Professional Documents
Culture Documents
d w ith
e
Version 52
gu y.
switching, Cisco CCNP RS
1600+ Cisco CCIE RS ver 4 / 5
Cisco CCNA routing switching, Cisco CCNP routing
ch
Cisco CCNP study flashcards, Cisco CCNP flashcards Be s t v
a
i
d
e w
o rs im i la r!
d an iP
Easy to understand CCNP / CCIE study flashcards
car
/ CCNP RS study flashcards
Effective CCNP training
sh
Effective CCIE training
la
w. fCisco Web learning
Online training
command:
,30
n 1 All
Po2
EtherChannel over
vla unk
Switchport trunk
Spanning-tree global vs Interface debug spanning-tree
Tr
no switchport
bridge-group X l
switchport mode dynamic desirable switchport mode dynamic desirable switchport mode dynamic desirable switchport mode dynamic desirable
switchport mode dynamic desirable switchport mode dynamic desirable switchport mode dynamic desirable switchport mode dynamic desirable switchport trunk encapsulation dot1q switchport trunk encapsulation dot1q switchport trunk encapsulation dot1q switchport trunk encapsulation dot1q
Switchport trunk encapsulation dot1q Switchport trunk encapsulation dot1q switchport mode trunk switchport mode trunk switchport mode trunk switchport mode trunk
Ranging 5 bucks to unlimited!
Colin
http://www.flashcardguy.ch
Switch / Bridge
Int fa0/x
Udld port aggressive
Show spanning-tree mst X detail Sending TCP FIN to IDS/IPS show parser macro
SW1: show
vlan
remo
Vlan [500] te-sp
an
remote-span
Standard / existing macros can be verified by:
monitor session [X] source interface [fa0/x]
Interface fa0/x monitor session [X] destination vlan [500] Show parser macro
Spanning-tree mst X cost [COST] SW2: Vlan 500
Spanning-tree MST port priority And applied with dynamic parameters:
RSPAN sessions: Vlan [500]
SW2
Applying dynamic macros
and cost Interface fa0/x remote-span
SW3 SW1
Spanning-tree mst X priority [16] SW3: Interface fa0/10
Macro apply cisco-desktop $access_vlan 10
Vlan [500] destination source
remote-span
monitor session [X] source vlan [500]
monitor session [X] destination fa0/x ingress vlan [YY]
IPv4:
ports? RIPv2
Vlan104
Int fa4 104.0.0.10 R5 IP addr
Switchport access vlan 20 104.0.0.4/24
Thanks for appreciating my efforts
IPv6 addr
IPv4: 2001::4/64
Fa2 and Fa3 can’t communicate even being in the same Vlan RIPv2
show bridge [1] group
Colin
http://www.flashcardguy.ch
R4: R4# R4 R5
interface FastEthernet0/1
ip address 104.0.0.4 255.255.255.0
ipv6 address 2001::4/64
username USER-R4 pass cisco
Radius
uths
R4 a inst
aga
R5 PPP R5
aut
aga hs R4
inst
Switch / Bridge
SW1# interface Serial 0/1
Ip routing encapsulation ppp TACACS+
R4#
aaa new-model
between a
Fallback Bridging interface Vlan104 Bi-directional aaa authentication login CONSOLE none
ip address 104.0.0.10 255.255.255.0
bridge-group 1
routed port
and SVI vlan
While IPv4 CHAP Authentication Authentication aaa authentication ppp PPP-AUTH-LIST group GRP-RADIUS local
!
CH t h
aaa group server radius GRP-RADIUS
traffic is R5#
(Radius) server-private 155.1.146.100 key CISCO
au
AP
interface FastEthernet0/6 !
routed interface Serial 0/1/0
No switchport username USER-R5 pass cisco
ppp authentication pap chap PPP-AUTH-LIST
Ip address 106.0.0.10 255.255.255.0 !
bridge-group 1 interface Serial 0/1 line console 0
interface FastEthernet0/1 encapsulation ppp login authentication CONSOLE
ip address 106.0.0.6 255.255.255.0 ppp authentication chap
ipv6 address 2001::6/64 (Auth via Radius, if not available fallback to local database)
ppp chap hostname USER-R4
Design
Promiscous Port Host D
Community 1000
Host E
Community 3000 Useful PPP debug commands Debug ppp packet
Authentication aaa new-model
aaa authentication login CONSOLE none
Primary Vlan 100 Debug ppp error (TACACS+) aaa authentication ppp default group tacacs local
!
tacacs-server host 155.1.146.200 key CISCO
Community Community isolated 3000
!
1000 2000 ( debug aaa authentication ) line console 0
Host B Host A Host E
login authentication CONSOLE
Host D Host C
(Auth via TACACS+, if not available fallback to local database)
interface FastEthernet0/1
How do you filter out Vlan IDs out encapsulation ppp
dialer pool 1
no shutdown
switchport private-vlan mapping 100 add 1000,2000,3000 Gateway monitor session 2 destination interface fa0/1
config switchport mode private-vlan promiscuous of SPAN sessions for Trunks ? Client / Server
ppp chap hostname USER-1
ppp chap password CISCO
interface FastEthernet0/1.35
encapsulation dot1Q 35
! pppoe enable group PPPOE
interface FastEthernet0/3 Community 1000
interface FastEthernet0/1
switchport private-vlan host-association 100 1000
no ip address bba-group pppoe PPPOE
switchport mode private-vlan host
no shutdown virtual-template 1
interface FastEthernet0/5 Community 2000 ( SPAN session will only SPAN traffic within Vlan 5-10 ) pppoe enable sessions per-mac throttle 10 60 300
switchport private-vlan host-association 100 2000 pppoe-client dial-pool-number 1
switchport mode private-vlan host interface Virtual-Template 1
interface FastEthernet0/13 encapsulation ppp
switchport trunk encapsulation dot1q between switches ip address 155.1.35.1 255.255.255.0
switchport mode trunk ppp authentication chap PPPOE-LIST
R4#
interface Serial 0/1 Session on Client is UP
encapsulation ppp
ppp pap sent-username USER-1 pass cisco
monitor session [1] destination interface Fa0/x
R4 R5 encapsulation replicate Help me create more flashcards:
PPP How can one SPAN CDP, STP and Transit to PPPoe SRV has just been disrupted
Uni-directional R4 will have to authenticate towards R5 (sending credentials) PPPoe Client status views:
other control protocols to the
PAP Authentication R5#
destination port ?
username USER-1 pass cisco
Transit disrupted, attempting connection to SRV
Simply press this button and send me your
interface Serial 0/1
encapsulation ppp
credit cards regards!
ppp authentication pap
Clock rate [64000]
Interface Fa0/1.41
oe
R4 tia ct
ed ex k
s
en pe
se ls t R5
nd o R to
R5#
(ca
http://www.flashcardguy.ch
Show int trunk
Show etherchannel summary
IF “spanning-tree extend system-id” is NOT ENABLED:
Switch / Bridge
Rack1SW1#show pagp ?
<1-48> Channel group number one MAC address per VLAN to make the bridge ID unique
counters Traffic information for each VLAN, using a lot of MAC addresses
internal Internal information spanning-tree extend system-id -> (chassis with only 64 MAC addresses!)
Advanced LACP / PAGP neighbor Neighbor information
extended system ID enabled:
troublehsooting commands: Rack1SW1#show lacp ?
<1-48> Channel group number
explained One MAC address used in all STP Vlans. In order to
counters Traffic information uniquely identify the root the VLAN-ID value is added to
internal Internal information the STP priority value, with the same MAC address in all
neighbor Neighbor information VLANs.
sys-id LACP System ID
- MST domain = domain name and revision number STP Root RX part breaks
( 64 instances max ) (unidirectional)
T R
- MST domain configuration can be distributed via VTP T R
X X
Version 3 instance. (Instead of error prone manual config) Spanning-tree loopguard X X
R T R T
What does: conf t - MST config changes only allowed on primary server. X X T R X X
X X
Mainly
VTP Version 3 SWITCH# show spanning-tree mst configuration
R
X
T
X
define interface-range VPORTS FastEthernet 0/7-8
define interface-range % Switch is not in mst mode
STP Root
Home Lab tip:
Name [MST]
Used for macro’s And MST Revision 1 Instances configured 3 (mainly used on fiber links, can be
Instance Vlans mapped T R
T R
If you have a lab on which the Lines keep miss-behaving,
Do? -------- ------------------------------------------------------------
reproduced with bpdufilter on X X
X X
Clear all lines instead of individually:
0 2-400,406-4000,4006-4094 ethernet) R
X
T
X
R
X
T
X
-------- ------------------------------------------------------------ T R
config changes of MST only allowed on VTP 3 primary X X
R T
server. X X alias exec line-clear event manager run CLEAR-LINES
- only the vtp primary server, is allowed to update other int fa1/24
devices no switchport Global:
Spanning-tree loopguard default event manager applet CLEAR-LINES
ip address 1.2.3.4 255.255.255.0
- Two instances in VTP version 3, VLAN and MST event none sync yes
instance Per interface:
VTP Version 3 SWITCH# show vlan internal usage action 1.0 cli command "clear line 65"
VLAN Usage Spanning-tree guard loop
VTP Version 3 - Instances can be on the same or separate switches. action 1.1 cli command "clear line 66"
---- --------------------
- If there is more than one primary server a warning <SNIP> action 1.2 cli command "clear line 67"
message will indicate conflicting devices. With routed interfaces and 1018 FastEthernet1/24 VlanID 1018 for Fa1/24 ! action 1.3 cli command "clear line 68"
facts: - Reserved VlanIDs 1000-1017, (show vlan intern usage) action 1.4 cli command "clear line 69"
default allocation policy the switch starts to allocate
- VTPVer 2 compatible to Version 3, where as Ver 1 is not. Default VLAN-IDs: beginning at 1018! In order to use Vlan 1018, default action 1.5 cli command "clear line 70"
interface fa1/24, shutdown the port, force a VTP revision action 1.6 cli command "clear line 71"
- VTP 2 device will never update a Version 3 device. number change, by changing vlan 1018's name to flood action 1.7 cli command "clear line 72"
the change from an Internal Vlan to a regular vlan to other
- After reload a primary server will take the secondary
switches. action 1.8 cli command "clear line 73"
server role
action 1.9 cli command "clear line 74"
spanning-tree extend system-id <- required
Access action 2.0 cli command "clear line 75"
Used for QoS classification and security
action 2.1 cli command "clear line 76"
vtp version 3
- vtp mode server
Routing action 2.2 cli command "clear line 77"
- vtp mode client Used for routing
vtp domain DOMAIN-X
action 2.3 cli command "clear line 78"
- vtp mode transparent
Vlan action 2.4 cli command "clear line 79"
VTP Version 3 vtp primary-server vlan [force] VTP Version 3 - vtp OFF Disables routing and sets the switch to be a layer 2 switch action 2.5 syslog msg "All lines cleared"
vtp primary-server mst [force] SDM Prefer on Catalyst Extended-match
Reformats routing memory space to allow 144-bit layer 3 R3#line-clear
Configuration: modes Disable vtp per port (VTP off) TCAM support needed for WCCP and/or multple VRF
instances %HA_EM-6-LOG: CLEAR-LINES: All lines cleared
service password-encryption
int fa0/24
SW1# show vtp password no vtp show sdm prefer
VTP Encrypted Password: 02270A5F19030E32
conf t
Display of the password is encrypted, vlan.dat IS CLEAR TEXT
sdm prefer [Access | Routing | Vlan | Extended-match]
Colin
http://www.flashcardguy.ch
HUB R1#show ip nhrp HUB R1#show ip nhrp
NBMA Range 192.1.1.x.x interface Tunnel1 10.1.1.2/32 via 10.1.1.2
NBMA Range 192.1.1.x.x 10.1.1.2/32 via 10.1.1.2
interface Tunnel1 GRE
Tunnel Range 10.1.1.x ip address 10.1.1.1 255.255.255.0
no ip redirects
ip nhrp map 10.1.1.2 192.1.2.2
Type: static, Flags:
NBMA address: 192.1.2.2
Tunnel Range 10.1.1.x
Tunnel1 created 00:11:18, never expire ip address 10.1.1.1 255.255.255.0 Tunnel1 created 00:07:29, expire 01:52:30
no ip redirects
ip nhrp network-id 111
Type: dynamic, Flags: unique registered
NBMA address: 192.1.2.2
int tun 1
DMVPN
ip nhrp map 10.1.1.3 192.1.3.3 10.1.1.3/32 via 10.1.1.3 tunnel source Ethernet0/0 10.1.1.3/32 via 10.1.1.3
HUB HUB
1.1 ip nhrp map 10.1.1.4 192.1.4.4 Tunnel1 created 00:11:18, never expire
1.1 tunnel mode gre multipoint Tunnel1 created 00:07:24, expire 01:52:35 tunnel source x.x.x.x
.1 ip nhrp network-id 111
Type: static, Flags: .1 Type: dynamic, Flags: unique registered
NBMA address: 192.1.3.3 NBMA address: 192.1.3.3 tunnel destination y.y.y.y
Tun 1 tunnel source Ethernet0/0 Tun 1
tunnel mode gre multipoint
10.1.1.4/32 via 10.1.1.4
3.3
What is the difference between
NBMA 3.3 Tunnel1 created 00:11:18, never expire
NBMA DMVPN Phase 1, Dynamic
2.2 Type: static, Flags: used 2.2 SPOKE the two DMVPN flavors?
.2 .3 Spoke
NBMA address: 192.1.4.4 .2 .3 Spoke interface Tunnel1 mGRE
Spoke Spoke
DMVPN Phase 1, static Spoke ip address 10.1.1.2 255.255.255.0
interface Tunnel1 ip nhrp map 10.1.1.1 192.1.1.1
R2#show ip nhrp
ip address 10.1.1.2 255.255.255.0
10.1.1.1/32 via 10.1.1.1
ip nhrp network-id 111 R2#show ip nhrp int tun 1
ip nhrp map 10.1.1.1 192.1.1.1 ip nhrp nhs 10.1.1.1 10.1.1.1/32 via 10.1.1.1
DMVPN Phase 1 ip nhrp network-id 111
Tunnel1 created 00:11:49, never expire
Type: static, Flags:
DMVPN Phase 1 tunnel source Ethernet0/0 Tunnel1 created 00:11:39, never expire tunnel source x.x.x.x
tunnel source Ethernet0/0 tunnel destination 192.1.1.1 Type: static, Flags: tunnel mode gre multipoint
Static config tunnel destination 192.1.1.1
NBMA address: 192.1.1.1 Dynamic mapping config NBMA address: 192.1.1.1
Using EIGRP
ip address 123.1.1.1
network 123.0.0.0 1.1.1.1/32 What are main configuration ip nhrp map SPOKE-TUNNEL-IP SPOKE-NBMA-IP
255.255.255.0
network 1.1.1.1 HUB tunnel mode gre multipoint
no ip redirects
ip nhrp map 123.1.1.2 200.1.2.2 clear ip nhrp on the HUB and 1.1 .1 differences between Spoke: Help me create more flashcards:
ip nhrp map 123.1.1.3 200.1.3.3 ip nhrp map HUB-TUNNEL-IP HUB-NBMA-IP
Tun 1
1.1.1.1/32 ip nhrp map multicast 200.1.2.2 discover that you no longer 3.3
ip nhrp map SPOKE-x-TUNNEL-IP SPOKE-x-NBMA-IP
HUB ip nhrp map multicast 200.1.3.3
have reachability from and to 2.2 NBMA DMVPN Phase 2 tunnel mode gre multipoint
1.1 .1
ip nhrp network-id 111
.3
no ip split-horizon eigrp 10 .2 Spoke Phase 2 dynamic
tunnel source Ethernet0/0 your spokes! Spoke
Tun 1
3.3
tunnel mode gre multipoint Spoke 2.2.2.2/32 3.3.3.3/32 Static and dynamic
Hub:
ip nhrp map SPOKE-TUNNEL-IP SPOKE-NBMA-IP Simply press this button and send me your
NBMA interface Tunnel123 tunnel mode gre multipoint
2.2 ip address 123.1.1.2 255.255.255.0 credit cards regards!
.2 .3 Spoke
Spoke:
ip nhrp map 123.1.1.1 200.1.1.1 How do you solve this in the On Spokes: Spoke:
Spoke router eigrp 10
ip nhrp network-id 111 int tun x Config? ip nhrp map HUB-TUNNEL-IP HUB-NBMA-IP
3.3.3.3/32
network 123.0.0.0
tunnel source Ethernet0/0 lab? ip nhrp nhs HUB-TUNNEL-IP
2.2.2.2/32 network 2.2.2.2
tunnel destination 200.1.1.1 ip nhrp registration timeout <1 sec> tunnel mode gre multipoint
NBMA Range 200.1.x.x NBMA Range 200.1.x.x HUB HUB: HUB:
HUB
Tunnel Range 123.1.1.x
HUB HUB: Tunnel Range 123.1.1.x interface Tunnel123
ip address 123.1.1.1
router rip
version 2
DMVPN Phase 1 setup interface Tunnel123
router rip
version 2 Ranging 5 bucks to unlimited!
DMVPN Phase 1 setup interface Tunnel123 router eigrp 10
DMVPN Phase 1 setup 255.255.255.0 network 1.0.0.0 Using RIP ip address 123.1.1.1 255.255.255.0
network 1.0.0.0
ip address 123.1.1.1 255.255.255.0 network 123.0.0.0 ip summary-address rip 0.0.0.0 0.0.0.0
Using EIGRP no ip redirects network 1.1.1.1
no ip redirects network 123.0.0.0
ip nhrp map 123.1.1.2 200.1.2.2
network 123.0.0.0
Do not use “no ip split-horizon eigrp X” ip nhrp map 123.1.1.2 200.1.2.2 Using RIP ip nhrp map 123.1.1.2 200.1.2.2
ip nhrp map 123.1.1.3 200.1.3.3
no auto-summary do not use “no ip split-horizon” ip nhrp map 123.1.1.3 200.1.3.3
no auto-summary
ip nhrp map 123.1.1.3 200.1.3.3 ip nhrp map multicast 200.1.2.2
Send ip nhrp map multicast 200.1.2.2
ip nhrp map multicast 200.1.2.2 ing a ip nhrp map multicast 200.1.3.3 Sending a default route
1.1.1.1/32 ip nhrp map multicast 200.1.3.3 via su default ro 1.1.1.1/32 ip nhrp map multicast 200.1.3.3
ip nhrp network-id 111
HUB mma
rizatio ute HUB ip nhrp network-id 111 1.1.1.1/32 via summarization
1.1
ip nhrp network-id 111
n 1.1 ip rip advertise 2 HUB ip rip advertise 2
(NBMA must be
.1 ip summary-address eigrp 10 0.0.0.0 0.0.0.0 .1 no ip split-horizon 1.1 .1
no ip split-horizon
specifically routed /32 or
tunnel source Ethernet0/0 tunnel source Ethernet0/0
Tun 1 tunnel source Ethernet0/0
Tun 1 tunnel mode gre multipoint Tun 1 tunnel mode gre multipoint higher AD)
tunnel mode gre multipoint
Spoke
NBMA 3.3 interface Tunnel123 NBMA 3.3 Spoke 3.3 Spoke
2.2 2.2 Spoke: interface Tunnel123 2.2 NBMA Spoke: interface Tunnel123
Spoke
.2 .3 Spoke
Spoke:
router eigrp 10
ip address 123.1.1.2 255.255.255.0
ip nhrp map 123.1.1.1 200.1.1.1
Spoke
.2 .3 Spoke router rip
version 2
ip address 123.1.1.2 255.255.255.0
ip nhrp map 123.1.1.1 200.1.1.1 .2 .3 Spoke
router rip
version 2
ip address 123.1.1.2 255.255.255.0
ip nhrp map 123.1.1.1 200.1.1.1
Thanks for appreciating my efforts
network 123.0.0.0 ip nhrp network-id 111 network 2.0.0.0 ip nhrp network-id 111
Spoke network 2.0.0.0 ip nhrp network-id 111
tunnel source Ethernet0/0 3.3.3.3/32
2.2.2.2/32 3.3.3.3/32 network 2.2.2.2
tunnel destination 200.1.1.1
2.2.2.2/32 network 123.0.0.0 tunnel source Ethernet0/0 2.2.2.2/32 3.3.3.3/32 network 123.0.0.0 tunnel source Ethernet0/0
no auto-summary tunnel destination 200.1.1.1 no auto-summary tunnel destination 200.1.1.1
Colin
http://www.flashcardguy.ch
Phase 1 – OSPF Phase 1 – OSPF HUB HUB Spoke
Spoke
DMVPN
Point-to-point interface Tunnel123 interface Tunnel123 interface Tunnel123
Broadcast interface Tunnel123
ip address 123.1.1.1 /24 ip address 123.1.1.1 /24 ip address 123.1.1.2 /24
no ip redirects
ip address 123.1.1.2 /24
ip nhrp map 123.1.1.1 200.1.1.1
DMVPN Phase 3 and EIGRP no ip redirects no ip redirects
ip
ip nhrp map multicast dynamic ip nhrp map multicast dynamic ip nhrp map multicast 200.1.1.1
nh
Tun 1 Tun 1 ip nhrp map multicast 200.1.1.1
rp
ip nhrp network-id 111 ip nhrp network-id 111 ip nhrp map 123.1.1.1 200.1.1.1
NBMA NBMA ip nhrp network-id 111
m
DMVPN Phase 2 and RIPv2 ip nhrp redirect ip nhrp network-id 222
ap
no ip split-horizon
What three solutions are there ip nhrp nhs 123.1.1.1
(direct Spoke to Spoke)
m
tunnel source Ethernet0/0 no ip split-horizon eigrp 10 ip nhrp nhs 123.1.1.1
ul
tunnel source Ethernet0/0
tic
tunnel mode gre multipoint tunnel source FastEthernet0/0 ip nhrp shortcut
a
tunnel mode gre multipoint
in regards to
st
Error messages! ip ospf prio 0 tunnel mode gre multipoint tunnel source FastEthernet0/0
Not using:
x
.x.
EXCHANGE to DOWN ….
(direct Spoke to Spoke) tunnel mode gre multipoint
x.
router rip
x
router rip
Phase 1 – OSPF Phase 1 – OSPF router eigrp 10
Non Broadcast Point-to-Multipoint
version 2
network 1.0.0.0
version 2
network 2.0.0.0
no ip next-hop-self eigrp 10 network 1.1.1.1 0.0.0.0 router eigrp 10
DMVPN Phase 1 and OSPF? router ospf ip ospf hello 10 network 123.0.0.0 network 123.0.0.0
network 123.1.1.1 0.0.0.0 network 2.2.2.2 0.0.0.0
network 123.1.1.2 0.0.0.0
ip
neigbor x.x.x.x ip ospf dead 40 Tun 1 no auto-summary no auto-summary
nh
Notice the route pointing to .1, traffic flowing to .3 directly as of the 2nd
rp
Tun 1 Tun 1 NBMA R2#show ip route | i 3.3.3.3 Tun 1
m
packet!
NBMA R2#show ip route | I 3.3.3
ap
NBMA R 3.3.3.3 [120/2] via 123.1.1.3, 00:00:16, Tunnel123 NBMA
m
D 3.3.3.3 [90/28288000] via 123.1.1.1, 00:00:16, Tunnel123
ul
R2#traceroute 3.3.3.3 source 2.2.2.2 numeric
tic
as
NBMA Range 200.1.x.x VRF info: (vrf in name/id, vrf out name/id) NBMA Range 200.1.x.x R2#traceroute 3.3.3.3 sou 2.2.2.2 numeric (2nd traceroute)
tx
p2p p2p
.x.
ip ospf prio 0 Tunnel Range 123.1.1.x 1 123.1.1.3 2 msec * 6 msec Tunnel Range 123.1.1.x 1 123.1.1.3 4 msec * 0 msec
x .x
HUB HUB HUB HUB Spoke
Spoke
interface Tunnel123 interface Tunnel123
DMVPN Phase 1 / OSPF interface Tunnel123 router ospf 1
ip address 123.1.1.1 255.255.255.0 router-id 0.0.0.1
interface Tunnel123
ip address 123.1.1.1 /24
interface Tunnel123
ip address 123.1.1.2 /24
ip address 123.1.1.1 255.255.255.0 ip address 123.1.1.2 255.255.255.0
no ip redirects
ip nhrp map 123.1.1.2 200.1.2.2
ip nhrp map 123.1.1.3 200.1.3.3
network 1.1.1.1 0.0.0.0 area 0
network 123.1.1.1 0.0.0.0 area 0
DMVPN Phase 2 and EIGRP no ip redirects
no ip next-hop-self eigrp 10
no ip redirects
DMVPN Phase 3 and OSPF ip nhrp map multicast dynamic
no ip redirects
ip nhrp map multicast 200.1.1.1
ip nhrp map 123.1.1.1 200.1.1.1
ip nhrp map multicast 200.1.2.2 no ip split-horizon eigrp 10 ip nhrp network-id 111 ip nhrp map 123.1.1.1 200.1.1.1
ip nhrp map multicast 200.1.1.1
Broadcast ip nhrp map multicast 200.1.3.3
(direct Spoke to Spoke)
ip nhrp map multicast dynamic ip nhrp network-id 111
ip nhrp redirect ip nhrp network-id 222
ip ospf network point-to-multipoint ip nhrp nhs 123.1.1.1
ip nhrp network-id 111
ip ospf network broadcast
ip nhrp network-id 111
tunnel source Ethernet0/0
ip nhrp nhs 123.1.1.1
tunnel source Ethernet0/0
(direct Spoke to Spoke) tunnel source FastEthernet0/0 ip nhrp shortcut
tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel mode gre multipoint ip ospf network point-to-multipoint
tunnel mode gre multipoint
ip nhrp map multicast x.x.x.x tunnel mode gre multipoint tunnel source FastEthernet0/0
router ospf 1
-> change next-hop behaviour router eigrp 10 router eigrp 10 network 1.1.1.1 0.0.0.0 area 0
tunnel mode gre multipoint
Tun 1 Spoke: network 1.0.0.0 network 2.0.0.0 network 123.1.1.1 0.0.0.0 area 0 router ospf 1
NBMA interface Tunnel123 network 123.0.0.0
Tun 1
network 123.0.0.0 network 2.2.2.2 0.0.0.0 area 0
ip address 123.1.1.2 255.255.255.0 NBMA OSPF Point2Multipoint on all
ip nhrp map 123.1.1.1 200.1.1.1 network 123.1.1.2 0.0.0.0 area 0
Tun 1 R2#show ip route | i 3.3.3.3 routers would cause spokes to
Spoke: ip nhrp network-id 111 always travel via the HUB to other
ip ospf prio 0 router ospf 1
NBMA D 3.3.3.3 [90/28288000] via 123.1.1.3, 00:18:48, Tunnel123 R3#show ip route | i 2.2.
ip ospf network broadcast spokes, with Phase 3, the routes are
router-id 0.0.0.2 ip ospf priority 0 R2#traceroute 3.3.3.3 source 2.2.2.2 numeric O 2.2.2.2 [110/2001] via 123.1.1.1, 00:04:48, Tunnel123
advertised by the HUB, but
NBMA Range 200.1.x.x network 2.2.2.2 0.0.0.0 area 0 tunnel source Ethernet0/0 NBMA Range 200.1.x.x VRF info: (vrf in name/id, vrf out name/id) NBMA Range 200.1.x.x travel/redirect directly from spoke R3#traceroute 2.2.2.2 source 3.3.3.3 numeric
Tunnel Range 123.1.1.x network 123.1.1.2 0.0.0.0 area 0 tunnel destination 200.1.1.1 Tunnel Range 123.1.1.x 1 123.1.1.3 1 msec * 5 msec Tunnel Range 123.1.1.x to spoke! 1 123.1.1.2 0 msec * 0 msec As of 2nd packet!
HUB Spoke HUB Spoke Phase 2: Phase 3:
interface Tunnel123 interface Tunnel123 interface Tunnel123 interface Tunnel123
ip address 123.1.1.1 255.255.255.0 ip address 123.1.1.2 255.255.255.0 DMVPN Phase 2 and OSPF ip address 123.1.1.1 /24
The routing protocol on A Spokes routing protocol
DMVPN Phase 1 / OSPF ip nhrp map 123.1.1.2 200.1.2.2
ip nhrp map 123.1.1.3 200.1.3.3
ip nhrp map 123.1.1.1 200.1.1.1
ip nhrp network-id 111
ip nhrp map multicast dynamic
ip address 123.1.1.2 /24
ip nhrp map 123.1.1.1 200.1.1.1
a Spoke learns prefixes
of other spokes directly
points towards the HUB for
a prefix from another
ip nhrp network-id 111 ip nhrp map multicast 200.1.1.1
ip nhrp map multicast 200.1.2.2 ip ospf network non-broadcast ip ospf network broadcast ip nhrp network-id 111 of the other spokes Spoke, NHRP kicks in an
ip nhrp map multicast 200.1.3.3 ip ospf priority 0 (direct Spoke to Spoke) tunnel source Ethernet0/0 tunnel IP address. redirects traffic directly
non-broadcast ip nhrp network-id 111
ip ospf network non-broadcast
tunnel source Ethernet0/0
tunnel destination 200.1.1.1
tunnel mode gre multipoint
ip nhrp nhs 123.1.1.1
ip ospf network broadcast
What is the difference Traffic then forwarded between spokes.
ip ospf network broadcast ip ospf priority 0
tunnel source Ethernet0/0 router ospf 1
directly to the spokes On Hub: ip nhrp redirect
ip nhrp map multicast dynamic tunnel source Ethernet0/0
router ospf
neigbor x.x.x.x
tunnel mode gre multipoint
Tun 1
network 1.1.1.1 0.0.0.0 area 0
network 123.1.1.1 0.0.0.0 area 0
tunnel mode gre multipoint between DMVPN tunnel IP.
