23
MONITORING .............................................................................................................................................................. 24
LOGGING ..................................................................................................................................................................... 24
STORM CONTROL ........................................................................................................................................................ 25
HTTP Server (HTTP access) on a Switch ...................................................................................................................... 25
Router on a STICK and IP BRIDGING ........................................................................................................................... 25
IP Services ....................................................................................................................................................................... 26
IP Services Tips and Tricks ........................................................................................................................................... 27
HSRP - Hot Standby Router Protocol ......................................................................................................... 27
VRRP - Virtual Router Redundancy Protocol ............................................................................................. 28
GLBP - Gateway Load Balancing Protocol ....................................................................................................... 29
IRDP - ICMP Router Discovery Protocol ...................................................................................................................... 30
DRP - Director Response Protocol .................................................................................................... 31
WAAS and WCCP Protocol .......................................................................................................................................... 31
NTP - Network Time Protocol ..................................................................................................................................... 32
IP SLA - Monitor the Network Performance ............................................................................................................... 33
STATIC NAT .................................................................................................................................................................. 34
DYNAMIC NAT ............................................................................................................................................................. 35
Load Balancing using NAT ........................................................................................................................................... 35
PAT (NAT Overload) .................................................................................................................................................... 36
PAR - When you need to implement traffic redirections using NAT .......................................................................... 36
Static NAT redundancy with HSRP .............................................................................................................................. 37
Scalability for Stateful NAT (SNAT) ............................................................................................................................. 37
NAT Translations with the Outside Source ................................................................................................................. 38
NAT on a Stick ............................................................................................................................................................. 38
DHCP Server ................................................................................................................................................................ 39
CNS (Cisco Networking Services) ................................................................................................................................ 39
GRE Tunnels ................................................................................................................................................................ 40
Various IOS Tricks ........................................................................................................................................................ 40
IP Routing ........................................................................................................................................................................ 42
IPv4 Routing TIPS ........................................................................................................................................................ 43
PBR - Policy Based Routing ......................................................................................................................................... 43
EOT - Enhanced Object Tracking ................................................................................................ 43
ODR - ON-DEMAND ROUTING .................................................................................................................................... 44
RIP ............................................................................................................................................................................... 44
RIP: Authentication ..................................................................................................................................................... 44
RIP: Timers .................................................................................................................................................................. 45
RIP: Updates Control ................................................................................................................................................... 46
RIP: OFFSET LISTS ........................................................................................................................................................ 46
RIP: Update Source Control ........................................................................................................................................ 46
RIP: Route Summarizing .............................................................................................................................................. 47
RIP: Route Filtering using Prefix Lists .......................................................................................................................... 47
OSPF ............................................................................................................................................................................ 48
OSPF over Frame-Relay, focus on Network Types ...................................................................................................... 48
OSPF: Configuration on INTERFACE LEVEL .................................................................................................................. 49
OSPF: Timers ............................................................................................................................................................... 49
OSPF: Authentication .................................................................................................................................................. 50
OSPF: Route Redistribution ......................................................................................................................................... 50
OSPF Route Summarization ........................................................................................................................................ 51
OSPF Virtual Link ......................................................................................................................................................... 51
OSPF Cost .................................................................................................................................................................... 52
Redirecting Traffic (FORCING A PATH) ........................................................................................................................ 52
OSPF and the GRE Tunnels .......................................................................................................................................... 53
OSPF LSA Types and AREA TYPES ................................................................................................................................ 53
OSPF STUBS ................................................................................................................................................................. 55
OSPF Route Filtering ................................................................................................................................................... 56
OSPF Non-Broadcast Networks ................................................................................................................................... 57
OSPF NBMA (Non-Broadcast Multi-Access) Networks ........................................................................................... 58
OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ......................................................... 58
DNS Lookup in OSPF .................................................................................................................................................... 59
ISPF .............................................................................................................................................................................. 59
Forward Address Suppression .................................................................................................................................... 59
OSPF Sham Link ........................................................................................................................................................... 60
OSPF in MPLS .............................................................................................................................................................. 61
EIGRP ........................................................................................................................................................................... 62
EIGRP "show neighbors" command ............................................................................................................................ 62
EIGRP Metric - K Values .............................................................................................................................................. 63
EIGRP Route Summarization and Leak Maps .............................................................................................................. 64
EIGRP Default Gateway ............................................................................................................................................... 64
VARIANCE Command .................................................................................................................................................. 65
EIGRP Authentication .................................................................................................................................................. 65
EIGRP: Maximum Hops ............................................................................................................................................... 65
EIGRP Administrative Distance ................................................................................................................................... 66
EIGRP Updates BW Percent ........................................................................................................................................ 66
EIGRP Redistribute Routes into EIGRP ........................................................................................................................ 66
EIGRP offset-list [metric adjustments] ........................................................................................................................ 66
EIGRP Stub................................................................................................................................................................... 66
MP-EIGRP .................................................................................................................................................................... 67
EIGRP Route Filtering .................................................................................................................................................. 67
BGP TIPs and Best Practices ........................................................................................................................................ 68
BGP Version................................................................................................................................................................. 70
BGP Peer-Group .......................................................................................................................................................... 70
BGP Peer-Session and Peer-Policy Templates ............................................................................................................ 71
BGP Authentication ..................................................................................................................................................... 71
BGP Route Reflectors .................................................................................................................................................. 72
BGP BACKDOOR Route ................................................................................................................................................ 73
BGP CONDITIONAL Advertisements - Advertise Maps ............................................................................................... 73
BGP Route Dampening ................................................................................................................................................ 74
BGP Route Summarization .......................................................................................................................................... 75
BGP INJECT and EXIST map ......................................................................................................................................... 75
BGP Community Attribute .......................................................................................................................................... 75
BGP & Load Balancing ................................................................................................................................................. 76
1. AS-Path (The fewer ASes in the path - the Better) ....................................................................................... 77
2. Weight (the Higher - the Better) ............................................................................................................................. 78
3. MED (Multi Exit Discriminator) ............................................................................................................................... 79
4. LOCAL PREFERENCE................................................................................................................................................. 79
BGP Filters: Distribution and Prefix lists ..................................................................................................................... 80
BGP: Regular Expressions ............................................................................................................................................ 80
BGP Confederations .................................................................................................................................................... 81
MP-BGP (Multi-Protocol BGP)..................................................................................................................................... 82
Route Redistribution TIPs ....................................................................................................................................... 83
QoS .................................................................................................................................................................................. 84
QoS TIPS ...................................................................................................................................................................... 85
QoS on Access Ports .................................................................................................................................................... 85
DSCP and COS MAPPING ............................................................................................................................................. 87
Map COS to DSCP on a device ..................................................................................................................................... 87
QoS POLICING - INDIVIDUAL and AGGREGATE POLICER ............................................................................................ 88
PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ........................................................................ 88
WFQ - By default works with IP PRECEDENCE ............................................................................................ 89
RSVP - Resource Reservation Protocol ....................................................................................................................... 89
IPv6 QoS ...................................................................................................................................................................... 90
Match MAC ADDRESS ................................................................................................................................................. 90
QoS Frame-Relay SHAPING ......................................................................................................................................... 90
QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ................................................................................... 92
QoS Frame-Relay PAYLOAD and HEADER COMPRESSION .......................................................................................... 93
QoS CBWFQ - configured using MQC .......................................................................................................................... 93
QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ......................................................... 93
Define the QoS Schedule (TIME-RANGE command) ................................................................................................... 94
QoS CAR (Committed Access Rate) - "rate-limit" Interface Command ...................................................................... 94
NBAR (match protocol XXX) - if you need to match the port without the ACL .......................................................... 94
DUAL RATE - DUAL BUCKET......................................................................................................................................... 95
WRED - Weighted Random Early Detection and CB-WRED ........................................................................................ 95
WAN ................................................................................................................................................................................ 96
Frame-Relay TIPS ........................................................................................................................................................ 97
FRAME RELAY QoS ...................................................................................................................................................... 97
PHYSICAL INTERFACE CONFIGURATION: .................................................................................................................... 98
POINT-TO-POINT SUB-INTERFACE: ............................................................................................................................. 98
POINT-TO-MULTIPOINT SUB-INTERFACE: ................................................................................................................... 99
VIRTUAL TEMPLATE .................................................................................................................................................... 99
FRAME RELAY AUTHENTICATION .............................................................................................................................. 100
FRAME RELAY End-to-End KEEPALIVE ....................................................................................................................... 101
FRAME-RELAY MULTILINKING ................................................................................................................................... 102
FRAME-RELAY AUTO-INSTALL ................................................................................................................................... 103
IP Multicast ................................................................................................................................................................... 104
Multicast TIPS ............................................................................................................................................................ 105
Multicast - IGMP ....................................................................................................................................................... 106
Configure PIM Multicast ........................................................................................................................................... 107
PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ....................................................................... 109
STATIC RENDEZVOUS POINT (RP) Configuration ...................................................................................... 110
DESIGNATED ROUTER (DR) Configuration ................................................................................................................ 110
IP MULTICAST: AUTOMATIC RENDEZVOUS POINT (Auto-RP) Configuration ............................................................ 111
IP MULTICAST: BSR (Bootstrap Router) Configuration ............................................................................................. 112
IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ........................................................... 113
Multiprotocol BGP (MP-BGP) & IP Multicast ............................................................................................................ 113
IP MULTICAST: Configuring SSM (Source Specific Multicast) ................................................................................... 114
IP MULTICAST: Bidirectional PIM (Bidir-PIM) ........................................................................................................... 115
IP MULTICAST: Helper Map ....................................................................................................................................... 116
MULTICAST Helper Map & Helper-address .............................................................................................................. 117
Security ......................................................................................................................................................................... 118
Security TIPS .............................................................................................................................................................. 119
Layer 2 Security ......................................................................................................................................................... 120
Access Restrictions and Privilege Levels ................................................................................................................... 121
RBAC (Role Based Access Control) ............................................................................................................................ 121
Router Security - Best Practices ................................................................................................................................ 121
KNOWN ATTACKS and how to prevent ..................................................................................................................... 122
BANNER and MENU Configuration ........................................................................................................................... 123
Configure SSH Access ................................................................................................................................................ 123
ADVANCED Access Lists (ACL) Configuration ............................................................................................................ 124
DYNAMIC ACL (aka Lock and key ACL) ...................................................................................................................... 125
REFLEXIVE ACL - For Session Filtering ....................................................................................................................... 126
TCP INTERCEPT - To prevent TCP SYN DoS attacks ................................................................................................... 126
CBAC - Context Based Access Control Firewall ......................................................................................................... 127
PAM - Port to Application Mapping .......................................................................................................................... 128
uRPF - Unicast Reverse Path Forwarding .................................................................................................................. 128
Zone Based Firewall .................................................................................................................................................. 129
CONTROL Plane Protection (CPPr).................................................................................................... 130
IOS IPS (Intrusion Prevention System) ...................................................................................................................... 131
AAA Authentication .................................................................................................................................................. 132
MPLS.............................................................................................................................................................................. 134
MPLS Configuration .................................................................................................................................................. 135
MPLS LFIB and Labels (Label Spacing) ....................................................................................................................... 136
MPLS Session Protection ........................................................................................................................................... 137
MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ................................................................................... 138
L2VPN - AToM (Any Transport over MPLS) ............................................................................................................... 139
IPv6 ................................................................................................................................................................................ 140
IPv6 TIPS .................................................................................................................................................................... 141
IPv6 Basics ................................................................................................................................................................. 141
Convert MAC to Link Local IPv6 Address .................................................................................................................. 143
IPv6 Routing .............................................................................................................................................................. 144
RIPng ......................................................................................................................................................................... 145
OSPFv3 ...................................................................................................................................................................... 145
EIGRP IPv6 ................................................................................................................................................................. 146
MP-BGP, using a BGP-4 protocol extensions for IPv6 ............................................................................................... 147
IPv6 Tunnels .............................................................................................................................................................. 147
IPv6 Multicast Routing .............................................................................................................................................. 149




LAN Switching

____________________________________________________________________________________________________________________
LAN Switching Tips and Tricks
____________________________________________________________________________________________________________________
Remove a FOLDER from the flash: #delete /force /recursive flash:c3750-ipbase-mz.122-35.SE5
TIP: When a Cisco IP phone is attached to an access port, configure "switchport voice vlan X" on that access port.
TIP: The maximum-aging time is the number of seconds a Switch waits without receiving spanning-tree configuration messages before
attempting a reconfiguration.
(config)#spanning-tree vlan 1 max-age 30

____________________________________________________________________________________________________________________
VLAN Filters for NON-IP Traffic
____________________________________________________________________________________________________________________
These are not used in production environments very often, but for the CCIE exam they are useful to know. In the Cisco docs they are found
under "Network Security with ACLs" in the Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swacl.html
STEP 1: Instead of an IP ACL, we create a MAC ACL and apply it later. A MAC ACL only CLASSIFIES frames: whether a matched frame is dropped or
forwarded is decided by the VLAN map (or "mac access-group") that references it, so "permit" here means "this frame matches". The example
selects frames from one source MAC plus, after the "?", any of the NON-IP EtherTypes we can filter on:
(config)# mac access-list extended DENY_BPDU
(config-ext-macl)# permit host 000.0c00.0111 any
(config-ext-macl)# permit any any ?
<0-65535> An arbitrary EtherType in decimal, hex, or octal
aarp EtherType: AppleTalk ARP
amber EtherType: DEC-Amber
appletalk EtherType: AppleTalk/EtherTalk
cos CoS value
dec-spanning EtherType: DEC-Spanning-Tree
decnet-iv EtherType: DECnet Phase IV
diagnostic EtherType: DEC-Diagnostic
dsm EtherType: DEC-DSM
etype-6000 EtherType: 0x6000
etype-8042 EtherType: 0x8042
lat EtherType: DEC-LAT
lavc-sca EtherType: DEC-LAVC-SCA
lsap LSAP value
mop-console EtherType: DEC-MOP Remote Console
mop-dump EtherType: DEC-MOP Dump
msdos EtherType: DEC-MSDOS
mumps EtherType: DEC-MUMPS
netbios EtherType: DEC-NETBIOS
vines-echo EtherType: VINES Echo
vines-ip EtherType: VINES IP
xns-idp EtherType: XNS IDP

STEP 2: After the MAC ACL is created, apply it to Layer 2 traffic. This can be done in one of 2 ways:
1. Directly on an interface, using the "mac access-group MACL in" command
2. Using VLAN Maps (VACLs)
VLAN Maps are the only way to filter traffic bridged WITHIN a VLAN. Each sequence has an action (DROP or FORWARD) and a match clause:
(config)#vlan access-map VLANACM 10 <-10 IS THE SEQ NUMBER
(config-access-map)#action drop
(config-access-map)#match mac address DENY_BPDU <-MATCH THE DEFINED MAC ACL

IMPORTANT: within one sequence the order of "action" and "match" is irrelevant (saying DROP first and then matching what to drop is fine), but
the SEQUENCE NUMBERS are evaluated in order and there is an IMPLICIT DROP at the end of every VLAN map. Without the forward entry below,
everything else in the VLAN is silently dropped:
(config)#vlan access-map VLANACM 20
(config-access-map)#action forward <-TO PERMIT ALL OTHER TRAFFIC (no match clause = matches everything)

STEP 3: At the end you need to APPLY the VLAN Access-Map to the VLAN (MEMORIZE THIS STUFF):
(config)#vlan filter VLANACM vlan-list 1-4094 <-Here it's applied to ALL the VLANs
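To make the evaluation order concrete, here is a small Python model of how a VLAN access-map processes a frame. It is an added example written for these notes, not Cisco code and not from the original guide; the frames, MAC addresses and the AppleTalk EtherType policy in it are constructed. It models only the ordering rules (first match across sequence numbers, a "deny" ACE in the match ACL meaning "this entry does not apply", the implicit drop at the end), not any platform TCAM behaviour.

```python
"""Toy model of Catalyst VLAN access-map (VACL) evaluation with MAC ACLs.

Added example for these notes; not Cisco code. Frames and addresses are constructed.
Modelled rules: map entries are evaluated in sequence-number order; an entry applies
when its match ACL has a matching PERMIT ACE (a matching DENY ACE means "not this
entry", not "drop"); an entry with no match clause applies to everything; a frame
that matches no entry hits the implicit drop at the end of the map.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MacAce:
    permit: bool
    src: str                         # "any" or a MAC written like 0100.0ccc.cccd
    dst: str
    ethertype: Optional[int] = None  # None = any EtherType


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int


@dataclass(frozen=True)
class MapEntry:
    seq: int
    action: str                               # "drop" or "forward"
    match_acl: Optional[List[MacAce]] = None  # None = no match clause = matches all


def _mac_eq(pattern: str, mac: str) -> bool:
    return pattern == "any" or pattern.lower() == mac.lower()


def ace_matches(ace: MacAce, frame: Frame) -> bool:
    return (_mac_eq(ace.src, frame.src) and _mac_eq(ace.dst, frame.dst)
            and (ace.ethertype is None or ace.ethertype == frame.ethertype))


def acl_selects(acl: List[MacAce], frame: Frame) -> bool:
    """First matching ACE decides: permit -> entry applies, deny -> it does not.
    No matching ACE at all also means the entry does not apply."""
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.permit
    return False


def evaluate(vlan_map: List[MapEntry], frame: Frame) -> str:
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match_acl is None or acl_selects(entry.match_acl, frame):
            return entry.action
    return "drop"  # implicit deny at the end of every VLAN access-map


# Constructed policy: drop AppleTalk (EtherType 0x809B) from everyone except one
# management host, forward everything else. The host MAC is made up.
MGMT_HOST = "0000.0c12.3456"
DENY_APPLETALK = [
    MacAce(permit=False, src=MGMT_HOST, dst="any", ethertype=0x809B),  # exempt: deny = skip this entry
    MacAce(permit=True, src="any", dst="any", ethertype=0x809B),
]


def build_map(with_catchall: bool) -> List[MapEntry]:
    """with_catchall=False reproduces the classic mistake of forgetting 'action forward'."""
    entries = [MapEntry(10, "drop", DENY_APPLETALK)]
    if with_catchall:
        entries.append(MapEntry(20, "forward"))
    return entries


if __name__ == "__main__":
    appletalk = Frame("0000.0c00.aaaa", "ffff.ffff.ffff", 0x809B)
    arp = Frame("0000.0c00.aaaa", "ffff.ffff.ffff", 0x0806)
    for name, m in (("with catch-all", build_map(True)), ("without", build_map(False))):
        print(name, "appletalk:", evaluate(m, appletalk), "arp:", evaluate(m, arp))
```

Run it and compare the two maps: the one without sequence 20 drops ARP, and even drops the "exempted" management host, because a deny ACE only skips the entry and the frame then falls into the implicit drop.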
____________________________________________________________________________________________________________________
MEMORY OPTIMIZATION - SDM (Switch Database Management)
____________________________________________________________________________________________________________________
Cisco Docs: 3560->Consolidated Platform Configuration Guides->SystemManagement->SDM Templates
Depending on the Switch purpose (L2 Switching that uses CEF or IP Routing or IPv6), Memory allocations can be optimized using the SDM
(Switch Database Management), and there are 4 templates:
- ACCESS - For QoS and Security
- ROUTING - for IP Routing
- VLAN - Sets Switch to L2 and disables IP Routing
- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)
(config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]
(config)#sdm prefer ?
access Access bias
default Default bias
dual-ipv4-and-ipv6 Support both IPv4 and IPv6 <-USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6
ipe IPe bias
routing Unicast bias <-SWITCH TO YOU USE AS A ROUTER, ONLY IPv4
vlan VLAN bias <-ONLY L2 SWITCH

Check the achieved results:
#show sdm prefer
The current template is "desktop default" template. <--- THE NEW TEMPLATE IS NOT ACTIVE UNTIL THE SWITCH HAS BEEN REBOOTED
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K

#show sdm prefer
The current template is "desktop routing" template. <--- AFTER THE REBOOT SWITCH CHANGES THE SDM MODE
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K <--- MEMORY ALLOCATION HAS BEEN CHANGED
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
It can happen that you need IPv6 on a switch and the command "ipv6 unicast-routing" is rejected. The switch does support it; you only need to
change the TCAM allocation first (apply a dual-ipv4-and-ipv6 SDM template). The problem is that the new template takes effect only after you
SAVE and RELOAD, so do it before the LAB if you know you'll be using both IPv4 and IPv6. Check the current template first with "show sdm prefer"
and only reconfigure if needed:
(config)#sdm prefer dual-ipv4-and-ipv6 routing

____________________________________________________________________________________________________________________
INTERFACE Statuses
____________________________________________________________________________________________________________________
INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING:
GigabitEthernet3/0/1 unassigned YES unset down down

INTERFACE "shutdown":
GigabitEthernet3/0/17 unassigned YES unset administratively down down

INTERFACE "no shut" and CONNECTED:
GigabitEthernet3/0/19 unassigned YES unset up up
____________________________________________________________________________________________________________________
CAM TABLE
____________________________________________________________________________________________________________________
You can set the MAC Aging Time, and on older Catalyst IOS images also pin a secure MAC address to a port:
(config)#mac address-table aging-time 600 <--- if not active for 10 minutes REMOVE from the CAM table
(config)#mac-address-table secure 48BIT_MAC_ADDRESS Gi3/0/15 <--- older syntax; on current Catalyst IOS the equivalent is "switchport port-security mac-address" on the interface
____________________________________________________________________________________________________________________
VTP - VLAN Trunking Protocol
____________________________________________________________________________________________________________________
Most VTP commands can be configured in PRIVILEGED, CONFIGURE or VLAN DATABASE mode. Have in mind that there is no way to simply unconfigure the
VTP DOMAIN NAME (by default it's NULL): you have to delete flash:vlan.dat, erase the startup-config and reload the switch.
You can configure which interface's IP address is used as the VTP updater ID in the VTP messages:
(config)#vtp interface Loopback1 [only] <- "only" means no other interface address may ever be used as the updater ID

To restrict FLOOD TRAFFIC on TRUNK Interfaces to the VLANs the neighbour actually needs, use VTP PRUNING.
4 types of VTP Advertisements are exchanged between the switches:
1. Summary Advertisements - every 300 seconds (5 minutes) and every time the VTP database changes
2. Subset Advertisements - sent right after a SUMMARY when something changed, includes exactly what changed
3. Advertisement Requests from clients - client requests info to update the VTP database, server responds
4. VTP Join messages - when PRUNING is enabled, they tell the neighbour WHICH VLANs they want (if a VLAN is not announced in this message,
it is pruned from the trunk)
You can adjust the VLANs that are pruning-ELIGIBLE on an interface, so for example to make ALL VLANs BUT VLAN 8 eligible for pruning:
(config-if)#switchport trunk pruning vlan 2-7,9-1001
OR
(config-if)#switchport trunk pruning vlan remove 8

Check the PRUNING STATUS:
#show interfaces pruning
Port Vlan traffic requested of neighbor <-!!!THE VLANs STILL CARRIED ON EACH TRUNK (NOT PRUNED) ARE DISPLAYED HERE!!!
Fa1/0/13 1,6-8,12,36,43,45,77,255,258
Fa1/0/14 1,6-7,12,36,43,45,77,88,255,258
Fa1/0/15 1,6-7,12,36,43,45,77,88,255,258
Fa1/0/19 1,7,12,36,45,77,88,255,258
Fa1/0/20 1,6-7,12,36,43,45,77,88,255,258
Fa1/0/21 1,6-7,12,36,43,45,77,88,255,258

ENABLE PRUNING (can be done ONLY ON VTP SERVER Switch):
#vtp pruning <--- PROPAGATED TO ALL SWITCHES WITHIN THE VTP DOMAIN
Pruning switched on

*VLAN 1 CANNOT BE PRUNED!!!
**VLANs that are used locally also CANNOT BE PRUNED. VLANs that are ELIGIBLE for Pruning are 2-1001 only

____________________________________________________________________________________________________________________
VMPS - VLAN Membership Policy Server
____________________________________________________________________________________________________________________
VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the
device connected to the port. VMPS listens on a UDP port for VQP (VLAN Query Protocol) requests from clients, so it is not necessary for
VMPS clients to know whether the VMPS resides on a local or remote device on the network. Upon receiving a valid request from a VMPS client, the
VMPS server searches its database for a MAC-address to VLAN mapping.
When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port. The VLAN is not statically
assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.
SECURE MODE: If the MAC is not found in the VMPS database - shut down the port
Keep in mind that VQP is unauthenticated and a MAC address is trivially spoofed, so this is an administrative convenience, not access control.
Configuration on Catalyst IOS switches is CLIENT side only (the VMPS database itself lives on the server, loaded from a text file). On each
client switch, point to the server:
(config)#vmps server [ipaddress | hostname] primary

And on the ports that should get their VLAN dynamically:
(config-if)#switchport access vlan dynamic

Define how many times the client retries a query to the server (e.g. 5 times), and how often it reconfirms its dynamic VLAN assignments with
the server (here every 30 minutes, default 60):
(config)#vmps retry 5
(config)#vmps reconfirm 30 <--- RECONFIRM INTERVAL IN MINUTES
____________________________________________________________________________________________________________________
TRUNKS and DTP (Dynamic Trunking Protocol)
____________________________________________________________________________________________________________________
Dynamic Trunking Protocol PRE-REQUISITE: BOTH sides MUST be in the SAME VTP DOMAIN (or both have the NULL domain), because DTP frames carry the
domain name and negotiation fails on a mismatch. Speed and duplex must of course match for the link to come up at all.
*You don't need to set the ENCAPSULATION on BOTH sides if you are using DTP (it is negotiated too; ISL is preferred when both sides support it)
PERMANENT TRUNK MODE: the port is a TRUNK unconditionally, but it STILL SENDS DTP frames to convert the neighbour. The interface becomes a
TRUNK even if the other side does not agree:
(config-if)#switchport mode trunk

Dynamic Desirable - Actively attempts to convert to TRUNK, but it's NOT in PERMANENT TRUNK mode:
(config-if)#switchport mode dynamic desirable

Dynamic Auto - Negotiates a TRUNK ONLY if a Negotiation Packet is received from a Neighbour (auto + auto never trunks)
(config-if)#switchport mode dynamic auto

Nonegotiate - Turns DTP OFF: the interface stops generating DTP frames. You can use this command only when the switchport mode is already
access or trunk, so "switchport mode trunk" + "switchport nonegotiate" is the way to get a static trunk without DTP, and "switchport mode
access" on user ports is the way to stop a connected host from negotiating a trunk (VLAN hopping):
(config-if)#switchport nonegotiate
____________________________________________________________________________________________________________________
PRIVATE VLANS
____________________________________________________________________________________________________________________
*REQUIRES VTP MODE TRANSPARENT (with VTP version 1 or 2; VTPv3 can carry private VLANs). This is a GLOBAL command and it disables VTP!!!
(config)#vtp mode transparent

This topic belongs to L2 SECURITY rather than L2 SWITCHING.
A Primary VLAN can have MANY COMMUNITY VLANs but ONLY ONE ISOLATED VLAN!!!
1. Promiscuous - belongs to the PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40 <-DONT FORGET TO ASSOCIATE EVEN THE ISOLATED VLAN

Then configure the interface:
(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 20,30,40 <-Map the Promiscuous port in Primary VLAN 10 to the Community and
Isolated VLANs (a secondary VLAN that is associated but NOT mapped here cannot reach this port)

2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 30
(config-vlan)#private-vlan community
(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 30 <-Put the port in Community VLAN 30 under Primary VLAN 10
(the same command with "10 20" puts a port in Community VLAN 20)

DONT FORGET TO ASSOCIATE Secondary VLANs to the Primary, so that they can all communicate with Promiscuous:
(config-vlan)#private-vlan association add 20,30,40

#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
10 20 community Et0/2
10 30 community Et0/0
10 40 isolated Et0/0

A GREAT example of PRIVATE VLANs is 2 HOSTS on a SWITCH that should NOT communicate with each other, and 1 router that should
communicate with BOTH HOSTS. Put the HOSTS in an ISOLATED VLAN, make the ROUTER port PROMISCUOUS in the PRIMARY VLAN, and associate and map
the ISOLATED VLAN to it. Remember this is L2 isolation only: if the router is configured with "ip local-proxy-arp" it will happily answer ARP
for both hosts and forward their traffic to each other, so check the router side too.
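The reachability rules above are easy to get wrong in a design review, so here they are as a small Python model. This is an added example for these notes, not Cisco code; the VLAN numbers mirror the configuration above (primary 10, community 20 and 30, isolated 40), while the port names and the host layout are made up. It answers "can port A talk to port B at layer 2?" and also checks the two configuration steps people forget: the secondary VLAN must be associated with the primary AND mapped on the promiscuous port.

```python
"""Private VLAN reachability model.

Added example for these notes, not Cisco code. VLAN numbers follow the
configuration above (primary 10, community 20/30, isolated 40); port names
are constructed. Rules: promiscuous talks to every associated+mapped
secondary VLAN, community ports talk within their own community only,
isolated ports talk only to promiscuous ports (never to each other).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str           # "promiscuous" or "host"
    secondary: int = 0  # host ports: their community/isolated VLAN; promiscuous ports: 0


# private-vlan association add 20,30,40   (under vlan 10)
ASSOCIATED: Dict[int, str] = {20: "community", 30: "community", 40: "isolated"}
# switchport private-vlan mapping 10 add 20,30,40   (on the promiscuous port)
PROMISC_MAPPING: Set[int] = {20, 30, 40}


def can_talk(a: PvlanPort, b: PvlanPort,
             associated: Dict[int, str] = ASSOCIATED,
             mapping: Set[int] = PROMISC_MAPPING) -> bool:
    if a.name == b.name:
        return True
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True  # both simply sit in the primary VLAN
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        host = b if a.mode == "promiscuous" else a
        # the host's secondary VLAN must be associated to the primary AND mapped on the promiscuous port
        return host.secondary in associated and host.secondary in mapping
    # two host ports: only the same COMMUNITY VLAN may talk; isolated never talks to isolated
    if a.secondary != b.secondary:
        return False
    return associated.get(a.secondary) == "community"


def reachability(ports: Iterable[PvlanPort]) -> Dict[str, Set[str]]:
    """For each port, the set of other ports it can reach (handy to eyeball a design)."""
    ports = list(ports)
    return {p.name: {q.name for q in ports if q.name != p.name and can_talk(p, q)} for p in ports}


# Constructed layout: a router, two isolated hosts, two servers in community 20, one in community 30.
ROUTER = PvlanPort("Et0/3", "promiscuous")
HOST_A = PvlanPort("Et0/0", "host", 40)
HOST_B = PvlanPort("Et0/1", "host", 40)
SRV_1 = PvlanPort("Et0/2", "host", 20)
SRV_2 = PvlanPort("Et0/4", "host", 20)
SRV_3 = PvlanPort("Et0/5", "host", 30)

if __name__ == "__main__":
    for port, peers in reachability([ROUTER, HOST_A, HOST_B, SRV_1, SRV_2, SRV_3]).items():
        print(port, "->", sorted(peers))
```

The last assertion in the test below shows the "associated but not mapped" case: drop VLAN 30 from the promiscuous mapping and the community 30 server loses its router, even though the association under the primary VLAN is still there.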

____________________________________________________________________________________________________________________
Dot1q Tunneling: 802.1q, QinQ Tunneling
____________________________________________________________________________________________________________________
When a TUNNEL port receives the customer's traffic, the INGRESS tunnel port adds a second 802.1Q tag (4 bytes: 2-byte EtherType 0x8100 + 2-byte
tag with CoS and VLAN ID) carrying the provider VLAN, and the EGRESS tunnel port STRIPS THESE 4 BYTES again. The customer's own tag is left intact:
(config-if)#switchport access vlan 100 <-THE PROVIDER (OUTER) VLAN
(config-if)#switchport mode dot1q-tunnel <-CHECK THE EXPLANATION BELOW

You can also configure L2 TUNNELING (CDP, STP and VTP can be tunnelled)
(config-if)#l2protocol-tunnel [cdp | stp | vtp]

#show l2protocol-tunnel summary

*Take SPECIAL CARE about the MTU SIZE on the Switches (set it to at least 1504 due to the ADDED 4 BYTES of the outer tag)
(config)#system mtu 1504

When do you need a TUNNEL PORT for QinQ? When the customer (e.g. a ROUTER) is already TAGGING its traffic towards the switch (an 802.1Q TRUNK
on the customer side) and you want to carry all of its VLANs transparently: the customer-facing port becomes a DOT1Q TUNNEL port, optionally
with L2 protocol tunnelling. One trap: if the tunnel VLAN (100 above) happens to be the NATIVE VLAN of a trunk inside the provider network, the
outer tag is stripped there and the customer's inner tags leak into the provider VLANs. So make sure the trunk ports also tag the NATIVE VLAN:
(config-if)#switchport mode dot1q-tunnel
(config)#vlan dot1q tag native <-TAG THE NATIVE VLAN ON ALL 802.1q TRUNKS (global command)

____________________________________________________________________________________________________________________
SPANNING TREE PROTOCOL (STP)
____________________________________________________________________________________________________________________
When setting the root, you can set the priority directly, or use the "root primary" macro, which picks a priority for you:
If CURRENT ROOT PRIORITY > 24576 - sets the priority to 24576 (shown as "priority 24576 sys-id-ext 12" for VLAN 12)
If CURRENT ROOT PRIORITY <= 24576 - sets the priority to 4096 LESS than the current root's priority (fails if the root is already at 0)
The "root secondary" macro always sets the priority to 28672
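The bridge ID arithmetic behind these numbers, as an added Python example for these notes (not Cisco code; the MAC addresses are made up). It builds the 16-bit priority field from priority + VLAN (the extended system ID), elects a root from a list of bridges, and applies the "root primary" rule stated above, which is also how you verify that a 24576 you configured on VLAN 12 shows up as 24588.

```python
"""Bridge ID arithmetic and the 'root primary' / 'root secondary' macros.

Added example for these notes, not Cisco code. MAC addresses are constructed.
Shows how the 16-bit priority field is built (priority + VLAN as the extended
system ID), how a root is elected from it, and what priority the macros pick
following the rule described above.
"""
from typing import List, Tuple

ROOT_SECONDARY_PRIORITY = 28672  # what 'root secondary' always configures


def priority_field(priority: int, vlan: int) -> int:
    """Configured priority (multiple of 4096) + VLAN ID = the 'Priority' value in show spanning-tree."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return priority + vlan


def split_priority_field(field: int) -> Tuple[int, int]:
    """Inverse: 24588 -> (24576, 12), i.e. 'priority 24576 sys-id-ext 12'."""
    return field & 0xF000, field & 0x0FFF


def _mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def elect_root(bridges: List[Tuple[int, str]]) -> Tuple[int, str]:
    """bridges: (priority_field, mac). Lowest priority wins; ties go to the lowest MAC."""
    return min(bridges, key=lambda b: (b[0], _mac_int(b[1])))


def root_primary_priority(current_root_priority: int) -> int:
    """'spanning-tree vlan X root primary': 24576 if that beats the current root,
    otherwise 4096 below the current root's priority; impossible if the root is at 0."""
    if current_root_priority > 24576:
        return 24576
    new = current_root_priority - 4096
    if new < 0:
        raise ValueError("current root already has priority 0; root primary cannot win")
    return new


if __name__ == "__main__":
    vlan = 12
    bridges = [(priority_field(32768, vlan), "ec44.768a.6d80"),
               (priority_field(32768, vlan), "0011.2233.4455")]
    print("root before:", elect_root(bridges))  # lower MAC wins at equal priority
    # 'root primary' on the first switch: current root priority is 32768 (> 24576) -> 24576
    new_prio = root_primary_priority(32768)
    bridges[0] = (priority_field(new_prio, vlan), bridges[0][1])
    print("root after :", elect_root(bridges), split_priority_field(bridges[0][0]))
```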
GREAT COMMAND:
#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base

#show spanning-tree vlan 12
VLAN0012
Spanning tree enabled protocol ieee
Root ID Priority 24588 <-ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
Address ec44.768a.6d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24588 (priority 24576 sys-id-ext 12) <--- ABOUT THIS SWITCH (LOCAL Bridge)
Address ec44.768a.6d80 <-- ON ROOT BridgeID and RootID have the same MAC
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type <-ABOUT INTERFACES IN THIS VLAN
------------------- ---- --- --------- -------- ------
Gi3/0/19 Desg FWD 4 128.127 P2p <--- COST IS 4 BECAUSE THIS IS A GigabitEthernet Port
Gi3/0/20 Desg FWD 4 128.128 P2p (on FastEthernet it would be 19)

Great command to check the ROOT:
#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 32769 aabb.cc00.0600 200 2 20 15 Et2/2
VLAN0100 24676 aabb.cc00.0600 200 2 20 15 Et2/2
VLAN0200 24776 aabb.cc00.0700 100 2 20 15 Et2/2
VLAN0300 24876 aabb.cc00.0800 100 2 20 15 Et3/1
VLAN0400 24976 aabb.cc00.0900 0 2 20 15 <--- COST TO ROOT IS 0, SO I'm the ROOT!!!

BEST PRACTICE:
Change the COST on the interface level to change the PATH
Change the PORT PRIORITY to influence ONLY the NEIGHBORING SWITCH
!!!IMPORTANT: WHEN GOING TOWARDS THE STP ROOT - USE COST
WHEN GOING AWAY FROM THE ROOT - USE PORT-PRIORITY

UPLINKFAST: FAST Convergence in case of DIRECT failure of the ROOT port (Natively included in RSTP)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UPLINKFAST
Globally you SPEED UP the choice of NEW ROOT PORT when a link or switch fails or when the spanning tree reconfigures itself:
(config)#spanning-tree uplinkfast
*Transitions to FWD STATE without going through LISTENING or LEARNING STATE:
*Mar 1 08:46.476: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0044 GigabitEthernet1/0/15 moved to Forwarding
(UplinkFast)

!!!UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices
BACKBONEFAST: Complementary feature to UPLINKFAST, detects indirect failures in the core of the backbone.
When a switch receives an inferior BPDU from the designated port of another switch, the BPDU is a signal that the other switch might have lost
its path to the root, and BackboneFast tries to find an alternate path to the root.
(config)#spanning-tree backbonefast


____________________________________________________________________________________________________________________
MULTIPLE SPANNING TREE (MSTP)
____________________________________________________________________________________________________________________
Supports up to 65 instances (MSTI 0-64) on Catalyst switches; all 4094 VLANs are mapped onto those instances (VLANs not mapped explicitly
fall into instance 0, the IST)
(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration
Name []
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-11,13-33,35-55,57-89,91-4094
1 12,34
2 56,90
-------------------------------------------------------------------------------

Check the ROOT:
#show spanning-tree root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 32768 aabb.cc00.0600 0 2 20 15
MST1 1 aabb.cc00.0600 0 2 20 15 <--- priority 0 + instance ID 1
MST2 4098 aabb.cc00.0600 0 2 20 15 <--- priority 4096 + instance ID 2 (in MST the instance ID takes the place of the VLAN as sys-id-ext)

____________________________________________________________________________________________________________________
PORTFAST
____________________________________________________________________________________________________________________
Quick transition to FORWARDING, BYPASSING LISTENING & LEARNING
(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to
this interface when portfast is enabled, can cause temporary bridging loops.
PORTFAST also significantly reduces overhead, because a PortFast port going up or down does NOT generate TCN (Topology Change Notification)
BPDUs, so the rest of the domain does not flush its CAM tables every time a PC reboots.
____________________________________________________________________________________________________________________
BPDU GUARD
____________________________________________________________________________________________________________________
This feature makes sure nothing but a workstation can be connected to a port we are configuring with PortFast. It should be configured
on the interfaces where a BPDU should NEVER be received. If a BPDU is received, the port goes into the "ERRDISABLE" state (the port is disabled)
(config-if-range)#spanning-tree bpduguard enable

There are two options to return to the normal state. One is to manually type shut and no shut on the port. The other is to define an
ERRDISABLE RECOVERY:
(config)#errdisable recovery cause bpduguard <-MANY CAUSES CAN BE DEFINED HERE, do show errdisable recovery
(config)#errdisable recovery interval 360 <-SECONDS; one timer for all enabled causes

____________________________________________________________________________________________________________________
UDLD - Unidirectional Link Detection
____________________________________________________________________________________________________________________
UDLD detects a UNIDIRECTIONAL link: one direction of the cable (typically one fibre strand) is dead while the other is still up, so the link
stays "up/up" although frames flow only one way. This happens on Fiber Optic cables quite often. UDLD exchanges L2 echo messages with the
neighbour and checks that its own identity is echoed back. To enable Unidirectional Link Detection on an Interface:
(config-if)#udld port aggressive

THE GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!!
IT'S RECOMMENDED TO USE UDLD TOGETHER WITH LOOPGUARD!!! (For the port to stay BLOCKING when BPDUs are no longer received)
Normally, when a unidirectional link occurs, the side that stops receiving BPDUs assumes the path to the STP ROOT is gone: its ALTERNATE
(blocking) port becomes DESIGNATED, moves to FORWARDING, and an L2 loop is created. Loop guard instead puts that port into the loop-inconsistent
(blocking) state until BPDUs return.
(config-if)#spanning-tree guard loop <-CONFIGURE ON THE NON-DESIGNATED (root / alternate) UPLINK PORTS

On TWISTED PAIR (copper) the global command does nothing, so enable UDLD per interface there; AGGRESSIVE mode err-disables the port when the
neighbour stops answering, instead of just logging it.
To automatically recover from the err-disable state in x seconds (x=120 in this case):
(config)#errdisable recovery cause udld
(config)#errdisable recovery interval 120

To RESET all ports from the ERRSISABLE state:
#udld reset

#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Disabled
channel-misconfig Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
l2ptguard Disabled
link-flap Disabled
mac-limit Disabled
loopback Disabled
pagp-flap Disabled
port-mode-failure Disabled
psecure-violation Disabled
security-violation Disabled
sfp-config-mismatch Disabled
small-frame Disabled
storm-control Disabled
udld Enabled <--- UDLD CAUSE IS ON FOR ERRDISABLE
vmps Disabled

Timer interval: 120 seconds


____________________________________________________________________________________________________________________
SOURCE GUARD and DHCP SNOOPING
____________________________________________________________________________________________________________________
!!!! SOURCE GUARD WILL NOT WORK IF DHCP SNOOPING IS NOT ENABLED (it needs the binding table)!!!
(config)#ip dhcp snooping <--- DONT FORGET TO ENABLE IT GLOBALLY FIRST!!!
(config)#ip dhcp snooping vlan 2

When configuring DHCP Snooping, make sure you set the DHCP TRUST on all UPLINK TRUNKS (towards the DHCP server), or the DHCP server replies
arriving on them will be DROPPED as rogue!!!
(config-if)#ip dhcp snooping trust

!!!DONT FORGET: DHCP SNOOPING inserts the INFORMATION OPTION (option 82) into client requests while leaving GIADDR at 0.0.0.0. A Cisco IOS
relay or DHCP server upstream drops such packets by default. EITHER DISABLE the option insertion on the switch ("no ip dhcp snooping
information option"), OR tell the relay/server to trust option-82 packets that carry a zero giaddr:
(config)#ip dhcp relay information trust-all <--- ON THE RELAY / DHCP SERVER ROUTER

First enable Source Guard directly on the interface. On its own it VERIFIES THE SOURCE IP ONLY against the binding table:
(config-if)#ip verify source
(config-if)#ip verify source port-security <--- TO VERIFY SOURCE MAC AND IP
(config-if)#switchport port-security <--- MUST BE ENABLED for the port-security variant (the MAC check is done by port security)

Then add Dynamic or Static IP-to-MAC bindings. Static:
(config)#ip source binding 0000.2222.2222 vlan 2 10.1.1.2 interface e0/1

#show ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:00:22:22:22:22 10.1.1.2 infinite static 2 Ethernet0/1
00:00:33:33:33:33 10.1.1.3 infinite static 2 Ethernet0/2
00:00:11:11:11:11 10.1.1.1 infinite static 2 Ethernet0/0
Total number of bindings: 3

____________________________________________________________________________________________________________________
ETHERCHANNEL
____________________________________________________________________________________________________________________
PAgP (Port Aggregation Protocol) - Cisco Prop. Modes: DESIRABLE or AUTO (optionally "non-silent")
*AUTO + AUTO never forms a bundle, just like DTP auto + auto never forms a trunk
- Protocol Value: 0x0104
- Same multicast group MAC as CDP (0100.0ccc.cccc)
LACP (Link Aggregation Control Protocol) - 802.3ad (now 802.1AX) - Modes: ACTIVE or PASSIVE (PASSIVE + PASSIVE never bundles)
- Multicast MAC: 01-80-C2-00-00-02
- During Detection transmits packets every second (fast LACPDUs), afterwards every 30 seconds (slow)
TIP: To make SW1 the LACP master (lowest system priority wins) so that it controls which ports get BUNDLED:
(config)#lacp system-priority 1
Check the DEFAULT PARAMETERS:
#show lacp 1 internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode

Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi3/0/19 SA bndl 32768 0x1 0x1 0x7F 0x3D
Gi3/0/20 SA bndl 32768 0x1 0x1 0x80 0x3D

"ON" - Doesnt use LACP or PaGP. BOTH sides MUST BE ON!!!
#do show etherch protocol
Channel-group listing:
----------------------
Group: 13
----------
Protocol: - (Mode ON)

You can configure MAX 16 PORTS, out of which: MAXIMUM 8 ACTIVE PORTS, and the other HOT STANDBY (activate if one of the first 8 fail).
Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured:
(config-if)#lacp port-priority 1 <--- LOWER IS BETTER!!! (default is 32768)


L3 ETHERCHANNEL: Configure the Port-Channel interface statically, and all L3 configuration under it
Summary: 32 Po32(RU) - Gi1/0/23(P) Gi1/0/24(P)

L2 ETHERCHANNEL: LOGICAL INTERFACE CREATED AUTOMATICALLY. Best Practice (CONFIGURATION):
- Default Interface
- Channel Protocol and Group on physical interface (this creates Port Channel)
- Configure TRUNKING ENCAPSULATION under the PORT CHANNEL directly
- SHUT -> NO SHUT on PHYSICAL INTERFACES
Summary: 24 Po24(SU) PAgP Gi1/0/21(P) Gi1/0/22(P)

* "show interface trunk" Will show only Port Channel, but "show interface XX switchport" will show that the INT IS TRUNK
LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode):
(config)#port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr

#show etherchannel load-balance
Ether Channel Load-Balancing Configuration:
dst-mac

Ether Channel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination MAC address
IPv6: Destination MAC address
Spanning Tree treats the Etherchannel Link as a SINGLE LINK, by sending the BPDUs only over one of the physical links
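Which load-balance method you pick decides whether a bundle is actually used. The Python model below is an added example for these notes, not Cisco code: it XORs the address bytes the chosen method uses into 8 buckets and spreads the buckets over the member links, which is a simplification of what the Catalyst ASIC does (the exact bit selection differs). What it reproduces faithfully is the polarisation effect: with "dst-mac", every flow from the LAN towards the default gateway carries the same destination MAC and lands on one link. The hosts, MACs and IPs are constructed.

```python
"""Which EtherChannel member a flow lands on, for the load-balance methods listed above.

Added example for these notes, not Cisco code. Hosts, MACs and IPs are constructed.
The hash is a simplification: the bytes of the selected addresses are XORed into
8 buckets, which are then shared among the member links (evenly for 2/4/8 links,
unevenly otherwise). Real ASICs select bits differently; the polarisation effect
shown here ('dst-mac' with one gateway MAC -> one link) is real.
"""
from collections import Counter
from ipaddress import IPv4Address
from typing import Dict, Iterable, List


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def _ip_bytes(ip: str) -> bytes:
    return IPv4Address(ip).packed


def hash_bucket(method: str, flow: Dict[str, str]) -> int:
    """XOR all bytes of the fields the method uses; keep the low 3 bits -> bucket 0..7."""
    parts = {
        "src-mac":     [_mac_bytes(flow["src_mac"])],
        "dst-mac":     [_mac_bytes(flow["dst_mac"])],
        "src-dst-mac": [_mac_bytes(flow["src_mac"]), _mac_bytes(flow["dst_mac"])],
        "src-ip":      [_ip_bytes(flow["src_ip"])],
        "dst-ip":      [_ip_bytes(flow["dst_ip"])],
        "src-dst-ip":  [_ip_bytes(flow["src_ip"]), _ip_bytes(flow["dst_ip"])],
    }[method]
    h = 0
    for part in parts:
        for byte in part:
            h ^= byte
    return h & 0x7


def member_link(method: str, flow: Dict[str, str], n_links: int) -> int:
    """Bucket -> member index (0-based). A bundle has at most 8 active members."""
    if not 1 <= n_links <= 8:
        raise ValueError("1..8 active links")
    return hash_bucket(method, flow) % n_links


def distribution(method: str, flows: Iterable[Dict[str, str]], n_links: int) -> Counter:
    """How many flows each member carries; a Counter with a single key means polarised traffic."""
    return Counter(member_link(method, f, n_links) for f in flows)


def lan_to_gateway_flows(n_hosts: int = 16) -> List[Dict[str, str]]:
    """Constructed: n hosts in 10.1.1.0/24 all sending to the gateway 10.1.1.254."""
    gw_mac = "0000.0c07.ac01"  # HSRP-style virtual MAC, made up for the example
    return [{"src_mac": f"0000.1111.{i:04x}", "dst_mac": gw_mac,
             "src_ip": f"10.1.1.{i}", "dst_ip": "10.1.1.254"} for i in range(1, n_hosts + 1)]


if __name__ == "__main__":
    flows = lan_to_gateway_flows()
    for method in ("dst-mac", "src-mac", "src-dst-ip"):
        print(f"{method:11s} 2 links:", dict(distribution(method, flows, 2)))
```

Running it shows "dst-mac" putting all 16 flows on one member while "src-mac" and "src-dst-ip" use both; on the switch, "show etherchannel load-balance" tells you which case you are in.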
____________________________________________________________________________________________________________________
DAI (Dynamic ARP Inspection)
____________________________________________________________________________________________________________________
(config)#ip arp inspection vlan 2 <--- Inspect ARP within VLAN 2; validated against the DHCP snooping bindings, so enable DHCP snooping
first, and mark the uplinks to other switches as trusted (see the Trust State column below) or their ARP traffic is dropped

You can create an ARP Access List and map the IP to MAC, and apply it to DAI:
(config)#arp access-list ARP_ACL_20
(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333

And now APPLY:
(config)#ip arp inspection filter ARP_ACL_20 vlan 2

#show ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
2 Enabled Active ARP_ACL_20 No

Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
2 Deny Deny Off

Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
2 0 0 0 0

DAI validates ARP packets on untrusted ports against the DHCP snooping binding table (and the ARP ACL above); ports towards other switches or the DHCP server must be set to trusted with "ip arp inspection trust", otherwise their ARP traffic is dropped as well. The switch CPU performs the validation checks; therefore, the number of incoming ARP packets on untrusted ports is rate-limited to prevent a denial-of-service attack, and a port that exceeds the limit goes into err-disable:
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second) on untrusted ports; trusted ports are not limited


#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi3/0/1 Untrusted 5 1 <--- THE CHANGED ONE
Gi3/0/2 Untrusted 15 1 <--- 15 pps IS THE DEFAULT VALUE

To control how DAI drops are reported (the entries stay in the log buffer; "logs 0" means no syslog message is generated from it):
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED

Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.
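The decisions DAI makes on an untrusted port, as an added example (not IOS code and not from the original notes): the ARP ACL mirrors ARP_ACL_20 above, the binding table stands in for what DHCP snooping would have learned on VLAN 2, the port names, rate limit and frames are constructed, and the order of the checks is simplified. It covers the ACL-then-bindings lookup, the optional src-mac/dst-mac/ip validations and the per-port rate limit that err-disables the port.

```python
"""Model of the checks Dynamic ARP Inspection applies on an untrusted port.
Added example, not IOS code: ARP ACL, bindings, ports and frames are constructed."""
import ipaddress

ARP_ACL = {"20.1.1.2": "0000.1111.1111", "20.1.1.3": "0000.3333.3333"}   # arp access-list ARP_ACL_20
SNOOPING_BINDINGS = {("20.1.1.10", "0000.aaaa.aaaa")}                     # constructed DHCP snooping entries
FILTER_IS_STATIC = False   # "ip arp inspection filter ... static" stops the fallback to the bindings


class Port:
    def __init__(self, name, trusted=False, rate=15, burst=1):
        self.name, self.trusted = name, trusted
        self.rate, self.burst = rate, burst      # ip arp inspection limit rate N [burst interval S]
        self.seen = []                           # arrival times of recent ARP frames
        self.errdisabled = False


def make_arp(sender_ip, sender_mac, op=1, eth_src=None, target_ip="20.1.1.1",
             target_mac="0000.0000.0000", eth_dst="ffff.ffff.ffff"):
    """Build the fields DAI looks at; eth_src defaults to the ARP sender MAC (the honest case)."""
    return {"eth_src": eth_src or sender_mac, "eth_dst": eth_dst, "op": op,
            "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip, "target_mac": target_mac}


def _invalid_ip(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_multicast or ip == "255.255.255.255"


def inspect(port, frame, now, validate=()):
    """Return ("forward"|"drop", reason) for one ARP frame arriving at time `now` (seconds).
    validate is a subset of {"src-mac", "dst-mac", "ip"} (ip arp inspection validate ...)."""
    if port.errdisabled:
        return "drop", "port is err-disabled"
    if port.trusted:
        return "forward", "trusted port, not inspected"
    # rate limit: more than `rate` frames within `burst` seconds err-disables the port
    port.seen = [t for t in port.seen if now - t < port.burst] + [now]
    if len(port.seen) > port.rate:
        port.errdisabled = True
        return "drop", f"{port.rate} pps exceeded, port err-disabled"
    if "src-mac" in validate and frame["eth_src"] != frame["sender_mac"]:
        return "drop", "src-mac check: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and frame["op"] == 2 and frame["eth_dst"] != frame["target_mac"]:
        return "drop", "dst-mac check: Ethernet destination != ARP target MAC"
    if "ip" in validate and (_invalid_ip(frame["sender_ip"])
                             or (frame["op"] == 2 and _invalid_ip(frame["target_ip"]))):
        return "drop", "ip check: invalid address in ARP body"
    # the ARP ACL is consulted first; the bindings only if nothing in the ACL permitted the frame
    if ARP_ACL.get(frame["sender_ip"]) == frame["sender_mac"]:
        return "forward", "permitted by ARP ACL"
    if FILTER_IS_STATIC:
        return "drop", "implicit deny of the static ARP ACL"
    if (frame["sender_ip"], frame["sender_mac"]) in SNOOPING_BINDINGS:
        return "forward", "matches DHCP snooping binding"
    return "drop", "no binding for sender IP/MAC"


if __name__ == "__main__":
    port = Port("Gi3/0/1", rate=5)
    print(inspect(port, make_arp("20.1.1.2", "0000.1111.1111"), 0.0))
    print(inspect(port, make_arp("20.1.1.2", "0000.dead.beef"), 0.1))   # spoofed MAC for a known IP
```

Note that the rate counter runs before the validations, as every incoming ARP frame costs CPU whether it is later dropped or not; a host flooding spoofed replies therefore hits the rate limit long before the bindings are consulted.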


____________________________________________________________________________________________________________________
SNMP - UDP 161 (polling), UDP 162 (traps)
____________________________________________________________________________________________________________________
Two ways to get data out of the device:
1. SNMP polling, where the NMS asks the device for the current value of a MIB object (GET/GETNEXT; an "SNMP walk" is just a series of GETNEXTs over a MIB subtree, with the NMS filtering out what it needs)
2. SNMP traps, which the device sends on its own when an event happens, without being polled
Send the SNMP traps to the NMS Server with a community string (here "Public"; "public" and "private" are the well-known defaults, so never use them in production, and in v1/v2c the string travels in cleartext):
(config)#snmp-server host 192.168.1.1 traps [Public | Private]

If you need to define the VERSION and the COMMUNITY STRING:
(config)#snmp-server host 192.168.1.100 traps version 2c cisco

To define RO and RW COMMUNITY (restrict each one with a standard ACL of allowed NMS addresses, e.g. "snmp-server community TST-RO ro 10"; a RW community is effectively a configuration password):
(config)#snmp-server community TST-RO ro <--- READ ONLY COMMUNITY STRING
(config)#snmp-server community TST-RW rw <--- READ-WRITE COMMUNITY STRING

Specify the TRAPS TYPE:
(config)#snmp-server enable traps [mac-notification | bgp | pim | ...] <-FIRST ENABLE TRAPS OF A TYPE
(config)#snmp-server host 192.168.1.100 traps version 2c cisco [mac-notification | bgp | pim] <-SEND TRAPS

When the traps contain MAC Address Add/Remove notifications, have in mind the QUANTITY, so control it with:
(config)#mac address-table notification change history-size 150 <--- LIMIT THE TABLE CAPACITY TO 150
(config)#mac address-table notification change interval 1800 <--- SEND TRAP EVERY 30 MINUTES (1800 seconds)

DO NOT FORGET to ENABLE the CAM notifications in Global Configure mode:
(config)#mac address-table notification change

And to make sure:
#show mac address-table notification change interface Gi3/0/1
MAC Notification Feature is Enabled on the switch
Interface MAC Added Trap MAC Removed Trap
--------- -------------- ----------------
GigabitEthernet3/0/1 Enabled Enabled

#show mac address-table notification change
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1800 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 150
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents
----------------------

And apply to the interface to GENERATE A TRAP when something happens:
(config-if)#snmp trap mac-notification change added

If you need to configure some deeper changes, or set timers, they are done within each particular COMMAND/TRAP, so;
(config)#mac address-table notification [more options like INTERVAL...]

____________________________________________________________________________________________________________________
MONITORING
____________________________________________________________________________________________________________________
RSPAN - Dont forget to CREATE the VLAN specially for the RSPAN
(config)#vlan 22
(config-vlan)#remote-span

____________________________________________________________________________________________________________________
LOGGING
____________________________________________________________________________________________________________________
Remote IP:
(config)#logging x.y.z.w

Or locally in a FILE:
(config)#logging file flash:syslog 7 <--- 7 is DEBUGGING, so LOG EVERYTHING 0-7
emergencies System is unusable (severity=0)
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
errors Error conditions (severity=3)
warnings Warning conditions (severity=4)
notifications Normal but significant conditions (severity=5)
informational Informational messages (severity=6)
debugging Debugging messages (severity=7)

Set SEVERITY level:
(config)#logging trap 4 <--- FROM WARNING-4 (INCLUDING 4) TO MORE CRITICAL (ALERT-1, CRITICAL-2, ERROR-3)

Add SEQUENCE numbers:
(config)#service sequence-numbers <--- "SERVICE" command IS FOR SYSTEM GENERAL SETTINGS

Remove TIMESTAMPS (or add them back with "service timestamps log datetime msec", which you want when correlating logs between devices):
(config)#no service timestamps debug
(config)#no service timestamps log

Set the syslog FACILITY code carried in messages sent to the remote server (local0-local7, default local7). This does not save anything locally; it only lets the syslog server sort messages per source:
(config)#logging facility local4

Specific (more GRANULAR) logging settings can be configured on the INTERFACE LEVEL:
(config-if)#logging event ?
bundle-status BUNDLE/UNBUNDLE messages
link-status UPDOWN and CHANGE messages
nfas-status NFAS D-channel status messages
power-inline-status Inline power messages
spanning-tree Spanning-tree Interface events
status Spanning-tree state change messages
subif-link-status Sub-interface UPDOWN and CHANGE messages
trunk-status TRUNK status messages



____________________________________________________________________________________________________________________
STORM CONTROL
____________________________________________________________________________________________________________________
To LIMIT a type of traffic (BROADCAST, MULTICAST or UNICAST) on a port. To limit the Broadcast to 50% of the bandwidth:
(config-if)#storm-control broadcast level 50.00 <-LIMIT THIS TYPE OF TRAFFIC (also valid for MULTICAST or UNICAST)
(config-if)#storm-control action [shutdown | trap] <-DEFINE THE ACTION (default: only drop the excess traffic)

OR LIMIT the number of packets per second:
(config-if)#storm-control unicast level pps 250
#sh storm-control unicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa1/0/1 Forwarding 250 pps 250 pps 1 pps

____________________________________________________________________________________________________________________
HTTP Server (HTTP access) on a Switch
____________________________________________________________________________________________________________________
This is a simple feature, which we don't really recommend in a production environment: it is plain, unencrypted HTTP, authenticated by the enable password. If web access is really needed, use "ip http secure-server" instead and restrict the sources with "ip http access-class <ACL>" ("access class: 0" in the output below means no ACL is applied).
(config)#ip http server
(config)#ip http path flash: <-- define the PATH where files are

#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:
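A check that ties the SNMP, LOGGING and HTTP server sections above together, as an added example (not IOS or vendor code, and not from the original notes): it reads a running-config and flags the weak management-plane settings discussed there, i.e. default or unrestricted communities, v1/v2c trap hosts, an HTTP server without access-class or TLS, a missing syslog host and a "logging trap" level that discards the level-5 notifications. The two configurations are constructed for the demonstration; the parser only understands the command forms shown on this page.

```python
"""Audit an IOS running-config for the management-plane settings covered above.
Added example, not IOS code; both configs are constructed for the demonstration."""
import re

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def _trap_host(tokens):
    """snmp-server host A.B.C.D [traps|informs] [version {1|2c|3 [auth|noauth|priv]}] community ..."""
    i = 3
    if i < len(tokens) and tokens[i] in ("traps", "informs"):
        i += 1
    version = "1"                                   # IOS default when no version is given
    if i < len(tokens) and tokens[i] == "version":
        version = tokens[i + 1]
        i += 2
        if version == "3" and i < len(tokens) and tokens[i] in ("auth", "noauth", "priv"):
            i += 1
    return version, (tokens[i] if i < len(tokens) else "?")


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:
        tokens = line.split()
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", line)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"community '{name}' is a well-known default")
            if mode == "rw":
                findings.append(f"community '{name}' is read-write (configuration changes over SNMP)")
            if acl is None:
                findings.append(f"community '{name}' has no access-list limiting the NMS addresses")
        elif line.startswith("snmp-server host "):
            version, community = _trap_host(tokens)
            if version in ("1", "2c"):
                findings.append(f"trap host {tokens[2]} uses SNMPv{version}: "
                                f"community '{community}' is sent in cleartext")
        elif line.startswith("logging trap "):
            lvl = tokens[2]
            level = int(lvl) if lvl.isdigit() else LEVELS.get(lvl)
            if level is not None and level < 5:
                findings.append(f"logging trap {lvl}: notifications such as %SYS-5-CONFIG_I "
                                f"never reach the syslog server")
    if "ip http server" in lines:
        if not any(l.startswith("ip http access-class ") for l in lines):
            findings.append("ip http server without ip http access-class: any source may reach the web UI")
        if "ip http secure-server" not in lines:
            findings.append("cleartext HTTP server enabled; use ip http secure-server (or no ip http server)")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in lines):
        findings.append("no remote syslog host: logs live only on the box and die with it")
    return findings


# Constructed configs: the first uses the values from the sections above, the second is hardened
WEAK_CONFIG = """\
snmp-server community public ro
snmp-server community TST-RW rw
snmp-server community TST-RO ro 10
snmp-server host 192.168.1.100 traps version 2c cisco
ip http server
ip http path flash:
logging 10.1.1.5
logging trap 4
"""

HARDENED_CONFIG = """\
access-list 10 permit 10.1.1.5
snmp-server community TST-RO ro 10
snmp-server host 192.168.1.100 traps version 3 priv nmsuser
ip http secure-server
ip http access-class 10
logging host 10.1.1.5
logging trap 6
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("-", finding)
```

Running it against the weak config produces eight findings; the hardened config produces none.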
____________________________________________________________________________________________________________________
Router on a STICK and IP BRIDGING
____________________________________________________________________________________________________________________
Integrated Routing and Bridging (IRB) lets the router route a given protocol between routed interfaces and bridge groups, or between bridge groups. Normally a protocol is either ROUTED or BRIDGED on an interface; with IRB the router can do both. So the first step is to enable IRB as the bridging mode:
(config)#bridge irb

*BRIDGE GROUP is a VIRTUAL BRIDGE inside the Router, with its own MAC address table.
To put a dot1Q sub-interface (one VLAN) into a bridge group:
(config)#interface FastEthernet0/0.16
(config-subif)#encapsulation dot1Q 16 <-FOR VLAN 16
(config-subif)#bridge-group 1

You need to define the BRIDGING PROTOCOL, and set it to ROUTE the IP traffic:
(config)#bridge 1 protocol ieee
(config)#bridge 1 route ip

If, for example, VLAN 16 ends on the other side in a SVI, and you want it to be PING-able from the local router.


IP Services

____________________________________________________________________________________________________________________
IP Services Tips and Tricks
____________________________________________________________________________________________________________________
IMPORTANT:
HSRP: UDP port 1985 to Multicast Address 224.0.0.2 (all routers). VRRP: directly over IP, Protocol 112, to 224.0.0.18
HSRPv2: also UDP 1985, but to 224.0.0.102 (224.0.0.2 conflicted with CGMP Leave processing); GLBP also uses 224.0.0.102, UDP 3222
TIP: When a CLIENT sends an ARP request for an IP that is outside its own segment, the router responds with its own MAC address. This is called Proxy ARP; it's ON by default on IOS Ethernet interfaces and, since it makes the router answer ARP for anything it can route to, it can be disabled where it is not needed:
(config-if)#no ip proxy-arp

____________________________________________________________________________________________________________________
HSRP - Hot Standby Router Protocol
____________________________________________________________________________________________________________________
HSRP is a Cisco proprietary protocol. There are 3 types of HSRP messages: HELLO, COUP (sent by a router with a higher priority than the current active router, which is currently NOT ACTIVE, to tell the others that it should become ACTIVE; this needs preempt) and RESIGN (sent by the active router when it gives up the role)
Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:
interface FastEthernet0/0
ip address 172.25.25.2 255.255.255.0
standby 1 ip 172.25.25.22 <- Group 1 VIRTUAL IP Address
standby 1 timers 5 15 <- Can also be done in milliseconds using "standby 1 timers msec 250 800"
standby 1 priority 150 <- Default it 100
standby 1 preempt <-TAKE BACK THE ACTIVE ROLE
standby 1 authentication Cisco <- PLAINTEXT string carried in every hello; prefer "standby 1 authentication md5 key-string ..."
standby 1 name R2-Act <-Name of the HSRP Group 1
standby 2 ip 172.25.25.55
standby 2 timers 5 15
standby 2 authentication Cisco
standby 2 name R5-Act <-Name of the HSRP Group 2

"07-ac" is the SIGNATURE part of the HSRP v1 Virtual MAC Address (0000.0c07.acXX, where XX is the group number in hex):
#sh standby | i 07
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)

To check the current configuration, including the HSRP Status and whether the preempt option is configured:
#sh standby brief
P indicates configured to preempt.
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 100 Standby 172.25.25.2 local 172.25.25.22
Fa0/0 2 200 P Active local 172.25.25.2 172.25.25.55

If you need to TRACK an interface, be sure to define for how much you want to decrease the HSRP priority in order to fail over to the HSRP
Peer, and be sure that the active neighbor has Preempt configured:
(config-if)#standby 1 track serial 0/1/0.21 60
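What the HSRP v1 messages above look like on the wire, as an added example (not IOS code and not from the original notes). The 20-byte layout follows RFC 2281 (UDP 1985 to 224.0.0.2): the "authentication" field is 8 bytes of cleartext, so anyone who captures one hello knows the string, and the active router is simply the highest priority among the accepted hellos, with the higher IP address breaking ties. The hellos below are constructed for the group 1 configuration above; the sender addresses and the third, mismatched hello are assumptions for the demonstration.

```python
"""HSRP version 1 on the wire (RFC 2281): UDP 1985 to 224.0.0.2, fixed 20-byte payload.
Added example, not IOS code; the hellos below are constructed for the demonstration."""
import ipaddress
import struct

# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth (8 bytes), virtual IP
HSRP_V1 = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def build_hsrp(opcode, state, priority, group, vip, auth="cisco", hellotime=3, holdtime=10):
    """Pack one HSRPv1 message; auth is cut/padded to 8 bytes as on the wire
    ("cisco" is what IOS sends when no authentication command is configured)."""
    auth_bytes = auth.encode()[:8].ljust(8, b"\0")
    return struct.pack(HSRP_V1, 0, opcode, state, hellotime, holdtime, priority, group, 0,
                       auth_bytes, ipaddress.IPv4Address(vip).packed)


def parse_hsrp(payload):
    """Unpack an HSRPv1 message into a dict with readable field names."""
    ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(HSRP_V1, payload)
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\0").decode(errors="replace"),
            "vip": str(ipaddress.IPv4Address(vip))}


def virtual_mac(group):
    """HSRPv1 virtual MAC: 0000.0c07.acXX, XX = group number (the 07-ac signature above)."""
    return f"0000.0c07.ac{group:02x}"


def elect_active(hellos, expected_auth="cisco"):
    """Pick the active router from (sender_ip, payload) pairs. Hellos whose auth field does
    not match are ignored (a router logs and ignores them); among the rest the highest
    priority wins and a tie goes to the higher sender IP address."""
    accepted = []
    for sender, payload in hellos:
        msg = parse_hsrp(payload)
        if msg["opcode"] == "Hello" and msg["auth"] == expected_auth:
            accepted.append((msg["priority"], int(ipaddress.IPv4Address(sender)), sender))
    return max(accepted)[2] if accepted else None


# Constructed hellos for group 1 / VIP 172.25.25.22 from the configuration above
HELLOS = [
    ("172.25.25.2", build_hsrp(0, 16, 150, 1, "172.25.25.22", auth="Cisco")),   # configured active
    ("172.25.25.5", build_hsrp(0, 8, 100, 1, "172.25.25.22", auth="Cisco")),    # standby
    ("172.25.25.99", build_hsrp(0, 16, 255, 1, "172.25.25.22", auth="wrong")),  # wrong auth: ignored
]

if __name__ == "__main__":
    for sender, payload in HELLOS:
        print(sender, parse_hsrp(payload))
    print("active:", elect_active(HELLOS, expected_auth="Cisco"), "vMAC:", virtual_mac(1))
```

The third hello is ignored only because its auth string differs; a hello carrying the captured string and priority 255 would win the election, which is why the plaintext authentication above is a configuration hygiene measure, not a security control, and why first-hop protocol traffic should be confined to trusted ports.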


____________________________________________________________________________________________________________________
VRRP - Virtual Router Redundancy Protocol
____________________________________________________________________________________________________________________
The VRRP configuration is similar to the HSRP, with a few slight differences. For example, there are no ACTIVE and STANDBY, but MASTER
and BACKUP router, as shown below:
#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 200 3218 Y Master 172.25.12.1 172.25.12.22
Fa0/0 2 100 3609 Y Backup 172.25.12.2 172.25.12.11

TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup, and tell the Backup to
LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Master for VRRP Group 1 and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug on the VRRP Pair
router is as follows (before the authentication is configured on BOTH):
#debug vrrp
*13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
#u all
All possible debugging has been turned off

The configuration on the interface will look similar to the HSRP:
interface FastEthernet0/0
ip address 172.25.12.2 255.255.255.0
vrrp 1 description MAT1
vrrp 1 ip 172.25.12.22
vrrp 1 timers learn
vrrp 1 authentication cisco
vrrp 2 description MAT2
vrrp 2 ip 172.25.12.11
vrrp 2 timers advertise 10
vrrp 2 priority 200
end

!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default!

____________________________________________________________________________________________________________________
GLBP - Gateway Load Balancing Protocol
____________________________________________________________________________________________________________________
GLBP is different from HSRP and VRRP, as in - it's more complex and offers more, notably the Load Balancing feature.
It's got 1 VIRTUAL IP and SEVERAL virtual MACs: the AVG (defined below) answers the ARP requests for the virtual IP and decides which router's virtual MAC each client gets.
Up to 4 AVFs can forward traffic in a GLBP GROUP (more routers can be members, but only 4 get a virtual MAC)!!!
GLBP Group Members communicate using HELLOs to 224.0.0.102, UDP/3222, by default Hello Timer = 3 sec
Basically there are 2 roles:
AVG (Active Virtual Gateway) the elected master router, in charge of assigning Virtual MAC Addresses to the group members and of answering ARP for the virtual IP; it has to know ALL the MACs of the AVFs, and a standby AVG takes over if it dies
AVFs (Active Virtual Forwarders) the routers that forward traffic for the virtual MAC they were assigned (the AVG is normally also an AVF)
#sh glbp br
Interface Grp Fwd Pri State Address Active router Standby route
Fa0/0 1 - 100 Standby 10.1.1.100 10.1.1.2 local
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 10.1.1.2 -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing
method:
(config-if)#glbp 1 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin Load balance equally using each forwarder in turn
weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)
<cr>

As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC of AVF that has failed.
(config-if)#glbp 1 timers ?
<1-60> Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify time-out values for failed forwarders

Tracking is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object (the same objects can be referenced from HSRP and VRRP on newer IOS). The advantage is that you can track several interfaces at once!!!
(config)#track 1 interface fa0/1 ?
ip IP parameters <- TO TRACK IP ROUTING
line-protocol Track interface line-protocol <- TRACK IF THE INTERFACE IS DOWN

(config)#track 1 interface fa0/1 line-protocol
(config)#track 2 interface s0/1/0 line-protocol

#show track
Track 1
Interface FastEthernet0/1 line-protocol
Line protocol is Up
1 change, last change 00:02:39
Track 2
Interface Serial0/1/0 line-protocol
Line protocol is Up
1 change, last change 00:02:10
Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (If any of the tracked interfaces go DOWN, the WEIGHT
will be decremented by 10, but these values can be tuned):
(config-if)#glbp 1 weighting track 1 <-MEMORIZE as it's a bit NON-INTUITIVE
(config-if)#glbp 1 weighting track 2

____________________________________________________________________________________________________________________
IRDP - ICMP Router Discovery Protocol
____________________________________________________________________________________________________________________
IRDP lets a host (here a router with IP routing disabled) automatically discover the IP of its default gateway. It uses ICMP Router Solicitation (type 10) and Router Advertisement (type 9) messages:
potential GW routers periodically announce the IP address of their IRDP-configured interface to a broadcast destination, together with an IRDP Preference value; the host prefers the highest preference.
Step 1:
The configuration is pretty straight-forward. First you MUST turn the Routing off on the router that you want to discover its own GW:
(config)#no ip routing

Step 2:
IRDP needs to be enabled on the Router:
(config)#ip gdp ?
eigrp Discover routers transmitting EIGRP router updates
irdp Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here
rip Discover routers transmitting RIP router updates

Step 3:
Here is what needs to be defined on the interface:
(config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE
(config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS
(config-if)#ip irdp minadvertinterval 3
(config-if)#ip irdp holdtime 15
(config-if)#ip irdp preference 600 <- DEFINE THE ROUTER PREFERENCE

Step 4:
TEST by pinging the IP behind the routers that are supposedly advertising the GW. PING will work ONLY if Proxy-ARP is enabled on the IP
Interface:
#sh ip inter fa0/0 | i ARP
Proxy ARP is enabled <- THIS ONE MATTERS
Local Proxy ARP is disabled
#show ip route
Gateway Using Interval Priority Interface
10.187.117.2 IRDP 4 600 FastEthernet0/0
10.187.117.1 IRDP 4 200 FastEthernet0/0

When you do a DEBUG of ICMP, you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW:
#debug ip icmp
ICMP packet debugging is on
*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1



____________________________________________________________________________________________________________________
DRP - Director Response Protocol
____________________________________________________________________________________________________________________
DRP is a UDP-based protocol which enables Cisco DistributedDirector to QUERY routers (DRP server agents) for routing metrics, so that it can transparently REDIRECT end-user
service requests to the CLOSEST RESPONSIVE SERVER. The configuration is straight-forward:
Step 1: Enable the DRP Server Agent:
(config)#ip drp server

Step 2: Define the ACL that restricts which hosts (the DistributedDirector only) may send queries to the DRP agent:
(config)#access-list 11 permit 10.182.131.15

Step 3: Attach the ACL to the DRP:
(config)#ip drp access-group 11

Step 4: Reference a key chain (created separately with "key chain DRP_CHAIN", a key number and its key-string, not shown here) so that DRP queries are authenticated:
(config)#ip drp authentication key-chain DRP_CHAIN

____________________________________________________________________________________________________________________
WAAS and WCCP Protocol
____________________________________________________________________________________________________________________
WCCP is a Web Cache Communication Protocol, and it enables the redirection of client web requests to one or more Web Cache Engines,
which improves Web Browsing on the slow links. The only INTERFACE command to allow this for the users of that VLAN is "ip wccp web-
cache redirect [in | out]" If you set OUT - the Router is listening to the HTTP requests going OUT of that interface, and it's most
commonly enabled on the WAN interface.
First you need to enable the WCCP (protocol for web caching) globally on a router:
(config)#ip wccp web-cache

On the WAN interface enable checking if the packets need to be redirected to a web cache. Enable the redirection of outgoing destination
port 80 packets on the interface:
(config-if)#ip wccp web-cache redirect out

Define the ACL that only contains the Cache Engine IP (without a group-list any host could register as a cache engine and receive the redirected HTTP traffic; the "password" keyword of "ip wccp web-cache" adds authentication on top):
(config)#access-list 11 permit 10.182.131.15

Attach the configured ACL to the WCCP configuration:
(config)#ip wccp web-cache group-list 11


____________________________________________________________________________________________________________________
NTP - Network Time Protocol
____________________________________________________________________________________________________________________
First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*%SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC
Fri Nov 15 2013, configured from console by console.

Now if you have set this time carefully, the switch is new generation and you really trust its clock, then in order to have the entire network
synchronized (with absolutely no external NTP available), set the most awesome switch to be the NTP master:
(config)#ntp master ?
<1-15> Stratum number <- the STRATUM this device claims ("ntp master" alone claims 8); every device syncing from it is one stratum higher per hop

#show ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:
(config)#ntp server 131.1.13.1

Optionally, instead of (or in addition to) unicast "ntp server", use NTP BROADCAST on the interfaces of the NTP Master/Client switches:
(config-if)#ntp broadcast <- On the NTP MASTER
(config-if)#ntp broadcast client <-ON NTP CLIENTS

If you want to PEER two switches within the network, so that they synchronize the time together:
(config)#ntp peer 150.1.2.2

Make sure that it "worked" (the output below was taken before the peers answered: ".INIT." and reach 0 mean no valid packet has been exchanged yet; a synchronized peer shows reach 377 and the "*" marker):
#sh ntp associations
address ref clock st when poll reach delay offset disp
~150.1.2.2 .INIT. 16 - 64 0 0.000 0.000 16000.
~150.1.3.3 .INIT. 16 - 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

On a production network also enable NTP authentication ("ntp authentication-key", "ntp trusted-key", "ntp authenticate", and "key" on the ntp server/peer lines) and restrict who may sync or peer with "ntp access-group"; otherwise any host on the path can feed the devices bogus time, which breaks log correlation, certificate validity checks and the IP SLA timestamps below.

____________________________________________________________________________________________________________________
IP SLA - Monitor the Network Performance
____________________________________________________________________________________________________________________
Probably the most typical usage of IP SLA is to measure UDP Jitter and Echo, in order to make sure that the path is good enough to
send delay-sensitive VoIP traffic. Two sides need to be configured, the CLIENT (sender) and the RESPONDER.
The RESPONDER needs no per-probe configuration: the sender tells it in a control message which port to listen on, and the RESPONDER answers with TIME STAMP information, so the source can calculate the performance values. Be CAREFUL with
the clocks, configure NTP if you're not certain the devices are synced.
Enable the RESPONDER:
(config)#ip sla monitor responder

Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500
(config-sla-monitor-udp)#frequency 5 <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1 <-HOW LONG THE STATISTICS ARE KEPT
(config-sla-monitor-udp)#request-data-size 1500 <- PACKET SIZE

And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only):
(config)#ip sla monitor schedule 10 start-time now life 100

Check the statistics:
#sh ip sla monit statistics
Round trip time (RTT) Index 10
Latest RTT: 2 ms <- THIS IS WHAT YOU WANT TO KNOW, the ROUND TRIP TIME (RTT)
Latest operation start time: *14:47:06.923 UTC Fri Dec 6 2013
Latest operation return code: OK
Number of successes: 10
Number of failures: 0
Operation time to live: 52 sec

And on the RESPONDER:
#sh ip sla monit responder
IP SLA Monitor Responder is: Enabled
Number of control message received: 17 Number of errors: 0
Recent sources:
10.187.122.1 [14:25:11.241 UTC Fri Dec 6 2013]
10.187.122.1 [14:25:06.241 UTC Fri Dec 6 2013]
10.187.122.1 [14:25:01.237 UTC Fri Dec 6 2013]
10.187.122.1 [14:24:56.237 UTC Fri Dec 6 2013]
10.187.122.1 [14:24:51.237 UTC Fri Dec 6 2013]

If you are using IP SLA for ROUTING, meaning - you want to TRACK a certain route using ICMP (ping), and depending on the result - "tune" the
routing table, you have 2 options:
OPTION 1: Use a simple TRACK object to track a certain route, and attach it to the STATIC ROUTE:
(config)#track 10 ip route 10.1.12.0 255.255.255.0 reachability
(config)#ip route 1.0.0.0 255.0.0.0 10.1.12.2 track 10

Check the status of the TRACK 10 object, and based on that - you can know if your STATIC route is UP:
#sh track 10
Track 10
IP route 10.1.12.0 255.255.255.0 reachability
Reachability is Up (connected)
3 changes, last change 00:04:04
First-hop interface is Serial0/1/0
Tracked by:
STATIC-IP-ROUTING 0

IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol, like OSPF:

#sh track 10
Track 10
IP route 10.1.12.0 255.255.255.0 reachability
Reachability is Up (OSPF) <- THIS IS NOT WHAT WE WANTED TO ACHIEVE HERE
3 changes, last change 00:03:59
First-hop interface is FastEthernet0/0
Tracked by:
STATIC-IP-ROUTING 0

OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) to monitor end-to-end response
STEP 1: DEFINE THE IP SLA OBJECT
(config)#ip sla monitor 10
(config-sla-monitor)#type echo protocol ipIcmpEcho 10.1.12.2 source-ipaddr 10.1.12.1
(config-sla-monitor-echo)#frequency 5

STEP 2: DONT FORGET TO LAUNCH THE IP SLA:
(config)#ip sla monitor schedule 10 start-time now life forever

STEP 3: DEFINE THE TRACK Object using the defined IP SLA:
(config)#track 15 rtr 10 reachability <- 15 is the TRACK object number, 10 is the IP SLA (RTR) operation we're attaching

Make sure the TRACK is UP before you attach it to the route:
#sh track 15
Track 15
Response Time Reporter 10 reachability
Reachability is Up
2 changes, last change 00:00:18
Latest operation return code: OK
Latest RTT (millisecs) 36
Tracked by:
STATIC-IP-ROUTING 0

STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE, like in the option 1.
____________________________________________________________________________________________________________________
STATIC NAT
____________________________________________________________________________________________________________________
You can do STATIC NAT and just "go out" of the router with a different IP address:
(config)#ip nat inside source static 10.2.2.1 131.1.12.3 [extendable]
*Traffic sourced from 10.2.2.1 sent to ALL destinations will appear to the outside world as 131.1.12.3; the mapping also works inbound, so a static entry permanently exposes the inside host on 131.1.12.3
*Extendable allows several static entries for the same local address (e.g. 1 LOCAL IP mapped to various Public IPs or ports)

Be sure to DEFINE the NAT INTERFACES:
(config)#int lo0 <- PRIVATE IP
(config-if)#ip nat inside

(config-if)#int s0/1/0.21 <- PUBLIC (Global) IP
(config-subif)#ip nat outside

#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 131.1.12.3 10.2.2.1 --- ---

Inside Local - Private IP of the host in your Network
Inside Global - Public IP that the outside network sees your hosts as
Outside Local - How the local network sees IP of the remote host
Outside Global - Public IP of the remote host
If you want to do static NAT for a SUBNET:
(config)#ip nat inside source static network 10.2.2.0 200.2.2.0 /24
____________________________________________________________________________________________________________________
DYNAMIC NAT
____________________________________________________________________________________________________________________
Step 1: Define the POOL of the Inside Global IPs (Public), which your Private IPs will be NAT-ed into:
(config)#ip nat pool INSIDE_GLOBAL 131.1.12.3 131.1.12.8 prefix-length 24

Step 2: Define the ACCESS-LIST of the PRIVATE IPs, which are the ones that will be NAT-ed (Inside Local)
(config)#access-list 1 permit 10.2.2.0 0.0.0.255

Step 3: Implement the NAT from-ACL-to-POOL IPs
(config)#ip nat inside source list 1 pool INSIDE_GLOBAL

Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do, and the Troubleshooting is not as much fun as you might expect)
#sh ip nat translations <- BE SURE TO PING SOMETHING BEFORE YOU CHECK THE TRANSLATIONS:
Pro Inside global Inside local Outside local Outside global
icmp 131.1.12.3:2 10.2.2.2:2 15.10.1.1:2 15.10.1.1:2
--- 131.1.12.3 10.2.2.2 --- ---

DEBUG IP NAT:
*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]
Meaning: source=10.2.2.1 (SOURCE ACL)->inside global 131.1.12.3 (NAT POOL)
*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]
*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [65]
*Oct 29 16:25:54.878: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [65]
*Oct 29 16:25:54.878: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [66]
*Oct 29 16:25:54.938: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [66]
*Oct 29 16:25:54.938: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [67]
*Oct 29 16:25:54.994: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [67]
*Oct 29 16:25:54.994: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [68]
*Oct 29 16:25:55.050: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [68]

If you need the HOST portion matched, add the "type match-host" argument to the NAT POOL definition:
(config)#ip nat pool LAB4 200.2.2.1 200.2.2.5 prefix-length 24 type match-host

If you need the SOURCE&DESTINATION matched, define it in the EXTENDED ACL, and match it in Route Map, do not attach the ACL directly to
the "ip nat" configuration line.
____________________________________________________________________________________________________________________
Load Balancing using NAT
____________________________________________________________________________________________________________________
Step 1: Create a POOL of all the INSIDE LOCAL IPs, and define the pool type "type rotary":
(config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (Public ones, the one were NAT-ing into):
(config)#access-list 1 permit 200.2.2.2

Step 3: Do the inside NAT with the ACL 1 as the DESTINATION list, and the POOL or LOCAL IPs:
(config)#ip nat inside destination list 1 pool ?
WORD Pool name for local addresses


Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
(config)#int lo0
(config-if)#ip nat inside
(config-if)#
(config-if)#int s0/1/0.21
(config-subif)#ip nat outside

Be sure that the routing is in place (both the go and the return path towards the NAT-ed IP, 200.2.2.2)!!!
Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:
#sh ip nat translations
Pro  Inside global   Inside local   Outside local       Outside global
tcp  200.2.2.2:23    10.2.2.1:23    131.1.12.1:20186    131.1.12.1:20186
tcp  200.2.2.2:23    10.2.2.2:23    131.1.12.1:25096    131.1.12.1:25096
tcp  200.2.2.2:23    10.2.2.3:23    131.1.12.1:20389    131.1.12.1:20389
____________________________________________________________________________________________________________________
PAT (NAT Overload)
____________________________________________________________________________________________________________________
Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to ONE SINGLE Inside Global IP.
Step 1: Create an ACL with all the Inside Local addresses:
(config)#access-list 1 permit 10.2.2.0 0.0.0.7

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:
Step 2.1: Create the Inside Global IP Pool with any addresses from the link towards the other router, and configure NAT Overload with the
defined pool (the pool name in the "ip nat inside source" line must be the pool you just created):
(config)#ip nat pool OVERLOAD 15.10.1.2 15.10.1.2 prefix-length 24
(config)#ip nat inside source list 1 pool OVERLOAD overload

Step 2.2: Configure the NAT to point to the Interface you need the traffic to go out from:
(config)#ip nat inside source list 1 interface s0/1/0.21

*The system adds the "overload" argument by itself:
(config)#do sh run | i nat inside
ip nat inside
ip nat inside source list 1 interface Serial0/1/0.21 overload

____________________________________________________________________________________________________________________
PAR - When you need to implement traffic redirections using NAT
____________________________________________________________________________________________________________________
You can define the traffic redirection using Static Entries, but there is a trick. For example, you want all the HTTP traffic DESTINED FOR s0/0.5 of
R1 to be REDIRECTED to the IP 15.10.123.3 instead. You configure this with a static NAT entry:
(config)#ip nat inside source static tcp 15.10.123.3 80 int s0/0.5 80
*MAKE SURE YOU UNDERSTAND THIS COMMAND, IT'S A BIT BACKWARDS: the inside local address (15.10.123.3) comes first, and the interface address is the inside global one!!!

#telnet 131.1.14.1 80 (131.1.14.1 is the IP configured on the s0/0.5 interface of R1)
Trying 131.1.14.1, 80 ... Open

So when you telnet to R1's IP on port 80 from the router on the s0/0.5 side, you see the following debug:
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053] <- 131.1.14.4: the router from where we telnet
*Nov 6 15:54:48.707: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747] <- NAT-ed and forwarded to 15.10.123.3
*Nov 6 15:54:48.735: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23054]
*Nov 6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23055]
*Nov 6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]
*Nov 6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23056]
*Nov 6 15:56:48.763: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31749]
*Nov 6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23057]
*Nov 6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23058]
____________________________________________________________________________________________________________________
Static NAT redundancy with HSRP
____________________________________________________________________________________________________________________
This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the routers that form the HSRP
group). In order to do this, it's necessary to NAME each of the HSRP groups:
Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Configure NAT on the relevant interfaces
(config-if)#ip nat inside <- NAT inside interface

Step 3: Static NAT redundancy with HSRP. After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1

This means that the traffic originated from the IP 10.185.117.1 will be NAT-ed into 152.168.13.9
Tests:
In this example the router 10.185.117.1 is pinging the IP 10.185.117.4. The final router (232.32.32.4) does have the route back to 152.168.13.9.
When the DEBUG is done on the router, the PING done from 10.185.117.1 gives the following display:
*Nov 7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]
*Nov 7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]
*Nov 7 11:34:02.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [227]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [228]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [228]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [229]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [229]
*Nov 7 11:34:04.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [230]
*Nov 7 11:34:04.610: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [230]
____________________________________________________________________________________________________________________
Scalability for Stateful NAT (SNAT)
____________________________________________________________________________________________________________________
Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP)
state change until the NAT information is completely exchanged.
Reference: http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html
Step 1: You need to create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1

Step 2: In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the Stateful NAT group
configuration, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1

Step 3: The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID, called the "mapping-id",
which MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1

Step 4: Consider adding features such as asymmetric queuing, or define a specific transport protocol for the redundancy group. IP Stateful NAT
Redundancy mode configuration commands:
as-queuing Disable asymmetric process for this redundancy group
exit Exit from IP Stateful NAT Redundancy config mode
mapping-id Configure mapping-id for this redundancy group
no Negate or set default values of a command
protocol Select transport protocol for this redundancy group

Step 5: Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1

Step 6: Check the translations
#sh ip snat distributed
Stateful NAT Connected Peers

No entries will appear until you perform a PING; when you do (with the debug on), you'll see:
*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]
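All the "debug ip nat" outputs in the NAT sections above (the first dynamic NAT debug, the PAR redirection, the HSRP and SNAT tests) have the same shape, "s=A->B, d=C->D [id]", and the field carrying the "->" tells you which direction of an "ip nat inside source" rule you are looking at: an outbound packet shows the SOURCE going local->global, the returning packet shows the DESTINATION going global->local. The Python script below is an added example (not code from these notes or from IOS) that parses such lines and recovers the inside-local/inside-global pairs, which is a quick way to check that what the router translates is what the static or pool definition says. The sample lines are copied from the debug outputs above, plus one SNAT line that is deliberately not a translation record. It assumes every rewrite comes from an inside-source rule; "ip nat outside source" rules would invert the field meaning and are not handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the "debug ip nat" outputs in the notes
# above (inside-source static NAT, the PAR redirection) plus one SNAT line that
# is not a translation record at all.
SAMPLE_DEBUG = """\
*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]
*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053]
*Nov 6 15:54:48.707: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747]
*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
"""

# One translation record: "<ts>: NAT[*]: s=A[->B], d=C[->D] [ipid]".
# "NAT*" marks a packet translated in the fast (CEF) path, plain "NAT" one that
# was process switched; the "->" shows which address field was rewritten.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s+NAT(?P<fast>\*?):\s+"
    r"s=(?P<src>[\d.]+)(?:->(?P<src_x>[\d.]+))?,\s+"
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_x>[\d.]+))?\s+\[(?P<ipid>\d+)\]"
)


@dataclass
class NatEvent:
    timestamp: str
    fast_switched: bool
    src: str
    src_translated: Optional[str]
    dst: str
    dst_translated: Optional[str]
    ip_id: int


def parse_line(line: str) -> Optional[NatEvent]:
    """Return a NatEvent for a translation record, None for any other debug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return NatEvent(
        timestamp=m["ts"],
        fast_switched=(m["fast"] == "*"),
        src=m["src"],
        src_translated=m["src_x"],
        dst=m["dst"],
        dst_translated=m["dst_x"],
        ip_id=int(m["ipid"]),
    )


def parse_debug(text: str) -> List[NatEvent]:
    """Parse a whole debug capture, silently skipping non-translation lines."""
    events = (parse_line(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def inside_mappings(events: List[NatEvent]) -> Dict[str, str]:
    """Recover {inside-local: inside-global} pairs from the rewritten fields.

    Assumption: every rewrite comes from an "ip nat inside source" rule. Then an
    outbound packet shows the SOURCE going local->global (read as written) and
    the matching inbound packet shows the DESTINATION going global->local (read
    flipped). That per-field reading is exactly the "backwards" point of the
    PAR example: the local address is what the static command names first.
    """
    mapping: Dict[str, str] = {}
    for ev in events:
        if ev.src_translated:                       # local -> global, as written
            mapping.setdefault(ev.src, ev.src_translated)
        if ev.dst_translated:                       # global -> local, so flip it
            mapping.setdefault(ev.dst_translated, ev.dst)
    return dict(sorted(mapping.items()))


def switching_summary(events: List[NatEvent]) -> Dict[str, int]:
    """Count fast-path ("NAT*") versus process-switched ("NAT") records."""
    fast = sum(1 for ev in events if ev.fast_switched)
    return {"fast": fast, "process": len(events) - fast}


if __name__ == "__main__":
    evs = parse_debug(SAMPLE_DEBUG)
    for local, glob in inside_mappings(evs).items():
        print(f"inside local {local:<14} <-> inside global {glob}")
    print(switching_summary(evs))
```

Running it against the sample prints the two pairs 10.2.2.1 <-> 131.1.12.3 and 15.10.123.3 <-> 131.1.14.1; the second one is the PAR entry, and it comes out in the same order as the static command, local first.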

____________________________________________________________________________________________________________________
NAT Translations with the Outside Source
____________________________________________________________________________________________________________________
Just the other way around from the standard NAT: mark the interface the traffic will be coming in on with "ip nat outside", and translate the
outside source. This will translate the incoming traffic with the source 2.2.2.2 into LOCAL traffic with the source 200.2.2.2:
(config)#ip nat outside source static 2.2.2.2 200.2.2.2

____________________________________________________________________________________________________________________
NAT on a Stick
____________________________________________________________________________________________________________________
When a NAT router has to use the same interface for both INSIDE and OUTSIDE NAT, the trick is to use:
Step 1: Define the following:
- One normal interface, Fa0/0 for example, for "ip nat outside" and PBR ("ip policy route-map NAT_MAP") & "no ip redirects"
- One Loopback interface for "ip nat inside"
Step 2:
Define the route-map MATCHING the Source and Destination IP ACL, and SETTING the Loopback interface:
(config)#route-map NAT_MAP
(config-rmap)#match ip address ACL_1
(config-rmap)#set interface lo0

Step 3: Define "inside" AND "outside" static NAT

____________________________________________________________________________________________________________________
DHCP Server
____________________________________________________________________________________________________________________
Using the DHCP Pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or
in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DHCP on a Cisco Router:
Step 1: Enable the DHCP Server on the device (Don't forget this step!!!):
(config)#service dhcp

Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network 172.25.185.0 255.255.255.0 <- Network Range
(config-dhcp)#netbios-node-type h-node <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server 172.25.185.253 <- WINS Server IP
(config-dhcp)#dns-server 172.25.185.200 172.25.185.201 <- Primary and Secondary IPs
(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)
(config-dhcp)#update arp <-Router updates ARP table based on DHCP Database Contents
(config-dhcp)#default-router 172.25.185.254 <-GW to be ALLOCATED TO THE HOSTS

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address 172.25.185.252 172.25.185.254

Step 4: Disable the DHCP logging of address conflicts, because quite a few are likely to occur and the log can fill up the memory:
(config)#no ip dhcp conflict logging

Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other
(more intuitive) way to do it. So - create another DHCP pool, and assign the host's IP and MAC address (THIS HOST WILL INHERIT THE
CONFIG FROM THE DEFAULT POOL):
(dhcp-config)#host 10.184.117.37
(dhcp-config)#hardware-address 0014.2526.ef46

Check if your manual entry was configured:
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address       Client-ID/          Lease expiration   Type
                 Hardware address/
                 User name
10.184.117.37    0014.2526.ef46      Infinite           Manual

____________________________________________________________________________________________________________________
CNS (Cisco Networking Services)
____________________________________________________________________________________________________________________
KRON - The Command Scheduler (KRON) Policy for System Startup feature enables support for the Command Scheduler upon system startup.
STEP 1: Define the KRON policy list, and enter the KRON policy configuration mode:
(config)#kron policy-list cns-weekly

STEP 2: Define the CLI command you want executed:
(config-kron-policy)#cli ?
LINE Exec level cli to be executed
Example: (config-kron-policy)#cli copy startup-config tftp://r4-config

STEP 3: Define when the KRON is being executed:
(config)#kron occurrence week in 7:1:30 recurring
(config-kron-occurrence)# policy-list cns-weekly

STEP 4: Check the KRON status:
#show kron schedule
Kron Occurrence Schedule
week inactive, will run again in 7 days 01:25:17

____________________________________________________________________________________________________________________
GRE Tunnels
____________________________________________________________________________________________________________________
Cisco Documentation: Interface and Hardware Component Configuration Guide -> Implementing Tunnels
GRE (Generic Routing Encapsulation) uses IP protocol 47. It's the basic tunnel type and the simplest one to implement. For starters you
need to define the Tunnel interface:
(config)#interface tunnel 0
(config-if)#tunnel mode gre ip

Define the IP Address of the Tunnel Interface, and assign it the SOURCE and DESTINATION IP (These must be mutually PINGable):
(config-if)#ip address 10.187.134.121
(config-if)#tunnel source 131.1.12.1 <-YOU CAN USE IP ADDRESS OR AN INTERFACE AS A SOURCE
(config-if)#tunnel destination 131.1.12.2
*you'll get a message that the interface went UP
**Check if you need to tune the routing protocol metrics on the Tunnel interfaces if you want them to be preferred, because by default the Tunnel
Interface will have a higher metric. BEST PRACTICE is to source the tunnel from the Loopback Interfaces, and make sure you have enough
redundancy so that the Loopbacks are always PING-able.
By default GRE keepalives are off, but they can be turned on.
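What the tunnel interface configured above actually puts on the wire is an outer IPv4 header with protocol 47, a GRE header, and the passenger packet. The Python below is an added example (not code from these notes or from IOS) that builds and parses that encapsulation, including the optional checksum, key and sequence fields (RFC 2784 base header with the RFC 2890 extensions); the tunnel source and destination are the addresses from the configuration above, the payload is a constructed placeholder. The security-relevant point is visible in the header layout: nothing in it encrypts or authenticates the payload (the key field is a demultiplexing tag, not a secret, and the checksum only catches corruption), so GRE alone gives no confidentiality or integrity protection when it crosses a network you don't control.

```python
import ipaddress
import struct
from typing import Any, Dict, Optional

IPPROTO_GRE = 47          # "protocol" field of the outer IPv4 header for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 passenger packet
GRE_FLAG_C = 0x8000       # checksum present
GRE_FLAG_K = 0x2000       # key present (RFC 2890)
GRE_FLAG_S = 0x1000       # sequence number present (RFC 2890)


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), used by both the IPv4 header and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IPV4,
                    key: Optional[int] = None, seq: Optional[int] = None,
                    checksum: bool = False) -> bytes:
    """Prepend a GRE header to the passenger packet."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    if seq is not None:
        flags |= GRE_FLAG_S
    hdr = struct.pack("!HH", flags, proto)          # 4-byte base header
    if checksum:
        hdr += struct.pack("!HH", 0, 0)             # checksum placeholder + Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    pkt = hdr + payload
    if checksum:
        csum = ones_complement_checksum(pkt)        # covers GRE header + payload
        pkt = pkt[:4] + struct.pack("!H", csum) + pkt[6:]
    return pkt


def gre_decapsulate(pkt: bytes) -> Dict[str, Any]:
    """Parse a GRE header; checksum_ok is None when no checksum was carried."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4
    out: Dict[str, Any] = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & GRE_FLAG_C:
        # With a correct checksum in place the sum over the whole packet folds to zero.
        out["checksum_ok"] = ones_complement_checksum(pkt) == 0
        off += 4
    if flags & GRE_FLAG_K:
        out["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        out["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    out["payload"] = pkt[off:]
    return out


def ipv4_outer_header(src: str, dst: str, payload_len: int,
                      ttl: int = 255, ident: int = 0) -> bytes:
    """Outer IPv4 header between tunnel source and destination, protocol 47."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      IPPROTO_GRE, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    inner = b"hello"                                 # constructed placeholder payload
    gre = gre_encapsulate(inner, key=1234, seq=7, checksum=True)
    outer = ipv4_outer_header("131.1.12.1", "131.1.12.2", len(gre))
    print("outer proto:", outer[9], "GRE bytes:", gre.hex())
    print(gre_decapsulate(gre))
```

The decapsulation side shows the point in practice: flipping a single payload byte makes checksum_ok come back False, but a receiver that trusts the key field or the sequence number as "authentication" has nothing to rely on, since both are sent in the clear.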
____________________________________________________________________________________________________________________
Various IOS Tricks
____________________________________________________________________________________________________________________
Define a name of a remote host:
(config)#ip host REMOTE_HOST 10.1.12.1

Configure a "busy-message" (the response shown when the host/service is not available):
(config)#busy-message REMOTE_HOST @NOT AVAILABLE@

To hide a hostname IP when doing a Telnet:
(config)#service hide-telnet-addresses

To use the decompressed IOS in the DRAM, and not the compressed one in the flash
(config)#warm-reboot

To change the prompt, or make the "(config)" part of it disappear:
(config)#prompt New_prompt
(config)#no service prompt config

To prevent the stupid message "Password required but none set" (don't do this!!!):
(config)#line vty 0 4
(config-vty)#no login
(config-vty)#privilege level 15 <- TO GO TO PRIVILEGE MODE DIRECTLY

To avoid sending a packet for each keystroke typed:
(config)#service nagle

To "tune" CDP:
(config)#cdp timer 10

If you want to keep your configuration change logs in the NVRAM:
(config)#archive
(config-archive)#log config <- TO LOG ALL THE CONFIGURATION CHANGES
*"config" is the only option you will have here
(config-archive-log-config)#logging enable
(config-archive-log-config)#logging size SIZE <- in KB
(config-archive-log-config)#hidekeys
(config-archive-log-config)#notify syslog <- TO DISPLAY THE CONFIG CHANGE

To test:
#show archive config differences


IP Routing

____________________________________________________________________________________________________________________
IPv4 Routing TIPS
____________________________________________________________________________________________________________________
TIP: Remember that you can only DEBUG THE PROCESS SWITCHED TRAFFIC, not the "cache", so during the implementation it might be useful
to turn the route cache (fast switching/CEF) off on the interface. Don't forget to turn it back on once your debugs are done.
(config-if)#no ip route-cache
____________________________________________________________________________________________________________________
PBR - Policy Based Routing
____________________________________________________________________________________________________________________
First define the route-map and apply it on the interface level:
(config-if)#ip policy route-map PBR
*you can apply defined route-map to the local router using the command "ip local-policy route-map ROUTEMAP"

If you are setting a next hop and you are not sure that a next-hop failure would be detected, use the "verify-availability" sub-command
under the route-map. The old method uses CDP, so it only works over Frame Relay and not when there is a switch in between (because of the
nature of CDP), and it's not nearly as good as EOT (Enhanced Object Tracking):
(config-rmap)#set ip next-hop verify-availability <-- a track object can be attached to this, and then it's pretty advanced
The most important thing here is to know how to DEBUG the Policy Map:
#debug ip policy

To match the SOURCE IP use the standard ACL:
(config)#access-list 2 permit host 100.1.1.1

To match the FLOW use the EXTENDED ACL:
(config)#ip access-list extended FLOW1
(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2 <-TO MATCH THE FLOW
(config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL (PORT)

ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table:
(config)#ip local policy route-map ROUTE_MAP

This will not work for traffic transiting this router. For that you need to apply it on the interface
____________________________________________________________________________________________________________________
EOT Enhanced Object Tracking
____________________________________________________________________________________________________________________
EOT - ENHANCED OBJECT TRACKING: tracks an IP route, an interface or another object, for the cases where the line protocol status alone isn't enough to tell for certain whether the path is up.
Here is a configuration example from the Cisco Docs:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sweot.html
(config)#track 33 interface gigabitethernet 1/0/1 line-protocol

#show track 33
Track 33
Interface GigabitEthernet1/0/1 line-protocol
Line protocol is Down (hw down)
1 change, last change 00:18:28



____________________________________________________________________________________________________________________
ODR - ON-DEMAND ROUTING
____________________________________________________________________________________________________________________
On-Demand Routing is not a routing protocol. It uses Cisco Discovery Protocol (CDP) to propagate the IP prefixes. ODR is a perfect solution for
a hub-and-spoke topology in which the spoke routers act as stub routers. ODR is a feature that provides IP routing for stub sites,
with minimum overhead. Configuration is quite simple:
Step 1: Enable ODR globally on the HUB router:
(config)#router odr <-HUB router begins installing stub network routes in the IP forwarding table
*don't configure ANY routing protocol on a STUB
Step 2: Adjust the CDP timers, as ODR uses CDP as its transport protocol (ensure the CDP versions match):
(config)#cdp timer seconds
____________________________________________________________________________________________________________________
RIP
____________________________________________________________________________________________________________________
The RIP Protocol uses the Multicast Address 224.0.0.9 to send its Hellos/updates, via UDP port 520. "no auto-summary" disables the CLASSFUL NATURE
of RIP and allows classless routing. When you check the RIP database:
#show ip rip database
1.0.0.0/8 auto-summary *** <--- the AUTO SUMMARIES are not ADVERTISED
1.0.0.0/8 directly connected, Loopback0
10.0.0.0/8 auto-summary ***
10.1.1.0/24 directly connected, Serial1/0.123
Network Layer Reachability Information (NLRI) - Means pure reachability contained by ROUTING UPDATES
When you need to send the RIP Updates as UNICAST instead of Multicast packets, the "neighbor" command is used. Be sure to check
the SPLIT HORIZON in the case of a HUB-and-SPOKE configuration. If you need to DISABLE it for routing, BE SURE TO CONFIGURE the FRAME-RELAY
IP-DLCI mappings manually!
* BY DEFAULT SPLIT HORIZON is DISABLED ON PHYSICAL, AND ENABLED ON MULTIPOINT INT.
#show ip inter s1/0.123 | i Split
Split horizon is enabled

To avoid the SPLIT HORIZON and ADDITIONAL IP-DLCI mappings, you can use PPP and VIRTUAL TEMPLATES
____________________________________________________________________________________________________________________
RIP: Authentication
____________________________________________________________________________________________________________________
TIP: If you configure a "neighbor" command, that neighbor will RECEIVE the RIP updates as UNICAST, not MULTICAST. Don't forget to define
"passive-interface default" to stop the MULTICAST updates.
RIP Version 2 supports clear text and MD5 Authentication. The key chain needs to be defined, and applied to the physical interface using the
commands:
(config-if)#ip rip authentication mode md5
(config-if)#ip rip authentication key-chain CISQUEROS_CHAIN

If configured on one side only, the DEBUG IP RIP EVENTS will show:
*Aug 18 08:57:04.391: RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)
IT WILL TAKE A LOOONG TIME FOR RIP TO UPDATE THE DATABASE!!! So do the:
#clear ip route *


First step is to build a KEY CHAIN:
(config)#key chain RIP_12
(config-keychain)#key 1 <--- TEXT Authentication: KEY NUMBERS DON'T HAVE TO MATCH. MD5: numbers MUST MATCH!!!
(config-keychain-key)#key-string cisco

IMPORTANT: The passwords and the key numbers MUST be the same on all the routers for MD5.
In case the key numbers are different:
- The router with the HIGHER key number will receive ALL the routes
- The router with the LOWER key number will IGNORE (reject) all the routes received from the other router
____________________________________________________________________________________________________________________
RIP: Timers
____________________________________________________________________________________________________________________
*To see the default values:
#show ip protocol
...
Sending updates every 30 seconds, next due in 20 seconds
Invalid after 180 seconds, hold down 180, flushed after 240

(config-router)#timers basic ?
<1-4294967295> Interval between updates for RIP
(config-router)#timers basic 60 ?
<1-4294967295> Invalid
(config-router)#timers basic 60 360 ?
<0-4294967295> Holddown
(config-router)#timers basic 60 360 360 ?
<1-4294967295> Flush
(config-router)#timers basic 60 360 360 480 ?
<1-4294967295> Sleep time, in milliseconds
<cr>
(config-router)#timers basic 60 360 360 480

To AVOID COLLISIONS you can INSERT A DELAY every time updates are sent by adding the last attribute to the TIMER SETTING:
(config-router)#timers basic 60 360 360 480 ?
<1-4294967295> Sleep time, in milliseconds


Other RIP Specific Configuration parameters:
SUPPRESS flash updates when the periodic update is due in less than the configured time:
(config-router)#flash-update-threshold

Validate the Update Source:
(config-router)#validate-update-source
*Enabled by default, makes sure source IP of RIP advertising router matches connection IP. Needs to
be disabled when you are playing with LOOPBACKS

Change the unprocessed RIP queue depth. Good practice on SLOW ROUTERS, and also prevents routing info from being lost
(config-router)#input-queue 75 <-DEFAULT IS 50

Define the DELAY when sending the UPDATES, when FAST router is neighbors with the SLOW one:
(config-router)#output-delay 10 <-BY DEFAULT THERE IS NO INTER-PACKET DELAY, this timer is in range 8-50ms



____________________________________________________________________________________________________________________
RIP: Updates Control
____________________________________________________________________________________________________________________
By default Version 1 uses Broadcast to send its updates. Version 2 uses Multicast, with the destination address 224.0.0.9. If you need to send
the Updates only when something changes in the topology, there is an INTERFACE command "ip rip triggered":
(config-if)#ip rip triggered

There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). To achieve this you need to manually define
the neighbor using the "neighbor" command, and define the interface towards the defined neighbor as PASSIVE, to prevent the Multicast
Updates that are sent by default (If the interface is not defined as passive, both UNICAST and MULTICAST Updates will be sent).
There is also a way to force Broadcast Updates (IP 255.255.255.255 instead of the default multicast destination 224.0.0.9) in RIP Version 2, and
it's achieved using the Interface Command:
(config-if)#ip rip v2-broadcast

Another RIP-specific feature is injecting the default route using the "ip default-network" command. This is done in the Global Configuration
mode. Don't forget to advertise the network into the RIP process:
(config)#ip default-network 4.0.0.0
(config-router)#network 4.0.0.0

____________________________________________________________________________________________________________________
RIP: OFFSET LISTS
____________________________________________________________________________________________________________________
In the RIP Protocol the METRIC IS ACTUALLY the HOP COUNT, so if you want it to be UNREACHABLE - set METRIC to 16. RIP offset list is used to
INCREASE the Hop Count. Define the ACL (10 in this example), and set the Hop Count to be increased by a value, in this example 13:
(config-router)#offset-list 10 out 13 Fa0/0

Offset Lists work only with RIP and EIGRP
____________________________________________________________________________________________________________________
RIP: Update Source Control
____________________________________________________________________________________________________________________
RIP Validates the source for the Update packets, so they need to be from the same subnet as the interconnection is. If they are not, like in the
case the routes are sourced by a Loopback, you can force the route updates by turning off the Source IP Validation:
(config-router)#no validate-update-source

This way the RIP routes will be exchanged, but if the L3 Reachability is not established between the routers - the RIP routes will not be
reachable.
If you need to define the EXACT SOURCES (RIP Neighbors) you want to receive the RIP Updates from - use "gateway" word on a distribute-list.
This will work for RIP and EIGRP only.
Start by defining 2 PREFIX LISTS, one for WHERE you want updates from, another to filter WHICH UPDATES you want. Once you've got your Prefix Lists
configured, apply them via a Distribute List in the Router Configuration Mode:
(config-router)#distribute-list UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0


____________________________________________________________________________________________________________________
RIP: Route Summarizing
____________________________________________________________________________________________________________________
Done on the interface level:
(config-if)#ip summary-address rip 150.1.0.0 255.255.252.0

#show ip rip database
150.1.0.0/22 int-summary <-MANUAL SUMMARY

____________________________________________________________________________________________________________________
RIP: Route Filtering using Prefix Lists
____________________________________________________________________________________________________________________
PREFIX LISTS are used to implement the Route Filtering in RIP, and are applied via the DISTRIBUTION LISTS. The main trick is to wait for the
timer to END before checking if the filter worked, or even better CLEAR THE ROUTING TABLE. The same principle applies to most of the
Routing Protocols.
#clear ip route *

Step 1: Define the IP Prefix List. In this example we're allowing only the prefix 192.1.1.0/24, & denying everything else (remember this
structure for selecting ALL in a Prefix List: deny 0.0.0.0/0 le 32):
(config)#ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24
(config)#ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32
*NOTE that THERE IS A DEFAULT DENY ALL IN THE END, so the Second Entry was added ONLY FOR LOGGING

Step 2: Apply the filtering using the Distribution List within the Router Protocol configuration, in the INBOUND direction, meaning filter the
routes learned via RIP:
(config-router)#distribute-list prefix TEST_MAT_2 in

Step 3: Clear the routing table and check if the filtering has been applied correctly by reviewing the Routing Table
#clear ip route *

Also make sure how your Prefix List is doing:
#sh ip prefix-list detail
Prefix-list with the last deletion/insertion: TEST_MAT_2
ip prefix-list TEST_MAT_2:
count: 2, range entries: 1, sequences: 5 - 10, refcount: 3
seq 5 permit 192.1.1.0/24 (hit count: 37, refcount: 1)
seq 10 deny 0.0.0.0/0 le 32 (hit count: 595, refcount: 1) <-CHECK HOW MANY HITS PER ENTRY
*The HITS are actually from the ROUTING PROTOCOL UPDATE PACKETS
If you want to use PREFIX LISTS to filter, for example, all subnets that DO NOT belong to RFC 1918 class A:
ip prefix-list FILTER_A seq 5 permit 0.0.0.0/1 le 8 ge 8 <- CLASS A has a first bit 0, and Subnet Mask 8
So, check the following examples:
Class A would be: permit 0.0.0.0/1 ge 8 le 8
Class B would be: permit 128.0.0.0/2 ge 16 le 16
Class C would be: permit 192.0.0.0/3 ge 24 le 24
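To check a prefix list without a router, the Python below is an added example (not from these notes, not IOS code) that implements the IOS matching rules the section relies on: the candidate's high-order bits up to the entry's own length must match, with no ge/le the length must match exactly, "ge"/"le" open a length window, the lowest matching sequence wins, and an implicit deny sits at the end. It also keeps per-entry hit counts the way "show ip prefix-list detail" does. The entries are the ones from this section (TEST_MAT_2 and the three classful examples); the list name CLASSFUL that groups the class A/B/C entries is an assumed name.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Parses one IOS line: ip prefix-list NAME seq N permit|deny A.B.C.D/M [ge X] [le Y]
# (ge and le are accepted in either order, as IOS does).
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+/\d+)(?P<opts>(?:\s+(?:ge|le)\s+\d+)*)\s*$"
)


@dataclass
class PrefixEntry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None
    hits: int = 0

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # The candidate's high-order bits (up to this entry's own length) must match ...
        if not prefix.subnet_of(self.network):
            return False
        # ... and its length must fall inside the ge/le window. With neither
        # keyword IOS wants an exact length match; "ge X" alone means X..32.
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.network.prefixlen
        return lo <= prefix.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[PrefixEntry] = []

    def add(self, line: str) -> None:
        m = ENTRY_RE.match(line.strip())
        if not m or m["name"] != self.name:
            raise ValueError(f"not an entry of prefix-list {self.name}: {line!r}")
        opts = {k: int(v) for k, v in re.findall(r"(ge|le)\s+(\d+)", m["opts"])}
        self.entries.append(PrefixEntry(
            seq=int(m["seq"]), action=m["action"],
            network=ipaddress.IPv4Network(m["net"], strict=False),
            ge=opts.get("ge"), le=opts.get("le")))
        self.entries.sort(key=lambda e: e.seq)       # lowest sequence is tried first

    def evaluate(self, prefix: str) -> Tuple[str, Optional[int]]:
        """First matching sequence wins; no match hits the implicit deny (seq None)."""
        candidate = ipaddress.IPv4Network(prefix, strict=False)
        for entry in self.entries:
            if entry.matches(candidate):
                entry.hits += 1
                return entry.action, entry.seq
        return "deny", None

    def hit_counts(self) -> Dict[int, int]:
        """Per-sequence hit counters, like the 'hit count' column of the detail output."""
        return {e.seq: e.hits for e in self.entries}


def build_prefix_list(name: str, lines: List[str]) -> PrefixList:
    pl = PrefixList(name)
    for line in lines:
        pl.add(line)
    return pl


# Entries taken from this section of the notes.
TEST_MAT_2 = [
    "ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24",
    "ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32",
]
# The three classful examples, grouped under the assumed list name CLASSFUL.
CLASSFUL = [
    "ip prefix-list CLASSFUL seq 5 permit 0.0.0.0/1 ge 8 le 8",
    "ip prefix-list CLASSFUL seq 10 permit 128.0.0.0/2 ge 16 le 16",
    "ip prefix-list CLASSFUL seq 15 permit 192.0.0.0/3 ge 24 le 24",
]

if __name__ == "__main__":
    pl = build_prefix_list("TEST_MAT_2", TEST_MAT_2)
    for p in ("192.1.1.0/24", "192.1.1.0/25", "10.1.1.0/24"):
        print(p, "->", pl.evaluate(p))
    cl = build_prefix_list("CLASSFUL", CLASSFUL)
    for p in ("10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/16", "192.168.1.0/24"):
        print(p, "->", cl.evaluate(p))
    print("hits:", cl.hit_counts())
```

Note what the exact-length rule does to TEST_MAT_2: 192.1.1.0/25 is inside 192.1.1.0/24 but is NOT permitted by seq 5, it falls through to the deny on seq 10, which is the behaviour you want to verify with "show ip prefix-list detail" after clearing the routing table.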

____________________________________________________________________________________________________________________
OSPF
____________________________________________________________________________________________________________________
OSPF Multicasts: 224.0.0.5 sends Hello packets to all OSPF routers on a network segment; 224.0.0.6 sends info to the DR.
TIP: When using BROADCAST and NON-BROADCAST in order to PEER you MUST ADJUST THE TIMERS!!!
TIP: When you need to do a CONDITION, like do something if a certain route exists in a routing table - just use the PREFIX-LIST, and match it
in the route-map "match ip address prefix-list ROUTE_EXISTS"
TIP: When you have the L2 tunnel directly attached to an OSPF interface, better configure ignoring of MTU:
(config-if)#ip ospf mtu-ignore

TIP: To IGNORE stuff in the ospf, like LSA6 (MOSPF), under the routing process:
(config-router)#ignore lsa mospf

WHEN you need to advertise Loopbacks with the CORRECT MASKS, be sure to do "ip ospf network point-to-point", otherwise it will be sent
with /32 (/32 Might be required for Multicast or MPLS, so be careful with this!)
____________________________________________________________________________________________________________________
OSPF over Frame-Relay, focus on Network Types
____________________________________________________________________________________________________________________
TIP: Revise DR->"neighbor" command->TIMERS
Don't forget that in Frame-Relay the "broadcast" keyword is defined on the MAPs BETWEEN THE HUB AND A SPOKE, ON BOTH SIDES of the PVC!!! What this does is tell
the router "Hey, if you have any broadcast/multicast messages, go ahead and send them down this DLCI as a unicast". So basically it is a way to send
broadcast messages over a non-broadcast medium. Don't include "broadcast" on the SPOKE-to-SPOKE maps, as the Hellos won't be able to traverse the
HUB anyway (the hub does not forward the OSPF multicasts between the spokes at L2).
Type 1: NON-BROADCAST - use the "neighbor" command on the HUB so OSPF sends UNICAST Hellos
OSPF uses Multicast, which the router treats as a kind of Broadcast. Due to the non-broadcast nature of Frame-Relay this is the DEFAULT OSPF network type
on a multipoint FR interface.
- Set the OSPF Priority to 0 on all the SPOKEs, so the HUB is elected as the DR, and the SPOKEs are neither DR nor BDR
- The Non-broadcast network type in OSPF uses slow timers, meaning 30 second hello and 120 second dead-time. Here it will not affect us, as all
neighbors use the same network type and therefore the same timers.
Type 2: BROADCAST - two important things:
- As BROADCAST is meant to be FASTER, timers are 10/40 seconds by default
- Include "broadcast" when mapping the DLCI to the IP. Also set the SPOKEs' OSPF Priority to 0, we don't want them to be DR
Type 3: POINT-TO-POINT
- Really simple, POINT-TO-XXX (P2P or P2MP) does not do the DR/BDR election
- Timers 10/40 seconds for P2P (P2MP uses the slow 30/120 timers, see below)
TIP: When doing HUB-AND-SPOKE, configure Point-to-Multipoint on the HUB, and ADJUST THE TIMERS on the spokes if they stay Point-to-Point!!!


Type 4: POINT-TO-MULTIPOINT
No DR, no "neighbor" commands. Slow timers (30 second hello / 120 second dead). "broadcast" is mandatory on the FR Mappings, as the Hellos are multicast!!!
The HUB will just advertise the routes learned from ONE SPOKE to the other, as if it were the DR. Every router also advertises a /32 host route for each of
its P2MP neighbors, so spoke-to-spoke traffic is routed via the HUB.
!!!The HUB needs a multipoint interface (the Physical Interface or a .multipoint Sub-interface), because it terminates several DLCIs; on the SPOKES you can do .multipoint or the Physical Interface.
Type 5: POINT-TO-MULTIPOINT NON-BROADCAST
Cisco Proprietary, like P2MP, but NO BROADCASTS/MULTICASTS are used: the neighbors are defined statically with the "neighbor" command and the Hellos are unicast. Timers are still slow, 30 and 120 Seconds.
The Next Hop is ALWAYS the router you are directly connected to (the HUB).
(config-if)#ip ospf network point-to-multipoint non-broadcast

____________________________________________________________________________________________________________________
OSPF: Configuration on INTERFACE LEVEL
____________________________________________________________________________________________________________________
The routes can be advertised using the "network" command, but there is also another way. You can do an entire OSPF configuration on the
Interface Level:
(config-if)#ip ospf network point-to-point
(config-if)#ip ospf 1 area 0

This will automatically CREATE the OSPF process on the router:
#sh run | s router ospf
router ospf 1
log-adjacency-changes

Even so, you should define the "router ospf 1" process (ideally together with a fixed "router-id") in Global Configuration mode before the interface command (it's not necessary for the OSPF
PEERING, but it avoids having to restart the OSPF process later because the Router ID changed). As the interface is defined as a P2P network - DR and BDR election will
not take place.
The state of all the OSPF Neighbors will be "FULL/-", as presented below:
#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:30 10.1.23.3 GigabitEthernet0/0
1.1.1.1 0 FULL/ - 00:00:34 10.1.12.1 Serial1/0

This way the interface is configured to belong to Area 0, and the interface Subnet is "injected" into the OSPF Area. If
there is a SECONDARY IP configured on the interface - it is also advertised. If you do NOT want to advertise the Secondary IP, you
can use the following option of the OSPF interface command:
(config-if)#ip ospf 1 area 0 secondaries none

____________________________________________________________________________________________________________________
OSPF: Timers
____________________________________________________________________________________________________________________
Standard commands for setting the OSPF timers are "ip ospf hello-interval" and "ip ospf dead-interval" on the interface level. If you
need a hello smaller than 1 second, use the following ("minimal" sets the dead interval to 1 second, and the multiplier is the number of Hellos per second, here 4 = one every 250 ms):
(config-if)#ip ospf dead-interval minimal hello-multiplier 4
*HELLO AND DEAD VALUES MUST MATCH BETWEEN THE NEIGHBORING INTERFACES, otherwise the Hellos are discarded and the adjacency never forms
When an ACK hasn't been received for an LSA, the router keeps the LSA, and the default is to wait 5 secs before re-sending it. To change:
(config-if)#ip ospf retransmit-interval 10
retransmit-interval Time between retransmitting lost link state advertisements

____________________________________________________________________________________________________________________
OSPF: Authentication
____________________________________________________________________________________________________________________
You can enable OSPF Authentication:
1. Globally on the Router, in the "router ospf" configuration, so it's enabled on all the Interfaces in that area:
(config-router)#area 0 authentication <- Plain Text Authentication
(config-router)#area 0 authentication message-digest <- MD5 Authentication

2. Directly on the Interface (the interface setting overrides the area setting)
(config-if)#ip ospf authentication message-digest <-MD5 Authentication

OSPF supports two types of Authentication:
1. Plain Text (up to 8 characters = 64-bit Password). The password travels IN THE CLEAR in the header of every OSPF packet, so this only protects against accidental peering, not against anyone who can sniff the segment:
(config-if)#ip ospf authentication-key ^&*(^*&&%

2. MD5 (Key ID + up to 16 characters = 128-bit Key). The key never leaves the router; only an MD5 digest over (packet + key) and a cryptographic sequence number are sent, which also gives some replay protection:
(config-if)#ip ospf message-digest-key 1 md5 ^&*^&^*
*MD5 is not considered strong anymore; newer IOS (15.4(1)T and later) also supports HMAC-SHA through "ip ospf authentication key-chain", prefer that where available.

To DISABLE the authentication on an interface:
(config-if)#ip ospf authentication null

Check what type of OSPF Authentication has been configured (the Key/Password itself is NOT displayed here; it sits in the running-config, at best obfuscated as type 7 if "service password-encryption" is on):
#show ip ospf interface s1/0.12 | b authentic
Simple password authentication enabled

When you need to CHANGE the MD5 KEY without service interruption, configure the 2nd KEY on all routers of the segment, and only then remove the 1st:
(config-if)#ip ospf message-digest-key 2 md5 SECOND_KEY
*While two keys are configured the router sends every packet twice (once per key) until it sees all its neighbors using the newest key; sending then uses the YOUNGEST KEY (the one configured last). Remove the old key afterwards, otherwise it stays valid for incoming packets.
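To see what the two authentication types actually put on the wire, here is an added example (not from the original notes) that builds an OSPFv2 Hello and applies RFC 2328 Appendix D authentication to it: with AuType 1 the password is copied into the 8-byte header field as-is, with AuType 2 only MD5(packet || key) plus a key ID and sequence number are sent, and the receiving side checks the digest and the sequence number the way a router does. The addresses, the key ID 1 and the key "cisqueros" are constructed sample values.

```python
"""OSPFv2 authentication on the wire (RFC 2328 Appendix D). Constructed sample data."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
OSPF_VERSION, OSPF_HELLO = 2, 1


def ospf_header(length, router_id, area_id, checksum, autype, auth8):
    """24-byte OSPFv2 header; auth8 is the 8-byte Authentication field."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, length,
                       IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                       checksum, autype, auth8)


def hello_body(mask, hello, dead, prio, dr, bdr, neighbors):
    """Hello payload: mask, HelloInterval, Options (E bit), priority, DeadInterval, DR, BDR, neighbors."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, 0x02, prio, dead,
                       IPv4Address(dr).packed, IPv4Address(bdr).packed)
    return body + b"".join(IPv4Address(n).packed for n in neighbors)


def ospf_checksum(pkt):
    """16-bit one's-complement checksum over the packet, excluding the 8-byte Authentication field."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def simple_auth(packet, password):
    """AuType 1: checksum computed with the auth field zeroed, then the password is copied in verbatim."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 bytes")
    pkt = packet[:12] + struct.pack("!HH", 0, AUTH_SIMPLE) + bytes(8) + packet[24:]
    pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt[:16] + password.ljust(8, b"\x00") + pkt[24:]


def md5_sign(packet, key_id, key, seq):
    """AuType 2: checksum 0, auth field = 0x0000 | KeyID | AuthLen(16) | CryptoSeq, digest appended."""
    if len(key) > 16:
        raise ValueError("MD5 key is at most 16 bytes")
    auth8 = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = packet[:12] + struct.pack("!HH", 0, AUTH_CRYPTO) + auth8 + packet[24:]
    digest = hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    return pkt + digest  # the header Length field does not cover the 16-byte digest


def md5_verify(wire, keys, last_seq):
    """Receiver side. keys: {key_id: key}; last_seq: {router_id: last accepted seq}, updated on success.
    Returns 'ok' or the reason for discarding the packet."""
    if len(wire) < 24 + 16:
        return "short"
    version, _ptype, length = struct.unpack("!BBH", wire[:4])
    if version != OSPF_VERSION or length + 16 != len(wire):
        return "length"
    router_id = str(IPv4Address(wire[4:8]))
    if struct.unpack("!H", wire[14:16])[0] != AUTH_CRYPTO:
        return "autype"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != 16 or key_id not in keys:
        return "key"
    packet, digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + keys[key_id].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):  # constant-time compare
        return "digest"
    # RFC 2328 D.4.3: discard only if seq is LOWER than the last one seen, so an exact
    # replay carrying the same seq is still accepted; this is not strong replay protection.
    if seq < last_seq.get(router_id, 0):
        return "replay"
    last_seq[router_id] = seq
    return "ok"


def demo():
    """Constructed exchange: R1 (1.1.1.1) on 10.1.1.0/24 sends Hellos naming neighbor 2.2.2.2."""
    body = hello_body("255.255.255.0", 10, 40, 1, "10.1.1.1", "0.0.0.0", ["2.2.2.2"])
    base = ospf_header(24 + len(body), "1.1.1.1", "0.0.0.0", 0, AUTH_NULL, bytes(8)) + body
    keys = {1: b"cisqueros"}  # hypothetical, as if "ip ospf message-digest-key 1 md5 cisqueros"
    state, results = {}, {}
    signed = md5_sign(base, 1, keys[1], seq=1000)
    results["valid"] = md5_verify(signed, keys, state)
    results["tampered"] = md5_verify(signed[:27] + b"\xff" + signed[28:], keys, state)  # flip a mask byte
    results["wrong_key"] = md5_verify(signed, {1: b"other-key"}, state)
    results["replay"] = md5_verify(md5_sign(base, 1, keys[1], seq=999), keys, state)
    results["password_on_wire"] = b"s3cret" in simple_auth(base, b"s3cret")
    return results


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:18} {verdict}")
```

The `password_on_wire` check is the whole argument against plain-text authentication: the password is a substring of every packet. The replay comment matches the RFC rule, which is why IOS derives the sequence number from the clock rather than a counter.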
____________________________________________________________________________________________________________________
OSPF: Route Redistribution
____________________________________________________________________________________________________________________
(config-router)#redistribute eigrp 1 subnets
- Be sure to include the keyword "subnets", otherwise ONLY the classful networks get redistributed!
- By default the routes are redistributed into OSPF with Metric 20 (Metric 1 when redistributing from BGP), Metric-type 2 (E2, the cost does not grow along the path). AD is still 110.
You can define the MAXIMUM NUMBER of prefixes to be redistributed into OSPF, and the % at which to give the first warning message. Here a MAX of
10 prefixes can be redistributed, and at 70% of that a Warning Message is displayed ("warning-only" means the limit is only logged, not enforced):
(config-router)#redistribute maximum-prefix 10 70 warning-only


____________________________________________________________________________________________________________________
OSPF Route Summarization
____________________________________________________________________________________________________________________
This is done under the ROUTING PROCESS configuration. The routing process auto-injects a DISCARD ROUTE (Null0) for the summary to avoid routing loops.
ABR for the Internal Routes, using the "AREA X RANGE" command
(config-router)#area 2 range 4.4.0.0 255.255.252.0 advertise cost 10

ASBR for the External (redistributed into OSPF) Routes, using the "summary-address" command
(config-router)#summary-address 4.4.0.0 255.255.252.0

If you want to prevent the Null0 route from being installed in the routing table, just disable the discard-route:
(config-router)#no discard-route [internal | external] <- INTERNAL on the ABR, EXTERNAL on the ASBR

____________________________________________________________________________________________________________________
OSPF Virtual Link
____________________________________________________________________________________________________________________
A Virtual Link is configured between two ABRs that share a non-backbone TRANSIT area; one of them must be connected to Area 0 (Backbone Area), physically or through another
Virtual Link, and the transit area can NOT be a Stub/NSSA. Once it's configured - a new OSPF neighbor will be added as a Virtual-Link neighbor (logically an Area 0 adjacency):
#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 0 FULL/ - 00:00:05 10.1.34.4 OSPF_VL0 <--- VIRTUAL LINK NEIGHBOR
2.2.2.2 0 FULL/ - 00:00:30 10.1.23.2 Serial1/0.32
4.4.4.4 0 FULL/ - 00:00:34 10.1.34.4 Serial1/0.34

Can multiple Virtual Links be formed? YES!!! So for example if we have the following scenario:
Cisqueros_R1 - Area 0 - Cisqueros_R2 - Area 1 - Cisqueros_R3 - Area 2 - Cisqueros_R4 - Area 3 - Cisqueros_R5
We would need to create 2 virtual links:
- AREA 1 VIRTUAL LINK between Cisqueros_R2 and Cisqueros_R3 so that Area 2 has communication with Area 0
- AREA 2 VIRTUAL LINK between Cisqueros_R3 and Cisqueros_R4 so that Area 3 can communicate with Area 2 (now virtually attached to the backbone), and therefore with Area 0
Cisqueros_R2:
(config-router)#area 1 virtual-link 3.3.3.3

Cisqueros_R3:
(config-router)#area 1 virtual-link 2.2.2.2
(config-router)#area 2 virtual-link 4.4.4.4

Cisqueros_R4:
(config-router)#area 2 virtual-link 3.3.3.3
Let's check the OSPF Neighbors again on Cisqueros_R3 router:
#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - - 10.1.23.2 OSPF_VL1
4.4.4.4 0 FULL/ - - 10.1.34.4 OSPF_VL0
2.2.2.2 0 FULL/ - 00:00:34 10.1.23.2 Serial1/0.32
4.4.4.4 0 FULL/ - 00:00:33 10.1.34.4 Serial1/0.34

Check the Virtual Link Details:
#show ip ospf virtual-links

Have in mind that routers Cisqueros_R3 and Cisqueros_R4 are now VIRTUALLY connected to Area 0, so if you enable the authentication for Area 0 on Cisqueros_R1 and
Cisqueros_R2 ("area 0 authentication"), you also must enable it on Cisqueros_R3 and Cisqueros_R4 FOR AREA 0, because the Virtual Link IS an Area 0 interface!!!
The key for the Virtual Link itself is configured on the virtual-link command (both ends must match):
(config-router)#area 1 virtual-link 2.2.2.2 authentication message-digest
(config-router)#area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 VL_KEY <- or "authentication-key WORD" for Plain Text
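The chained scenario above (R1-Area0-R2-Area1-R3-Area2-R4-Area3-R5) follows a simple rule: walk outward from the backbone and, for every ABR that is not yet backbone-connected but shares a regular (non-stub) area with one that is, create a virtual link through that shared area. The following is an added example (not from the original notes) that applies the rule to the Cisqueros router IDs, renders the resulting "area X virtual-link" commands for each router, and shows that making Area 1 a stub leaves Areas 2 and 3 unreachable because a stub area cannot be a transit area. The topology dictionary is constructed sample data.

```python
"""Plan OSPF virtual links from an ABR/area map. Constructed sample data, not a real network."""


def plan_virtual_links(routers, stub_areas=frozenset()):
    """routers: {router_id: set(area_ids)}. Returns (links, unreachable_areas).
    links: [(transit_area, backbone_side_rid, far_side_rid), ...] in creation order.
    unreachable_areas: areas no legal virtual link can attach to the backbone."""
    backbone = {rid for rid, areas in routers.items() if 0 in areas}
    connected = set().union(*(routers[rid] for rid in backbone))
    links = []
    progress = True
    while progress:
        progress = False
        for rid, areas in sorted(routers.items()):
            if rid in backbone or not (areas - connected):
                continue  # already connected, or brings no new area (an internal router)
            # a transit area must be shared with the backbone side and must NOT be stub/NSSA
            for transit in sorted((areas & connected) - set(stub_areas)):
                peer = min(r for r in backbone if transit in routers[r])
                links.append((transit, peer, rid))
                backbone.add(rid)
                connected |= areas
                progress = True
                break
    every_area = set().union(*routers.values())
    return links, sorted(every_area - connected)


def ios_commands(links):
    """Render the plan as 'area X virtual-link RID' lines per router (both ends of each link)."""
    cfg = {}
    for transit, near, far in links:
        cfg.setdefault(near, []).append(f"area {transit} virtual-link {far}")
        cfg.setdefault(far, []).append(f"area {transit} virtual-link {near}")
    return cfg


# Constructed scenario from the notes: R1 - Area 0 - R2 - Area 1 - R3 - Area 2 - R4 - Area 3 - R5
TOPOLOGY = {
    "1.1.1.1": {0},
    "2.2.2.2": {0, 1},
    "3.3.3.3": {1, 2},
    "4.4.4.4": {2, 3},
    "5.5.5.5": {3},
}

if __name__ == "__main__":
    links, missing = plan_virtual_links(TOPOLOGY)
    for rid, lines in ios_commands(links).items():
        print(f"{rid}:\n  " + "\n  ".join(lines))
    print("with Area 1 as stub:", plan_virtual_links(TOPOLOGY, stub_areas={1}))
```

Run stand-alone it prints the same two commands per router that the notes configure by hand on R2, R3 and R4, and nothing for R1 and R5, which need no virtual link.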

____________________________________________________________________________________________________________________
OSPF Cost
____________________________________________________________________________________________________________________
NLRI - Network Layer Reachability Information
OSPF routes are selected based on their metric, where the Metric (Cost) is calculated only from the Link Bandwidth:
Cost = Reference BW / Interface BW = 100 Mbps / BW[Mbps] by default (rounded down, minimum 1)
There are two things you could play with here:
1. Set the REFERENCE BW (because with the default formula the MINIMUM cost is 1, so 100M, 1G and 10G links all get the same cost 1, and we don't want that). Use the
SAME value on ALL routers in the domain, and dont forget to clear the OSPF process in order for the changes to take effect:
(config-router)#auto-cost reference-bandwidth 10000 <--- it's in Mbps
#clear ip ospf process

2. Directly change the COST in the Interface Configuration
(config-if)#ip ospf cost 20
#show ip ospf inter Lo0 | i Cost
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 20

Then check the metric on the OSPF Neighbor:
#show ip route 1.0.0.0
Routing entry for 1.0.0.0/8
Known via "ospf 1", distance 110, metric 84, type intra area
Last update from 10.1.12.1 on Serial1/0.21, 00:02:31 ago
Routing Descriptor Blocks:
* 10.1.12.1, from 1.1.1.1, 00:02:31 ago, via Serial1/0.21
Route metric is 84, traffic share count is 1

Metric is 84 = 64 (the cost of the Serial interface between routers 1 and 2) + 20 (the Cost of the Loopback0 interface on Router 1). The default
cost of the Loopback interface is 1, so compared to the default the metric actually increased by 20-1 = 19
____________________________________________________________________________________________________________________
Redirecting Traffic (FORCING A PATH)
____________________________________________________________________________________________________________________
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-4t/iro-stub-router.html
The "max-metric router-lsa" command makes the router originate its Router LSA with the maximum metric (0xFFFF = 65535) on its transit links. This way the other routers DON'T
PREFER this router as a TRANSIT HOP (it stays reachable, just maximally expensive), which is the clean way to pull a router out of the forwarding path for maintenance, or until BGP has converged after a reboot:
(config-router)#max-metric router-lsa [on-startup {seconds | wait-for-bgp}] <- no argument = immediately (graceful maintenance), "on-startup" = only for a period after boot



____________________________________________________________________________________________________________________
OSPF and the GRE Tunnels
____________________________________________________________________________________________________________________
In this example there is a need to establish connectivity between some OSPF Areas that are not connected to Area 0, and we do not
want to use Virtual Links. GRE is a pretty simple concept, where you basically create a TUNNEL between 2 points and extend Area 0 to
the other end of the tunnel. To configure it, do on BOTH ENDS of the tunnel:
Step 1. Create a Tunnel Interface and assign the IP Address
(config)#int tunnel 1
(config-if)#ip add 172.25.185.3 255.255.255.0

Step 2. Define the SOURCE and the DESTINATION of the tunnel, MAKE SURE THESE ARE REACHABLE - and reachable WITHOUT going through the tunnel itself, otherwise
you get "recursive routing" and the tunnel flaps (never let the transport subnet, here 100.10.34.0/24, be learned via the tunnel)
(config-if)#tunnel source 100.10.34.3
(config-if)#tunnel destination 100.10.34.4

If we are using OSPF then the Tunnel subnet needs to be advertised with the "network" command on both ends of the tunnel:
(config-router)#network 172.25.185.0 0.0.0.255 area 0
*The Tunnel interface MUST be put into Area 0 on BOTH ENDS OF THE TUNNEL, the tunnel IS the Area 0 link!!! GRE itself adds no encryption or authentication, so Area 0 is now
extended over whatever carries the tunnel; use OSPF authentication on the tunnel interface as well.

You will see that the OSPF Neighbor will be formed on the Tunnel 1 interface.
#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:38 172.25.185.3 Tunnel1
3.3.3.3 0 FULL/ - 00:00:38 100.10.34.3 Serial1/0.43
5.5.5.5 1 FULL/DR 00:00:38 100.10.45.5 GigabitEthernet5/12

____________________________________________________________________________________________________________________
OSPF LSA Types and AREA TYPES
____________________________________________________________________________________________________________________
First let's make sure we're comfortable with the LSA types, because you will not understand Stubs before you understand all the LSAs and who
exactly CREATES and ADVERTISES each type. LSA is the OSPF Link State Advertisement; each LSA has an LSID (Link State ID, i.e. what the LSA describes: the Router-ID
for LSA1, the DR's interface IP for LSA2, the network for LSA3/5/7, the ASBR's Router-ID for LSA4)
LSA 1 - Router LSA, One per Router per Area (Generated by Each Router), flooded inside the area only
LSA 2 - Network LSA, One per multi-access Network (Generated by the DR), flooded inside the area only
LSA 3 - Summary LSA, one per inter-area prefix (generated by the ABR from the LSAs 1 and 2 of one area and injected into the other Areas).
LSA3 = Subnet + Mask + Cost to reach the Network
LSA 4 - ASBR Summary LSA, One per ASBR (Generated by the ABR, NOT by the ASBR, to tell the other areas how to reach the ASBR)
LSA 5 - External LSA, routes injected into OSPF from another routing process (non-OSPF), Generated by the ASBR, flooded through all non-stub areas
LSA 6 - Group Membership LSA, used for Multicast OSPF (MOSPF). It's not supported by Cisco
Cisco routers do not support LSA Type 6 Multicast OSPF (MOSPF), and they generate syslog messages if they receive such packets. If the router
is receiving many MOSPF packets, you might want to configure the router to ignore the packets and thus prevent a large number of syslog
messages. To disable SYSLOG generation (IGNORE LSA Type-6):
(config-router)#ignore lsa mospf

LSA 7 - NSSA External, Generated by the ASBR inside the NSSA instead of LSA 5 (details explained below, NSSA Section)
LSA 8 - External Attributes LSA, not implemented by Cisco
LSA 9-11 - Opaque LSAs (link-local, area and AS scope); these ARE used by Cisco, e.g. for MPLS Traffic Engineering and Graceful Restart

Check the LSA Statistics using the command:
(config-router)#do show ip ospf stat
OSPF Router with ID (3.3.3.3) (Process ID 1)
Area 0: SPF algorithm executed 4 times
Summary OSPF SPF statistic
SPF calculation time
Delta T Intra D-Intra Summ D-Summ Ext D-Ext Total Reason
00:22:26 0 0 0 0 0 0 0 R
00:22:16 0 0 0 0 0 0 0 R
00:21:47 0 0 0 0 0 0 0 R, N, SN
00:20:01 0 0 0 0 0 0 0 R, SN

Check the OSPF DATABASE and all the LSAs currently in it:
#show ip ospf database
OSPF Router with ID (3.3.3.3) (Process ID 1)
Router Link States (Area 0) <- LSA1
Link ID ADV Router Age Seq# Checksum Link count
2.2.2.2 2.2.2.2 79 0x80000003 0x000E94 2
3.3.3.3 3.3.3.3 78 0x80000007 0x006F2C 4
4.4.4.4 4.4.4.4 52 0x80000004 0x007781 3
Net Link States (Area 0) <- LSA2
Link ID ADV Router Age Seq# Checksum
10.1.23.3 3.3.3.3 78 0x80000001 0x00658F
Summary Net Link States (Area 0) <- LSA3
Link ID ADV Router Age Seq# Checksum
1.1.1.0 2.2.2.2 124 0x80000002 0x00B33C
2.2.2.0 2.2.2.2 124 0x80000002 0x000D20
10.1.12.0 2.2.2.2 124 0x80000002 0x00BA22
10.1.45.0 4.4.4.4 43 0x80000001 0x00F5F4
44.4.4.0 4.4.4.4 43 0x80000001 0x008077
Router Link States (Area 1) <- LSA1
Link ID ADV Router Age Seq# Checksum Link count
3.3.3.3 3.3.3.3 89 0x80000007 0x00AC78 0
Router Link States (Area 2) <- LSA1
Link ID ADV Router Age Seq# Checksum Link count
3.3.3.3 3.3.3.3 90 0x80000006 0x00AE77 0

To LIMIT the LSAs that can be STORED IN THE LOCAL DATABASE:
(config-router)#max-lsa 900 ?
<1-100> Threshold value (%) at which to generate a warning msg
ignore-count maximum number of times adjacencies can be suppressed
ignore-time time during which all adjacencies are suppressed
reset-time time after which ignore-count is reset to zero
warning-only Only give warning message when limit is exceeded
<cr>





____________________________________________________________________________________________________________________
OSPF STUBS
____________________________________________________________________________________________________________________
STUB Area - Blocks OSPF External Routes: no LSA5 enters the area, and since there are no externals to reach, the LSA4 (ASBR summaries) are blocked too. Everything originated by an ASBR stays outside.
Totally-Stubby Area is a STUB Area with no LSA3 either (the Summary LSAs originated by the ABR). The ABR generates a DEFAULT ROUTE (as an LSA3) and advertises it
into the Totally Stubby area. The "no-summary" keyword is ONLY necessary on the ABR, because the ABR is the only router that actually originates
the LSA 3.
NSSA Area - Like a STUB (blocks LSA4&5), but REDISTRIBUTION is allowed inside the NSSA area, using LSA7. The ASBR generates LSA
type 7 instead of LSA 5, because LSA 5 is not allowed in an NSSA. Then the ABR translates it into an LSA 5 on the way out of the NSSA into the
regular OSPF Areas. Inside the NSSA these routes are shown as "N1 or N2" in the routing table, outside as E1/E2:
(config-router)#do sh ip route | i E1|E2|N
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
O N2 11.1.0.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2 11.1.1.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2 11.1.2.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2 11.1.3.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21

When you need the ABR to also inject the DEFAULT ROUTE into the NSSA, use on the ABR:
(config-router)#area X nssa default-information-originate
*The Default Route will be injected as an LSA7 (N2 route), as in an NSSA the LSA5 is not allowed
**When it's a "Totally Stubby NSSA" there's no need for this, because "no-summary" ALWAYS generates a default route (as an LSA3)!

NSSA Totally Stubby Area - NSSA without LSA3, which ALSO originates the default route by default (that is what "no-summary" does)
IMPORTANT: Stub Areas (any flavour) can NOT be the transit area of a VIRTUAL LINK!!! The only way to solve this is a Tunnel
No LSA 5 (E1 and E2) is advertised into a Stub Area by the ABRs. The ABR injects a DEFAULT ROUTE (with Cost 1) into the Stub Area, to reach the external routes. You cannot run
a Virtual Link through it, but a GRE Tunnel is an option. A STUB Area cannot contain an ASBR (LSA5 can't be originated there; if you need that, make it an NSSA). The Backbone Area
cannot be a STUB. To configure an area as a Stub, configure on ALL ROUTERS in the Area (the stub flag in the Hello must match, otherwise no adjacency forms):
(config-router)#area X stub

When you apply the STUB configuration on 1 router within an AREA, its neighbors go down (stub flag mismatch in the Hello Options). Then apply it on the others, and observe the
ADJACENCY DEBUG ("debug ip ospf adj"):
319: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1001 opt0x50 flag 0x7 len 32 mtu 1500 state INIT
319: OSPF: 2 Way Communication to 2.2.2.2 on Serial1/0.12, state 2WAY
319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Prepare dbase exchange
319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1000 opt 0x50 flag 0x7 len 32
319: OSPF: NBR Negotiation Done. We are the SLAVE
319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Summary list built, size 12
319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1001 opt 0x50 flag 0x2 len 272
515: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1002 opt0x50 flag 0x1 len 272 mtu 1500 state EXCHANGE
515: OSPF: Exchange Done with 2.2.2.2 on Serial1/0.12
515: OSPF: Send LS REQ to 2.2.2.2 length 120 LSA count 10
515: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1002 opt 0x50 flag 0x0 len 32
735: OSPF: Rcv LS UPD from 2.2.2.2 on Serial1/0.12 length 328 LSA count 10
735: OSPF: Synchronized with 2.2.2.2 on Serial1/0.12, state FULL
735: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial1/0.12 from LOADING to FULL, Loading Done
735: OSPF: Rcv LS REQ from 2.2.2.2 on Serial1/0.12 length 60 LSA count 3
*Oct 5 11:04:08.235: OSPF: Build router LSA for area 1, router ID 1.1.1.1, seq0x80000005, process 1
#u all <- short for "undebug all"
All possible debugging has been turned off

If you need to change the cost of the DEFAULT ROUTE Injected by default by ABR into the STUB Area:
(config-router)#area X default-cost 10 <- Change COST from 1 (default) to 10


____________________________________________________________________________________________________________________
OSPF Route Filtering
____________________________________________________________________________________________________________________
1. DISTRIBUTE LIST - Filters routes out of the local Routing Table, but the LSAs stay in the OSPF Database. You can use an IN or OUT filter, but have in
mind that in OSPF a distribute-list OUT only applies to routes being REDISTRIBUTED INTO OSPF, so it only works on an ASBR, for LSA5 and
7!!! The easiest way to stop OSPF routes from being added to the Routing Table is the distribute-list IN. A DISTRIBUTE-LIST IN only affects the local
router!!! Meaning - the LSAs are still flooded to the other routers; the subnets are only filtered out of the local IP ROUTING TABLE
The advantage is that it's rather easy to implement, and it can filter routes coming from any type of LSA:
(config-router)#distribute-list prefix MY_PREFIX_LIST in <-OUT would only work on an ASBR TO FILTER LSA5 & LSA7

The big CON is that even though the Route is not added to the Routing Table - it stays in the database, and it is further propagated to
the other OSPF Neighbors. The route will therefore appear in the Routing Table of the downstream routers, but it will be a black hole, as the filtering router along the
path does not have it in its Routing Table.
The second way is reserved ONLY for the External Routes, and it's the "not-advertise" keyword on the "summary-address" command:
(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- NEEDS TO BE APPLIED ON THE ASBR

2. FILTER LIST - Filters only LSA3, so only on the ABR, but it filters from the OSPF Database (the LSA3 is never flooded into/out of the area). The Filter-list can be applied: IN - into the area, OUT - out of
the area. This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Let's say that we want to filter the
network 172.25.185.0/24 from Area 2. Then on the ABR we define a prefix list that DENIES that network and ALLOWS everything else
(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32

Then apply the prefix-list as a filter-list within a OSPF configuration process for Area 2:
(config-router)#area 2 filter-list prefix JEDANES in

This prevents the network from being advertised into Area 2 (it is a normal inter-area LSA3, not a redistributed route). Note that IN/OUT means that the LSA3 is being advertised into or out
of AREA 2.
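Both the classful prefix-list entries at the start of this page section ("0.0.0.0/1 ge 8 le 8" and friends) and the JEDANES list above rely on the same IOS matching rule: the candidate route's first bits must equal the typed prefix, and its mask length must fall inside the ge/le window (exact length when neither is given, ge..32 when only ge is given, len..le when only le is given). The following is an added example (not from the original notes) implementing that rule with first-match evaluation, an implicit deny and per-entry hit counting; the prefix-list text is the one from the notes, the candidate routes are constructed. Note in particular that the JEDANES deny does NOT catch the more specific 172.25.185.0/25.

```python
"""IOS prefix-list matching semantics. The candidate routes are constructed sample data."""
from ipaddress import ip_network


def parse_prefix_list(text):
    """Return {name: [(seq, action, network, min_len, max_len), ...]} sorted by seq.
    IOS: no ge/le -> exact length; ge only -> [ge, 32]; le only -> [len, le]; both -> [ge, le]."""
    lists = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            raise ValueError(f"unsupported line: {line}")
        name, seq, action = tok[2], int(tok[4]), tok[5]
        net = ip_network(tok[6], strict=False)
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))  # {"ge": x, "le": y}
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        if not net.prefixlen <= lo <= hi <= 32:  # IOS rejects e.g. "10.0.0.0/16 ge 8"
            raise ValueError(f"invalid ge/le range in: {line}")
        lists.setdefault(name, []).append((seq, action, net, lo, hi))
    return {name: sorted(entries) for name, entries in lists.items()}


def evaluate(entries, route, hits=None):
    """First-match evaluation of one route 'a.b.c.d/len'. Returns (action, seq);
    seq is None for the implicit deny at the end. hits counts matches per seq."""
    cand = ip_network(route, strict=False)
    for seq, action, net, lo, hi in entries:
        # first net.prefixlen bits equal (address inside net) AND mask length inside the window
        if cand.network_address in net and lo <= cand.prefixlen <= hi:
            if hits is not None:
                hits[seq] = hits.get(seq, 0) + 1
            return action, seq
    return "deny", None


# The lists from the notes: classful matching and the JEDANES filter-list
PREFIX_LISTS = """
ip prefix-list CLASSFUL seq 10 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list CLASSFUL seq 20 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list CLASSFUL seq 30 permit 192.0.0.0/3 ge 24 le 24
ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32
"""


def demo():
    """Run constructed candidate routes through both lists; returns (classful, jedanes, hits)."""
    lists = parse_prefix_list(PREFIX_LISTS)
    hits = {}
    classful = {r: evaluate(lists["CLASSFUL"], r, hits) for r in
                ["10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/16", "192.168.1.0/24", "224.0.0.0/4", "0.0.0.0/0"]}
    jedanes = {r: evaluate(lists["JEDANES"], r) for r in
               ["172.25.185.0/24", "172.25.185.0/25", "172.25.0.0/16"]}
    return classful, jedanes, hits


if __name__ == "__main__":
    classful, jedanes, hits = demo()
    for name, res in (("CLASSFUL", classful), ("JEDANES", jedanes)):
        for route, (action, seq) in res.items():
            print(f"{name:9} {route:18} {action:6} seq {seq}")
    print("hits per seq:", hits)
```

If you really want to block 172.25.185.0/24 and everything under it, the deny entry needs "le 32" too; that is the kind of hole this evaluator makes visible before you apply the filter-list on the ABR.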
3. NOT-ADVERTISE on "area X range" - Suppresses the LSA3 that the ABR would generate for the intra-area routes (from LSA types 1 and 2) of that area, so it filters
from both the OSPF Database of the other areas and their routing tables. The same keyword exists on "summary-address" (ASBR) for the externals. So to stop
intra-area routes from leaving an area use "not-advertise", but ONLY ON THE ABR!
(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise

4. Tune the ADMINISTRATIVE DISTANCE - Set the AD of the routes advertised by a certain router to 255, so they are never installed (AD 255 = UNREACHABLE). In OSPF the source address is the Router-ID of the advertising router:
(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL matching the prefixes, it's OPTIONAL

5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT):
(config-subif)#ip ospf database-filter all out <- PER INTERFACE
(config-router)#neighbor x.x.x.x database-filter all out <- PER NEIGHBOR

6. MATCH IP ROUTE-SOURCE in a Route-map (used with "distribute-list route-map" or in redistribution) - In OSPF it matches NOT the NEXT HOP but the ORIGINATING Router-ID of the PREFIX
(config-route-map)#match ip route-source 4 <- ACL 4 matches the Router-ID

Also the SOURCE PROTOCOL can be matched:
(config-route-map)#match source-protocol ?
bgp Border Gateway Protocol (BGP)
connected Connected
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
mobile Mobile routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
<cr>

Be sure which type of LSA you need to filter by checking in which part of the database the route is:
#show ip ospf database [router | network | summary | asbr-summary | external | nssa-external]

*If you need to reach the route without passing through the router that cannot reach it - define a route-map that sets the next hop
towards an alternative path, and apply it as a policy. "ip local policy" in Global Configuration mode only affects traffic ORIGINATED by the router itself;
for transit traffic apply "ip policy route-map" on the ingress interface instead:
(config)#ip local policy route-map ROUTE_MAP

7. Filter OSPF per Interface - If you wish to prevent LSAs to be sent via particular Interface:
(config-if)#ip ospf database-filter all out

* ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface
8. Filter OSPF per NEIGHBOR - Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the
"neighbor" command in order to configure the per-neighbor OSPF database filtering:
(config-router)#neighbor 5.5.5.5 database-filter all out
*The per-neighbor form is supported on POINT-TO-MULTIPOINT networks, so the interface has to be configured as such (on a plain Point-to-Point interface use the per-interface form above):
(config-if)#ip ospf network point-to-multipoint

____________________________________________________________________________________________________________________
OSPF Non-Broadcast Networks
____________________________________________________________________________________________________________________
To check the OSPF network type / DR state of each interface, do the following command and check the column "State" (P2P for point-to-point, DR/BDR/DROTHER for broadcast and non-broadcast, P2MP for point-to-multipoint):
#sh ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 1.1.1.1/8 1 P2P 0/0
Se0/1/0.14 1 2 10.1.12.1/24 64 P2P 1/1
Se0/1/0.13 1 3 10.1.13.1/24 64 P2P 1/1
Se0/1/0.41 1 4 10.1.14.1/24 64 DR 1/1

On a Multipoint Frame-Relay interface the default OSPF type is NON-BROADCAST. This means that the OSPF Neighbors will not be discovered
like on a standard Broadcast Network Segment, as there are no multicast Hellos.
#show ip ospf inter s1/0
Serial1/0 is up, line protocol is up
Internet Address 10.1.1.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
...

So in order to establish the OSPF Neighbors, we use the "neighbor" command under the OSPF process, which makes OSPF send the Hellos on this link as
UNICAST instead of MULTICAST:
(config-router)#neighbor 172.128.185.66

No need to keep "broadcast" on the frame relay mapping if you use the "neighbor" command, as only UNICAST is then used, so you can also do this:
(config-if)#frame-relay map ip 10.1.1.4 104 broadcast -> frame-relay map ip 10.1.1.4 104 (REMOVE "broadcast")

*In HUB-AND-SPOKE the Spokes do not have Layer 2 reachability to each other, so "neighbor" statements between the SPOKEs make no sense (only the HUB needs them, one per spoke). Instead just be sure to set the
SPOKES' OSPF priority to 0, so that they don't participate in the DR/BDR Election (the HUB must be the DR, as it's the only router that sees everybody)
(config-if)#ip ospf priority 0

The HUB Router will be elected as DR on the link and exchange the OSPF Database with each of the Spokes:
#show ip ospf neighbor <--- R1 IS THE HUB

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/DROTHER 00:01:51 10.1.1.2 Serial1/0
3.3.3.3 0 FULL/DROTHER 00:01:51 10.1.1.3 Serial1/0
4.4.4.4 0 FULL/DROTHER 00:01:56 10.1.1.4 Serial1/0

*In this kind of OSPF Topology it's not necessary to have the Frame-Relay mappings configured with the "broadcast" keyword, because we are
manually defining the OSPF Neighbors and turning the Hellos into UNICASTS.
____________________________________________________________________________________________________________________
OSPF NBMA (Non Broadcast Multiple Access) Networks
____________________________________________________________________________________________________________________
Once the interface is defined as NON-BROADCAST, the "neighbor" command should be used to establish the OSPF peering. First you need to
define the interface as OSPF non-broadcast:
(config)#interface Serial0/1/0.14 point-to-point
(config-if)# ip ospf network non-broadcast

Then under the OSPF process define the neighbor.
(config-router)#neighbor 10.1.12.2 [priority 0] <- PRIORITY 0 if you want the other side to NOT become the DR

!!!BE SURE THE TIMERS MATCH ON BOTH SIDE INTERFACES: with mismatched Hello/Dead intervals the Hellos are dropped and no peering forms at all. If the timers match but the
NETWORK TYPES differ (e.g. NON-BROADCAST on one side and POINT-TO-MULTIPOINT on the other, both 30/120), the Routers will establish the peering, but they will not install each other's routes correctly!!!
#sh ip ospf int s0/1/0.14 | i Hello|Network
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05

Also you need to match the AREA ID and the Area STUB FLAG (Options field in the Hello): both sides must be of the SAME TYPE (Normal, Backbone, Stub or NSSA)
____________________________________________________________________________________________________________________
OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks
____________________________________________________________________________________________________________________
If you wish to convert the previous network into the Broadcast Network, the following command needs to be applied:
(config-if)#ip ospf network broadcast

In HUB AND SPOKE topology you want to AVOID the SPOKE being elected as the DR, so set the OSPF priority to 0:
(config-if)#ip ospf priority 0 <- ON ALL THE SPOKE Routers

A router with a router priority set to zero is ineligible to become the DR or BDR, which is why it's better to set the Priority on the Spokes to 0 up front: the DR election is not
preemptive, so if a spoke has already been elected we would have to clear the OSPF process. Then check on the HUB router, and make sure all SPOKEs appear as DROTHERs:
#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/DROTHER 00:00:32 10.1.1.2 Serial1/0
3.3.3.3 0 FULL/DROTHER 00:00:38 10.1.1.3 Serial1/0
4.4.4.4 0 FULL/DROTHER 00:00:33 10.1.1.4 Serial1/0

And in case it needs to be Point-to-Point:
(config-if)#ip ospf network point-to-point


The main difference here is the NEXT HOP:
BROADCAST (and NON-BROADCAST): the Next Hop is the router that ORIGINATED the Route, so Spoke-to-Spoke traffic needs direct L2 reachability (FR maps) between the Spokes
POINT-TO-POINT: the Next Hop is the router that ADVERTISED the Route (the directly connected neighbor)
POINT-TO-MULTIPOINT: the Next Hop is also the router that ADVERTISED the Route (the HUB), and additionally every router advertises a /32 host route for each P2MP neighbor,
so Spoke-to-Spoke reachability works from the L3 perspective without any Spoke-to-Spoke L2 mappings.
____________________________________________________________________________________________________________________
DNS Lookup in OSPF
____________________________________________________________________________________________________________________
Enable OSPF to lookup the names:
(config)#ip ospf name-lookup

And define the NAME-IP correlation:
(config)#ip host R5 5.5.5.5

____________________________________________________________________________________________________________________
ISPF
____________________________________________________________________________________________________________________
Incremental SPF (enabled with the "ispf" command under the routing process) recomputes only the part of the SPF tree affected by a change instead of the full
SPF algorithm, thereby allowing OSPF to converge faster on a new routing topology in reaction to a network event.
____________________________________________________________________________________________________________________
Forward Address Suppression
____________________________________________________________________________________________________________________
The aim is to SUPPRESS the forwarding address of the router that originated the prefix. When the area is NSSA and you want to CONTROL how
the ABR translates the LSA7 into the LSA5, you can have it set the forwarding address to 0.0.0.0 instead of the one specified in the LSA7, so
the rest of the domain forwards towards the translating ABR itself instead of needing a route to the original forwarding address:
(config-router)#area 1 nssa translate type7 suppress-fa ?
default-information-originate Originate Type 7 default into NSSA area
no-redistribution No redistribution into this NSSA area
no-summary Do not send summary LSA into NSSA
<cr>

Before the command is applied, the external (LSA5) prefix is seen within area 0 as:
#sh ip ospf database external 6.0.0.0
OSPF Router with ID (1.1.1.1) (Process ID 1)
Type-5 AS External Link States
LS age: 557
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 6.0.0.0 (External Network Number )
Advertising Router: 3.3.3.3
LS Seq Number: 80000003
Checksum: 0x1286
Length: 36
Network Mask: /8
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 200.1.36.6
External Route Tag: 0

After the command has been applied, we have:
#sh ip ospf database external 6.0.0.0
OSPF Router with ID (1.1.1.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 41
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 6.0.0.0 (External Network Number )
Advertising Router: 3.3.3.3
LS Seq Number: 80000004
Checksum: 0x3952
Length: 36
Network Mask: /8
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 0.0.0.0 <- THE FORWARD ADDRESS HAS CHANGED
External Route Tag: 0

If you add "no-summary" to this command, the LSA3s are filtered and a default route is advertised into the area instead. You can use the
same approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA and advertise only the default route from the ABR. In this example
Area 1 is the NSSA:
(config-router)#area 1 nssa default-information-originate no-summary

Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2):
#sh ip route
...
Gateway of last resort is 205.1.36.3 to network 0.0.0.0
O*N2 0.0.0.0/0 [110/1] via 205.1.36.3, 00:05:21, Serial1/0.63
1.0.0.0/32 is subnetted, 1 subnets

The default route will be injected into the area regardless of whether you're using the "nssa default-information-originate" or the
"nssa no-summary" command on the ABR. The difference is the route type:
NSSA NO-SUMMARY
Gateway of last resort is 10.1.34.3 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/65] via 10.1.34.3, 00:04:22, Serial1/0.43
NSSA DEFAULT-INFORMATION-ORIGINATE
Gateway of last resort is 10.1.35.3 to network 0.0.0.0
O*N2 0.0.0.0/0 [110/1] via 10.1.35.3, 00:00:22, Serial1/0.53
1.0.0.0/32 is subnetted, 1 subnets
____________________________________________________________________________________________________________________
OSPF Sham Link
____________________________________________________________________________________________________________________
In an MPLS VPN setup the CE routers of two sites can have two ways to reach each other:
1 over the PEs and the MPLS backbone
2 over a direct link between the sites (the "backdoor" link) running OSPF
*It is assumed that OSPF runs between the customer CEs and the PEs.

The backdoor link will always be preferred, simply because nothing beats an INTERNAL (intra-area) OSPF route (O): the routes that cross
the MPLS backbone arrive at the CE as inter-area (O IA) or external (E1/E2) routes, and regardless of the cost they will never be preferred
over the intra-area route learned across the backdoor.
The way to solve this is the SHAM link, designed specifically for this scenario. Namely the LINK is created between the PE routers, so that
the prefixes learned across the MPLS VPN appear as INTERNAL (intra-area) OSPF routes on the CE routers, and we can then influence the
preferred path using the OSPF COST on the interface.

STEP 1: Create /32 Loopback interfaces on the PE routers (one unique address per PE), and add them into the appropriate VRF:
PE1:
(config)#interface Loopback1
(config-if)#ip vrf forwarding CA
(config-if)#ip address 192.168.1.1 255.255.255.255

PE2:
(config)#interface Loopback1
(config-if)#ip vrf forwarding CA
(config-if)#ip address 192.168.1.2 255.255.255.255

STEP 2: Advertise these /32s via the BGP VRF address family on each PE, so that the sham-link endpoints are reachable across the backbone
(PE1 shown; PE2 uses 192.168.1.2):
(config-router)#address-family ipv4 vrf CA
(config-router-af)#redistribute ospf 15 vrf CA
(config-router-af)#network 192.168.1.1 mask 255.255.255.255

STEP 3: Create the OSPF SHAM-LINK between the PE routers, with the Loopback1 /32 addresses as SOURCE and DESTINATION (these must
already be reachable via BGP, not via OSPF). Make sure a new OSPF adjacency appears between the PEs over the sham-link interface:
(config)#router ospf 15 vrf CA
(config-router)#area 0 sham-link 192.168.1.1 192.168.1.2 cost 1
*Dec 20 11:59:28.206: %OSPF-5-ADJCHG: Process 15, Nbr 10.1.45.4 on OSPF_SL2 from LOADING to FULL, Loading
Done

TIP: Don't advertise these loopbacks into the customer's OSPF; they must be learned through MP-BGP only, so that the sham link (which is
in effect a tunnel between the PEs) can't end up routed through the customer's routers over the backdoor.
STEP 4: The LAST step is to tune the OSPF COST on the backdoor link between the CEs, so that it becomes LESS PREFERRED than the path
across the sham link:
(config-if)#ip ospf cost 500

____________________________________________________________________________________________________________________
OSPF in MPLS
____________________________________________________________________________________________________________________
TIP: Be sure to set the domain-id to match on all the PEs of the same customer (the default domain ID is derived from the OSPF process
number, so different process numbers on the PEs mean different domain IDs):
(config)#router ospf 1 vrf VRF_XXX
(config-router)#domain-id 55.55.55.55
*With matching domain IDs the remote site's routes are translated into LSA Type 3 (inter-area) routes at the other PE; with a mismatch they
show up as LSA Type 5 (external) routes.

____________________________________________________________________________________________________________________
EIGRP
____________________________________________________________________________________________________________________
EIGRP uses IP protocol 88 (no TCP or UDP port), and the HELLOs are multicast to 224.0.0.10.
TIP: When you need to FILTER EIGRP with an extended ACL, match it with "permit eigrp any any".
TIP: "default-information [ in|out ]" in EIGRP does NOT generate the default route; it only allows an already existing default route to be
sent to, or accepted from, the neighbor.
The EIGRP timers are configured on the interface towards the EIGRP neighbor. The hold time is the equivalent of a dead timer: it is carried in
our Hellos and tells the neighbor how long to wait without a Hello before declaring us down. Set the Hello interval and the hold time for the
EIGRP 100 process:
(config-if)#ip hello-interval eigrp 100 30
(config-if)#ip hold-time eigrp 100 120

Check the configured Timers using the command:
#show ip eigrp interfaces detail
EIGRP-IPv4 Interfaces for AS(100)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/0 1 0/0 12 0/2 80 0
Hello-interval is 30, Hold-time is 120 <--- TIMERS VALUES
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/2 Un/reliable ucasts: 1/6
Mcast exceptions: 2 CR packets: 0 ACKs suppressed: 1
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Topology-ids on interface - 0
Authentication mode is not set

____________________________________________________________________________________________________________________
EIGRP "show neighbors" command
____________________________________________________________________________________________________________________
#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.12.2 Se1/0.12 115 00:10:04 26 200 0 32

How to interpret this output:
H - The order in which neighbors were formed, starting from 0
Address - Neighbors IP
Interface - From where we see the Neighbor
Holdtime - How long we have left before we declare the neighbor down (if no Hello is received)
Uptime - How long since we first found out about the neighbor
SRTT - Smooth Round Trip Time - time required for EIGRP packet to reach the neighbor and receive the ACK
RTO - Retransmission Time-Out - how long before the packet is re-transmitted
Q Count - Number of packets in the EIGRP queue
SeqNum - Sequence Number of the last received EIGRP packet

If you want to disable the logging of neighbor changes, or of neighbor warnings:
(config-router)#no eigrp log-neighbor-changes
(config-router)#no eigrp log-neighbor-warnings

With warnings enabled, you can define how often (in seconds) a repeated warning is logged:
(config-router)#eigrp log-neighbor-warnings X

____________________________________________________________________________________________________________________
EIGRP Metric - K Values
____________________________________________________________________________________________________________________
Five K values are used to calculate the EIGRP metric. It's pretty important to know at least which one is which:
K1 - Bandwidth
K2 - Load
K3 - Delay
K4 - Reliability
K5 - Reliability (K4 and K5 together scale the reliability term)

Metric = [K1*BW + (K2*BW)/(256-Load) + K3*Delay] * [K5/(Reliability+K4)] * 256, where the K5/(Reliability+K4) factor is only applied if K5 is not 0.
With the default K values this reduces to: Metric = (10,000,000/LowestPathBW[kbps] + Sum of all DELAYs[usec]/10) * 256

By default K1 = K3 = 1 and K2 = K4 = K5 = 0, so the metric depends on bandwidth and delay only. To check the parameters on the interface:
#show interfaces e0/0 | i BW
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec

If you need the EIGRP metric to depend on other values, the command is (ToS should be left at 0):
(config-router)#metric weights tos k1 k2 k3 k4 k5

BE CAREFUL when you change this, BECAUSE THE K VALUES NEED TO MATCH BETWEEN THE EIGRP NEIGHBORS! The following MUST match in
order for two routers to become EIGRP adjacent:
K values
AS number
Same L2 segment and IP subnet (the Hello's source address must belong to the receiving interface's primary subnet)
Authentication

____________________________________________________________________________________________________________________
EIGRP Route Summarization and Leak Maps
____________________________________________________________________________________________________________________
EIGRP route summarization is done exactly like RIP summarization, which makes sense because both protocols are distance vector in nature.
It can also be done on ANY router within the EIGRP process, not only at area borders as with the link-state protocols. It's done on the
interface using the command:
(config-if)#ip summary-address eigrp 100 3.0.0.0 255.0.0.0

And don't be afraid when you see the following message:
*Apr 27 12:53:32.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.12.1 (Serial1/0) is resync: summary
configured

A discard route pointing to Null0 is created automatically (with AD 5), so don't worry: EIGRP adds it for loop avoidance, so that traffic for
parts of the summary we have no specific route for is dropped instead of following a default route. Check that it worked:
#show ip route | i summ
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
D 3.0.0.0/8 is a summary, 00:02:52, Null0

If you need more granular control, the solution available since 12.3(13) is the LEAK MAP (something like the SUPPRESS maps in BGP, but it
cannot be used under a SUB-interface). If the leak map references a non-existent route map, the summary route is advertised and the more
specific routes are suppressed, as if there were no leak map. If the route map exists but references a non-existent ACCESS LIST, both the
summary route and all the more specific routes are advertised. If the access list also exists, it defines the routes that will be
advertised IN ADDITION to the summary route. To configure the leak map, just attach a route map to the "eigrp summary" command:
(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP

SUB-INTERFACE LEAK MAPS: Since the LEAK Maps are not available on the SUB-interface, there is a workaround, and its done using the
VIRTUAL TEMPLATE Interface. We would then configure the Route Summarization and a Leak Map under it:
(config)#interface Virtual-template 13
(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP

And then under the SUB-Interface assign the Virtual Template (SUB-INTERFACE needs to be of a MULTIPOINT TYPE, or this will not work)
(config-subif)#no ip add
(config-subif)#frame-relay interface-dlci 103 ppp Virtual-template 13

____________________________________________________________________________________________________________________
EIGRP Default Gateway
____________________________________________________________________________________________________________________
The command we all know from OSPF and BGP, "default-information originate [always]", will not work in EIGRP. Instead we need to:
Option 1: Configure a static default route and redistribute it into EIGRP
Option 2: Summarize all routes into a default route using the summarization method described above (a leak map is added if we wish to
advertise other routes besides the default route)
(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 [leak-map ROUTE_MAP]


____________________________________________________________________________________________________________________
VARIANCE Command
____________________________________________________________________________________________________________________
Variance is the EIGRP feature that enables UNEQUAL-cost load balancing. The conditions are that the alternate paths are present in the EIGRP
topology table as feasible successors, i.e. they MEET THE FEASIBILITY CONDITION (the neighbor's REPORTED/ADVERTISED distance must be
lower than the local FEASIBLE distance), and that their metric is within variance times the best metric. It's configured in the EIGRP
configuration mode:
(config-router)#variance 2

This means that it will include the routes with the metric value up to 2 times greater than the Best Route metric. If you need more GRANULAR
control, or more precise variance, get the METRIC from the EIGRP TOPOLOGY:
#show ip ei 400 topology 10.1.56.0/24 | i metric
Composite metric is (2195456/281600), route is Internal
Vector metric:
Composite metric is (319545/281600), route is Internal
Vector metric:

There are two routes, one with metric 2195456 and the other with metric 319545, and both meet the feasibility condition (their reported
distance 281600 is lower than the best metric 319545). To get the VARIANCE you need, divide the worse metric by the best one and round up
to the next integer:
2195456/319545 = 6.87 => Variance will be 7!
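
To check the numbers quoted in these outputs and see what a given variance actually admits, here is a worked example in Python. It is an
added example, not code from the original notes or from IOS: it reproduces the classic EIGRP metric arithmetic (covering the K values section
above as well as this one), the feasibility condition and the variance rule. The interface names used as path labels are constructed; the
bandwidth and delay values are the ones that appear in the show outputs on this page.

```python
"""EIGRP classic composite metric, feasibility condition and variance.

Added example (not code from the original notes or from IOS): it reproduces the
IOS arithmetic so the figures quoted in the show outputs on this page can be checked,
and shows which paths a given 'variance' value actually admits. Path labels are
constructed; the bandwidth/delay values come from the outputs on this page."""
import math
from typing import List, NamedTuple, Tuple

# K1..K5 defaults: only bandwidth (K1) and delay (K3) count.
DEFAULT_K: Tuple[int, int, int, int, int] = (1, 0, 1, 0, 0)


class Vector(NamedTuple):
    """Vector metric as carried in an EIGRP update."""
    min_bandwidth_kbps: int     # lowest BW along the path ('BW' in show interfaces)
    total_delay_usec: int       # sum of 'DLY' along the path, in microseconds
    reliability: int = 255      # 255 = 100 %
    load: int = 1               # 1..255


def composite_metric(v: Vector, k: Tuple[int, ...] = DEFAULT_K) -> int:
    """Classic 32-bit EIGRP metric:
        [K1*BW + K2*BW/(256-load) + K3*DLY] * K5/(reliability+K4) * 256
    with BW = 10^7 / min_bandwidth_kbps and DLY = total_delay_usec / 10, both
    truncated to integers. The K5/(reliability+K4) factor applies only when K5 != 0."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // v.min_bandwidth_kbps
    dly = v.total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - v.load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (v.reliability + k4)
    return metric * 256


class Path(NamedTuple):
    via: str
    reported_distance: int      # the neighbour's own metric to the destination (RD)
    metric: int                 # our metric through that neighbour (RD + link cost)


def feasible(path: Path, feasible_distance: int) -> bool:
    """Feasibility condition: the neighbour's RD must be strictly lower than our
    feasible distance; that is what rules out a path that loops back through us."""
    return path.reported_distance < feasible_distance


def variance_needed(best_metric: int, candidate_metric: int) -> int:
    """The rule from the notes: divide the candidate's metric by the best metric
    and round up to the next integer."""
    return math.ceil(candidate_metric / best_metric)


def load_sharing_paths(paths: List[Path], variance: int) -> List[str]:
    """Paths installed for unequal-cost load sharing: the successor plus every
    feasible successor whose metric is within variance * best metric. The comparison
    is <= so that equal-cost paths still qualify at the default variance 1."""
    fd = min(p.metric for p in paths)
    return [p.via for p in paths if feasible(p, fd) and p.metric <= variance * fd]
```

Vector(1544, 25000) gives 2297856, the metric of the 12-hop route in the maximum-hops output further down this page; Vector(10000, 1000)
gives 281600, the reported distance in the variance output above; variance_needed(319545, 2195456) returns 7, and a path with a reported
distance higher than the best metric is rejected by feasible() no matter what variance is configured.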

____________________________________________________________________________________________________________________
EIGRP Authentication
____________________________________________________________________________________________________________________
Like in OSPF, the configuration is done in interface configuration mode. Unlike OSPF, classic EIGRP supports only MD5 authentication
(named-mode EIGRP later added HMAC-SHA-256). The key chain alone does nothing: authentication is only enabled once the mode is set to MD5 on
the interface. This is an example of a Frame Relay point-to-point interface with EIGRP authentication (the key chain EIGRP_CHAIN is defined
globally with "key chain", "key" and "key-string"):
(config)#interface Serial4/1.25 point-to-point
(config-if)#ip authentication mode eigrp 100 md5
(config-if)#ip authentication key-chain eigrp 100 EIGRP_CHAIN

____________________________________________________________________________________________________________________
EIGRP: Maximum Hops
____________________________________________________________________________________________________________________
Another attribute that can be useful for controlling the routes is the "maximum-hops". To see each route's hop count:
#show ip route 172.28.185.0
Known via "eigrp 100", distance 90, metric 2297856, type internal
Redistributing via eigrp 100
Last update from 131.1.12.2 on Serial1/0.12, 00:13:47 ago
Routing Descriptor Blocks:
* 131.1.12.2, from 131.1.12.2, 00:13:47 ago, via Serial1/0.12
Route metric is 2297856, traffic share count is 1
Total delay is 25000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 12 <-- 12 HOPS TO THIS ROUTE!!!

To change the Maximum number of Hops to, for example, 110 (Its 100 by Default):
(config-router)#metric maximum-hops 110

#show eigrp protocols | i hop
Maximum hopcount 110



____________________________________________________________________________________________________________________
EIGRP Administrative Distance
____________________________________________________________________________________________________________________
By default EIGRP has the following administrative distances:
170 - External EIGRP routes
90 - Internal EIGRP routes
5 - EIGRP summary routes (the local Null0 discard route)
You can lower the AD of EIGRP external routes if they must not lose to, for example, OSPF, whose routes (internal and external) all have AD 110.
The arguments are internal then external:
(config-router)#distance eigrp 90 100

____________________________________________________________________________________________________________________
EIGRP Updates BW Percent
____________________________________________________________________________________________________________________
By default EIGRP uses up to 50 percent of the interface bandwidth for its updates, but this can be changed with the following command at the
interface level (here for AS 200, value in percent):
(config-if)#ip bandwidth-percent eigrp 200 30
____________________________________________________________________________________________________________________
EIGRP Redistribute Routes into EIGRP
____________________________________________________________________________________________________________________
*When redistributing from another routing protocol into EIGRP YOU NEED TO DEFINE THE METRIC, or the routes are not redistributed at all
(connected and static routes are the exception; they take the metric of the interface). Either define a default one:
(config-router)#default-metric 1500 20000 255 1 1500 <- bandwidth(kbps) delay(tens of usec) reliability load MTU

Or when configuring the redistribution:
(config-router)#redistribute static metric 150 20000 255 1 1500

____________________________________________________________________________________________________________________
EIGRP offset-list [metric adjustments]
____________________________________________________________________________________________________________________
An offset list is used to INCREASE an EIGRP or RIP metric by the OFFSET value you define (it can only add, never subtract), for the routes
matched by an ACL, in one direction and optionally on one interface:
(config-router)#offset-list 3 in 50 s1/1 <- Match ACL 3, INCREASE the metric by 50 on routes learned on s1/1

____________________________________________________________________________________________________________________
EIGRP Stub
____________________________________________________________________________________________________________________
First a heads up: it's a bit complicated because there are just too many details... subjective impression! The command itself is rather
straightforward:
(config-router)#eigrp stub [connected | summary | static | receive-only | redistributed | leak-map NAME]

The point of a stub router is that its neighbors never send it queries, which bounds the query scope and avoids stuck-in-active conditions
behind it; the keywords only control WHAT the stub router itself advertises. You can ALSO use a LEAK-MAP here, like in the summarization,
to allow some subnets out (matched in the route map).
When the EIGRP process is configured as STUB on a router using the "stub connected" keyword:
(config-router)#eigrp stub connected

The stub router's own routing table is unaffected: it still learns everything its neighbors send, and keeps its own summary, static and
redistributed routes (the STUB setting doesn't affect the router where it's configured). Its EIGRP neighbor(s) will NOT receive its summary,
static or redistributed routes, ONLY the connected ones, BECAUSE ONLY connected routes are advertised.
If however we use the "stub summary" keyword:
(config-router)#eigrp stub summary

The router keeps the same EIGRP routes in its routing table, while the EIGRP neighbor(s) ONLY receive its summary routes.
Now with "stub static" or "stub redistributed":
(config-router)#eigrp stub [static | redistributed]

This router keeps behaving exactly the same, while the EIGRP neighbors ONLY receive its static or redistributed routes.
With "stub receive-only":
(config-router)#eigrp stub receive-only

This router keeps behaving exactly the same, while the EIGRP neighbors stop receiving ANY routes from it (receive-only can't be combined
with the other keywords).
And finally the "eigrp stub" command can be configured without any keyword:
(config-router)#eigrp stub

which is the same as "eigrp stub connected summary": the EIGRP neighbors receive the connected routes and the summary routes.
____________________________________________________________________________________________________________________
MP-EIGRP
____________________________________________________________________________________________________________________
When configuring the ADDRESS FAMILY within the EIGRP process, the most important thing to have in mind is to DEFINE THE AS NUMBER
AGAIN WITHIN THE AF CONFIGURATION, or the peering will not be established.
(config)#router eigrp 100
(config-router)#no auto-summary
!
(config-router)#address-family ipv4 vrf CA
(config-router-af)#network 4.4.4.4 0.0.0.0
(config-router-af)#network 10.1.45.4 0.0.0.0
(config-router-af)#no auto-summary
(config-router-af)#autonomous-system 200

____________________________________________________________________________________________________________________
EIGRP Route Filtering
____________________________________________________________________________________________________________________
EIGRP uses a DISTRIBUTE LIST to filter the prefixes, and there is an advanced option: the "gateway" keyword filters on the neighbor the
update was received from (its source IP), not just on the prefix itself. So if you configure two prefix lists:
PREFIX-LIST NOT_R4, to filter OUT the updates received from 10.10.1.4:
(config)#ip prefix-list NOT_R4 deny 10.10.1.4/32 <- deny updates from this neighbor
(config)#ip prefix-list NOT_R4 permit 0.0.0.0/0 le 32 <- allow updates from everyone else

PREFIX-LIST ALLOW_ALL, which you can adjust to filter some of the incoming PREFIXES:
(config)#ip prefix-list ALLOW_ALL permit 0.0.0.0/0 le 32

Apply the first prefix list as the GATEWAY filter and the second as the route filter of the same inbound distribute list:
(config-router)#distribute-list prefix ALLOW_ALL gateway NOT_R4 in
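
The two-list logic (route filter plus gateway filter) modelled in Python, so the matching rules can be tested offline. This is an added
example, not code from the original notes or from IOS: it implements Cisco prefix-list semantics (first match wins, implicit deny, the ge/le
length windows) and applies them to constructed inbound updates. The neighbor 10.10.1.4 and the list names are the ones used above; the
prefixes and the other neighbor addresses are made up for the example.

```python
"""Cisco-style prefix-list matching plus the 'distribute-list prefix X gateway Y in'
behaviour, re-implemented in Python so the two-list logic can be exercised offline.
Added example, not from the original notes or from IOS; the update records are
constructed, the neighbour 10.10.1.4 and the list names are the ones in the notes."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class PrefixListEntry(NamedTuple):
    action: str                 # "permit" or "deny"
    prefix: str                 # network/len, e.g. "10.10.1.4/32"
    ge: Optional[int] = None    # minimum prefix length
    le: Optional[int] = None    # maximum prefix length


def entry_matches(entry: PrefixListEntry, candidate: str) -> bool:
    """One prefix-list line. The candidate matches when its leading L bits equal the
    entry's L-bit prefix and its own length lies in the ge/le window:
    neither keyword -> exactly L; 'le E' -> L..E; 'ge G' -> G..32; both -> G..E."""
    ent = ipaddress.ip_network(entry.prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != ent.version:
        return False
    lo = entry.ge if entry.ge is not None else ent.prefixlen
    if entry.le is not None:
        hi = entry.le
    else:
        hi = ent.max_prefixlen if entry.ge is not None else ent.prefixlen
    if not (lo <= cand.prefixlen <= hi):
        return False
    return cand.network_address in ent          # leading L bits agree


def prefix_list_permits(entries: List[PrefixListEntry], candidate: str) -> bool:
    """First matching line wins; a candidate matching no line hits the implicit deny."""
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry.action == "permit"
    return False


Update = Tuple[str, str]   # (advertised prefix, IP of the neighbour that sent it)


def apply_distribute_list(updates: List[Update],
                          prefix_filter: List[PrefixListEntry],
                          gateway_filter: Optional[List[PrefixListEntry]] = None) -> List[Update]:
    """Model of 'distribute-list prefix <prefix_filter> gateway <gateway_filter> in'.
    The gateway list is evaluated against the sending neighbour as a /32; an update is
    accepted only if the neighbour passes it AND the prefix passes the prefix list."""
    accepted = []
    for prefix, gateway in updates:
        if gateway_filter is not None and not prefix_list_permits(gateway_filter, gateway + "/32"):
            continue                                # untrusted neighbour: drop everything it sends
        if prefix_list_permits(prefix_filter, prefix):
            accepted.append((prefix, gateway))
    return accepted


# The two lists from the notes.
NOT_R4 = [PrefixListEntry("deny", "10.10.1.4/32"),
          PrefixListEntry("permit", "0.0.0.0/0", le=32)]
ALLOW_ALL = [PrefixListEntry("permit", "0.0.0.0/0", le=32)]

# Constructed inbound updates: R4 (10.10.1.4) is the neighbour we do not trust.
UPDATES: List[Update] = [
    ("192.168.10.0/24", "10.10.1.2"),
    ("192.168.20.0/24", "10.10.1.4"),
    ("172.16.0.0/16", "10.10.1.4"),
    ("172.16.5.0/24", "10.10.1.3"),
]


def demo() -> List[Update]:
    """Everything R4 sends is dropped; the other neighbours' prefixes are all accepted."""
    return apply_distribute_list(UPDATES, ALLOW_ALL, NOT_R4)
```

Swap ALLOW_ALL for a list such as PrefixListEntry("permit", "172.16.0.0/16", le=24) to see the prefix side of the filter act on its own:
the gateway list decides whose updates are looked at, the prefix list decides which of those prefixes get in.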


____________________________________________________________________________________________________________________
BGP TIPs and Best Practices
____________________________________________________________________________________________________________________
The first two things that are considered "BGP configuration best practice" are to disable SYNCHRONIZATION and to disable auto-summarization.
Why?
Auto-summary - disabling it gives CLASSLESS BGP behavior (redistributed prefixes are no longer collapsed into their classful network)
(config-router)#no auto-summary

Synchronization - an old loop-prevention mechanism that is no longer used, so there is no need to have it enabled; in newer IOS versions it's
disabled by default. It was originally created to prevent BLACK-HOLING traffic through non-BGP routers in the transit path. Basically the
SYNC logic is: do not consider an iBGP-learned route in the BGP table BEST (and so don't use or advertise it) unless the EXACT PREFIX is
also learned via the IGP and is currently in the routing table.
(config-router)#no synchronization

When adding a new NEIGHBOR, you need to specify their AS Number using the "remote-as":
(config-router)#neighbor 10.1.1.2 remote-as 100

Debug looks like this:
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has CAPABILITY code: 131, length 1
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has MULTISESSION capability, without grouping
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has CAPABILITY code: 65, length 4
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has 4-byte ASN CAP for: 100
*Nov 23 12:34:55.223: BGP: nbr global 10.1.1.2 neighbor does not have IPv4 MDT topology activated
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active rcvd OPEN w/ remote AS 100, 4-byte remote AS 100
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active went from OpenSent to OpenConfirm
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active went from OpenConfirm to Established
*Nov 23 12:34:55.223: BGP: ses global 10.1.1.2 (0xAF0217D0:1) Up
*Nov 23 12:34:55.223: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Up

Once you've got the neighbors configured using the "neighbor" command, you should be able to identify the outputs:
(config-router)#do show ip bgp summary | b Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
100.11.1.1 4 100 9 9 5 0 0 00:05:23 1
100.11.1.3 4 100 9 9 5 0 0 00:05:12 1
100.11.1.4 4 100 8 8 5 0 0 00:04:57 1
(config-router)#do show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i1.0.0.0 10.1.1.1 0 100 0 i
*> 2.0.0.0 0.0.0.0 0 32768 i
*>i4.0.0.0 10.1.1.4 0 100 0 i

* - The entry in the table is valid
> - It's the BEST entry for that prefix
i (status column) - learned via iBGP
Network - the prefix; the mask is omitted when it is the classful one
Next Hop - Next Hop IP (0.0.0.0 means a locally originated prefix)
Metric - the MED attribute
LocPrf - Local Preference, HIGHER IS BETTER, default is 100. The default can be changed with "bgp default local-preference"
Weight - Cisco-specific, local to this router and the FIRST attribute checked in path selection; LOCALLY originated prefixes get 32768,
prefixes learned from a NEIGHBOR get 0 by default
Path - the AS_PATH followed by the origin code; a prefix learned via iBGP from our own AS has an empty AS_PATH, so only the origin code
"i" shows, while eBGP-learned prefixes list every AS you need to traverse to get to the prefix (an AS_PATH segment holds at most 255 ASNs)

(config-router)#do show ip bgp <- CASE OF ONLY eBGP ROUTES
BGP table version is 5, local router ID is 192.168.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 1.0.0.0 10.1.1.1 0 300 100 i
* 10.1.1.1 0 200 100 i
*> 10.1.1.1 0 0 100 i
* 2.0.0.0 10.1.1.2 0 100 200 i
* 10.1.1.2 0 300 200 i
*> 10.1.1.2 0 0 200 i
*> 3.0.0.0 10.1.1.3 0 0 300 i
*> 4.0.0.0 0.0.0.0 0 32768 i
Notice that the Path column is no longer just "i": it now shows the entire AS_PATH (the list of all the autonomous systems the traffic has to
cross in order to reach the prefix), followed by the origin code.
Also the Local Preference column is blank: LOCAL_PREF is only carried between iBGP peers, so eBGP-learned routes show no value (100 is
assumed).
MED is 0 or blank. The originating AS sets MED to 0 on the prefixes it advertises here, but when the SAME prefix is re-advertised by a transit
AS towards its eBGP neighbors the MED is not propagated, so the column is blank.
If you are peering eBGP between LOOPBACKS, don't forget the "ebgp-multihop" command (the number is the TTL the router puts on its BGP packets)!
From Cisco Docs: By design, a BGP routing process expects eBGP peers to be directly connected, for example, over a WAN connection.
However, there are many real-world scenarios where this rule would prevent routing from occurring. Peering sessions for multihop neighbors
are configured with the neighbor ebgp-multihop command:
(config-router)#neighbor 2.2.2.2 ebgp-multihop 2

ALTERNATIVE TO MULTIHOP:
If loopback interfaces are used to connect single-hop eBGP peers, you can configure the "neighbor disable-connected-check" command
before you can establish the eBGP peering session:
(config-router)#neighbor 10.1.12.1 disable-connected-check <-DISABLES CONNECTION VERIFICATION

Fast external fallover resets an eBGP session immediately when the interface towards the neighbor goes down, instead of waiting for the hold
timer to expire, so the neighbor's prefixes are flushed from the BGP table right away. It is ON by default; to keep the session (and the
prefixes) until the hold timer expires, turn it off:
(config-router)#no bgp fast-external-fallover

When you want to strip PRIVATE AS numbers (64512-65534) from the AS_PATH of the prefixes advertised to an eBGP neighbor:
(config-router)#neighbor 10.1.45.5 remove-private-as

SECURITY in BGP can also be provided by the TTL check (GTSM, RFC 5082), but it's considered LIGHT security. It works the other way round
from what the name suggests: both peers send their BGP packets with TTL 255, and each accepts only packets whose TTL is at least 255 minus
the configured hop count, so spoofed packets from farther away (whose TTL has been decremented below that) are dropped before they reach
the BGP process. For a peer at most 2 hops away:
(config-router)#neighbor 10.1.45.5 ttl-security hops 2

Also a MAXIMUM AS_PATH LENGTH can be defined, so that prefixes whose path goes through more than 20 ASs are discarded:
(config-router)#bgp maxas-limit 20

To CHANGE the ADMINISTRATIVE DISTANCE (AD):
(config-router)#distance bgp 150 200 1 <- EXTERNAL (eBGP) : INTERNAL (iBGP) : LOCALLY ORIGINATED (defaults are 20, 200 and 200)



OR to change the AD of the PREFIXES originated by the PARTICULAR NEIGHBOR:
(config-router)#distance 150 10.1.23.3 0.0.0.0 [ACL] <- ATTACH AN ACL TO CHOOSE THE PREFIXES TO APPLY THE AD

There is another BGP tuning knob for when you need to accept a prefix that already carries your own AS in its AS_PATH, for example when one
AS is split in two sites that are joined through another AS:
(AS 100)-->(AS 200)-->(AS 100)
AS 200 does advertise the prefix back towards AS 100, but the receiving AS 100 router drops it because it sees its own AS number in the
AS_PATH (eBGP LOOP PREVENTION). If you need to relax this on your network, the "allowas-in" command disables that check. On the EDGE router
of AS 100 towards AS 200 do:
(config-router)#neighbor 100.1.1.100 allowas-in <- WILL ACCEPT THE PREFIXES CARRYING OUR OWN AS IN THE PATH

___________________________________________________________________________________________________________________
BGP Version
____________________________________________________________________________________________________________________
Cisco IOS 12.0 supported BGP versions 2, 3 and 4, but the NEWER IOS versions support ONLY BGP version 4. On the IOS releases where it's
still allowed, you can force the version used with a particular neighbor (for example an older router from another vendor):
(config-router)#neighbor 10.1.1.2 version 4
____________________________________________________________________________________________________________________
BGP Peer-Group
____________________________________________________________________________________________________________________
It's a simple concept, just a group of neighbors we want to configure with the same group of parameters. It's defined in 3 steps:
Step 1. Define/Configure the Peer Group
(config-router)#neighbor CISQUEROS peer-group

Step 2. Add the individual neighbors into the configured peer group
*Be sure to configure the interface used as the UPDATE-SOURCE, using the "neighbor x.x.x.x update-source lo0"
(config-router)#neighbor 2.2.2.2 peer-group CISQUEROS
(config-router)#neighbor 3.3.3.3 peer-group CISQUEROS

Be sure to configure ROUTER-ID Manually using "bgp router-id" command, or you will get this message:
*Nov 23 13:48:02.535: %BGP-4-NORTRID: BGP could not pick a router-id. Please configure manually.

Expect the following message:
*May 5 10:13:21.395: %BGP_SESSION-5-ADJCHANGE: neighbor 3.3.3.3 IPv4 Unicast topology base removed from
session
Member added to peergroup
*May 5 10:13:21.395: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down Member added to peergroup
*May 5 10:13:22.283: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up

Both neighbors remain UP!
If you CANNOT bring the BGP neighbors UP, use the PHYSICAL IPs. Then both Neighbors will appear. Once you've got the peering - you can
remove the neighbor added using the Physical IP.
Step 3. Apply the set of parameters to the Peer Group, and the parameters will apply to each of the Peers. For example, lets configure the
Password:
(config-router)#neighbor CISQUEROS password cisco

____________________________________________________________________________________________________________________
BGP Peer-Session and Peer-Policy Templates
____________________________________________________________________________________________________________________
Another way to make the BGP configuration easier, by avoiding repeating the same command set for every neighbor.
Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:
(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros

Step 3: If you have several groups of neighbors that share some common settings (for example the ones defined in the template MYBGP) but
differ in others, create another template per group and inherit the first template:
(config-router)#template peer-session GROUP_1
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100

(config-router)#template peer-session GROUP_2
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200

Step 4: Apply the LAST defined Template to RELEVANT NEIGHBORS, which inherited the settings of the initial Templates:
(config-router)#neighbor 1.1.1.1 inherit peer-session GROUP_1
(config-router)#neighbor 2.2.2.2 inherit peer-session GROUP_1
(config-router)#neighbor 3.3.3.3 inherit peer-session GROUP_2

Peer-policy templates have a similar purpose, but they carry the policy commands (filters, next-hop-self, route maps...) rather than the
session parameters, and a peer-session template CANNOT INHERIT a peer-policy template. Here is an example of a peer-policy template:
(config)#router bgp 200
(config-router)#template peer-policy FORCE_SELF_AS_NEXT_HOP
(config-router-ptmp)#next-hop-self
(config-router-ptmp)#exit-peer-policy
____________________________________________________________________________________________________________________
BGP Authentication
____________________________________________________________________________________________________________________
It's configured on a PER-NEIGHBOR basis, or, as described in the previous section, on a PER-PEER-GROUP basis.
(config-router)#neighbor CISQUEROS password cisco

From Jeff Doyle ROUTING TCP/IP Vol2 (Routing Bible in my opinion, even though I hope it gets updated soon, it's been 12 years!): The IOS
uses MD5 authentication when a BGP neighbor password is configured. MD5 is a one-way message digest or secure hash function produced by
RSA Data Security, Inc. It also is occasionally referred to as a cryptographic checksum, because it works in somewhat the same way as an
arithmetic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (in this case, a BGP message) and a
password. This "fingerprint" is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If
nothing in the message has changed, the receiver's hash value should match the sender's value transmitted with the message. The hash value is
impossible to decipher (without a huge amount of computing power) without knowing the password so that an unauthorized router cannot,
either maliciously or by accident, peer with a router running neighbor authentication.
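
As an added example (my own code, not from the guide or from IOS), here is how the "fingerprint" described above is computed and checked. IOS implements the BGP neighbor password as the TCP MD5 Signature Option (RFC 2385): the 16-byte digest is MD5 over the TCP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the TCP payload (here a constructed BGP KEEPALIVE) and finally the password. The addresses, ports and sequence numbers are constructed sample values. The receiver compares digests in constant time so it does not leak how many bytes matched, and the demo shows that both a different password and a single changed payload byte are rejected:

```python
import hashlib
import hmac
import socket
import struct

# Assumption for this example: the segment carries only the MD5 option
# (kind 19, length 18, padded with two NOPs to 20 bytes), so the data offset is 40 bytes.
MD5_OPTION_LEN = 20
BGP_PORT = 179

# Constructed sample payload: a BGP KEEPALIVE (16-byte marker of 0xff, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window):
    """20-byte fixed TCP header with checksum and urgent pointer zero; options are not included."""
    data_offset_words = (20 + MD5_OPTION_LEN) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385 signature: MD5(pseudo-header || header-with-zero-checksum || data || password)."""
    # The pseudo-header segment length counts the options even though they are not hashed.
    tcp_len = len(tcp_header) + MD5_OPTION_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))
    # The header is hashed as received, but with the checksum field (bytes 16-17) zeroed.
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    h = hashlib.md5()
    for part in (pseudo, header, payload, password.encode()):
        h.update(part)
    return h.digest()


def verify_segment(src_ip, dst_ip, tcp_header, payload, received_digest, password):
    """Receiver side: recompute with the locally configured password, compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
    return hmac.compare_digest(expected, received_digest)


def demo():
    """Sign a KEEPALIVE from 10.1.12.1 to 10.1.12.2 and evaluate three receiver outcomes."""
    hdr = build_tcp_header(BGP_PORT, 40000, seq=1000, ack=2000, flags=0x18, window=16384)  # PSH+ACK
    sig = tcp_md5_digest("10.1.12.1", "10.1.12.2", hdr, BGP_KEEPALIVE, "cisco")
    good = verify_segment("10.1.12.1", "10.1.12.2", hdr, BGP_KEEPALIVE, sig, "cisco")
    wrong_password = verify_segment("10.1.12.1", "10.1.12.2", hdr, BGP_KEEPALIVE, sig, "Cisqueros")
    tampered = BGP_KEEPALIVE[:-1] + b"\x03"   # message type flipped from KEEPALIVE to NOTIFICATION
    modified = verify_segment("10.1.12.1", "10.1.12.2", hdr, tampered, sig, "cisco")
    return good, wrong_password, modified


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The password never leaves the router; only the digest does, which is why the peer must be configured with the same string and why a passive observer cannot forge or splice segments into the session without it.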


____________________________________________________________________________________________________________________
BGP Route Reflectors
____________________________________________________________________________________________________________________
*Configuring Multi-protocol BGP (MP-BGP) Support for CLNS on Cisco Docs
Like the BGP Confederations - Route Reflectors REMOVE THE NEED FOR FULL-MESH iBGP peering. Route Reflectors let all the routers learn all
the iBGP routes, and prevent loops.
Route Reflector SERVERS: Allowed to learn the iBGP routes from their CLIENTS, and advertise them to other iBGP peers. RR Servers act as normal BGP peers with the NON-RR-CLIENT peers and the eBGP peers; they send them all the BGP Updates.
Route Reflector CLUSTER - One or more RR Servers and their clients. With MULTIPLE Clusters - at least one of the RRs must be peered with
at least one RR in Each Cluster.
There are 3 implemented LOOP PREVENTION Mechanisms:
1. CLUSTER_LIST - The Cluster ID is automatically added to this BGP PA (path attribute) when the route is reflected, so an RR rejects the prefixes in which its own Cluster ID appears. It's similar to the AS_PATH attribute, but instead of ASs it holds a list of CLUSTER IDs.
2. ORIGINATOR_ID - Attribute created by the RR. It's the Router ID of the first iBGP peer to advertise the route into the AS. The RR will not advertise the prefix back to the originator.
3. Only advertise BEST routes
The configuration is rather simple, and it consists of 2 steps (plus a check):
Step 1: Define the CLUSTER ID on ALL the routers (this is NOT MANDATORY)
(config-router)#bgp cluster-id 3

Step 2: There is a difference between the RR SERVER and RR CLIENT (under the BGP configuration). On RR SERVER configure ALL the clients:
(config-router)#neighbor 172.25.185.22 route-reflector-client
(config-router)#neighbor 172.25.186.59 route-reflector-client

Step 3: Check the status of each Client on the RR SERVER ROUTER:
#show ip bgp neighbors 172.25.185.22 | i Reflector
Route-Reflector Client

Also make sure that the routes you expect to learn from RR Clients look like this:
#sh ip bgp 2.0.0.0/8
BGP routing table entry for 2.0.0.0/8, version 23
Paths: (1 available, best #1, table default)
Advertised to update-groups:
4
Local, (Received from a RR-client)

#sh ip bgp 6.6.6.6
BGP routing table entry for 6.0.0.0/8, version 7
Paths: (1 available, best #1, table default)
Not advertised to any peer
Local
10.1.46.6 (metric 2) from 10.1.13.1 (1.1.1.1)
Origin IGP, metric 0, localpref 100, valid, internal, best
Originator: 6.6.6.6, Cluster list: 1.1.1.1, 4.4.4.4 <- CLUSTER LIST

DON'T forget to remove the iBGP sessions between CLIENTS, because... well, that's the point of implementing the RRs, to decrease the number of BGP peerings. The Route Reflector will "reflect" the routes received from one iBGP peer to the others. In the normal configuration (without route reflectors) the iBGP neighbors must be FULLY MESHED due to the SPLIT HORIZON rule (a prefix learned from an iBGP peer will NEVER be announced to another iBGP peer). Have in mind that the RR is a single point of failure in the Network, so - BEST PRACTICE is to have MULTIPLE
RR SERVERS, and make sure that RR SERVERS HAVE A FULL MESH.
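
As an added example of the three loop-prevention mechanisms listed above (my own model, not code from the guide or from IOS), the following Python simulates two route reflectors in different clusters, using router IDs as peer names and modelling iBGP peers only. reflect() returns what the RR would send to each peer: ORIGINATOR_ID is set on first reflection, the local cluster ID is prepended to CLUSTER_LIST, the route is never sent back to its originator, and only the best path is reflected; accept() is the receiver-side check that drops a route carrying the RR's own cluster ID or router ID. The topology (RR 1.1.1.1 with clients 6.6.6.6 and 2.2.2.2, RR 4.4.4.4 with client 5.5.5.5) is constructed to reproduce a route with Originator 6.6.6.6 and both cluster IDs from the output above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    local_pref: int = 100
    as_path: tuple = ()
    originator_id: str = ""      # ORIGINATOR_ID: router-id of the iBGP speaker that injected the route
    cluster_list: tuple = ()     # CLUSTER_LIST: cluster-id of every RR that reflected it, newest first


def best_path(candidates):
    """Mechanism 3: only the best path is reflected. Simplified bestpath: highest LOCAL_PREF,
    then shortest AS_PATH, then lowest ORIGINATOR_ID as a deterministic tie-breaker."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.originator_id))


@dataclass
class RouteReflector:
    router_id: str
    cluster_id: str
    clients: frozenset
    nonclients: frozenset        # iBGP peers not configured as route-reflector-client

    def accept(self, route):
        """Receiver-side loop check (mechanisms 1 and 2)."""
        if self.cluster_id in route.cluster_list:
            return False, f"own CLUSTER_ID {self.cluster_id} already in CLUSTER_LIST"
        if route.originator_id == self.router_id:
            return False, "ORIGINATOR_ID is our own router-id"
        return True, "accepted"

    def reflect(self, candidates, from_peer):
        """Reflect the best of the candidate paths learned from from_peer.
        Returns {peer_router_id: route_as_sent}."""
        route = best_path(candidates)
        if not self.accept(route)[0]:
            return {}
        if from_peer in self.clients:
            # From a client: to all other clients and to all non-clients.
            targets = set(self.clients | self.nonclients) - {from_peer}
        else:
            # From a non-client iBGP peer: to clients only (non-client to non-client is not reflected).
            targets = set(self.clients)
        sent = Route(route.prefix, route.local_pref, route.as_path,
                     originator_id=route.originator_id or from_peer,
                     cluster_list=(self.cluster_id,) + route.cluster_list)
        targets.discard(sent.originator_id)   # never reflect a route back to its originator
        return {peer: sent for peer in sorted(targets)}


def demo():
    rr1 = RouteReflector("1.1.1.1", "1.1.1.1", frozenset({"6.6.6.6", "2.2.2.2"}), frozenset({"4.4.4.4"}))
    rr2 = RouteReflector("4.4.4.4", "4.4.4.4", frozenset({"5.5.5.5"}), frozenset({"1.1.1.1"}))
    learned = [Route("6.0.0.0/8")]                                   # injected by client 6.6.6.6
    step1 = rr1.reflect(learned, from_peer="6.6.6.6")               # to 2.2.2.2 and 4.4.4.4
    step2 = rr2.reflect([step1["4.4.4.4"]], from_peer="1.1.1.1")    # to client 5.5.5.5 only
    looped = rr1.accept(step2["5.5.5.5"])                             # if it were ever sent back to RR1
    return step1, step2, looped
```

The last line of demo() is the case the CLUSTER_LIST exists for: a second RR (or a misconfigured client) sending the route back towards 1.1.1.1 is dropped because 1.1.1.1 is already on the list.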

____________________________________________________________________________________________________________________
BGP BACKDOOR Route
____________________________________________________________________________________________________________________
When you need the eBGP route to be LESS preferred - you need a way to tune it, because not many routing protocols "beat" eBGP's Administrative Distance (20). The "backdoor" argument sets the route's AD to 200 (as if it were an iBGP instead of an eBGP route), and so alters the order of preference in the routing table.
It's quite easy to configure - you configure a regular network using the "network" command, but add the "backdoor" argument at the end. This will advertise the route into the BGP process, but it will not install it in the routing table as long as the same prefix is already present there (learned from another source).
*BE CAREFUL!!! The BACKDOOR argument is applied to the network advertised TO YOU, not from you like in the normal "network" command
application.
(config-router)#network 150.1.2.0 mask 255.255.255.0 backdoor

Note that you will not SEE this route in the routing table unless the competing route with the better AD is down. Also, in the BGP table it will have the "r" symbol, meaning - not eligible to be added to the routing table:
#sh ip bgp | i 150.1.2
r> 150.1.2.0/24 10.1.13.1 0 100 200 ?

____________________________________________________________________________________________________________________
BGP CONDITIONAL Advertisements - Advertise Maps
____________________________________________________________________________________________________________________
This is a simple feature, but you really need to know the BGP philosophy and maybe even have some basic experience in programming. The
trick is to change the behavior of the BGP advertisements depending on the routes that are being learned.
Step 1: Configure 2 Route Maps, one for the CHECK condition, and another for PREFIXES you will advertise if CHECK passes. For example we
want to CHECK if the 2.0.0.0 is learned:
(config)#access-list 2 permit 2.0.0.0
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise 1.0.0.0 (matched by ACL 1):
(config)#access-list 1 permit 1.0.0.0
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1

Step 2:
Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE ?
exist-map advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS
non-exist-map advertise prefix only if prefix in the condition does not exist
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE non-exist-map CHECK

Intuitively we can see that the advertise-map (ADVERTISE here) is the route map that defines the routes that will be advertised, in this case only if the condition defined in the non-exist-map (CHECK) is NOT satisfied, meaning - if the prefixes are NOT in the table.

____________________________________________________________________________________________________________________
BGP Route Dampening
____________________________________________________________________________________________________________________
Cisco Docs: Advanced BGP Features
TIP: Don't forget to define the "set dampening ..." within the route-map configuration or you will be getting the following message when
checking the parameters:
#sh ip bgp dampening parameters
% dampening reconfiguration in progress for IPv4 Unicast

When you check the BGP prefixes using the "show ip bgp", besides the arguments that appeared so far (*, >, r) there is another "Tag" that can
appear, and it's a letter "d", which stands for DAMPENING.
#show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE
r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across an internetwork. A route
is considered to be flapping when its availability alternates repeatedly"
If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening

If you want to use this feature - make sure you understand the concept of PENALTIES being "rewarded" to a route every time it FLAPS, and
make sure you're familiar with the PARAMETERS of BGP DAMPENING:
#sh ip bgp dampening parameters
dampening 15 750 2000 60 (DEFAULT)
Half-life time : 15 mins Decay Time : 2320 secs
Max suppress penalty: 12000 Max suppress time: 60 mins
Suppress penalty : 2000 Reuse penalty : 750

1. HALF-LIFE (default 15 minutes): When a penalty is assigned to a route, the accumulated penalty is decreased every 5 seconds, so that when the half-life expires the accumulated penalty has been reduced by half. Default HALF-LIFE is 15 minutes, and the range is 1-45 minutes.
2. REUSE (default 750): The route becomes REUSABLE when the penalty for the flapping route goes BELOW THIS VALUE. By default it's 750, and the range is 1 to 20000.
3. SUPPRESS: The route is SUPPRESSED when the penalty REACHES THIS VALUE. Default is 2000, and the range is 1-20000.
4. MAX-SUPPRESS-TIME: Max time that the route can STAY SUPPRESSED. Default is 4 times the Half-Life value (60 minutes), range is 1-255 minutes.
If you need to configure BGP DAMPENING for certain routes only, use a ROUTE-MAP:
(config)#route-map DAMPEN_1
(config-route-map)#match ip address 15 <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL
(config-route-map)#set dampening 15 700 2000 60 <- SET DESIRED DAMPENING PARAMETERS
*Parameters can be defined directly under the BGP process, or within the Route-Map like here

Then apply it within the BGP configuration process:
(config-router)#bgp dampening route-map DAMPEN_1

This configuration can get quite complicated; for example you might need to MATCH THE AS-PATH, for which you need to be quite comfortable with regular-expression META CHARACTERS. To match prefixes originated by the directly connected AS 300:
(config)#ip as-path access-list 15 permit ^300$

And then MATCH it in the route-map and SET the dampening parameters:
(config)#route-map DAMPEN_2
(config-route-map)#match as-path 15
(config-route-map)#set dampening 15 700 2000 60
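
To make the parameters above concrete, here is an added simulation (my own code, not the guide's or IOS's) of the penalty arithmetic: each flap adds 1000 to the penalty, the penalty decays exponentially with the configured half-life (re-evaluated every 5 seconds, as described above), the route is suppressed once the penalty reaches the suppress limit and reused once it decays below the reuse limit, and the maximum penalty is derived from the other four values, which is why "dampening 15 750 2000 60" prints "Max suppress penalty: 12000" (750 * 2^(60/15)). The three flaps in demo() are constructed sample events.

```python
import math

FLAP_PENALTY = 1000     # penalty added to a route each time it flaps (is withdrawn)
DECAY_STEP = 5          # seconds between penalty re-evaluations


class Dampening:
    """Per-route dampening state for one parameter set (defaults = plain 'bgp dampening')."""

    def __init__(self, half_life_min=15, reuse=750, suppress=2000, max_suppress_min=60):
        self.half_life = half_life_min * 60
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress = max_suppress_min * 60
        # Ceiling on the penalty: the value that decays to exactly `reuse` after
        # max-suppress-time, so a route is never suppressed longer than that.
        self.max_penalty = int(reuse * 2 ** (self.max_suppress / self.half_life))
        self.penalty = 0.0
        self.suppressed = False
        self.elapsed = 0        # simulated seconds since the first event

    def flap(self):
        """Route withdrawn: add the flap penalty and suppress once the limit is reached."""
        self.penalty = min(self.penalty + FLAP_PENALTY, self.max_penalty)
        if self.penalty >= self.suppress:
            self.suppressed = True

    def advance(self, seconds):
        """Let time pass; the penalty halves every half_life seconds."""
        for _ in range(seconds // DECAY_STEP):
            self.elapsed += DECAY_STEP
            self.penalty *= 0.5 ** (DECAY_STEP / self.half_life)
            if self.suppressed and self.penalty < self.reuse:
                self.suppressed = False    # below reuse: the route is advertised again

    def seconds_until_reuse(self):
        """How long the route stays suppressed if it does not flap again."""
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def demo():
    d = Dampening()              # dampening 15 750 2000 60
    d.flap()                     # first flap: penalty 1000, still advertised
    d.advance(20)
    d.flap()                     # second flap: about 1985, still below suppress (2000)
    d.advance(20)
    d.flap()                     # third flap: about 2954, now suppressed
    after_flaps = (round(d.penalty), d.suppressed)
    until_reuse = d.seconds_until_reuse()   # roughly 30 minutes at these values
    d.advance(29 * 60)
    still_suppressed = d.suppressed
    d.advance(2 * 60)
    return d.max_penalty, after_flaps, until_reuse, still_suppressed, d.suppressed
```

Note what the numbers imply operationally: a prefix that flaps three times in under a minute disappears for roughly half an hour, and a prefix that keeps flapping is capped at the max penalty so it comes back after max-suppress-time at the latest.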
____________________________________________________________________________________________________________________
BGP Route Summarization
____________________________________________________________________________________________________________________
BGP Routes can be summarized in the BGP process configuration using the "aggregate-address" command. AGGREGATE is ONLY created if
at least one of the specific prefixes exists in BGP table.
(config-router)#aggregate-address 2.2.0.0 255.255.0.0 ?
advertise-map Set condition to advertise attribute <- ASSIGN THE ROUTE-MAP
as-confed-set Generate AS confed set path information
as-set Generate AS set path information
attribute-map Set attributes of aggregate <- SET ATTRIBUTES such as COST/METRIC using ROUTE-MAP
route-map Set parameters of aggregate
summary-only Filter more specific routes from updates <- ONLY THE SUMMARY, SUPRESSES OTHER PREFIXES
suppress-map Conditionally filter more specific routes from updates
<cr>
*If you need to UN-SUPPRESS some prefixes hidden by the Summary route, the command is applied PER NEIGHBOR
Another way to achieve the same effect is to create STATIC ROUTE to Null0, and advertise using "network" command.
ATOMIC-AGGREGATE is an attribute that is assigned AUTOMATICALLY to the aggregate route if the "as-set" argument is NOT used in the "aggregate-address" command (AS-SET preserves the AS numbers that the component routes were originated from).
Additional arguments (route-maps) are a bit complicated, so you need to know exactly what which one is for:
Suppress-map - suppresses the prefixes PERMITTED by the ACL it references (prefixes DENIED by the ACL are still ADVERTISED). The reverse (UNSUPPRESS, with the REVERSE logic) can be configured on a PER-NEIGHBOR basis:
(config-router)#neighbor x.x.x.x unsuppress-map UNSUPP

____________________________________________________________________________________________________________________
BGP INJECT and EXIST map
___________________________________________________________________________________________________________________
This is not so common; these maps are used for more granular control of the advertised routes. For example, if you want to make sure that a certain prefix is learned (EXIST) from a certain router (match ip route-source), then inject more specific prefixes (INJECT) into the router's BGP table:
(config-router)#bgp inject-map INJECT exist-map EXIST

____________________________________________________________________________________________________________________
BGP Community Attribute
___________________________________________________________________________________________________________________
*Under SERVICE PROVIDER in the Cisco Docs
The Community attribute is one of those non-standard BGP attributes that you really need to know well if you wish to use it. The big advantage is that from time to time you will just swoop in and solve a big architecture problem your colleague Network Engineers are having. The down side is that it's a bit tacky. For example, these are the communities you can set within the route-map configuration:
(config-route-map)#set community ?
<1-4294967295> community number
aa:nn community number in aa:nn format
additive Add to the existing community
internet Internet (well-known community) <-ADVERTISE these networks to ALL neighbors
local-AS Do not send outside local AS (well-known community) <-ONLY advertise within the AS
no-advertise Do not advertise to any peer (well-known community) <-Do not advertise to any peer.
no-export Do not export to next AS (well-known community) <-Do not advertise to eBGP peers.
none No community attribute
<cr>
*IMPORTANT: Do not forget to actually SEND the community to the neighbor, or your configuration will not work!!!
(config-router)#neighbor x.x.x.x send-community

You can of course apply the BGP community attributes in the INBOUND and OUTBOUND direction, where you automatically override the existing value (unless you use "additive"). Besides these well-known community values, you can also assign an arbitrary community number and use it later as a BGP TAG.
Extended community attributes are used to configure, filter, and identify routes for virtual routing and forwarding (VRF) instances and Multi-protocol Label Switching (MPLS) Virtual Private Networks (VPNs).
COST is an example of an EXTENDED COMMUNITY Attribute. It allows you to customize the local route preference, and in that way influence
the best path selection. It's configured under the route-map:
(config-route-map)#set extcommunity cost ?
<0-255> Community ID
igp Compare following IGP cost comparison
pre-bestpath Compare before all other steps in bestpath calculation <-CHECK THIS OUT!!!

So if you need to influence the path ABSOLUTELY:
(config-route-map)#set extcommunity cost pre-bestpath 100 ? <- THE COST ID (100) IS USED AS A TIE BREAKER
<0-4294967295> Cost Value (No-preference Cost = 2147483647) <-LOWER VALUE IS BETTER

There are 3 EXTENDED COMMUNITY attributes:
(config-route-map)#set extcommunity ?
cost Cost extended community
rt Route Target extended community <- FOR MPLS
soo Site-of-Origin extended community
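
As an added example (my own code, not the guide's), the following Python shows how the values in the "set community" help output above are actually represented and acted on: a community is a 32-bit number, written aa:nn as the high and low 16 bits, with the four well-known values at fixed code points (internet = 0, no-export = 0xFFFFFF01, no-advertise = 0xFFFFFF02, local-AS = 0xFFFFFF03). set_community() mirrors the replace-unless-additive behaviour, outbound_communities() mirrors the "send-community" requirement, and may_advertise() is the export decision a router makes for each well-known community; the difference between no-export and local-AS only shows up inside a confederation, which is why the function distinguishes confederation peers.

```python
INTERNET, NO_EXPORT, NO_ADVERTISE, LOCAL_AS = 0x00000000, 0xFFFFFF01, 0xFFFFFF02, 0xFFFFFF03
WELL_KNOWN = {INTERNET: "internet", NO_EXPORT: "no-export",
              NO_ADVERTISE: "no-advertise", LOCAL_AS: "local-AS"}
NAMES = {name.lower(): value for value, name in WELL_KNOWN.items()}


def parse_community(text):
    """Accept a well-known name, 'aa:nn', or a plain 32-bit number; return the 32-bit value."""
    if text.lower() in NAMES:
        return NAMES[text.lower()]
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"aa:nn parts must fit in 16 bits: {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community must fit in 32 bits: {text}")
    return value


def format_community(value):
    """Well-known name if there is one, otherwise aa:nn (the way IOS displays communities)."""
    return WELL_KNOWN.get(value, f"{value >> 16}:{value & 0xFFFF}")


def set_community(existing, new_values, additive=False):
    """'set community X [additive]': replaces the whole list unless additive is given."""
    return (frozenset(existing) if additive else frozenset()) | frozenset(new_values)


def outbound_communities(communities, send_community):
    """Without 'neighbor X send-community' the attribute is stripped from outgoing updates."""
    return frozenset(communities) if send_community else frozenset()


def may_advertise(communities, peer_kind):
    """Export decision for one peer. peer_kind: 'ibgp', 'confed' (eBGP inside the confederation) or 'ebgp'."""
    if NO_ADVERTISE in communities:
        return False                        # not to any peer at all
    if peer_kind == "ibgp":
        return True
    if LOCAL_AS in communities:
        return False                        # never leaves the local (sub-)AS
    if peer_kind == "confed":
        return True
    return NO_EXPORT not in communities     # no-export stops at the confederation/AS boundary


def demo():
    """Tag a prefix 65000:100, then add no-export without losing the first value."""
    comms = set_community([], [parse_community("65000:100")])
    comms = set_community(comms, [parse_community("no-export")], additive=True)
    return (sorted(format_community(c) for c in comms),
            [may_advertise(comms, kind) for kind in ("ibgp", "confed", "ebgp")],
            sorted(outbound_communities(comms, send_community=False)))
```

The last element of demo()'s result is the failure mode the IMPORTANT note warns about: without send-community the peer receives the prefix with no communities at all, so any policy on the far side that keys on them silently does nothing.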

____________________________________________________________________________________________________________________
BGP & Load Balancing
____________________________________________________________________________________________________________________
If you see the same route from 2 different sources:
#sh ip bgp | b Network
Network Next Hop Metric LocPrf Weight Path
* 10.1.23.0/24 10.1.12.2 0 0 300 i
*> 10.1.13.3 0 0 300 i

And in the routing table only one of them appears:
#sh ip route bgp
B 10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:01

You can increase the MAXIMUM PATH number, and add 2 (or more) different paths to the routing table:
(config-router)#maximum-paths 2

Check if the parameter "took":
#sh ip protocols | i Maxim
Maximum path: 1

And make sure the routing table has been updated (this happens immediately):
#sh ip route bgp
B 10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:04
[20/0] via 10.1.12.2, 00:00:04


UNEQUAL COST BALANCING: When you wish to Load Balance based on each Link's BW. This feature is used together with BGP MULTIPATH to advertise the exit links' BW as an EXTENDED COMMUNITY to iBGP peers. The configuration is somewhat weird:
Step 1: Enable DMZLINK-BW
(config-router)#bgp dmzlink-bw <- ON BORDER AND INTERNAL ROUTERS

Step 2: Configure BGP to include the BW of the external interface in the extended community, per neighbor:
(config-router)#neighbor 10.1.1.2 dmzlink-bw

BE SURE the neighbor is a SINGLE HOP eBGP PEER, or you will get a message:
%BGP: Propagation of DMZ-Link-Bandwidth is supported only for single-hop EBGP peers

Step 3: Send the COMMUNITY
(config-router)#neighbor 10.1.1.2 send-community extended

____________________________________________________________________________________________________________________
1. AS-Path (The fewer ASs in the path - the Better)
____________________________________________________________________________________________________________________
Used to influence another AS by adding or PREPENDING ASs to the prefix using a Route Map:
(config-route-map)#set as-path prepend 111 <- WITHIN ROUTE-MAP CONFIG

When you want to NOT-PREPEND the LOCAL AS to the advertised prefixes:
(config-router)#neighbor 10.1.1.2 local-as 100 no-prepend

When you want to REPLACE the PREPENDED AS to the advertised prefixes:
(config-router)#nei 10.1.1.2 local-as 100 no-prepend replace-as
*"replace-as" Instructs NOT TO PREPEND the REAL AS

You can do pretty granular control here using the AS-PATH Access Lists. You do need a basic knowledge of regular expression META characters for this, so for example, to match all the prefixes whose AS-PATH is exactly AS 65505 you do this:
(config)#ip as-path access-list 10 permit ^65505$ <-you can go wild with the filters
*in this case we are filtering the prefixes originated and advertised directly by AS 65505
The AS-PATH ACL can also be applied to a neighbor as a FILTER-LIST
(config-router)#neighbor 172.25.185.45 filter-list 10 in


REMINDER of the META Characters:
^ - START of Line
$ - END of Line
| - Logical OR
_ - ANY DELIMITER (space, comma, brace, parenthesis, or the start/end of the line)
? - ZERO OR ONE instance of the PRECEDING character
* - ZERO OR MORE instances of the PRECEDING character
+ - ONE OR MORE instances of the PRECEDING character
(x) - Combine the enclosed String as a single entity
[x] - Character class; matches ANY ONE of the enclosed characters (e.g. [0-9] matches one digit)
. - Any Character
After this you just match this condition in the route-map in order to set some parameter later:
(config-route-map)#match as-path 10

____________________________________________________________________________________________________________________
2. Weight (the Higher - the Better)
____________________________________________________________________________________________________________________
It's a CISCO Proprietary Attribute, used ONLY LOCALLY (it is never sent to any neighbor) to influence the path selection on that router by assigning the WEIGHT attribute to prefixes learned from a BGP Neighbor.
First you need to set up the route-map. You can use a MATCH condition, but you don't have to. In this case we will apply the weight to all the prefixes announced by a neighbor.
route-map SET_WEIGHT permit 10
match ...
set weight 500

And apply the route-map to a neighbor in the INBOUND direction (prefixes coming IN, meaning - are announced by that neighbor):
router bgp 65535
neighbor 172.21.12.2 remote-as 64500
neighbor 172.21.12.2 route-map SET_WEIGHT in

Or you can simply apply the WEIGHT attribute to the neighbor directly:
router bgp 65535
neighbor 172.21.12.2 remote-as 64500
neighbor 172.21.12.2 weight 500


____________________________________________________________________________________________________________________
3. MED (Multi Exit Discriminator)
____________________________________________________________________________________________________________________
* Attribute; RFC 1771 - Optional and Non-Transitive; The Smaller the Better
The router will compare the MED attribute for paths only from BGP peers that reside in the same autonomous system. In the CCIE the MED can also be used to influence the ISP BGP Neighbors to prefer one or the other exit point of your network, but in the real world most ISPs will DISCARD the MED attribute to try and enforce the HOT POTATO strategy, where if the route is not destined for the provider's network it prefers sending the traffic out to another provider ASAP.
This is the BGP attribute most similar to the OSPF Metric. Its nature is similar to the AS-Path, because both are used to influence the other AS by tuning the attributes of the Locally Originated and Advertised Prefixes. You can simply set it (set metric X) within the route-map configuration, and apply it to the BGP Neighbor in the OUTBOUND direction.
MED is used only for the routes from one AS to another. It makes no sense to compare MED values of the learned BGP routes from different
ASs.
If you wish to RE-ARRANGE the Attribute Comparison order, and for example wish to compare the MED value before the AS-Path (meaning - prefer the lower MED, regardless of the AS-Path), you can use these commands under the BGP configuration:
(config-router)#bgp always-compare-med <- to compare the MED value even for paths from different ASs
(config-router)#bgp bestpath as-path ignore <--- to IGNORE the AS-Path attribute, HIDDEN COMMAND on IOS!!!
*BE CAREFUL with the second command, the TAB key will not work and the "?" will not show you the "as-path" option

By default a MISSING MED value is considered the BEST one, because on most IOS versions it is treated as 0. To change this use:
(config-router)#bgp bestpath med missing-as-worst <- Treat the non-defined MED as the WORST

____________________________________________________________________________________________________________________
4. LOCAL PREFERENCE
____________________________________________________________________________________________________________________
It's used to PREFER AN EXIT POINT of a LOCAL BGP AS. Bigger is Better, DEFAULT: 100. There are 2 ways to configure the LOCAL PREFERENCE:
WAY 1: TRY AND INFLUENCE DOWNSTREAM (iBGP) BGP NEIGHBORS.
If we configure this one, all the routes we announce will have Local Preference 500, unless RE-WRITTEN.
(config-router)#bgp default local-preference 500

The same effect is achieved by defining a ROUTE-MAP, setting the Local Preference and applying it OUTBOUND:
(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM out
*configuration similar to the one explained below, within Way 2.

WAY 2: SUPERSEDES the 1st way
Applied INBOUND to the LEARNED routes we want to PREFER. It OVERWRITES the Local Preference announced by the upstream BGP
Neighbors.
Step 1: Define a PREFIX LIST with the PREFIXES you want to assign the Local preference to:
(config)#ip prefix-list LOCPREF_PREFIXES seq 5 permit 1.0.0.0/8

Step 2: Define a ROUTE-MAP to match the PREFIX and SET THE LOCAL PREFERENCE (in this case 500):
(config)#route-map LOCPREF_PREFIXESRM permit 10
(config-route-map)#match ip address prefix-list LOCPREF_PREFIXES
(config-route-map)#set local-preference 500

Step 3: Apply the ROUTE-MAP to the BGP process, INBOUND!!!
(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM in

Step 4: Clear the BGP process INBOUND, and check the BGP table:
#clear ip bgp * in
#sh ip bgp | i 1.0.0.0
Network Next Hop Metric LocPrf Weight Path
*>i1.0.0.0 10.1.14.1 0 500 0 100 i <- LOC.PREF IS 500

BE CAREFUL WITH THE NEXT HOP!!! So, if you cannot reach the IP in the Next Hop, do this:
(config-router)#neighbor 10.1.34.4 next-hop-self <-POINT TO ME TO REACH ALL THE PREFIXES I KNOW AND YOU DONT
The alternative to this is to add a ROUTE-MAP pointing to the neighbor, and within it alter the next hop.
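
As an added example that ties the four attribute sections above together (my own code, not the guide's and not IOS's bestpath implementation), here is the comparison order the notes describe: highest weight, then highest local preference, then shortest AS-path, then lowest MED, with the three knobs discussed under MED as options (bgp always-compare-med, bgp bestpath med missing-as-worst and bgp bestpath as-path ignore). The later tie-breakers (origin, eBGP over iBGP, IGP metric, router ID) are deliberately left out. The paths are constructed from the 10.1.23.0/24 example in the Load Balancing section (two next hops in AS 300) plus the neighbor 10.1.14.1 in AS 100 from the local preference output.

```python
from dataclasses import dataclass
from typing import Optional

MISSING_MED_AS_WORST = 2**32 - 1   # value a missing MED takes with 'bgp bestpath med missing-as-worst'


@dataclass(frozen=True)
class Path:
    next_hop: str
    neighbor_as: int            # AS of the peer the path was learned from
    as_path: tuple
    weight: int = 0             # Cisco-local, never propagated
    local_pref: int = 100       # AS-wide, carried to iBGP peers only
    med: Optional[int] = None   # None = MED attribute absent


@dataclass(frozen=True)
class Knobs:
    always_compare_med: bool = False    # bgp always-compare-med
    missing_as_worst: bool = False      # bgp bestpath med missing-as-worst
    ignore_as_path: bool = False        # bgp bestpath as-path ignore


def effective_med(path, knobs):
    if path.med is None:
        return MISSING_MED_AS_WORST if knobs.missing_as_worst else 0   # IOS default: missing = 0 = best
    return path.med


def better(a, b, knobs=Knobs()):
    """True if a strictly beats b on weight, local-pref, AS-path length, MED (in that order)."""
    if a.weight != b.weight:
        return a.weight > b.weight                     # higher weight wins
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref             # higher local preference wins
    if not knobs.ignore_as_path and len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)         # fewer ASs win (skipped with as-path ignore)
    if knobs.always_compare_med or a.neighbor_as == b.neighbor_as:
        ma, mb = effective_med(a, knobs), effective_med(b, knobs)
        if ma != mb:
            return ma < mb                             # lower MED wins, same neighbor AS unless forced
    return False                                       # tie at this depth: keep the incumbent


def best(paths, knobs=Knobs()):
    """Run the comparison over a list; on a full tie the earlier path stays (deterministic)."""
    incumbent = paths[0]
    for candidate in paths[1:]:
        if better(candidate, incumbent, knobs):
            incumbent = candidate
    return incumbent


def demo():
    via_12 = Path("10.1.12.2", 300, (300,), med=50)
    via_13 = Path("10.1.13.3", 300, (300,), med=None)          # MED attribute missing
    via_14 = Path("10.1.14.1", 100, (100, 300), med=10)          # longer AS-path, lower MED
    return {
        "default": best([via_12, via_13]).next_hop,                               # missing MED = 0 wins
        "missing_as_worst": best([via_12, via_13], Knobs(missing_as_worst=True)).next_hop,
        "as_path_before_med": best([via_12, via_14]).next_hop,                    # one AS beats two
        "med_before_as_path": best([via_12, via_14],
                                   Knobs(ignore_as_path=True, always_compare_med=True)).next_hop,
        "weight": best([via_13, Path("10.1.12.2", 300, (300,), weight=500, med=50)]).next_hop,
        "local_pref": best([via_12, Path("10.1.14.1", 100, (100,), local_pref=500)]).next_hop,
    }
```

The "default" versus "missing_as_worst" pair is the trap mentioned under MED: a neighbor that simply omits the attribute wins by default, which is why missing-as-worst is usually turned on where MED is relied upon.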
____________________________________________________________________________________________________________________
BGP Filters: Distribution and Prefix lists
____________________________________________________________________________________________________________________
The main difference between applying the DISTRIBUTE list and the PREFIX list to the BGP neighbor is:
DISTRIBUTE LIST: You need to define the ACL, and apply it in the form of a Distribution List:
(config)#access-list 1 deny 172.12.25.0 0.0.0.255
(config-router)#neighbor 5.5.5.5 distribute-list 1 in

PREFIX LIST: You define the PREFIX list, and apply the same prefix list to the BGP neighbor
(config-router)#neighbor 5.5.5.5 prefix-list PREF_LIST in

____________________________________________________________________________________________________________________
BGP: Regular Expressions
____________________________________________________________________________________________________________________
!!!Additional and Legacy protocols>IOS Terminal Services Configuration Guide>APPENDIXES (within the Cisco Docs)
REMINDER of the META Characters
^ - START of Line
$ - END of Line
| - Logical OR
_ - ANY DELIMITER (space, comma, brace, parenthesis, or the start/end of the line)
? - ZERO OR ONE instance of the PRECEDING character
* - ZERO OR MORE instances of the PRECEDING character
+ - ONE OR MORE instances of the PRECEDING character
(x) - Combine the enclosed String as a single entity
[x] - Character class; matches ANY ONE of the enclosed characters (e.g. [0-9] matches one digit)
. - Any Character

EXAMPLES (REMEMBER THESE!!!)
_65505$ - Prefixes that END with the AS 65505, meaning - they were originated by that AS
_65505_ - Prefixes that traversed the AS 65505
^$ - Locally Originated Prefixes (START and END of the line)
.* - ANY prefix (zero or more instances of ANY character)
^[0-9]+$ - All the prefixes from DIRECTLY CONNECTED ASs (meaning - they have only 1 AS in the AS PATH)
BEFORE CREATING THE AS-PATH ACL: If you want to STOP using the recursive algorithm, in order to be able to control more complex regular expressions:
(config-router)#bgp regexp deterministic

Now you can actually DISPLAY the prefixes that match your condition in the AS-PATH before defining the AS-PATH ACL
#show ip bgp regexp REGULAR_EXPRESSION

*There is a TRICK here; a parenthesized group is remembered and \1 refers back to it, so instead of the expression ^300$ (which misses paths where AS 300 was prepended) you would type
#show ip bgp regexp ^(300)(_\1)*$
You can also display the Filter List before applying it to the neighbor:
#show ip bgp filter-list 1
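
As an added example covering both the META character reminder and the EXAMPLES above (my own code, not the guide's and not IOS's regex engine), the following Python applies IOS-style AS-path regular expressions to a const<br>ructed BGP table. Python's re has no "any delimiter" atom, so ios_to_python() rewrites each _ into the alternation IOS uses (space, comma, braces, parentheses, start or end of line); everything else is plain regex, including the (300)(_\1)* back-reference trick. show_ip_bgp_regexp() plays the role of "show ip bgp regexp", and as_path_filter() evaluates an ordered ip as-path access-list with the implicit deny at the end, which is what "neighbor ... filter-list" applies. The 655055 entry is there to show why _65505_ is safer than a bare 65505.

```python
import re

# IOS "_" = any delimiter: comma, braces, parentheses, space, or the beginning/end of the string.
IOS_DELIMITER = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Rewrite an IOS AS-path regex into an equivalent Python regex."""
    return pattern.replace("_", IOS_DELIMITER)


def as_path_matches(pattern, as_path):
    """IOS matching is an unanchored search unless ^ / $ are given explicitly."""
    return re.search(ios_to_python(pattern), as_path) is not None


def as_path_filter(acl, as_path):
    """Evaluate an 'ip as-path access-list': first matching entry wins, implicit deny at the end.
    acl is an ordered list of (action, pattern) tuples."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# Constructed sample table: prefix -> AS-path string exactly as 'show ip bgp' prints it.
BGP_TABLE = {
    "5.0.0.0/8": "",               # locally originated
    "1.0.0.0/8": "65505",          # learned directly from AS 65505
    "2.0.0.0/8": "300 65505",      # originated by 65505, received via AS 300
    "3.0.0.0/8": "65505 200",      # transited 65505, originated by AS 200
    "4.0.0.0/8": "300 300 300",    # AS 300 with prepending
    "6.0.0.0/8": "100 655055",     # contains the digits 65505 but is a different AS
}


def show_ip_bgp_regexp(pattern, table=BGP_TABLE):
    """Prefixes whose AS-path matches, like 'show ip bgp regexp <pattern>'."""
    return sorted(prefix for prefix, path in table.items() if as_path_matches(pattern, path))


def demo():
    deny_65505 = [("deny", "_65505_"), ("permit", ".*")]
    return {
        "originated_by_65505": show_ip_bgp_regexp("_65505$"),
        "transited_65505": show_ip_bgp_regexp("_65505_"),
        "directly_connected_only": show_ip_bgp_regexp("^65505$"),
        "local": show_ip_bgp_regexp("^$"),
        "one_as_in_path": show_ip_bgp_regexp("^[0-9]+$"),
        "prepended_300": show_ip_bgp_regexp(r"^(300)(_\1)*$"),
        "filter_list": {p: as_path_filter(deny_65505, path) for p, path in BGP_TABLE.items()},
    }
```

Testing a pattern against a table like this before creating the AS-path ACL is the offline equivalent of the "show ip bgp regexp" check recommended above: a filter that is one character off (65505 instead of _65505_) silently matches 655055 as well.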


____________________________________________________________________________________________________________________
BGP Confederations
____________________________________________________________________________________________________________________
BGP Confederation Identifier is used to configure a GROUP OF SMALL ASs as a SINGLE AS. It's used to reduce iBGP mesh. On ALL the routers
within ALL ASs issue the command:
(config-router)#bgp confederation identifier 250

Once the Identifier is configured, you need to configure all the directly connected eBGP peers (this command is not needed if there are no
eBGP sub confederation peers):
(config-router)#bgp confederation peers 65505 65409 65111 <-DEFINE ALL SUB-ASs WITHIN THE CONFEDERATION, EXCEPT THE LOCAL ONE

If a router OUTSIDE the confederation peers with it, it uses the CONFEDERATION IDENTIFIER AS THE remote AS:
(config-router)#neighbor 10.1.45.4 remote-as 250

Check the BGP table, and make sure all the prefixes are sourced by the VIRTUAL AS 250:
(config-router)#do sh ip bgp
BGP table version is 14, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 10.1.45.4 0 250 i
*> 2.0.0.0 10.1.45.4 0 250 i
*> 3.0.0.0 10.1.45.4 0 250 i
*> 4.0.0.0 10.1.45.4 0 0 250 i
*> 5.0.0.0 0.0.0.0 0 32768 i

____________________________________________________________________________________________________________________
MP-BGP (Multi-Protocol BGP)
____________________________________________________________________________________________________________________
By default, commands entered under the router bgp command apply to the IPv4 address family. This will continue to be the case unless you
enter the "no bgp default ipv4-unicast" as the first command under the router bgp command:
(config-router)#no bgp default ipv4-unicast
*The PEERING will NOT be established, unless you do the ACTIVATE command under the BGP process:
(config-router)#address-family vpnv4
(config-router-af)#neighbor 3.3.3.3 activate

Make sure you're checking for the neighbors under the VPNv4 UNICAST Address Family:
#sh bgp vpnv4 unicast all summary
BGP router identifier 4.4.4.4, local AS number 65001
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.3.3.3 4 65001 19 19 1 0 0 00:03:47 0

When you have various VRFs on the router, and you're configuring the BGP peering with the CLIENT router within the VRF assigned to that client, note 2 things:
1. A separate IPv4 VRF address family is created under BGP. When you configure the BGP PEERING with the CLIENT, you should configure it under that specific AF:
router bgp 65001
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 65001
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CLIENT_VRF <-AUTOMATICALLY CREATED AF UNDER THE BGP
neighbor 10.1.45.5 remote-as 65015 <-ADD PEERING WITH THE CLIENT
neighbor 10.1.45.5 activate <-COMMAND ADDED AUTOMATICALLY STARTING FROM 12.4
no synchronization
exit-address-family

2. On the CLIENT side you will NOT LEARN the BGP routes announced by other CEs of the same client, due to the LOOP PREVENTION mechanism implemented in BGP (routes that carry the router's own AS in the AS-PATH are rejected). To change this behavior, on the client's CE do:
(config-router)#neighbor 10.1.45.4 allowas-in ?
<1-10> Number of occurances of AS number (I RECOMMEND NOT TO EXAGGERATE, SO - ONLY 1!)

Another way would be to OVERRIDE the AS number on the PE. This way the PE advertises BGP routes with its own AS number attached instead
of the ORIGINATING AS:
(config-router-af)#neighbor 10.1.13.1 as-override
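Added example (not from the original guide, Python instead of IOS) modelling the AS-PATH behaviour described in point 2: the CE's loop check, what "allowas-in" relaxes and what "as-override" rewrites. AS 65001 and 65015 come from the configs above; the prefix flow (CE1 -> PE1 -> PE2 -> CE2) and the function names are constructed for the example:

```python
PE_AS = 65001       # provider AS, as in the notes
CLIENT_AS = 65015   # customer AS, reused at both CE sites (constructed)


def ce_accepts(as_path, local_as, allowas_in=0):
    """Default BGP loop prevention: an UPDATE whose AS_PATH already contains
    the receiving router's own AS is discarded. "neighbor X allowas-in N"
    relaxes this to tolerate up to N occurrences (0 = default behaviour)."""
    return as_path.count(local_as) <= allowas_in


def pe_as_override(as_path, pe_as, ce_as):
    """"neighbor X as-override" on the PE: every occurrence of the CE's AS in
    the path is rewritten to the PE's own AS before the route goes to that CE,
    so the CE's loop check never fires."""
    return [pe_as if asn == ce_as else asn for asn in as_path]


def path_seen_by_ce2(allowas_in=0, override=False):
    """Trace a prefix from CE1 -> PE1 -> (VPNv4, iBGP) -> PE2 -> CE2 and return
    (AS_PATH as received by CE2, whether CE2 installs it)."""
    as_path = []                       # CE1 originates the prefix
    as_path = [CLIENT_AS] + as_path    # CE1 -> PE1 is eBGP: CE1 prepends its AS
    # PE1 -> PE2 is iBGP inside the provider: AS_PATH is carried unchanged
    if override:
        as_path = pe_as_override(as_path, PE_AS, CLIENT_AS)
    as_path = [PE_AS] + as_path        # PE2 -> CE2 is eBGP: PE2 prepends its AS
    return as_path, ce_accepts(as_path, CLIENT_AS, allowas_in)


if __name__ == "__main__":
    print("default      ", path_seen_by_ce2())
    print("allowas-in 1 ", path_seen_by_ce2(allowas_in=1))
    print("as-override  ", path_seen_by_ce2(override=True))
```

Default run: CE2 receives AS-PATH 65001 65015, sees its own AS and drops the route. allowas-in 1 accepts it, but it also accepts any genuinely looped path with one occurrence, which is why the count should stay at 1. as-override hands CE2 a path of 65001 65001: the loop check stays intact, but CE2 can no longer tell that the route came from its own company's other site.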
____________________________________________________________________________________________________________________
Route Redistribution TIPs
____________________________________________________________________________________________________________________
RIP: The metric is the HOP COUNT, so if you don't want the next router to learn a route set the hops to 16 (infinity):
(config-rmap)#set metric 16
!!!NOTE that RIP will not advertise a route if it didn't make it into the ROUTING TABLE
OSPF: You might need to TUNE THE ADMINISTRATIVE DISTANCE:
(config-router)#distance 150 3.3.3.3 0.0.0.0 10 <- 150 is the new AD for routes learned from router 3.3.3.3, 10 is an OPTIONAL ACL limiting which prefixes get it

DISCARD ROUTE is a route injected automatically when we SUMMARIZE OSPF, for LOOP PREVENTION. To remove it:
(config-router)#no discard-route [internal | external] <- INTERNAL on ABR, EXTERNAL on ASBR

HAVE IN MIND that the SOURCE ROUTER and the SOURCE PROTOCOL can be matched within a route-map. MATCH IP ROUTE-SOURCE matches the router
that ADVERTISED the prefix - in OSPF that's not the NEXT HOP but the ORIGINATING Router-ID of the PREFIX:
(config-route-map)#match ip route-source 4 <- ACL 4 includes the Router-ID

Also the SOURCE PROTOCOL can be matched, when we want to PREVENT a certain protocol's prefixes from entering the Route Table:
(config-route-map)#match source-protocol ?
bgp Border Gateway Protocol (BGP)
connected Connected
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
mobile Mobile routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
<cr>

EIGRP: When you need to match a METRIC RANGE, like 22222 to 44444, the route-map takes the MIDDLE value and a DEVIATION, so:
METRIC = (22222 + 44444) / 2 = 33333
DEVIATION = (44444 - 22222) / 2 = 11111
So when you're MATCHING the METRIC of EIGRP routes within the Route Map:
(config-route-map)#match metric 33333 +- 11111
QoS


____________________________________________________________________________________________________________________
QoS TIPS
____________________________________________________________________________________________________________________
TIP: When you need to MAXIMIZE EFFICIENCY on a Serial Link, use COMPRESS PREDICTOR or COMPRESS STACKER (STACKER costs more CPU but
less MEMORY, PREDICTOR the other way around). It's an interface command, and both ends of the link must use the same algorithm:
(config-if)#compress predictor | stacker

TIP: IntServ - integrated services model, end-to-end QoS, where the application has to be aware of the QoS details of the entire path (the
application reserves resources in the network, e.g. via RSVP)
DiffServ - differentiated services, where QoS is handled per hop. Traffic is grouped into classes, and a PHB (per hop behavior) defines how
each hop treats each class
TIP: Traffic POLICING can be applied inbound or outbound, Traffic SHAPING - only outbound
CONFORM: traffic fits within Bc, EXCEED: it uses the Be tokens, VIOLATE: above Bc + Be
CIR - average (committed) BW
EIR - excess BW
Tc - committed time interval in which shaping is done, e.g. sample 4 times per second = Tc of 250ms
Bc - committed BURST, how many bits may be sent per Tc interval to achieve the shaping rate (Bc = CIR x Tc)
Be - excess burst; if we didn't send all the traffic we could (defined by Bc) in a few intervals, we can compensate by sending MORE later
(up to Be)
Transmit Ring - hardware queue of the interface
TIP: Shape AVERAGE sets the normal rate; Shape ADAPTIVE sets the lower rate to fall back to when a congestion notification (BECN) is received
(config-pmap-c)#shape ?
adaptive Enable Traffic Shaping adaptation to BECN
average configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc only per interval
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN

If normal shaping is needed on a Frame-Relay link, just configure DIRECTLY ON THE INTERFACE AND configure the rest of the required
parameters within the Map-Class:
(config-if)#frame-relay traffic-shaping

TIP: QoS on the 3560 Switch: if "mls qos" isn't enabled, CoS/DSCP markings pass through untouched. Once it's enabled, every port is UNTRUSTED
by default, so incoming CoS and DSCP are rewritten to 0 unless you configure "mls qos trust". 3560 and 3750 switches have 4 egress queues per
interface, serviced by SRR (Shaped/Shared Round Robin).
____________________________________________________________________________________________________________________
QoS on Access Ports
____________________________________________________________________________________________________________________
When there is a CISCO Phone behind, configure the port as ACCESS:
(config-if)#switchport access vlan 3 <--- data VLAN
(config-if)#switchport mode access
(config-if)#switchport voice vlan 5 <--- Cisco Phone VLAN

If you want to trust the Phone CoS markings:
(config-if)#mls qos trust device cisco-phone

86
Hitchhikers Guide to the CCIE v0.3 [cisqueros.blogspot.com]
Mark all incoming traffic:
(config-if)#mls qos cos 2 <- sets the DEFAULT CoS, applied ONLY to UNTAGGED frames; add "mls qos cos override" to force it on ALL frames

And to REMARK the DATA traffic coming through the phone (VLAN 3 IN THIS CASE), tell the phone to re-mark the PC's frames:
(config-if)#switchport priority extend cos 1

If you want to check how the traffic is reaching the router from the configured switched interface, make the class map on a ROUTER matching
the DSCP or COS values you are interested in:
(config)#class-map cos2
(config-cmap)#match CoS 2

Then create a Policy Map that includes this Class:
(config)#policy-map QoS_test
(config-pmap)#Class cos2

And apply it to an Interface directly connected to the Switch that marks the traffic:
(config-if)#service-policy QoS_test in

#show policy-map interface Fa0/1.100
FastEthernet0/1.100
Service-policy input: QOS_IN
Class-map: COS1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps <--- LOAD INTERVAL is 5 Minutes by default, can be changed ON INTERFACE
Match: cos 1
Class-map: COS2 (match-all)
5 packets, 590 bytes
5 minute offered rate 0 bps
Match: cos 2
Class-map: COS4 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 4
Class-map: COS5 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 5

*Change LOAD INTERVAL, in this case set it to 30 seconds:
(config-if)#load-interval ?
<30-600> Load interval delay in seconds <--- DEFAULT IS 5 MINUTES, as shown above

#show policy-map interface
FastEthernet0/1
Service-policy input: MATCHES
Class-map: DSCP10 (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps <--- TA-DAAAAA
Match: ip dscp af11 (10)

Make sure you have "mls qos trust cos" OR "mls qos cos override" configured!
#show mls qos interface GigabitEthernet 3/0/2
GigabitEthernet3/0/2
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

If you want all the traffic going out of a port to be marked with a particular IP PRECEDENCE (or DSCP) value, use "class-default":
(config)#policy-map SET-ALL-5
(config-pmap)#class class-default
(config-pmap-c)#set ip precedence 5

And then apply it in the OUTBOUND direction on the interface:
(config-if)#service-policy output SET-ALL-5
____________________________________________________________________________________________________________________
DSCP and COS MAPPING
____________________________________________________________________________________________________________________
QoS MUTATION: If you need to RE-MARK packets carrying one particular DSCP/CoS value to a different value
Step 1: Check if the QoS has been globally enabled on the Switch:
QoS_UP_SW1#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

Step 2: Define the DSCP Mutation Map:
(config)#mls qos map dscp-mutation MUTATION_NAME 1 to 60
This map re-marks DSCP 1 to DSCP 60; packets with any other DSCP value are left as they are
Step 3: Check if the "mls qos trust" command has been applied, its a must. Apply the Mutation Map to the Physical Interface:
(config-if)#mls qos dscp-mutation MUTATION_NAME

Note that for this to work, DSCP REWRITE has to be enabled globally on the switch (*IT IS ENABLED BY DEFAULT). Disable it only if you need
QoS enabled but DON'T want traffic on untrusted ports to be REMARKED TO 0:
(config)#no mls qos rewrite ip dscp

Check if it "worked":
#show mls qos map dscp-mutation
Dscp-dscp mutation map (d1 = tens digit, d2 = units digit of the DSCP value):
MUTATION_NAME:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 60 02 03 04 05 06 07 08 09 <--- HERE, THE D1:D2=0:1 MUTATES TO D1:D2=0:60
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63

Dscp-dscp mutation map:
Default DSCP Mutation Map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09 <--- BY DEFAULT IT STAYS 0:1
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
____________________________________________________________________________________________________________________
Map COS to DSCP on a device
____________________________________________________________________________________________________________________
#show mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 40 48 56


(config)#mls qos map cos-dscp 0 8 16 24 32 40 48 7 <--- MAP COS 7 to DSCP 7
#show mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 40 48 7

____________________________________________________________________________________________________________________
QoS POLICING - INDIVIDUAL and AGGREGATE POLICER
____________________________________________________________________________________________________________________
! Be sure to do "no mls qos", and after a few seconds "mls qos" to be sure POLICING takes effect
INDIVIDUAL POLICER: Basic, per CLASS that matches a DSCP value
AGGREGATE POLICER: "mls aggregate-policer":
mls qos aggregate-policer AGGREG 500000 25000 exceed-action drop
(config)#policy-map CISQUEROS
(config-pmap)#class DSCP10 <--- APPLY TO ALL CLASSES YOU WANT TO AGGREGATE THE POLICY ON
(config-pmap-c)#police aggregate AGGREG

____________________________________________________________________________________________________________________
PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list)
____________________________________________________________________________________________________________________
Uses 4 queues: high, medium, normal and low. The HIGH queue is always emptied first, so it can STARVE the lower ones.
Define the PRIORITY LIST. A priority-list works like an access-list, it's processed from top to bottom, so define the MORE SPECIFIC entries first:
(config)#priority-list 1 protocol http ?
high
medium
normal
low

(config)#priority-list 1 protocol ip normal udp tftp <--- for IP protocols
(config)#priority-list 1 default LOW

Then just apply it on an interface:
(config-if)#priority-group 1 <--- IT'S ALWAYS AN OUTBOUND DIRECTION

If you also need to LIMIT THE QUEUE sizes PER CLASS:
(config)#priority-list 1 queue-limit 80 60 40 20 <--- HIGH>80 , MEDIUM>60 , NORMAL>40 , LOW>20
QUEUE LIST (custom queueing) defines 16 configurable queues (1-16) plus the SYSTEM QUEUE 0. The queues are serviced in ROUND ROBIN, each one
sending up to its byte-count per pass, so with the default byte-count they all have the SAME WEIGHT
Queue 0 - System queue, emptied before the others and not configurable (IP Routing UPDATES do NOT go here!!! only L2 Keepalives & Neighbor Discovery)
(config)#queue-list 1 protocol http 4
(config)#queue-list 1 protocol ip 3 tcp telnet
(config)#queue-list 1 protocol ip 6 udp tftp
(config)#queue-list 1 default 5

Also applied on the interface:
(config-if)#custom-queue-list 1 <--- ALWAYS OUTBOUND!!!

#show queueing custom
Current custom queue configuration:
List Queue Args
1 5 default
1 4 protocol http
1 3 protocol ip tcp port telnet
1 6 protocol ip udp port tftp

The share of BANDWIDTH each queue gets per round-robin pass is set with the "byte-count" parameter (default 1500 bytes; a queue always sends
whole packets, so the real share also depends on the packet sizes):
(config)#queue-list 1 queue 1 byte-count 1500


____________________________________________________________________________________________________________________
WFQ - By default works with IP PRECEDENCE
____________________________________________________________________________________________________________________
DEDICATES MORE BANDWIDTH TO THE HIGHER IP PRECEDENCE TRAFFIC (a flow's weight is inversely proportional to precedence + 1)!!! Check the Interface Capabilities and Thresholds on a Router:
#show inter s0/1/0 | b Output
Output queue: 0/1000/64/0 (size/max total/threshold/drops)<-HOLD-QUEUE LIMIT is 1000,DISCARD THRESHOLD is 64
Conversations 0/2/256 (active/max active/max total) <--- MAX DYNAMIC QUEUE NUMBER IS 256
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec

Check the current FAIR QUEUE settings:
#show queueing fair
Current fair queue configuration:
Interface Discard Dynamic Reserved Link Priority
threshold queues queues queues queues
Serial0/1/0 64 256 0 8 1
Serial0/1/1 64 256 0 8 1

And apply the changes on the INTERFACE level:
(config-if)#fair-queue 128 512 <-DISCARD THRESHOLD 128, DYNAMIC QUEUES 512
(config-if)#hold-queue 1200 out <-HOLD QUEUE, max number of PACKETS the output queue can hold in total
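Added example, not part of the original notes: a Python model of how WFQ's sequence numbers favour higher precedence. The weight formula (32384 / (precedence + 1), integer arithmetic) is the one IOS uses since 12.0(5)T; older code used 4096. The packet arrivals are constructed, and the scheduler's virtual time is assumed to be 0 when they all arrive:

```python
def wfq_weight(precedence):
    """IOS WFQ weight: 32384 // (IP precedence + 1).
    Lower weight -> smaller sequence numbers -> served sooner."""
    return 32384 // (precedence + 1)


def wfq_schedule(packets):
    """packets: list of (flow, precedence, length_bytes) in arrival order, all
    arriving into a congested interface before anything is dequeued. A packet's
    sequence number (SN) is the SN of the previous packet of the same flow
    plus weight x length; the scheduler always transmits the lowest SN next.
    Returns (transmit order as packet indices, list of sequence numbers)."""
    last_sn = {}          # per-flow SN of the last enqueued packet
    sns = []
    for flow, prec, length in packets:
        sn = last_sn.get(flow, 0) + wfq_weight(prec) * length
        last_sn[flow] = sn
        sns.append(sn)
    order = sorted(range(len(packets)), key=lambda i: (sns[i], i))
    return order, sns


# Constructed arrivals: flow A is precedence 0 bulk data, flow B is
# precedence 5 voice-like traffic, flow C is a single small precedence 0 packet.
SAMPLE = [("A", 0, 1500), ("A", 0, 1500), ("A", 0, 1500),
          ("B", 5, 1500), ("B", 5, 1500), ("B", 5, 1500),
          ("C", 0, 100)]

if __name__ == "__main__":
    order, sns = wfq_schedule(SAMPLE)
    for i in order:
        print(SAMPLE[i], "SN =", sns[i])
```

All three precedence 5 packets leave before the first precedence 0 packet of flow A, which is the "more bandwidth to higher precedence" effect. The 100-byte packet of flow C goes out first of all: WFQ is fair per flow and small packets get small sequence numbers even at precedence 0, so a low-priority bulk flow cannot starve an interactive one.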
____________________________________________________________________________________________________________________
RSVP - Resource Reservation Protocol
____________________________________________________________________________________________________________________
SENDER sends PATH MESSAGES through the network. When RSVP is enabled, router receives PATH message:
| FROM | TO | PREV_HOP | BW | <--- PATH message, stored on the Router and forwarded down the PATH

RECEIVER receives the PATH MESSAGE and forms the RESERVATION MESSAGE (RSVP Reservation Request), which is propagated up the exactly
same route of the path message. Each ROUTER on the PATH either ACCEPTS or REJECTS the RSVP Reservation Request, based on its
RESOURCES. SENDER receives the RESERVATION MESSAGE and it's ready to start the transmission
First, on every interface along the path, define how much BW RSVP may reserve:
(config-if)#ip rsvp bandwidth 400 180 <--- 400 kbps TOTAL reservable on the interface, 180 kbps max for a SINGLE flow

To define the SENDER and the RECEIVER:
(config)#ip rsvp sender-host 10.1.112.2 10.1.112.1 tcp 0 0 10 5 <-to GENERATE and SEND PATH MESSAGES (destination, source, protocol,
ports, BW in kbps, burst in KB). The two 0s mean - IGNORE THE PORT NUMBERS
(config)#ip rsvp reservation-host 1.1.1.1 2.2.2.2 tcp 0 0 ?
ff Single Reservation
se Shared Reservation, Limited Scope
wf Shared Reservation, Unlimited Scope

(config)#ip rsvp reservation-host 10.1.112.2 10.1.112.1 tcp 0 0 ff rate 10 5 <-RECEIVER WITH SINGLE
RESERVATION

DEBUG RSVP:
*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Refresh RESV, req=659606AC,
refresh interval=30000mSec [cleanup timer is not awake]
*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Sending Resv message to 10.1.112.1
*Aug 22 15:54:33.595: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Received Path message from 10.1.112.1
(on FastEthernet0/0)

If you want the Router to be the RSVP PROXY:
ip rsvp sender 10.1.112.2 1.1.1.1 tcp 0 0 1.1.1.1 lo0 10 5
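Added example, not from the original guide: a Python walk through the PATH/RESV exchange described above, with per-hop admission control against "ip rsvp bandwidth 400 180". Router names, session IDs and rates are constructed; the model keeps only the PREV_HOP state and the reserved bandwidth, nothing else of real RSVP:

```python
class RsvpRouter:
    """One hop with 'ip rsvp bandwidth <total> <single>' on its interface."""

    def __init__(self, name, total_kbps, single_kbps):
        self.name = name
        self.total = total_kbps        # max reservable on the interface
        self.single = single_kbps      # max for one single flow
        self.reserved = 0
        self.path_state = {}           # session -> previous hop (PHOP)


def send_path(routers, session, sender):
    """PATH flows sender -> receiver; every hop stores the previous hop so
    the RESV can retrace exactly the same route."""
    phop = sender
    for r in routers:
        r.path_state[session] = phop
        phop = r.name
    return phop                         # what the receiver sees as PHOP


def send_resv(routers, session, kbps):
    """RESV flows receiver -> sender. Each hop admits the flow only if it fits
    both the single-flow cap and the remaining total; on rejection a ResvErr
    goes back and the hops that already admitted it release the bandwidth."""
    trace, admitted = [], []
    for r in reversed(routers):
        phop = r.path_state.get(session)
        if phop is None:
            trace.append((r.name, "no PATH state, RESV dropped"))
            break
        if kbps > r.single or r.reserved + kbps > r.total:
            trace.append((r.name, "ResvErr (admission control)"))
            break
        r.reserved += kbps
        admitted.append(r)
        trace.append((r.name, "Resv forwarded to " + phop))
    else:
        return True, trace
    for r in admitted:                  # roll back the partial reservation
        r.reserved -= kbps
    return False, trace


def demo():
    """Three hops configured like the notes ('ip rsvp bandwidth 400 180');
    returns (session, kbps, admitted?, kbps reserved on R1) per request."""
    hops = [RsvpRouter(n, 400, 180) for n in ("R1", "R2", "R3")]
    results = []
    for sess, rate in (("s1", 100), ("s2", 200), ("s3", 150),
                       ("s4", 150), ("s5", 60)):
        send_path(hops, sess, "sender")
        ok, _ = send_resv(hops, sess, rate)
        results.append((sess, rate, ok, hops[0].reserved))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

s2 is refused because 200 kbps is above the 180 kbps single-flow cap even though the interface still has room; s5 is refused because the 400 kbps total is already spent. A RESV for a session that never had a PATH message is dropped, which is the state check that stops a receiver from reserving along a route the sender never announced.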
____________________________________________________________________________________________________________________
IPv6 QoS
____________________________________________________________________________________________________________________
"match ip precedence" ONLY matches IPv4, not IPv6. If you want BOTH IPv4 AND IPv6 to be matched - use "match precedence" (the same goes for
"match ip dscp" vs "match dscp")
___________________________________________________________________________________________________________________
Match MAC ADDRESS
____________________________________________________________________________________________________________________
(config)#class-map SRV1
(config-cmap)#match source-address ?
mac MAC address

Be careful: if you match the SOURCE MAC you won't be able to apply the service-policy OUTBOUND!!! Therefore create a MAC ACL
matching the address and match the ACCESS-GROUP instead
____________________________________________________________________________________________________________________
QoS Frame-Relay SHAPING
____________________________________________________________________________________________________________________
FRTS - Frame-Relay Traffic Shaping. There are 4 general ways to implement the TRAFFIC SHAPING:
1. Legacy Generic Traffic Shaping (GTS)
2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)
3. MQC-Based Frame-Relay Traffic Shaping
4. MQC-Based Class Based Traffic Shaping
Shaping only "spreads" the traffic over time: it adds delay and jitter but doesn't drop packets unless the shaping queue is full. For LEGACY
FRTS to be implemented, Frame Relay traffic shaping must be enabled on the physical interface first:
(config-if)#frame-relay traffic-shaping

#show traffic-shape <--- SHOW THE FR TRAFFIC SHAPING
Interface Se0/1/0
Access Target Byte Sustain(Bc) Excess(Be) Interval(Tc) Increment Adapt
VC(DLCI)List Rate Limit bits/int bits/int (ms) (bytes) Active
103 56000 875 7000 0 125 875 -
104 56000 875 7000 0 125 875 -
102 56000 875 7000 0 125 875 -

AR, or AIR (Access Rate) - max number of bits that can be sent by the router (actual interface speed)
CIR - average speed, the target shaping rate
Mincir - the rate the router throttles down to when BECNs arrive; normally the TELCO CONTRACTED CIR (guaranteed by the provider, frames
above it are sent with the DE bit set and may be discarded first)
Bc - Committed Burst, by default CIR/8 because the default Tc is 125ms (Bc = CIR x Tc)
!!!Magic Formula is Bc = CIR x 1.5s because RTT is by average ~ 1.5 seconds over the big networks
Be - Number of NON-COMMITTED bits accepted by the Frame Relay switch. If Be is not configured in Class-Based shaping - it's equal to Bc
Frame Relay congestion signalling uses single header bits: FECN/BECN to notify about congestion, and DE (discard eligibility) to mark the
frames the switch should drop first
For granular QoS Frame Relay control - use the MAP CLASS:
(config)#MAP-class frame-relay FRTS
(config-map-class)#frame-relay ?
adaptive-shaping Adaptive traffic rate adjustment, Default = none
bc Committed burst size (Bc), Default = 7000 bits
be Excess burst size (Be), Default = 0 bits
cir Committed Information Rate (CIR), Default = 56000 bps
congestion Congestion management parameters
custom-queue-list VC custom queueing
end-to-end Configure frame-relay end-to-end VC parameters
fair-queue VC fair queueing
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
fragment fragmentation - Requires Frame Relay traffic-shaping to be configured at the interface
level
holdq Hold queue size for VC
idle-timer Idle timeout for a SVC, Default = 120 sec
interface-queue PVC interface queue parameters
ip Assign a priority queue for RTP streams
mincir Minimum acceptable CIR, Default = CIR/2 bps
priority-group VC priority queueing
tc Policing Measurement Interval (Tc)
traffic-rate VC traffic rate
voice voice options

2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)
Normally you do something like this:
map-class frame-relay FRTS
frame-relay cir 64000 <-- AVERAGE BW
frame-relay mincir 32000 <-- MINIMUM GUARANTEED BW
frame-relay adaptive-shaping becn <-- Turn ADAPTIVE shaping with BECN marking enabled to indicate congestion
frame-relay bc 8000 <-- CIR*1/8
frame-relay be 16000 <-- Depends on the requirements

And then APPLY it under the INTERFACE:
(config-if)#frame-relay class FRTS

Or under the DLCI, if you need it to apply only to ONE DLCI:
(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class FRTS

To check the configured shaping do:
#show frame-relay pvc 201
PVC Statistics for interface Serial0/1/0 (Frame Relay DTE)
DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/1/0
input pkts 30 output pkts 31 in bytes 31120
out bytes 31154 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 1 out bcast bytes 34
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Shaping adapts to BECN <--- BECN SHAPING ENABLED
pvc create time 2d19h, last time pvc status changed 00:40:28
cir 64000 bc 8000 be 0 byte limit 1000 interval 125 <--- SHAPING ATTRIBUTES
mincir 32000 byte increment 1000 Adaptive Shaping BECN
pkts 0 bytes 0 pkts delayed 0 bytes delayed 0
shaping inactive
traffic shaping drops 0
Queueing strategy: fifo
Output queue 0/40, 0 drop, 0 dequeued

#show traffic-shape
Interface Se0/1/0
Access Target Byte Sustain Excess Interval Increment Adapt
VC List Rate Limit bits/int bits/int (ms) (bytes) Active
513 128000 800 6400 0 50 800 -
504 512000 12800 25600 76800 50 3200 -
503 56000 875 7000 0 125 875 -
502 56000 875 7000 0 125 875 -
501 56000 875 7000 0 125 875 -

3. MQC-Based Frame-Relay Traffic Shaping
If you want the same effect using the MQC method, the equivalent commands within the policy map are:
policy-map FRTS
class class-default <-- ONLY ALLOWED CLASS ON FR VC
shape average 64000 8000 0 <-- CIR = 64000 bps, Bc = 8000 bits, Be = 0 bits
shape adaptive 32000 <-- MINCIR (Minimum Guaranteed BW)
!!!ONLY CLASS-DEFAULT IS ALLOWED OVER FR VCs!!!

Now, STILL in Frame-Relay the ONLY WAY TO APPLY IS THROUGH THE MAP-CLASS:
(config)#map-class frame-relay FRTS
(config-map-class)#service-policy output FRTS
(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class FRTS

#show policy-map interface s0/1/0
Serial0/1/0: DLCI 201 -
Service-policy output: TASK2
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
64000/64000 1000 8000 0 125 1000 <--- SHAPING ATTRIBUTES
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
BECN 0 0 0 0 0 no

Frame-Relay FRAGMENTATION (define the largest packet size, end-to-end):
(config-if)#frame-relay fragment 80 end-to-end

4. MQC-Based Class Based Traffic Shaping
Like in the standard MQC configuration, with one difference - the policy-map can be directly applied to the DLCI:
(config-if)#frame interface-dlci 513
(config-fr-dlci)#service-policy output CBWFQ

____________________________________________________________________________________________________________________
QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING)
____________________________________________________________________________________________________________________
First enable the PIPQ globally on the Router, and define the MAP-CLASSes:
(config)#frame-relay interface-queue priority
(config)#map-class frame-relay R2
(config-map-class)#frame-relay interface-queue priority ?
high
medium
normal
low

And then apply the map classes to the different PVCs, and define the QUEUE SIZES on the interface:
(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class R2
(config-if)#frame-relay interface-queue priority ?
<1-1024> High limit
(config-if)#frame-relay interface-queue priority 40 ?
<1-1024> Medium limit
(config-if)#frame-relay interface-queue priority 40 80 ?
<1-1024> Normal limit
(config-if)#frame-relay interface-queue priority 40 80 120 ?
<1-1024> Lower limit

Now check the PRIORITY on the DLCI:
#sh frame-relay pvc 102 | i pri
priority low
____________________________________________________________________________________________________________________
QoS Frame-Relay PAYLOAD and HEADER COMPRESSION
____________________________________________________________________________________________________________________
(has to be configured on BOTH ENDS). PAYLOAD COMPRESSION POINT-TO-POINT LINK:
(config-subif)#frame-relay payload-compression ?
FRF9 FRF9 encapsulation
data-stream cisco proprietary encapsulation
packet-by-packet cisco proprietary encapsulation <--- WHEN THE SUB-INTERFACE IS POINT-TO-POINT

PAYLOAD COMPRESSION, MULTIPOINT LINK:
If the SUB-interface is MULTIPOINT:
(config-subif)#frame map ip 10.1.13.3 103 payload-compression packet-by-packet

HEADER COMPRESSION:
(config-subif)#frame-relay ip tcp header-compression ?
passive Compress for destinations sending compressed headers <--- COMPRESS ONLY IF THE RECEIVED TRAFFIC IS
COMPRESSED
<cr>

You can also configure RTP Header Compression, not only TCP:
(config-if)#frame-relay map ip 162.1.0.3 403 broadcast rtp header-compression

____________________________________________________________________________________________________________________
QoS CBWFQ - configured using MQC
____________________________________________________________________________________________________________________
MQC method: the queueing engine underneath is either the classic CBWFQ (older) or HQF (Hierarchical Queueing Framework, modern)
Class-map: values within the same match line are ORed, so "match ip precedence 1 2 3" matches any of the three
CBWFQ is used to guarantee a MINIMUM BANDWIDTH per class, one FIFO queue per class. It can be combined with WRED for congestion avoidance.
Default queue limit is 64, after this the packets are dropped, to change do:
(config-pmap-c)#queue-limit 128

- Only 75% of the BW can be defined (can be changed, "max-reserved bandwidth" command)
To define the Fair Queuing:
(config-pmap-c)#fair-queue [1024] <-1024 is the number of Dynamic Conversation Queues

____________________________________________________________________________________________________________________
QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command
____________________________________________________________________________________________________________________
LLQ introduces a STRICT PRIORITY queue to CBWFQ. Unlike legacy PRIORITY-QUEUING it uses ONLY 1 priority QUEUE, and the other classes are
NOT subject to starvation because the priority class is POLICED to its configured rate during congestion. "priority 256" ensures that up to
256kbps of that class is SERVED FIRST. The policer only kicks in WHEN THERE IS CONGESTION (when the Tx ring is FULL), so in non-congested
situations this class CAN USE MORE BW!!!
"priority" - guarantees the BW; during congestion the traffic above that rate is DROPPED
Can also be defined as a percentage of the interface BW with "priority percent X"
You can define the BURST in bytes, because for VoIP traffic for example it's much better to allow small bursts:
(config-pmap-c)#priority 128000 6400 <- the first value is in kbps, the burst (6400) is in BYTES
Don't mix absolute (kbps) and percent forms of "bandwidth" in the same policy-map: with "priority <kbps>" the other classes use "bandwidth <kbps>"
or "bandwidth remaining percent", with "priority percent" they use "bandwidth percent" or "bandwidth remaining percent"
____________________________________________________________________________________________________________________
Define the QoS Schedule (TIME-RANGE command)
____________________________________________________________________________________________________________________
Start by defining the time using the "time-range" command:
(config)#time-range WEEKDAYS
(config-time-range)#periodic weekdays 11:00 to 15:00

and ATTACH it to the ACL:
(config)#access-list 100 permit tcp any any eq www time-range WEEKDAYS

____________________________________________________________________________________________________________________
QoS CAR (Committed Access Rate) - "rate-limit" Interface Command
____________________________________________________________________________________________________________________
It is another way of defining the CIR/Bc/Be and the CONFORM and EXCEED actions directly on the interface.
Instead of a CLASS-MAP an ACL needs to be defined to match the traffic, in this case ACCESS-LIST 100 (the conform/exceed actions are mandatory):
(config-if)#rate-limit output access-group 100 24000 3750 3750 conform-action transmit exceed-action drop
(3750 is the BURST, and IT'S IN BYTES, not bits!!! Consult the proctor about this!)
#show interface Fa0/0 rate-limit <-- Check the PARAMETERS

____________________________________________________________________________________________________________________
NBAR (match protocol XXX) - if you need to match the port without the ACL
____________________________________________________________________________________________________________________
The QoS policy can also be used to filter the traffic of some protocol. For example, if you want to filter on the URL of an HTTP request, first
define the class map where you match the protocol HTTP and the URL:
(config)#class-map match-all FILTER_HTTP
(config-cmap)#match protocol http url *.mp3|*.avi <-- THIS WILL MATCH ALL THE MP3 AND AVI FILES REQUESTED VIA HTTP

and then configure the DROP action within the policy:
policy-map FILTER_HTTP_POLICY
class FILTER_HTTP
drop

CEF must be enabled to run NBAR!!!
(config)#ip cef
The first time it will take a while to MATCH the PROTOCOL as NBAR is LOADING the PDLMs (protocol signature files) into memory, after that it's
faster.
____________________________________________________________________________________________________________________
SINGLE RATE - SINGLE BUCKET ("police")
____________________________________________________________________________________________________________________
IMPORTANT: If Bc isn't specified - it defaults to CIR/32 or 1500 Bytes (whichever is HIGHER!!!), i.e. 250 ms worth of CIR (Tc = 250 ms)
SINGLE RATE - SINGLE BUCKET: Be is DISABLED (if it's configured the system will ignore it)
BURST: minimal amount:
(config-pmap-c)#police 10000000 bc ?
<1000-512000000> Burst bytes <--- so 1000 is the MINIMAL BURST you can type
conform-action action when rate is less than conform burst
pir Peak Information Rate
<cr>
(config-pmap-c)#police 10000000 bc 1000 conform-action transmit exceed-actio$
Conform burst size increased to 5000 <--- THE ROUTER RAISES IT TO THE MINIMUM IT ALLOWS FOR THAT RATE

____________________________________________________________________________________________________________________
DUAL RATE - DUAL BUCKET
____________________________________________________________________________________________________________________
DUAL RATE traffic contract: supply the customer with two sending rates (CIR and PIR), but only guarantee the smaller one. In case of congestion in
the network, discard traffic that exceeds the committed rate more aggressively and signal the customer to slow down to the committed rate.
Peak Information Rate (PIR) is the additional parameter compared to the SINGLE BUCKET traffic contract. It defines the MAXIMUM average
sending rate for the customer.
Bc: If Bc is not configured - the HIGHER value of 1500 Bytes and CIR/32 is chosen
Be: If Be is not configured - the HIGHER value of 1500 Bytes and PIR/32 is chosen (PIR - Peak Information Rate)
=> Either define PIR and CIR, or Bc and Be
!!!In DUAL RATE - Be has a different meaning: it's the PEAK burst of its own bucket, refilled at PIR (Be = PIR x Tc)
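Added example (Python, not from the original guide) covering the token-bucket arithmetic shared by the shaping TIPs (CIR/Bc/Be/Tc), CAR, the single-rate "police" defaults and the dual-rate contract above. The default-burst rules are taken as the notes state them (Bc = max(CIR/32, 1500) bytes, Be = Bc for single rate, Be = max(PIR/32, 1500) for dual rate); the meters follow RFC 2697 (single rate three colour) and RFC 2698 (two rate three colour) in colour-blind mode, and the packet traces are constructed:

```python
def shaper_params(cir_bps, bc_bits=None, tc_ms=None):
    """Shaping: Bc = CIR x Tc. Pass Bc (bits) or Tc (ms); with neither, the
    legacy FRTS default Tc of 125 ms is used. Returns Tc, Bc and the bytes
    released per interval ('Increment' in 'show traffic-shape')."""
    if bc_bits is None:
        tc_ms = 125.0 if tc_ms is None else tc_ms
        bc_bits = cir_bps * tc_ms / 1000.0
    tc_ms = bc_bits * 1000.0 / cir_bps
    return {"tc_ms": tc_ms, "bc_bits": int(bc_bits),
            "bytes_per_interval": int(bc_bits) // 8}


def default_bc_bytes(rate_bps):
    """Burst the notes give for 'police' without an explicit bc:
    CIR/32 bytes (250 ms worth of CIR) or 1500 bytes, whichever is larger."""
    return max(rate_bps // 32, 1500)


class Meter:
    """Token-bucket meter working in bytes.
    pir_bps=None -> single rate: Bc bucket, Be bucket fed by Bc overflow (RFC 2697)
    pir_bps set  -> dual rate: Bc refilled at CIR, Be refilled at PIR (RFC 2698)"""

    def __init__(self, cir_bps, bc=None, be=None, pir_bps=None):
        self.cir, self.pir = cir_bps, pir_bps
        self.bc = bc if bc is not None else default_bc_bytes(cir_bps)
        if pir_bps is None:
            self.be = be if be is not None else self.bc
        else:
            self.be = be if be is not None else default_bc_bytes(pir_bps)
        self.tc, self.te = float(self.bc), float(self.be)   # buckets start full
        self.last = 0.0

    def _refill(self, now):
        dt, self.last = now - self.last, now
        if self.pir is None:
            tokens = self.cir * dt / 8.0
            room = self.bc - self.tc
            self.tc += min(tokens, room)                       # fill Bc first...
            self.te = min(self.be, self.te + max(0.0, tokens - room))  # ...overflow to Be
        else:
            self.tc = min(self.bc, self.tc + self.cir * dt / 8.0)
            self.te = min(self.be, self.te + self.pir * dt / 8.0)

    def meter(self, now, size):
        """Colour-blind decision for one packet of `size` bytes at time `now` (s)."""
        self._refill(now)
        if self.pir is None:
            if size <= self.tc:
                self.tc -= size
                return "conform"
            if size <= self.te:
                self.te -= size
                return "exceed"
            return "violate"
        if size > self.te:                 # dual rate: PIR bucket is checked first
            return "violate"
        if size > self.tc:
            self.te -= size
            return "exceed"
        self.tc -= size
        self.te -= size
        return "conform"


def run_trace(meter, trace):
    """trace: list of (time_s, size_bytes) -> list of actions, one per packet."""
    return [meter.meter(t, size) for t, size in trace]


# Constructed traces: three back-to-back 1000-byte packets at t=0, then more later.
SINGLE_TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000), (1.0, 600)]
DUAL_TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 400), (0.5, 800)]

if __name__ == "__main__":
    print(shaper_params(64000, bc_bits=8000))
    print(run_trace(Meter(8000, bc=1500, be=1500), SINGLE_TRACE))
    print(run_trace(Meter(8000, bc=1500, be=1500, pir_bps=16000), DUAL_TRACE))
```

shaper_params(64000, bc_bits=8000) gives Tc = 125 ms and 1000 bytes per interval, the same numbers the "show policy-map interface" output above prints for the 64 kbps DLCI. In the single-rate trace the third back-to-back packet violates because both buckets are empty, and after one second only Bc has refilled (1000 bytes at 8 kbps), so the 600-byte packet that follows a full-size one violates again. In the dual-rate trace the 800-byte packet at t=0.5 fits the PIR bucket but not the CIR bucket and is marked exceed, which is exactly the traffic the contract says to drop first under congestion.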
____________________________________________________________________________________________________________________
WRED - Weighted Random Early Detection and CB-WRED
____________________________________________________________________________________________________________________
THRESHOLDS need to be defined, in packets of AVERAGE queue depth:
Below the MIN THRESHOLD WRED drops nothing
WRED drops SOME packets between MIN and MAX THRESHOLD (the drop probability grows linearly up to 1/mark probability denominator)
WRED drops ALL packets above the MAX (tail drop)
(config-pmap-c)#random-detect precedence 4 ? <- PRECEDENCE VALUE 4
<1-4096> minimum threshold (number of packets)
(config-pmap-c)#random-detect precedence 4 24 ? <- MINIMUM THRESHOLD is 24 (average queue depth at which dropping starts)
<1-4096> maximum threshold (number of packets)
(config-pmap-c)#random-detect precedence 4 24 40 ? <- MAXIMUM THRESHOLD is 40
<1-65535> mark probability denominator
<cr>
(config-pmap-c)#random-detect precedence 4 24 40 10

Mark probability denominator means one in how many packets is dropped at the maximum threshold. So by the time the average depth reaches
40 packets ONE IN EVERY 10 PACKETS is dropped if the mark probability denominator is 10; beyond 40 everything is dropped.
*To configure RED, rather than WRED, use the same parameters for each precedence.
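Added example, not from the original guide: the WRED drop curve for "random-detect precedence 4 24 40 10" in Python, including the exponentially weighted average queue depth that IOS actually compares against the thresholds ("random-detect exponential-weighting-constant", 9 by default). The queue-depth series fed through it is constructed:

```python
import random


def wred_average(prev_avg, current_depth, exponent=9):
    """WRED works on an exponentially weighted average depth, not the instant
    one: avg = old x (1 - 2^-n) + current x 2^-n, with n = 9 by default."""
    w = 2.0 ** -exponent
    return prev_avg * (1.0 - w) + current_depth * w


def wred_drop_probability(avg_depth, min_th, max_th, denominator):
    """Below min: no drops. Between min and max: probability rises linearly
    from 0 to 1/denominator. Above max: tail drop of everything."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return (avg_depth - min_th) / float(max_th - min_th) / denominator


def simulate(depths, min_th=24, max_th=40, denominator=10, exponent=9, seed=1):
    """Feed a series of instantaneous queue depths (one per arriving packet)
    through WRED; returns (packets dropped, final average depth)."""
    rng = random.Random(seed)        # seeded so the run is repeatable
    avg, drops = 0.0, 0
    for depth in depths:
        avg = wred_average(avg, depth, exponent)
        if rng.random() < wred_drop_probability(avg, min_th, max_th, denominator):
            drops += 1
    return drops, avg


if __name__ == "__main__":
    for depth in (20, 24, 32, 40, 41):
        print(depth, wred_drop_probability(depth, 24, 40, 10))
    # Constructed burst: 1000 packets arriving while the queue sits at 40
    print("n=9 (default):", simulate([40] * 1000))
    print("n=0 (instant):", simulate([40] * 1000, exponent=0))
```

With the default weighting constant the average climbs towards 40 only slowly (after 1000 packets it is still around 34), so a short burst sees far fewer drops than the instantaneous depth suggests; the second run, with the average switched off, drops the expected one packet in ten. That lag is the point of WRED: it reacts to sustained congestion, not to a single burst.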
WAN


____________________________________________________________________________________________________________________
Frame-Relay TIPS
____________________________________________________________________________________________________________________
TIP: Make sure KEEPALIVEs are ENABLED on a Frame-Relay interface!!! The MODE of operation of the EEK (End-to-End Keepalive) requests
is configured within a MAP-CLASS (not a class-map):
(config)#map-class frame-relay KEEPALIVE
(config-map-class)#frame-relay end-to-end keepalive mode ?
bidirectional Set bidirectional mode
passive-reply Set passive-reply mode
reply Set unidirectional reply mode
request Set unidirectional request mode

TIP: BACKUP interface: defined on the interface level using the command "backup interface s0/1/0"; in "show ip int brief" the backup shows
status "standby mode", protocol "down". The backup also goes into standby/disabled when you shut down the primary link with "shut",
so the secondary link is not used during configuration changes. To make one interface another's BACKUP, configure it on the primary interface:
(config-subif)#backup interface Serial 0/1/1
(config-subif)#backup delay 0 300 <-ENABLE THE BACKUP IMMEDIATELY (0 s) WHEN THE PRIMARY FAILS, DISABLE IT 300 s (5 MIN) AFTER THE PRIMARY RECOVERS
____________________________________________________________________________________________________________________
FRAME RELAY QoS
____________________________________________________________________________________________________________________
QoS is different on Frame-relay links. First of all - about the QoS marking and how to collect this information. There is a feature called
IP ACCOUNTING, used to collect various per-interface counters:
(config-if)#ip accounting ?
access-violations Account for IP packets violating access lists on this interface
output-packets Account for IP packets output on this interface
precedence Count packets by IP precedence on this interface
(config-if)#ip accounting precedence input <-COUNT INCOMING PACKETS BY IP PRECEDENCE

Optionally raise the number of entries the accounting database may hold (the default is 512), then check the accounted PRECEDENCE values:
(config)#ip accounting-threshold 5000

#sh inter s0/1/0 precedence
Serial0/1/0
Input
Precedence 0: 50 packets, 5200 bytes
Precedence 6: 16 packets, 850 bytes

To configure traffic SHAPING on a Frame Relay interface, you can use the MQC (class-based shaping), or the simplest - legacy FRTS with a MAP-CLASS:
(config)#map-class frame-relay R4_504
frame-relay cir 512000
frame-relay bc 25600 <-Tc = Bc/CIR = 25600/512000 = 50 ms
frame-relay be 76800 <-SPECIAL ATTENTION WHEN CONFIGURING Be!!! *Be is a BURST sent only when enough CREDIT has been
accumulated (the VC was idle). What is sent in one Tc (Bc+Be) cannot exceed what the PHYSICAL INTERFACE (AIR) can send in one Tc
=> (Bc+Be)/Tc <= AIR, here 102400 bits / 0.05 s = 2048 kbps, so this map-class needs at least a 2 Mbps access link
frame-relay mincir 384000
frame-relay adaptive-shaping interface-congestion
(config)#map-class frame-relay R3_513
frame-relay cir 128000
frame-relay bc 6400
frame-relay be 0 <-YOU HAVE TO SET IT TO 0 IF NO BURST IS ALLOWED
frame-relay mincir 96000
frame-relay adaptive-shaping [interface-congestion | becn] <-BE SURE WHAT YOU'RE ASKED TO DO HERE
*BECN is a CONGESTION NOTIFICATION for the senders to slow down their SENDING RATE, so with "becn" this router throttles the shaper (down
to mincir) when it receives frames with the BECN bit set. The bit is not authenticated: whatever can set it on the VC can slow this router down.
And then apply it on the INTERFACE, or directly to the DLCI:
(config-if)#frame interface-dlci 513
(config-fr-dlci)#class R3_513
(config-if)#frame-relay interface-dlci 504
(config-fr-dlci)#class R4_504

____________________________________________________________________________________________________________________
PHYSICAL INTERFACE CONFIGURATION:
____________________________________________________________________________________________________________________
- Disable Inverse ARP because IP/DLCI Mapping is configured manually
- BROADCAST at the end of the MAPPING line
On a HUB Router:
interface Serial1/0
ip address 10.1.100.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 10.1.100.2 102 broadcast
frame-relay map ip 10.1.100.3 103 broadcast
frame-relay map ip 10.1.100.4 104 broadcast
no frame-relay inverse-arp

On SPOKE Routers:
interface Serial1/0
ip address 10.1.100.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 10.1.100.4 201 <--- NO NEED FOR "broadcast" ON THE SPOKE-TO-SPOKE MAPS (they ride the hub DLCI anyway), it only creates extra traffic
frame-relay map ip 10.1.100.3 201
frame-relay map ip 10.1.100.2 201
frame-relay map ip 10.1.100.1 201 broadcast
no frame-relay inverse-arp

!!! Don't forget to check THE CONTROLLER on the interface, and see if we are DTE or DCE (cable end)
#show controllers s1/0
If we are the DCE - CLOCK RATE NEEDS TO BE SET ("clock rate") or the line will not come UP/UP
LMI - Keepalives in Frame Relay, you can see them:
#show frame-relay lmi | i Status
Invalid Status Message 0 Invalid Lock Shift 0
Num Status Enq. Sent 108 Num Status msgs Rcvd 108

If this router should act as the LMI DCE (the "switch" side, answering the status enquiries - e.g. back-to-back without a FR switch; this is
separate from the serial clocking above):
(config-if)#frame-relay intf-type dce

Frame Relay Header - 2 BYTES:
| DLCI (6) | C/R (1) | EA(1) || DLCI(4) | FECN(1) | BECN(1) | DE(1) | EA(1) |
| Byte 1 || Byte 2 |
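Added example (mine, not from the guide): a Python packer/parser for the 2-byte address field drawn above. It also reproduces the pair IOS prints next to a DLCI in "show frame-relay map" (e.g. "dlci 102(0x66,0x1860)": 0x66 is the DLCI, 0x1860 is the header with every control bit cleared), which the outputs later in these notes let you check. The sample frame in the demo is constructed; the two dummy bytes after the header stand in for the control/NLPID fields and are not parsed.

```python
# Added example: Q.922 2-byte Frame Relay address field, pack and parse (not from the guide).
import struct


def pack_fr_header(dlci, cr=0, fecn=0, becn=0, de=0):
    """Byte 1: DLCI high 6 bits | C/R | EA=0.  Byte 2: DLCI low 4 bits | FECN | BECN | DE | EA=1."""
    if not 0 <= dlci <= 1023:
        raise ValueError("2-byte header carries a 10-bit DLCI (0-1023), got %d" % dlci)
    byte1 = ((dlci >> 4) & 0x3F) << 2 | (cr & 1) << 1 | 0                              # EA=0: more follows
    byte2 = (dlci & 0x0F) << 4 | (fecn & 1) << 3 | (becn & 1) << 2 | (de & 1) << 1 | 1  # EA=1: last byte
    return bytes([byte1, byte2])


def unpack_fr_header(frame):
    """Parse the address field at the start of a frame; rejects 3/4-byte (extended) addresses."""
    if len(frame) < 2:
        raise ValueError("truncated header")
    byte1, byte2 = frame[0], frame[1]
    if byte1 & 0x01:
        raise ValueError("EA set in first byte: not a valid 2-byte address")
    if not byte2 & 0x01:
        raise ValueError("EA clear in second byte: extended address, not supported here")
    return {
        "dlci": ((byte1 >> 2) & 0x3F) << 4 | (byte2 >> 4) & 0x0F,
        "cr": (byte1 >> 1) & 1,
        "fecn": (byte2 >> 3) & 1,
        "becn": (byte2 >> 2) & 1,
        "de": (byte2 >> 1) & 1,
    }


def ios_display_value(dlci):
    """The second hex number IOS prints next to a DLCI: the header with C/R, FECN, BECN, DE and EA cleared."""
    (raw,) = struct.unpack("!H", pack_fr_header(dlci))
    return raw & 0xFCF0


def summarise(frame):
    """One-line description of a frame's address field, in the style of show frame-relay map."""
    h = unpack_fr_header(frame)
    flags = [name.upper() for name in ("fecn", "becn", "de") if h[name]]
    return "dlci %d(0x%x,0x%04x)%s" % (h["dlci"], h["dlci"], ios_display_value(h["dlci"]),
                                     " " + ",".join(flags) if flags else "")


if __name__ == "__main__":
    # constructed frame: DLCI 102 with BECN set, followed by two dummy bytes (not parsed)
    frame = pack_fr_header(102, becn=1) + b"\x03\xcc"
    print(summarise(frame))                                   # dlci 102(0x66,0x1860) BECN
    print(pack_fr_header(102).hex(), pack_fr_header(1023).hex())   # 1861 fcf1
```

Worth keeping in mind when reading the parsed flags: FECN, BECN and DE are plain bits with no integrity protection, and a router configured with "adaptive-shaping becn" acts on BECN as soon as it sees it.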
____________________________________________________________________________________________________________________
POINT-TO-POINT SUB-INTERFACE:
____________________________________________________________________________________________________________________
- No need to disable Inverse ARP, as it's a P2P link so it isn't used (the DLCI is bound to the sub-interface)
- Only define an INTERFACE DLCI, because it's a direct connection
interface Serial1/0.21 point-to-point
ip address 10.1.12.2 255.255.255.0
frame-relay interface-dlci 201

#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast
status defined, active
Serial1/0.14 (up): point-to-point dlci, dlci 104(0x68,0x1880), broadcast
status defined, active

____________________________________________________________________________________________________________________
POINT-TO-MULTIPOINT SUB-INTERFACE:
____________________________________________________________________________________________________________________
- Configure the DLCI-to-IP mapping, without broadcast
____________________________________________________________________________________________________________________
VIRTUAL TEMPLATE (CAN ONLY BE DONE ON MULTIPOINT OR PHYSICAL INTERFACE)
____________________________________________________________________________________________________________________
If static MAPPING is not allowed (or you need PPP features on the VC), run PPP over the DLCI (RFC 1973) and bind it to a Virtual-Template:
(config-if)#frame-relay interface-dlci 102 ?
ppp Use RFC1973 Encapsulation to support PPP over FR
switched Define a switched DLCI
<cr>

(config-if)#frame-relay interface-dlci 102 ppp ?
Virtual-Template Virtual Template interface

(config-if)#frame-relay interface-dlci 102 ppp Vir
(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template ?
<1-200> Virtual-Template interface number

(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template 1

And only assign the IP Address (L3) to the Virtual Template interface:
interface Virtual-Template1
ip address 10.1.100.1 255.255.255.0

OR, if you want to RE-USE the defined IP on a Loopback:
(config-if)#ip unnumbered lo0 <-under the Virtual Template interface

Now on the Routing Table the INJECTED HOST ROUTES can be found:
#show ip route
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.100.0/24 is directly connected, Virtual-Access1
L 10.1.100.1/32 is directly connected, Virtual-Access1
C 10.1.100.2/32 is directly connected, Virtual-Access1

____________________________________________________________________________________________________________________
FRAME RELAY AUTHENTICATION
____________________________________________________________________________________________________________________
CONFIGURED IN THE VIRTUAL TEMPLATE (refer to the description above)
First in Global Config mode define the credentials (username and password):
(config)#username R2 password 0 cisco12 <--- R2 is the HOSTNAME of the OTHER SIDE!!! Same secret on both ends. CHAP needs the secret
in clear, so it is stored as type 0/7 (only obfuscated) - "username ... secret" (one-way hash) cannot be used for CHAP; prefer AAA where possible

Create a VIRTUAL TEMPLATE and assign IP ADDRESSES to VIRTUAL TEMPLATE:
(config-subif)#frame-relay interface-dlci 102 ppp Virtual-Template 1
*Aug 17 11:12:46.763: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

Then configure the authentication details:
(config-if)#ppp chap hostname R1
(config-if)#ppp authentication chap ? <---DEFINE WHEN TO AUTHENTICATE
WORD Use an authentication list with this name
callback Authenticate remote on callback only
callin Authenticate remote on incoming call only <---SEND CHALLENGE WHEN CALLED
callout Authenticate remote on outgoing call only
default Use the default authentication list
eap Extensible Authentication Protocol (EAP)
ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
ms-chap-v2 Microsoft CHAP Version 2 (MS-CHAP-V2)
one-time Allow use of username*OTP for one-time passwords
optional Allow peer to refuse to authenticate
pap Password Authentication Protocol (PAP)
<cr>

On the other side of the P2P link, configure USERNAME as CHAP HOSTNAME:
(config)#username R1 password 0 cisco12

And here is some PPP Authentication DEBUG:
*Aug 17 11:42:23.371: Vi1 PPP: Using default call direction
*Aug 17 11:42:23.371: Vi1 PPP: Treating connection as a dedicated line
*Aug 17 11:42:23.371: Vi1 PPP: Session handle[C400010C] Session id[266]
*Aug 17 11:42:23.443: Vi1 CHAP: I CHALLENGE id 1 len 23 from "R1" <--- CHALLENGE INBOUND
*Aug 17 11:42:23.443: Vi1 PPP: Sent CHAP SENDAUTH Request
*Aug 17 11:42:23.447: Vi1 PPP: Received SENDAUTH Response PASS
*Aug 17 11:42:23.447: Vi1 CHAP: Using hostname from interface CHAP
*Aug 17 11:42:23.447: Vi1 CHAP: Using password from AAA
*Aug 17 11:42:23.447: Vi1 CHAP: O RESPONSE id 1 len 23 from "R2" <--- RESPONSE OUTBOUND
*Aug 17 11:42:23.463: Vi1 CHAP: I SUCCESS id 1 len 4

PAP has no challenge: the router sends its username and password in CLEAR TEXT in the Authenticate-Request, configured with:
(config-if)#ppp pap sent-username USERNAME password 0 Cisqueros
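Added example (mine, not from the guide, not IOS code): the CHAP exchange from the debug above, done in Python per RFC 1994 (Response = MD5(id || secret || challenge)). Hostnames and the "cisco12" secret are the ones configured above; the 16-byte challenge values used in the demo are constructed. It shows why each router needs a "username" line for the OTHER side's hostname with the same secret, and why a captured response cannot be replayed.

```python
# Added example: CHAP challenge/response between R1 and R2 (not from the guide).
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5 over the identifier octet, the secret and the challenge value."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class ChapPeer:
    """One router: its own CHAP hostname plus its 'username <peer> password <secret>' table."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = dict(usernames)     # peer hostname -> shared secret (in clear, as IOS must keep it)
        self.ident = 0
        self.outstanding = {}                # id -> challenge value we sent and still expect an answer to

    def challenge(self, value=None):
        """Authenticator side: send a fresh random challenge carrying our own name."""
        self.ident = (self.ident + 1) & 0xFF
        value = os.urandom(16) if value is None else value
        self.outstanding[self.ident] = value
        return {"code": "CHALLENGE", "id": self.ident, "value": value, "name": self.hostname}

    def respond(self, chal):
        """Peer side: look up the secret under the *challenger's* name, answer with *our* name."""
        secret = self.usernames.get(chal["name"])
        if secret is None:
            return None                      # no 'username <challenger>' line: nothing to answer with
        digest = chap_response(chal["id"], secret, chal["value"])
        return {"code": "RESPONSE", "id": chal["id"], "value": digest, "name": self.hostname}

    def verify(self, resp):
        """Authenticator side: recompute with the secret stored under the responder's name."""
        if resp is None:
            return "FAILURE"
        chal_value = self.outstanding.pop(resp["id"], None)   # each challenge is usable once
        secret = self.usernames.get(resp["name"])
        if chal_value is None or secret is None:
            return "FAILURE"
        expected = chap_response(resp["id"], secret, chal_value)
        return "SUCCESS" if hmac.compare_digest(expected, resp["value"]) else "FAILURE"


def authenticate(authenticator, peer, challenge_value=None):
    """Run one CHAP round trip and return the final code, as the debug shows it."""
    chal = authenticator.challenge(challenge_value)
    return authenticator.verify(peer.respond(chal))


if __name__ == "__main__":
    r1 = ChapPeer("R1", {"R2": "cisco12"})   # username R2 password 0 cisco12
    r2 = ChapPeer("R2", {"R1": "cisco12"})   # username R1 password 0 cisco12
    print(authenticate(r1, r2))              # SUCCESS
    print(authenticate(r1, ChapPeer("R2", {"R1": "wrong"})))     # FAILURE: secrets differ
    print(authenticate(r1, ChapPeer("R2", {"R2": "cisco12"})))   # FAILURE: entry under own name, not the peer's
```

Two practical points follow from the construction: the MD5 is keyed only by the shared secret, so anyone who captures a challenge/response pair can guess the secret offline (a secret like "cisco12" would not last long), and because the secret must be recoverable on the router, the config is itself the credential store and should be treated as such.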


____________________________________________________________________________________________________________________
FRAME RELAY End-to-End KEEPALIVE
____________________________________________________________________________________________________________________
Routers depend on LMI to maintain the ACTIVE CONNECTION, but it's not END-TO-END, as intermediate switches may not support NNI LMI. =>
FREEK (Frame Relay End-to-End Keepalive) is used to give the local router the status of the other end of the VC
FREEK maintains 2 keepalive intervals:
1. Send side> sends keepalive requests and handles the replies
2. Receive side> handles the requests and replies to them
So it needs to be configured ON BOTH SIDES! It's configured within the MAP CLASS!!!
(config)#map-class frame-relay FREEK
(config-map-class)#frame-relay end-to-end keepalive ?
error-threshold End-to-end keepalive error threshold
event-window End-to-end keepalive event window
mode End-to-end keepalive mode
success-events End-to-end keepalive success events
timer End-to-end keepalive timer

(config-map-class)#frame-relay end-to-end keepalive mode ?
bidirectional Set bidirectional mode <--- BOTH SIDES REPLY AND REQUEST
passive-reply Set passive-reply mode
reply Set unidirectional reply mode <--- THE OTHER SIDE REQUESTS, THIS SIDE REPLIES
request Set unidirectional request mode <--- THIS SIDE REQUESTS, OTHER SIDE REPLIES

Once the MAP CLASS has been defined, apply it under the DLCI on the SUB-INTERFACE:
(config-map-class)#int s1/0.21
(config-subif)#frame-relay interface-dlci 201
(config-fr-dlci)#class FREEK <--- APPLY THE DEFINED MAP CLASS
*Aug 17 13:47:13.179: %FR_EEK-5-FAILED: Interface Serial1/0.21 - DLCI 201

Before applying the FREEK to the other side of the link:
#show frame-relay end-to-end keepalive

End-to-end Keepalive Statistics for Interface Serial1/0 (Frame Relay DTE)
DLCI = 102, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK DOWN)
SEND SIDE STATISTICS
Send Sequence Number: 7, Receive Sequence Number: 4
Configured Event Window: 3, Configured Error Threshold: 2
Total Observed Events: 9, Total Observed Errors: 3
Monitored Events: 3, Monitored Errors: 3
Successive Successes: 0, End-to-end VC Status: DOWN

RECEIVE SIDE STATISTICS

Send Sequence Number: 3, Receive Sequence Number: 2
Configured Event Window: 3, Configured Error Threshold: 2
Total Observed Events: 8, Total Observed Errors: 3
Monitored Events: 3, Monitored Errors: 3
Successive Successes: 0, End-to-end VC Status: DOWN

Failures Since Started: 1, Last Failure: 00:00:16

Once the FREEK has been applied to BOTH SIDES, the VC goes "UP" (both SEND and RECEIVE side). DEBUG FREEK:
#debug frame-relay end-to-end keepalive events
Frame-relay EEK events debugging is on
*Aug 17 13:51:42.775: EEK SUCCESS (reply, Serial1/0.12 DLCI 102)
*Aug 17 13:51:44.063: EEK SUCCESS (request, Serial1/0.12 DLCI 102)

FREEK TIMERS can also be tuned, using:
(config-map-class)#frame-relay end-to-end keepalive timer [send | receive] 3 <--- DEPENDS WHETHER IT'S THE SEND OR
RECEIVE SIDE
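Added example (mine, not from the guide, not IOS code): the end-to-end keepalive state machine behind the show output above, in Python. Event window 3 and error threshold 2 are the values that output shows; the success-events count of 2 is an assumed default and is a parameter, the send/receive timers are modelled as abstract "cycles", and the wire format is not reproduced. Running it against a peer that has no map-class applied gives the same "Monitored Events: 3, Monitored Errors: 3, VC Status: DOWN" picture as the output above.

```python
# Added example: FR end-to-end keepalive sliding-window detector (not from the guide).
from collections import deque


class EekMonitor:
    """One side's sliding window: VC DOWN when errors in the window reach the threshold,
    UP again after success_events consecutive successes."""

    def __init__(self, event_window=3, error_threshold=2, success_events=2):
        self.window = deque(maxlen=event_window)
        self.error_threshold = error_threshold
        self.success_events = success_events   # assumed default of 2
        self.successive_successes = 0
        self.failures = 0
        self.up = True

    def event(self, ok):
        self.window.append(ok)
        self.successive_successes = self.successive_successes + 1 if ok else 0
        errors = self.window.count(False)
        if self.up and errors >= self.error_threshold:
            self.up = False
            self.failures += 1
        elif not self.up and self.successive_successes >= self.success_events:
            self.up = True
        return self.up

    def stats(self):
        return {"monitored_events": len(self.window), "monitored_errors": self.window.count(False),
                "successive_successes": self.successive_successes, "vc_status": "UP" if self.up else "DOWN"}


class EekEndpoint:
    """A DLCI endpoint with both a send side and a receive side, like the show output."""

    def __init__(self, name, enabled=True, **monitor_kw):
        self.name = name
        self.enabled = enabled                # False = map-class not applied on this router
        self.send_seq = 0
        self.recv_seq = 0
        self.send_side = EekMonitor(**monitor_kw)
        self.receive_side = EekMonitor(**monitor_kw)

    def request(self):
        """Send side: every send-timer tick emit a request with a new sequence number."""
        self.send_seq = (self.send_seq + 1) & 0xFF
        return {"type": "request", "send": self.send_seq, "recv": self.recv_seq}

    def on_request(self, msg):
        """Receive side: a request arriving in time is a success; echo its sequence back."""
        if not self.enabled:
            return None                       # EEK not configured here: the request is ignored
        self.recv_seq = msg["send"]
        self.receive_side.event(True)
        return {"type": "reply", "send": self.send_seq, "recv": self.recv_seq}

    def on_receive_timeout(self):
        """Receive side: the receive timer expired without a request."""
        return self.receive_side.event(False)

    def on_reply(self, reply):
        """Send side: success only if the reply acknowledges the sequence we just sent."""
        ok = reply is not None and reply["recv"] == self.send_seq
        return self.send_side.event(ok)


def run_cycles(local, remote, cycles):
    """Drive send-timer cycles from local toward remote; returns local's send-side status per cycle."""
    return [local.on_reply(remote.on_request(local.request())) for _ in range(cycles)]


if __name__ == "__main__":
    r1 = EekEndpoint("R1")
    r2_without_class = EekEndpoint("R2", enabled=False)
    print(run_cycles(r1, r2_without_class, 3))   # [True, False, False]: %FR_EEK-5-FAILED after the 2nd miss
    print(r1.send_side.stats())                   # 3 events, 3 errors, DOWN - as in the show output
    r2 = EekEndpoint("R2")
    print(run_cycles(r1, r2, 2))                  # [False, True]: two successes bring the VC back up
```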
____________________________________________________________________________________________________________________
FRAME-RELAY MULTILINKING
____________________________________________________________________________________________________________________
If you need 2 LINKS to appear as ONE FRAME RELAY LINK => use PPP MULTILINK over the DLCIs. This might seem a bit illogical in the beginning, but once
you've been through it a few times - you get the philosophy of it. This feature is also used when you need to implement features not
supported natively on Frame Relay, such as authentication or PPP fragmentation/interleaving.
Start by creating a MULTILINK INTERFACE, and define it as PPP Multilink:
(config)#interface multilink 12
(config-if)#ppp multilink

Define the MAX number of links within the MULTILINK, if you want:
(config-if)#ppp multilink links maximum 2
(config-if)#ppp multilink links minimum 1

Create the MULTILINK GROUP:
(config-if)#ppp multilink group 12 <--- PPP MULTILINK GROUP

Now, create a VIRTUAL-TEMPLATE interface and assign the created MULTILINK GROUP to it:
(config)#interface virtual-template 12
(config-if)#ppp multilink group 12

Lastly create the MULTIPOINT sub-interface, and connect it to the VIRTUAL TEMPLATE
(config)#inter serial 1/0.12 multipoint <--- ON ALL THE INTERFACES WE WANT "MULTILINKED"
(config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 12

Check the Multilink:
#show ppp multilink
Multilink12
Bundle name: R2
Remote Endpoint Discriminator: [1] R2
Local Endpoint Discriminator: [1] R1
Bundle up for 00:01:10, total bandwidth 100000, load 1/255
Receive buffer limit 12000 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x0 received sequence, 0x0 sent sequence
Member links: 1 active, 1 inactive (max 2, min not set)
Vi4, since 00:01:10
Vt12 (inactive)
No inactive multilink interfaces

*If you want AUTHENTICATION, be sure to configure it under the VIRTUAL TEMPLATE interface:
(config)#int Virtual-Template12 <--- THE ONE BOUND TO THE DLCIs ABOVE
(config-if)#ppp authentication chap

NO FRAME RELAY SWITCH (routers back-to-back):
If there is NO FRAME RELAY SWITCH: THERE IS NO LMI, so the KEEPALIVE needs to be DISABLED ("no keepalive" on the physical interface) or the line protocol stays down!!!
- DLCI should be identical on both sides
- clock rate HAS TO BE SET ON DCE SIDE



____________________________________________________________________________________________________________________
FRAME-RELAY AUTO-INSTALL
____________________________________________________________________________________________________________________
A router answers BOOTP requests by default ("ip bootp server" is on unless the feature has been turned off - turn it off where it isn't needed). So if
you need a FR interface to get its IP address from a remote server, use "ip helper-address" and POINT IT AT THE BROADCAST address of the server subnet:
(config-if)#ip helper-address 172.28.185.255

Make sure the interface facing the server subnet allows DIRECTED broadcasts (off by default, and it is what Smurf-style amplification abuses, so
restrict it with an ACL on the command where the platform allows it and remove it once auto-install is done):
(config-if)#ip directed-broadcast








IP Multicast


____________________________________________________________________________________________________________________
Multicast TIPS
____________________________________________________________________________________________________________________
TIP: On Frame-Relay hub-and-spoke (sparse mode), besides "ip pim sparse-mode" configure "ip pim nbma-mode" on the hub's multipoint
interface. The hub then keeps join state PER PIM NEIGHBOR instead of per interface, so it can RECEIVE a stream from ONE spoke and SEND it
back out the SAME INTERFACE to ANOTHER spoke that joined; it's only needed on interfaces where that spoke-to-spoke forwarding must happen
TIP: Use the interface commands "ip multicast boundary ACL" (filters multicast groups crossing the interface) and
"ip pim neighbor-filter ACL" (filters which routers are accepted as PIM neighbors)
TIP: To LIMIT the OUTBOUND Multicast RATE on the interface, in this example to 1 Mbps (the value is in kbps), use the command:
(config-if)#ip multicast rate-limit out 1000

TIP: If you want the PIM Register (and Join) messages to be sent by a particular router - give it a DR priority higher than any other router
on the segment (priority only counts if every neighbor advertises one, otherwise the highest IP wins):
(config-if)#ip pim dr-priority 10000

SHARED TREE - The traffic goes to the RP first
SOURCE BASED TREE - The traffic is sent directly from the source to the Multicast clients
If you need to define the BW limit (kbps) at which the last-hop router switches to the SOURCE BASED TREE:
(config)#ip pim spt-threshold 128

If the RPF check fails - the router drops the packet (and in dense mode sends a PRUNE back out that interface to the upstream router)
DENSE mode - always the SOURCE BASED TREE; all the routers in the path install (S,G) in their mroute table, super inefficient if there
are many multicast groups. Prune state times out and traffic is re-flooded; a downstream router that gets a new receiver sends a GRAFT to UNPRUNE at once.
SPARSE Mode uses the RP and the SHARED tree, which is the tree from the RP to the receivers. It also uses the DR (designated router).
There is an SPT built from the source to the RP (the RP joins toward the source after the first Register).
So from the point of view of the RP - the traffic comes from the multicast source using the SPT and the (S,G) entry in the RP table, and it's being
sent out to the clients using the RPT (RP tree, or SHARED tree)

IMPORTANT:
#show ip igmp membership
(*,G) means we know about the receiver, but not about the sender (multicast server). When we learn the source,
we'll see the (S,G) entry in the mroute table

The DR is the device in charge of sending the REGISTER. IMPORTANT: you cannot test from the DR interface!!! You need to change the
priority and make the other side of the link the DR if you need to test from that particular router

When it seems that the RPF check is failing - do the:
#show ip rpf <source address>
#debug ip mpacket - you have to process switch the traffic to see it, do the "no ip mroute-cache" on the
interface (and remove it afterwards: every multicast packet then hits the CPU)

When you need to change something, to avoid the RPF failure - use the STATIC MROUTE or the MBGP. These will override any dynamic routing
information, but be careful - the static route means that ALL the multicast traffic also must come in that path! Also in IGP we first look for the
LONGEST MATCH and then compare the AD, while here - we first compare the AD so the static route will be preferred over anything.




____________________________________________________________________________________________________________________
Multicast - IGMP
____________________________________________________________________________________________________________________
Applications that take advantage of multicast include video conferencing, corporate communications, distance learning and distribution of
software, stock quotes, and news.
IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special
form of IP address called the IP multicast group address. The sending host inserts the multicast group address into the IP destination address
field. Any host, regardless of whether it is a member of a group, can send to a group. However, only the members of a group receive the
message.
IOS supports the following protocols to implement IP multicast routing:
1. IGMP - used between hosts on a LAN and routers on that LAN to track multicast groups of which hosts are members.
2. PIM (Protocol Independent Multicast) - used between routers so that they can track which multicast packets to forward to each other and to
their directly connected LANs.
3. DVMRP (Distance Vector Multicast Routing Protocol) is used on the MBONE (the multicast backbone of the Internet). The software supports
PIM-to-DVMRP interaction.
4. CGMP (Cisco Group Management Protocol) - a Cisco-proprietary router-to-switch protocol that performs tasks similar to IGMP snooping (legacy)
Any Source Multicast (ASM)
G group - a multicast group for ASM. By joining this group, the receiver HOST IS INDICATING THAT IT WANTS TO RECEIVE IP multicast traffic
SENT BY ANY SOURCE to group G.
An ASM group should only be used by a single application!!!
Source Specific Multicast (SSM)
A datagram delivery model that best supports one-to-many applications (targeted at AUDIO and VIDEO). The IP multicast receiver host must use
IGMP Version 3 (IGMPv3) to subscribe to channel (S,G) if it wants to receive IP MULTICAST TRAFFIC SENT BY SOURCE HOST S TO GROUP G.
IP multicast packets are delivered to all hosts in the network that have subscribed to the channel (S, G).

PIM (Protocol Independent Multicast)
PIM is not dependent on a specific unicast routing protocol; it is IP routing protocol independent and can leverage whichever unicast routing
protocols are used to populate the unicast routing table.
It uses the unicast routing table to perform the REVERSE PATH FORWARDING (RPF) check function instead of building up a completely
independent multicast routing table.
PIM can operate in dense mode or sparse mode.
PIM DENSE mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network. In dense mode, a router assumes
that all other routers want to forward multicast packets for a group. If a router receives a multicast packet and has no directly connected
members or PIM neighbors present, a prune message is sent back to the source.
*Dense mode is not often used and its use is not recommended.
PIM SPARSE mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network segments with active receivers that have
EXPLICITLY requested the data will receive the traffic. Sparse mode interfaces are added to the multicast routing table only when periodic Join
messages are received from downstream routers, or when a directly connected member is on the interface.
If a group has no known RP and the interface is configured to be sparse-dense mode, the interface is treated as if it were in dense mode, and
data is flooded over the interface.
____________________________________________________________________________________________________________________
Configure PIM Multicast
____________________________________________________________________________________________________________________
PIM (Protocol Independent Multicast) sends HELLOs to 224.0.0.13 Multicast every 30s, uses the Protocol number 103
DENSE MODE - Sends to ALL unless a Prune Message is received from the DOWNSTREAM ROUTER
SPARSE MODE - Sends ONLY if the downstream router JOINS (PIM Join toward the RP, triggered by an IGMP report from a host on its segment)
IGMP operates between the client computer and a local multicast router. Switches featuring IGMP snooping derive useful information by
observing these IGMP transactions. Protocol Independent Multicast (PIM) is then used between the local and remote multicast routers, to
direct multicast traffic from multicast server to many multicast clients.
Once you decide the Multicast mode you will be configuring, the configuration is rather simple.
STEP 1: Enable the Multicast Routing on a Device:
(config)#ip multicast-routing

STEP 2: Configure the PIM MODE on the Interface (or a range), in this case were doing the PIM, DENSE MODE:
(config-if-range)#ip pim dense-mode

You will see the MULTICAST NEIGHBORS getting up:
*Dec 9 14:37:26.975: %PIM-5-NBRCHG: neighbor 10.1.100.1 UP on interface FastEthernet0/0 (vrf default)
#sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
10.1.100.1 FastEthernet0/0 00:01:43/00:01:29 v2 1 / S

NOTE that there is still no RENDEZVOUS POINT (RP):
#sh ip pim rp
NO OUTPUT

STEP 3: Check the MULTICAST ROUTING Table
NOTE that when PIM is enabled, IGMP is ALSO ENABLED!!!
#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 224.0.1.40), 00:17:16/00:02:23, RP 0.0.0.0, flags: DCL <-AUTOMATICALLY GENERATED WHEN PIM IS ENABLED
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
FastEthernet0/0, Forward/Dense, 00:17:16/00:00:00

STEP 4: Check the IGMP on the interface:
#show ip igmp interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.100.1/24
IGMP is enabled on interface <-THIS IS IMPORTANT: IGMP (v2 by default) COMES ON WHEN PIM IS ENABLED
Current IGMP host version is 2
Current IGMP router version is 2
IGMP query interval is 60 seconds<-FREQUENCY OF QUERIES, SET BY "ip igmp query-interval"
IGMP querier timeout is 120 seconds<-"ip igmp query-timeout"
IGMP max query response time is 10 seconds
Last member query count is 2
Last member query response interval is 1000 ms
Inbound IGMP access group is not set
IGMP activity: 1 joins, 0 leaves
Multicast routing is enabled on interface
Multicast TTL threshold is 0
Multicast designated router (DR) is 10.1.100.2<-PIM DR: HIGHEST IP (equal priorities)
IGMP querying router is 10.1.100.1 (this system)<-IGMPv2 QUERIER: LOWEST IP
Multicast groups joined by this system (number of users): 224.0.1.40(1)

STEP 5: IMPORTANT: Neither of the following 2 commands is needed if the HOST APPLICATION speaks IGMP itself!!!
If you want the ROUTER to JOIN a specific MULTICAST GROUP on behalf of the segment, you can do it with 2 similar commands:
(config-if)#ip igmp join-group 224.1.1.1<-RESPONDS TO PING, EXPIRE TIMER WILL SHOW "STOPPED"
(ICMP: This device will respond to pings to 224.1.1.1 - handy for testing the tree end to end)
OR
(config-if)#ip igmp static-group 224.1.1.1<-STATIC MEMBERSHIP, IT WILL CAUSE UPSTREAM ROUTERS TO MAINTAIN
MROUTE TABLE
*static-group cannot respond to PINGs; it doesn't make the device process the multicast packets itself. Instead it just FORWARDS the
packets out the interface. ALSO the "static-group" command lets the device FAST-SWITCH the group, unlike "join-group"
where the packets are PROCESS SWITCHED (every packet hits the CPU - don't leave it on a production router).
#sh ip igmp membership | b Uptime
Channel/Group Reporter Uptime Exp. Flags Interface
*,224.1.1.1 0.0.0.0 00:01:23 stop 2SA Fa0/0
*,224.0.1.39 136.1.245.5 1d17h 02:53 2A Se0/1/0
*,224.0.1.40 136.1.245.2 2d03h 02:43 2LA Se0/1/0

MULTICAST TIMERS AND STATE LIMITS
To IMMEDIATELY STOP forwarding a group upon receiving an IGMPv2 LEAVE (skipping the last-member queries - only safe with ONE host per
segment), apply the "immediate-leave" command (in Global Config mode it applies to ALL interfaces) with ACL 1 covering the groups, here all of
224.0.0.0/4:
(config-if)#ip igmp immediate-leave group-list 1
(config)#access-list 1 permit 224.0.0.0 15.255.255.255


If you want to send some QUERY messages before the Router stops forwarding Multicast Traffic:
(config-if)#ip igmp last-member-query-count 2 <-SEND 2 QUERY MESSAGES
(config-if)#ip igmp last-member-query-interval 500 <-SEND QUERIES EVERY 500ms

Another useful limit is the NUMBER OF IGMP STATES (groups/channels) the router accepts (per interface, or globally in config mode):
(config-if)#ip igmp limit 3

The other tune-able timers are:
(config-if)#ip igmp quer?
querier-timeout DEAD time of the querier (how long to wait without seeing queries before taking over as querier)
query-interval INTERVAL between two general queries
query-max-response-time MAX time a host may wait before answering a query (advertised inside the query)

Have in mind that PIM-SM actually builds 2 TREES: the UNIDIRECTIONAL SPT (Shortest Path Tree) from the SOURCE to the RP and the
UNIDIRECTIONAL SHARED TREE from the RP to the RECEIVERS. Remember that on IOS switching to the SOURCE BASED TREE is the DEFAULT
behaviour ("ip pim spt-threshold 0": the last-hop router joins the SPT on the first packet); it is rooted at the SOURCE of the Multicast Stream,
while on the SHARED TREE all packets are sent to the RP first and then redistributed to the receivers.


____________________________________________________________________________________________________________________
PIM Dense Mode, PIM-DM - For the applications EVERYONE wants
____________________________________________________________________________________________________________________
The DENSE mode would be a good choice if you're implementing the MULTICAST to support one of the applications that many users within
your network will use, because it forwards the traffic assuming that there are users on all routers. The basic configuration consists of 2 steps:
Enable the Multicast on the router and configure the Dense Mode on the interface:
(config)#ip multicast-routing
(config)#int lo0
(config-if)#ip pim dense-mode <-IGMPv2 IS ENABLED BY DEFAULT

#debug ip pim hello <-AND OBSERVE WHAT HAPPENS
*Dec 10 17:24:50.139: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 with GenID = 3542869676
*Dec 10 17:24:50.159: PIM(0): Received v2 hello on Serial0/1/1 from 10.1.13.1
*Dec 10 17:24:50.159: PIM(0): Neighbor (10.1.13.1) Hello GENID = 4018201785
*Dec 10 17:24:50.199: PIM(0): Received v2 hello on Serial0/1/0.34 from 10.1.34.4
*Dec 10 17:24:50.199: PIM(0): Neighbor (10.1.34.4) Hello GENID = 6520
*Dec 10 17:24:51.075: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495
*Dec 10 17:24:51.131: PIM(0): Send periodic v2 Hello on Loopback0 with GenID = 3542761484
*Dec 10 17:24:51.131: PIM(0): Received v2 hello on Loopback0 from 3.3.3.3
*Dec 10 17:25:19.455: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 with GenID = 3542869676
*Dec 10 17:25:19.631: PIM(0): Received v2 hello on Serial0/1/1 from 10.1.13.1
*Dec 10 17:25:19.635: PIM(0): Neighbor (10.1.13.1) Hello GENID = 4018201785
*Dec 10 17:25:20.107: PIM(0): Received v2 hello on Serial0/1/0.34 from 10.1.34.4
*Dec 10 17:25:20.107: PIM(0): Neighbor (10.1.34.4) Hello GENID = 6520
*Dec 10 17:25:20.395: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495

#sh ip pim neighbor | i v2 Prio/Mode
10.1.13.1 Serial0/1/1 00:14:14/00:01:17 v2 1 / S
10.1.34.4 Serial0/1/0.34 00:13:14/00:01:18 v2 1 / S

PRUNING
PIM-DM keeps a timer on a PRUNED INTERFACE, and when the timer expires - Multicast is flooded again, until a new PRUNE message is
received from the DOWNSTREAM router. With STATE REFRESH the router nearest the source periodically sends a control packet down the tree so
the prune state is refreshed without re-flooding; you can change how often it originates it:
(config-if)#ip pim state-refresh origination-interval 60

____________________________________________________________________________________________________________________
STATIC RENDEZVOUS POINT (RP) Configuration
____________________________________________________________________________________________________________________
A rendezvous point (RP) is required in networks running Protocol Independent Multicast sparse mode (PIM-SM). In PIM-SM, traffic will be
forwarded only to segments with active receivers that explicitly requested multicast data.
STATIC RP CONFIGURATION NEEDS TO BE THE SAME ON ALL THE ROUTERS, including the RP!!!
Specify the router to be the RP for a specific group (the optional ACL number lists the groups this RP serves; without it the RP serves all groups):
(config)#ip pim rp-address 192.168.0.0 [1] [override] <-1 IS THE ACL OF GROUPS
*If the override keyword is not specified and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static
group-to-RP mappings.
*Configuring the RP creates the PIM register tunnel interface automatically:
*Dec 14 19:45:20.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

#sh ip pim rp map
PIM Group-to-RP Mappings
Acl: 1, Static
RP: 1.1.1.2 (?)
Group(s): 224.0.0.0/4, Static <-WHEN ACL IS NOT SPECIFIED, BEST PRACTICE: CONFIGURE ACL WITH GROUPS TO DENY
RP: 1.1.1.3 (?)

If two RPs have OVERLAPPING SCOPE of Groups - HIGHER SOURCE IP WINS
____________________________________________________________________________________________________________________
DESIGNATED ROUTER (DR) Configuration
____________________________________________________________________________________________________________________
If there are multiple routers on a LAN, a Designated Router (DR) must be elected to avoid duplicating multicast traffic for connected hosts. The
DR is responsible for the following tasks:
- Sending PIM register and PIM Join and Prune messages toward the rendezvous point (RP) to inform it about host group membership.
- Sending IGMP host-query messages.
- Sending host-query messages by default every 60 seconds in order to keep the IGMP overhead on hosts and networks very low.
IMPORTANT: Designated Router works ONLY with IGMPv1, and it determines the Router that sends the IGMP Queries. In IGMPv2 the Querier
is elected directly by the protocol (router with the LOWEST IP address), so no DR is needed. To check who the DR is currently, check for the
PIM neighbors:
#SH ip pim nei | i DR
10.1.12.2 FastEthernet0/0 2d01h/00:01:28 v2 1 / DR S

The criteria for determining the DR on the subnet are similar to OSPF:
- Choose the router with the HIGHEST DR PRIORITY (default is 1)
- If the priorities are the same - choose the router with the highest IP address
To change the DR priority, go to the interface configuration:
(config-if)#ip pim dr-priority 100

To FILTER and not become NEIGHBOR with certain IPs, use the "ip pim neighbor-filter 1", where 1 is an ACL.
(config-if)#ip pim neighbor-filter 1


____________________________________________________________________________________________________________________
IP MULTICAST: AUTOMATIC RENDEZVOUS POINT (Auto-RP) Configuration
____________________________________________________________________________________________________________________
Auto-RP automates the distribution of group-to-rendezvous point (RP) mappings in a PIM network. IANA has assigned two group addresses,
224.0.1.39 and 224.0.1.40, for Auto-RP. NOTE that these will work ONLY IN A DENSE MODE, which is why SPARSE-DENSE mode is REQUIRED
for Auto-RP to be configured. If you need SPARSE mode you will need to manually configure the Auto-RP listener:
(config)#ip pim autorp listener

*If the interfaces have been configured in the SPARSE-DENSE mode, no need to manually configure the listener. You can configure 2 Routers as
the RP and have them ANNOUNCE themselves as the RPs, and aside you would have the MAPPING AGENT who will COLLECT the
announcements and DECIDE THE REAL RP. Auto-RP Configuration requires you to define the CANDIDATE RP, and MAPPING AGENT before you
get into the configuration.
STEP 1: Configure CANDIDATE-RP, so that the RP can announce itself as the RP to the other routers. The destination for these announcements
is by default 224.0.1.39. SCOPE CAN BE USED TO LIMIT THE RANGE THE RP IS ANNOUNCED.
(config)#ip pim send-rp-announce Loopback0 scope 2 group-list 1
*SCOPE defines the TTL, and 1 is the ACL for Multicast Groups you want the RP to announce

STEP 2: ALL routers receive the announcements; ONLY the MAPPING AGENT will process them. Configure the MAPPING AGENT, which will PROCESS
the RP-announce messages and decide the RP-to-Group mapping.
If there is more than one candidate RP for the same group range, the one with the HIGHEST SOURCE IP wins and gets announced.
(config)# ip pim send-rp-discovery lo1 scope 31

When you DEBUG the Auto-RP on the MAPPING AGENT:
*Dec 14 11:42:26.019: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.4, RP_cnt 1, ht 181
*Dec 14 11:42:26.019: (0): pim_add_prm:: 238.0.0.0/255.0.0.0,
rp=1.1.1.4, repl = 0, ver =3, is_neg =0, bidir = 0, crp = 0 create_new = 1
*Dec 14 11:42:26.019: Auto-RP(0): Added with
*Dec 14 11:42:26.019: prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1
*Dec 14 11:42:26.019: Auto-RP(0): Build RP-Discovery packet
*Dec 14 11:42:26.019: Auto-RP(0): Build mapping (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1,
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Ethernet0/0 (1 RP entries)
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.53 (1 RP entries)
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.45 (1 RP entries)
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Loopback0(*) (1 RP entries)
*Dec 14 11:45:02.551: prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.3), PIMv2 v1
*Dec 14 11:45:02.551: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.3, RP_cnt 1, ht 181
*Dec 14 11:45:02.551: (0): pim_add_prm:: 238.0.0.0/255.0.0.0,
rp=1.1.1.3, repl = 0, ver =3, is_neg =0, bidir = 0, crp = 0
*Dec 14 11:45:02.551: Auto-RP(0): Update

So if you have 2 CANDIDATE-RPs and check the MAPPING AGENT:
#sh ip pim rp mapping | b Group
Group(s) 238.0.0.0/8
RP 1.1.1.4 (?), v2v1
Info source: 1.1.1.4 (?), elected via Auto-RP <-ELECTED DUE TO THE HIGHER IP ADDRESS VALUE
Uptime: 00:01:52, expires: 00:02:05
RP 1.1.1.3 (?), v2v1
Info source: 1.1.1.3 (?), via Auto-RP
Uptime: 00:02:15, expires: 00:02:43

The other routers within the domain will learn the RP IP address with the Mapping Agent as the Source:
#sh ip pim rp mapp | i RP|source
RP 1.1.1.4 (?), v2v1
Info source: 1.1.1.5 (?), elected via Auto-RP

If you want to LIMIT (FILTER) WHERE the RP announcements are forwarded, define the MULTICAST BOUNDARY on the interface towards that
HOST, and add the known Auto-RP Multicast IP 224.0.1.40 in ACL 1:
(config)#access-list 1 deny host 224.0.1.40
(config-if)#ip multicast boundary 1
*NOTE that the DEAD TIMER is 3 minutes, so you have to be patient here
When you're filtering the MULTICAST GROUPS you're announcing to the other hosts, use ANNOUNCE-FILTER:
(config)#ip pim rp-announce-filter group-list 6 <-6 IS THE ACL OF ANNOUNCE DESTINATIONS

FILTERING of the RP Announcements can be done using the RP-LIST, BUT WATCH OUT, THESE HAVE THE OPPOSITE LOGIC:
(config)# ip pim rp-announce-filter rp-list 4 [group-list 5] <-ACL 4 PERMITS the RPs that will NOT be
advertised!!!
*GROUP-LIST is the ACL with MULTICAST GROUPS for which you DON'T want this RP to be advertised

You can set the ROUTER to perform the SPT (shortest path tree) SWITCHOVER ONLY if a group reaches a certain BW; in this case we're analysing Multicast
groups in the ACL 1 to see if they reach 20 kbps:
(config)#ip pim spt-threshold 20 group-list 1

If you want to FILTER THE INCOMING groups, define the ACL and apply it DIRECTLY on the incoming interface:
(config)#access-list 52 permit host 225.25.25.25 <-MULTICAST SOURCES WE WANT TO PERMIT
(config)#access-list 52 permit host 226.26.26.26
(config-if)#ip igmp access-group 52 <-YOU WILL NOT HAVE IN|OUT OPTION HERE, as logical

____________________________________________________________________________________________________________________
IP MULTICAST: BSR (Bootstrap Router) Configuration
____________________________________________________________________________________________________________________
PIM uses the BSR to discover and announce RP-set information for each group prefix to all the routers in a PIM domain. So, BSR has the same
function as the Auto-RP, but the BSR is part of the PIM Version 2 specification. BSR interoperates with Auto-RP on Cisco routers. A
BSR is elected among the candidate BSRs automatically; they use bootstrap messages to discover which BSR has the highest priority.
This router then announces to all PIM routers in the PIM domain that it is the BSR.
BSR ADVANTAGE: There is a PRIORITY COMMAND! Auto-RP doesn't have the option to set the Router with the Lower IP as the RP.
STEP 1: Enable Multicast Routing and configure all the relevant interfaces in PIM SPARSE MODE
STEP 2: Configure the router to announce its candidacy as a bootstrap router (BSR). Note that if you get the message "Warning: PIMv2 not
configured", you need to configure "ip pim sparse-mode" on the interface:
(config)#ip pim BSR-candidate lo0

STEP 3: Configure PIM Version 2 candidates to be the RP to the BSR, also defining the priority if needed:
(config)#ip pim RP-candidate lo0 priority 100 <-LOWER PRIORITY IS BETTER, default is 0

Once the CANDIDATE RPs know the BSR address - they send UNICAST messages to BSR identifying themselves as candidates.
To check the RP election, the command is the same like in Auto-RP:
#sh ip pim rp mapp | b Group
Group(s) 224.0.0.0/4
RP 1.1.1.3 (?), v2
Info source: 1.1.1.4 (?), via bootstrap, priority 0, holdtime 150 <-INFO SOURCE IS ALWAYS RP
Uptime: 00:14:16, expires: 00:02:18
RP 1.1.1.4 (?), v2
Info source: 1.1.1.4 (?), via bootstrap, priority 50, holdtime 150 <-INFO SOURCE IS ALWAYS RP
Uptime: 00:14:09, expires: 00:02:18
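To make the difference between the two election rules concrete (Auto-RP: highest IP wins, no priority; BSR: lowest priority value wins, then highest IP) and to show how the holdtime drives the "expires:" column, here is an added Python simulation. It is not code from the guide; the candidates, priorities and arrival times are constructed to mirror the outputs above.

```python
"""RP election rules from the Auto-RP and BSR sections, simulated (added example, not from the guide)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CandidateRp:
    address: str      # candidate RP address (source of the RP-announce / C-RP advertisement)
    group: str        # group prefix the candidate announces, e.g. "238.0.0.0/8"
    priority: int     # BSR C-RP priority, lower value preferred (default 0); Auto-RP has no priority
    holdtime: int     # seconds the mapping stays valid ("ht 181" in the Auto-RP debug above)
    received_at: int  # constructed arrival time in seconds


# Constructed scenario mirroring the outputs above: two candidates for 238.0.0.0/8.
CANDIDATES = [
    CandidateRp("1.1.1.4", "238.0.0.0/8", priority=50, holdtime=181, received_at=0),
    CandidateRp("1.1.1.3", "238.0.0.0/8", priority=0, holdtime=181, received_at=40),
]


def live(candidates, now):
    """Drop candidates whose holdtime ran out; IOS shows the remaining time as 'expires:'."""
    return [c for c in candidates if now - c.received_at < c.holdtime]


def autorp_rank(c):
    """Mapping agent rule: only the IP matters, highest wins (priority is not part of Auto-RP)."""
    return int(ipaddress.ip_address(c.address))


def bsr_rank(c):
    """BSR rule: lowest priority value wins; on a tie the highest IP wins (negated so max() works)."""
    return (-c.priority, int(ipaddress.ip_address(c.address)))


def elect(candidates, now, rank):
    """Return {group_prefix: elected RP address} using the given ranking rule."""
    winners = {}
    for c in live(candidates, now):
        cur = winners.get(c.group)
        if cur is None or rank(c) > rank(cur):
            winners[c.group] = c
    return {g: c.address for g, c in winners.items()}


def autorp_elect(candidates, now):
    return elect(candidates, now, autorp_rank)


def bsr_elect(candidates, now):
    return elect(candidates, now, bsr_rank)


def rp_mapping_table(candidates, now, rank):
    """Rows in the spirit of 'show ip pim rp mapping': (rp, group, elected?, expires_in_seconds)."""
    elected = elect(candidates, now, rank)
    return [
        (c.address, c.group, elected.get(c.group) == c.address, c.holdtime - (now - c.received_at))
        for c in live(candidates, now)
    ]


if __name__ == "__main__":
    print("Auto-RP:", autorp_elect(CANDIDATES, now=60))   # 1.1.1.4, higher IP
    print("BSR:    ", bsr_elect(CANDIDATES, now=60))      # 1.1.1.3, priority 0 beats 50
    print("Auto-RP after 1.1.1.4 expires:", autorp_elect(CANDIDATES, now=200))
```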

FILTERING WITH TTL is another option not to forget when working on MULTICAST. There is an interface command that sets the TTL
THRESHOLD for MULTICAST packets, so like the SCOPE feature in Auto-RP - you can use this to control remote Multicast packets. In this
example, multicast packets from routers more than 3 hops away (255-252) will not reach the local router:
(config-if)#ip multicast ttl-threshold 252

The same filter can be used OUTBOUND, using the SAME command, so if you want to make sure that no multicast packet with TTL<13 goes out
the interface, use:
(config-if)#ip multicast ttl-threshold 13
*This command is under "PIM>Using MSDP to Interconnect Multiple PIM-SM Domains" in Cisco Docs
(MSDP is a mechanism to connect multiple PIM-SM domains. The purpose of MSDP is to discover multicast sources in other PIM domains.)
____________________________________________________________________________________________________________________
IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration
____________________________________________________________________________________________________________________
MSDP is the mechanism to connect multiple PIM-SM domains. MSDP peering is configured BETWEEN THE RPs (RPs use TCP port 639 to
synchronize the sources each one knows). In anycast RP, all the RPs are configured to be MSDP peers of each other. When a MULTICAST
SOURCE starts sending - the first hop router encapsulates the data in register messages and UNICASTS them to the RP. The RP de-encapsulates and sends towards
the last hop. SA (Source Active) messages identify the Source IP and the Group.
MSDP peering connections need to be established between all MSDP peers:
(config)#ip msdp peer 1.1.1.5 connect-source lo0

#sh ip msdp peer
MSDP Peer 1.1.1.5 (?), AS ?
Connection status:
State: Up, Resets: 0, Connection source: Loopback0 (1.1.1.2)
*SA messages are used to advertise active sources in a domain.
Anycast-IP
In anycast RP, two or more RPs are configured with the SAME IP ADDRESS on their loopback interfaces. The anycast RP loopback address
should be configured with a 32-bit mask, making it a host address. IP routing will automatically select the topologically closest RP.
IMPORTANT: In anycast RP, all the RPs are configured to be MSDP peers of each other
____________________________________________________________________________________________________________________
Multiprotocol BGP (MP-BGP) & IP Multicast
____________________________________________________________________________________________________________________
First you would need to DISABLE the default BGP behavior, which is IPv4-Unicast:
(config-router)#no bgp default ipv4-unicast

Now within the BGP process you can define the Address Families (AF) Configuration Commands apart, among them you can define the
"address-family ipv4 UNICAST" and "address-family ipv4 MULTICAST":
(config-router)#address-family ipv4 unicast
(config-router-af)#neighbor 100.1.34.4 activate
(config-router-af)#network 1.1.1.1 mask 255.255.255.255 <-CAN BE KNOWN VIA OTHER PROTOCOL
(config-router-af)#no auto-summary <-ALSO NEEDED WITHIN AF

____________________________________________________________________________________________________________________
IP MULTICAST: Configuring SSM (Source Specific Multicast)
____________________________________________________________________________________________________________________
Source Specific Multicast (SSM) is an extension of IP multicast where datagram traffic is forwarded to receivers from only those multicast
sources that the receivers have explicitly joined. For multicast groups configured for SSM, only source-specific multicast distribution trees (not
shared trees) are created.
SSM best supports ONE-TO-MANY applications, also known as BROADCAST applications. The following two components together support the
implementation of SSM:
- Protocol Independent Multicast source-specific mode (PIM-SSM)
- Internet Group Management Protocol Version 3 (IGMPv3), that introduces the ability for hosts to signal group membership that
allows filtering capabilities with respect to sources.
Default SSM Scope is 232.0.0.0/8. The router CLOSEST to the RECEIVING HOSTS should have SSM enabled. Configuration is quite simple,
define the ACL, and enable the SSM for that range in the Global Configuration mode:
(config)#access-list 1 permit 230.0.0.0 0.255.255.255
(config)#ip pim ssm [range ACL | default] <-DEFAULT COVERS STANDARD SSM RANGE 232.0.0.0/8

DO NOT FORGET to set the IGMP version to IGMPv3 on the interfaces:
(config-subif)#ip igmp version 3

Then in the Global Configuration mode set the DEFAULT mode to SSM:
(config)#ip pim ssm default <-SETS USAGE OF SSM DEDICATED RANGE 232.0.0.0/8 ON

Once the interface IGMP version is set, you can configure a SOURCE SPECIFIC Multicast join:
(config-if)#ip igmp join-group 232.6.6.6 source 10.1.56.6

Now Verify in the Multicast Routing Table of the UPSTREAM ROUTER (interface towards this router must be IGMPv3):
#sh ip mroute | s 232.6.6.6
(10.1.56.6, 232.6.6.6), 00:00:27/00:02:32, flags: sTI
Incoming interface: Serial1/0.24, RPF nbr 10.1.24.4
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 00:00:27/00:02:32

There is another option IGMPv3 allows you, and it's called "explicit-tracking" (IGMPv3 Interface command). It causes the router to TRACK ALL
REPORTERS and not only the last one, and it enables LEAVING (S,G) as soon as the last host leaves that (S,G) without sending a query:
(config-if)#ip igmp explicit-tracking

*Make sure you see the "T" flag in the MROUTE table:
#sh ip mroute | i 232.6.6.6
(10.1.56.6, 232.6.6.6), 00:09:16/00:02:25, flags: sTI <-T means TRACKED

____________________________________________________________________________________________________________________
IP MULTICAST: Bidirectional PIM (Bidir-PIM)
____________________________________________________________________________________________________________________
In bidirectional mode, traffic is routed only along a bidirectional shared tree that is rooted at RP for the group. Membership in a bidirectional
group is signaled by way of explicit Join messages. Traffic is ALWAYS sent to RP, and passed down the tree. PIM-SM has been improved, so now
traffic can go UPSTREAM if needed just to reach the RP.
The new concept was introduced as the LOOP PREVENTION within the BIDIR-PIM, it's called DESIGNATED FORWARDER (DF).
BIDIRECTIONAL PIM removes the RPF (Reverse Path Forwarding) rules, and it REMOVES (S,G) entries from the route table, leaves ALL (*,G)
entries
DESIGNATED FORWARDER (DF) is the Multicast Router that can forward (*,G) state in 2 DIFFERENT DIRECTIONS for the same group address.
DF winner is determined by IGP cost on a link by link basis.
STEP 1: First the Bidirectional PIM needs to be enabled on ALL THE ROUTERS:
(config)# ip pim bidir-enable

STEP 2: Statically configure the RP, also on ALL the routers (INCLUDING THE RP ITSELF):
(config)#ip pim rp-address 1.1.1.3 bidir

To make sure that the router 1.1.1.3 is REALLY the DF on the interface:
#sh ip pim inter s1/0.32 df 1.1.1.3
Designated Forwarder election for Serial1/0.32, 10.1.23.3, RP 1.1.1.3
State DF
Offer count is 0
Current DF ip address 10.1.23.3
DF winner up time 00:04:19
Last winner metric preference 0
Last winner metric 0
Next winner will be sent in 45360 ms

Once a host joins a Multicast Group, for example 224.1.2.3, in a network configured as BIDIR-PIM:
#sh ip mroute bidirectional | s 224.1.2.3
(*, 224.1.2.3), 00:00:41/00:02:48, RP 1.1.1.3, flags: B <-BIDIRECTIONAL FLAG
Bidir-Upstream: Serial1/0.53, RPF nbr 10.1.35.3
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 00:00:41/00:02:48
Serial1/0.53, Bidir-Upstream/Sparse, 00:00:41/00:00:00

____________________________________________________________________________________________________________________
IP MULTICAST: Helper Map
____________________________________________________________________________________________________________________
Perform this task to convert broadcast traffic to IP multicast traffic on the first hop router. The first hop router is on the border between the
broadcast-only network and IP multicast network.
*NOTE that you MUST have Multicast configured between the two broadcast-only networks, even on the interfaces towards the BROADCAST-
ONLY network segments.
You can use this for ROUTING PROTOCOLS, but remember to change the updates to BROADCASTS, for example RIP:
(config-if)#ip rip v2-broadcast

STEP 1: Create an extended IP access list to control which UDP broadcast packets are translated. In this example the RIP protocol is configured,
and the BROADCAST RIP packets going from source 10.1.12.1 are matched:
(config)#access-list 101 permit udp host 10.1.12.1 eq rip host 255.255.255.255 eq rip
(config)#ip forward-protocol udp rip <-SPECIFY HOW BROADCAST MESSAGES ARE FORWARDED

STEP 2: Define the HELPER MAP on the interface that receives the INCOMING BROADCAST traffic, to convert it INTO MULTICAST traffic
destined to group 224.1.1.1 with TTL 3 (only 3 hops allowed):
(config-if)#ip multicast helper-map broadcast 224.1.1.1 101 ttl 3

STEP 3: On the LAST HOP router towards another BROADCAST network segment identify the RIP traffic using the ACL:
(config)#access-list 102 permit udp host 10.1.12.1 any eq rip
(config)#ip forward-protocol udp

STEP 4: Use the HELPER MAP on the LAST HOP INTERFACE towards the MULTICAST segment (from where the MULTICAST traffic will be
coming) to CONVERT MULTICAST BACK TO BROADCAST (10.1.45.255 is the RIP packets' final destination):
(config-subif)#ip multicast helper-map 224.1.1.1 10.1.45.255 102

STEP 5: On the INTERFACE towards the BROADCAST SEGMENT:
(config-if)#ip directed-broadcast

In this particular case we would also have to TUNE RIP a little bit, not to validate the UPDATE SOURCE:
(config-router)#no validate-update-source


____________________________________________________________________________________________________________________
MULTICAST Helper Map & Helper-address
____________________________________________________________________________________________________________________
Helper Map is used to convert the UDP BROADCAST to MULTICAST packets. So when by default the application is sending the BROADCAST, we
need to use this feature. Another option would be to convert BROADCAST to UNICAST packets, using the "ip helper-address". Two major steps
need to be taken here:
*Helper-Map is configured on BOTH INCOMING INTERFACES!!!
IMPORTANT: The traffic needs to be PROCESS SWITCHED in order for Helper Map to work, so if you're using the broadcasts on port UDP/3999,
on BOTH routers also configure:
(config)#ip forward-protocol udp 3999

STEP 1: On the BROADCAST SOURCE convert the BROADCAST traffic to MULTICAST
(config-if)#ip multicast helper-map broadcast MULTICAST_GROUP ACL_PERMITTING_THE_PORT

Example:
(config-if)#ip multicast helper-map broadcast 239.39.39.39 101
(config)#access-list 101 permit udp any any eq 3999

STEP 2: On the CLIENT, convert the traffic BACK TO BROADCAST for the client to receive it as the application was designed.
(config-if)#ip multicast helper-map MULTICAST_GROUP 192.168.1.255 101
*192.168.1.255 is the IP of the final interface, but in the broadcast form
(config-if)#ip directed-broadcast - TARGET INTERFACE MUST SUPPORT A DIRECTED BROADCAST

This feature is also used in a MULTICAST STUB. When the next router cannot (or we don't want it to) become a PIM neighbor, configure the
IGMP Helper Address in order to still receive the Multicast from that router:
(config-if)#ip igmp helper-address 10.1.15.66
*configure on the interface towards the receiver of Multicast

Security

____________________________________________________________________________________________________________________
Security TIPS
____________________________________________________________________________________________________________________
TIP - ICMP: When you want to prevent the router response with "Host Unreachable" messages (U.U.U), on the interface:
(config-if)#no ip unreachables
(config-if)#no ip mask-reply <-DON'T REVEAL THE NETWORK MASK

TIP - TELNET: When you need to control only access to TELNET, apply directly to the VTY:
(config)#line vty 0 4
(config-line)#access-class 1 in <-1 IS THE LIST OF CLIENTS ALLOWED TO TELNET

TIP - SNMP: You can allow only some of the HOSTS to access the router's SNMP agent:
(config)#snmp-server community mYcOMMUNITY RO 22
(config)#access-list 22 permit host 11.187.123.11

TIP: 802.1x, Don't forget to enable the 802.1x GLOBALLY:
(config)#dot1x system-auth-control
#sh dot1x all | i auth <-CHECK IF IT WORKED
Sysauthcontrol Enabled

EAP - Extensible Authentication Protocol allows the device to forward the authentication request to the server, bypassing the local security.
TIP: When creating a USER with only one function, or a MENU, implement the AUTOCOMMAND feature:
(config)#username TEST_USER autocommand menu NOC <-NOC IS A MENU NAME

TIP: When you want to DISABLE the DOMAIN LOOKUP, but only on the CONSOLE port, there is a TRICK:
(config)#line con 0
(config-line)#transport preferred none

TIP: Don't forget the POLICE RATE command within the Policy-Map when you need to police by PPS:
(config-pmap-c)#police rate 100 pps

TIP: When you want to DISABLE SOURCE ROUTING, just do the global command:
(config)#no ip source-route

TIP: if you cannot remember a port number, define an ACL, and after the "eq" show the options using the "?"
TIP: "deny any any" doesn't affect the locally generated traffic on the router
TIP: be careful with the LOG keyword, because the logged traffic in the ACL needs to be PROCESS SWITCHED, so a large amount of logs will influence
the CPU if we don't configure "logging rate-limit". You can also use the command "ip access-list logging 10000" to set every how many seconds
the logs are taken. Another method is setting the "ip access-list log-update THRESHOLD", which defines after how many Hits in the ACL
a Log message is generated.
ESTABLISHED - if we are trying to match only the RETURNING traffic, meaning the inbound TCP sessions that have been established already,
add the "established" keyword to the ACL that you will apply INBOUND from the outside direction (beware, because the ESTABLISHED flag is
easy to spoof). Also the best practice would be to deny ICMP UNREACHABLE messages on the same interface, to prevent the outside attacker
from knowing which ports you deny by ACL:
(config-if)#no ip unreachables



____________________________________________________________________________________________________________________
Layer 2 Security
____________________________________________________________________________________________________________________
All features are in Cisco docs under the 3560 specific configuration.
PORT SECURITY - the VIOLATION mode decides what happens on a violation:
SHUTDOWN mode (default) - port goes to errdisable mode, until you manually unshut that port. You should define the errdisable timeout to avoid this.
PROTECT mode - filters the offending traffic from getting in
RESTRICT mode - like protect, with LOG
PACL - Port Based ACLs, applied to the switched port, inbound. Could be IP or MAC based.
RACL - Routed ACL, applied to the SVI, can be applied either inbound or outbound
VACL - VLAN ACL, be really careful with the DENY, because these can drop VTP, STP or other L2 traffic. The configuration consists in defining
a VLAN access map that references an ACL, and applying it as the VLAN FILTER to a list of VLANs:
(config)#vlan access-map VLAN_ACL
(config-access-map)#match ip address 101
(config-access-map)#action forward
(config)#vlan filter VLAN_ACL vlan-list VLAN_LIST <-VLAN_LIST IS THE VLAN OR RANGE OF VLANS TO FILTER

Two ways you can secure the CAM table:
1. Enable the port security on the interface and add the MACs using STICKY or STATIC
2. Disable port security and add the entries directly to the CAM table:
(config)#mac address-table static ffff.aabc.1233 vlan 24 interface fa0/0 <-MAC, VLAN, THEN THE PORT

The most important command:
#show port-security interface fa0/0

STORM CONTROL
Made to limit the traffic amounts by type (Unicast, multicast or broadcast), similar to policing but can only be applied on the INGRESS
direction.
802.1x
L2 security feature that requires credentials from the user in order to let him use the port. It requires a TACACS or RADIUS server and AAA. If
the host doesn't authenticate we can shut the port down, or place it into a GUEST VLAN.
____________________________________________________________________________________________________________________
Access Restrictions and Privilege Levels
____________________________________________________________________________________________________________________
For example, when you want to modify how a certain privilege level executes commands and limit it to just a few commands you want, you
execute from global config mode (this is to enable privilege level 0 to show how the interface is configured):
(config)#privilege exec level 0 show run int fa0/0

The command will be CORRECTED into "show run" because that is the maximal granularity IOS supports. If you want the user to see the
commands configured under the INTERFACE, you need to configure the privilege on that mode:
(config)#privilege interface level 0 ip address

All the sub-commands to reach the "final command" are added automatically to the running config (in this case "ip" and "ip address").
Now user can see the "ip address" under the interface. We have to do this for all the lines we want user to see, like speed, duplex, switchport.

If you want the privilege X users not to be able to execute some commands, just move those commands to the privilege level X+1. For example
we don't want privilege 1 to be able to telnet, so we put telnet to level 2:

(config)#privilege exec level 2 telnet

Be careful here because by typing only an IP address you actually telnet. This can be prevented on the LINE VTY command:

(config-line)#transport preferred none <-BY DEFAULT IT'S TELNET

____________________________________________________________________________________________________________________
RBAC (Role Based Access Control)
____________________________________________________________________________________________________________________
RBAC is a replacement for privilege levels, when there is no TACACS server available. It defines a ROLE as a group of commands, known as a
"parser view" in IOS. It requires AAA enabled on a router. You can enter the PARSER VIEW mode by doing:

#enable view - GO INTO THE ROOT VIEW

The parser view is defined in the global configuration mode:

(config)#parser view SHOWPARSER - IF YOU ADD "superview" IT WILL INHERIT ALL THE ALLOWED COMMANDS

And to test it you would enter the defined parser mode:

#enable view SHOWPARSER
!!!DON'T FORGET TO DO THE COMMAND "aaa authorization group default local", to enable RBAC

Each view can have a different password associated using the "secret" command. And then within the parser view mode define the allowed
commands using the "commands" sub-command:

(config-view)#commands exec include all show

____________________________________________________________________________________________________________________
Router Security - Best Practices
____________________________________________________________________________________________________________________
First you should define some RULES for the password definitions. For example - Minimal Password Length:
(config)#security passwords min-length 7

Permit users to have to wait for 1 minute if they attempt to log in for 3 times, and LOG it:
(config)#login block-for 60 attempts 3 within 60 <- ALLOW 3 ATTEMPTS WITHIN 1 MINUTE
(config)#security authentication failure rate 3 log <- LOG FAILED ATTEMPTS

To set up a PRIVILEGE mode password that uses MD5 hashing:
(config)#enable secret level 15 0 Cisco07
TIP: If your password contains "?", you need to press "ESC+Q" or CTRL+V before you enter the "?" sign.
To define the USERNAME and assign it a MD5 Hash Password:
(config)#username cisqueros secret 0 Cisco07
(config)#do sh run | i username
username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/

No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router
configuration and clearing the password. If you want to do this, make sure the Conf.Register is 0x2102:
#sh ver | i register
Configuration register 0x2102 (Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate
default)

More about Configuration Register Values:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml
Then apply the command. *This command is HIDDEN, so the "?" will not display it! You will also be WARNED by IOS:
(config)#no service password-recovery

WARNING: Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]:

Don't forget to configure both - the CONSOLE Port (line con 0) and the AUXILIARY Port as a backup solution (line aux 0). You should automatically
DISCONNECT these sessions (CON & AUX) after some time of inactivity (session-timeout takes minutes, exec-timeout takes minutes and seconds):
(config-line)#session-timeout 5 <-DISCONNECT IF NO INPUT FOR 5 MINUTES
(config-line)#exec-timeout 5 0 <-TERMINATE THE EXEC SESSION IF NO INPUT FOR 5 MINUTES

If you have more than one administrator, and you want to limit them to a certain commands, use "privilege EXEC", and define the Privilege
Level 9 commands:
(config)#privilege exec level 9 show interfaces <- BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"
(config)#privilege exec level 9 ping
(config)#privilege exec level 9 traceroute

Be sure to apply the usage of the local user database on the CONSOLE PORT:
(config)#line con 0
(config-line)#login local

To disable showing WHO IS CURRENTLY LOGGED INTO the device:
(config)#no ip finger
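As an added example (not from the guide), a Python script that audits a running-config against the hardening items from the Security TIPS and the Best Practices above: source routing, password rules, login throttling, enable secret, password recovery, finger, per-interface unreachables/mask-reply/directed-broadcast, and per-line login, exec-timeout and access-class. The sample running-config is constructed and its hashes are placeholders; because "show run" omits defaults, a missing "no ..." line is treated as the default being active.

```python
"""Audit an IOS running-config against the hardening items above (added example, not from the guide)."""

# Constructed sample running-config; hashes are placeholders, not real secrets.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
no service password-recovery
security passwords min-length 7
enable secret 5 $1$PLACEHOLDER$hashvaluehere
username cisqueros secret 5 $1$PLACEHOLDER$hashvaluehere
no ip finger
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 no ip unreachables
!
interface Serial0/1/1
 ip address 10.1.13.3 255.255.255.0
 ip directed-broadcast
!
line con 0
 exec-timeout 5 0
 login local
line aux 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
"""


def parse_blocks(text):
    """Return (global_commands, [(header, [sub_commands])]) for interface and line blocks."""
    global_cmds, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented: sub-command of the current block
            if current is not None:
                current[1].append(line.strip())
            continue
        if line.startswith(("interface ", "line ")):
            current = (line, [])
            blocks.append(current)
        else:                                # global command (sub-commands of other blocks are skipped)
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, blocks = parse_blocks(config_text)
    findings = []

    def has_global(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    # Global items: each required command is absent from 'show run' when the default is active.
    required = {
        "no ip source-route": "IP source routing is enabled",
        "security passwords min-length": "no minimum password length",
        "login block-for": "no login attempt throttling",
        "enable secret": "no 'enable secret' (MD5) privileged password",
        "no service password-recovery": "password recovery via console is still possible",
    }
    for cmd, why in required.items():
        if not has_global(cmd):
            findings.append(f"global: {why} (add '{cmd}')")
    if has_global("ip finger"):
        findings.append("global: finger exposes logged-in users (add 'no ip finger')")
    for cmd in global_cmds:
        if cmd.startswith("username ") and " password " in cmd:
            findings.append(f"global: user '{cmd.split()[1]}' uses a reversible password (use 'secret')")

    # Per-interface and per-line items.
    for header, sub in blocks:
        if header.startswith("interface "):
            if "no ip unreachables" not in sub:
                findings.append(f"{header}: sends ICMP unreachables (add 'no ip unreachables')")
            if "ip mask-reply" in sub:
                findings.append(f"{header}: replies with the network mask (add 'no ip mask-reply')")
            if "ip directed-broadcast" in sub:
                findings.append(f"{header}: forwards directed broadcasts, smurf exposure (add 'no ip directed-broadcast')")
        else:
            if not any(s.startswith("login") for s in sub):
                findings.append(f"{header}: no login required (add 'login local')")
            if not any(s.startswith("exec-timeout") for s in sub):
                findings.append(f"{header}: no explicit idle timeout (add 'exec-timeout 5 0')")
            if header.startswith("line vty") and not any(s.startswith("access-class") for s in sub):
                findings.append(f"{header}: remote access not restricted (add 'access-class <acl> in')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```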
____________________________________________________________________________________________________________________
KNOWN ATTACKS and how to prevent
____________________________________________________________________________________________________________________
SMURF ATTACK: a flood of ICMP echo requests, with the VICTIM's address forged as the source, is sent to the directed BROADCAST address of a subnet behind the router; every host on that subnet replies to the victim (amplified DoS). Stop the router from forwarding directed broadcasts, either with an ACL that denies the subnet broadcast address (x.x.x.255 for a /24) or, better, with the INTERFACE command (this has been the default since IOS 12.0):
(config-subif)#no ip directed-broadcast

Trin00 ATTACK: DDoS tool that launches UDP FLOODS from compromised agents; its master/agent control channels use TCP 1524, 27665 and UDP 27444, 31335
Trinity v3 ATTACK: DDoS tool whose floods include UDP, fragment, SYN, RST and ACK floods. It is controlled over IRC, mainly TCP/6667, and the agent listens on TCP/33270
ICMP echo (ping) is used by many reconnaissance and flooding attacks, so it is commonly filtered at the entrance to your network, together with mask-request and redirect:
(config)#access-list 102 deny icmp any any mask-request
(config)#access-list 102 deny icmp any any redirect
(config)#access-list 102 deny icmp any any echo
*The ACL ends with an implicit "deny ip any any", so add the permit entries for the traffic you DO want before applying it. Also consider leaving echo-reply, time-exceeded and unreachable (fragmentation-needed, which path MTU discovery depends on) open, otherwise troubleshooting from the inside breaks.

TRACEROUTE (UNIX/IOS style) uses UDP destination ports starting at 33434 (commonly 33434-33534), so decide whether you want to filter those as well. Windows tracert uses ICMP echo instead, so the echo rule above already covers it.
____________________________________________________________________________________________________________________
BANNER and MENU Configuration
____________________________________________________________________________________________________________________
If you need to define a BANNER to display the user restrictions, have in mind that you can use these tokens inside the text, which IOS expands when the banner is displayed:
$(hostname) $(line) $(domain)

You also have the option of building a MENU, so that a restricted user is presented with numbered choices and the router runs the underlying command on their behalf (typically started with "autocommand" on a line or a username):
Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T>Banner Configuration

Step 1: Define the MENU TITLE (the first character after "title" is the delimiter and must also close the text):
(config)#menu MYMENU title & This is the AXA menu &

Step 2: Define the TEXT ITEMS:
(config)#menu MYMENU text 1 Display all interfaces with their IPs
(config)#menu MYMENU text 2 Display the configuration of Fa1/0/1
(config)#menu MYMENU text 3 Logout
(config)#menu MYMENU text 4 Exit the Menu

Step 3: Specify the UNDERLYING COMMAND of each item in the MENU (every text item needs a matching command; "menu-exit" is the keyword that leaves the menu and returns to the EXEC prompt, "exit" ends the session):
(config)#menu MYMENU command 1 sh ip int br
(config)#menu MYMENU command 2 sh run int fa1/0/1
(config)#menu MYMENU command 3 exit
(config)#menu MYMENU command 4 menu-exit

Step 4: Define the DEFAULT action (the item taken when the user just presses Enter):
(config)#menu MYMENU default 4

Step 5: Define the GLOBAL options, for example to clear the screen when the MENU starts:
(config)#menu MYMENU clear-screen

____________________________________________________________________________________________________________________
Configure SSH Access
____________________________________________________________________________________________________________________
Cisco Documents:Security>AAA>Secure Shell Configuration Guide:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-cfg-secure-shell.html
First, make sure that all the devices within your network SUPPORT Secure Shell (a crypto "k9" image is needed). Then decide HOW you
want to implement it, as the configuration guide lists 2 options:
1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name
2. Configuring a Router for SSH Version 2 Using RSA Key Pairs
In the first configuration type, these are the steps to follow:
Step 1: Be sure to have the Hostname and the IP Domain Name configured:
(config)#ip domain name SNArchs

Step 2: Decide the key size in bits (the prompt defaults to 512) and generate the RSA key; generating the key is what ENABLES SSH. Caveat: IOS needs a modulus of at least 768 bits before it enables SSHv2, and 512-bit RSA is trivially factorable today, so use 2048 (the "modulus 2048" keyword on the same command skips the prompt). "usage-keys" creates two separate pairs (signature and encryption); for SSH a single general-purpose key (the command without "usage-keys") is the usual choice. The output below is from the page's own 512-bit run:
(config)#crypto key generate rsa usage-keys

The name for the keys will be: ES-MAT-AES-SR04.SNArchs
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key
modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*Dec 5 12:58:48.123: %SSH-5-ENABLED: SSH 2.0 has been enabled

Then configure the VTY lines to use the user database (LOCAL, or TACACS via AAA) and to accept only SSH:
(config)#line vty 0 4
(config-line)#login local <-NOT AVAILABLE ONCE "aaa new-model" IS CONFIGURED; "login authentication" REPLACES IT
(config-line)#transport input ssh <-TELNET STOPS WORKING ON THESE LINES; KEEP A CONSOLE SESSION OPEN WHILE TESTING

*When testing the access via SSH dont forget to use the "-l" to define the username:
#ssh -l mat 10.1.12.2

You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH), that can later be applied to ALL VTY ports:
(config)#aaa new-model
(config)#aaa authentication login AAA_AUTH local

Now apply it to the VTY port:
(config)#line vty 0 4
(config-line)#transport input ssh
(config-line)#login authentication AAA_AUTH
*The "rotary" command under the VTY line changes the telnet port of that line: "rotary 5" makes the line listen on TCP 3005 (3000 + rotary group)
____________________________________________________________________________________________________________________
ADVANCED Access Lists (ACL) Configuration
____________________________________________________________________________________________________________________
TIP: An ACL is applied to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]

TIP: Watch out not to block the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any

TIP: an outbound ACL, even "deny ip any any", does not affect the traffic the router itself generates; only transit traffic is filtered on the way out
It's enough to configure an extended ACL and hit the question mark when you want to define a PORT, just to realize that there is an entire
world of ACL configuration options that we never knew about.
One of the handy features is the ESTABLISHED keyword, which permits the return traffic of TCP sessions that inside hosts have already opened. In this example we're allowing back in the TELNET and HTTP replies to HOST 10.187.12.1:
(config-ext-nacl)#permit tcp any eq 23 host 10.187.12.1 established
(config-ext-nacl)#permit tcp any eq 80 host 10.187.12.1 established
*"established" is NOT stateful: it simply matches any TCP segment with the ACK or RST bit set. An attacker can craft such segments from anywhere and they pass the ACL (enough for ACK scanning, though a new connection still cannot complete). For real session tracking use a REFLEXIVE ACL, CBAC or the Zone Based Firewall.

TIME-BASED ACL
STEP 1: define the time range (periodic or absolute windows) using the "time-range TIMERANGE" command in global configuration mode. Be sure the clock is correct
using "show clock", and if not, set it with "clock set" or, better, with an NTP server (an attacker who can skew your clock can open the window)
STEP 2: attach the time-range to the ACL entry:
(config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE

____________________________________________________________________________________________________________________
DYNAMIC ACL (aka Lock and key ACL)
____________________________________________________________________________________________________________________
These are used to TEMPORARILY open a hole in the router based on AUTHENTICATION: the user must telnet to the router and authenticate before the dynamic entry becomes active, so the ACL is typically applied on the untrusted (e.g. INSIDE) interface. The user needs to run "access-enable" in order to activate the dynamic entry (from EXEC mode, which is ridiculous to type manually), so to do it automatically, on the VTY line:
(config-line)#autocommand access-enable [host]

Think of it like the time-range feature, but instead of the time we permit the traffic based on Authentication. The dynamic entry is defined using "access-list <number> dynamic ..."
STEP 1: Create an EXTENDED ACL, but be sure to allow all the needed protocols before you apply it on the interface:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any

STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL (add the "timeout <minutes>" keyword before "permit" if you want an absolute lifetime for the opened entries):
(config)#access-list 100 dynamic DYN_ACL permit ip any any

STEP 3: Apply the ACL on the interface:
(config-if)#ip access-group 100 in

STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:
(config-line)#autocommand access-enable host
*"access-enable" is an EXEC command, it doesn't appear when "?" is pressed
**AUTOCOMMAND links the DYNAMIC ACL to the TELNET AUTHENTICATION: whoever passes the VTY login gets the entry opened, and the "host" keyword narrows the "any" source of the dynamic entry to that user's IP (leave it out and "permit ip any any" opens up for everybody). The telnet session is closed right after the autocommand runs.
***The "rotary" command under the VTY line changes the telnet port of that line: "rotary 5" makes the line listen on TCP 3005, so the lock-and-key login can live on its own port instead of the regular telnet port 23

You can also apply the "autocommand" directly to the USERNAME, if you want the DYNAMIC ACL tied to one user only:
(config)#username TELNET secret CISCO <-USE "secret" RATHER THAN "password": THE LATTER IS STORED IN CLEAR OR WITH THE REVERSIBLE TYPE 7 OBFUSCATION
(config)#username TELNET autocommand access-enable


____________________________________________________________________________________________________________________
REFLEXIVE ACL - For Session Filtering
____________________________________________________________________________________________________________________
REFLEXIVE ACL gives session filtering like CBAC, but with only an idle timer and no application inspection. Applied on the outbound interface of the router, the outbound ACL records each permitted outgoing session, and the inbound ACL then permits ONLY the mirror image of what went out (source and destination addresses and ports swapped); everything else that comes in falls through to the implicit deny.
When configuring, you need 2 ACLs:
STEP 1 - OUTBOUND ACL: within the extended ACL, tag the traffic you want to track with "reflect":
(config)#ip access-list extended OUT_ACL
(config-ext-nacl)#permit tcp any any eq www reflect REFLECT_ACL
(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT_ACL
(config-ext-nacl)#permit tcp any any eq https reflect REFLECT_ACL

STEP 2 - INBOUND ACL: within the extended ACL, "evaluate" the reflected entries:
(config)#ip access-list extended IN_ACL
(config-ext-nacl)#permit ospf any any <-YOU HAVE TO ALLOW THESE MANUALLY BECAUSE PACKETS ORIGINATED BY THE ROUTER ITSELF ARE NOT REFLECTED
(config-ext-nacl)#permit tcp any any eq bgp
(config-ext-nacl)#permit tcp any eq bgp any
(config-ext-nacl)#evaluate REFLECT_ACL
*You should also consider permitting ICMP time-exceeded and port-unreachable packets inbound, or traceroute and pings from inside your network toward the outside stop giving answers
STEP 3: Then apply the first one outbound and the second one inbound on the same (outside) interface:
(config-subif)#ip access-group OUT_ACL out
(config-subif)#ip access-group IN_ACL in

After 5 minutes of inactivity the reflected entries expire. The global idle timer can be modified with "ip reflexive-list timeout X" (or per entry with the "timeout" keyword on the "reflect" line):
(config)#ip reflexive-list timeout 120 <-SECONDS A REFLECTED ENTRY SURVIVES WHEN NO PACKETS ARE DETECTED (default 300)
*Limitation: reflexive ACLs cannot follow protocols that negotiate secondary channels (active FTP, H.323); they only mirror the single session that went out. That is where CBAC or the Zone Based Firewall are needed.
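To see why the reflexive ACL is preferable to the ESTABLISHED keyword from the previous section, here is a small Python model of both checks. It is an added example, not code from the original guide and not something IOS runs: the packets, addresses and the 300-second timer are constructed for the example. The model mirrors a permitted outbound session into a reflected entry with addresses and ports swapped, refreshes the idle timer on every matching packet and expires it after the timeout, while the "established" check only looks at the ACK/RST flags.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple plus TCP flags; stands in for an IP packet on the wire."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()


def established_permits(pkt, allowed_sports):
    """'permit tcp any eq <port> host X established' is stateless: it passes any TCP
    segment whose source port is listed and whose ACK or RST bit is set."""
    return (pkt.proto == "tcp"
            and pkt.sport in allowed_sports
            and bool(pkt.flags & {"ACK", "RST"}))


class ReflexiveList:
    """Models 'reflect NAME' on the outbound ACL and 'evaluate NAME' on the inbound one."""

    def __init__(self, timeout=300):          # ip reflexive-list timeout (seconds)
        self.timeout = timeout
        self.entries = {}                       # reflected tuple -> last time a packet matched it

    def reflect(self, pkt, now):
        """Outbound packet permitted by a 'reflect' line: create the mirror-image entry."""
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now

    def evaluate(self, pkt, now):
        """Inbound packet hitting the 'evaluate' line: permit only an unexpired mirror entry."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last_seen = self.entries.get(key)
        if last_seen is None:
            return False
        if now - last_seen > self.timeout:      # idle timer expired: the entry is gone
            del self.entries[key]
            return False
        self.entries[key] = now                 # matching traffic refreshes the idle timer
        return True


def reflexive_demo():
    """Constructed scenario: inside host 10.1.12.10 opens HTTP to 203.0.113.5, then the real
    reply and a forged ACK from 198.51.100.9 arrive on the outside interface."""
    inside, server, attacker = "10.1.12.10", "203.0.113.5", "198.51.100.9"
    outbound = Packet("tcp", inside, 52000, server, 80, frozenset({"SYN"}))
    reply = Packet("tcp", server, 80, inside, 52000, frozenset({"SYN", "ACK"}))
    forged = Packet("tcp", attacker, 80, inside, 52000, frozenset({"ACK"}))

    reflexive = ReflexiveList(timeout=300)
    reflexive.reflect(outbound, now=0)          # the SYN left through OUT_ACL at t=0
    return {
        "established_reply": established_permits(reply, {23, 80}),        # True
        "established_forged": established_permits(forged, {23, 80}),      # True: the ACK bit is enough
        "reflexive_reply": reflexive.evaluate(reply, now=10),              # True: mirrors the SYN
        "reflexive_forged": reflexive.evaluate(forged, now=10),            # False: no such session
        "reflexive_after_idle": reflexive.evaluate(reply, now=10 + 301),   # False: idle timer expired
    }


if __name__ == "__main__":
    for check, permitted in reflexive_demo().items():
        print(f"{check:22} permitted={permitted}")
```

The forged segment is the whole point: "established" lets it through on the strength of one flag bit, the reflexive entry does not because the router never saw a matching session leave, and after 301 idle seconds even the legitimate server is locked out again until the inside host opens a new session.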
____________________________________________________________________________________________________________________
TCP INTERCEPT - To prevent TCP SYN DoS attacks
____________________________________________________________________________________________________________________
*there is another feature called CBAC (context based access control) which covers this and much more: CBAC inspects sessions for many protocols,
whereas TCP intercept handles only one type of DoS attack, the SYN flood (Securing the data plane, on Cisco docs)
When you want to LOG the SYN floods using the ACLs, adding "log-input" to an extended ACL entry records, besides the addresses, the inbound interface and the source MAC address of the
device that forwarded the packet into the segment:
(config-ext-nacl)# permit tcp any host 192.1.28.100 eq www syn log-input
(config-ext-nacl)# permit ip any any <-DON'T FORGET TO ADD THIS, OR THE IMPLICIT DENY KILLS ALL THE OTHER FLOWS
*Logging every SYN of a flood is itself a CPU hit; rate-limit the logging ("ip access-list log-update threshold", "logging rate-limit") or only enable it for a short diagnosis.

TCP INTERCEPT makes sure that the 3-WAY TCP Handshake is actually completed. It observes the SYN coming from the OUTSIDE towards the
inside Web Server (for example), the server replies with "SYN ACK", and that's where TCP INTERCEPT does its job, waiting for the CLIENT to
send the ACK and establish the TCP session. If the ACK is NOT received, the router TIMES OUT the embryonic session and sends a RESET to the
server. (In a TCP SYN attack thousands of half-open sessions are started with the server, exhausting its connection resources.) There are 2 modes of TCP
INTERCEPT:
INTERCEPT MODE (the default) - the router answers the client's SYN itself, proxying the handshake, and only opens the connection to the server once the client's ACK arrives, then splices the two halves together. The server never sees half-open connections, but the router pays for every SYN
WATCH MODE - the router only MONITORS the handshake, passing the packets through, and sends an RST to the server if the client's ACK does not arrive within the watch timeout (default 30 seconds)
(config)#ip tcp intercept list 101 <-EXTENDED ACL MATCHING (AS DESTINATION) THE SERVERS YOU'RE PROTECTING
(config)#ip tcp intercept watch-timeout 15 <-IF ACK NOT RECEIVED IN 15 SECONDS, SEND RST
(config)#ip tcp intercept mode watch
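The watch-mode logic above, as an added Python model (not code from the original guide, not IOS): the router records each SYN toward a protected server, removes the entry when the client's ACK shows up and, on every timer tick, resets whatever has been half-open longer than the watch timeout. The server address 192.1.28.100 comes from the page; the client 10.1.13.3, the spoofed 198.51.100.x sources and the timings are constructed for the example, and the protected-server set stands in for the ACL referenced by "ip tcp intercept list 101".

```python
from collections import OrderedDict


class TcpInterceptWatch:
    """Watch-mode model of 'ip tcp intercept mode watch': packets are forwarded untouched,
    every SYN toward a protected server starts a timer, and if the client's final ACK has
    not been seen within watch_timeout seconds an RST is sent to the server so the
    half-open connection is released."""

    def __init__(self, protected_servers, watch_timeout=30):   # IOS default watch-timeout: 30 s
        self.protected = set(protected_servers)                 # stands in for 'ip tcp intercept list 101'
        self.watch_timeout = watch_timeout
        self.half_open = OrderedDict()                           # (client, cport, server, sport) -> SYN time
        self.established = []
        self.resets_to_server = []

    def observe(self, pkt, now):
        """pkt is a constructed dict: src, sport, dst, dport, flags (set of flag names)."""
        if pkt["dst"] not in self.protected:
            return                                               # not a protected server: not tracked
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == {"SYN"}:                              # client SYN: start the watch timer
            self.half_open[key] = now
        elif "ACK" in pkt["flags"] and key in self.half_open:    # third packet of the handshake
            del self.half_open[key]
            self.established.append(key)

    def tick(self, now):
        """Expire watch timers; returns how many RSTs were sent to the server on this tick."""
        sent = 0
        for key, syn_time in list(self.half_open.items()):
            if now - syn_time >= self.watch_timeout:
                del self.half_open[key]
                self.resets_to_server.append(key)
                sent += 1
        return sent


def syn_flood_demo(spoofed_syns=500, watch_timeout=15):
    """Constructed scenario: one legitimate client completes its handshake to the web server
    192.1.28.100 while spoofed sources send SYNs that are never followed by an ACK."""
    server = "192.1.28.100"
    watch = TcpInterceptWatch([server], watch_timeout=watch_timeout)

    legit = {"src": "10.1.13.3", "sport": 40000, "dst": server, "dport": 80}
    watch.observe(dict(legit, flags={"SYN"}), now=0)
    watch.observe(dict(legit, flags={"ACK"}), now=1)             # handshake completes normally

    for i in range(spoofed_syns):                                # spoofed sources never answer
        spoof = {"src": f"198.51.100.{i % 250 + 1}", "sport": 1024 + i, "dst": server, "dport": 80}
        watch.observe(dict(spoof, flags={"SYN"}), now=2)

    resets_early = watch.tick(now=2 + watch_timeout - 1)        # timers not yet expired: nothing sent
    resets_due = watch.tick(now=2 + watch_timeout)              # every spoofed session is reset
    return {
        "established": len(watch.established),
        "resets_early": resets_early,
        "resets_due": resets_due,
        "half_open_left": len(watch.half_open),
    }


if __name__ == "__main__":
    print(syn_flood_demo())
```

Note what watch mode does not do: the server still holds the 500 half-open sockets for the full 15 seconds before the RSTs arrive, which is why the watch timeout is tuned down under attack, and why intercept mode (the router proxies the handshake) is chosen when the server cannot tolerate the half-open load at all.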



____________________________________________________________________________________________________________________
CBAC - Context Based Access Control Firewall
____________________________________________________________________________________________________________________
Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.html
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport
layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol
information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple
channels created as a result of negotiations in the control channel. Most of the multimedia protocols as well as some other protocols (such as
FTP, RPC, and SQL*Net) involve multiple channels.
CBAC creates TEMPORARY OPENINGS in ACLs at firewall interfaces. These openings are created when specified traffic exits your internal
network through the firewall. The openings ALLOW RETURNING TRAFFIC (that would normally be blocked) and additional data channels to
enter your internal network back through the firewall.
You can also configure CBAC to specifically inspect certain application-layer protocols. The following application-layer protocols can all be
configured for CBAC:
CU-SeeMe (only the White Pine version)
FTP
H.323 (such as NetMeeting, ProShare)
HTTP (Java blocking)
Microsoft NetShow
UNIX R-commands (such as rlogin, rexec, and rsh)
RealAudio
RTSP (Real Time Streaming Protocol)
RPC (Sun RPC, not DCE RPC)
SMTP (Simple Mail Transport Protocol)

The basic (GENERIC) CBAC is quite simple to configure. Define the INSPECTION RULES, and apply them on the interface:
(config)#ip inspect name INP_POL1 tcp
(config)#ip inspect name INP_POL1 udp
(config)#ip inspect name INP_POL1 icmp

APPLY the Inspection Rules to the interface, towards the OUTSIDE network:
(config-if)#ip inspect INP_POL1 out

To allow the initiated traffic BACK IN, apply an inbound ACL on the outside interface that permits only what must always get through (routing protocol, ICMP...). CBAC inserts its temporary openings for the return traffic ahead of this ACL, and the implicit deny at the end blocks everything else:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any
(config-if)#ip access-group 100 in

Check the established sessions:
#sh ip inspect sessions
Established Sessions
Session AEA5F2E0 (10.1.13.3:52287)=>(10.1.12.2:23) tcp SIS_OPEN

CBAC can be configured to inspect various traffic types. These are the global CBAC parameters that can be tuned:
(config)#ip inspect ?
WAAS Firewall and Cisco WAE interoperability configuration
alert-off Disable alert
audit-trail Enable the logging of session information (addresses and
bytes)
dns-timeout Specify timeout for DNS
hashtable-size Specify size of hashtable
log Inspect packet logging
max-incomplete Specify maximum number of incomplete connections before
clamping
name Specify an inspection rule
one-minute Specify one-minute-sample watermarks for clamping
tcp Config timeout values for tcp connections
udp Config timeout values for udp flows
<cr>

Also some specific HTTP types of traffic can be inspected, such as JAVA:
(config)#ip inspect name FW_INSPECT http ?
alert Turn on/off alert
audit-trail Turn on/off audit trail
java-list Specify a standard access-list to apply the Java blocking. If
specified, MUST appear directly after option "http"
timeout Specify the inactivity timeout time
urlfilter Specify URL filtering for HTTP traffic
<cr>

____________________________________________________________________________________________________________________
PAM - Port to Application Mapping
____________________________________________________________________________________________________________________
Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.html
PAM is a way to MAP a PORT (or a group of ports) to the already defined, or a new application. For example http is already mapped to port
TCP 80, but we can also add 8000 and 8080 to HTTP:
(config)#ip port-map http port tcp 8080
(config)#ip port-map http port tcp 8000

Check if it "worked"
#sh ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Default mapping: http tcp port 8080 user defined

Now if you want to inspect the NEW http, define the INSPECT operation and apply it just like in CBAC:
(config)#ip inspect name INS_WEB http
(config-if)#ip inspect INS_WEB out

____________________________________________________________________________________________________________________
uRPF - Unicast Reverse Path Forwarding
____________________________________________________________________________________________________________________
Designed to mitigate DoS attacks based on SPOOFING (forging the IP source). When you see IP SPOOFING in a task, it's a "trigger" to use uRPF (it requires CEF to be enabled)
Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book.html
The Unicast RPF feature helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses
into a network by discarding IP packets that lack a verifiable IP source address. Configure it on the receiving interface: the router looks the packet's SOURCE address up in the FIB and checks whether the best path back to that source leaves through the interface the packet arrived on:
(config-subif)#ip verify unicast source reachable-via ?
any Source is reachable via any interface <-LOOSE MODE: ANY ROUTE TO THE SOURCE IS ENOUGH
rx Source is reachable via interface on which packet was received <-STRICT MODE: EXACT INTERFACE

#sh ip int s1/0.21 | b verify
IP verify source reachable-via RX
0 verification drops
0 suppressed verification drops
0 verification drop-rate

If the check fails, i.e. this is NOT the interface the router would use to reach the source of the incoming packet, the packet is DROPPED. Caveats: strict mode breaks legitimate traffic wherever routing is asymmetric (typical on multihomed edges), so use loose mode there and strict mode on single-homed customer or LAN interfaces; and by default the lookup ignores the default route, so an interface whose only return route is 0.0.0.0/0 drops everything unless you add the "allow-default" keyword. An optional ACL at the end of the command lets you exempt (or just log) specific sources that fail the check.
The classic alternative is an anti-spoofing ACL on the PROVIDER-facing interface that DENIES incoming packets with your own LAN prefixes as the source.
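The strict/loose/allow-default behaviour is easy to get wrong in a lab, so here is an added Python model of the lookup (not code from the guide or from IOS). The forwarding table, the interface names Gi0/1, Gi0/2 and S1/0.21 and the packet sources are constructed for the example; the lookup is a longest-prefix match over a small FIB, which is what CEF does with the source address when uRPF is enabled on an interface.

```python
import ipaddress


class Fib:
    """Constructed forwarding table: prefix -> set of outgoing interfaces (ECMP aware).
    Longest-prefix match, the same lookup uRPF performs on the SOURCE address."""

    def __init__(self, routes):                    # routes: list of (prefix, interface)
        self.routes = {}
        for prefix, iface in routes:
            self.routes.setdefault(ipaddress.ip_network(prefix), set()).add(iface)

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, ifaces in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        return best                                 # (network, interfaces) or None


def urpf_permits(fib, src, in_iface, mode="rx", allow_default=False):
    """mode 'rx' = strict ('reachable-via rx'), mode 'any' = loose ('reachable-via any').
    Without allow_default the 0.0.0.0/0 route does not count as a verifiable path."""
    match = fib.lookup(src)
    if match is None:
        return False                                # no route to the source at all: drop
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                                # only the default route covers it: not verifiable
    if mode == "any":
        return True                                 # loose: any route to the source suffices
    return in_iface in ifaces                       # strict: best path must point back out the ingress


def urpf_demo():
    """Constructed edge router: LAN 10.0.0.0/8 behind Gi0/1 (with 10.2.0.0/16 behind Gi0/2),
    default route toward the ISP on S1/0.21."""
    fib = Fib([("0.0.0.0/0", "S1/0.21"), ("10.0.0.0/8", "Gi0/1"), ("10.2.0.0/16", "Gi0/2")])
    return {
        # spoofed packet claiming a LAN source but arriving from the ISP: strict mode drops it
        "spoofed_lan_src_strict": urpf_permits(fib, "10.1.1.1", "S1/0.21", "rx"),
        # loose mode only asks "is there a route?", so it lets the same spoof through
        "spoofed_lan_src_loose": urpf_permits(fib, "10.1.1.1", "S1/0.21", "any"),
        # legitimate internet source on the ISP link, but only the default route covers it
        "internet_src_strict_no_default": urpf_permits(fib, "203.0.113.7", "S1/0.21", "rx"),
        "internet_src_strict_allow_default": urpf_permits(fib, "203.0.113.7", "S1/0.21", "rx", True),
        # LAN host: the longest match (10.2/16 via Gi0/2) decides, not the covering 10/8
        "lan_host_right_port": urpf_permits(fib, "10.2.5.5", "Gi0/2", "rx"),
        "lan_host_wrong_port": urpf_permits(fib, "10.2.5.5", "Gi0/1", "rx"),
    }


if __name__ == "__main__":
    for case, permitted in urpf_demo().items():
        print(f"{case:36} {'permit' if permitted else 'drop'}")
```

The two results worth remembering are the "internet_src_strict_no_default" drop, which is the usual surprise when strict uRPF is enabled on a link that only has a default route behind it, and the loose-mode pass of the spoofed LAN source, which shows that loose mode protects against unrouted (bogon) sources only and is no substitute for an anti-spoofing ACL on the provider side.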
____________________________________________________________________________________________________________________
Zone Based Firewall
____________________________________________________________________________________________________________________
Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html
To configure the Zone Based FW, the approach is similar to the MQC method used in the QoS configuration, only the class-maps and policy-maps are of "type inspect". Rules to remember before touching it: traffic between interfaces in the SAME zone is allowed by default; traffic between a zone member and an interface that is in NO zone is dropped; traffic between two different zones is dropped unless a zone-pair with a policy exists in that direction; traffic to and from the router itself (the "self" zone) is permitted unless you build a zone-pair involving self. Have in mind that the ZBFW is applied before any other policy maps on the router or the interface, but this depends on the IOS version, so best practice is to do ALL the filtering in the ZBFW.
STEP 1: Create a class map of INSPECT TYPE and match the traffic you want to inspect (here HTTP). You can match much more than in a regular class map (protocols, ACLs, nested inspect class-maps...):
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http <-FOR URL/URI MATCHING INSIDE HTTP YOU NEED A LAYER 7 CLASS MAP ("class-map type inspect http")

STEP 2: Create an inspect type POLICY-MAP that INSPECTS the defined CLASS-MAP and DROPS everything else:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#inspect ?
WORD Parameter-map (inspect) name <-A PARAMETER MAP CAN BE DEFINED TO TUNE THE INSPECTION
<cr>
(config-pmap-c)#inspect
(config-pmap)#class class-default
(config-pmap-c)#drop <-DROP IS THE DEFAULT FOR class-default ANYWAY; ADD "log" TO SEE WHAT GETS DROPPED

STEP 3: Define the SECURITY ZONES you need and assign the interfaces to them (an interface can belong to one zone only):
(config)#zone security DMZ
(config)#zone security OUTSIDE
(config)#interface <DMZ interface>
(config-if)#zone-member security DMZ
(config)#interface <outside interface>
(config-if)#zone-member security OUTSIDE

STEP 4: Set the POLICY for each ZONE PAIR. How traffic moves between zones is defined by the "zone-pair" command. A zone-pair is unidirectional, so define one for every direction in which NEW sessions must be allowed (the return traffic of inspected sessions is permitted automatically, you don't need a reverse pair just for the replies):
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY

#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
Zone-pair: OUT-to-DMZ
Service-policy inspect : OUTSIDE_POLICY
Class-map: INSIDE (match-any)
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

A PARAMETER MAP can be created to tune the inspection: drop logging, alerts, max and min session numbers, timeouts and much more. It is then referenced on the "inspect" action in the policy-map. For example:
(config)#parameter-map type inspect eng-network-profile
(config-profile)#tcp synwait-time 3 <-SECONDS TO WAIT FOR A TCP SESSION TO REACH ESTABLISHED BEFORE THE HALF-OPEN SESSION IS DROPPED
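The zone rules listed at the start of this section are easiest to internalize by running them. The following Python model is an added example (not from the original guide, not IOS code) of the decision the ZBFW makes for a NEW flow. The interface names S1/0 and Fa0/1 to Fa0/3 and the flows are constructed for the example, the policy mirrors the OUT-to-DMZ configuration above, and the model covers only which action applies to the first packet, not the session table that lets the return traffic of inspected sessions through.

```python
class ZoneBasedFirewall:
    """Zone-pair lookup performed before any inspect policy runs."""

    def __init__(self):
        self.zone_of = {}       # interface -> security zone
        self.zone_pairs = {}    # (source zone, destination zone) -> policy: list of (matcher, action)

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, policy):
        self.zone_pairs[(src_zone, dst_zone)] = policy

    def decide(self, in_iface, out_iface, flow):
        """Action for a NEW flow entering on in_iface and routed out of out_iface."""
        src_zone = self.zone_of.get(in_iface)
        dst_zone = self.zone_of.get(out_iface)
        if src_zone is None and dst_zone is None:
            return "pass"                         # neither interface zoned: plain routing
        if src_zone is None or dst_zone is None:
            return "drop"                         # zoned <-> unzoned: always dropped
        if src_zone == dst_zone:
            return "pass"                         # intra-zone traffic is allowed by default
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                         # no zone-pair in this direction: default deny
        for matches, action in policy:            # first matching class wins, like MQC
            if matches(flow):
                return action
        return "drop"                             # class-default drops


def build_demo_firewall():
    """Constructed equivalent of the steps above: OUTSIDE -> DMZ inspects http, everything
    else in that zone-pair falls into class-default and is dropped."""
    fw = ZoneBasedFirewall()
    fw.zone_member("S1/0", "OUTSIDE")
    fw.zone_member("Fa0/1", "DMZ")
    fw.zone_member("Fa0/2", "DMZ")
    # Fa0/3 deliberately left in no zone (a management interface somebody forgot)
    outside_policy = [
        (lambda flow: flow["protocol"] == "http", "inspect"),   # class-map type inspect OUTSIDE
    ]
    fw.zone_pair("OUTSIDE", "DMZ", outside_policy)
    return fw


def zbfw_demo():
    fw = build_demo_firewall()
    http = {"protocol": "http"}
    ssh = {"protocol": "ssh"}
    return {
        "outside_to_dmz_http": fw.decide("S1/0", "Fa0/1", http),   # inspect
        "outside_to_dmz_ssh": fw.decide("S1/0", "Fa0/1", ssh),     # drop: class-default
        "dmz_to_outside_http": fw.decide("Fa0/1", "S1/0", http),   # drop: no DMZ->OUTSIDE zone-pair
        "dmz_to_dmz_ssh": fw.decide("Fa0/1", "Fa0/2", ssh),        # pass: same zone
        "dmz_to_unzoned": fw.decide("Fa0/1", "Fa0/3", http),       # drop: Fa0/3 is in no zone
    }


if __name__ == "__main__":
    for case, action in zbfw_demo().items():
        print(f"{case:22} {action}")
```

Two of the results are the ones that bite in practice: DMZ hosts cannot open anything toward the outside until a DMZ-to-OUTSIDE zone-pair exists (the inspected return traffic is fine, new sessions are not), and the forgotten unzoned Fa0/3 is unreachable from every zone, which is a common way to lose management access right after enabling the ZBFW.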


____________________________________________________________________________________________________________________
CONTROL Plane Policy (CPPr)
____________________________________________________________________________________________________________________
QoS: Policing and Shaping Configuration Guide>Control Plane Policing
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_plcshp/configuration/12-4t/qos-plcshp-ctrl-pln-plc.html
CoPP and CPPr treat the RP (Route Processor) as a VIRTUAL INTERFACE attached to the router. A policy applied to the control plane as a whole is Control Plane Policing (CoPP); CPPr (Control Plane Protection) adds three control plane VIRTUAL SUB-INTERFACES, so you need to take care which EXACT path you apply the policy to:
1. Control-plane HOST - packets addressed to the router itself (management sessions, routing protocol peerings, SNMP...). Only on this path you can additionally use PORT-FILTERING, which drops packets to closed or explicitly listed TCP/UDP ports before they reach the CPU. Within a "class-map type port-filter" do, for example:
(config-cmap)#match port tcp 1996

Per-protocol QUEUE-THRESHOLD policing is also possible on the host path, so you can set separate QUEUE LIMITS for BGP, OSPF, HTTP, SNMP...
2. Control-plane TRANSIT - transit IP packets that have to be software switched (not handled by CEF)
3. Control-plane CEF-EXCEPTION - packets punted by CEF: NON-IP traffic, ARP, IP options, expired TTL, L2 keepalives and the like
When you are asked to limit the packets going to the router's CPU to protect it from flood attacks, this is the answer, and it's very simple actually:
define the Policy Map like in MQC for QoS and, instead of an interface,
APPLY IT DIRECTLY TO THE CONTROL PLANE
CBAC and Zone Based FW are DATA Plane policies; this is a Control Plane Policy. It uses the same MQC commands as QoS shaping and policing, so you can POLICE the control traffic the same way.
You can use STANDARD CLASS-MAPS like in MQC to match PROTOCOL or ACLs (access-group), but you can also use, for example, the LOGGING
TYPE CLASS-MAPS:
(config)#class-map type logging match-any LOGGING
(config-cmap)#match packets ?
dropped Packets dropped by control-plane protection features <-IN ORDER TO VIEW THE CONTROL PLANE
error Error packets dropped by control-plane protection features
permitted Packets permitted by control-plane protection features

You can also MATCH the CLOSED PORTS within a port-filter class-map, or match FRAGMENTED packets within the ACL. Within the POLICY-MAP,
the actions are to POLICE based on the number of PACKETS PER SECOND with an allowed BURST of packets, or based on bandwidth, or simply to PASS or DROP the
traffic of the matched Class-Map (always leave a class for the traffic you rely on, e.g. your routing protocol peers, unpoliced or generously policed):
(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop
OR
(config-pmap-c)#police rate 100 pps burst 20 packets

The trick is to APPLY the Policy Map to the CONTROL PLANE:
(config)#control-plane
(config-cp)#service-policy input POLICE_50KBPS
*Jan 3 16:34:23.467: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane cef-exception
path

Don't forget to check if your changes have been applied:
#sh control-plane features
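The packet-rate policer used above is a token bucket, and its interaction with the burst value decides how much of a flood still reaches the CPU. This Python model is an added example (not from the guide, not IOS): a single-rate bucket for "police rate <pps> pps burst <n> packets", with a stand-in classifier for the class-maps, fed a constructed ping flood of one packet per millisecond for one second. Time is kept in integer milliseconds and tokens in thousandths of a packet so the result is exact.

```python
class PacketPolicer:
    """Single token bucket for 'police rate <pps> pps burst <n> packets', the CoPP form that
    counts packets rather than bytes. Tokens are thousandths of a packet, time is in ms."""

    def __init__(self, rate_pps, burst_packets):
        self.rate_pps = rate_pps
        self.bucket_max = burst_packets * 1000
        self.tokens = self.bucket_max           # bucket starts full: an initial burst is allowed
        self.last_ms = 0
        self.conformed = 0
        self.exceeded = 0

    def offer(self, now_ms):
        """Offer one packet at time now_ms; returns the action taken."""
        refill = (now_ms - self.last_ms) * self.rate_pps      # rate_pps/1000 packets per ms, scaled by 1000
        self.tokens = min(self.bucket_max, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            self.conformed += 1
            return "transmit"                                 # conform-action transmit
        self.exceeded += 1
        return "drop"                                         # exceed-action drop


def classify(pkt):
    """Stand-in for the CoPP class-maps: ICMP to the router goes to the policed class, BGP to a
    class that is left unpoliced, everything else to class-default."""
    if pkt["proto"] == "icmp":
        return "ICMP_TO_ROUTER"
    if pkt["proto"] == "tcp" and 179 in (pkt["sport"], pkt["dport"]):
        return "BGP"
    return "class-default"


def flood_demo(rate_pps=100, burst=20, flood_packets=1000):
    """Constructed traffic: a ping flood of one packet per millisecond aimed at the router,
    with one BGP keepalive arriving in the middle of it. Only the ICMP class is policed."""
    policer = PacketPolicer(rate_pps, burst)
    counts = {"ICMP_TO_ROUTER": {"transmit": 0, "drop": 0}, "BGP": {"transmit": 0, "drop": 0}}
    for ms in range(flood_packets):
        cls = classify({"proto": "icmp", "sport": 0, "dport": 0})
        counts[cls][policer.offer(ms)] += 1
        if ms == 500:                                         # keepalive from the BGP neighbour
            cls = classify({"proto": "tcp", "sport": 179, "dport": 45000})
            counts[cls]["transmit"] += 1                      # no policer attached to this class
    return counts


if __name__ == "__main__":
    print(flood_demo())
```

With "rate 100 pps burst 20" the flood of 1000 packets in one second delivers 119 to the CPU (the 20-packet burst plus roughly the 100 pps refill) and drops 881, while the BGP keepalive is untouched because it lands in its own class. Size the burst for the legitimate peaks of the class (a routing protocol reconvergence, a large SNMP walk), not for the attack.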


____________________________________________________________________________________________________________________
IOS IPS (Intrusion Prevention System)
____________________________________________________________________________________________________________________
Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Cisco IOS Intrusion Prevention System
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.html
IPS is watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures.
When packets in a session match a signature, Cisco IOS IPS can take any of the actions:
- Send an alarm to a syslog server or a centralized management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time
SDEE is application-level communication protocol, used to exchange IPS messages between IPS clients and IPS servers.
If you want to configure transparent Cisco IOS IPS, you must configure bridge group before loading IPS onto a device:
(config)#bridge 1 protocol [dec | ibm | ieee | vlan-bridge]
*1 IS A BRIDGE-GROUP NUMBER

Then apply the defined bridge group 1 to the interface you want:
(config-if)#bridge-group 1

First you need to specify the location in which the router loads the SDF (Signature Definition File), because in the IOS there are NO DEFAULT
SIGNATURES:
(config)# ip ips sdf location disk2:attack-drop.sdf

If you're configuring the IP IPS on a new router, first CREATE the IPS, name it, and define it, in this case to send the events as SYSLOG
messages:
(config)#ip ips name MYIPS
(config)#ip ips notify log
*Be sure to have a SYSLOG SERVER defined:
(config)#logging 10.187.145.12
(config)#logging on

Specify where the IPS configuration will be stored:
(config)#ip ips config location flash:MYIPS

Apply the configured IPS to the interface:
(config-if)#ip ips MYIPS out
*THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES. To check the signatures:
#sh ip ips signatures
Cisco SDF release version S0.0
Trend SDF release version V0.0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
...

Signature packages are signed by Cisco. Before the router will load one you need to import Cisco's public key, which is distributed as a .txt file on cisco.com; copy it to your flash and display it:
#more flash:downloaded_key.txt <-COPY THE CONTENT TO LATER PASTE INTO THE KEY

Now create the key:
(config)#crypto key pubkey-chain rsa
(config-pubkey-chain)#named-key DOWNLOADED_KEY signature
(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

(config-pubkey)#(ENTER THE COPIED CONTENT HERE, and type "quit")
____________________________________________________________________________________________________________________
AAA Authentication
____________________________________________________________________________________________________________________
Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn.html
Old Model - local authentication and authorization based on username settings
New model - supports LOCAL and REMOTE authentication and authorization
ALWAYS save the config BEFORE changing the authentication, to be able to reload and log into the device if you lock yourself out (better still: keep a second session open and test the new login from a third one before closing either). Best practice would be to configure
the primary authentication using TACACS+ and the secondary using the LOCAL DB:
(config)#aaa authentication login default group tacacs+ local
*This command is read like this: for Login Authentication, by default go to TACACS+ first; ONLY if no server in the group answers, fall back to local. A reject from the TACACS+ server is final and the local database is not consulted, so a local-only account never works while the server is reachable.
AUTHORIZATION for individual commands cannot be done against the local database, only with TACACS+ (RADIUS doesn't support command authorization). A coarser version can be done locally using the PRIVILEGE levels, or with parser views (role-based CLI).
Cisco PRIVILEGE LEVELS:
0 - only disable, enable, exit, help and logout
1 - user mode access (>)
15 - privilege (enable) mode access (#)
2-14 are USER DEFINED

To change a privilege and the allowed commands for a certain privilege mode use the "privilege" command, in this case for privilege mode 0:
(config)#privilege exec level 0 show run interface fa0/0 - UNDER THE PRIVILEGE MODE
(config)#privilege interface level 0 ip address - INTERFACE CONFIGURATION MODE

If you want to DENY users to do some commands, just increase the privilege level of that command, so for example - set TELNET at privilege 2
so that users with privilege level 0 or 1 cannot telnet:
(config)#privilege exec level 2 telnet
*in case of TELNET you might also want to disable the device behavior where you type the IP and it simply telnets to that IP automatically:
(config-line)#transport preferred none - DEFAULT IS TELNET

To test a level do "enable X" (plain "enable" means "enable 15")
This is pretty straightforward, because on the CCIE R&S exam you won't have to configure an actual ACS server. For starters be sure that "aaa
new-model" is configured.
Turn the TACACS+ authentication ON, and set the LOCAL DB (and after it the enable secret) as backup:
(config)#aaa authentication login MYTACACS group tacacs+ local enable
*MYTACACS is a named method list (authentication policy). If you put "default" instead of a name, there is no need to assign the list to the VTY lines
later; it applies to every line without a named list, wherever you authenticate from. In that case you need to ALSO define a separate list (e.g. one using only "local") and apply it where you DON'T want TACACS, like the AUX and CONSOLE ports, so that a TACACS outage can never lock you out of the console.
Define the TACACS+ as a server, and set the Shared Secret:
(config)#tacacs-server host 10.1.1.10 key cisco

Define the source interface from which you will authenticate:
(config)#ip tacacs source-interface Loopback0

Apply the authentication settings to the VTY line:
(config-line)#login authentication MYTACACS

Test the access via TACACS:
#test aaa group tacacs+ USERNAME PASSWORD legacy
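The fallback rule stated twice in this section (the next method is tried only when the current one cannot answer, never when it rejects) is worth seeing in code. The Python below is an added example, not code from the guide or from IOS, and models the method list "group tacacs+ local enable" with constructed user databases (TACACS+ knows "mat", the local database knows "cisqueros", the enable secret is "EnableMe"). The only IOS nuance it does not model is how the "local" method treats a username that does not exist locally.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"        # credentials accepted
    FAIL = "fail"        # the server or database answered and rejected them
    ERROR = "error"      # the method could not answer (server unreachable, no key configured...)


def tacacs_method(server_reachable, users):
    """Stand-in for 'group tacacs+': errors when no server answers, otherwise accept/reject."""
    def authenticate(username, password):
        if not server_reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(username) == password else Outcome.FAIL
    return authenticate


def local_method(users):
    """Stand-in for 'local': the username database on the box always answers."""
    def authenticate(username, password):
        return Outcome.PASS if users.get(username) == password else Outcome.FAIL
    return authenticate


def enable_method(enable_secret):
    """Stand-in for 'enable': the username is ignored, only the enable secret is checked."""
    def authenticate(username, password):
        return Outcome.PASS if password == enable_secret else Outcome.FAIL
    return authenticate


def run_method_list(methods, username, password):
    """IOS method-list semantics: methods are tried in order and the next one is consulted ONLY
    when the current one returns ERROR. A FAIL ends the list immediately; if every method errors
    the login is refused (unless 'none' is the last method, which is not modelled here)."""
    for name, method in methods:
        outcome = method(username, password)
        if outcome is Outcome.ERROR:
            continue
        return outcome is Outcome.PASS, name
    return False, "no method could answer"


def aaa_demo():
    """Constructed databases and the MYTACACS list from the section above."""
    tacacs_users = {"mat": "Tacacs07"}
    local_users = {"cisqueros": "Cisco07"}

    def method_list(server_reachable):      # aaa authentication login MYTACACS group tacacs+ local enable
        return [("tacacs+", tacacs_method(server_reachable, tacacs_users)),
                ("local", local_method(local_users)),
                ("enable", enable_method("EnableMe"))]

    return {
        "server_up_tacacs_user": run_method_list(method_list(True), "mat", "Tacacs07"),
        "server_up_wrong_password": run_method_list(method_list(True), "mat", "guess"),
        # local account while the server is reachable: TACACS+ rejects, the list stops, no fallback
        "server_up_local_user": run_method_list(method_list(True), "cisqueros", "Cisco07"),
        # server down: TACACS+ errors, the local database is consulted and accepts
        "server_down_local_user": run_method_list(method_list(False), "cisqueros", "Cisco07"),
    }


if __name__ == "__main__":
    for case, (accepted, decided_by) in aaa_demo().items():
        print(f"{case:26} accepted={accepted!s:5} decided by {decided_by}")
```

The "server_up_local_user" case is the one that surprises people: the local backup account is useless for as long as the TACACS+ server is up and rejecting, which is exactly why the console should get a method list that does not start with the server.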


MPLS


RIB: show ip route
FIB: show ip cef
LIB: show mpls ldp bindings
LFIB (the MOST important one, built from all the others): show mpls forwarding-table
____________________________________________________________________________________________________________________
MPLS Configuration
____________________________________________________________________________________________________________________
This post assumes that you already know how the protocol works. If you don't, go read that first; what are you waiting for, don't you
know how important MPLS is? MPLS (LDP) Neighbor Discovery uses Hello messages sent to 224.0.0.2 on UDP port 646.
LSR - Label Switching Router
LDP - Label Distribution Protocol
To configure MPLS you first need to enable it globally on the router and on all the relevant interfaces. You also have to define the actual
PROTOCOL for LABEL DISTRIBUTION (LDP, or TDP, which was the DEFAULT on IOS versions prior to 12.4 but is no longer in use):
(config)#mpls ip
(config)#mpls label protocol ldp <-ALL THE INTERFACES WILL INHERIT IT
(config)#int fa0/1
(config-if)#mpls ip <-TURN IT ON ON THE INTERFACE
You will get this message: *Dec 17 18:11:50.430: %LDP-5-NBRCHG: LDP Neighbor 11.1.1.1:0 (1) is UP
As the ALTERNATIVE you can use the Auto configuration, so under the ROUTING PROTOCOL (OSPF in this example):
(config)#router ospf 1
(config-router)#mpls ldp autoconfig area 0

*if you need to specifically disable LDP autoconfig on some interface, do it under that interface:
(config-if)#no mpls ldp igp autoconfig

As in most other protocols, an LDP Router-ID needs to be assigned. The "mpls ldp router-id" command allows you to establish the IP address of an
interface as the LDP router ID (L-ID), in this example the Loopback 0 IP. Be sure that all the routers have reachability to each other's L-ID:
(config)#mpls ldp router-id lo0 [force]
When you issue the mpls ldp router-id command without the force keyword, the router selects the IP address of the specified interface
(provided that the interface is operational) the next time it is necessary to select an LDP router ID, which is typically the next time the interface
is shut down or the address is configured.
IMPORTANT: the VPNv4 peering address MUST be a /32, so make sure you're learning the Lo0 with the /32 mask; set it:
(config-if)#ip address 150.1.5.5 255.255.255.255

If, however, you wish to use the PHYSICAL INTERFACE address (instead of the Router-ID) as the LDP transport address:
(config-if)#mpls ldp discovery transport-address interface

#sh mpls interfaces
Interface          IP         Tunnel  BGP  Static  Operational
FastEthernet0/1    Yes (ldp)  No      No   No      Yes
Serial0/1/0.34     Yes (ldp)  No      No   No      Yes
Serial0/1/0.35     Yes (ldp)  No      No   No      Yes

#sh mpls ldp neighbor | i Peer
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0


When you want to see the other LDP PARAMETERS (useful if you're looking for what can be optimized):
#sh mpls ldp param
Protocol version: 1
Session hold time: 90 sec; keep alive interval: 30 sec
Discovery hello: holdtime: 45 sec; interval: 15 sec
Discovery targeted hello: holdtime: 90 sec; interval: 10 sec
Downstream on Demand max hop count: 255
Downstream on Demand Path Vector Limit: 255
LDP for targeted sessions
LDP initial/maximum backoff: 15/120 sec
LDP loop detection: off

DISCOVERY process in MPLS. There are 2 types of discovery:
1. BASIC Discovery - for DIRECTLY CONNECTED LDP LSRs; the Hellos are sent out of ALL interfaces on which LDP is enabled.
2. EXTENDED Discovery - for NON DIRECTLY CONNECTED LDP LSRs; the LSR sends TARGETED Hellos to a SPECIFIC IP.
Authentication between two LDP neighbors can be configured PER-NEIGHBOR (as below) or GLOBALLY:
(config)#mpls ldp neighbor 11.1.1.1 password cisco

To FILTER exactly which IPs you're generating labels for, define the ACL and apply it in global config mode:
(config)#access-list 41 permit 150.1.0.0 0.0.255.255
(config)#no mpls ldp advertise-labels <-FIRST DISABLE FOR ALL
(config)#mpls ldp advertise-labels for 41 ?
to Access-list specifying controls on LDP peers <-OPTIONAL, TO CONTROL WHERE YOURE SENDING WHICH LABELS
<cr>

____________________________________________________________________________________________________________________
MPLS LFIB and Labels (Label Spacing)
____________________________________________________________________________________________________________________
Maybe the MOST important thing in LDP, and in overall MPLS LABEL CONTROL, is understanding all the TABLES and how they are formed.
FIB (FORWARDING Information Base) - the CEF table, built from the RIB (Routing Information Base):
#show ip cef
LIB - LABEL INFORMATION BASE
#sh mpls ldp bindings 177.7.7.0 24
  lib entry: 177.7.7.0/24, rev 35
        local binding:  label: 113
        remote binding: lsr: 2.2.2.2:0, label: 213

LFIB - LABEL FORWARDING INFORMATION BASE
#show mpls forwarding-table

IN THE CCIE LAB, FIRST CHECK IF THE LABEL RANGE IS CHANGED, BECAUSE ROUTERS NEED TO BE RELOADED!!! The LABEL SPACE is platform-dependent,
and LABEL planning is done in the DESIGN phase of the project. You can SET the RANGE of labels you want to be used on that
router:
(config)#mpls label range 100 199
% Label range changes will take effect at the next reload.

#sh mpls label range
Downstream Generic label region: Min/Max label: 17/199
[Configured range for next reload: Min/Max label: 100/199]

#sh mpls ldp bin local
  tib entry: 1.1.1.0/24, rev 14
        local binding:  tag: 103
  tib entry: 2.2.2.0/24, rev 16
        local binding:  tag: 104
  tib entry: 3.3.3.0/24, rev 18
        local binding:  tag: 105
LFIB is the MOST IMPORTANT table in the MPLS Architecture. You can literally follow exactly what's happening on the router regarding the
MPLS Labels and the IPs:
#sh mpls forwarding-table
Local  Outgoing     Prefix            Bytes Label  Outgoing    Next Hop
Label  Label or VC  or Tunnel Id      Switched     interface
17     Untagged     7.7.7.0/24        0            Se0/1/0.35  point2point
18     18           6.6.6.6/32        0            Se0/1/0.35  point2point
27     28           1.1.1.0/24        0            Fa0/1       10.1.23.2
28     Pop Label    2.2.2.0/24        0            Fa0/1       10.1.23.2
29     Pop Label    4.4.4.0/24        0            Se0/1/0.34  point2point
30     Pop Label    5.5.5.0/24        0            Se0/1/0.35  point2point
32     Pop Label    10.1.12.0/24      0            Fa0/1       10.1.23.2
33     Pop Label    10.1.45.0/24      0            Se0/1/0.34  point2point
       Pop Label    10.1.45.0/24      0            Se0/1/0.35  point2point
34     Pop Label    10.1.56.0/24      0            Se0/1/0.35  point2point
35     34           10.1.67.0/24      0            Se0/1/0.35  point2point
36     38           11.1.1.0/24       0            Fa0/1       10.1.23.2
37     Pop Label    55.5.5.0/24       0            Se0/1/0.35  point2point

"Untagged" as Outgoing Label - remove ALL the labels and forward as IP traffic
"Pop Label" as Outgoing Label - remove the TOP label, and forward the packet out of the defined interface
NOTHING in the Local Label column - the row belongs to the Local Label on the line above; this means that label is being Load Balanced over several Outgoing Labels/interfaces
Numerical Value - SWAP the Local Label with the Outgoing Label
IMPORTANT: FIB (ip cef) and LFIB information MUST be IN ACCORDANCE!!!
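As an added example (not from the guide), the following Python parses a subset of the LFIB rows above and applies each entry's action to a constructed label stack, so the four Outgoing Label cases in the legend can be checked against what the LSR actually does with the packet:

```python
import re
from collections import defaultdict

# Rows copied from the 'show mpls forwarding-table' output above; the row
# with an empty Local Label column is the load-balanced path for label 33.
LFIB_TEXT = """\
17     Untagged   7.7.7.0/24      0  Se0/1/0.35  point2point
18     18         6.6.6.6/32      0  Se0/1/0.35  point2point
27     28         1.1.1.0/24      0  Fa0/1       10.1.23.2
28     Pop Label  2.2.2.0/24      0  Fa0/1       10.1.23.2
33     Pop Label  10.1.45.0/24    0  Se0/1/0.34  point2point
       Pop Label  10.1.45.0/24    0  Se0/1/0.35  point2point
35     34         10.1.67.0/24    0  Se0/1/0.35  point2point
"""

ENTRY_RE = re.compile(
    r"^(?P<local>\d+)?\s+(?P<out>Untagged|Pop Label|\d+)\s+(?P<prefix>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<iface>\S+)\s+(?P<nh>\S+)\s*$"
)


def parse_lfib(text):
    """Return {local_label: [entry, ...]}. A row with an empty Local Label
    column is an additional (load-balanced) path for the label on the row above."""
    lfib = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        if m.group("local") is not None:
            current = int(m.group("local"))
        elif current is None:
            raise ValueError("continuation row before any Local Label: %r" % line)
        lfib[current].append({"out": m.group("out"), "prefix": m.group("prefix"),
                              "iface": m.group("iface"), "nh": m.group("nh")})
    return dict(lfib)


def forward(lfib, label_stack):
    """Apply the LFIB to a packet whose top label is label_stack[0].

    Returns (action, outgoing_label_stack, outgoing_interfaces):
      'untagged' - whole stack removed, packet forwarded as plain IP
      'pop'      - only the top label removed (PHP), rest of the stack kept
      'swap'     - top label replaced by the outgoing label
      'drop'     - no LFIB entry for this label
    """
    if not label_stack:
        raise ValueError("forward() needs a labelled packet")
    entries = lfib.get(label_stack[0], [])
    if not entries:
        return "drop", list(label_stack), []
    ifaces = [e["iface"] for e in entries]   # more than one entry == load balancing
    out = entries[0]["out"]
    if out == "Untagged":
        return "untagged", [], ifaces
    if out == "Pop Label":
        return "pop", list(label_stack[1:]), ifaces
    return "swap", [int(out)] + list(label_stack[1:]), ifaces


def load_balanced_labels(lfib):
    """Local labels that have more than one outgoing path."""
    return sorted(label for label, entries in lfib.items() if len(entries) > 1)


if __name__ == "__main__":
    table = parse_lfib(LFIB_TEXT)
    for stack in ([27, 50], [17, 50], [28, 50], [33], [99]):
        print(stack, "->", forward(table, stack))
    print("load-balanced local labels:", load_balanced_labels(table))
```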
EXPLICIT NULL should be configured for the DIRECTLY CONNECTED prefixes for which you want the previous (penultimate) router to replace the label with
the "EXPLICIT NULL" label instead of popping it. Otherwise the previous router performs PHP (Penultimate Hop Popping) by default, because Implicit Null is advertised by default for all
the directly connected subnets.
(config)#mpls ldp explicit-null

LDP Conditional Label Advertising
If you want to advertise or stop advertising some prefixes, there is a special command for that. First you need to define the ACL where you
PERMIT the prefixes you WANT and DENY the prefixes you DON'T WANT to advertise (ACL_FROM). Then you need ANOTHER ACL where you
define the peers these labels will be advertised to (ACL_TO):
(config)#mpls ldp advertise-labels for ACL_FROM to ACL_TO

If you need to HIDE the MPLS LABELS from the Customer, there is a command that STOPS the TTL propagation into the label header, so the
LSRs in the MPLS core no longer show up in the customer's traceroute:
(config)#no mpls ip propagate-ttl forwarded
(config)#no mpls ip propagate-ttl local

____________________________________________________________________________________________________________________
MPLS Session Protection
____________________________________________________________________________________________________________________
When a link between two LSRs goes down, the LDP session goes down, and when it comes back the LIB and LFIB need to be re-populated. This is why it
might be a good idea to PROTECT THE SESSION. This feature provides faster LDP convergence when a link recovers
following an outage.
The configuration relies on a REDUNDANT path that stays up, which is used to keep a targeted LDP session UP until the primary
link comes back. To enable it use the global config command below; it needs to be configured on ALL the routers, or configured on one
router while the other router is configured to ACCEPT TARGETED LDP HELLOs using "mpls ldp discovery targeted-hello accept":
(config)#mpls ldp session protection

____________________________________________________________________________________________________________________
MPLS VRFs, RD (Route Distinguisher) and RT (Route Target)
____________________________________________________________________________________________________________________
VRF stands for Virtual Routing and Forwarding. Simply put, it represents another routing instance (a separate routing table) within the same router.
STEP 1: VRF. To configure a VRF instance on a router with a name VRF_1 do (This name is LOCALLY SIGNIFICANT):
(config)#ip vrf VRF_1

STEP 2: RD and RT
Within the VRF you will need a Route Distinguisher (RD), used to make the VRF prefix unique within the cloud, and the Route Target (RT) that
you will later IMPORT/EXPORT to define the end-to-end communication of the VRF:
(config-vrf)#rd 1:10 <-VRF IS NOT ACTIVE UNTIL RD IS DEFINED
(config-vrf)#route-target [import|export|both] 1:100
*RD does NOT indicate which VRF the prefix belongs to!!! The Route-Target is used for that.

The RD is a 64-bit value used to transform the user's 32-bit IPv4 prefix into a UNIQUE 96-bit address called a VPNv4 address.
THESE ADDRESSES ARE EXCHANGED ONLY BETWEEN PEs, NEVER BETWEEN CEs!!! The PE takes the update it receives from the CE and sticks the RD onto
it, making the 96-bit VPNv4 address.
The "route-target import|export" command defines the RT, which is a BGP Extended Community that indicates which routes should be
exported/imported between MP-BGP and the VRF. That is why when you configure the VPNv4 AF under MP-BGP, you automatically get the
following command under the BGP process (IF NOT, ADD IT MANUALLY):
(config-router-af)#neighbor 3.3.3.3 send-community extended

"route-target export" - specifies the RT attached to every route exported from the local VRF to MP-BGP.
"route-target import" - RT used as an IMPORT FILTER, so only the routes carrying a matching RT are imported into the VRF.
STEP 3: VRF INTERFACES. If you check the configured VRF at this point:
#sh ip vrf det
VRF CB; default RD 1:20; default VPNID <not set>
  No interfaces <-NO INTERFACES!!!
  VRF Table ID = 212
  Export VPN route-target communities
    RT:1:100
  Import VPN route-target communities
    RT:1:100
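As an added example (not the guide's own code), here is how RD and RT values like the 1:20 and 1:100 above are encoded on the wire, how the RD turns a 32-bit prefix into the 96-bit VPNv4 address, and how the RT rather than the RD drives the import decision; the VRF names and the shared-services VRF are constructed for the demo:

```python
import ipaddress
import struct


def encode_rd(rd_text):
    """'1:10' -> 8-byte Route Distinguisher, type 0 (2-byte admin : 4-byte number)."""
    admin, number = (int(x) for x in rd_text.split(":"))
    return struct.pack("!HHI", 0, admin, number)


def encode_rt(rt_text):
    """'1:100' -> 8-byte Route Target extended community
    (type 0x00 = 2-octet-AS specific, subtype 0x02 = Route Target)."""
    asn, number = (int(x) for x in rt_text.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, number)


def vpnv4_prefix(rd_text, ipv4_network):
    """RD (64 bits) + IPv4 network (32 bits) = 96-bit VPNv4 prefix, returned as
    (hex of the 12 bytes, the 'RD:prefix/len' form IOS prints)."""
    net = ipaddress.IPv4Network(ipv4_network)
    raw = encode_rd(rd_text) + net.network_address.packed
    assert len(raw) * 8 == 96
    return raw.hex(), "%s:%s" % (rd_text, net)


class Vrf:
    """A VRF as the PE sees it: an RD plus import and export RT sets."""

    def __init__(self, name, rd, import_rts, export_rts):
        self.name, self.rd = name, rd
        self.import_rts = {encode_rt(r) for r in import_rts}
        self.export_rts = {encode_rt(r) for r in export_rts}

    def export_route(self, ipv4_network):
        """PE side: stick the RD onto the CE prefix and attach the export RTs."""
        return {"vpnv4": vpnv4_prefix(self.rd, ipv4_network),
                "prefix": ipv4_network, "rts": set(self.export_rts)}

    def imports(self, route):
        """Import filter: accept if any RT on the route matches one of our import RTs."""
        return bool(route["rts"] & self.import_rts)


def demo():
    # Constructed scenario: two customers both use 10.1.1.0/24 behind the same PE.
    a = Vrf("VRF_A", "1:10", ["1:100"], ["1:100"])
    b = Vrf("VRF_B", "1:20", ["1:200"], ["1:200"])
    # Shared-services VRF importing both customers (extranet), exporting nothing.
    shared = Vrf("SHARED", "1:30", ["1:100", "1:200"], [])
    ra = a.export_route("10.1.1.0/24")
    rb = b.export_route("10.1.1.0/24")
    return {
        "distinct_vpnv4": ra["vpnv4"] != rb["vpnv4"],   # the RD keeps them unique in MP-BGP
        "a_imports_a": a.imports(ra),                   # matching RT -> imported
        "a_imports_b": a.imports(rb),                   # same prefix, wrong RT -> filtered
        "shared_imports_both": shared.imports(ra) and shared.imports(rb),
    }


if __name__ == "__main__":
    print(vpnv4_prefix("1:10", "10.1.1.0/24"))
    print(demo())
```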

VRFs have more or less the same philosophy as VLANs: you need to assign the interfaces to the VRF. NOTE that the IP address of the interface
will automatically be removed:
(config-if)#ip vrf forwarding CA
% Interface Serial0/1/1 IP address 10.1.13.3 removed due to enabling VRF CA
(config-if)#ip add 10.1.13.3 255.255.255.0
*YOU WILL BE ABLE TO PING THE NEIGHBOR ON THIS INTERFACE ONLY FROM WITHIN THE VRF:

#ping vrf CA 10.1.13.1
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

MP-BGP: When you create the RD and RT, and you have BGP configured, notice that a new address family appears within the BGP process:
address-family ipv4 vrf CB
*When the ROUTE-TARGET is not imported and exported where needed between the MP-BGP neighbors, the routes will NOT be advertised via
BGP.
____________________________________________________________________________________________________________________
L2VPN - AToM (Any Transport over MPLS)
____________________________________________________________________________________________________________________
AToM encapsulates Layer 2 frames at the ingress PE and sends them to the corresponding PE at the other end of a pseudowire, which is a
connection between the two PE routers. The egress PE removes the encapsulation and sends out the Layer 2 frame.
The combination of the peer router ID and the VC ID must be unique on the router; two circuits cannot use the same combination of peer
router ID and VC ID. You also specify the tunneling method used to encapsulate data in the pseudowire; AToM uses MPLS as the tunneling method:
(config-if)# xconnect peer-router-id vcid encapsulation mpls

Used to interconnect VLANs of the remote MPLS CE routers. Configured on the PE interface towards the CE. Create a SUB-INTERFACE under the
interface pointing to your VLAN, and define the Dot1Q encapsulation on it:
(config)#interface FastEthernet0/1.4
  encapsulation dot1Q 4
  no cdp enable
  xconnect 150.1.6.6 2 encapsulation mpls <-DESTINATION PE IP ADDRESS, and 2 is the VIRTUAL CIRCUIT IDENTIFIER (VC ID)
    remote circuit id 2

If there is no MPLS along the ENTIRE PATH, you need to create a TUNNEL to traverse the NON-MPLS part. Without a label-switched path to the peer the VC stays down (note "VC status: down" and "Default path: no route" below):
#show mpls l2transport vc detail
Local interface: Fa0/1.4 up, line protocol up, Eth VLAN 4 up
Destination address: 150.1.6.6, VC ID: 2, VC status: down
Output interface: none, imposed label stack {}
Preferred path: not configured
Default path: no route
No adjacency
Create time: 00:04:55, last status change time: 00:04:48
Signaling protocol: LDP, peer 150.1.6.6:0 up
MPLS VC labels: local 32, remote 31
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 0, send 0
byte totals: receive 0, send 0
packet drops: receive 0, seq error 0, send 0


IPv6

____________________________________________________________________________________________________________________
IPv6 TIPS
____________________________________________________________________________________________________________________
TIP: When doing IPv6 over Frame-Relay, ALWAYS configure, and MAP the Link-Local address as well!!!
TIP: To filter the IPv6 traffic have in mind 2 things:
1. When you try to configure the IPv6 ACL, it will not give you the NAME options, but it can be done:
(config)#ipv6 access-list ACL_IPV6

2. Apply the filter DIRECTLY ON THE INTERFACE using the IPv6 Traffic Filter:
(config-if)#ipv6 traffic-filter ACL_IPV6 in

TIP: "ipv6 icmp error-interval 250 1" limits the rate at which an IPv6-enabled device generates ICMPv6 error messages to 4 messages per second
(250 - interval in milliseconds, 1 - bucket size, i.e. how many error packets are allowed per interval).
____________________________________________________________________________________________________________________
IPv6 Basics
____________________________________________________________________________________________________________________
Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor discovery, Router discovery
FC00::/7 Unique Local Unicast (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - always use /64 prefixes for all the INTERFACES (the MAC can be converted into EUI-64 format to get the interface ID)
The router can build the HOST portion of the address AUTOMATICALLY using the MAC of the first LAN interface:
(config-if)#ipv add 2:2:2:2::/64 eui-64

When you need to do this MANUALLY, find the MAC address of the interface, for example Fa0/0, and modify it:
#sh int fa0/0 | i bia
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

So the MAC is 001e.be5d.27f0. Insert "FFFE" in the middle and flip the U/L bit of the first byte (00 -> 02), and you get the HOST PORTION: 021e:beff:fe5d:27f0
ARP has been replaced with ICMPv6 Neighbor Discovery (ND). Inverse ARP has been removed, so for NBMA networks we need to provide a
static L2-L3 mapping.
TIP: before enabling IPv6 on a router and configuring the interfaces, make sure there is IPv4 connectivity.
IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing

On a ROUTER you should enable IPv6 on an interface:
(config-if)#ipv6 enable

The LINK-LOCAL address is generated from the interface's MAC address when you do "ipv6 enable".
Assign the UNICAST IPv6 address:
(config-if)#no switchport <--- DON'T FORGET on 3560 OR 3750
(config-if)#ipv6 add 12:1:1::3/64

#show ipv6 inter lo0
Loopback0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
Global unicast address(es):
2:2:2:2:21E:BEFF:FE5D:27F0, subnet is 2:2:2:2::/64 [EUI]

Assign a LINK-LOCAL IPv6 Address, if you want to configure it STATICALLY:
(config-if)#ipv6 address FE80::1 link-local
*Be sure it starts with FE80, or you will get a message "% Invalid link-local address"
By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:
#debug ipv6 nd

When you configure the "ipv6 enable" on the interface, the Link Local address is assigned:
*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NS -Neighbor Solicitation
*Nov 21 08:21:03.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.
!!!FE80::21E:BEFF:FE5D:27F0 Assigned. DAD - Duplicate Address Detection confirms IP is UNIQUE!
*Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NA - Neighbor Advertisement for routers Link Local address
*Nov 21 08:21:03.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0
!!!Interface comes UP because no one complained
Check if the interface got the correct IPv6 Address:
#sh ipv6 int br
FastEthernet0/0 [up/up]
FE80::21E:BEFF:FE5D:27F0
FastEthernet0/1 [administratively down/down]
Serial0/1/0 [up/down]
Serial0/1/1 [administratively down/down]
Serial0/2/0 [administratively down/down]

When you SHUT the local interface, the Link Local address is deleted:
*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0
*Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA

And we are finally reaching my favorite change in IPv6, NEIGHBOR DISCOVERY and its DISPLAY:
#show ipv6 neighbors
IPv6 Address                  Age  Link-layer Addr  State  Interface
12:1:1:12::1                  0    0013.6085.aeea   STALE  Fa0/0      <- UNICAST
FE80::1                       0    0013.6085.aeea   STALE  Fa0/0      <- LINK-LOCAL
123::21E:BEFF:FE5D:27F0       166  001e.be5d.27f0   STALE  Fa0/0
FE80::3                       0    0013.6085.e3c6   REACH  Fa0/0

You can configure the IPv6 Neighbor statically, using the Global Configuration command:
(config)#ipv6 neighbor 123::21E:BEFF:FE5D:27F0 Fa0/0 001e.be5d.27f0

The neighbors can have one of the following statuses:
- REACH
- STALE

You can tune the TIMERS for STATE TRANSITIONING. To check the current values do:
#sh ipv6 int fa0/0 | i time
  ND reachable time is 30000 milliseconds <- When the neighbor does not respond for 30 seconds it transitions to STALE
ND advertised reachable time is 0 milliseconds


If you want to CHANGE this value (time it takes the neighbor to go to STALE from REACHABLE):
(config-if)#ipv6 nd reachable-time 50000

There is also AUTOMATIC IPv6 address assignment, called STATELESS AUTOCONFIG. The ROUTER that advertises the prefix (the "server" side) must have
"ipv6 unicast-routing" configured. The router hands out the prefix, and even if that router goes down the addresses remain valid for 30
days as long as the client interfaces don't go down. To activate it on the client interface:
(config-if)#ipv6 address autoconfig
____________________________________________________________________________________________________________________
Convert MAC to Link Local IPv6 Address
____________________________________________________________________________________________________________________
Check how the Link Local address has been generated from the interface MAC address:
#sh int fa0/0 | i Hard
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)
IPv6: FE80::21E:BEFF:FE5D:27F0
FE80:: - prefix for Link Local IPv6 Addresses

1. The first two 0s of the MAC become a HEX 2 (the U/L bit is flipped): 2|1E:BE...
2. The first half of the MAC, "1e.be", is COPIED as-is: 2|1E:BE|FF:FE|5D:27F0
3. FFFE is inserted in the MIDDLE of the MAC address; to extend the MAC's 48 bits to the 64 bits of the interface ID we need these 16 extra bits
4. The rest of the MAC follows
So - 2 + first 4 HEX of the MAC + FFFE + last 6 HEX of the MAC
Now check the complete IPv6 configuration of the interface:
#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured
  Joined group address(es):
    FF02::1           <- all nodes; the 0 after FF means the group is PERMANENT (if it were 1 it would be transient)
    FF02::2           <- all routers on the subnet (subnet routers MULTICAST)
    FF02::1:FF5D:27F0 <- Solicited-Node Multicast Address (FF02::1:FF followed by the last 24 bits of the unicast address)
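The MAC-to-EUI-64 conversion described above and the Solicited-Node address in this output, as an added Python example that is not part of the guide; it also does the reverse mapping, which is handy when reading "show ipv6 neighbors" or ND debugs:

```python
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept Cisco 'xxxx.xxxx.xxxx' as well as 'xx:xx:xx:xx:xx:xx' or 'xx-xx-...'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface ID: flip the U/L bit
    (7th bit of the first byte, 00 -> 02) and insert FFFE between the two halves."""
    b = bytearray(mac_to_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def link_local(mac):
    """FE80::/64 + EUI-64 interface ID, what 'ipv6 enable' generates."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def global_eui64(prefix, mac):
    """What 'ipv6 address <prefix>/64 eui-64' generates."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(address):
    """FF02::1:FFxx:xxxx - the last 24 bits of the unicast address appended."""
    low24 = ipaddress.IPv6Address(address).packed[-3:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)


def eui64_to_mac(address):
    """Inverse: recover the MAC from an EUI-64 derived address. Returns None when
    the interface ID was not built from a MAC (no FFFE in the middle)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(b)


if __name__ == "__main__":
    mac = "001e.be5d.27f0"          # MAC from the 'show interface' output above
    ll = link_local(mac)
    print(ll, global_eui64("2:2:2:2::/64", mac), solicited_node(ll), eui64_to_mac(ll))
```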


____________________________________________________________________________________________________________________
IPv6 Routing
____________________________________________________________________________________________________________________
STATIC ROUTING is similar to IPv4 Static Routing, but have in mind that you need to point to the IPv6 address of the IPv6 Neighbor. The Link
Local IPv6 address can also be used. IPv6 Routing is off by default, so do "ipv6 unicast-routing" first to enable it. This command enables Routing,
ICMPv6, ND (Neighbor Discovery) and RA (Router Advertisements). If the switch seems not to support the command, in reality you only need
to change the buffer allocation first (apply a different SDM template). The problem is that you have to SAVE and RELOAD, so be sure you do it
before the LAB if you know you'll be using both IPv4 and IPv6. Check whether you need it using "show sdm prefer":
(config)#sdm prefer dual-ipv4-and-ipv6 routing

In IPv6 REDISTRIBUTION the LOCAL CONNECTED routes are NOT included, even if they are part of local advertisement.
Step 1: First check the neighbor's IP by displaying the IPv6 neighbors:
#sh ipv6 nei
IPv6 Address          Age  Link-layer Addr  State  Interface
12:1:1:12::1          1    0013.6085.aeea   STALE  Fa0/0
FE80::1               1    0013.6085.aeea   STALE  Fa0/0

Step 2: And then add the route pointing to the appropriate address:
(config)#ipv6 route 1:1:1:1::/64 12:1:1:12::1

If you want to use the LINK LOCAL address, you also need to specify the INTERFACE:
(config)#ipv6 route 1:1:1:1::/64 fa0/0 FE80::1

If you need to add the DEFAULT ROUTE only:
(config)#ipv6 route 0::/64 fa0/0 FE80::2

Step 3: And check the Routing Table for Static Entries:
#sh ipv6 route static | b 64
S 1:1:1:1::/64 [1/0]
via 12:1:1:12::1

Or in the case of the Default Route:
#sh ipv6 route | b S
S ::/64 [1/0]
via FE80::2, FastEthernet0/0

Step 4: OPTIONAL: Configure a HOST entry for the hosts you ping frequently, because IPv6 addresses are a bit long. If you name the host R2_lo1,
you can later ping it using "ping R2_lo1":
(config)#ipv6 host R2_lo1 ?
  <0-65535>   Default telnet port number <- CAN BE USEFUL
  X:X:X:X::X  IPv6 address
(config)#ipv6 host R2_lo1 1:1:1:1:213:60FF:FE85:AEEA


____________________________________________________________________________________________________________________
RIPng
____________________________________________________________________________________________________________________
RIPng uses UDP port 521 (not 520) and multicasts to FF02::9. It is configured at the link (interface) level:
(config-if)#ipv6 rip 1 enable <- THIS ENABLES RIPng ON THE ROUTER

If you need to tune it globally, that is still done under the routing process configuration:
(config)#ipv6 router rip 1

*FF02::1 - all hosts
FF02::2 - all routers, like 224.0.0.2 in IPv4
Split horizon is on by default. All IPv6 routing protocols will have the routes in the routing table pointing to the neighbor's LINK LOCAL address.
FRAME RELAY might give IPv6 connectivity issues because the route points to the other side's link-local address, so we need to add an additional
mapping of the other side's link-local IPv6 address to the DLCI assigned to that path.
____________________________________________________________________________________________________________________
OSPFv3
____________________________________________________________________________________________________________________
OSPFv3 uses FF02::5 and FF02::6, Unicast and Multicast, over IP protocol 89.
The biggest difference is the Authentication, as OSPFv3 uses the Authentication Header, which is part of the IPsec stack, so we need to configure a
manual key, which is long. ESP (Encapsulating Security Payload) can also be applied. The configuration is different from OSPFv2.
Don't forget to define the router-id, because if there are no IPv4 addresses on the router it cannot pick one!
So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later.
In OSPFv3 over Frame-Relay DON'T FORGET TO create frame relay mappings for the link-local (FE80::/10) addresses. That being said, you might
as well manually create the Link Local addresses on the FR interfaces:
(config-if)#ipv6 address FE80::2 link-local

LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:
OSPFv3                         OSPFv2
0x2001 Router LSA              1 Router LSA
0x2002 Network LSA             2 Network LSA
0x2003 Inter-area Prefix LSA   3 Network Summary LSA
0x2004 Inter-area Router LSA   4 ASBR Summary LSA
0x4005 AS-External LSA         5 AS-External LSA
0x2006 Group Membership LSA    6 Group Membership LSA
0x2007 Type-7 LSA              7 NSSA External LSA
0x0008 Link LSA                -
0x2009 Intra-area Prefix LSA   -
*If you want an area not to receive LSA4 and LSA5, configure it as stub:
(config-rtr)#area 12 stub <- ADDS A DEFAULT ROUTE ON THE ISOLATED ROUTER (the router that only has the stub area)
Default route added: OI ::/0 [110/2] via FE80::2, FastEthernet0/0 <- INSTEAD OF ALL THE EXTERNAL ROUTES

If you want the router to keep INTRA AREA (O) routes only, configure the area as "stub no-summary".
If you want to not propagate EXTERNAL routes, configure the area as NSSA (routes redistributed into the NSSA area will appear marked with
"ON2"). You can add "default-information-originate" to inject the default route into the NSSA area.
To change the METRIC/COST you can do two things. Either change the DEFAULT COST under the OSPF process:
(config-rtr)#auto-cost reference-bandwidth 10000

Or use the "ipv6 ospf cost" command under EACH INTERFACE.
____________________________________________________________________________________________________________________
EIGRP IPv6
____________________________________________________________________________________________________________________
EIGRP for IPv6 uses FF02::A, Unicast and Multicast, over IP protocol 88.
The difference from OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100

it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id 1.1.1.1
(config-rtr)#no shut <-ON SOME IOS VERSIONS NOT NEEDED, BUT DO IT JUST IN CASE...
*Dec 1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

BE SURE TO DEFINE THE METRIC WHEN REDISTRIBUTING INTO EIGRP, or it will not work!!!
(config-rtr)#redistribute ospf 1 metric 1 1 1 1 1

To change the timers on the interface the command is a bit BACKWARDS, as in "ipv6 hello-interval eigrp ..." (the timer keyword comes before "eigrp"):
(config-if)#ipv6 hello-interval eigrp 100 10 <-HELLO
(config-if)#ipv6 hold-time eigrp 100 40 <-HOLD (DEAD)

The command for checking the current timers is also unintuitive, because you need to add "detail" to the end:
#sh ipv6 eigrp interfaces detail | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60, Hold-time is 180

BE CAREFUL WITH FRAME RELAY, because EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces:
(config-subif)#no ipv6 split-horizon eigrp 100

Like in EIGRPv4, in EIGRPv6 the EIGRP Packets use UP TO 50% of the link's BW. To change that (to 25% in this example):
(config-subif)#ipv6 bandwidth-percent eigrp 100 25

Another similarity to EIGRPv4, you can use "summary-address" to inject the default route:
(config-if)#ipv6 summary-address eigrp 100 ::0/0
%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured
%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured

EIGRPv6 Authentication: Also similar to EIGRPv4
Step 1: Define the Key Chain
(config)#key chain MAT
(config-keychain)#key 1
(config-keychain-key)#key-string Cisqueros

Step 2: Apply the key chain to the interface:
(config-if)#ipv6 authentication key-chain eigrp 100 MAT

Step 3: Turn ON the authentication on the interface, in this example MD5:
(config-if)#ipv6 authentication mode eigrp 100 md5

Some ADDITIONAL features:
Make sure the incoming prefixes are within 50 hops (hop count <= 50):
(config-rtr)#metric maximum-hops 50

"Tune" the Active Time (time before declaring a router STUCK IN ACTIVE - SIA)
(config-rtr)#timers active-time ?
<1-65535> active state time limit in minutes
disabled disable time limit for active state

____________________________________________________________________________________________________________________
MP-BGP, using the BGP-4 protocol extensions for IPv6
____________________________________________________________________________________________________________________
TRANSPORT and ADVERTISING are two separate things in BGP, so routers can PEER using IPv4 only and then advertise IPv6 prefixes.
When doing IPv6 BGP don't forget to configure under the routing process:
(config-router)#address-family ipv6 unicast

Just make sure that you distinguish between these two. There is also a mechanism called 6PE (IPv6 Provider Edge) that enables advertising IPv6
routes over an IPv4 MPLS core, and it's one of the "transition" tools from IPv4 to IPv6.
____________________________________________________________________________________________________________________
IPv6 Tunnels
____________________________________________________________________________________________________________________
STATIC Tunnels: GRE, IPv6IP
AUTOMATIC Tunnels: 6to4 (IPv4 embedded in the IPv6 prefix), ISATAP - these have a standard address format, so only the tunnel source and the IPv6
address are configured according to that standard, and the Tunnel comes UP.
Automatic 6to4: everyone is allocated a 2002: address, followed by their IPv4 address converted into HEX. Knowing this we can solve the routing by
pointing all 2002::/16 traffic to the Tunnel interface:
(config)#ipv6 route 2002::/16 tunnel0
When you configure them MANUALLY (meaning you define both the source and the destination of the tunnel) the Tunnel mode can be
IPv6IP or GRE, depending on what you are asked to do:
(config)#interface tunnel 0
(config-if)#tunnel mode ipv6ip <- DEFAULT IS GRE

The difference between IPv6IP and GRE will be in the TUNNEL PROTOCOL, so in GRE:
#sh int tunnel 3 | i transport
Tunnel protocol/transport GRE/IP

While in IPv6IP:
#sh int tunnel 3 | i transport
Tunnel protocol/transport IPv6/IP



GRE is Protocol 47, and IPV6IP is Protocol 41. You can check this by PINGING one side from another, and debugging "ip packet details" on the
other side:
IPv6IP - PROTOCOL 41:
*Nov 29 18:23:52.126: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:52.126: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 136, rcvd 3, proto=41
*Nov 29 18:23:52.126: IP: s=10.1.12.2 (Tunnel0), d=10.1.12.1 (Serial0/1/0.21), len 96, sending, proto=41
*Nov 29 18:23:53.110: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:53.110: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 120, rcvd 3, proto=41

GRE - PROTOCOL 47:
*Nov 29 18:25:30.506: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.506: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 140, rcvd 3, proto=47
*Nov 29 18:25:30.574: IP: s=10.1.12.2 (Tunnel0), d=10.1.12.1 (Serial0/1/0.21), len 140, sending, proto=47
*Nov 29 18:25:30.622: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.622: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 140, rcvd 3, proto=47
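As an added worked example (not part of the original notes), the two encapsulations above in code: the same constructed IPv6 echo request
wrapped the IPv6IP way (IPv4 protocol 41, IPv6 header directly behind the IPv4 header) and the GRE way (protocol 47, with the 4-byte base GRE
header carrying protocol type 0x86DD for IPv6), plus a small classifier that reads the outer IPv4 header the way the debug output does. That
4-byte GRE header is why a GRE-tunnelled packet is 4 bytes longer than the same packet in IPv6IP mode, which is consistent with the 136 vs 140
byte lengths seen above. All addresses and payload bytes are constructed for the demo; the checksum is left at zero.

```python
import ipaddress
import struct

# Added example, not from the original notes: build the two outer IPv4 encapsulations
# a router emits for the same inner IPv6 packet (tunnel mode ipv6ip vs the default GRE),
# then classify outer packets by the IP protocol number the debug output shows.
# All addresses and payloads are constructed for the demo.
IPPROTO_IPV6 = 41            # IPv6-in-IPv4, "tunnel mode ipv6ip" (RFC 4213)
IPPROTO_GRE = 47             # GRE, the default tunnel mode (RFC 2784)
GRE_PROTO_IPV6 = 0x86DD      # GRE protocol type = Ethertype of the payload, IPv6 here


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; header checksum left as zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """40-byte IPv6 header followed by the payload (e.g. an ICMPv6 echo request)."""
    header = struct.pack("!IHBB16s16s",
                         0x60000000, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed)
    return header + payload


def encap_ipv6ip(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """tunnel mode ipv6ip: the IPv6 packet sits directly behind the IPv4 header."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(inner)) + inner


def encap_gre(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Default GRE mode: a 4-byte GRE header (flags=0, protocol type) precedes the IPv6 packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV6)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def classify(outer: bytes) -> dict:
    """Parse an outer IPv4 packet and report which tunnel encapsulation it carries."""
    ihl = (outer[0] & 0x0F) * 4
    total_len = struct.unpack("!H", outer[2:4])[0]
    proto = outer[9]
    result = {
        "src": str(ipaddress.IPv4Address(outer[12:16])),
        "dst": str(ipaddress.IPv4Address(outer[16:20])),
        "proto": proto,
        "len": total_len,
    }
    body = outer[ihl:total_len]
    if proto == IPPROTO_IPV6:
        result["mode"] = "ipv6ip"
        inner = body
    elif proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0xB000:      # C, K or S bit set: optional fields follow, not modelled here
            raise ValueError("GRE header with optional fields is not supported by this demo")
        result["mode"] = f"gre(0x{ptype:04X})"
        if ptype != GRE_PROTO_IPV6:
            return result       # GRE carrying something other than IPv6
        inner = body[4:]
    else:
        result["mode"] = "not-a-tunnel"
        return result
    result["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
    result["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return result


if __name__ == "__main__":
    # Constructed inner packet: ICMPv6 echo request (next header 58) with 56 bytes of data.
    echo = ipv6_packet("2001:db8:12::1", "2001:db8:12::2", 58, b"\x80" + b"\x00" * 7 + b"A" * 56)
    for pkt in (encap_ipv6ip("10.1.12.1", "10.1.12.2", echo), encap_gre("10.1.12.1", "10.1.12.2", echo)):
        print(classify(pkt))
```

The classifier is also the logic a perimeter filter applies: anything with proto 41 or 47 arriving where no tunnel is expected is an encapsulated
path around the IPv4 policy and should be dropped.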

6to4 Tunnels: AUTOMATICALLY established, allowing IPv6 connectivity through IPv4. They require SPECIAL ADDRESSING: an IPv6 address starting
with 2002 followed by the TRANSLATED (hex) IPv4 of the tunnel source. Because the far end is derived from the destination address, a 6to4 router
will decapsulate protocol 41 packets from any IPv4 source, so block protocol 41 at the perimeter wherever a 6to4 tunnel is not expected, and put
an "ipv6 traffic-filter" on the tunnel interface where it is. So, we need these steps:
Step 1: Translate IPv4 into hex. For example 10.1.1.1:
    10 . 1  . 1  . 1
    0A   01   01   01   ->  0A01:0101
Step 2: Identify the tunnel source (the interface that holds 10.1.1.1). IMPORTANT: Tunnel is AUTOMATIC, so DONT CONFIGURE THE DESTINATION
Using 2002 as the 6to4 marker, the site's prefix is 2002:A01:101::/48; a single host address out of that prefix goes on the tunnel interface:
(config-if)#ipv6 add 2002:A01:101::/128

Step 3: Configure the TUNNEL MODE as IPV6IP 6to4:
(config-if)#tunnel mode ipv6ip 6to4

Step 4: Make sure that the Tunnel Interface is going UP/UP
*Nov 29 19:10:13.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up

ISATAP Tunnel: an IETF transition mechanism that lets IPv6 hosts and routers connect over an IPv4 network. The tunnel interface must be
configured with a modified EUI-64 address because the last 32 bits of the interface identifier are the IPv4 tunnel source address. The ISATAP
address format is:
NETWORK PORTION: any /64 IPv6 prefix
HOST PORTION: starts with 0000:5EFE (0200:5EFE if the IPv4 is globally unique), and the remaining 32 bits are the IPv4 of the TUNNEL SOURCE
Step 1: Define the Tunnel SOURCE address
(config-if)#tunnel source 10.44.44.44

Step 2: Sending of IPv6 router advertisements is disabled by default on tunnel interfaces. This command re-enables the sending of IPv6 router
advertisements to allow client auto-configuration:
(config-if)# no ipv6 nd ra suppress

Step 3: ISATAP
The only difference from the standard IPv6IP configuration is that the IPv6 address must be generated with eui-64, and that the MODE must be
defined as ISATAP:
(config-if)#ipv6 address 46:1:46::/64 eui-64 <- ON AN ISATAP TUNNEL, EUI-64 BUILDS THE INTERFACE ID AS 0000:5EFE:<TUNNEL SOURCE IPv4>, SO 46:1:46::5EFE:A2C:2C2C FOR 10.44.44.44
(config-if)#tunnel mode ipv6ip isatap
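Added worked example, not from the original notes, covering both the 6to4 steps and the ISATAP steps above: the address arithmetic IOS does for
you. It builds the 6to4 /48 prefix and the ISATAP address from a tunnel source IPv4, recovers the IPv4 endpoint from a 6to4 or ISATAP
destination (which is why automatic tunnels need no tunnel destination), and implements the consistency check from RFC 3964 that a 6to4 router
should apply on decapsulation: the IPv4 embedded in the inner IPv6 source must equal the outer IPv4 source. The prefixes 2002::/16 and
46:1:46::/64 and the addresses 10.1.1.1 and 10.44.44.44 are the ones used in the notes; everything else is constructed.

```python
import ipaddress

# Added example, not from the original notes: the address arithmetic behind the two
# automatic tunnels. All inputs below are constructed; the prefixes are the notes' own.
SIXTO4 = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_PREFIX = 0x00005EFE        # 0000:5EFE (0200:5EFE when the IPv4 is globally unique)


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """10.1.1.1 -> 2002:a01:101::/48, the whole prefix the site may use."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_endpoint(ipv6: str) -> str:
    """IPv4 tunnel destination a 6to4 router derives from a 2002::/16 address (bits 80-111)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def sixto4_source_consistent(outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
    """Decapsulation check (RFC 3964): the IPv4 embedded in a 6to4 source must equal the outer source.
    Packets whose inner source is not 2002::/16 come via a relay and need their own policy; rejected here."""
    try:
        return sixto4_endpoint(inner_src_ipv6) == outer_src_ipv4
    except ValueError:
        return False


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' yields on an ISATAP tunnel: <prefix>:0:5efe:<ipv4>."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs are 64 bits, use a /64 prefix")
    iid = (ISATAP_IID_PREFIX << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_endpoint(ipv6: str) -> str:
    """IPv4 neighbour an ISATAP router sends to, read out of the low 32 bits of the interface ID."""
    iid = int(ipaddress.IPv6Address(ipv6)) & ((1 << 64) - 1)
    if (iid >> 32) & 0xFDFFFFFF != ISATAP_IID_PREFIX:   # mask the u/l bit so 0200:5EFE also matches
        raise ValueError(f"{ipv6} does not carry an ISATAP interface ID")
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


if __name__ == "__main__":
    print(sixto4_prefix("10.1.1.1"))                         # 2002:a01:101::/48
    print(sixto4_endpoint("2002:c000:204::1"))               # 192.0.2.4
    print(sixto4_source_consistent("10.9.9.9", "2002:a01:101::1"))   # False: spoofed outer source
    print(isatap_address("46:1:46::/64", "10.44.44.44"))     # 46:1:46::5efe:a2c:2c2c
    print(isatap_endpoint("46:1:46::5efe:a2c:2c2c"))         # 10.44.44.44
```

The consistency check is the part worth remembering: without it, anyone on the IPv4 side can inject a protocol 41 packet with a forged 6to4
source and have the router decapsulate it as if it came from that site.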
____________________________________________________________________________________________________________________
IPv6 Multicast Routing
____________________________________________________________________________________________________________________
To start implementing multicast in the campus network, you must first define who receives the multicast. The MLD protocol (Multicast Listener
Discovery, the IPv6 counterpart of IGMP) is used by IPv6 routers to discover the presence of multicast listeners. MLD messages are carried in ICMPv6.
Multicast QUERIER is a ROUTER that sends queries to discover the group members.
Multicast HOST is the RECEIVER (routers included) that sends REPORTS to inform the querier.
IPv6 RP and BSR (Boot-Strap Router)
The BSR protocol for PIM-SM provides a mechanism to distribute group-to-RP mapping information throughout a domain. If an RP stops advertising
itself, its entry times out (see the Holdtime in the rp-cache below) and the BSR drops it from the mapping it distributes. A few routers are
configured as candidate bootstrap routers (C-BSRs) and a single BSR is elected for that domain.
To set a router as a BSR candidate - enable IPv6 multicast routing globally (ipv6 multicast-routing), make sure IPv6 is also enabled, and use one
of its local IPv6 addresses. Assign the router a BSR priority:
(config)#ipv6 pim bsr candidate bsr 2001:CC1E:1:404:21A:E2FF:FEAB:FF29 priority 100

Configure a router as a candidate RP (it sends its C-RP advertisements to the BSR):
(config)#ipv6 pim bsr candidate rp 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0

#show ipv6 pim bsr rp-cache
PIMv2 BSR C-RP Cache
BSR Candidate RP Cache
Group(s) FF00::/8, RP count 1
RP 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0 SM
Priority 192, Holdtime 150
Uptime: 00:02:46, expires: 00:01:43

The big challenge in any multicast configuration is the verification. Since MLD rides on ICMPv6, debug the ICMPv6 packets on one router and
then ping the IPv6 multicast group from the other side, so the MLD queries and reports show up as they happen:
#debug ipv6 icmp