(Resolution done via IGP, On Spokes: ip nhrp shortcut
Tun 1 NBMA
NBMA HUB Spoke
router ospf 1
network 2.2.2.2 0.0.0.0 area 0 Phase 2 and Phase 3 ? not NHRP)
router ospf 1 router ospf 1 network 123.1.1.2 0.0.0.0 area 0
router-id 0.0.0.1 router-id 0.0.0.2 ip ospf prio 0 Pkt
network 1.1.1.1 0.0.0.0 area 0 network 2.2.2.2 0.0.0.0 area 0 ip ospf network broadcast R2#show ip route ospf | i 3.3.3 Tun 1 FWD Tun 1
ip ospf prio 0
network 123.1.1.1 0.0.0.0 area 0 network 123.1.1.2 0.0.0.0 area 0 O 3.3.3.0 [110/1001] via 123.1.1.3, 00:05:10, Tunnel123 NBMA NBMA
NBMA Range 200.1.x.x neighbor 123.1.1.3 NBMA Range 200.1.x.x R2#traceroute 3.3.3.3 source 2.2.2.2 numeric Pfx
Tunnel Range 123.1.1.x neighbor 123.1.1.2 Tunnel Range 123.1.1.x learned
1 123.1.1.3 2 msec * 2 msec
HUB Spoke HUB router bgp 100
interface Tunnel123 interface Tunnel123 interface Tunnel123 bgp log-neighbor-changes
DMVPN Phase 1 / OSPF ip address 123.1.1.1 255.255.255.0 ip address 123.1.1.2 /24
ip nhrp map 123.1.1.2 200.1.2.2 ip nhrp map 123.1.1.1 200.1.1.1
DMVPN Phase 2 and BGP ip address 123.1.1.1 /24
ip nhrp map multicast dynamic
network 1.1.1.0 mask 255.255.255.0
neighbor 123.1.1.2 remote-as 200
ip nhrp map 123.1.1.3 200.1.3.3 ip nhrp network-id 111 ip nhrp network-id 111
ip nhrp map multicast 200.1.2.2 tunnel source Ethernet0/0 neighbor 123.1.1.3 remote-as 300
tunnel source Ethernet0/0
HUB: Point-to-Multipoint ip nhrp map multicast 200.1.3.3
ip nhrp network-id 111
tunnel destination 200.1.1.1 (direct Spoke to Spoke) tunnel mode gre multipoint
Spoke router bgp 200
ip ospf network point-to-multipoint
Spoke: Point-to-Point ip ospf hello-interval 10
interface Tunnel123
ip address 123.1.1.2 /24
bgp log-neighbor-changes
network 2.2.2.0 mask 255.255.255.0
ip ospf dead-interval 40
ip ospf hello 10 ip nhrp map 123.1.1.1 200.1.1.1 neighbor 123.1.1.1 remote-as 100
tunnel source Ethernet0/0
ip nhrp map multicast 200.1.1.1 neighbor 123.1.1.3 remote-as 300
ip
Tun 1
m
HUB Spoke
as
router-id 0.0.0.2
NBMA Range 200.1.x.x network 1.1.1.1 0.0.0.0 area 0 network 2.2.2.2 0.0.0.0 area 0 NBMA Range 200.1.x.x R2#traceroute 3.3.3.3 source 2.2.2.2 numeric
Tunnel Range 123.1.1.x network 123.1.1.1 0.0.0.0 area 0 network 123.1.1.2 0.0.0.0 area 0 Tunnel Range 123.1.1.x 1 123.1.1.3 6 msec * 1 msec
HUB HUB
interface Tunnel123 router ospf 1
DMVPN Phase 1 / OSPF ip address 123.1.1.1 255.255.255.0
ip nhrp map 123.1.1.2 200.1.2.2
router-id 0.0.0.1
network 1.1.1.1 0.0.0.0 area 0
ip nhrp map 123.1.1.3 200.1.3.3 network 123.1.1.1 0.0.0.0 area 0
ip nhrp map multicast 200.1.2.2
HUB: Point-to-Multipoint ip nhrp map multicast 200.1.3.3
ip nhrp network-id 111
Help me create more flashcards:
ip ospf network point-to-multipoint
Spoke: Point-to-Multipoint tunnel source Ethernet0/0
tunnel mode gre multipoint
Tun 1
interface Tunnel123
ip address 123.1.1.2 /24
router ospf 1
router-id 0.0.0.2 Simply press this button and send me your
NBMA ip nhrp map 123.1.1.1 200.1.1.1 network 2.2.2.2 0.0.0.0 area 0
ip nhrp network-id 111 network 123.1.1.2 0.0.0.0 area 0 credit cards regards!
no ip route-cache
Point-to-multipoint ip ospf network point-to-multipoint
NBMA Range 200.1.x.x tunnel source Ethernet0/0
Tunnel Range 123.1.1.x tunnel destination 200.1.1.1
HUB Spoke HUB Spoke HUB
DMVPN Phase 1
interface Tunnel123
ip address 123.1.1.1 /24
interface Tunnel123
ip address 123.1.1.2 /24 DMVPN Phase 1 interface Tunnel123
ip address 123.1.1.1 /24
interface Tunnel123
ip address 123.1.1.2 /24
int tun 123
ip nhrp map 123.1.1.x 200.1.x.x Sta Ranging 5 bucks to unlimited!
ip nhrp map 123.1.1.2 200.1.2.2 ip nhrp map 123.1.1.1 200.1.1.1 ip nhrp map 123.1.1.2 200.1.2.2 ip nhrp map 123.1.1.1 200.1.1.1 tic
ip nhrp map 123.1.1.3 200.1.3.3 ip nhrp map 123.1.1.3 200.1.3.3
ip nhrp map multicast 200.1.x.x ma
ip nhrp network-id 111 ip nhrp network-id 111
What are the main differences pp
ip nhrp network-id 111 tunnel source Ethernet0/0 ip nhrp network-id 111 tunnel source Ethernet0/0 Spoke ing
BGP
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel destination 200.1.1.1
BGP tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel destination 200.1.1.1
between DMVPN Phase 1 int tun 123
ip nhrp map 123.1.1.x 200.1.1.1
router bgp 100 router bgp 200 tunnel destination 200.1.1.1
router bgp 100
bgp log-neighbor-changes router bgp 200 bgp log-neighbor-changes
Using next-hop-self ebgp-multihop 2 between spokes bgp log-neighbor-changes
network 1.1.1.1 mask /32 bgp log-neighbor-changes
neighbor 123.1.1.2 remote-as 200 network 2.2.2.2 mask /24
network 1.1.1.1 mask /32
network 2.2.2.2 mask /24
neighbor 123.1.1.1 remote-as 100 Static mapping HUB
neighbor 123.1.1.2 next-hop-self neighbor 123.1.1.1 remote-as 100
neighbor 123.1.1.2 remote-as 200
neighbor 123.1.1.3 remote-as 300 int tun 123 Dy
neighbor 123.1.1.3 remote-as 300 na
Tun 1 neighbor 123.1.1.3 remote-as 300 neighbor 123.1.1.1 next-hop-self neighbor 123.1.1.3 ebgp-multihop 2 ip nhrp map multicast dynamic mi
NBMA neighbor 123.1.1.3 next-hop-self Tun 1 BGP view Dynamic mapping cm
Spoke ap Thanks for appreciating my efforts
NBMA
100 Be 100 pin
st
Be h pa st
int tun 123 g
t th ip nhrp map 123.1.1.1 200.1.1.1
NBMA Range 200.1.x.x NBMA Range 200.1.x.x pa Packets/
Best forwarding ip nhrp nhs 123.1.1.1
Tunnel Range 123.1.1.x Tunnel Range 123.1.1.x 200 300 200 300
path tunnel destination 200.1.1.1
Colin
http://www.flashcardguy.ch
Disable:
interface GigabitEthernet0/0.146
encapsulation dot1Q 146
.4 .6
ip local policy route-map RMP-POL-LOCAL
IP routing
ip address 155.1.146.6 255.255.255.0 POLICY_ROUTING .3 .5 route-map RMP-POL-LOCAL permit 10
no ip proxy-arp R1#
interface FastEthernet0/0
match ip address TO_R4
Enabling / disabling Proxy-Arp: Enable: ip policy route-map POLICY_ROUTING set ip next-hop 155.1.0.5
interface GigabitEthernet0/0.146
encapsulation dot1Q 146 Policy routing configuration:
ip access-list extended FROM_R4
permit ip host 155.1.146.4 any
Local Policy Routing !
route-map RMP-POL-LOCAL permit 20
Debugging proxy-arp: ip address 155.1.146.6 255.255.255.0 ip access-list extended FROM_R6 Configuration:
no ip proxy-arp permit ip host 155.1.146.6 any match ip address TO_R5
route-map POLICY_ROUTING permit 10
match ip address FROM_R4
set ip next-hop 155.1.146.4
Debug arp set ip next-hop 155.1.13.3
Debug ip packet
route-map POLICY_ROUTING permit 20
match ip address FROM_R6
Affects local by the router generated
IP ARP: rcvd rep src 150.1.6.6 0026.0b57.b960, dst 155.1.146.1 set ip next-hop 155.1.0.5 traffic.
FastEthernet0/0
Interface Loopback0
Ip address 150.1.9.9 255.255.255.0 (/24 Mask!)
Where to use GRE Tunneling and tunnel source Loopback0 IF NOT SPECIFIED WILL USE
ACL PFX…. PITFALL !!
Routing? If you need to create a backup path in case the primary Using RIP ip prefix-list PFX-DISALLOW-TUN-DST seq 5 deny 150.1.9.0/24
more specific route goes down. ip prefix-list PFX-DISALLOW-TUN-DST seq 10 permit 0.0.0.0/0 le 32
Routes
match ip address ACL_SRC_R3_DST_R5
set ip next-hop verify-availability 155.1.146.10 1 track 50 Recursive Routing
set ip next-hop verify-availability 155.1.146.20 2 track 99
What two solutions are there? Solution B:
Administrative distance 10
priorized over 20, using Serial 1
(ip policy with IP SLA combined) set ip next-hop 155.1.146.10
set ip next-hop 155.1.146.20
set ip default next-hop 155.1.0.5 Track Nr
Using static routes with lower
administrative Distance.
Routers:
interface Serial0/0/0.10 point-to-point
backup delay 3 60 Help me create more flashcards:
Backup Interface on backup interface Serial0/1/0 What two possible ways of tracking
Tracking through IP SLA
What is special about routes with
They can not be used, only if the primary
are available in policy routing, Administrative Distance, but are
switches and Unsing an IP and a non-IP configured as the Backup
interface goes down, are the backup
Tracking by the use of CDP interfaces/routes installed!
routers: Switches: protocol? interface? Simply press this button and send me your
Int Port-Channel 22 credit cards regards!
switchport backup interface Fa0/16
switchport backup interface Fa0/16 preemption mode forced
switchport backup interface Fa0/16 preemption delay 20
ip sla monitor 10
Cdp enable
Ip address 155.1.0.5 255.255.255.0
without GRE-Keepalives the router would Ranging 5 bucks to unlimited!
not be able to detect an underlying path
type echo protocol ipIcmpEcho 150.1.1.1 source-interface Gi0/1
timeout 2000
frequency 5
Interface X Reliable Backup error. If the Keepalive stop, the tunnel
line-protocol goes down, and the backup
IP SLA (RTR) configuration and ip sla 1 Routing route-map RELIABLE_POLICY_ROUTING permit 10 interface Tunnel0
monitoring: icmp-echo 155.1.146.1 source-interface FastEthernet0/1
timeout 2000
match ip address FROM_R3_TO_R4_LOOPBACK
Using Keepalives to detect End-To- ip address 10.0.0.5 255.255.255.0
frequency 5 set ip next-hop 155.1.0.5 tunnel source Serial0/0/0
ip sla schedule 1 life forever start-time now
(ip policy utilizing CDP, not IP SLA) set ip next-hop verify-availability
set ip default next-hop 155.1.146.4
End connectivity over Frame-Relay tunnel destination 155.1.0.4
Monitoring: keepalive 1 3
Networks backup interface Serial0/1/0 Thanks for appreciating my efforts
Show rtr config As long as 155.1.0.5 is learned via CDP that next-hop is
Show rtr statistics used as it is verified available.
Show ip sla XX
Colin
http://www.flashcardguy.ch
HUB site
cdp enable
HUB# conf terminal
HUB# router odr Enabled by default, uses NetFlow
oer master
active-probe tcp-conn 150.1.1.1 target-port 23
active-probe tcp-conn 150.1.4.4 target-port 23
R1:
key chain RIP
show oer border key 1 Help me create more flashcards:
OER Automatic prefix Master Controller collects OER BR 150.1.2.2 ACTIVE, MC 150.1.5.5 UP/DOWN: UP 00:20:04,
key-string CCIE
traffic class learning is NetFlow information from show oer border
Auth Failures: 0
Conn Status: SUCCESS, PORT: 3949 RIPv2 Authentication !
Exits
Configuration: interface FastEthernet0/0
based on what: the Border Routers Fa0/0
Se0/0.1
EXTERNAL
INTERNAL
ip rip authentication mode text Simply press this button and send me your
(ip rip authentication mode md5)
credit cards regards!
ip rip authentication key-chain RIP
oer master
Number of Border routers: 3
Number of Exits: 4
How to find spaces within Key-chain RIP:
highest outbound throughput (number of key 1 -- text "CCIE"
learn bytes transferred)
Number of monitored prefixes: 0 (max 5000)
Max prefixes: total 5000 learn 2500 Passwords: accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
show oer master Prefix count: total 0, learn 0, cfg 0
throughpug PBR Requirements not met
delay (RTT time) Nbar Status: Inactive What can “show key chain”
delay Border Status UP/DOWN AuthFail Version
150.1.5.5 ACTIVE UP 00:01:12 0 2.2 reveal?
show run | I CCIE$
http://www.flashcardguy.ch
What will R1 routing table show?
RIP:
clear ip route *
R1#show ip route | I 1.0.0.
O IA 1.0.0.0/24 [110/11] via 2.0.0.3, 00:00:23, e0/0.13 IP routing
Clearing routing ip prefix-list PFX seq 5 permit 128.0.0.0/2 ge 16 What will R1 RIP and OSPF R1#show ip rip database | I 1.0.0.0
EIGRP: database show? 1.0.0.0/24 auto-summary
processes in PREFIX Lists 1.0.0.0/24 redistributed
clear ip eigrp 100 neighbors
[1] via 10.1.13.3, from 0.0.0.3,
R1 RIP
OSPF: Allow class B networks that are or R 128.1.0.0/16 [120/1] via 10.1.12.1, 00:00:01, e0/0 2.x.x
Lo0
R1#show ip ospf database
1.0.0.1/24
clear ip ospf process 132.1.0.0/24 is subnetted, 1 subnets OSPF Summary Net Link States (Area 0)
RIP, EIGRP, OSPF and are not subnetted
.x
3.x
R 132.1.1.0 [120/1] via 10.1.12.1, 00:00:01, e0/0 1.0.0.0 0.0.0.3 752 0x80000001 0x00D1E6
yes
R 191.1.0.0/16 [120/1] via 10.1.12.1, 00:00:01, e0/0 Lo0
BGP: BGP:
1.0.0
.2
ip osp /24
f netw OSPF has the better admin distance than RIP! Therefore
ork p
oint- the OSPF route ends in the routing table!
clear ip bgp * to-po
int
Don’t waste time looking at stars! Change the escape-character to your easy to
What will R1 routing table show? R1#show ip route
remember escape-character:
If you forgotten how to use control, shift, R 1.0.0.0/24 [120/1] via 10.1.12.2, 00:00:01, e0/0.12
6 and X or what it was, change it to Permanent: Per session R1#show ip rip database
something you remember: line con 0 R1#terminal escape-character 27 ip prefix-list PFX seq 5 permit 192.0.0.0/3 ge 24 le 32 What will R1 RIP and OSPF 1.0.0.0/24 auto-summary
escape-character 27
PREFIX Lists: database show? 1.0.0.0/24
R1#traceroute 2.2.2.2 numeric [1] via 10.1.12.2, 00:00:00, e0/0.12
Decimal Hex Key R 192.1.1.0/24 [120/1] via 10.1.12.1, 00:00:02, e0/0
R1 RIP
R1#show ip ospf database | I 1.0.0.0
Type escape sequence to abort. Allow class C networks that are or 193.1.1.0/25 is subnetted, 1 subnets 2.x.x
Lo0
1.0.0.1/24 EMPTY
Tracing the route to 2.2.2.2 27 1B ESC R 193.1.1.0 [120/1] via 10.1.12.1, 00:00:02, e0/0 OSPF
are not subnetted:
.x
3.x
VRF info: (vrf in name/id, vrf out name/id) 194.1.1.0/26 is subnetted, 1 subnets
3 03 Ctrl-C
1 * * * Lo0
As soon as the OSPF route disapears, the RIP route to
127 7F Delete 1.0.0
2 * * * .2
ip os /24 1.0.0.0/24 will be visible via the RIP domain!
pf ne
twork Lo0
3 * * * Lookup in document: p oint-
to-po
int shutdown (-> OSPF has the better Admin Distance)
4 * “ASCII Character Set and Hex Values”
ALL unsubnetted /8 In this case we are redistributing RIP prefixes into EIGRP.
Will R4 see 1.0.0.0 in its routing table? 1.0.0.0/24 will show up in R4's routing table as the prefix
ip prefix-list BLA permit 0.0.0.0/1 ge 8 le 8 is NOT learned from the OSPF database.
x
routing table:
.
OSPF!
3.x
Lo0
Network 1.0.0 Admin Distance:
.2 R1#show ip route 1.0.0.0
Host ip osp /24 RIP 120
First bit has to be “0”,
th
f netw
ork p
Lo0 OSPF 110 Known via "rip"
Up to the 8 bit could be 1 or 0. oint- EIGRP 90
Initial byte: 0 - 127
to -poin
t shutdown
R1 learns 1.0.0.0 from 110 and 120!
Will R4 see 1.0.0.0 in its routing table?
1.0.0.0 is inserted by OSPF into R1's the routing table.
ip prefix-list ROUTES seq 5 permit 128.0.0.0/2 ge 16 le 16 ip prefix-list PFX seq 5 permit 0.0.0.0/0 le 16 Therefore, 1.0.0.0 will NOT be redistributed into EIGRP,
R1# due to the fact that 1.0.0.0 was inserted to R1's routing
PREFIX Lists: R4 EIGRP router eigrp 10 table via OSPF and not RIP!
PREFIX Lists: R 128.1.0.0/16 [120/1] via 10.1.12.1, 00:00:02, e0/0 4.
x.x redistribute rip metric 1 1 1 1 1
R 191.1.0.0/16 [120/1] via 10.1.12.1, 00:00:02, e0/0 R 3.0.0.0/8 [120/1] via 10.1.12.1, 00:00:01, e0/0 1.0.0.0 is found in R1'2 RIP database, but learned via OSPF.
R1 RIP
Allow networks with a prefix- 4.0.0.0/16 is subnetted, 1 subnets
Lo0
Match all unsubnetted /16 R 4.4.0.0 [120/1] via 10.1.12.1, 00:00:01, e0/0 2.x.x 1.0.0.1/24
Admin Distance:
length of 16 or less in its routing R 125.0.0.0/8 [120/1] via 10.1.12.1, 00:00:01, e0/0 OSPF RIP 120
prefixes: OSPF 110
.x
OSPF
3.x
10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh R 128.1.0.0/16 [120/1] via 10.1.12.1, 00:00:01, e0/0
table: Lo0
EIGRP 90
Router-ID
1.0.0 R1#show ip rip database
Network .2
ip os /24
Host pf ne 1.0.0.0/24 auto-summary R1#show ip route 1.0.0.0
First two bits have to be “10”, twork 1.0.0.0.0/24 redistributed
point- Known via "ospf 1"
to -poin
Up to the 16th bit could be 1 or 0. t [1] via 10.1.13.3, from 0.0.0.3,
Initial byte: 128 - 191
How can you solve this situation so that
R1#
ip prefix-list PFX seq 5 permit 0.0.0.0/0 ge 16 le 25
1.0.0.0/24 ends up in R4's routing table? R4 EIGRP router eigrp 10
ip prefix-list ROUTES seq 5 permit 192.0.0.0/3 ge 24 le 24 4.x redistribute rip metric 1 1 1 1 1
. x
R1 RIP
PREFIX Lists: R 192.1.1.0/24 [120/1] via 10.1.12.1, 00:00:01, e0/0
PREFIX Lists
R4
R1#
router eigrp 10 Lo0 Help me create more flashcards:
R 128.1.0.0/16 [120/1] via 10.1.12.1, 00:00:00, e0/0 EIGRP redistribute rip metric 1 1 1 1 1 2.x.x 1.0.0.1/24
R 195.1.1.0/24 [120/1] via 10.1.12.1, 00:00:01, e0/0 4.x OSPF
132.1.0.0/24 is subnetted, 1 subnets
.x
. x
3.x
Allow networks with a prefix- R 132.1.1.0 [120/1] via 10.1.12.1, 00:00:00, e0/0 R1 RIP RID:0.0.0.3
Match all unsubnetted /24 R 191.1.0.0/16 [120/1] via 10.1.12.1, 00:00:00, e0/0 Lo0
Lo0
length of 16 to 25 in its routing R 192.1.1.0/24 [120/1] via 10.1.12.1, 00:00:00, e0/0 2.x.x 1.0.0.1/24
1.0.0
.2
ip osp /24 R1#
prefixes: 110nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
table: 193.1.1.0/25 is subnetted, 1 subnets OSPF f netw router ospf 1 Simply press this button and send me your
.x
ork p
3.x
oint-
R 193.1.1.0 [120/1] via 10.1.12.1, 00:00:00, e0/0 to-po distance 121 0.0.0.3 0.0.0.0 99
Network
Host
Lo0
1.0.0
R1#show ip route 1.0.0.0
Routing entry for 192.168.23.0/24
int
access-list 99 permit 1.0.0.0
credit cards regards!
First three bits have to be “110”, .2
ip osp /24 Known via "ospf 1", distance 110,
Up to the 24th bit could be 1 or 0. f netw
ork p
oint-to * 10.1.13.3, from 0.0.0.3, Increasing the Admin Distance of the OSPF
Initial byte: 192 - 223 -poin route, in order to trigger the RIP route on R1!
t
Colin
http://www.flashcardguy.ch
int fa0/0 ALWA
RIP
YS R1
ip rip authentication mode md5 -> ord KEY-CHAIN
er of
ip rip authentication key-chain RIP opera FIRST 155.1.7.0/24
155.1.0.1 router rip
tion 155.1.9.0/24 R3 R5
The default route: 155.1.146.0/24 FR S0/0 distribute-list 100 in Serial0/0
debug ip rip cloud
155.1.0.3
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.10.1.254 on FastEthernet0/0
Prefix lists for: ip prefix-list DEFAULT permit 0.0.0.0/0
debug ip rip key chain RIP Explain RIP filtering with access-list 100 deny ip host 155.1.0.3 host 155.1.7.0
key 1 Key ID value must match! The default route: ---------------------------------------------------------- Extended ACLs: Prefix/network to be filtered
key-string CCIE
Output, seeking for authentication: R5#
int fa0/0 ANY ANY, all routes: access-list 100 deny ip host 155.1.0.3 host 155.1.9.0
router rip relay cloud using extended access-lists over Frame-Relay R4 R5 BGP:
FR S0/0
network 150.1.0.0 cloud
no auto-summary
S0/0 Source field = Network Address
ip 155.1.0.4
R1 – R3 should be allowed updates, What differences are there with Destination field = Subnet Mask
Configuring IP rip versions
interface fa0/0 whereas R4 is not. R2 Extended access-lists
(send/receive): ip address 155.1.108.8 255.255.255.0 R1
router rip
version 2 between IGPs and BGP
access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
http://www.flashcardguy.ch
AL
R1#ping 4.4.4.4 L
Tricky RIP problem con rou
Router rip
passive-interface default Find the fault:
………. Not successful
RIP ?
- on a per-prefix basis Updates process Multicast announcements! R4 R1
R2 R3
R1
R2 R3
- on a per-neighbor per-prefix basis
R2#
Can be verified by show ip protocol int ser0/0
R3#
int ser0/0
ip address 10.0.0.1/24 no ip address
int fa0/2
Broadcast can be changed from 255.255.255.255 to: ip address 10.90.90.1 255.255.255.0
bfd interval 50 min_rx 50 multiplier 5
int gi0/0.146
ip broadcast-address 155.1.146.255
Process:
ip route 169.254.0.1 255.255.255.255 Null0 track 99
Validation no validate-update-source router rip
/8
How to inject a How will R2 routing table R1 R2 Ranging 5 bucks to unlimited!
0
0.
1) int fa0/x look in regards to 1.0.0.0/8
0.
1.
Conf t RIP default route ip summary-address rip 0.0.0.0 0.0.0.0 (per neighbor)
http://www.flashcardguy.ch
R2
8
0/
Option 1:
RIP
0.
R1
0.
1.
/8
R2 R1# RIP: router rip
distribute-list X
.0
int ser0/0
.0
R1
0
router rip
How to add an offset router rip Option 2:
no validate-update-source
offset-list 0 out 7 What filtering options are router rip
Explain what the following does: R2#
int ser0/0
value of 7 to ALL routes there in regards to RIP? offset-list X
ip address 22.0.0.22 255.255.255.0
router rip router rip Option 3:
no validate-update-source no validate-update-source
router rip
R2#
R 1.0.0.0/8 [120/2] via 10.0.0.1, 00:00:03 distance 255 ...
X
x.x.x.x/10 4.0.0.0/8 route-map EIGRP-2-RIP permit 10
router RIP
R3 5.0.0.0/8 match ip address prefix-list PFX-3 redistribution routes from 3) Setting a tag value on the originating
set metric 2 router, denying that tag to be redistributed
deny x.x.x.x/8 to ip prefix-list NET permit 0.0.0.0/0 ge 8 le 10 other protocols?
X
x.x.x.x/10
Redistribute prefixes from EIGRP route-map EIGRP-2-RIP permit 20 using route-maps
R3 ip prefix-list R2 permit 10.0.0.2/32
match ip address prefix-list PFX-4
to RIP setting the hop count for 4) using distribute lists
set metric 3
Filter out routes with a /8 to /10 router rip 3.0.0.0 networks to 2 and for
prefix sourced from Router R1 route-map EIGRP-2-RIP permit 30
distribute-list prefix NET gateway R2 in 4.0.0.0 to 3, anything else to 1: 5) using an offset-list (RIP sourced PFXs)
R1#
1.0.0.0/8
R1 R2
2.0.0.0/8
1.0.0.0/8
R1 R2
2.0.0.0/8 What methods are 1. host route to the other interface IP int ser0/0
ip address unnumbered lo88
specifying the local interface
R1 and R2 # int e0/0
ip rip authentication mode md5
R1 and R2 # int e0/0 there to bypass RIP’s (ip route x.x.x.x/32 fa0/x) int lo88
ip rip authentication mode md5 router rip How to bypass RIP’s sanity check by ip address 192.168.1.1 255.255.255.0
ip rip authentication key-chain
BLA
ip rip authentication key-chain BLA sanity checks if you no-validate-source
using ip unnumbered LoX router rip
version 2
R1: R2: R1:
key chain BLA
R2:
key chain BLA
have the following 2. on the connecting interface use:
ip unnumbered LoX
no auto
network 192.168.1.0
key chain BLA key chain BLA R2#
key 1 key 2 key 1
key-string CISCO
key 2
key-string CISCO
situation: in order to bypass the sanity check, using the
interface rather then the IP address as next-hop using ip unnumbered
int ser0/1
ip address unnumbered lo99
key-string CISCO key-string CISCO
loopback, sets the Interface
3. change the encapsulation to PPP and do int lo99
R1#show ip route R1 and R2 use the same password, but R2 as the next-hop and not the ip address 10.0.0.2 255.255.255.0
NO ROUTE has the greater Key value! R2 see’s R1 fa0/0
router rip source IP address, bypassing
fa0/0 ser0/0 ser0/0
routes, but not the other way around! ip addr 192.168.1.1 255.255.255.0 ip addr 10.0.0.2 255.255.255.0 no validate-update-source ip addr 192.168.1.1 255.255.255.0 the sanity check! router rip
What can happen in this scenario? R2#show ip route
ip addr 10.0.0.2 255.255.255.0
version 2
router rip router rip 4. “adjust” the problem by using a correct secondary router rip no auto
R 1.1.1.1 [120/1] via 10.0.0.1, 00:00:24, e0/0 router rip
network 10.0.0.0
network 192.168.1.0 network 10.0.0.0 IP address (may not be a valid CCIE Lab answer) network 192.168.1.0 network 10.0.0.0
Suppresses triggered updates when the R1# R1#
int fa0/0 int ser0/0
arrival of a regularly scheduled update ip address 192.168.1.1 255.255.255.0 ip address 192.168.1.1 255.255.255.0
What does the following RIP matches, or is less than the number of ip route 10.0.0.2 255.255.255.255 fa0/0 encapsulation ppp
shutdown
command do? seconds that is configured. router rip
version 2
How to bypass RIP’s sanity check by no shut
How to bypass RIP’s sanity check by no auto changing the encapsulation to PPP router rip
Bypassing the sanity check via
If configured visible via using the “host route method” no validate-update-source no-validate-source, and routing
version 2
router rip Network 192.168.1.0
towards the other IP via
no auto
network 192.168.1.0 R2#
Regular
Sending updates every 60 seconds, next router rip
no auto
router rip router rip
clear ip route *, sit back and relax no auto
Regular router rip no validate-update-source network 10.0.0.0
update update due in 41 seconds network 192.168.1.0 network 10.0.0.0 Network 10.0.0.0 network 192.168.1.0 network 10.0.0.0 no validate-update-source
R1#
int fa0/0 Fast Router Slow Router
R2#show ip protocols
….
ip address 192.168.1.1 255.255.255.0 How can you instruct the fast RIP
ip address 10.0.0.1 255.255.255.0 secondary running RIP running RIP
Interface Send Recv Triggered RIP Key-chain
How to “bypass” RIP’s sanity check router rip
router to slow down its pace while
FastEthernet0/0 2 2 KEY
FastEthernet0/1 2 2 KEY23 by using a secondary address: version 2 sending updates to the slow one? Help me create more flashcards:
no auto
How to check which key-chain is network 10.0.0.0
network 192.168.1.0
Bypassing the RIP sanity check FastRouter#
used on which interface with RIP? key chain KEY interface FastEthernet0/0 by using a secondary address
router rip
key 1 ip address x.x.x.x 255.255.255.0 “adjusting” the problem. Fast Router Slow Router
R2#
key-string cisco ip rip authentication key-chain KEY running RIP running RIP output-delay <50 in msec>
int fa0/1
ip address 10.0.0.2 255.255.255.0 Simply press this button and send me your
key chain KEY23 interface FastEthernet0/1
ip address y.y.y.y 255.255.255.0
fa0/0
ip addr 192.168.1.1 255.255.255.0
fa0/0 router rip
version 2 The fast router adds 50 msec delay
credit cards regards!
key 1 ip addr 10.0.0.2 255.255.255.0
no auto
key-string cisco23 ip rip authentication mode md5 between each of the update packet.
router rip router rip network 10.0.0.0
ip rip authentication key-chain KEY23
network 192.168.1.0 network 10.0.0.0
Has to b
R2#conf t e a cla
network ssful
On which router would you configure: !! ip default-network 99.0.0.0 Ranging 5 bucks to unlimited!
ip default-network 2.0.0.0 ip route 99.0.0.0 255.0.0.0 null 0
ip default-network x.x.x.x
R3#show ip route Describe
Gateway of last resort is 2.0.0.2 to network 0.0.0.0 0.0.0.0/0
In this RIP network? increase the capable number of
R* 0.0.0.0/0 [120/1] via 2.0.0.2, 00:00:01, Serial1/2 23.1.1.x router rip
ip default-network x.x.x.x NOT yet processed RIP update
0.0.0.0/0 0.0.0.0/0 packets to 120 on a RIP router: input-queue 120
in a RIP domain: 12.1.1.x
2.0.0.x
4.0.0.x
3.0.0.x 2.0.0.x
z.z.z.z
4.0.0.x
3.0.0.x
z.z.z.z Thanks for appreciating my efforts
R* 0.0.0.0/0
R2
Colin
http://www.flashcardguy.ch
OR case:
int loopback 9
ip address 9.9.9.9 255.255.255.0
int loopback 99
ip address 99.99.99.99 255.255.255.0
Advertise a default route in RIP
if track 9 interface Loopback9 line-protocol
track 99 interface Loopback99 line-protocol
3.0.0.3
1.0.0.1
R2
router rip
R1 default-information originate route-map
Explain two options on how to rMP-DEF-fa0/x
send a default route only on the
link towards R2 in RIP route-map RMP-DEF-fa0/x permit 10 Thanks for appreciating my efforts
set interface fa0/x
Colin
http://www.flashcardguy.ch
Amount of time EIGRP
Time it took to neighbor and
waits to re-send a
a ACK is received back.
packet from the queue
EIGRP
R3#show ip eigrp neighbors
2 155.1.37.7
1 155.1.0.5
Fa0/0
Se1/0.1
(sec)
12
139
(ms)
00:05:22 6 200
00:07:12 39 1140
Cnt Num
0
0
27
124
EIGRP Unicast router eigrp 100 Prefix-Lists
distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in
condition?
Feasible Distance, it is considered an R5# show ip route eigrp | i EX Extended Access-
alternative path. Network D*EX 200.0.0.0/24 [170/2812416] via 155.1.0.1, 00:00:52, Ser0/0/0
------------------------------------------------------------------------------------------
R5# sh ip route
Lists access-list 100 deny ip host 155.1.0.2 host 150.1.2.0
- if the Advertised Distance is smaller than ia - IS-IS inter area, * - candidate default, U - per-user static route
the Feasible Distance, it is considered as a o - ODR, P - periodic downloaded static route Where 155.1.0.2 is the next hop
new Feasible successor. 150.1.2.0 is the prefix.
Gateway of last resort is 155.1.0.1 to network 200.0.0.0
Interface fa0/0 EIGRP Filtering with router eigrp 100 Help me create more flashcards:
distance 255 0.0.0.0 255.255.255.255 4
What are usefull EIGRP Debug debug eigrp packets hello
Configuring EIGRP summary
ip summary-address eigrp 100 30.0.0.0 0.0.0.0 Administrative
commands: debug eigrp fsm addresses EIGRP AS: 100
Distance 0.0.0.0 255.255.255.255 specify from
any neighbour.
Simply press this button and send me your
Per prefix, any neighbour: Setting the Admin Distance to credit cards regards!
UNKNOWN 255 from any neighbour
for prefix 150.1.4.0/xx
http://www.flashcardguy.ch
Router# show ip protocols
Configure EIGRP so that if a query
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
router eigrp 100
to a missing route is stuck in Active timers active-time 1 EIGRP
Default networks accepted from incoming updates will be declared dead after one (Stuck in Active SIA ) Declare route down if no answer
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
interface Ser0/0/0.1 point-to-point Checking the usage of the EIGRP EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
minute: was received after one minute.
ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
EIGRP Summarization Metric Weights / K-Values using: Redistributing: eigrp 100
EIGRP NSF-aware route hold timer is 240s
sending only a Default Route: Everything else will be suppressed out this interface, only
Automatic network summarization is not in effect
Maximum path: 4
router eigrp 100
the Default route will be advertised out Ser0/0/0.1. show ip protocols Routing for Networks:
150.1.0.0
timers active-time disable
155.1.0.0
Routing Information Sources:
Configure EIGRP so that SIA Disables the timers and permits the
Gateway
155.1.0.2
Distance Last Update
90 00:15:49
condition can remain indefinitely routing wait time to remain active
155.1.45.4 90 00:15:06
Distance: internal 90 external 170
indefinitely.
interface Serial0/1/0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
leak-map LEAK_LOOPBACK0
Leak Map
Composite metric is (128000/0), Route is Internal
Vector metric:
Minimum bandwidth is 10000000 Kbit
considered with Hello
RD If after 5 seconds the adjacency is NOT established use
show ip eigrp
Total delay is 5000 microseconds
Reliability is 255/255 Timers and EIGRP? UNICAST.
This will send out only a default route and the leaked out Load is 1/255
FD
Minimum MTU is 1514
Loopback0 prefix of 150.1.4.0/24
topology PREFIX MASK Hop count is 0
interface FastEthernet0/0
ip summary-address eigrp 100 150.1.4.0 255.255.254.0 5
EIGRP Floating !
ip route 150.1.4.0 255.255.254.0 155.1.0.4
conf t
Summarization interface fa0/0
Specific
150.1.4.0/24
Using solely EIGRPs Delay K-Value, delay 999999 Which debug command would you debug eigrp packet terse
Summary
150.1.4.0/23 after performed changes, what end use to troubleshoot EIGRP Stuck In EIGRP: Enqueueing QUERY on Port-channel1
Generates summary with route to
needs to be done? Active situations? EIGRP: Received QUERY on Vlan79 nbr 155.1.79.7
Null0. Fa0/0 EIGRP: Enqueueing ACK on Vlan79 nbr 155.1.79.7
155.1.67.6 (Vlan67), from 155.1.67.6, Send flag is 0x0 EIGRP stub is used to limit the query messages, limiting
Composite metric is (25728000/128000), Route is Internal SIA conditions.
EIGRP Poisoned Floating interface GigabitEthernet0/0 Feasible Distance: ( Feasible Distance FD / Advertised Distance AD )
router eigrp 100
ip summary-address eigrp 100 150.1.4.0 255.255.254.0 255
Summarization eigrp stub connected
Advertised Distance is the distance received from the
neighbour.
What for does one use
Reported Distance: R5#show ip eigrp neighbors detail
Propagating a summary out, but Poisoning the route via setting the Admin Distance to Feasible Distance is the routers distance to the network,
EIGRP stub routing? IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
UNKNOWN, prevents the summary to be announced out once added the local interface “cost” / metric to the (sec) (ms) Cnt Num
locally deny of using it via AD: Gi0/0 Advertised Distance: path. 5 155.1.58.8 Gi0/0 29 00:00:28 8 200 0 150
Version 12.2/3.0, Retrans: 0, Retries: 0, Prefixes: 3
Stub Peer Advertising ( CONNECTED ) Routes
Suppressing queries
Metric Weights How can one identify the effect of Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 4
* 155.1.67.7, from 155.1.67.7, 00:00:43 ago, via GigabitEthernet0/0.67
EIGRP Stub Routing route-map STUB_LEAK_MAP permit 20
!
router eigrp 100
metric weights 0 K1 K2 K3 K4 K5 EIGRP variance of an IP route? Route metric is 3072, traffic share count is 5
Total delay is 120 microseconds, minimum bandwidth is 100000 Kbit with Leak Map eigrp stub connected leak-map STUB_LEAK_MAP
http://www.flashcardguy.ch
The administrative Interface e0/0
EIGRP
EIGRP Filtering with distance for EIGRP router eigrp 100 bfd interval 50 min_rx 50 multiplier 3
Per Neighbor AD eigrp router-id 150.1.2.2
internal routes can be
changed on a per prefix
EIGRP Router-ID EIGRP BFD router eigrp 100
Can be used to filter out external EIGRP routes of
Differences between Internal bfd interface e0/0
basis, but external EIGRP a different router, by using his Router-ID, the local
Router will ignore those routing updates.
EIGRP routes and External ones:
routes cannot. bfd all-interfaces
router eigrp 100 match routes with a metric of 110, or 200, or a metric
Configure a route-map distribute-list route-map METRIC_RANGE in
ip route 0.0.0.0 0.0.0.0 Null0
within a range of 700 to 800
(750 plus / minus 50 = low 700 high 800)
filter for EIGRP that A)
B)
network 0.0.0.0
redistribute static into EIGRP Route-map METRIC
filters routes with a route-map METRIC_RANGE deny 10 EIGRP Default routes route-map METRIC
metric that ranges within match metric 625000 +- 125000 ip summary-address eigrp 100 0.0.0.0 0.0.0.0 match different metrics match metric 110 200 750 +- 50
500000 – 700000 from route-map METRIC_RANGE permit 20 3 options ip default network 99.99.0.0
metric +/-
entering the routing router eigrp 100
router eigrp 1
redistribute ospf route-map METRIC
table: ( METRIC 625K +/- 125K = 500K or 750K )
network 99.99.0.0
metric +/-
Ad RP
EI
d na
G
Pa m
router eigrp 100
th ed
router eigrp name
on m
interface Serial0/1 network 1.0.0.0 address-family ipv4 autonomous-system 10
ly od
EIGRP Bandwidth
wi e!
af-interface tunnel 0
EIGRP Add path support
th
bandwidth 1544 no next-hop-self no-ecmp-mode
Pacing ip bandwidth-percent eigrp 100 10 add-paths 4
Make sure EIGRP does not use no default-information Add Path Support on Spoke:
more than 154Kbit of Bandwith on
allowed out D 1.0.0.0 (without D* on R2) enables hubs in DMVPN to router eigrp name
the link: (10% of 1544 is 154Kbit)
route
r
no de eigrp x advertise multiple best address-family ipv6 autonomous-system 10
fault-i paths to spokes af-interface tunnel 0
nform
ation no next-hop-self no-ecmp-mode
allow
ed ou add-paths 4
t
router eigrp 55
address-family ipv4 vrf X autonomous-system 66 Ranging 5 bucks to unlimited!
router eigrp 100 neighbor 1.2.3.4 description MY-DESCRIPTION
neighbor 1.2.3.4 maximum-prefix 600 <threshold> EIGRP router eigrp 100
no eigrp log-neighbor-changes address-family ipv4 [unicast] vrf vrf-name
EIGRP [warning-only]
redistribute maximum-prefix maximum
eigrp log-neighbor-warnings 20
EIGRP Neighbor neighbor 1.2.3.4 maximum-prefix 600 <threshold> reset- Redistribute maximum-prefix
time <min> restart <min> ...
neighbor maximum prefix
Logging Only create a warning message Autonomous-System router eigrp INSTANCE-NAME
address-family ipv4 vrf X autonomous-system 66
every 20 seconds. per vrf / per neighbor router eigrp INSTANCE-NAME
topology {base | topology-name tid number}
address-family ipv4 vrf X autonomous-system 66
neighbor 1.2.3.4 description MY-DESCRIPTION Named-Mode redistribute maximum-prefix maximum Thanks for appreciating my efforts
neighbor 1.2.3.4 maximum-prefix 600 <threshold>
[warning-only]
Colin
http://www.flashcardguy.ch
conf t What will R1 have in its routing table in
ca .0.1
Loopbacks:
route-tag notation dotted-decimal Sets the route-hold timer to determine how long an NSF- 1.1.0.0/24 Ser1/1 Ser1/2
EIGRP
0
regards to the 1.0.0.0 networks?
, w 1 0.
rd
range: 1 to 4294967295 aware router that is running EIGRP will hold routes for an 1.1.1.0/24
tag .2.2.
inactive peer. R2#
ild
range: 0.0.0.0 to 255.255.255.255 1.1.2.0/24
EIGRP router eigrp 100 R1
it 2
network 1.1.0.0 0.0.255.255
1.1.3.0/24
timers graceful-restart purge-time <seconds>
erm
eigrp default-route-tag <123 or 0.0.1.2> interface Serial1/2
p
for internal routes only ip summary-address eigrp 100 1.1.0.0 255.255.252.0 R1#show ip route eigrp
T1
Verify using: show ip protocols
EIGRP Nonstop Forwarding (NSF) 1.0.0.0/24 is subnetted, 4 subnets
-LIS
router eigrp 100
route-map X permit D 1.1.0.0 [90/206400] via 12.1.1.1, 00:02:08, Serial1/1
AG
eigrp stub connected
Route Tag Enhancements match tag 1235 Awareness debug ip eigrp notifications D 1.1.1.0 [90/206400] via 12.1.1.1, 00:02:08, Serial1/1
st T
match tag 0.0.12.99 D 1.1.2.0 [90/206400] via 12.1.1.1, 00:02:08, Serial1/1
li
EIGRP:NSF:AS2. Rec RS update from x.x, Wait for EOT.
tag
match tag list TAG-LIST1 D 1.1.3.0 [90/206400] via 12.1.1.1, 00:02:08, Serial1/1
te-
Graceful-restart UAL-5-NBRCHANGE:IP-EIGRP(0) 2:Neighbor Loopbacks:
rou
conf t x.x (fa3/0) is up:peer NSF restarted 1.1.0.0/24 Ser1/1 Ser1/2
route-tag list NAME permit 1235 8879 EIGRP-IPv4 100: Neighbor x.x (fa1/0) is resync: peer graceful- 1.1.1.0/24
restart THE INDIVIDUAL ROUTES SEEN!!!
1.1.2.0/24
R1 NO SUMMARY, even it is configured!
show route-tag list 1.1.3.0/24
Static route /2 4
What will R1 have in its routing table ? RIP .1.1.0 Ser1/2
Make sure EIGRP uses max 520 kbit R1# 11.0.0.0/8 x 200
EIGRP on the control plane and Locator ID Separation prefi
R2# Loopbacks:
Protocol (LISP) encapsulation of bandwith, do NOT use conf t router eigrp 100 1.1.0.0/24 Ser1/1
network 1.1.0.0 0.0.255.255
ip bandwith-percent eigrp x 520 or interface serial 1/0 1.1.3.0/24 R2 R1
- must configure the neighbor command with LISP interface Serial1/2
any service-policy applied to the bandwith 1040 ip summary-address eigrp 100 1.1.0.0 255.255.252.0
R2#
encapsulation on every CE
EIGRP over the top interface: router eigrp 100
router eigrp 100
eigrp stub redistributed
- having many CE, could use EIGRP Route Reflectors redistribute static
(E-RRs) redistribute rip metric 1 1 1 1 1
Background info: By default EIGRP will use up to 50% of the eigrp stub redistributed
links bandwith for EIGRP. R1#show ip route eigrp
E-RR: remote-neighbors source Ser1/0 Ser1/2 D EX 11.0.0.0/8 [170/2051] via 12.1.1.1, 00:00:36, Ser1/1
to listen to unicast messages from peer Ces Static route 24
RIP .1.0/ D EX 200.1.1.0/24 [170/2560] via 12.1.1.1, 00:00:36, Ser1/1
bandwith 1040 / 2 = 520 kbit/s 11.0.0.0/8 200.1 Ser1/2
prefix
Loopbacks:
1.1.0.0/24 Ser1/1
1.1.3.0/24 R2 R1
router eigrp 100
EIGRP over the top on CE network 1.1.0.0 0.0.255.255 OL EIGRP a neigbor command is used on an
D
EIGRP Summary-address interface Serial1/2
Will 3.0.0.0/8 be seen by the other two Ethernet Broadcast medium, EIGRP will no
router eigrp virtual-name routers in this EIGRP network?
address-family ipv4 autonomous-system 65 (classic, old fashioned) ip summary-address eigrp 100 1.1.0.0 255.255.252.0 longer use broadcast for other still
neighbor 1.2.3.4 fa0/x remote <max-hops> lisp-encap <lisp-id> broadcast enabled routers on the same Help me create more flashcards:
3.0.0.0/8 segment!!
EIGRP over the top --------------------------------------------- Ser1/0 Ser1/2
works
EIGRP over the top Route Reflectors E-RR 3.0.0.0/8 3.0.0.0/8
NE 10.1.1.3 10.1.1.2
W
router eigrp NAME 10.1.1.3 10.1.1.2 10.1.1.3 10.1.1.2
E-RR router eigrp NAME EIGRP Named Mode 10.1.1.1
address-family ipv4 unicast autonomous-system 55
af-interface fa0/0 Summary-address
address-family ipv4 unicast autonomous-system 100 10.1.1.1 10.1.1.1
Simply press this button and send me your
af-interface Serial1/1
no next-hop-self
no split-horizon
summary-address 2.2.0.0 255.255.252.0
exit-af-interface R1# Will not work
3.0.0.0/8 works credit cards regards!
2.2.0.0/22 Ser1/1 Ser1/2 1.1.0.0/22 router eigrp NAME 10.1.1.3 10.1.1.2
! topology base address-family ipv4 autonomous-system 100
remote-neighbors source fa0/x unicast-listen lisp-encap 1 exit-af-topology 10.1.1.1
neigbor 10.1.1.2 fa0/x
network 2.2.0.0 0.0.255.255 mcast
Convert from EIGRP classic mode to Named mode, Cla Redistribute OSPF into EIGRP so that R2
R1#
R2#sh
http://www.flashcardguy.ch
router eigrp 100 classic 3.0.0.0/8 3.0.0.0/8 3.0.0.0/8 4.0.0.0/8 3.0.0.0/8
X
R1
Verify: 10.1.1.1
router eigrp 10
X
show ip eigrp 100 interfaces detail fa0/1 | i time
10.1.1.1 R1 R1
And router eigrp TST named distance 91 10.1.1.3 0.0.0.0 88
R1#
R1 router eigrp 100 access-list 88 permit 3.0.0.0 0.0.0.255
address-family ipv4 unicast autonomous-system 200
Named Mode: distribute-list 102 in FastEthernet0/0 R1 should prefer R2 for prefix 3.0.0.0 access-list 88 deny any
R1 should filter out 3.0.0.0 via R3, while
af-interface FastEthernet0/1 as long as R2 is up within EIGRP AS 10
hello-interval 10 receiving 3.0.0.0 and 4.0.0.0 via R2 access-list 102 deny ip host 10.1.1.3 3.0.0.0 0.0.0.255
hold-time 30 access-list 102 permit ip any any Making the path worse for 3.0.0.0 from R3
30.0.0.3/24
Unequal cost DLY 20000 R1 R2
30.0.0.3/24
router eigrp NAME calculation EIGRP 24
R1
14
R2#
128K .0/ .0. 128K D EX 3.3.0.0/16 [170/816] via 10.0.0.3, 00:02:37, Fa0/1
.0 0.0
address-family ipv4 unicast autonomous-system 100 You want to get a ration 1:3 13
.0 /2
4 3x R1
R1#
How to configure the router to from R1 to 34.0.0.0/24 1x R3 R4 int loopback30
never exceed more then 10% of any af-interface default DLY 20000 DLY 20000 R2 should receive the following:
ip address 30.0.0.3 255.255.255.0
34.0.0.0/24
links bandwith for EIGRP in named bandwidth-percent 10 R2#
mode: D EX 3.3.0.0/16 [170/816] via 10.0.0.3, 00:02:37, Fa0/1 ip default-network 3.3.0.0
R1#show ip route 34.1.1.0 | i via|share
14.1.1.4, from 14.1.1.4, 00:00:29 ago, via Serial1/4
Route metric is 21024000, traffic share count is 1 router eigrp 500
You have to make path via Ser1/3 3x worse than via Ser 1/4
* 13.1.1.3, from 13.1.1.3, 00:00:29 ago, via Serial1/3
You should use “redistribute static” under the EIGRP redistribute static metric 1 1 1 1 1
Route metric is 21024000, traffic share count is 1 In oder to end up with a load-distribution of 1x via R3 and 3x via R4
process on R1, but do NOT use a static route on R1!
3x 21024000 = 63072000 R1#show ip route | I S
S 30.3.0.0/16 [1/0] via 130.3.3.0
Check the Vector metrics Bandwith and Delay for the Path
from R1 to 34.1.1.0/24 and extract the two values per path EIGRP 20
access-list 99 permit 1.1.0.0 0.0.255.255 63072000 = 256 (BW + DLY) Redistribute connected
R1#show ip eigrp 300 topology 34.1.1.0 255.255.255.0 (-> D EX, within EIGRP 20) configured for 1.0.0.0/8 and 2.0.0.0/8
EIGRP-IPv4 Topology Entry for AS(300)/ID(0.0.0.1) for 34.1.1.0/24 R3 R4
router eigrp A-100 State is Passive, Query origin flag is 1, 2 Successor(s), FD is 1024000 EIGRP 20
address-family ipv4 unicast autonomous-system 100 Descriptor Blocks:
EIGRP offset-lists topology base 13.1.1.3 (Serial1/3), from 13.1.1.3, Send flag is 0x0 R3 R4
Configuration: offset-list 99 out 8888 Serial1/3 Composite metric is (1024000/512000), route is Internal 1.0.0.0/8 R1 R2 2.0.0.0/8 X
Vector metric:
Minimum bandwidth is 128 Kbit
Background info regarding the calculation:
Redistribute connected
X
Bandwith: 10'000'000 is a fixed EIGRP value.
Total delay is 40000 microseconds Delay: under the interface delay is configured in 10th of micro-seconds (-> D EX, within EIGRP 20) configured for 1.0.0.0/8 and 2.0.0.0/8 1.0.0.0/8
on R1 R2 2.0.0.0/8
Hop count is 1 tc Redis
“classic mode” Redis t con
Originating router is 0.0.0.1 Calculate Path via Serial 1/3
access-list 99 permit 1.1.0.0 0.0.255.255 14.1.1.4 (Serial1/4), from 14.1.1.4, Send flag is 0x0 Ensure that R1 and R2 do never accept External
Composite metric is (1024000/512000), route is Internal Bandwith = 10'000'000 / 128 = 78125
Named mode: Vector metric: routes from each other. router eigrp 20
router eigrp 10 Delay 40000 / 10 = 4000
Minimum bandwidth is 128 Kbit Do not use a distribute-list / offset-list / Distance. eigrp router-id 0.0.0.22
offset-list 99 out 8888 FastEthernet0/17 Total delay is 40000 microseconds
Any future external route should be accounted
Hop count is 1 You have two choices, either manipulate the Delay value or
Originating router is 0.0.0.4 the Bandwith Value. Its recommended to use Delay, as for. Set the same router-id on R1 and R2!!
router eigrp A-100 routing protocols and QoS uses the Bandwith statement
under the interface for their calculations, whereas only Redist. connected Redist. connected Configure the same EIGRP router-id on R1 and R2, so they
EIGRP Metric formula: EIGRP 20
address-family ipv4 unicast autonomous-system 100 EIGRP considers delay. 2.2.2.2/32 will reject any external prefixes seen with
1.1.1.1/32 Fa0/0
R3 R2 af-interface Serial1/2 256 (BW + DLY) = COMPOSITE-Metric R1 R2 “their own router-id”
summary-address 1.1.0.0 255.255.252.0
20.1.1.3 64K 256K 10.1.1.2 exit-af-interface
router eigrp 20
In order to have 3x the metric (63072000) received from R3 R3 eigrp router-id 0.0.0.22
af-interface Serial1/3 EIGRP 99
20.1.1.1 R1 10.1.1.1 summary-address 1.1.0.0 255.255.252.0
R4 (21024000)we need to calculate the following:
R1#show interface ser 1/3 Intended
exit-af-interface Redist. connected Redist. connected
63072000 = 256 (BW + DLY) MTU 1500 bytes, BW 128 Kbit/sec, DLY 20000 usec, EIGRP 20
current 1.1.0.0/22 topology base
path
1.1.1.1/32 2.2.2.2/32
Fa0/0
desired summary-metric 1.1.0.0/22 1 1 1 1 1 distance 90 R1 R2
63072000 = 256 (78125 + 4000) Make sure the that R1 and R2 never use the
R3#show ip route 1.1.0.0 | i metri 164250 + 20000 = 184250 direct fa0/0 to reach each others external
R1 generates a summary 1.1.0.0/22 to R2 and R3, make R3 R3
Known via "eigrp 100", distance 90, metric 2560512256, type internal prefixes.
sure R3 will not use R2 to reach the summary. 63072000 = 256 (82125) EIGRP 99
The solution: Do not use distribute-list / offset-list / distance.
EIGRP should be configured in named mode R2#show ip route 1.1.0.0 | i met Intended
Send the summary with equal cost to both R2, and R3! Known via "eigrp 100", distance 90, metric 2560512256, type internal 63072000 R1#conf t path
256
= 82125 int serial 1/3
R1#show ip route 34.1.1.0 | i share
delay 184250 EIGRP Route metric is 21024000, traffic share count is 1 (Serial 1/3)
What is the difference between the X = the value you need to add to R3's Route metric is 21024000, traffic share count is 1 (Serial 1/4)
path to make it 3x worse then via R4!
router eigrp X Desired Ratio 1:3 between R3 and R4
following: variance 4 Currently the share is 1:1, use the metric multiply by 3x
You could add the delay or a value for from R1 to 34.0.0.0/24 3x 21024000 = 63072000 (used to make R3's path 3x worse than R4s)
rks bandwith! -> I use delay in this R1#show ip eigrp 300 topology 34.1.1.0 255.255.255.0
Help me create more flashcards:
RIP: RIP: wo example DLY 184250 Composite metric is (1024000/512000), route is Internal
Vector metric:
router rip router rip Composite Metric R1 Composite Metric R1 Minimum bandwidth is 128 Kbit Check min bandwith/delay
63072000 63072000 4 14 21024000 /2
4 14 3x Total delay is 40000 microseconds along the path
passive-interface fa0/x passive-interface fa0/x = 82125 + X 128K .0
/2 .0 128K
.0. 1x 128K .0 .0 128K
.0.
256 .0 .0 0/ Bandwith: 10'000'000 / 128 = 78125
.0 0/ .0
neigbor 10.0.0.1 fa0/x neigbor 10.0.0.1 fa0/x 13 24
3x 13 24
Delay: 40'000 / 10 = 4000 Calculation!
246375 = 82125 + X 1x R3 R4
R3 R4 R1#show int ser 1/3
Simply press this button and send me your
K 4000 + 78125 = 82125
T WOR
DLY 20000 DLY 20000 ..., BW 128 Kbit/sec, DLY 20000
EIGRP EIGRP
ILL NO
34.0.0.0/24
router eigrp 100 router eigrp 100 W
246375 - 82125 = X
34.0.0.0/24 63072000
256
= 82125 + X 164250 + 20000 = 184250 credit cards regards!
246375 = 82125 + X R1#conf t
passive-interface fa0/x passive-interface fa0/x Via R3: 63072000 = 256 [(10'000'000 /128) + {(40000/10)+164250}]
down 164250 = X Unequal cost calculation EIGRP 246375 - 82125 = X router eigrp X int serial 1/3
neigbor 10.0.0.1 fa0/x neigbor 10.0.0.1 fa0/x Session
is teared Via R4: 21024000 = 256 [(10'000'000 /128) + (40000/10)] 164250 = X variance 3 delay 184250
7.
.0.
246375 = 82125 + X 13
34 .0.0 .0/24
R4
http://www.flashcardguy.ch
R1#
Have R1 leak 2.0.0.0/8 to R2 while
you leak 3.0.0.0/8 to R3.
router eigrp 100
network 2.0.0.0
network 3.0.0.0
eigrp stub connected leak-map RMP-LEAK-EIGRP
EIGRP
Do not remove “eigrp stub
ip prefix-list PFX-LEAK-2 seq 5 permit 2.0.0.0/8
connected” on R1:
ip prefix-list PFX-LEAK-3 seq 10 permit 3.0.0.0/8
route-map RMP-LEAK-EIGRP permit 10
match ip address prefix-list PFX-LEAK-2
3.0.0.0/8 2.0.0.0/8 match interface ser0/0.2
R1# R3#
router eigrp 100 router eigrp 100
network 1.0.0.0 network 3.0.0.0
ip default network 1.0.0.0/8 ip default network 3.0.0.0/8
R2#
router eigrp 100 R4#
network 2.0.0.0
ip default network 2.0.0.0/8
router eigrp 100
/8 0/8 /8 default-information in 2
R1 .0.0 R2 .0. R3 .0.0
1.0 2.0 3.0
R1 R1 R3 R3 R2
R2
13.0.0.x 12.0.0.x 10.0.0.x
R1# R1#
router eigrp 100
R3 R2 R3 R2
router eigrp 100 network 10.0.0.1 0.0.0.0
network 12.0.0.1 0.0.0.0 neigbor 10.0.0.2 fa0/0
network 13.0.0.1 0.0.0.0 neigbor 10.0.0.3 fa0/0
eigrp stub eigrp stub
R2 and R3#
router eigrp 100
network 10.0.0.[2,3] 0.0.0.0
neigbor 10.0.0.1 fa0/0
NO EIGRP STUB:
What will EIGRP: Enqueueing QUERY on Fa0/21 tid 0 iidbQ un/rely 0/1 serno 43-43
EIGRP: Enqueueing QUERY on Fa0/19 tid 0 iidbQ un/rely 0/1 serno 43-43
debug eigrp packets terse display in the EIGRP: Sending QUERY on Fa0/19 tid 0
case R2 and R3 have eigrp stub connected
EIGRP is enqueueing for both but only sending the
enabled and once disabled? querry to R3!
Colin
http://www.flashcardguy.ch
route-map O->E deny 10 Redistribution solution 1
De tow
R1 and R4
ny a
Redistribution
match tag 90
R1 and R4 s
al rds
-l ist access-list 30 deny X
l R th
ute
route-map O->E permit 20 router eigrp 20 access-list 30 deny ALL RIP NETWORKS
IP e
redistribute rip metric 1 1 1 1 1 trib
ne RIP
set tag 110 access-list 30 permit any (EIGRP)
dis
tw s
SW4#show ip alias distance eigrp 90 110 e
Us
or ide
router rip
Address Type IP Address Port
ks !
router rip distribute-list 30 out fa0/0
ou
route-map E->O deny 10 Interface 150.1.10.10
Narbiks Redistribution Route-Map:
t
match tag 110 redistribute eigrp 20 metric 1
Interface 155.1.10.10
route-map E->O permit 20 Show ip alias output explained: Interface 155.1.108.10
R X via R2 [3 hop] R X via R5 [2 hop] R X via R2 [7 hop] R X via R3 [6 hop]
set tag 90
2 to 1 route-map Shows all connected interfaces: R3 sends hop R3 sends hop
EIGRP count of 5 EIGRP count of 5
router ospf 1 Similar to show ip int brie | e una R1 R2 R3 X for X to R2 R1 R2 R3 X for X to R2
redistribute eigrp 35 subnets route-map E->O metric-type 2 14.1.1.1 14.1.1.1
14.1.1.4 14.1.1.4
router eigrp 35 R4 R5 R4 R5
RIP RIP
redistribute ospf 1 metric 100000 100 255 1 1500 route-map O->E
D EX X via R1 [1 hop] R X via R4 [1 hop] D EX X via R1 [1 hop] R X via R2 [7 hop]
Redistribution solution 2 Us
1. RIP distribute list, deny advertised routes inbound -id i
ter R1 and R4 r ng
2. Same Router ID on EIGRP R1 and R4
dr
ou EIG oute the s
e RP r-id am
3. Redistribute appropriate routes using RMPs and PFX router eigrp 20 cat router eigrp 20 ext to e E
4. 2 to 1 route-map pli ern blo IGR
redistribute rip metric 1 1 1 1 1
P du eigrp router-id 0.0.0.1
al n ck o P
5. Filter based on route summarization (longest match) distance eigrp 90 110
IGR etw ut
eE ork
6. Set lower distance on neighbor (RIP / OSPF)
router rip Us s!
debug sw-vlan vtp events Narbiks 8 redistribution methods 7. Distance?
redistribute eigrp 20 metric 1
RIP
Handy VTP debug commands: EIGRP OSPF
R X via R2 [3 hop] R X via R5 [2 hop]
R X via R2 [7 hop] R X via R3 [6 hop]
8. EIGRP races OSPF condition (EIGRP is super quick)
debug sw-vlan vtp packets Briefly mentioned: R3 sends hop
R3 sends hop
acl into-eigrp deny 5.0.0.0 EIGRP count of 5
EIGRP count of 5
acl into-eigrp permit any R1 R2 R3 X for X to R2
R1 R2 R3 X for X to R2 14.1.1.1
14.1.1.1
router ospf 1 14.1.1.4
14.1.1.4 R4 R5
distribute-list into-eigrp out ospf 1 R4 R5 RIP
RIP
router eigrp 100
distribute-list into-ospf out eigrp 100 R X via R5 [8 hop] R X via R2 [7 hop]
D EX X via R1 [1 hop] R X via R4 [1 hop]
OSPF 3.
Mutual
OSPF Mutual
redistribution R1 R2 R3 3.3.3.0/24 Ranging 5 bucks to unlimited!
R1#show run | i route redistribution R1 R2 R3 3.3.3.0/24 RIP<->OSPF
1. RIP
ip route 200.1.12.0 255.255.255.0 200.1.12.11 RIP<->OSPF 2.
OSPF RIP
What could be the problem here: Will R2 be able to ping 3.3.3.3 ? OSPF 6.
Route to 3.3.3.0/
R1(config)#no ip route 200.1.12.0 255.255.255.0 200.1.12.11 Mutual 24 via OSPF
Mutual 4.
redistribution R1 R2 R3 3.3.3.0/24
%No matching route to delete OSPF redistribution R1 R2 R3 3.3.3.0/24
R1#show run | i route RIP<->OSPF Fix: RIP<->OSPF
ip route 200.1.12.0 255.255.255.0 200.1.12.11 Troubleshoot using: 7. RIP
Someone configured a default network, but not to a RIP router rip Mutual 5.
redistribution R1 R2 R3 3.3.3.0/24
R1(config)#no ip route 200.1.12.0 255.255.255.0 200.1.12.11
classfull network! You will not be able to NO out the static debug ip routing distance 109 RIP<->OSPF
1. R2 received route 3.x via RIP from R3
route other than doing this: 2. R2 advertises 3.0.0.0 via RIP to R1
%No matching route to delete How can you solve this that R1 and R2 3. R1 redistributes 3.0.0.0 into OSPF advertises towards R2
debug ip rip RIP
R1#conf t will be able to ping the 3.3.3.0/24 4. R2 starts using OSPF route to 3.x flushes the RIP route and
watch for inaccessible
R1(config)#no ip default-network 200.1.12.11 network?
announces it as inaccessible within RIP.
5. R1 receives inaccessible RIP route from R2 for 3.0.0.0 and Thanks for appreciating my efforts
6. R1 advertises OSPF max-age for 3.0.0.0 route, R2 flushes route
debug ip ospf lsa-generation What happens here in detail? 7. R2 receives RIP update from R3, and it starts at 1. again
(watch for Rcv Maxage LSA, Type 5, LSID 3.3.3.0)
Colin
http://www.flashcardguy.ch
Serial0/0 is up, line protocol is up
interface Serial1/3
OSPF
Internet Address 155.1.0.5/24, Area 0
Process ID 1, Router ID 150.1.5.5, Network Type NON_BROADCAST, ip address 155.1.23.3 255.255.255.0
Cost: 64
Enabled by interface config, including secondary ip addresses ip ospf 1 area 5
Transmit Delay is 1 sec, State DR, Priority 1 clock rate 64000
Designated Router (ID) 150.1.5.5, Interface address 155.1.0.5
Backup Designated router (ID) 223.255.255.255, Interface address
3.3.3.0/24
OSPF Point-2-Multipoint .3
.2
- Statically configured
.1
- Host Routes for reachability
Show ip ospf neighbor sh ip ospf neighbor - 30/120 timers 3.3.3.0/24
Configure all attached interfaces router ospf 1 - Next-Hop Advertising Router via .2
into OSPF area 2 with one line: network 0.0.0.0 255.255.255.255 area 2 Neighbor ID Pri State
150.1.1.1 1 FULL/DR
Dead Time Address
00:00:34 155.1.146.1
Interface
Gi0/1
OSPF Point-2-Multipoint: - NO DR / BDR election!
Output: 150.1.6.6 1 FULL/DROTHER 00:00:38 155.1.146.6 Gi0/1
interface Serial0/0
ip ospf network point-to-multipoint
frame-relay map ip 155.1.0.5 105 broadcast
Router1:
int Loopback222
ip address 222.255.255.255 /32
it simply enables the OSPF process OSPF Broadcast
on the interface. Router3:
- Ethernet
OSPF network statement How to detect a dublicated router- int Loopback222 - DR / BDR Election
described:
If multiple network statements
id in ospf?
ip address 222.255.255.255 /32 OSPF Broadcast: - Multicast 224.0.0.5 / 224.0.0.6
- 10/40 Timers
overlap the same interface, the - Next-hop does not change
most specific match based on the
%OSPF-4-DUP_RTRID_AREA: Detected router with
wildcard mask wins. duplicate router ID 222.255.255.255 in area 2
Use this command after initial If no “Net Link States (Area X)” is Thanks for appreciating my efforts
visible in the OSPF database, there
ospf config, to verify was no DR elected!
Colin
http://www.flashcardguy.ch
150.1.6.6
OSPF Point-2-Multipoint NON-Broadcast
interface Serial0/1/0
ip ospf 1 area 0 R1:
Debug IP packet of OSPF: IP: s=155.1.45.4 (Serial0/1/0), d=224.0.0.5, len 80, rcvd 0, proto=89 router ospf 1
interface GigabitEthernet0/0
ip address 155.1.58.5 255.255.255.0 Repairing area 1 virtual-link 150.1.6.6
ip ospf 1 area 3 show ip ospf database router
Point-2-Point 150.1.8.8 self-originate Discontiguous OSPF
s=155.1.58.8 (GigabitEthernet0/0), d=224.0.0.5, len 80, rcvd 0,
proto=89
How to display the local OSPF R6:
interface Serial0/0/0 database which all local networks Areas with Virtual- router ospf 1
Broadcast ip address 155.1.0.5 255.255.255.0
( 150.1.8.8 is its own local Loopback IP address )
encapsulation frame-relay area 1 virtual-link 150.1.1.1
ip ospf network point-to-multipoint non-broadcast
frame-relay map ip 155.1.0.1 501
Links
Point-to-multipoint non-broadcast no frame-relay inverse-arp
IP: s=155.1.0.5 (local), d=155.1.0.3 (Serial0/0/0), len 92, sending,
Make sure Router-ID has been
proto=89 manually configured!
32
R4 k no capability transit
1/
R6
one network statement and one
1.
with Bandwidth
1.
1.
Area 7
interface command? router ospf 1
network 99.99.99.99 255.255.255.255 area 99
interface Serial0/0 What does this command do?
bandwidth 10000
Area 0
show ip ospf database summary 150.1.8.0 capability transit is set as default, which means, IF there is
a shorter intra-area path, it will be preferred than the
32
could potentially harm the
1/
Link connected to: a Transit Network router ospf 1 R6
1.
1.
1.
(Link ID) Designated Router address: 155.1.146.6 Area 7
network, explain why: Set the auto-cost value consistently Calculate cost to ABR: capability transit
throughout the entire OSPF domain
(Link Data) Router Interface address: 155.1.146.6
Number of TOS metrics: 0
Simply press this button and send me your
Summarize both = route metric:
TOS 0 Metrics: 300 (shows metric to the ABR)
credit cards regards!
R6#show ip route 150.1.8.8
via FastEthernet0/0.146 Area 0
Route metric is 20031, traffic share count is 1
Virtual link
150.1.6.6
Desired Traffic flow
Ranging 5 bucks to unlimited!
Area 2 7
Show ip route output of R4 using Area Physical link
an intra-area route to R6: area area
2 1 OSPF Path Selection router ospf 1
150.1.6.6 Area 0 R4 OSPF Path Selection
with Per-Neighbor neighbor 155.1.0.1 cost 1000
Area 2
neighbor 155.1.0.4 cost 9999 with Virtual-Links Area 0
area area R4#sh ip route 150.1.6.6
Routing entry for 150.1.6.6/32
Cost
2 1 Known via "ospf 1", distance 110, metric 301, type intra area
Last update from 155.1.146.6 on GigabitEthernet0/1, 00:14:19 ago Use Virtual links to adjust traffic flow Thanks for appreciating my efforts
Area 0 R4 Routing Descriptor Blocks:
over other areas. Cost for Vlink
* 155.1.146.6, from 150.1.6.6, 00:14:19 ago, via GigabitEthernet0/1
Route metric is 301, traffic share count is 1 calculated based on physical interfaces!
Colin
http://www.flashcardguy.ch
interface Serial0/1/0
ip ospf demand-circuit
a virtual-link is an interface in Deliberately make routes a longer prefix to force traffic
OSPF
OSPF Demand R4# show ip ospf interface Serial0/1/0
Serial0/1/0 is up, line protocol is up area 0 !! another, more specific way.
…..
Circuit Enabled by interface config, including secondary ip addresses
Configured as demand circuit. Authentication and Area 0 or OSPF Path Selection Use
Run as demand circuit.
g, w
hil
e
Be carefull not to forget this Router ospf X
DoNotAge LSA allowed. ms DJ Virtual links: with Summarization
reduce periodic OSPF …. ello he A
sH gt while enabling: Area X range x.x.x.x 255.255.254.0 to make a /24 look like
oob-resync timeout 40 sse inin a /23 to force a different route.
pre nta
Hello due in 00:00:07 Sup mai
hello transmission Supports Link-local Signaling (LLS)
…. area 0 authentication
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.5.5 (Hello suppressed)
Suppress hello for 1 neighbor(s)
Reduction
LSA, removing the requirement for the
periodic refresh.
OSPF Null interface Vlan7 OSPF metric and forward metric * 155.1.79.7, from 192.10.1.254, 00:06:49 ago, via
Vlan79
Authentication ip ospf authentication null on E2 routes: Route metric is 20, traffic share count is 1
interface Vlan10
Reducing “paranoid update”
ip ospf flood-reduction Forward metric, gives information about which paths is
taken effectively to the E2 destination.
router ospf 1
area 3 stub
interface FastEthernet0/0
ip ospf authentication message-digest stub area
OSPF Type 1 ip ospf message-digest-key 16 md5 KEY-1
ip ospf message-digest-key 46 md5 KEY-2
(clear text) interface Vlan67
OSPF MD5 totally stubby area
ip ospf authentication-key SECRET
What four OSPF stub
Authentication Authentication with not-so-stubby area (NSSA)
router ospf 1 types are there?
area 2 authentication Multiple Keys KEY-1 KEY-2
Per area / interface not-so-totallystubby
area
interface Serial0/0
ONLY ON ABR:
Ranging 5 bucks to unlimited!
ip ospf 1 area 0
ip ospf message-digest-key 1 md5 KEY
router ospf 1
router ospf 1 OSPF Totally Stubby area 3 stub no-summary
OSPF MD5 area 0 authentication message-digest
area 1 virtual-link 150.1.6.6 message-digest-
OSPF Internal Area router ospf 1 Areas
area 3 range 155.1.8.0 255.255.252.0
Authentication key 1 md5 KEY
R3
Summarization Internal Area routers have:
Area 99
Config:
router ospf 1
Area 1
Thanks for appreciating my efforts
Area 0
area 3 stub
R2
Colin
http://www.flashcardguy.ch
ABR: Internal Area Router: ABR:
Internal Area Router: OSPF Forwarding Address Suppression in
Router ospf 1
Area 3 stub no-summary
Show ip route
Router ospf 1
Area 3 stub
router ospf 1
area 2 nssa no-summary
area 2 default-cost 500
Router ospf 1
area 2 nssa
Translated Type-5 LSAs OSPF
OSPF Totally Stubby O 150.1.8.8/32 [110/2] via 155.1.108.8, 00:31:57, Po1 O 155.1.67.0 [110/2] via 155.1.79.7, 00:01:19, Vlan79
with forwarding address suppression enabled the
traffic will always flow through the Type-7 to 5
Areas O*IA 0.0.0.0/0 [110/3] via 155.1.108.8, 00:03:46, Po1 O N2 200.0.3.0/24 [110/20] via 155.1.79.7, 00:01:20, Vlan79 OSPF Forwarding translator.
SW4#show ip ospf database OSPF Not-So-Totally- O*IA 0.0.0.0/0 [110/502] via 155.1.79.7, 00:01:20, Vlan79 (NSSA with multiple exits, Highest IP is translator)
OSPF Router with ID (150.1.10.10) (Process ID 1)
SW3#sh ip ospf database Address
show ip ospf database Router Link States (Area 3) Stubby Areas
Net Link States (Area 3)
OSPF Router with ID (150.1.9.9) (Process ID 1)
Router Link States (Area 2)
Suppression router ospf 1
area 3 nssa no-redistribution no-summary
Summary Net Link States (Area 3)
translate type7 suppress-fa
Output: Link ID ADV Router Age Seq# Checksum
Net Link States (Area 2)
router ospf 1
On
ly default-information originate always route-map RMP-TRACK
on
eT Higher
ABR-1
Areas AREA 3 NSSA 2. inter-area Default Routing
ip prefix-list PFX-R3 seq 5 permit 150.3.3.0/24
Type 7
Type
7 List ospf route preference: 3. external route-map RMP-TRACK permit 10
Speciality about the Type 7 to Type RTR-1 match ip address prefix-list PFX-BB1 PFX-R3
4. nssa-external Config:
5 conversion: RIP
( Advertise 0.0.0.0/0 if 54.1.1.0/24 or 150.3.3.0/24 is
Only one ABR is sending the translated in the routing table)
Type 5 into Area 0!
Rack1R3#show ip ospf database nssa-external 200.0.0.0 Multiple ABRs connect the NSSA to ip sla monitor 10
type echo protocol ipIcmpEcho 204.12.1.254
OSPF Router with ID (150.1.3.3) (Process ID 1)
Type-7 AS External Link States (Area 2) area 0 timeout 2000
Routing Bit Set on this LSA frequency 5
LS age: 312
Options: (No TOS-capability, Type 7/5 translation, DC) ABR with the highest router-id is OSPF Reliable ip sla monitor schedule 10 life forever start-time now
track 1 rtr 10
show ip ospf database nssa-external LS Type: AS External Link
Link State ID: 200.0.0.0 (External Network Number )
OSPF NSSA Type-7 elected as the Type-7 to 5 translator
Conditional Default ip route 169.254.0.1 255.255.255.255 Null0 track 1 name
x.x.x.x and is responsible for re-originating is.up.always.as.is.route.to.Null0
Advertising Router: 150.1.6.6
LS Seq Number: 80000001
Checksum: 0xF94A
to Type-5 Translator the Type-5 LSA into area 0. Routing ip prefix-list PLACEHOLDER seq 5 permit 169.254.0.1/32
route-map TRACK_PLACEHOLDER permit 10
Output: Length: 36
Network Mask: /24 Election On
ly o
match ip address prefix-list PLACEHOLDER
router ospf 1
Metric Type: 2 (Larger than any link state path) ne
TOS: 0
t
AREA 0 ranslate Config: default-information originate always route-map TRACK_PLACEHOLDER
Metric: 20 s
Forward Address: 155.1.67.6 AREA 3 NSSA Logic uses Track on a dummy route which is always UP/UP due to
External Route Tag: 0 pointed at Null0. Therefore only the IP SLA is important.
No O
router ospf 1 SPF
do SW2#show ip route ospf
route main ex
area 2 nssa Defa s visible ternal Intra-area filtering can be accomplished in OSPF with
auto ult ro ! O N2 5.5.5.5 [110/20] via 155.1.58.5, 00:05:32, Vlan58
mati u an inbound distribute-list:
cally te not O*IA 0.0.0.0/0 [110/2] via 155.1.58.5, 00:01:58, Vlan58
on A generate
Show ip route BR! d
O 150.1.7.7/32 [110/2] via 155.1.79.7, 00:31:00, Vlan79 Additional N2 is not needed due to the existing default
OSPF Filtering with
All routers have to have the same config, otherwise Help me create more flashcards:
O IA 150.1.5.5/32 [110/784] via 155.1.79.7, 00:31:00, Vlan79 OSPF NSSA route pointing to the same ABR. The additional N2's can
there is a danger of blackholing networks!
OSPF Not-So-Stubby O N1 200.0.0.0/24 [110/20] via 155.1.79.7, 00:30:59, Vlan79 be disabled via:
Distribute-Lists Intra
-a
O N2 200.0.1.0/24 [110/20] via 155.1.79.7, 00:30:59, Vlan79
Redistribution router ospf 1 Affec rea filte
t
routi s local
ring
Areas SW3#show ip ospf database
ABR#
Intra
distribute-list 1 in ng ta
ble o
OSPF Router with ID (150.1.9.9) (Process ID 1) Filtering router ospf 1
area 3 nssa no-redistribution no-summary
-a rea fi
lterin
g Config:
nly!
Simply press this button and send me your
Router Link States (Area 2) access-list 1 deny 150.1.1.1
Net Link States (Area 2)
5.5.5.5/32
access-list 1 deny 150.1.2.2 credit cards regards!
Summary Net Link States (Area 2) Area 3 9.9.9.9/xx
access-list 1 permit any Area 2
SW2
Type-7 AS External Link States (Area 2)
ABR# Inter
-area
filter Ranging 5 bucks to unlimited!
router ospf 1
OSPF LSA Type-3 ip prefix-list AREA_3_ROUTES deny 155.1.108.0/24
ip prefix-list AREA_3_ROUTES permit 0.0.0.0/0 le 32 OSPF LSA Type-3 coming from Area 0 going out to Area 2 ing
Colin
http://www.flashcardguy.ch
router ospf 1
router ospf 1
no discard-route internal
area 0 range 150.1.0.0 255.255.252.0 max-metric router-lsa OSPF
- prevent traffic black holes
Discard-route prevent the forwarding of traffic towards
a shorter match.
OSPF Stub Router - advertise a
OSPF Summarization automatic origination of the discard route can be Advertisement
maximum metric for non-stub destinations
- initializing the OSPF process, transit traffic Ignore OSPF LSA type 6 error router ospf 1
disabled via “no discard-route”
and Discard Routes will not flow through the stub router
- once the ospf domain is converged, the max metric is
messages: ignore lsa mospf
Internal = inter-area
External = summary-address withdrawn.
Config:
Discard route a ospf generated Null0 route for area
max-metric router-lsa on-startup wait-for-bgp
range or ip summary address command. If this
(waits for BGP keepalives)
automatic Null route should be disabled, use NO
max-metric router-lsa on-startup announce-time
discard-route (internal/external)
(how long to wait after a reload)
10.0.0.0/24 Ne OS
tw PF
interface Serial0/0 ork
access-list 99 permit 155.1.67.0 Typ
e!
ip ospf hello-interval 5
route
route
Static
Static
ip ospf dead-interval (seconds)
router ospf 1 Fa0/1 Ser0/1
Broadcast
d! OSPF cost calculation
OSPF Interface econ
Type
Sub-s
Fa
interface Serial0/1/0 0/0 /1
a0
Administrative ip ospf dead-interval minimal hello-multiplier 4 Area 0
F
Static
Static
route
route
access-list 4 permit 155.1.146.4 timers throttle lsa all 10 4000 6000
OSPF Filtering with timers lsa arrival 2000 OSPF cost calculation
R2
Fa0/1 Ser0/1
R3
Broadcast
route-map DENY_R3_LOOPB_FROM_R4 deny 10 !
Route-Maps
Type
match ip address 3 interface Serial0/1 Fa
match ip next-hop 4
Make pfx unique by
specifying pfx and next-hop OSPF Global Timers ip ospf transmit-delay 2 Changing network types
Area 0
0/0
Fa
0 /1
ip ospf retransmit-interval 10 R1
route-map DENY_R3_LOOPB_FROM_R4 permit 20
Config: SPF pacing/throttling timers control how fast OSPF Next R1 will see R3's IP address
responds to convergence events. R1 will see R4's IP address
as forward-address due to
as forward-address and will
the Serial Link and
Loopback IP is 150.1.3.3/32 Check via: show ip ospf calculate the cost to it!
calculate the cost to it:
Next-Hop of R4 is 155.1.146.4 Cost of 1+20+1 = 22
Cost of 1+20 = 21
Colin
http://www.flashcardguy.ch
Using unicast, instead of multicast via the LAN interface fa0/x
Ensure other routers of
segment cannot
segment so Router 3 “can” not intercept the ospf
conversation between R1 and R2
R1
router ospf 1
R2 R1 R2
ip ospf prefix-suppression OSPF
area 168 authentication message-digest
R1
area 168 authentication message-digest
What does 1.1.1.0/24
intercept the OSPF ip ospf network non-broadcast interface Vlan18
2.2.2.0/24
router ospf 1 ip ospf message-digest-key 8 md5 7 CISCO
communication: neighbor 1.1.1.1
1.1.1.2
What does one have to keep in
mind when dealing with
R2
int fa0/0
ip ospf prefix-suppression
1.1.1.3 Applied here
1.1.1.1 ip ospf message-digest-key 7 md5 7 CISCO
1.1.1.2 ip ospf network non-broadcast
Will hide the transit networks 3.3.3.0/24
1.1.1.3
router ospf 1
neighbor 1.1.1.2
ip ospf message-digest-key X If the key IDs are different, the ADJ will
NOT come up!!!
do? between the routers
1.1.1.1
Vlan18 : Mismatch Authentication Key - No message digest Prefixes in routing table:
In this situation? key 7 on interface
1.1.1.0 / 2.2.2.0 and 3.3.3.0
If this should be the backup path, make sure its in AREA 0,
What options are there if you would If not, use a virtual-link. Otherwise no traffic will use the LSA Type 3 filtering via
like to use the FR connection as a serial link as transit interface. area x range x x not-advertise
backup in case the ethernet segment
goes down in respect to OSPF?
area 1 range 1.0.0.0 255.255.255.0 not-advertise
FR
OSPF LSAs on Individual Timers LSA Type 3 filtering via
FR Backup 1.1.1.0/24 Area 1
Backup link Area 0 with Group Pacing
link Area 0
FR area 1 range x.x.x.x y.y.y.y not-advertise Area 0
FR
Area 2
Area 1
Area 1
fa
Transit area 45, via interface GigabitEthernet0/0, Cost of using router ospf X
OSPF
10000 Distance router ospf 1 What could be used instead of area 33 virtual-link 1.2.3.4
s s-
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, using a Virtual-Link in order to
distance ospf intra-area 200 Or use a GRE Tunnel to interconnect
pr e
Retransmit 5
Hello due in 00:00:02 connect discontigous OSPF Areas
show ip ospf virtual-links Adjacency State FULL (Hello suppressed)
For intra-area / inter- distance ospf inter-area 100 to Area 0? interface Tunnel X
su p
Index 2/4, retransmission queue length 0, number of ip unnumbered Loopback 0
Tun X
retransmission 0 ip ospf X area 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
area / external: distance ospf external 120 Area 33
e7
Area 0
Last retransmission scan time is 0 msec, maximum is 0 msec
typ
E
ON
a te
LSA Advertising Routing OSPF Database LSA Advertising Routing OSPF Database
ED
n sl
R5#show ip ospf interface S0/0/0 | include Timer Router Table Router Table
OSPF
Timer intervals configured, Hello 333 msec, Dead 1, Wait 1,
Retransmit 5 OSPF no discard-route [internal] [external] 1 (intra) ? ? 1 (intra) ALL O
tr a
show ip ospf database ? show ip ospf database router
B
2 (intra) ? ? show ip ospf database ? 2 (intra) DR O show ip ospf database network
TO
If not specified, will remove the route
ssa
3 (inter) ? ? 3 (inter) ABR OIA
Verifiying OSPF fast hello’s: show ip ospf database ? show ip ospf database summary
xn
ip ospf dead-interval minimal hello-multiplier 3
5 (Ext) ? ? show ip ospf database ? 5 (Ext) ASBR E2, E1 show ip ospf database external
EA
AR
ip sla 53 ABR
Intra area router:
TRACK NOT
area 2 nssa
Stub Stub area x stub 1,2,3 (default 3) YES ABR area 2 stub no-summary
Intra area router: 1400 ABR area 5 nssa no-summary
ASBR 100
! Define another object that is the negation of the previous area 2 stub no-sum area 2 stub
area 5 nssa no-sum 100 routes
routes
area 2 nssa
Totally Stubby Totally Stubby area x stub no-sum 1,2, (default 3) YES area 3 nssa
object ABR
area 2 nssa
100 routes
ASBR
area0
Not-So-Stub Not-So-Stub area x nssa 1,2,3,7 NO (if SLA X down / network x is NOT track 77 list boolean and
ABR area 4 nssa default information
500 routes
Not-So-Totally Not-So-Totally area x nssa no-sum 1,2,(default 3), 7 YES in the table, advertise the default object 13 not
area 4 nssa default inf
ABR area 5 nssa no-summary
ASBR
ASBR
area 2 nssa
100 routes
AREA 4:
Simply press this button and send me your
100 routes
Stubby Area Stubby Area
route) ! Insert a static route if the second object is UP (thus the ASBR
area 5 nssa no-sum area 2 nssa AREA 1:
100 O AREA 2:
AREA 3:
100 O
100 O
500 O IA
AREA 5:
100 O
credit cards regards!
! IP SLA probe failed) 500
500 routes
routes 500 O IA 100 O 500 O IA 100 O N2 100 O N2
IA 0.0.0.0 IA 0.0.0.0 100 O N2 N2 0.0.0.0 IA 0.0.0.0
601 101 700 701 201
ip route 1.0.0.0 255.0.0.0 Null0 track 77 100 routes in intra Areas
LSA Type 3 from Area 1 to OSPF ABR area 1 stub
Intra area router: Ranging 5 bucks to unlimited!
Area 0 will be redistributed
How do you connect AREA 25 to Area 0 ? AREA 0 1,2,3,Default 4,5 area 1 stub
(usual rules apply)
ABR area 2 stub no-summary
AREA 3 NSSA
1.1.1.0/24 Area 1 Area stub flags and config: 1,2,Default 3,4,5
Intra area router:
area 2 stub
OSPF Filtering with Area 0
Area 0 to 2 ABR
area 1 stub
Intra area router:
area 1 stub
ABR area 3 nssa ASBR 100
1,2,7,Default 3,4,5
ASBR 100
routes
-a rea fi ee
area 5 nssa no-summary
area 2 nssa
Thanks for appreciating my efforts
ABR
Stub / NSSA Area’s do NOT support Virtual Links! lterin b distribute-list 1 in area 5 nssa no-sum
ASBR 100
routes
ASBR
g usin s area 2 nssa
500
tribu g
rin
500
te lis routes
routes
ts lte
Fi
Colin
http://www.flashcardguy.ch
Enable OSPF What LSA Types will be announced in ces
un 4 RID:
Per Interface
Authentication:
Per Area
key chain TEST
each topology, and why? A2 RID:
0.0.0.1
no
an pe
R2 A Ty /24
LS .4.0
4.4
0.0.0.2
RID:
OSPF
IP OSPF Authentication int ser0/x router ospf 1
key 1
key-string PASSWORD RID: A2
RID:
0.0.0.1
RID:
0.0.0.2 RID:
0.0.0.9 A1
0.0.0.3
24
ip ospf authentication message .. area 0 authentication message .. A1 0.0.0.3 an Type static
0/
send-lifetime {start-time} [infinite | end-time | duration 1
R SA tr
A0 redis
4.
Enable per Interface / Area
4.
L
OSPFv2 Cryptographic <seconds>
24
4.
c
r stati
0/
redist
4.
4.
Apply authentication
Authentication
4.
Int ser0/x ces
un 1 RID:
Apply authentication per Interface ip ospf authentication-key TEXT-TYPE-1 Interface fa0/x RID: A2 RID: no
an pe 0.0.0.2
ip ospf message-digest key 1 MD5 PASSWORD ip ospf authentication key-chain TEST A2 RID: 0.0.0.2 0.0.0.1 R2 SA Ty /24
0.0.0.1 L .4.0
RID: 4.4 NSSA RID:
NSSA RID: 0.0.0.3
Disable authentication per interface Disable authentication per link
RID:
A1
0.0.0.3
0.0.0.9 s A1
Int ser0/x
0.0.0.9
A0 nce
ou 4
A0
24
ann ype
static
24
tatic
0/
0/
ip ospf authentication null tr s 1
R AT tr
redis
4.
redis
4.
LS
4.
4.
4.
4.
R3 RID: 0.0.0.2 is an RID: 0.0.0.3 is an
router ospf 1 Explain why it is essential that OSPF ABR ASBR
NO area 0 authentication Interface fa0/x router-id’s should be kept unique within
ospfv3 encryption {ipsec spi spi esp encryption-algorithm ces
area 99 virtual-link 2.2.2.2 un 4
key-encryption-type key authentication-algorithm key- the entire OSPF domain? no
an pe
R2 A Ty /24 3 RID:
R3 encryption-type key | null} ces LS .4.0 .0.
If the authentication would Area 1 un 4 A2 RID: 4.4 ID 0.0 0.0.0.2
OSPF virtual-link Authentication not explicitly be set to null 2
no
an Type 4 RID:
0.0.0.1 R
via into
A0
ipv6 ospf encryption {ipsec spi spi esp {encryption- A2 RID: R LSA .0/2 0.3 0.0.0.2 RID:
on the Virtual link, it would Area 99 OSPFv3 IPSec ESP Encryption and algorithm [[key-encryption-type] key] | null} 0.0.0.1
.4 0 .
4.4 ID 0. RID: 0.0.0.3
try to Auth via Type 2, MD5 R
via into
A0
RID: 0.0.0.9 A1
Problem with Area 0 to R3 on R2, failing to Area 0 Authentication authentication-algorithm [key-encryption-type] key | null}
0.0.0.3
A0
R2 A1 tic
tr sta
establish the Vlink.
authentication and VLinks A0 R9:
Show ip ospf database external redis
R2# ospfv3 encryption ipsec spi 1001 esp null md5 0 2757… tic
tr sta LS-ID: 4.4.4.0/24
redis
4.
area 0 authentication Advertising Router 0.0.0.3
4.
4.
ipv6 ospf encryption ipsec spi 1001 esp null sha1 1234... R9:
0/
area 0 authentication message-digest
24
4.
Show ip ospf database external
4.
area 99 virtual-link 3.3.3.3 authentication null If R9 had RID of 0.0.0.3 in Area 2,
4.
LS-ID: 4.4.4.0/24
0/
24
Advertising Router 0.0.0.3 4.4.4.0/24 would be filtered out!
1. ip route 0.0.0.0 0.0.0.0 192.168.1.1
router ospf 1
default information originate What segment announces which LSA Type? What segment announces which LSA Type?
OS Type 1 LSA
2. router ospf 1 PF OS
OSPF Default route default information originate always m ult PF ser
ia l
iar mu ser
i al
3. router ospf 1
ea ltia
3 different methods default information originate route-map RMP-X rea ethernet
route-map RMP-X ethernet
match ip address 77 authentication mode {strict |
deployment | normal}
access-list 77 permit 10.0.0.1
DR, Type 2 LSA
R1 10.0.0.2 10.0.0.3 me o D
OSPF BFD
rs d
ip address u.u.u.u
ip address10.0.0.1 255.255.255.0 ip address10.0.0.1 255.255.255.0
igh
10.0.0.2 10.0.0.3
router ospf 1 R3 has the highest IP on the common segment and is the DR.
wb
network u.u.u.u 0.0.0.0 area 0 R2 will never hear the update unless there is a static mapping
router ospf 1
bfd all-interfaces router ospf 1 from R3 to R2!
network 10.0.0.2 0.0.0.0 area 0 OSPF priority is the same on all routers
network 10.0.0.2 0.0.0.0 area 0
ospfv3 authentication {ipsec spi} {md5 | sha1}{ key- Check the ospf database for the If the OSPF priority is the same, the
What if DB filter / distribute list /
encryption-type key} | null network and the forward address! Who is going to be the DR ? higher IP wins!
prefix-suppression in operation?
ipv6 ospf authentication {null | ipsec spi spi
authentication-algorithm [key-encryption-type] [key]}
A0 A0 33.0.0.1
R1
10.0.0.1
Help me create more flashcards:
33.0.0.2
10.0.0.3
33.0.0.1 10.0.0.1
IPsec on OSPFv3 A3 A3 33.0.0.2 10.0.0.2
interface fa0/x
ospfv3 authentication md5 0 2757613409….09727 ip ospf priority all are Simply press this button and send me your
Or This router This router ip ospf priority all are set to the same credit cards regards!
needs to see A2 needs to see A2
ipv6 ospf authentication ipsec spi 500 md5 123456789
set to the same
this subnet! this subnet!
VLink VLink (R1 should be the DR in this situation)
Explain how
What could be the problem here? OSPF LSA Type 1 flooding works? OSPF LSA Type 1 flooding
Ranging 5 bucks to unlimited!
What could be the problem here?
BDR DR
2WAY/DROTHER BDR DR
conf t 2.
interface fa0/x
IPv6 OSPF Null authentication ospfv3 authentication null
2WAY/DROTHER 2WAY/DROTHER
1.
ipv6 ospf authentication null 2WAY/DROTHER
2WAY/DROTHER 2WAY/DROTHER
All routers have: Something changed Something changed
here here Thanks for appreciating my efforts
Interface e0/0
ip ospf priority 0
Colin
http://www.flashcardguy.ch
Explain output of: R2#show ip ospf database
Explain output of: Explain output of:
23.1.1.0
0.0.0.2 0.0.0.2 795 0x8000001B 0x00707A 1
23.1.1.0
Area 0
23.1.1.0
Area 0 Codes: i - Intra-area route, I - Inter-area route Codes: i - Intra-area route, I - Inter-area route Area 0
ec r .
R1#show ip ospf database
24
ec r.
ec r.
24
nn ist
d
24
nn ist
d
nn ist
d
te
0/
te
co e d
0/
i 0.0.0.2 [10] via 12.1.1.2, e0/0, ABR, Area 1, SPF 12 i 0.0.0.2 [10] via 12.1.1.2, e0/0, ABR, Area 1, SPF 12
te
0/
co e d
co Red
9.
OSPF Router with ID (0.0.0.1) (Process ID 1)
9.
9.
R
9.
9.
I 0.0.0.4 [75] via 12.1.1.2, e0/0, ASBR, Area 1, SPF 12 I 0.0.0.3 [20] via 12.1.1.2, e0/0, ASBR, Area 1, SPF 12
9.
.3 Cost 10 .3 Cost 10
9.
.3 Cost 10
9.
9.
.4 34.1.1.0 .3 Router Link States (Area 1)
.4 34.1.1.0 .3 R4 .4 34.1.1.0 .3
R4 R3 R3 R4 R3 Link ID ADV Router Age Seq# Checksum Link count
Cost 55 Cost 55 Cost 55
RID: 0.0.0.4 RID: 0.0.0.3 RID: 0.0.0.4 AREA 2 NSSA RID: 0.0.0.3 0.0.0.1 0.0.0.1 992 0x80000015 0x007B79 1
Area 2 Cost to the ASBR Notice R3 is the ASBR once Area 2 converted to NSSA! RID: 0.0.0.4
Area 2
RID: 0.0.0.3
0.0.0.2 0.0.0.2 1256 0x8000001B 0x00707A 1
Explain output of: Explain output of: R2#show ip ospf database (partial output, looking at LSA 4, 5)
Explain output of:
R1#show ip ospf database adv-router 0.0.0.4
R1#show ip ospf database adv-router 0.0.0.4 R1#show ip ospf database adv-router 0.0.0.4 R2#show ip ospf database
R1#show ip ospf database adv-router 0.0.0.4 Summary ASB Link States (Area 0)
OSPF Router with ID (0.0.0.1) (Process ID 1) R1#show ip ospf database adv-router 0.0.0.3 OSPF Router with ID (0.0.0.1) (Process ID 1) (focus on LSA type 4,5)
Link ID ADV Router Age Seq# Checksum
RID: 0.0.0.2 RID: 0.0.0.2 0.0.0.4 0.0.0.3 693 0x80000002 0x006795
Type-5 AS External Link States RID: 0.0.0.2
.1
.1 12.1.1.0 .2 .1 12.1.1.0 .2 12.1.1.0 .2
R1 Cost 10 R2 R2 R1 Cost 10 R2
R1 Cost 10 R1#show ip ospf database adv-router 0.0.0.3 Summary ASB Link States (Area 1)
RID: 0.0.0.1 .2 Link ID ADV Router Age Seq# Checksum Tag RID: 0.0.0.1 .2 RID: 0.0.0.1 .2
Area 1 Area 1 Area 1
9.9.9.0 0.0.0.4 1614 0x80000002 0x003D52 0
OSPF Router with ID (0.0.0.1) (Process ID 1) Link ID ADV Router Age Seq# Checksum
23.1.1.0
23.1.1.0
Area 0
23.1.1.0
Area 0 Area 0
0.0.0.4 0.0.0.2 296 0x80000001 0x00D321
ec r.
ec r.
24
Type-5 AS External Link States
4
ec r.
nn ist
24
d
nn ist
d
/2
nn ist
d
te
te
0/
te
co Red
0/
co Red
0
co Red
Type-5 AS External Link States
9.
9.
9.
9.
9.
.3 Cost 10
9.
.3 Cost 10 .3 Cost 10
9.
Link ID ADV Router Age Seq# Checksum Tag
9.
9.
.4 34.1.1.0 .3 .4 34.1.1.0 .3 .4 34.1.1.0 .3
R4
Cost 55 R3 R4 R3
9.9.9.0 0.0.0.3 265 0x80000001 0x000E5B 0 R4
Cost 55 R3 Link ID ADV Router Age Seq# Checksum Tag
Cost 55
9.9.9.0 0.0.0.4 331 0x80000002 0x0088F7 0
RID: 0.0.0.4
Area 2
RID: 0.0.0.3 Redistributed prefix Router-ID of R4 RID: 0.0.0.4 AREA 2 NSSA RID: 0.0.0.3 RID: 0.0.0.4
Area 2
RID: 0.0.0.3
R1#show ip ospf database external R1#show ip ospf database external .1 RID: 0.0.0.2
ze
R2
OSPF Router with ID (0.0.0.1) (Process ID 1) OSPF Router with ID (0.0.0.1) (Process ID 1) R1
RID: 0.0.0.1 .2
RID: 0.0.0.1
Area 1
.2 Area 1
ari
R1#show ip ospf database external Type-5 AS External Link States
23.1.1.0
Area 0
R1#show ip ospf database external Type-5 AS External Link States
23.1.1.0
Area 0
mm
4. . 0 24
4.7 .0 24
?
ec r.
4. 4.5 .0/
4. .4.5 .0/
. 0 / 24
0/ 4
Routing Bit Set on this LSA in topology Base with MTID 0
ec r.
d
nn ist
7. / 2
d
nn ist
Routing Bit Set on this LSA in topology Base with MTID 0
te
4 4. 4
4
4. .4.4
te
co R ed
Its NO to 9.9.9.0
24
/2
co Red
4.
etric fective
LS age: 431
tes su
4
LS age: 1979 .3
.3
RID: 0.0.0.2 Options: (No TOS-capability, DC) R4
.4 34.1.1.0 .3
RID: 0.0.0.2 Options: (No TOS-capability, DC) .4 34.1.1.0 .3 R3
rou le to
.1 12.1.1.0 .2 R4 R3
.1 12.1.1.0 .2 LS Type: AS External Link R2 LS Type: AS External Link RID: 0.0.0.4
Area 2 RID: 0.0.0.3
R1 Cost 10 RID: 0.0.0.4
Area 2 RID: 0.0.0.3
.0
?
0
55.0.
R1 Cost 10 R2 Link State ID: 9.9.9.0 (External Network Number )
T 20!
.0.0 2
/24 ab
Area 1
forw at is the e
.2
pf x
RID: 0.0.0.1 Advertising Router: 0.0.0.4 Advertising Router: 0.0.0.3
Area 1 LS Seq Number: 80000001 r o s s s 4 .0
route ary-addre
.x.0 be
23.1.1.0
LS Seq Number: 80000002 Area 0 RID:
23.1.1.0
4.4 ll you
RID: 0.0.0.2
summ
R1 R2 .1 12.1.1.0
Length: 36 RID: Area .2
ec r.
ard m
Length: 36 R2
24
.2 R1
nn ist
d
0.0.0.1
ec r.
RID: 0.0.0.1
1
0/
co Red
d
Area 0
23.1.1.0
te
9.
0/
4. .0 24
Wh
23.1.1.0
ec r .
Metric Type: 2 (Larger than any link state path) Area 0
9.
the ere w
9.
4. 4.5 .0/
nn ist
0/ 4
d
.3 Cost 10
7. /2
te
9.
4. . 0 24
MTID: 0 Either on
9.
co Red
4. .4.4
24
.3 Cost 10 MTID: 0
4. .4.5 .0/
/2 4
9.
7.0 /2
ec r.
.4 34.1.1.0 .3
4 .4.4
4
nn ist
d
Metric: 20 .
te
R4
co Red
4
.4 34.1.1.0 .3 Metric: 20 R3
R4 or R3
E2
3
R4 R3 Cost 55 Forward Address: 34.1.1.4 .4 34.1.1.0 .3 .3
Wh
R4
Cost 55 Forward Address: 0.0.0.0 R3
AREA 2 NSSA
.3
R3
Area 2 area 2 range 34.0.0.0/8 RID: 0.0.0.4 RID: 0.0.0.3
How can you calculate the forward metric R1#show ip route 9.9.9.0 E2 How can you calculate the forward metric R1#show ip route 9.9.9.0 R1#show ip route ospf | I 4.
Known via "ospf 1", distance 110, metric 20, type extern Known via "ospf 1", distance 110, metric 20, type extern Where can you summarize these internal O IA 4.0.0.0/8 [110/76] via 12.1.1.2, 00:05:54, e0/0
from R1 to 9.9.9.0/24 ? from R1 to 9.9.9.0/24 ?
2, forward metric 75 2, forward metric 75
What show commands are needed? What show commands are needed? AREA 2 routes? RID: 0.0.0.2
R1#show ip ospf database external R1#show ip ospf database external .1 12.1.1.0 .2
R1 Cost 10 R2
Link State ID: 9.9.9.0 (External Network Number ) RID: 0.0.0.2 Link State ID: 9.9.9.0 (External Network Number ) RID: 0.0.0.1 .2
RID: 0.0.0.2 Advertising Router: 0.0.0.4 .1 12.1.1.0 .2 Advertising Router: 0.0.0.3 RID: 0.0.0.2 Area 1
.1 R1 Cost 10 R2 .1 12.1.1.0 .2
12.1.1.0 .2
23.1.1.0
R2 Forward Address: 0.0.0.0 ( 0.0.0.0 = set to self ) RID: 0.0.0.1 .2 Forward Address: 34.1.1.4 R1 Cost 10 R2 Area 0
R1 Cost 10 Area 1
4. . 0 24
RID: 0.0.0.1 .2 RID: 0.0.0.1 .2
4. .4.5 .0/
R1#show ip ospf database asbr-summary R1#show ip ospf database asbr-summary
0/ 4
Area 1 Area 1
7. /2
23.1.1.0
4 4. 4
Area 0
24
Link State ID: 0.0.0.4 (AS Boundary Router address) Link State ID: 0.0.0.3 (AS Boundary Router address)
23.1.1.0
23.1.1.0
4.
Area 0 Area 0
Advertising Router: 0.0.0.2 Advertising Router: 0.0.0.2
4. . 0 24
.3 Cost 10
ec r.
24
nn ist
d
4. .4.5 .0/
0/ 4
te
0/
7. /2
.3
co Red
ec r.
4 .4.4
R4
nn ist
24
d
9.
/2
R3
te
Cost 55
9.
co Red
.3 Cost 10
.0
4
9.
R1#sh ip ospf database router 0.0.0.2 R1#show ip ospf database summary 34.1.1.0
.9
.3 Cost 10 .4 34.1.1.0 .3
9.
Link State ID: 0.0.0.2 R4 Cost 55 R3 Link State ID: 34.1.1.0 (summary Network Number) .4 34.1.1.0 .3 R3#
.4 34.1.1.0 .3 R4
R4 R3 Advertising Router: 0.0.0.2 Advertising Router: 0.0.0.2 R3
Cost 55 RID: 0.0.0.4 AREA 2 NSSA RID: 0.0.0.3
RID: 0.0.0.4
Cost 55
RID: 0.0.0.3
router ospf 1
RID: 0.0.0.4 RID: 0.0.0.3 TOS 0 Metrics: 10 From R1 to ABR Area 1
area 2 range 34.0.0.0/8 Metric: 65 Area 2 area 2 range 4.0.0.0 255.0.0.0 [not-advertise]
Area 2
What info will the following provide: R1#show ip ospf database adv-router 0.0.0.2 What info will the following provide: You will be load-balancing over unequal,
OSPF Router with ID (0.0.0.1) (Process ID 1)
R1#show ip ospf database adv-router 0.0.0.2 What is the potential problem of physical access rates. The DMVPN tunnel
OSPF Router with ID (0.0.0.1) (Process ID 1) using OSPF Point-to-Multipoint in this
R1#show ip ospf database adv-router 0.0.0.2 Router Link States (Area 1) R1#show ip ospf database adv-router 0.0.0.2 Router Link States (Area 1) will not see the underlying access-rates!
Link ID ADV Router Age Seq# Checksum Link scenario with DMVPN?
count
0.0.0.2 0.0.0.2 1774 0x8000000E 0x008A6D 1
Link ID
0.0.0.2
ADV Router
0.0.0.2
Age
222
Seq# Checksum Link count
0x80000010 0x00866F 1 OSPF Point-to-Multipoint Help me create more flashcards:
RID: 0.0.0.2
.1
RID: 0.0.0.2
Net Link States (Area 1)
OSPF Point-to-Multipoint
.1 12.1.1.0 .2 Net Link States (Area 1) 12.1.1.0 .2
R2 R1 Cost 10 R2
R1 Cost 10 Link ID ADV Router Age Seq# Checksum
Link ID ADV Router Age Seq# Checksum
ve!
RID: 0.0.0.1 .2 RID: 0.0.0.1 .2
Area 1 12.1.1.2 0.0.0.2 222 0x80000005 0x00E53B
-
Area 1 12.1.1.2 0.0.0.2 1774 0x80000003 0x00E939
o sol
23.1.1.0
DMVPN
23.1.1.0
cast t
ec r.
4
nn ist
d
/2
nn ist
d
te
Use P
9
9
9.
.4 34.1.1.0 .3
Summary ASB Link States (Area 1)
R4
.4 34.1.1.0 .3 Link ID ADV Router Age Seq# Checksum
rates:
R4 Cost 55 R3 Link ID ADV Router Age Seq# Checksum Cost 55 R3
0.0.0.3 0.0.0.2 1147 0x80000001 0x00B577
10.0.0.0/8
RID: 0.0.0.4 RID: 0.0.0.3 0.0.0.4 0.0.0.2 43 0x80000005 0x00CB25 RID: 0.0.0.4 RID: 0.0.0.3 10.0.0.0/8
Area 2 area 2 range 34.0.0.0/8
AREA 2 NSSA area 2 range 34.0.0.0/8
R1#show ip ospf database R1#show ip ospf database R1#
What info will the following provide: How can you solve this situation,
What info will the following provide: OSPF Router with ID (0.0.0.1) (Process ID 1)
Router Link States (Area 1)
OSPF Router with ID (0.0.0.1) (Process ID 1)
Router Link States (Area 1) accounting for the unequal, physical
router ospf 1
neigbor 1.1.1.1 cost 10 (needs to cost less)
Ranging 5 bucks to unlimited!
Link ID ADV Router Age Seq# Checksum Link count Link ID ADV Router Age Seq# Checksum Link count
R1# show ip ospf database 0.0.0.1 0.0.0.1 1952 0x80000007 0x00976B 1 R1#show ip ospf database 0.0.0.1 0.0.0.1 481 0x80000009 0x00936D 1
access rates using OSPF ? neigbor 1.1.1.2 cost 100 (has lower Bandwith)
0.0.0.2 0.0.0.2 6 0x8000000F 0x00886E 1 0.0.0.2 0.0.0.2 548 0x80000010 0x00866F 1 int tun123
RID: 0.0.0.2
Net Link States (Area 1) .1 12.1.1.0 .2 Net Link States (Area 1) ip ospf network point-to-multipoint non-broadcast
RID: 0.0.0.2 Link ID ADV Router Age Seq# Checksum R1 Cost 10 R2 Link ID ADV Router Age Seq# Checksum R1
.1 12.1.1.0 .2 12.1.1.2 0.0.0.2 6 0x80000004 0x00E73A RID: 0.0.0.1 .2
R2 Area 1 12.1.1.2 0.0.0.2 548 0x80000005 0x00E53B R1
R1 Cost 10
RID: 0.0.0.1 .2 Summary Net Link States (Area 1) Summary Net Link States (Area 1)
23.1.1.0
Area 0 23.1.1.0 0.0.0.2 748 0x80000003 0x009A7B 23.1.1.0 0.0.0.2 1315 0x80000004 0x00987C
NBMA access
ec r.
24
34.0.0.0 0.0.0.2 6 0x80000003 0x004A8B 34.0.0.0 0.0.0.2 548 0x80000004 0x00488C DMVPN
te
0/
co Red
rates:
ec r.
9.
4
Summary ASB Link States (Area 1) Summary ASB Link States (Area 1)
nn ist
d
/2
9.
1.1.1.2 10 100
te
.3 Cost 10
Thanks for appreciating my efforts
9.
1.1.1.1
co Red
0
.3 Cost 10 0.0.0.4 0.0.0.2 254 0x80000005 0x00CB25 R4 0.0.0.3 0.0.0.2 1474 0x80000001 0x00B577 1.1.1.2
9.
Cost 55 R3 1.1.1.1
.4 34.1.1.0 .3
R4 Cost 55 R3
Type-5 AS External Link States RID: 0.0.0.4
AREA 2 NSSA RID: 0.0.0.3 Type-5 AS External Link States 10.0.0.0/8
Link ID ADV Router Age Seq# Checksum Tag Link ID ADV Router Age Seq# Checksum Tag
RID: 0.0.0.4
Area 2
RID: 0.0.0.3 area 2 range 34.0.0.0/8 10.0.0.0/8
area 2 range 34.0.0.0/8 9.9.9.0 0.0.0.4 1474 0x80000003 0x003B53 0 9.9.9.0 0.0.0.3 1469 0x80000001 0x000E5B 0
Colin
http://www.flashcardguy.ch
What info will the following provide: R1#show ip ospf database external
redist. static 4.4.4.4/32 redist. static 4.4.4.4/32
What info will the following provide: R1#show ip ospf database external R1#show ip ospf database external
23.1.1.0
Area 0 Advertising Router: 0.0.0.4 Advertising Router: 0.0.0.3 Area 0
ARE
23.1.1.0
LS Seq Number: 80000001 Area 0 LS Seq Number: 80000001 12.1.1.0 13.1.1.0 12.1.1.0 13.1.1.0 A1
ec r.
.1 .1
0/
.1
ec r .
co Red
24
LS Type: AS External Link
nn ist
d
9.
Length: 36 Length: 36
te
0/
R1 R1
9.
co Red
.3 Cost 10 Network Mask: /24 Link State ID: 4.4.4.0 (External Network Number )
9.
9.
9.
.4 34.1.1.0 .3 .3 Cost 10 Metric Type: 2 (Larger than any link state path) Advertising Router: 0.0.0.3
9.
R4 Metric Type: 2 (Larger than any link state path)
Cost 55 R3 .4 34.1.1.0 .3 MTID: 0
RID: 0.0.0.4 RID: 0.0.0.3
MTID: 0
Metric: 20
R4
Cost 55 R3 Metric: 20
R1#show ip ospf database external Network Mask: /24
RID: 0.0.0.4 RID: 0.0.0.3 Forward Address: 34.1.1.4 Metric: 20
Forward Address: 0.0.0.0 AREA 2 NSSA connections = e0/x
Forward Address: 24.1.1.4
External Route Tag: 0 External Route Tag: 0 ip ospf network broadcast
R3#show ip ospf topology-info
What info will the following provide: show ip ospf events: clear ip ospf events redist. static 4.4.4.4/32
OSPF Router with ID (0.0.0.3) (Process ID 1) R2#show ip ospf database external
Network 9.9.9.0 from UP to DOWN status: Base Topology (MTID 0) R4 LS Type: AS External Link
R4
R1#show ip ospf events .4 .4 .4 .4 Link State ID: 4.4.4.0 (External Network Number )
Timer Exp: if_ack_delayed 0xAB5314C0 Topology priority is 64 Advertising Router: 0.0.0.4
Redistributing External Routes from, 34.1.1.0 24.1.1.0 Network Mask: /24
RIB Delete, Topo Base, dest 9.9.9.0, mask 255.255.255.0, gw 12.1.1.2,
via Ethernet0/0, source 0.0.0.4, type Ext2
Router is not originating router-LSAs with maximum metric
.2 Area 1 .3 .2 Area 1 .3 Metric: 20
Number of areas transit capable is 0
NSSA
R1
.1 12.1.1.0
Cost 10
.2
RID: 0.0.0.2
R2
Insert MAXAGE lsa: 0xAA4223E8 9.9.9.0 Output of Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
R2
.2
R3
.3
R2
.2
R3
.3
Forward Address: 0.0.0.0
RID: 0.0.0.1 .2 Rcv Changed Type-5 LSA, LSID 9.9.9.0, Adv-Rtr 0.0.0.4, Seq# 80000002,
Maximum wait time between two consecutive SPFs 10000 msecs Area 0 Area 0 AREA
Area 1 Age 3600 1
Area BACKBONE(0)
13.1.1.0 12.1.1.0 13.1.1.0 NSSA
23.1.1.0
Area 0
Network 9.9.9.0 from DOWN to UP status: show ip ospf topology-info SPF algorithm last executed 03:06:47.368 ago
SPF algorithm executed 2 times .1 .1 .1 .1
ec r.
R1
24
Area 1 R 3 ha
9.
s high
9.
.3 Cost 10 RIB Replace, Topo Base, dest 9.9.9.0, mask 255.255.255.0, It is a NSSA area
9.
100.0.0.0/24
100.0.0.0/24
Area 0 10.1.1.1 0.0.0.1 6 (DNA) 0x800001 0x00E944 If necessary add authentication or set it to
RID: 0.0.0.4 12.1.1.0 0.0.0.1 6 (DNA) 0x800001 0x006DB0 Null.
R1 R1 RID: 0.0.0.4 12.1.1.0 0.0.0.2 547 0x800002 0x0065B6
RID: 0.0.0.1 RID:0.0.0.3
Redistr. static R1#show ip ospf database external 5.5.5.5 interface Serial1/1
interface Serial1/1
0.0.0.0/0 Config ip ospf message-digest-key 1 md5 ccie
ip ospf message-digest-key 1 md5 ccie
OSPF Router with ID (0.0.0.1) (Process ID 1) ip ospf message-digest-key 2 md5 NEW-PASS
AREA Area 2 RIP R2 R1 R2
Area 1 R2 router ospf 1 R1
0 R3 NSSA R4 routes R5 Lo0 Type-5 AS External Link States
router-id 0.0.0.2
5.5.5.5 interface Serial1/2 interface Serial1/2
R1 area 0 authentication ip ospf message-digest-key 1 md5 ccie
Routing Bit Set on this LSA in topology Base with MTID 0 ip ospf message-digest-key 1 md5 ccie
R6
12.0.0.0 23.0.0.0 34.0.0.0 45.0.0.0
LS age: 121
Options: (No TOS-capability, DC)
How to verify OSPF interface Serial1/1
ip ospf message-digest-key 2 md5 NEW-PASS
AREA Area 2 RIP TTL set to 1 Length of message 48 bytes OSPF Router with ID (0.0.0.4) (Process ID 1)
Area 1 R2 AREA Area 2 RIP
Area 1 R2
0 R3 NSSA R4 routes R5 Lo0
5.5.5.5 0 R3 NSSA R4 routes R5 Lo0
5.5.5.5
Explain the output of the show ip ospf database network Net Link States (Area 0)
R1
R6
R1
R6
following command with Type 1 Router-id of the received packet.
Routing Bit Set on this LSA in topology Base with MTID 0 Help me create more flashcards:
12.0.0.0 23.0.0.0 34.0.0.0 45.0.0.0 OSPF Version 2 On the DR of this network? LS age: 185
12.0.0.0 23.0.0.0 34.0.0.0 45.0.0.0
Auth: Options: (No TOS-capability, DC)
LS Type: Network Links
Link State ID: 10.1.1.4 (address of Designated Router)
The router needs to have a minimum of OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:0.0.0.3 aid:0.0.0.0 chk:EC94 aut:1 RID: 0.0.0.2 RID: 0.0.0.4 Advertising Router: 0.0.0.4
What is mandatory for the following one interface within Area 0 for “no- debug ip ospf packet auk: from Serial1/3
command to work correctly ? summary” to work! 10.1.1.0/24
LS Seq Number: 80000002
Checksum: 0x70A2 Simply press this button and send me your
Length: 40
router ospf 1
Area ID Network Mask: /24
Attached Router: 0.0.0.4
credit cards regards!
router ospf 1 Authentication key Authentication type 1 Attached Router: 0.0.0.1 All OSPF routers on
area 2 nssa no-summary
area 2 nssa no-summary Attached Router: 0.0.0.2 that subnet
Attached Router: 0.0.0.3
RID: 0.0.0.1 RID: 0.0.0.3
Redistr. static R1#
R1#show ip ospf route *
0.0.0.0/0 Type-5 AS External Link States *> conn
SPF ected ID 1)
OSPF Ranging 5 bucks to unlimited!
Link ID ADV Router Age Seq# Checksum Tag OSPF Router with ID (0.0.0.1)O(Process
Area 1 R2
AREA Area 2 RIP 0.0.0.0 0.0.0.3 182 0x80000001 0x00C6C3 0 What to expect of: lea , do
rne
0 R3 NSSA R4 routes R5 Lo0
5.5.5.5 R2# Base Topology (MTID 0)
n
d r ot s
ou ho
te wa
Do not advertise the secondary
Type-5 AS External Link States
R1
R6 Link ID ADV Router Age Seq# Checksum Tag
Area BACKBONE(0) >
address:
12.0.0.0 23.0.0.0 34.0.0.0 45.0.0.0 0.0.0.0 0.0.0.3 206 0x80000001 0x00C6C3 0 Intra-area Route List interface Loopback0
R4# R3# show ip ospf route * 10.1.1.0/24, Intra, cost 1, area 0, Connected
interface Loopback0 ip address 10.2.2.2 255.255.255.0 secondary
Type-7 AS External Link States (Area 2) via 10.1.1.1, FastEthernet0/0
area 2 nssa default-information-originate Link ID ADV Router Age Seq# Checksum Tag * 1.0.0.0/8, Intra, cost 1, area 0, Connected ip address 10.2.2.2 255.255.255.0 secondary ip address 2.2.2.2 255.0.0.0
0.0.0.0 0.0.0.4 222 0x80000001 0x002C53 0 via 1.1.1.1, Loopback0 ip address 2.2.2.2 255.0.0.0 ip ospf 1 area 0 secondaries none
Type-5 AS External Link States RID: 0.0.0.2 RID: 0.0.0.4 *> 2.0.0.0/8, Intra, cost 2, area 0
What will the output of the following command Link ID ADV Router Age Seq# Checksum Tag
via 10.1.1.2, FastEthernet0/0
show on all Routers in regards to 0.0.0.0 ?
0.0.0.0
R6#
0.0.0.3 221 0x80000001 0x00C6C3 0 10.1.1.0/24 *> 3.0.0.0/8, Intra, cost 2, area 0 router ospf 1 Thanks for appreciating my efforts
via 10.1.1.3, FastEthernet0/0 network 10.2.2.2 0.0.0.0 area 0
Type-7 AS External Link States (Area 2)
show ip ospf database *> 4.0.0.0/8, Intra, cost 2, area 0
Link ID ADV Router Age Seq# Checksum Tag
RID: 0.0.0.1 RID: 0.0.0.3 via 10.1.1.4, FastEthernet0/0
network 2.2.2.2 0.0.0.0 area 0
0.0.0.0 0.0.0.4 250 0x80000001 0x002C53 0
Colin
http://www.flashcardguy.ch
What two solutions are Option 1: vLink
OSPF stub area: What will be seen in the routing table in this O*IA 0.0.0.0/0 [110/65] via 12.1.1.2, 00:26:43, Serial1/2
situation? O 222.22.2.0/24 [110/65] via 12.1.1.2, 00:04:49, Ser1/2
ip ospf retransmit-interval 10
R1 R2 Area 2
22.22.22.0/24
access-list 11 permit 0.0.0.2 Simply press this button and send me your
R1 expects ACK for LSA Lo X within 5 seconds from R2 Verify configuration R1
12.1.1.x
R2
credit cards regards!
RID: 0.0.0.1 RID: 0.0.0.2
R1#show ip ospf interface fa0/0 | i Retransmit
Timer intervals configured, Hello 250 msec, Dead 1, Wait 1, Retransmit 10 OSPF router-id of R2
R1 R4 R2
Are
a X R3 Are
aX
R1 R4 Thanks for appreciating my efforts
X
R3
X
http://www.flashcardguy.ch
R1# AS 100
R1#show ip bgp 112.0.0.0 255.0.0.0
BGP routing table entry for 112.0.0.0/8, version 22
Paths: (2 available, best #2, table Default-IP-Routing-Table)
router bgp 65379
bgp confederation identifier 100
bgp confederation peers 65146
AS 100
Confed
65379
iBGP
BGP
Not advertised to any peer neighbor 155.1.37.3 remote-as 65379
54 50 60
54.1.1.254 (metric 2172416) from 155.1.146.6 (150.1.6.6)
neighbor 155.1.37.7 remote-as 65146
neighbor 155.1.44.44 remote-as 200 Synchronization By default BGP routes that have RIB-failure
Confed
Origin IGP, metric 0, localpref 100, valid, internal
show ip bgp x.x.x.x y.y.y.y 65146 are advertised to neighbors.
explained:
54 50 60
204.12.1.254 (metric 30720) from 155.1.0.4 (150.1.4.4) iBGP Confederation R1#show ip bgp 150.1.6.0
Local Disable RIBfailure marked routes
Origin IGP, metric 0, localpref 100, valid, internal, best
155.1.108.10 from 155.1.58.5 (150.1.5.5)
This can be disabled by using:
Origin IGP, metric 0, localpref 100, valid, confed-internal from being automatically
(65379 65146)
155.1.146.4 (metric 2172416) from 155.1.0.3 (150.1.3.3)
propagated:
204.12.1.254 eBGP next-hop
Origin IGP, metric 0, localpref 100, valid, confed-external
bgp suppress-inactive
155.1.0.4 Peering-IP
(150.1.4.4) router-id 200
192.10.1.254 from 192.10.1.254 (222.22.2.1)
Origin incomplete, metric 0, localpref 100, valid, external
(65146 65379)
Modification neighbor 150.1.4.4 update-source Loopbck0 decision: …
155.1.37.7 .. from 155.1.0.1 (150.1.1.1)
Origin ..., valid, confed-external, best
... ...
R
Route-Reflector Client
cli
...
Originator: 204.12.1.10, Cluster list: 150.1.1.1
BGP is allowed to propagate the prefix. Update messages formatted 0, replicated 0
Number of NLRIs in the update sent: max 0, min 0
...
Local
RIB-failure output is an informational message to let us know
network 150.0.0.0 mask 255.252.0.0 Thanks for appreciating my efforts
155.1.79.9 (metric 2175488) from 155.1.58.5 (150.1.5.5)
that although the BGP route is valid, it is not being installed in
network 99.9.9.0 mask 255.255.255.0
Origin IGP, metric 0, localpref 100, valid, internal the routing table
Originator: 150.1.9.9, Cluster list: 150.1.1.1, 150.1.5.5 -> route via an IGP route with a lower administrative distance
Colin
http://www.flashcardguy.ch
Router bgp 200
Router bgp 100 How to make BGP ignore the Router bgp x load-balance based on the bandwidth of
Create a summary, but do not use auto-summary AS-Path length: bgp bestpath as-path ignore unequal cost load- the links used to connect to the external
BGP peers
aggregate-address: balancing
bandwidth value is copied into a new extended
community attribute
Described: Internal routers need maximum-path activated and
need to exchange ext-communities
1) Ignore invalid paths (no valid next hop, not synchronized,
looped). BGP origin type can be used for path selection:
2) Prefer path with the highest locally assigned weight R3
router bgp 100
value. i bgp dmzlink-bw
3) Prefer path with the highest Local Preference attribute neighbor 155.1.146.1 send-community extended
value.
4) Prefer locally originated prefixes (i.e. originated via the e neighbor 54.1.1.77 dmzlink-bw
205.90.31.0/24 R1
network, aggregateaddress maximum-path ibgp 2 interface Serial 0/0/0
?
Describe BGP path or redistribution commands).
5) Prefer path with the shortest AS_PATH attribute length
1. i
BGP bgp dmzlink-bw R3 bandwidth 1544
AS-3
6) Prefer path with the lowest numerical value of the Origin
BGP - Origin 2. e
3. ?
route-map X
set origin igp
R1
AS-5
selection: code (IGP < EGP <
Incomplete)
7) Prefer path with the lowest MED attribute value (provided
set origin egp
set origin incomplete DMZ Link Bandwidth R2
AS-7
---------------------------------------------------------------------------------------------------------
set weight 100
Selection - Weight MED set metric 1000 R3
AS-3
R1#show ip route 112.0.0.0
Routing entry for 112.0.0.0/8
Known via "bgp 100", distance 200, metric 0
router bgp 100 R1
...
AS-5 204.12.1.254, from 155.1.146.4, 00:07:21 ago
neighbor 204.12.1.254 route-map Route metric is 0, traffic share count is 48
AS-7 ...
SET_WEIGHT in R2 * 54.1.1.254, from 155.1.146.6, 00:07:21 ago
Route metric is 0, traffic share count is 1
...
X 1.2.3.4/24
Usefull “sh ip bgp regexp” sh ip bgp regexp _54$ BGP AS 5 AS-55
prefixes learned from different eBGP peers, prefer the older one,
BGP Lo3: 10.0.3.1/24 10.0.3.1/24
10.0.0.0/22
Colin
http://www.flashcardguy.ch
Prefixes advertised to the peer
BGP
R1
Router bgp 100
aggregate-address 10.0.0.0 255.255.252.0 summary-only Neighbor <IP> send-community neighbor <IP> advertise-map MAP-1 non-exist MAP-2
10.0.0.0/22
BGP BGP
BGP Lo3: 10.0.3.1/24
Communities Communities can be set be out/
Conditional Prefixes which will be tracked in local BGP table.
inbound route-maps or by the
Aggregate Summary Only
R2#show ip bgp 10.0.0.0/22 Command and prerequisites:
attribute map for locally generated
summaries.
Advertisement If used with non-exist : MAP-1's prefix is advertised
if MAP-2s prefix is NOT in BGP table.
Re
... Sca lies o
nn
er n BG
Local, (aggregated by 200 150.1.2.2)
... 60 P
Origin IGP, localpref 100, weight 32768, valid, aggregated, If used with exist-map : MAP-1's prefix is sec
!
local, atomic-aggregate, best advertised if MAP-2s prefix is in BGP table.
!
match ip address prefix-list PFX-Lo1
How the route was learned? BGP aggregate-address 10.0.0.0 255.255.252.0 summary-only
http://www.flashcardguy.ch
router bgp 200
BGP
AS-100 config: RMP-100-IN AS-600 in BGP table: AS-600
Lo10 10.0.0.1/24 Local-as AS-400
Lo10 10.0.1.1/24
AS-100 AS-400 AS-600 10.0.0.0/24 601 bgp dampening route-map DAMPENING
Lo10 10.0.2.1/24 10.0.2.0/24 R4
Lo10 10.0.3.1/24
Half_Life ReuseLimit SuppressLimit debug ip bgp rib-filter R1(config)#no ip route 99.99.99.99 255.255.255.255 Null0
SW1#show ip bgp neighbors 155.1.37.3 | include
Maximum|Thresh MaximumSuppressTime *Jul 16 16:46:30.470: BGP- ATF: EVENT 99.99.99.99/32 RIB update UP
Maximum prefixes allowed 20 (warning-only)
Threshold for warning message 75% show ip bg dampening flap-statistics
show ip bg dampening dampened-path
Router bgp 100 sh ip bgp 1.1.1.1/32 neighbor <IP> capability orf prefix-list {send | receive | both}
network 0.0.0.0 mask 0.0.0.0 ...
400 (suppressed due to dampening) (history entry)
Received:
... R1 R2 Network 6.6.6.6/32
----------------------------------------------------------- 1.1.1.1/32
AS-600
Local-as AS-400 Routes flaps twice in a row, they should only advertise R6#show ip bgp neighbors 155.1.146.4 received
prefix-filter
Ranging 5 bucks to unlimited!
601
R4 after 10 minutes of stability:
Address family: IPv4 Unicast er:
ip prefix-list 155.1.146.4: 3 entries filt
Maximum penalty = reuse-limit *2 ^ (maximum suppress ate t
Router bgp 400 seq 3 deny 6.6.6.6/32 u pd x ou
time/half-life tim to x.
Router bgp 600 Neigbor 6.6.6.6 remote-as 601 BGP seq 10 permit 0.0.0.0/0 le 32 hb
or * x.x.
Neigbor 4.4.4.4 remote-as 400 n eig bgp
2000 = 750 * 2 ^ ( 10 minutes / half-life time ) Outbound Route Filtering (ORF) Config ------------------------ rce
Fo clear
ip
BGP Local AS neighbor 4.4.4.4 local-as 601 no-prepend
BGP dampening calculation: 2000/750 = 2 ^ (10 / half-life)
8/3 = 2 ^ (10 / half-life) R1#
R4#sh ip bgp using basic exponential equation, take log of both side
Show commands: ip prefix-list ORF seq 3 deny 6.6.6.6/32
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 155.1.146.6 0 0 601 600 i ip prefix-list ORF seq 10 permit 0.0.0.0/0 le 32
log (8/3) = log [2 ^ (10 / half-life)]
0.4259 = 10 log 2 / half-life router bgp 400 Thanks for appreciating my efforts
0.4295 = 3.0102 / half-life neighbor 155.1.146.6 capability orf prefix-list both
AS 600 still visible! half-life = 7.067 (approximately 7) neighbor 155.1.146.6 prefix-list ORF in
Colin
http://www.flashcardguy.ch
Router bgp 100
AS-12
neighbor <IP> soft-reconfiguration inbound
Adj
BGP multipath BGP multipath
R1
10.0.0.0/24
R2 R5
BGP
Adj In RIB X
out
BGP Multipath BGP address family command BGP Multipath BGP address family command
BGP community AS-65123
AS-65199
As soon as any change that affects an BGP SOO BGP router bgp X
BGP existing NEXT_HOP occurs, the watch bgp asnotation dot
asplain:
65536 to 4294967295
bgp scan-interval
general scanning interval
interface X
neighbor <IP> ttl-security hops <hop-count> advertisement-interval bfd interval <msec> min_rx <msec> multiplier <interval-
periodic “batching” of events: multiplier>
BGP packets will be tolerated with a TTL no
BGP waits for the timer to expire and accumulates the bfd interval 50 min_rx 50 multiplier 3 ! = 150 msec holddown
lower than (255 – 2 hops) = 253
updates
BGP BGP scan interval BGP
R1/R3# scan-time import 15
neighbor <IP> ttl-security hops 2 router bgp 65000
process to import the MP-BGP VPNv4
TTL Security 2 Hops away prefixes into the local VRF table BFD for IPv4 and IPv6 neighbor 2001:DB8:5:1::2 fall-over bfd
R1
1 Hop away
R2 R3 R4 VPN performance tuning router bgp 100 neighbor 1.2.3.4 fall-over bfd
address-family vpnv4 unicast
scan-time import 15
R5#show ip bgp neighbors 1.1.1.1| inc TTL neighbor 150.1.5.5 advertisement-interval 0 show bfd neighbors
Mininum incoming TTL 253, Outgoing TTL 255 bgp scan import 5
2 Hops away
R1 R2 R3 R4 R3
1 Hop away
Area 2 Area 2
R1/R3# R4
neighbor <IP> ttl-security hops 2 R2
R1 R5
BGP Debug ip packet detail DUMP //do not use in production!
2nd Rule of R2 / R4 are OSPF AS-BR BGP PIC Edge and BGP FRR
TTL Security *Feb 10 12:15:37.485: IP: s=155.1.146.4 (GigabitEthernet0/0.146),
d=155.1.146.6 (GigabitEthernet0/0.146), len 61, rcvd 3 R2:
OSPF RID: 2.2.2.2
*Feb 10 12:15:37.485: TCP src=47218, dst=179, seq=1061966907,
ack=369930400, win=16384 ACK PSH IGP / BGP synchronization BGP RID: 2.2.2.2 Explained:
3F200C00: 0026 0B57B960 .&.W9`
Debugging: 3F200C10: 00260B57 BA610800 45C0003D 00150000 .&.W:a..E@.=.... 2nd rule of BGP synchronization!
3F200C20: FE0661D8 9B019204 9B019206 B87200B3 ~.aX........8r.3
3F200C30: 3F4C543B 160CB0A0 50184000 FF360000 ?LT;..0 P.@..6.. OSPF and BGP IDs have to match on R2 in order
3F200C40: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF ................
3F200C50: for R4 to advertise learned prefixes originated
FE Hex = 254 packet has arrived with a TTL of 254 from 155.1.146.4 from R1 to R5
- idle router bgp X
AS-6500 config: AS-6500 Received: - connect neigh 1.1.1.1 remote-as 200
AS-40 AS-6500
Lo10 10.0.0.1/24
Lo10 10.0.1.1/24
10.0.0.1/24
10.0.1.1/24
router bgp X - active ( 3 way handshake ) (reachability to peer)
address-family ipv4 unicast vrf x - open sent ( capabilities )
X - open confirm
neighbor transport-mode
BGP will deny 10.0.0.0 and 10.0.1.0/24 due
to seeing its own AS within the AS-Path
neighbor 1.1.1.1 as-override
- open OpenSent: Help me create more flashcards:
neighbor 2.2.2.2 as-override BGP info: - ASN Number
BGP debug ip bgp updates
rcv UPDATE about 7.7.7.7/32 -- DENIED due to: AS-PATH
BGP Keep alives
- Holddown
CE1 CE2 - Router-ID
AllowAS in contains our own AS;
as-override AS-6500 config: AS-6500 AS-40 AS-6500 - Options (AFI/SAFI)
Lo10 10.0.0.1/24
Lo10 10.0.1.1/24
1.1.1.1 2.2.2.2
- Open Simply press this button and send me your
AS-6500 config: AS-6500 AS-40
Lo10 10.0.0.1/24
Lo10 10.0.1.1/24
AS-6500
CE1: CE2:
BGP can NOT peer using a default 0/0 route! credit cards regards!
AS-path for 20.0.0.0/24: AS-path for 10.0.0.0/24:
40 40 0.0.0.0/0 0.0.0.0/0
2 IPv6
bu
11 IPX
12 AppleTalk and route-map PEER-ADDRESS permit 10 TCP SYN to 1.1.1.1:179
capabilities: set ip next-hop peer-address connection-mode
SAFI: 1.1.1.1
1 unicast forwarding neighbor x.x.x.x route-map OUT Server Side Client Side
2 multicast forwarding
Route-map OUT permit 10
outside inside
Thanks for appreciating my efforts
3 both, unicast and multicast forwarding If 9.0.0.0 would not be in the RT of Router
4 IPv4 label forwarding Set ip next-hop-self B, then 7.0.0.0 would be inaccessible. Watch out for stateful firewalls or Router
128 labeled VPN forwarding ACLs with keyword established
Colin
http://www.flashcardguy.ch
Setup BGP Sessions
AS-200 AS-200 bgp bestpath med missing-as-worst
consider a missing MED as having a value of infinity,
BGP
making the path without a MED value the least desirable
path.
BGP next-hop AS-100 AS-300 AS-100 AS-300
bgp bestpath med missing-as-
bgp bestpath med confed router bgp 50000
worst bgp route-map priority
Enable Path/MED comparison between different Sub-Ases bgp route-map priority address-family ipv4 unicast vrf inside
within a confederation.
AS-200 Route learned/ bgp route-map priority
default Forwarding traffic
received from bgp bestpath med confed - comparison between MEDs is made only if there are no
external autonomous systems in the path
- external autonomous system in the path, then the
external MED is passed transparently through the
AS-100 AS-300 confederation
B 1.0.0.0 200 100
2 Byte ASN Range: 4 Byte ASN Range: Used due to lowest MED
0 to 65535 0 to 4294967295 bgp router-id { ip-address | vrf auto-assign }
2 Byte max ASN 65535 = 0.65535 4 Byte ASN Format bgp bestpath med confed path= 65000 65004, med=2
Router bgp 45000
BGP 65536 = 1.0
65537 = 1.1
path= 65001 65004, med=3 bgp router-id 1.1.1.1
path= 65000 65004, med=2 path= 65002 65004, med=4
4 Byte ASN calculation Example calculation using ASN 140000 path= 65001 65004, med=3 path= 65003 22, med=1
path= 65002 65004, med=4 BGP router-id router bgp 45000
140000 / 65535 = 2.1 (gives the factor) path= 65003 22, med=1 bgp router-id vrf auto-assign
Has lower MED, but it is not involved in the MED
explained 2x 65535 = 131070
comparison because there is an external
autonomous system is in this path router bgp 45000
140000 - 131070 = 8930
Which path will be used? address-family ipv4 vrf VRF2
bgp bestpath med confed bgp router-id auto-assign
Final 4 Byte ASN Nr: 2.8930
Do not use the oldest path as the best Delay the first update with prefixes for X seconds
2 Byte ASN
NEWEST PATH Compare 1st bgp update-delay <seconds>
100.3 ? OLDER PATH Compare 2nd
4 Byte – 2 Byte BGP BGP OLDEST PATH Could be used in to initialize learned perfixes learned older
or newer depending how much you delay on which router.
bgp update-delay
ASN operation bgp bestpath compare-router-id bgp bestpath compare-router-id (will select lowest RID) Command can be used with:
Making bgp NOT compare down to the oldest path. bgp graceful-restart
M as
2 Byte
es
ED
1.2
neighbor GROUP remote-as 22 alternative-as 44
(u
http://www.flashcardguy.ch
How can you filter out any originated prefixes AS-100
AS-200
BGP
AS-100
originated by R5 and R6 without using Route-
router bgp 100 RID: 1.1.1.1 RID 4.4.4.4 R2 R1
address-family ipv4 unicast maps, ACLs / Prefix lists on RR-1 ? RR-1 RR-2 Prepending 2x
bgp additional-paths select all AS-100
RID: 1.1.1.1 RID 4.4.4.4 RID: 6.6.6.6
neighbor 192.168.1.2 additional-paths send receive RR-1 RR-2 R2 R3 R5 R6
neighbor 192.168.1.2 advertise additional-path all RID: 2.2.2.2 RID: 3.3.3.3
RID:
Lo6 R1#show ip bgp regexp ^([0-9]+)(_\1)*$
5.5.5.5
BGP additional path R2 R3 R5
RID: 6.6.6.6
R6 Lo5 6.0.0.0/8 BGP regex
address-family ipv4 unicast RID: 2.2.2.2 RID: 3.3.3.3 RID: 5.5.5.5 Lo6 RR-1# 5.0.0.0/8 (\1) stores, what ever was discovered as directly
bgp additional-path select all best 3 group-best Lo5 6.0.0.0/8
router bgp 100 attached neigbor AS!
.0/8
(BGP Add path) neighbor 1.1.1.1 route-map ADD-PATH out
neighbor 1.1.1.1 advertise additional-paths best 2 RR-1#show ip bgp
5.0.0
bgp cluster-id 4.4.4.4 Utilizing (\1): * allowes the prepend of one more
Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 0 32768 i
RR-1#show ip bgp instance of ANY prepended number.
route-map ADD-PATH permit 10 Network Next Hop Metric LocPrf Weight Path
*>i 2.0.0.0 12.1.1.2 0 100 0 i
match additional-paths advertise-set best 2 *> 1.0.0.0 0.0.0.0 0 32768 i show ip bgp regexp ^([0-9]+)(_\1)+$
*>i 3.0.0.0 13.1.1.3 0 100 0 i
*>i 2.0.0.0 12.1.1.2 0 100 0 i
set metric 888 *>i 4.0.0.0 14.1.1.4 0 100 0 i
*>i 3.0.0.0 13.1.1.3 0 100 0 i
*>i 5.0.0.0 45.1.1.5 0 100 0 i Filter them out
*>i 4.0.0.0 14.1.1.4 0 100 0 i
+ only allows 200 200, the prepended number needs to be
*>i 6.0.0.0 46.1.1.6 0 100 0 i the same!
Keyword BGP Backdoor: R1 How will the config look in regards to the R1#
12.1.1.x 13.1.1.x
How do you configure router bgp 50 BGP confederation ? router bgp 65511
bgp confederation identifier 900 Confed peer not
bgp bestpath as-path multipath-relax Lo0 R2 R3 Lo0 configured!
eBGP multipath? maximum-paths 2 Configure R3 and R2 so that traffic from Loopback 2.0.0.0/24 10.1.23.x 3.0.0.0/24
neigbor R2.R2.R2.R2 remote-as 65511
neighbor 2.2.13.3 remote-as 100 to loopback takes the ethernet interfaces. AS-900 R2#
neighbor 2.2.16.6 remote-as 200 Use two different configuration on both sides! EIGRP 100 router bgp 65511
AS-888 R1 AS-65511 bgp confederation identifier 900
Router#show bgp
BGP Backdoor, two solutions: R2 bgp confederation peers 65522
R1 AS-100
R3# neigbor R1.R1.R1.R1 remote-as 65511
Network Next Hop Metric LocPrf Weight Path BGP session R2 AS-200
R3 AS-65522 neigbor R3.R3.R3.R3 remote-as 65522
*> 1.2.3.4/32 2.2.16.6 0 200 888 i R3 AS-300 1. router bgp 300
Confederation peers only
*m 2.2.13.3 0 100 888 I network 2.0.0.0 mask 255.255.255.0 backdoor R4 R3# configured where
AS-100 AS-200 R1 router bgp 65522 necessary!
12.1.1.x 13.1.1.x bgp confederation identifier 900
Router#show ip route bgp
R2#
R5 AS-65533 bgp confederation peers 65511
1.0.0.0/32 is subnetted, 1 subnets Lo0 R2 R3 Lo0 router bgp 200 neigbor R2.R2.R2.R2 remote-as 65511
AS-50 B 1.2.3.4 [20/0] via 2.2.16.6, 00:01:46 2.0.0.0/24 10.1.23.x 3.0.0.0/24 neigbor R4.R4.R4.R4 remote-as 65522
[20/0] via 2.2.13.3, 00:01:46
2. distance 91 12.1.1.1 0.0.0.0 88
Weight, LP, AS-Path, Origin, MED need to be the same. EIGRP 100 R6 AS-123
access-list 88 permit 3.0.0.0
Po pla
*>i 13.1.1.3 0 100 0I
Te
capability allowas-in
lic tes
m
RR client RR client path with the lowest metric in this default-originate
y
description
bgp session R2#show ip bgp 3.3.3.3 distribute-list
bgp session
BGP routing table entry for 3.0.0.0/8, version 4
situation? Sending MET 150
for all prefixes
dmzlink-bw
filter-list
disable-connected-check
ebgp-multihop
Help me create more flashcards:
Paths: (2 available, best #2, table default)
Not advertised to any peer
BGP Session templates maximum-prefix fall-over
3. Lo0
nt
nt
RR-
RR-C
RR-Client
RR-Client
RR
RR
lie
lie
Paths: (1 available, best #1, table default)
-C
-C
-C
-C
RID: 1.1.1.1 AS-100
Clie
Not advertised to any peer lie
lie
RR
RR
lien
access-list 88 deny 2.0.0.0 0.0.0.0
n
n
RR
nt
t
t
Refresh Epoch 1
t
access-list 88 permit any
RR client RR client Local
bgp session 13.1.1.3 (metric 128) from 12.1.1.1 (1.1.1.1)
.x
.x
13
13
34.0.0.x 34.0.0.x
.0
.0
bgp session
.0
.0
12.0.0.x
.0
.0
Origin IGP, metric 0, localpref 100, valid, internal, best
router bgp 100
.0
.0.
24
24
12.0.0.x
What are 3 different examples of
.x
Originator: 3.3.3.3, Cluster list: 1.1.1.1
x
4
R2 R3 R2 R3
.0
. 3 Lo
bgp session
filtering methods in BGP:
33
R2 R3 RR#show ip bgp 33.33.33.0 ip prefix-list PFX-1 deny 2.0.0.0/24 2.0.0.0/8 3.0.0.0/8 2.0.0.0/8 3.0.0.0/8
BGP routing table entry for 33.33.33.0/24, version 11
ip prefix-list PFX-1 permit 0.0.0.0/0 le 32
33
RID: 2.2.2.2 RID: 3.3.3.3 Paths: (1 available, best #1, table default)
Advertised to update-groups:
.
BGP Route-reflector cluster:
2 router bgp 100 x…
Output of show ip bgp 33.33.33.0 Refresh Epoch 2 neigbor 1.1.1.1 filter-list 77 in
bgp
r ege
s t <1-
50
0> All IGP metrics are the same. 13th Prefer the path that comes from the Thanks for appreciating my efforts
Local, (Received from a RR-client) wi
p
er -l i Which path will R2 choose to lowest neighbor address
13.1.1.3 from 13.1.1.3 (3.3.3.3) ip as-path access-list 77 deny _300$ sho filt
On R2 and the RR: gp reach 3.0.0.0/8 ?
Origin IGP, metric 0, localpref 100, valid, internal, best ip as-path access-list 77 permit .* ip b
w
sho
Colin
http://www.flashcardguy.ch
12.0.0.1 12.0.0.2 13.0.0.3 AS-100 Customer
AS-100 AS-200 AS-400 AS-100 AS-200 AS-400
BGP Inject-map R1 R2 R3
BGP
R1 sends a R3 R1
default route to R2 13.0.0.2 Via R2 1.0.0.0/8 1.0.0.0/8 AS-100 Customer 4.0.0.0/8
R4
Inject ANY prefix into BGP 99.99.99.0/24
12.0.0.1 12.0.0.2 12.0.0.1 12.0.0.2 R2
8.0.0.0/8
4.0.0.0/8
R2 has ALL routes in table due the default R1 R2 R3 R4 R1 R2 R3 R4 R3 R1 R4 8.0.0.0/8 router bgp 100
route, R2 can inject ANY route specified by the neigbor 2.2.2.2 remote-as 100 Ma
R1 sends a neigbor 2.2.2.2 route-map RMP-R2-IN in tch
R2# INJECT route-map into BGP! R1# 4.0
default route to R2 R2 .0.
12.0.0.2 13.0.0.3 router bgp 200 neigbor 12.1.1.2 send-community route-map RMP-R2-IN permit 10 0a
nd
R1 R2 R3 bgp inject-map INJECT exist-map EXIST neigbor 12.1.1.2 route-map RMP-SET-COM R2# match community 4 set
com
12.0.0.1 13.0.0.2 neigbor 12.0.0.1 remote-as 100 set ip next-hop 2.2.2.2
neigbor 13.0.0.3 remote-as 300 route-map RMP-SET-COM Router bgp 200 BGP communites / tags route-map RMP-R2-IN permit 10
4
match ip address 1
route-map INJECT permit 10 set community no-export no neigbor 23.1.1.3 send-community R1 match community 4 router bgp 100
neigbor 4.4.4.4 remote-as 400
Inject network 99.99.99.0/24 SET ip address prefix INJECT-THIS-NETWORK
access-list 1 permit 1.0.0.0 0.0.0.255
Ensure R3 takes takes path via R1 towards set ip next-hop to R1
neigbor 4.4.4.4 send-community
which is NOT configured on R2, route-map EXIST 4.0.0.0/8 neigbor 4.4.4.4 route-map RMP-R4-IN in
match ip address prefix DEFAULT match community 8
into R2s BGP table. match ip route-source prefix R1-NEXT-HOP Ensure that 1.0.0.0/8 is in R4 routing table, do By disabling communities from R2 to R3, the And R2 towards 8.0.0.0/8 Set ip next-hop to R2 route-map RMP-R4-IN permit 10
R3 will see the route but will not match ip address 4
ip prefix-list DEFAULT permit 0.0.0.0/0 NOT create/modify existing route-maps: community “no-export” set by R1 will be removed. set community 4
be able to reach it. ip prefix-list INJECT-THIS-NETWORK 99.99.99.0/24 Therefore R2 will advertise 1.0.0.0/8 to R4 Use communities to accomplish this task: route-map RMP-R4-IN permit 20
ip prefix-list R1-NEXT-HOP permit 12.0.0.1/32 access-list 4 permit 4.0.0.0 0.255.255.255
10.0.0.0/24
AS 22
10.0.1.0/24
R2 R1
R2# AS 57
AS 44
router bgp 100 AS 35
Set-community 10.0.3.0/
aggregate-address 10.0.0.0 255.255.252.0 summary-only as-set 24
No-advertise AS 19
aggretator
10.0.0.0/24
10.0.2.0/24
AS 22
10.0.1.0/24 R2
AS 57 R1 R3#show ip bgp community no-advertise
AS 44 ...
AS 35
10.0.2.0/24 10.0.3.0/24 Network Next Hop Metric LocPrf Weight Path
AS 19
aggretator
show ip bgp s> 10.0.2.0/24 35.1.1.5 0 0 19 i
set-community
no-advertise ! ? *> 10.0.0.0/22 0.0.0.0 100 32768 {22,57,19} i
10.0.0.0/24
AS 22
Give two solutions on how to fix the 10.0.1.0/24
R2 R1
missing summary on R1 AS 57
AS 35
AS 44
Set-community 10.0.3.0/24
aggretator
No-advertise AS 19
10.0.2.0/24
R2# Solution 1
router bgp 100
aggregate-address 10.0.0.0 255.255.252.0 summary-only as-set Change outbound route-map of AS-19 NOT to set community
no-advertise.
10.0.0.0/24
AS 22 Solution 2
10.0.1.0/24 R2 R2#
AS 57 R1
router bgp 35
AS 44
AS 35 aggregate-address 10.0.0.0 255.255.252.0 summary-only as-set
10.0.2.0/24 10.0.3.0/24 attribute-map ATTR-MAP
AS 19
aggretator
show ip bgp
set-community route-map ATTR-MAP permit 10
no-advertise ! ? set community internet
Will only send the summary
Includes all AS numbers of all
What do the following specific routes of the summary.
address and suppress the more
specific routes
commands do?
router bgp 300
bgp log-neighbor-changes
aggregate-address 10.1.0.0 255.255.252.0 as-set summary-only Help me create more flashcards:
router bgp 300 attribute-map ATTR-MAP advertise-map ADVERTISE-MAP
bgp log-neighbor-changes
aggregate-address 10.1.0.0 255.255.252.0 as-set summary-only Sets attributes such as communities etc
attribute-map ATTR-MAP advertise-map ADVERTISE-MAP route-map ATTR-MAP permit 10
set community internet
Can be used to filter out either single prefixes and their attached Simply press this button and send me your
attributes (no-export with AS-SET!) or entire AS numbers out of the
summary (with or without no-advertise / no-export attributes) credit cards regards!
route-map ADVERTISE-MAP permit 10
match as-path 400 (if you only want to have AS 400 in AS-SET)
or
match ip address prefix-list PFX-MATCH-ONLY-THIS-INTO-AS-SET
10.0.0.0/24 AS 22
R7 AS 77
10.0.0.0/24
AS 22 R7 AS 77
10.0.1.0/24 AS 57
R2 R1 10.0.1.0/24 AS 57
R2
R1
AS 44
Ranging 5 bucks to unlimited!
AS 35
AS 44
AS 35
aggretator
X
AS 19
aggretator 10.0.2.0/24
AS 19
10.0.2.0/24
R2#
router bgp 100
R2#
aggregate-address 10.0.0.0 255.255.252.0 summary-only as-set
router bgp 100
aggregate-address 10.0.0.0 255.255.252.0 summary-only as-set
R2#:
router bgp 35
neigbor 7.7.7.7 unsuppress-map DONT-SUPPRESS
Unsuppress 10.0.1.0/24 to R7 but not to R1 route-map DONT-SUPPRESS
match ip address 2 Thanks for appreciating my efforts
access-list 2 permit 10.0.1.0 0.0.0.255
Colin
http://www.flashcardguy.ch
ip igmp join-group Network A
R4# Multicast
int fa0/x Source Tree (S,G) known as SPT Non Zero Maximum-Response-Time field.
Group specific joins and leaves
ip igmp join-group 224.11.22.33
Multicast Test setup: Source Tree: IGMPv2: Querier election when router starts by sending 224.0.0.1
R3# general-query.
ping 224.11.22.33 rep 100 Shared Tree (*,G) via RP known as RTP Lowest IP is querier.
Shared Tree:
Or use a IP SLA for a constant multicast
stream.
Only Group Members should respond to
the sent ping
Multicast Source Receiver Multicast Source Receiver
R3 R4 R3 R4
Joins Joins
224.10.10.10 224.10.10.10 Depends on unicast routing table (RPF check)
DENSE-MODE example
RPF check towards source, checks AdminDistance/Metric
SW4#sh ip mroute
Show ip mroute RP is always 0.0 in DM Join / Prunes include the source of the group: If several path exist, interface with highest IP is used.
http://www.flashcardguy.ch
PIM Dense-Mode PIM Dense-Mode
0 Hello Source 2.2.2.2
Ping 224.1.1.1 PIM 3.3.3.3
Source 2.2.2.2
Ping 224.1.1.1
Multicast
1 Register Ip igmp join 224.1.1.1 PIM PIM Ip igmp join 224.1.1.1 PIM
2 Register-Stop FR FR
ip pim sparse-dense-mode PIM 1.1.1.1 PIM 1.1.1.1
3 Join/Prune Explain the command PIM
E0
PIM
E0
(Join WC/RP flag set. Prune has none set) Will perform in Sparse mode for all groups where there is
PIMv2 Messages: 4 Bootstrap an Group/RP binding known / existing. Show ip route
2.2.2.2 via E0, 1.1.1.1
Show ip route
2.2.2.2 via E0, 1.1.1.1
Show ip mroute Show ip mroute
5 Assert Ip pim sparse-dense-mode: For all others it will flood and prune using IP PIM Dense- Incoming interface: Null, RPF nbr 1.1.1.1 Incoming interface: S0, RPF nbr 3.3.3.3
6 Graft (PIM DM only) Mode.
7 Graft-Ack (PIM only) Create a static mroute:
How do you correct this RPF failure
8 Candidate-RP-Advertisement
scenario?
Ip mroute 2.2.2.2 255.255.255.255 3.3.3.3
Explained: OiL copied into S,G entry to start the flood/prune of (*,G) is a result of a explicit join of a PIM neighbor or a Debug ip mpacket: DM
packets. (*,G) in PIM Sparse-Mode directly connected Host.
The incoming interface of (*,G) always points to the RP.
Dense-Mode s=155.1.146.6 (Vlan58) d=224.10.10.10 (Po1) id=19, ttl=252,
Directly Connected member prot=1, len=100(100), mforward
Local flag, Router is member of this group
Forward expire timer is always 00:00:00 as its still (*,G) S Finding RPF failures: credit cards regards!
explained: forwarding.
Prune expire timer is counting, once it expires it moves to
OiL Enet0
(192.168.1.1,224.1.2.3) PXT
forward until its pruned again by the downstream router. OiL Null
http://www.flashcardguy.ch
PIM Sparse-Dense-Mode PIM Sparse-Dense-Mode
ip pim accept-rp 150.1.5.5
RP for 224.0.0.0 – 224.255.255.255 RP for
ALLOWED_GRP Multicast
224.0.0.0 – 224.255.255.255
ip pim rp-address x.x.x.x ACL override ip access-list standard ALLOWED_GRP
RP RP
Explain the following command: permit 224.10.10.10
PIM permit 224.110.110.110
Sets the RP address for groups specified in the Access-Lists
ip pim rp-address <IP> <ACL>
<override> Keyword override will priorise static configuration versus
Setup config so that Routers MultiCast in Sparse-
Mode for any groups within 224.0.0.0 -
Accept RP Above configured on all Routers
ip pim sparse-dense-mode
Igmp join 224.10.11.12
Vlan X
PIM Dense-Mode PIM Dense-Mode
ip igmp join-
Vlan X debug ip pim show ip pim interface fastEthernet 0/0
Source ip igmp join-
group x.x.x.x Source detail
RP x.x.x.x group x.x.x.x RP x.x.x.x PIM(0): Received v2 Assert on
Troubleshooting PIM assert ...
PIM: enabled
(*,G) flags
winners:
FastEthernet0/0 from 155.1.146.4
PIM(0): Assert metric to source PIM PIM version: 2, mode: sparse-dense
(*,G) flags DCL D D D PIM DR: 155.1.146.1 (this system)
(*,G) i-list
(*,G) i-list Null Null Null Null
155.1.108.10 is [90/2174976]
PIM(0): We win, our metric [80/20] DR Election PIM neighbor count: 2
…
(*,G) o-list MultiCast
(*,G) o-list
Source
MultiCast Source R6#show ip pim neighbor
(S,G) flags
(S,G) flags LT T T T Verification: Neighbor Interface Uptime/Expires Ver DR
(S,G) i-list R2 R1 Address Prio/Mode
(S,G) i-list 10.0.0.2 10.0.0.1 R2 R1
(S,G) o-list 1.1.1.1 Gi0/0.146 00:27:04/00:01:19 v2 255/ DR S
(S,G) o-list 10.0.0.2 10.0.0.1
2.2.2.2 Gi0/0.146 02:44:56/00:01:43 v2 1 / S
Metric 90/15 Metric 80/20
Metric 90/15 Metric 80/20
Tun0
The Assert looser Ranging 5 bucks to unlimited!
1.1.1.1 2.2.2.2
How to figure out if PIM Sparse or Dense mode is needs to time-out IGP
used on an interface configured with IP PIM
the Assert winner!
SPARSE-DENSE-MODE (*, 239.0.0.1), 00:00:10/stopped, RP 0.0.0.0, flags: D What happens when an Assert
Incoming interface: Null, RPF nbr 0.0.0.0 MultiCast interface Tunnel 0 interface Tunnel 0
(*, 239.0.0.1), 00:00:10/stopped, RP 0.0.0.0, flags: D Outgoing interface list: winner stops operation? Source ip unnumbered Loopback0 ip unnumbered Loopback0
Incoming interface: Null, RPF nbr 0.0.0.0 Serial0/1/0, Forward/Sparse-Dense, 00:00:10/00:00:00
Multicast tunnel source Loopback0 tunnel source Loopback0
Outgoing interface list:
Serial0/1/0, Forward/Sparse-Dense, 00:00:10/00:00:00
FastEthernet0/1, Forward/Sparse-Dense, 00:00:10/
FastEthernet0/1, Forward/Sparse-Dense, 00:00:10/
00:00:00
(155.1.146.6, 239.0.0.1), 00:00:10/00:02:55, flags: T
MultiCast
Source
Assert winner
X Tunneling
tunnel destination 2.2.2.2
ip pim sparse-dense-mode
tunnel destination 1.1.1.1
ip pim sparse-dense-mode
X
00:00:00 Incoming interface: FastEthernet0/1, RPF nbr 0.0.0.0
(155.1.146.6, 239.0.0.1), 00:00:10/00:02:55, flags: T Outgoing interface list: R2 ip mroute 0.0.0.0 0.0.0.0 tunnel 0
R1
Incoming interface: FastEthernet0/1, RPF nbr 0.0.0.0 Serial0/1/0, Forward/Sparse-Dense, 00:00:12/00:00:00
Outgoing interface list:
Serial0/1/0, Forward/Sparse-Dense, 00:00:12/00:00:00 This router would loose
Use different IGP for tunnel, or make Thanks for appreciating my efforts
sure tunnel SRC/DST not learned
traffic for 3 minutes through the tunnel!
Colin
http://www.flashcardguy.ch
Ip igmp join 224.x.x.x interface Loopback0 Groups:
HUB
FR
Configuring a Auto-RP
ip pim sparse-dense-mode
cRP:
224.110.110.110
228.28.28.28
cRP
150.1.10.10
MA
Multicast
Override Split ip pim send-rp-announce Loopback 0 scope 10
Ping 224.x.x.x ip access-list standard RP_LIST
PIM horizon! MA:
ip pim send-rp-discovery loopback 0 scope 10 Auto-RP - permit 150.1.10.10
Candidate RP
NBMA Mode HUB: R5#show ip pim rp mapping Filtering Candidate ip access-list standard GROUP_LIST
interface Serial 0/0 PIM Group-to-RP Mappings
And
(sparse-mode only)
ip pim nbma-mode This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback0)
RPs deny 224.110.110.110
permit any
Ip pim sparse-mode
frame-relay map ip x.x.x.x 501 broadcast Mapping Agent: Group(s) 224.0.0.0/4
RP 150.1.5.5 (?), v2v1 ip pim rp-announce-filter RP_LIST
Info source: 150.1.5.5 (?), elected via Auto-RP group-list GROUP_LIST
Uptime: 00:02:33, expires: 00:02:26
Override Split Ip igmp
HUB join 224.x.x.x
horizon!
FR
How to change the ? From the
output below? conf t
PIM int ser0/0 Ping 224.x.x.x ip host Router5 150.1.5.5
end debug ip pim auto-rp
ip pim nbma-mode
NBMA Mode Frame-relay map xx broadcast Debug ip pim auto-rp output
Ip pim sparse-mode R5#show ip pim rp mapping R5#show ip pim rp mapping Auto-RP(0): Received RP-announce, from
... 150.1.10.10, RP_cnt 1, ht 181
…
(sparse-mode only)
Show ip mroute
(*, 224.110.110.110), 00:17:47/00:03:28, RP 150.1.5.5, Group(s) 224.0.0.0/4
Disallowing group Auto-RP(0): Filtered -224.110.110.110/32 for RP
150.1.10.10
Group(s) 224.0.0.0/4
flags: S RP 150.1.5.5 (?), v2v1 RP 150.1.5.5 (Router5), v2v1 224.110.110.110: Auto-RP(0): Update (232.0.0.0/5, RP:150.1.10.10),
Incoming interface: Null, RPF nbr 0.0.0.0 PIMv2 v1
Info source: 150.1.5.5 (?), elected via Auto-RP Info source: 150.1.5.5 (Router5), elected via Auto-RP
Show ip mroute output: Outgoing interface list:
Uptime: 00:02:33, expires: 00:02:26 Uptime: 00:07:34, expires: 00:02:21
Serial0/0/0, 155.1.0.3, Forward/Sparse-Dense,
00:16:48/00:03:28
IP is visible instead of only the interface! -> override
Explained as picture:
MA
Info source: 150.1.5.5 (?), elected via Auto-RP Placement MA FR
MA
Send to 224.0.1.40
UDP 496 Auto-RP:
Uptime: 00:00:22, expires: 00:02:37 cRP Simply press this button and send me your
ip pim send-rp-announce Loopback0 scope 10 group-list
Only MA with highest IP GROUPS I did not get the point here, basically credit cards regards!
continues to send MA’s ip access-list standard GROUP how to connect the MA with the cRPs
All regular routers join / deny 224.110.110.110
listen to 224.0.1.40 permit 224.0.0.0 7.255.255.255 over a NBMA
http://www.flashcardguy.ch
filtering control plane traffic (IGMP,PIM,AutoRP) and data BSR: ip pim bsr-candidate Loopback0 31
plane not relying on TTL.
ip multicast boundary <access-list> [filter-autorp] BSR Router1: ip pim rp-candidate Loopback0 Interface X
ip igmp query-interval <seconds>
Multicast
standard ACL:
ingress IGMP/PIM, forwards group traffic if it has a match Multiple RP Router2: ip pim rp-candidate Loopback0
ip igmp querier-timeout <seconds>
Multicast Boundary permit 224.10.10.10
Candidates Router2#show ip pim rp-hash 239.1.1.1
... IGMP ip igmp query-max-response-time <seconds>
extended ACL: PIMv2 Hash Value (mask 255.255.255.254)
Acl: specifies multicast source and group RP 150.1.10.10, via bootstrap, priority Timers ip igmp last-member-query-count <2 sec>
interface FastEthernet 0/0 Distribute all odd / even multicast 0, hash value 989207280
ip igmp last-member-query-interval <msec>
…
ip multicast boundary PERMITTED_GROUPS filter-autorp groups between two RPs using 31 Router2#show ip pim rp-hash 239.1.1.2
ip access-list standard PERMITTED_GROUPS PIMv2 Hash Value (mask 255.255.255.254) ip igmp immediate-leave group-list <ACL>
deny 232.0.0.0 7.255.255.255
bits: RP 150.1.8.8, via bootstrap, priority 0,
permit any hash value 1364246456
ck
ck
he
he
…
Filtering BSR
Fc
Fc
RP
Bootstrap Router
RP
RP
IGMP query interval is 20 seconds
Checking IGMP timers: IGMP querier timeout is 40 seconds
RP/Group flood
Messages Interface fa0/x IGMP max query response time is 4 seconds
Last member query count is 2
PIMv2 RP
BSR floods RP/group info via PIM messages hop by hop,
BSR RP/Group flood
Ip pim bsr-border Last member query response interval is 1000 ms
NOT Dense-Mode
...
X
Stop BSR flooding here
When RPF check fails: permit ip <srcip> <src-mask> If limit is “forgotten” it results in ALL
PIM-BSR(0): bootstrap from non-RPF neighbor <group-ip> <group-mask>
Allows to specify source and group multicast traffic being dropped!
155.1.146.6
Used globaly:
http://www.flashcardguy.ch
SW1#show ip msdp peer
Successful:
ip msdp peer SW3#mtrace 150.1.10.10 224.44.44.44
ip msdp originator-id ...
-2 155.1.79.7 PIM/MBGP [150.1.10.0/24]
Source Specific MultiCast mtrace source group: -3 155.1.37.3 PIM/MBGP [150.1.10.0/24]
Rack1R1#show ip mroute 232.6.6.6 150.1.10.10 ip msdp peer 2.2.2.2 connect-source Loop0 -4 155.1.0.5 [AS 200] PIM Reached RP/Core Help me create more flashcards:
Multicast
IP Multicast Routing Table MSDP remote-as 2 [150.1.10.0/24]
http://www.flashcardguy.ch
SW1#show ip igmp snooping vlan 146 Type GDA USA Function
- PIM Joins are being sent to the closest RP
- Groups of RPs use the same IP address.
- To maintain consistent source information configure
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping : Enabled
CGMP messages:
Join 0 Router MAC Identify Router Port
Multicast
MSDP sessions.
IGMPv3 snooping (minimal) : Enabled Type GDA USA Function
Report suppression : Enabled Join Group MAC Member MAC Adds member
1. Use the same IP address on all routers as the show ip igmp snooping
Anycast RP candidate RP IP address. (Propagate via Auto-RP
vlan 146
TCN solicit query :
TCN flood query count :
Disabled
2
Join
Leave Group MAC Member MAC Removes member
or BSR) Join
Last Member Query Interval : 1000
Vlan 146: Leave Group MAC 0 Removes Group
OR Leave
intra-domain solution Output: --------
IGMP snooping : Enabled Leave
2. Using different IP addresses on every router. Removes all groups
IGMPv2 immediate leave : Enabled Leave 0 Router MAC
source MSDP sessions and link all candidate RPs Leave Affected switch
Explicit host tracking : Enabled
in a mesh. 0
Multicast router learning mode : pim-dvmrp Leave Leave 0 Removes all groups
Manually specify the MSDP originator ID to be
Last Member Query Interval : 1000 all switches
different on every RP
CGMP interoperability mode : IGMP_ONLY
R1#
interface loopback 0
Protocol Implicit Join Explicit Join Protocol Implicit Join Explicit Join
ip address 9.9.9.9 255.255.255.255
DVMRP DVMRP
interface loopback 1 show ip igmp snooping
Anycast RP ip address 1.1.1.1 255.255.255.255
ip msdp peer 2.2.2.2 connect-source loopback 1
mrouter vlan <nr>
Rack1SW1#show ip igmp snooping mrouter vlan 146
Vlan ports MOSPF MOSPF X X
---- -----
ip msdp originator-id loopback1
146 Fa0/1(dynamic), Fa0/19(dynamic) PIM-DM PIM-DM
ip pim rp-address 9.9.9.9
intra-domain solution show ip igmp snooping
R2# PIM-SM PIM-SM X X
SW4#show ip igmp snooping groups vlan 146
interface loopback 0 groups vlan <nr> Vlan Group Version Port List
ip address 9.9.9.9 255.255.255.255 CBT X
------------------------------------------ CBT
Config: interface loopback 1 146 239.1.1.100 v2 Fa0/4, Fa0/13, Fa0/16
ip address 2.2.2.2 255.255.255.255 Output: Sender Hosts join
ip msdp peer 1.1.1.1 connect-source loopback 1
ip msdp originator-id loopback1 originates via IGMP
ip pim rp-address 9.9.9.9
Lo1: 2.2.2.2 X
Lo1: 1.1.1.1 MSDP
Session Multicast VLAN Int Gi0/2
mvr type receiver
Int Gi0/1
mvr type source MOSPF MOSPF X
intra-domain solution From Lo1 Switchport access vlan 20 Switchport access vlan 10
Registration mvr vlan 10
PIM-DM PIM-DM X
ip pim rp-address 9.9.9.9
PIM-SM
Diagram: mvr PIM-SM X
(155.1.10.10, 239.1.1.1), RP 150.1.8.8, MBGP/AS 200, ip igmp profile 1 PIMv2 DM messages: 6 Graft
Output: 00:00:26/00:05:34, Peer 150.1.8.8 IGMP Profiles permit
range 232.0.0.0 232.255.255.255
(155.1.108.10, 239.1.1.1), RP 150.1.8.8, MBGP/AS 200,
00:00:25/00:05:34, Peer 150.1.8.8
7 Graft-Ack
interface FastEthernet 0/4
ip igmp filter 1
5 Assert
http://www.flashcardguy.ch
• Static RP
Multicast
• Bootstrap Router (BSR)
1. use group lists: Unicast-Prefix based Multicast
Explain two ways on how to • Auto-RP
Address IPv6 Unicast Address: What types of Multicast RP
perform RP load balancing for
2. use hash values: assignments are there? • Anycast-RP
multicast groups? 2001:100:abc:1::/64
Similar to GLOB under IPv4:
Global Multicast Address:
• Phantom RP
FF3E:0040:2001:100:abc:1:11FE:11EE
• Embedded RP
MultiCast Load balance over equal cost Path
m ly f rs e iv
O eiv re
vr or ar er
show commands:
re
n e c
c
m wa e a si
Tun0
o d rd tt d e
A
e s ach
dy tra e
B Multicast Vlan Registration show mvr
na ff d
m ic i on
10.0.0.1/24
ic f
Explain how to Load Balance Tun0
10.2.0.1/24 IPv6 Solicited-Node
A# show mvr interface
MultiCast traffic over an Equal cost int Tun0 Multicast Address: MVR
ip addr 1.1.1.1 255.255.255.0 24bits
path? ip pim sparse-dense-mode show mvr members
tunnel source lo0 2001:100:abc:1:0:0:aabb:ccdd/64
tunnel destination x.x.x.x Show commands:
FF02::1:FFbb:ccdd show ip igmp groups
Ip mroute 2.2.2.2 255.255.255.255 tunnel0
P = prune-capable
M = mtrace-capable
S = SNMP-capable
Explain mrinfo’s output: A = Auto-RP-capable
Router# mrinfo
Router# mrinfo
192.1.7.37 (b.x.com) [version cisco 11.1] [flags: PMSA]: IPv6 Show ip mroute active
192.1.7.37 (b.x.com) [version cisco 11.1] [flags: PMSA]:
192.1.7.37 -> 192.1.7.34 (s.x.com) [1/0/pim]
192.1.7.37 -> 192.1.7.34 (s.x.com) [1/0/pim]
192.1.7.37 -> 192.1.7.47 (d.x.com) [1/0/pim/querier/leaf]
192.1.7.37 -> 192.1.7.47 (d.x.com) [1/0/pim/querier/leaf]
192.1.7.37 -> 192.1.7.44 (d2.x.com) [1/0/pim]
192.1.7.37 -> 192.1.7.44 (d2.x.com) [1/0/pim]
131.9.26.10 -> 131.9.26.9 (su.bbnplanet.net) [1/32/pim]
EUI-64 Interface ID generation: Output:
131.9.26.10 -> 131.9.26.9 (su.bbnplanet.net) [1/32/pim]
B
192.10.1.254
X B
192.10.1.254
1 0001 Interface-local interface Vif1
ip pim sparse-mode
2 0010 Link-local ip service reflect Ethernet 0 destination 224.1.1.0 to
A
192.10.1.99 A 10.3.3.0 mask-len 24 source 10.1.1.2
C C
192.10.1.99
3 0011 Subnet-local
Multicast Service Reflection
Fill in the blanks To be continued….
Do not allow router B to interface Fa0/0 4 0100 Admin-local
ip pim neighbor-filter 75 IPv6 Multicast Scope and values: “Multicast NAT”
build a PIM adjacency 5 0101 Site-local
with Router A: access-list 75 deny 192.10.1.254 8 1000 Organizational-local Found under Implementing Multicast Service Reflection Thanks for appreciating my efforts
access-list 75 permit any
(config on RTR A) E 1110 Global-local
Colin
http://www.flashcardguy.ch
ip multicast multipath
Multicast
ECMP Multicast Load Splitting Based on source address
based on: ip multicast multipath s-g-hash basic
Source and group address S-G-Hash algorithm.
S,G
ip multicast multipath s-g-hash next-hop-based
source, group, and next-hop address using the
S,G next-hop next-hop-based algorithm
Alternative
- Tunnel interface (static mroutes)
R2#show ip multicast
What info does the following Multicast Routing: disabled
command provide: Multicast Multipath: disabled
Multicast Route limit: No limit
Multicast Fallback group mode: Sparse
Number of multicast boundaries configured with filter-
show ip multicast: autorp option: 0
Colin
http://www.flashcardguy.ch
Announce prefix via ND RA, but hosts
are not allowed to use it for
autoconfig:
IPv6
interface Serial0/0/0
IPv6 encapsulation frame-relay
manipulates the IPv6
ipv6 address FE80::5 link-local ipv6 nd prefix fc00:1:0:58::/64 14400
interface serial 0/0/0 IPv6
frame-relay map ipv6 FE80::1 501 broadcast 14400 no-autoconfig Lifetime set network prefixes included
to 4 hours ipv6 nd prefix:
Frame map / show frame-relay R5#show frame-relay map Auto-Configuration ----------------------------------------------------- into RA. By default, all
Serial0/0/0 (up): ipv6 FE80::2 dlci 502(0x1F6,0x7C60),
map output: static, broadcast, Announce prefix via ND RA, hosts are prefixes are included.
CISCO, status defined, active allowed to use it:
R1 learns its IPv6 address automatically and use R2 R1 learns its IPv6 address automatically and use R2
1/8th of the total IPv6 address space is as its default gateway
as its default gateway
currently allocated: 2001::/16
R1 R2 R1 R2
binary prefix 001 (2000::/3) ipv6 unicast-routing
IPv6 2000:: - 3FFF::
R1-Client#
interface fa0/1
R2#
interface FastEthernet 0/0
R1-Client#
interface fa0/1 RIPng
ipv6 address autoconfig default
Global Aggregatable interface FastEthernet 0/0
R2#
Lowest in
Config: ipv6 address fc00:1:0:1::1/64
Addressing 0010 0000 0000 0000 Range interface FastEthernet 0/0
ipv6 address fc00:1:0:85::5/64 ipv6 rip RIPNG enable
Fill in the blanks: ipv6 nd prefix fc00:1:0:85::/64 14400 14400
3FFF
ipv6 nd ra-interval 40
0011 1111 1111 1111 Highest in
ipv6 nd ra-lifetime 60
Range
no ipv6 nd suppress-ra
http://www.flashcardguy.ch
HUB
FR
Spokes:
interface Serial0/0/0
IPv6
HUB: ipv6 rip RIPNG enable FC00:1:0:5::/64
ipv6 router rip RIPNG FC00:1:0:8::/64
no split-horizon IPv6 Summarization
RIPng interface Serial 0/0/0
RIPng interface g0/0.146 0000 0000 0000 0 0101 = 5
ipv6 rip RIPNG enable ipv6 rip RIPNG default-information originate metric 5
over NBMA Default Routing FC00:1:0:5::/64 0000 0000 0000 0 1000 = 8
FC00:1:0:8::/64 Shifting 4 bits, to
Do not forget to use the broadcast keyword with the left ending
the IPv6 mapping statements on DLCIs FC00:1::/60 up with a /60 as
summary
NBMA networks the next-hop is always going to be
a link-local address
le
Serial0/0/0/FE80::4, expires in 157 secs ipv6 summary-address eigrp 100 FC00:1::/60
ab
gt
FC00:1:0:1::/64, metric 2, installed
in
Serial0/0/0/FE80::1, expires in 179 secs
ut
ro
In
key chain EIGRPV6
key 1
EIGRPv6
key-string CISCO Prefix Filtering
ipv6 prefix-list PFX-1 seq 10 deny FC00:1:0:6::/64
RIPng Interface fa0/x
ipv6 rip RIPNG enable
EIGRPv6 interface FastEthernet 0/1 Ipv6 prefix-list PFX-1 seq 20 permit ::/0 le 128
ipv6 split-horizon eigrp 100 EIGRPv6 can only implement equal cost
loadbalancing due to CEF IPv6 limitations.
FC
ifnums:
S0/1
00
00
:1
R1 R1 R1 R1
Serial0/1/0(6): FE80::213:1AFF:FE68:B04C
:0
:0
S0/0
:1
:1
R2 R2 R1 FC00:1:0:1::/64 path 65E7BFC8, path list 65F9332C, share 1/1, type attached nexthop,
::
::
R2 R2
S0/1 S0/1 S0/1 S0/1
Show ipv6 cef <prefix> internal for IPv6
/6
/6
X X
4
? R FC00:1:0:1::/64 [120/2]
ipv6 rip RIPNG metric-offset 2 loadinfo 6655FD68, per-session, 2 choices, flags 0005, 8 locks
flags: Per-session, for-rx-IPv6
? R FC00:1:0:1::/64 [120/2]
via FE80::1, Serial0/0
S0/1
X
R2
512k
…...
Subblocks:
None
Colin
http://www.flashcardguy.ch
show ipv6 route codes: :67::7
Redistribution:
C
L
– Connected
– Local
ipv6 nat ipv6 nat
IPv6
EIGRPv6 EIGRP an external route with an AD of 170.
S
R
- Static
- RIP 1.2.3.4
Allows metric manipulations! ping 2001::1:2:3:4
Default Routing --------------------------------------------------------------------------- Show ipv6 route ospf
B
U
- BGP
- Per-user Static route
I1 - ISIS L1
I2 - ISIS L2 debug ipv6 nat detailed debug ipv6 nat detailed
Summarization:
using redistribution summarize all routes, no leak-map! C / L / S / R / B …. :
IA - ISIS interarea
IS - ISIS summary
Metric is calculated, not changeable
O - OSPF intra NOT GOOD:
OI - OSPF inter, IPv6 NAT: Dropping v6tov4 packet
interface Fa0/1
using summarization ipv6 summary-address eigrp 100 ::/0 5
OE1 - OSPF ext 1
OE2 - OSPF ext 2 GOOD:
ON1 - OSPF NSSA ext 1 ipv6nat_find_entry_v4tov6:
ON2 - OSPF NSSA ext 2
Source Addres s
Data Portion
Head er
255 1 1500
OSPFv3 ipv6 router ospf 1 NAT-PT to IPv4 IPv4 src 0.0.0.0 via 2.1 ::/0 via :1
::/0 via :2
Ipv6 nat prefix 2000::/96
area 37 virtual-link 150.1.7.7 and dst
Virtual Links ip nat v6v4 source 2001::99:99 1.1.1.1
Drawing / rules 1) Rules to translate IPv4 source addrs to IPv6 addrs Explain IPv6 NAT-PT
ip nat v4v6 source 2.2.2.2 2000::960B:202
2) Rules to translate IPv6 source addrs to IPv4 addrs
3) The /96 prefix to map the IPv4 address space to Thanks for appreciating my efforts
NAT statements: CHECK ANSWER MIGHT
BE WRONG!
Colin
http://www.flashcardguy.ch
Loopback1: prefix/64 Loopback1: prefix/64 IPv4 DR registers to RP,
R5#show ipv6 pim interface
IPv6
Loopback2: prefix /61 Loopback2: prefix /61
encapsulates packet R1, DR
Advertising /59 summary to peer Advertising /59 summary to peer Interface PIM Nbr Hello DR
Count Intvl Prior registers
interface Loopback 101
ipv6 address 2003:1:0:1::1/64 VoIP-Null0 off 0 30 1 RP with RP
Show ipv6 pim interface Address: :: What is the difference between a
IPv6 interface Loopback 102
ipv6 address 2003:1:0:11::11/61 DR : not elected
GigabitEthernet0/0 on 0 30 1
DR registering with an RP in IPv4
MP-BGP: router bgp 100
address-family ipv6 unicast Output: Address: FE80::221:A0FF:FE9A:F4C0 and IPv6? IPv6 DR creates tunnel to
R1, creates
neighbor 2001:1:0:1234::5 remote-as 500 DR : this system register
tunnel
neighbor 2001:1:0:1234::5 activate
GigabitEthernet0/1 off 0 30 1 RP interface
network 2003:1:0:1::/64
network 2003:1:0:10::/61 Address: ::
aggregate-address 2003:1::/59 summary-only DR : not elected
show ipv6 pim tunnel
Change mld querry interval multicast group ranges in FF3A::/32 Up: 00:51:08
FF3B::/32 Up: 00:51:08
ff76:0640:2001:CC1E::8 FF3C::/32 Up: 00:51:08
IPv6? FF3D::/32 Up: 00:51:08 Simply press this button and send me your
FF3E::/32 Up: 00:51:08
Mld time-out ipv6 mld query-timeout
FF3F::/32 Up: 00:51:08
BSR SM RP: FC00:1:0:6::6 Exp: 00:02:13 Learnt from :
credit cards regards!
ipv6 mld query-max-reponsetime FC00:1:0:4::4
Response time FF00::/8 Up: 00:01:16
MLDv1:
so urc SSM IPv6 SSM, join group ff36::8 but only
sourced from 2001::25
Group based filtering: ipv6 access-list MLDv1_FILER
e/
IPv6 FF7E:0640:2002:6666::1 On th
e RP:
gro conf
t:
permit ipv6 any ff08::/64 up FF Multicast ipv6
--------------------------------------------------------------------- Join a group ff36::8 Embedded RP FF7 Embedded RP IPv6
pim rp
-addre
SSM source/group based filtering: Only sourced from 2001::25 interface FastEthernet 0/0 FF7E Global scope
ss 2 0
02:66
66::6
Filter MLDv1, SSM based, source/group:
ipv6 mld join-group ff36::8 2001::25 FF7E:0 must be 0
FF7E:06 Last digit of “rp-address"
MLDv2:
ipv6 access-list MLDv1_FILER config Thanks for appreciating my efforts
FF7E:0640 Prefix length of IPv6 addr 40 Hex = 64 decimal
permit ipv6 2000::25 ff08::/64
FF7E:0640:2002:6666::1111:1111 Multicast Group
Colin
http://www.flashcardguy.ch
R4#show interface tunnel 345
Tunnel345 is up, line protocol is up
IPv6
IPv6 Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
IPv6 OSPFv3 clear ospfv3 <process-ID> force-spf
ISATAP Tunneling reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Embedded RP address Keepalive not set
clear ospfv3 <process-ID> process
Tunnel source 150.1.4.4 (Loopback0), destination UNKNOWN
format: Show interface tun X Tunnel protocol/transport IPv6 ISATAP Clearing process/redistr./ clear ospfv3 <process-ID> redistribution
Fast tunneling enabled spf: clear ipv6 ospf <process-ID> [ process, force-spf, redistr ]
Tunnel transmit bandwidth 8000 (kbps)
Output: Tunnel receive bandwidth 8000 (kbps)
….
P
interface tunnel 88 interface tunnel 26
IPv6
TA
following two tunnel configs: tunnel source Loopback0 ipv6 address 2001:1:0:345::/64 eui-64
tunnel source Loopback0
ISA
tunnel destination 1.1.1.1 tunnel destination 1.1.1.1
tunnel source Loopback0 BFD Support for EIGRP IPv6 router eigrp NAME
Interface Tunnel 88
ipv6 address 2001:2::2/64 ipv6 address 2001:1::2/64 ISATAP Tunneling tunnel mode ipv6ip isatap
! address-family ipv6 autonomous-system 88
tunnel mode ipv6ip af-interface default
interface Loopback100
Tunnel mode ipv6ip
interface tunnel 88 interface tunnel 26 ipv6 address 2001:1:0:5::5/64 bfd
tunnel source Loopback0 tunnel source Loopback0 !
Interface Tunnel 26 tunnel destination 2.2.2.2 tunnel destination 2.2.2.2 ipv6 route 2001:1:0:4::/64 2001:1:0:345:0:5efe:9601:404
ipv6 address 2001:2::6/64 ipv6 address 2001:1::6/64 ipv6 route 2001:1:0:3::/64 2001:1:0:345:0:5efe:9601:303
(no mode specified)
tunnel mode ipv6ip
Protocol 41: (ipv6ip)
access-list 100 [permit|deny] 41 any any ISATAP Addressing:
Assigning FE80::1 the same
interface tunnel 88 Link-local address to several
Fa0/1
...
ipv6 address 2001:2::2/64
IPv6 EUI-64 = 0000 (16 bits) + 5EFE (16 bits) Interfaces: Fa0/2 FE80::1
+ IPv4 Address (32 bits): FE80::1
Automatic 6to4 Tunneling are - 6to4 tunnels are multipoint by design R1 can NOT ping R3's FE80::3
Multipoint by design: N o
Will R1 be able to ping FE80::3 ? Link local address!
de Tun - router extracts the IPv4
s n
con tinat el address embedded in the IPv6 address
fig ion
ure
R1
interface Tunnel 345 d R1
Automatic 6to4 tunnel source Loopback0
Automatic 6to4 Tunneling: - need to use the 16-bit prefix 2002, FE80::1
FE80::1
tunnel mode ipv6ip 6to4 - only static routing is possible, (usually 2002::/16) FE80::2
Tunneling ipv6 address 2002:9601:303::3/64 General info about 6to4: FE80::2
2002 (16 bits): IPv4 address (32 bits):
FE80::44
X
Subnet ID(16 bits): Interface ID (64 bits) FE80::44
ipv6 route 2002::/16 Tunnel 345 FE80::3 R3
150.1.3.3 = 2002:9601:303::/48
FE80::3
(route destination through tun) 150.1.3.3
2402:9400:10::/48 Leave your IPv6 calculator at IPv6 Multicast addresses: Ranging 5 bucks to unlimited!
2402:9400:11::/48 home: 2402:9400:1234:1234::/64 IPv6 RIP: FF02::9 (224.0.0.9)
...... 2402:9400:1234:123X::/60 IPv6 Multicast addresses: IPv6 EIGRP FF02::10 (224.0.0.10)
2402:9400:1F::/48 2402:9400:1234:1234::/?
2402:9400:1234:123X::/? 2402:9400:1234:12XX::/56
2402:9400:20::/48 IPv6 RIP: IPv6 OSPF: FF02::5
Example of /48 allocations: 2402:9400:21::/48
2402:9400:1234:12XX::/? 2402:9400:1234:1XXX::/52 IPv6 EIGRP
(224.0.0.5)
After DR election FF02::6 appears (224.0.0.6)
2402:9400:1234:1XXX::/? 2402:9400:1234:XXXX::/48
2402:9400:22::/48 2402:9400:1234:XXXX::/?
IPv6 OSPF:
...... 2402:9400:123X:XXXX::/? 2402:9400:123X:XXXX::/44 mDNS: mDNS: FF02::B Thanks for appreciating my efforts
2402:9400:2F::/48 2402:9400:12XX:XXXX::/? 2402:9400:12XX:XXXX::/40 send to FF02::B, if there is
2402:9400:30::/48 something it will reply
Colin
http://www.flashcardguy.ch
ICMPv6-ND: Setup RA from FE80::1 to FF02::1 on e0/0 R1#
What will the following command display:
IPv6
ICMPv6-ND: MTU = 1500 interface Ethernet0/0
ICMPv6-ND: prefix = 2001:12:1::/64 onlink autoconfig ipv6 address FE80::9 link-local
ICMPv6-ND: 2592000/604800 (valid/preferred)
R1# show ipv6 interface e0/x interface Ethernet0/1
ipv6 unicast-routing ipv6 address FE80::9 link-local
int ser1/2
IPv6 SLAAC ipv6 address 2001::1/64 Configure int Looback 0 with IPv6 conf t R1
e0/0
SW1
show ipv6 interface e0/0
ND DAD is enabled, number of DAD attempts: 1
ipv6 enable
clock rate 64000
addr: 1:1:1:1::/64 using the mac interface Loobback 0 e0/1
Configuration: R1 R2 address of the first LAN interface: ipv6 addr 2:2:2:2::/64 eui-64 show ipv6 interface e0/1
IPv6 is stalled, link-local address is FE80::9 [DUP]
R1# SW1#
R2# interface Ethernet0/0 interface e0/0
show logging
ork er Will instruct the router to use the ipv6 address FE80::9 link-local switchport access vlan 10
tw int ser1/2 %IPV6_ND-6-DUPLICATE_INFO: DAD attempt detected
ne out first LAN interface in regards to
ire om R for FE80::9 on e0/0
q u
Ac on f r ipv6 enable interface Ethernet0/1 interface e0/1
rt i
the MAC address! %IPV6_ND-4-DUPLICATE: Duplicate address FE80::9 on
po ipv6 address autoconfig default ipv6 address FE80::9 link-local switchport access vlan 10
e0/0
ipv6 unicast-routing R5#show ipv6 eigrp 100 interfaces detail serial 2/1
interface Loopback 0 EIGRP-IPv6 Interfaces for AS(100)
int e0/0
ipv6 address 2001::1/64
What is the correct FE80::x ipv6 address x:x:x:x::/64 eui-64 Xmit Queue PeerQ
Multicast Pending
Mean Pacing Time
ipv6 enable
ipv6 nd other-config-flag
address ? Interface
Flow Timer Routes
Peers Un/Reliable Un/Reliable SRTT Un/Reliable
http://www.flashcardguy.ch
R1#show ipv6 interface e0/0 R1#show ipv6 ospf database router
R
1
Area 1
12::x/64 R
2
2::2/64
IPv6
Or seen with a flapping adjacency? R2#show ipv6 interface e0/0 Link Metric: 10
Area 0
Ethernet0/0 is up, line protocol is up Local Interface ID: 3 23::x/64
IPv6 is stalled, link-local address is FE80::3 1::1/64 Area 1 2::2/64 Neighbor (DR) Interface ID: 3
R
12::x/64 Neighbor (DR) Router ID: 0.0.0.2 3
R1 R2 R1
interface Serial1/0
R2
interface Serial1/0
R1 R2 3::3/64
interface Serial1/0 interface Serial1/0
ipv6 address FE80::3 link-local ipv6 address FE80::3 link-local ipv6 address FE80::3 link-local ipv6 address FE80::3 link-local R1#show ipv6 ospf database inter-area prefix adv-router 0.0.0.2
Area 0
ipv6 address 23::1/64 ipv6 address 23::2/64 ipv6 address 23::1/64 ipv6 address 23::2/64 …
clock rate 64000 clock rate 64000 clock rate 64000 clock rate 64000 23::x/64 Advertising Router: 0.0.0.2
Metric: 64
12::x/64 12::x/64 Prefix Address: 3::3
R1 R2 Area 1 R1 R2 Area 1 R3 R1#show ipv6 route ospf
1::1/64 2::2/64 1::1/64 2::2/64 OI 3::3/128 [110/74]
3::3/64
via FE80::2, Ethernet0/0
What to expect of a
OSPFv3 Router with ID (0.0.0.1) (Process ID 1) How can you find the cost to the ASBR in Type-5 AS External Link States
Link (Type-8) Link States (Area 1) ADV Router Age Seq# Prefix
LS age: 1147
OSPFv3 from R1? 0.0.0.4 953 0x80000001 4::4/64
Options: (V6-Bit, E-Bit, R-bit, DC-Bit) R1#show ipv6 ospf database inter-area router 0.0.0.4
R1# show ipv6 ospf database link LS Type: Link-LSA (Interface: e0/0) OSPFv3 Router with ID (0.0.0.1) (Process ID 1)
Link State ID: 3 (Interface ID)
Advertising Router: 0.0.0.1 LS age: 1873 1::1/64 Area 1 2::2/64 ….
Inter Area Router Link States (Area 1)
LS Seq Number: 80000006 Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
Output: Checksum: 0xB973 LS Type: Link-LSA (Interface: e0/0) R1
12::x/64
R2
Advertising Router: 0.0.0.2
LS Seq Number: 80000001 R1#
Length: 56 Link State ID: 3 (Interface ID) Checksum: 0xDD9E show ipv6 ospf database router 0 | b 0.0.0.2
Router Priority: 1 Advertising Router: 0.0.0.2 Length: 32 Advertising Router: 0.0.0.2
Area 0
Link Local Address: FE80::1 LS Seq Number: 80000004 Redistributed into OPSFv3 Link connected to: a Transit Network
Metric: 128
Checksum: 0xCD5F Loopback 0
Number of Prefixes: 1 23::x/64 Destination Router ID: 0.0.0.4 Link Metric: 10
Prefix Address: 12:: Length: 56 4::4/64 Local Interface ID: 3
12::x/64
R1 R2 Area 1 Prefix Length: 64, Options: None Router Priority: 1 Neighbor (DR) Interface ID: 3
Link Local Address: FE80::2 34::x/64 R1#show ipv6 route ospf Neighbor (DR) Router ID: 0.0.0.2
1::1/64 2::2/64 Number of Prefixes: 1 R4 R3 OE2 4::4/64 [110/20]
Prefix Address: 12:: via FE80::2, e0/0
3::3/64 Forward metric 128+10 = 138
Prefix Length: 64, Options: None
R1#show ipv6 ospf database prefix Type-1:
OSPFv3 Router with ID (0.0.0.1) (Process ID 1) How will 4::4/64 be seen on R1 in case of R1#show ipv6 route ospf
What to expect of a Intra Area Prefix Link States (Area 1) it being redistributed into OSPFv3 as OE1 4::4/64 [110/158] Total forward metric + 20 = 158
Routing Bit Set on this LSA via FE80::2, Ethernet0/0
LS age: 729 Type-1 or Type-2 ?
R1# show ipv6 ospf database prefix LS Type: Intra-Area-Prefix-LSA
Link State ID: 0 R4#
Advertising Router: 0.0.0.1 1::1/64 Area 1 ipv6 router ospf 1
2::2/64
LS Seq Number: 80000004 redistribute connected route-map RMP-CON metric-type 1
Output: Checksum: 0x9C3E R1
12::x/64
R2
Length: 72
Type-2:
Referenced LSA Type: 2001
R1#show ipv6 route ospf
Area 0
R3
Inter Area Prefix Link States (Area 1)
OI 23::/64 [110/74]
via FE80::2, Ethernet0/0
0.0.0.2
0.0.0.2
1925
1761
0x80000001
0x80000001
23::/64
3::3/128
Checksum: 0x8807
Length: 36
Thanks for appreciating my efforts
ADV Router Age Seq# Prefix R3 Metric: 64
3::3/64 0.0.0.2 739 0x80000001 23::/64 Prefix Address: 23::
0.0.0.2 575 0x80000001 3::3/128 3::3/64 Prefix Length: 64, Options: None
Colin
http://www.flashcardguy.ch
Radius Packet header
Standard ACL
Extended ACL
IP named ACL
Compiles access-list for acceleration:
8 bits
Code
16 bits
Identifier Length
32 bits
Security
Lock and Key ACL (Dynamic ACLs) Authenticator (16 bytes)
Reflexive ACL Code
Established ACL Router-config# access-list compiled Identifier:
Decribe all available Time-based ACL (time-range)
1 Access-Request
2 Access-Accept
Message Sequence Number,
Distributed time-based ACL Turbo ACLs: Radius Packet header: 3 Access-Reject
allows Radius client to match a
types of ACLs: Turbo ACL 4 Accounting-Request
Radius response
Usually holds only permit statements for various vlan access-map VACL-1 10 show
protocols, ports or flags. Used to identify traffic, match ip address ACL-IPv4 vla
access-list 10 permit 10.1.1.0 0.0.0.255 na
or DoS attacks: match ipv6 address ACL-IPv6 c ce
ss-
match mac address ACL-MAC-ADDR ma
access-list 10 permit 10.1.1.0 0.0.0.255 log p
access-list 101 permit icmp any any eq echo action [forward,drop]
access-list 101 permit tcp any any eq syn
Standard Access-list access-list 10 permit 10.1.1.0 0.0.0.255 log-intput
access-list 101 permit tcp any any eq fragment VACL vlan filter VACL-1 vlan-list 25-37 (vlans 25-37)
parameters:
(Logs Layer 2 interface information)
Classification ACL: access-list 101 permit udp any any eq fragment
access-list 101 permit ip any any eq fragment Vlan access-list config:
Interface X access-list 101 permit tcp any any
ip access-group 10 [in,out] access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ip any any
UDP options:
$(mtu)
$(line)
Order of processing:
TCP options: $(line-desc)
Timeout in minutes, port, precedence, tos, log, log-input,
time-range, fragments
Interface X
username test password cisco123 s: switchport port-security Overall 5 allowed, detailed
on
line vty 0 4 ! Trigger Auth process nati No ip source-route Disables strict / loose source routing switchport port-security max 5 broken down to 3 and 2
la
Exp
login local switchport port-security 3 vlan access
Lock and Key ACL ! Time-out per uses basis after 10 minutes No ip proxy-arp
Router replies with own MAC for an IP attached to its
other interface.
switchport port-security 2 vlan voice
username test autocommand access-enable switchport port-security agging -timeout
host timeout 10
No ip gratuitous-arps
Turns of unsolicited ARP broadcasts IP of host but
Routers MAC addr.
Switchport Port-security - static
! Time-out any user globally after 10 minutes: - type inactivity (idle)
(Dynamic ACL) line vty 0 4
Can be used to map a network, also to use as amplifier in
- type absolute (ttl 5min
autocommand access-enable host timeout 10 No ip directed-broadcast clears cam tbl!)
access-list 102 permit tcp any host <router-ip> eq telnet
a DoS attack. Config: switchport port-security agging time
access-list 102 dynamic ACCESS timeout 15 permit tcp
No ip redirects Disables ICMP redirects, is enabled with HSRP by default
Config: any any eq 80
deny ip any any log
switchport port-security violation shutdownDiscards traffic of
exceeding MACs
Will not send unreachable messages for traffic pointing switchport port-security violation restrict SNMP msg!
interface X No ip unreachables to Null0 interface.
ip access-group 102 in Discards silently,
switchport port-security violation protect no SNMP msg
“INSIDE” “Outside” Eth0 “INSIDE” Does not support – log option
“Outside” in Source
Dest Does not support MPLS / ARP filtering
Eth0 192.168.x.x/16 10.0.0.0/24 conf t
Filtering is based on the fields of the Ethernet
Dest In Source out
192.168.x.x/16 10.0.0.0/24 Evaluate Reflect datagr
auto-secure
out (return traffic in) (record states)
! Disables common services
see how much TCAM space is available: Help me create more flashcards:
Only return traffic that has been initiated from the
interface Eth0 inside is permitted!
Port Access-List show tcam counts
auto-secure no-interact
Reflexive ACLs ip access-group ACL-IN in
ip access-group ACL-OUT out
Auto-Secure: ! User not prompted for interaction
interface X
[ip, mac] access-group XXX [in, out]
ip access-list extended ACL-IN
evaluate tcp_reflect
show auto secure config PACL config: Simply press this button and send me your
Config: ip access-group extended ACL-OUT Shows all config that has been added part of the
credit cards regards!
permit tcp 10.0.0.0/24 192.x.x/16 reflect tcp_reflect secure process.
ip reflexive-list timeout <TIMEOUT>
! timing out of old sessions
time-range MY-RANGE
Apply via:
or bl ck
access-list <NR> permit tcp< SRC> <DST> time-range MY-RANGE Unknown unicast blocked: enabled
te ull en
cte H ts
time-range WEEKDAYS_EVES
destination on switches?
t.
http://www.flashcardguy.ch
DHCP Snooping (prerequisite) ip dhcp snooping Collect traffic flow statistics from host 1.1.1.1:
- IP Source Guard
L3 check only:
ip dhcp snooping vlan X
Router-config#
ip source-track 1.1.1.1
Security
interface fa0/x
ip verify source 1. select interface internal, external Ip source-track syslog-interval 2
IP Source Guard Any traffic incoming with a source other than assigned via Configuring CBAC 2. configure ACL Ip source-track export-interval 30
DHCP or static will be filtered out. 3. define inspection rule
4. configure timeouts and thresholds IP source tracker Syslog every 2 sec / exports flow info every 30 sec from
L2+L3 combination check route processor.
Config: interface fa0/x Steps: 5. apply ACL and inspection rule to an interface
switchport port-security 6. verify CBAC
ip verify source port-security show ip source-track <IP-ADDR>
Address SRC IF Bytes Pkts Bytes/s Pkts/s
ip source binding 1234.1234.abcd vlan 22 1.1.1.1 int fa0/x External 1.1.1.1 Fa0/0 123G345M 562342 134535
Internal Fragmented packets can’t be checked by
Static entry for MAC 1234.x in vlan 22. Trusted / Protected Untrusted / Unprotected CBAC! show ip source-track summary
Sh
Inspection Rule:
ow
ip dhcp snooping vlan X ip inspect name CBAC http On inside
Sh nsp
ip
Syn
ow ec
OR ip inspect name CBAC ftp
ip [co
in nf
t
sp ig
Inspection timeout / thresholds Proxy reply
ec , in
L3 SRC and SRC MAC check L3 src check only:
t a te
ip inspect tcp synwait-time <30 sec> from RTR
ll rf
IP Source Guard interface x ip inspect udp …. TCP intercept SYN-ACK
interface x
ACK
Configuring CBAC:
ac
ip verify source port-security
e
ip verify source
]
switchport port-security
Config / troubleshooting: Interface fa0/1 Interface fa0/0 Diagram: Syn
Configure static binding: ip inspect CBAC in ip inspect CBAC out
Syn-ACK
trusted Client DHCP Built to overcome limitations of CBAC: uRPF Strict Mode:
Client Server Traffic passing through the interface was subject
DHCP to the same inspection policy. Soure Address must match the FIB Adjacency Info in the
trusted
Server Attacker
untrusted Unicast Reverse Path CEF table
Attacker
untrusted
Ip dhcp snooping
Ip dhcp snooping vlan X
Puts ports in vlan X Zone-Based Policy Firewall ZFW: Forwarding Packets sourced from 10.0.0.0/8 arriving at ser0/0 failing
the uRPF check will be logged and dropped:
in untrusted mode Interfaces are assigned to zones, policy
(ZFW) inspections are applied to traffic moving access-list 101 deny ip 10.0.0.0/8 any log-input
DHCP Server: sho sho between zones. Uses class-maps via CPL!
IP DHCP Snooping: Interface X w i w ip
pd
uRPF Packets sourced from 172.x. arriving at ser0/0 failing the
ip dhcp snooping trust hcp dhcp
sno sno Comparison ZFW and CBAC: DMZ uRPF will be logged and forwarded:
op opin Interface#1
Zone Interface#3
Clients / untrusted ports: ing g
interface X
bin
din Strict mode: access-list 101 permit ip 172.x.x any log-input
g
ip dhcp snooping limit rate 100 Private Public interface Serial0/0
ip verify unicast reverse-path 101
Errdisable recovery cause arp-insepection interval <seconds> Interface#2
ip dhcp snooping
ip dhcp snooping vlan X
no ip dhcp snooping information option 1 Define zones Strict Mode: Resolves source IP address / source interface
ip dhcp snooping vlan X 2 Define zone-pairs
Unicast Reverse Path Loose Mode: Resolves source network
ip dhcp snooping database flash://snoop.db
ip dhcp snooping database write-delay X Forwarding In case Loose Mode is configured with a default route, Help me create more flashcards:
IP DHCP snooping Zone-Based Policy Firewall: 3 Define class-map(s) which identify traffic
(traverses zone-pair)
Loose mode is useless!
Write-delay:
Default time from local entry to remote DB writing time.
config: Option 82: Steps:
4 Define policy-map / action to the traffic in class-map uRPF ip cef
Ip dhcp snooping information option RemoteID + CircuitID
within DHCP Discover message, seen on the servers
5 Apply Policy-Map to zone-pair Simply press this button and send me your
Loose mode interface X
trusted port outbound.
( SW# within exec mode, not config! )
6 Assign Interfaces to Zones
ip verify unicast source reachable-via any
credit cards regards!
ip dhcp snooping binding xxxx.xxxx.xxxx vlan X 1.2.3.4
int X expiry
match [ACL, protocol, ip prec, ip dhcp, vlan] match protocol tcp Packet received on Interface where the IP should source?
e
pr b
at
y pu
class CMAP-COPP
policy-map type inspect MYPOL Difference of ip verify unicast source reachable-via rx
ne s
------------------------------------------------------------------------------
exceed-action <action>
zone-pair security PAIR source private destination public uRPF Strict Mode
CoPP control-plane Config: service-policy type inspect MYPOL
uRPF loose mode:
Is the source network in the routing table?
service-policy [input, output] PMAP-COPP
interface ethernet0 uRPF Loose Mode: Interface X
zone-member security private
ip verify unicast source reachable-via any Thanks for appreciating my efforts
(IGP/BGP packets from an to Router) interface ethernet1
zone-member security public
Colin
http://www.flashcardguy.ch
Strict Mode:
commands:
…
IP unicast RPF check is enabled
2. Cisco Secure ACS Server Authorization Services: Command
sessions
Auths EXEC mode commands associated
Three types: Auth-proxy
with priviledge levels
applying specific sec policies per user
3. Cisco Secure ACS Solutions Engine
Configuration downloads configs from AAA server
appliance
show ip traffic
…
0 no route, 0 unicast RPF, 0 forced drop
PVLAN 10.0.0.25/24
forwards the packet to the Victim.
Named Method: applied to specific interfaces
Challenge
Response
Challenge
Response
Unidirectional
single challenge
Bidirectional
Multiple challengs
Default Method: globally / automatically applied to all
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 Protocol Support Protocol Support No NetBEUI Full support
interfaces if no other list is specified.
access-list 101 permit ip any any on
ati Security Security Encrypts only Encrypts
Interface X tig
Ip access-group 101 in mi the password the entire packet
AAA enable enable pass authentication login enable authentication for ASCI based
local use local username database ppp Auth list for any PPP-based protocol
local-case uses case-sensitive local database such as ISDN, remote dial-in...
none no authentication used
Start
GETUSER
aaa group server radius TEST-1
server 1.2.3.4
Ranging 5 bucks to unlimited!
Username: aaa new-model
radius-server key super-secret123
TACACS+ PPP authentication aaa authentication ppp default if-needed group radius
CONTINUE Configuring AAA RADIUS ----------------------------------------------------------------------------
aaa authorization network default group radius if-authenticated
Communication TACACS+
Colin
TACACS+ Server Groups aaa group server radius TEST-2
If-needed:
Client GETPASS Server server-private 2.2.2.2 key secret123 if-needed: If the user has already authenticated by going trough the ASCI
login procedure, PPP authentication is not necessary and
Password: skipped.
----------------------------------------------------------------------------
Authentication: CONTINUE “globally and privately” If-authenticated:
Password = cisco123 aaa authentication login default group TEST-1 if-authenticated: Indicates that users can be given access to requested services
Thanks for appreciating my efforts
only if they have been authenticated first.
aaa authentication ppp default group TEST-2
PASS / FAIL
Final Status
Colin
http://www.flashcardguy.ch
IKE phase 2 protects user data and establishes SA for aaa new-model aaa for Xauth
Keepalives
3 messages
No
2 messages
Yes
Client Router config: xauth userid mode local
Keepalives
Identity Hiding Identity Hiding in main-mode Yes interface gi0/0
Diagram: UDP/NAT UDP/NAT no Yes
description outside
SA Negotiation SA Negotiation Responder selects Same as IKEv1, (Network extension crypto ipsec client ezvpn MYVPN outside
initiators proposal simpler
Number of MSGs Number of MSGs 6-9 4-8 mode) interface gi0/1
description inside
EAP/CP EAP/CP No Yes crypto ipsec client ezvpn MYVPN inside
connections: Is UDP port 500 open on the outside ACL? Overview: - Client Mode / PAT mode: single source ip
service-policy output TEST
- Network Extension Mode: fully routable over tunel ip local pool POOL 172.16.1.1 172.16.1.100
IP pool for Thanks for appreciating my efforts
Some situations require that UDP port 4500 is open for
the outside.
- Network Extension Plus Mode: able to request IP
address via mode
Part 3 ip route 0.0.0.0 0.0.0.0 gi0/0
VPN users
http://www.flashcardguy.ch
Ip cef crypto isakmp policy 10
Security
encr 3des
Username cisco privilege 15 password 0 cisco1
authentication pre-share
Cisco Easy VPN with Policy-map TEST
Class class-default
group 2
crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
username ADMIN privilege 7 password 0 CISCO
es he
!
ny
ic lo le
ip access-list extended DYNAMIC-1
Your Password:"
ya
tri s t
m un ab
DMVPN deployment - Server Load Balancing (SLB) AAA Authentication dynamic PERMIT permit icmp any any interface Serial0/1
an
en ck
,
na d en
aaa authentication username-prompt "Please Enter Your ID:"
deny ip any any ip access-group DYNAMIC1 in T
dy man ss-
aaa authentication banner # E
! LN
topologies
m ce
Dynamic Mesh Designs Lists This system requires you to identify yourself. interface FastEthernet0/0
T_
TE
co ac
ip access-group DYNAMIC-1 in line vty 0 4 I
- Dual Hub Single DMVPN (DHSD)
#
aaa authentication fail-message # Dynamic Access-lists: line vty 4
login local RM
P E
- Multihub Single DMVPN (MHSD) Authentication Failed, Sorry. rotary 1 C1
password CISCO MI
- Hierarchical (Tree-Based) # NA
tacacs-server host 155.1.146.100
login
autocommand access-enable timeout 5 e DY
tacacs-server directed-request l at
tacacs-server key CISCO clear access-template DYNAMIC-1 PERMIT any 10.0.0.0 0.0.0.255 e mp
s- t
c es
line vty 4 ac
ar
debug aaa authentication autocommand access-enable timeout 5 cl e
autocommand access-enable host timeout 5
R5#telnet 150.1.1.1
Trying 150.1.1.1 ... Open access-enable host replaces the source IP
show ip nhrp reveals NBMA address specification (any) in the access-list entry with the Help me create more flashcards:
AAA/AUTHEN/START (649338587): using "default" list Lock N Key IP of the authenticated user
DMVPN show crypto socket Local/Remote network Debugging AAA for AAA/AUTHEN/START (649338587): Method=tacacs+
(tacacs+)
access-list dynamic-extended
re-login to the router to extend the
show commands: show crypto ipsec sa remote crypto endpoints
a telnet line: AAA/AUTHEN(649338587): Status=ERROR
AAA/AUTHEN/START (649338587): Method=ENABLE absolute timeout
http://www.flashcardguy.ch
Ethertype Protocol Ethertype Protocol
show ip inspect config IPv4
ARP
0x800
0x0806
IPv4
ARP Security
class-map match-all EXTENSION show ip inspect interfaces Reverse-ARP 0x0835 Reverse-ARP
match protocol http url “*.bin|*.exe|*.com” 802.1Q tagged frame 0x8100 802.1Q tagged frame
CBAC Filtering show ip inspect sessions IPX 0x8137 IPX
NBAR for Content- policy-map DROP IPX 0x8138 IPX
Based Filtering
class EXTENSION
drop
Show commands:
show ip inspect all ? IPv6
MPLS unicast
MPLS multicast
0x86DD
0x8847
0x8848
IPv6
MPLS unicast
MPLS multicast
PPPoe Discovery stage 0x8863 PPPoe Discovery stage
tin ile
interface Gi 0/0.146 show ip port-map | inc http
oo wh
g
service-policy output DROP PPPoe Session Stage 0x8864 PPPoe Session Stage
sh ,
le ind
LLDP 0x88CC LLDP
ub to f
TFTP is the perfect protocol for testing, due to it
tro ky
EAP over LAN 0x888E EAP over LAN
ic
using dynamic ports
Tr
TRILL 0x22F3 TRILL
Vlan ID
ip access-list logging interval 1000 ARP,CDP,VTP,DTP,UDLD,STP LSAP value of 0xAAAA credit cards regards!
To check filtering, make opposite switch the root for one Option 82:
Rate-limiting logging -> CPU process Vlan and filter it on the port, check if the local switch can Remote-id = BIA of switch
switching if log / log-input is used on ACLs not see the root on that port. Port-ID = Port where the Client is attached
Trusted
Inside Inspect in
Router1# show ip dhcp snooping database detail Ranging 5 bucks to unlimited!
ACL in ipx routing
interface Serial 0/1/0
ip inspect INSPECT out
more flash:/dhcp-bindings.txt
interface FastEthernet 0/1
ip access-group INBOUND in
ipx network 146 encapsulation snap
http://www.flashcardguy.ch
Fa0/1 Fa0/6 CPPr treats the Route Processor (RP) as a
SW2:
ip dhcp snooping
ip dhcp snooping vlan 5 Control Plane
virtual interface attached to the router
classified into three categories or sub-interfaces: Security
DHCP Snooping and SW2#show ip arp inspection vlan 146
ip dhcp snooping information option format remote- Source Mac Validation : Enabled
Protection (CPPr) control-plane host subinterface
receives all control plane TCP/UDP traffic that is
the Information id string SWITCH2
ip dhcp snooping information option allow-untrusted show ip arp inspection vlan X
Destination Mac Validation :
IP Address Validation :
Enabled
Enabled directly destined for router interfaces.non TCP/UDP
Vlan Configuration Operation ACL Match Static ACL control traffic will end up on the CEF exception sub-
Option interface FastEthernet0/6 ---- -------------
146 Enabled
---------
Active
---------
ARP_VLAN146
----------
No
Explaining: interface.
Has most policing, port-filtering, per protocol queue
ip dhcp snooping vlan 5 information option
format-type circuit-id string CLIENT22 Output: Vlan ACL Logging DHCP Logging Probe Logging
thresholds
Interface X
&
ip dhcp snooping trust Control Plane Protection (CPPr) control-plane CEF exception subinterface
CLIENT22
SWITCH2
debug ip dhcp snooping event
NBAR can NOT be used for control-plane
%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: traffic classification !!
DHCP_SNOOPING drop
! Global ACL 99 in place for VTY access: no egress policing for any of the host subinterfaces
arp access-list ARP_VLAN146 no ARP lookup, CEF
line vty 0 4 All TCP/UDP to directly
permit ip host 155.1.146.1 mac host 000d.edc8.4f60 log adjacency still incomplete
destined on router
permit ip host 155.1.146.4 mac host 0015.c634.6c61 log access-class 99 in
ip arp inspection vlan 146
login local
Control Plane
Dynamic ARP ip arp inspection vlan 146 logging acl-match matchlog
ip arp inspection log-buffer entries 16 Controlling Terminal User TELNET has a second ACL, permitting
this user only from ACL 100 allowed networks. Protection (CPPr)
ip arp inspection log-buffer logs 4 interval 10
Inspection ! Checks content of the ARP packets
Line Access username TELNET password CISCO
username TELNET access-class 100
maximum, 16 entries in the ARP logging buffer. Diagram:
ip arp inspection validate src-mac dst-mac ip
Enable all additional sanity checks for ARP packets Access-class 100 could be useful in
! Apply the ARP ACL
combination of restricting rotary access to non- IP router-destined traffic, CDP, L2
ip arp inspection filter ARP_VLAN146 vlan 146 ports like 80, 161 etc.. keepalives, multicast OSPF updates
lists?
traffic across the loopback interface and Enhancements login on-failure log every 3
control-plane host
make it re-enter the router Log every successful attempt:
login on-success log
Control-plane host: service-policy input CPP_HOST_POLICY
login delay 2
line vty 0 4
login local
aaa new-model
Used to trust/disable inspection on trunks: parser view DEBUG enable view
ip arp inspection trust secret CISCO
commands exec include show running-config
Check correctness of contents of ARP packets for
commands exec include all debug
src and DST
ip arp inspection validate src-mac dst-mac
commands exec include all undebug Help me create more flashcards:
parser view INTERFACE1
IP address consistency checks for ARP packets
Dynamic arp inspection command Ensures no host binds 0.0.0.0 or 255.255.255.255
secret CISCO How can one check for OPEN ports
by command: ip arp inspection validate ip Role Based CLi commands interface include all ip
commands configure include interface in the control-plane:
show control-plane host open ports
For host NOT using DHCP create static entries: commands exec include configure terminal
ip arp inspection filter <ARP_ACL> vlan <vlan_ID> commands configure include interface FastEthernet0/0 Simply press this button and send me your
static
Starts logging allowed or denied packets
parser view SUPER superview
secret CISCO DEBUG
credit cards regards!
ip arp inspection vlan <VLAN_ID> logging acl- view DEBUG
Supa view interface1
match view INTERFACE1
Dynamic arp inspection ip arp inspection log-buffer entries <N> Controlling the ICMP messages (100 per second = <10> )
ip icmp rate-limit unreachable <once per this ms>
(CPPr) match not port 520
(rotary-group)
or RIP routing protocol
switch empties this buffer using a rate-limited
Commands: procedure Messages Rate Control the rate of “packet-too-big” messages policy-map type port-filter FILTR_CLOSED_PORTS
ip arp inspection log-buffer logs <number>
(<1> = 1000 times per second) Control-plane host / port-filter: class CLOSED_PORTS
<interval>
ip icmp rate-limit unreachable DF <once per ms> drop
estrict the rate of received ARP packets to <pps> per Thanks for appreciating my efforts
<seconds> interval control-plane host
ip arp inspection limit rate {<pps> burst interval service-policy type port-filter input FILTR_CLOSED_PORTS
<seconds> | none }
Colin
http://www.flashcardguy.ch
separate limit enforced for this particular protocol in
the common input queue, only one threshold policy
map possible. Map different threshold class maps to
route map.
-Load a PHDF (optional). PHDF Packet Header
Definition File written in XML
Security
Control-Plane Protection ZFW Application
load protocol system:fpm/phdf/ip.phdf
class-map type queue-threshold CMAP_BGP
(CPPr) match protocol bgp
Flexible Packet
load protocol system:fpm/phdf/icmp.phdf Inspection Config too big to display here!
STACK_POLICY
show policy-map control-plane cef-exception
interface Fa 0/1
".*AAAA.*" Transit 9736/0/0
Filter ICMPs with string AAA in policy-map type access Cef-exception 140558/0/0
CEF-exceptions show policy-map control-plane transit payload, look no deeper than 256 ACCESS_CONTROL_POLICY
class ICMP_ECHO_STRING
Show commands: class-map type port-filter match-all CLOSED_PORTS
IP source route [strict / loose]: deny ip any any option lsr RMPs: control-plane cef-exception
48 30 0 service-policy input CEF_EXCEPTION_RATE_LIMIT
IP source route strict: 49 31 1
.. .. ..
deny ip any any option ssr 57 39 9
http://www.flashcardguy.ch
X Fa0/1.52
bridge crb (router has no SVI in L2 domain, not reachable) X
bridge x bridge ip
(bridge IP packets, no ip route mode)
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
Fa0/1
Fa0/1.52
Fa0/1.53
Fa0/1
X
Fa0/1.53 Security
The difference between bridge x route ip
X
dot1x system-auth-control
(ignore IP packets, follow IP routing rules) class-map match-all FROM_ETHERNET
interface FastEthernet0/9 match input-interface FastEthernet0/1
802.1x Authentication switchport mode access
Securing sub-interfaces
bridge irb
bridge crb If BVI is in bridge group, enable either IP bridging or IP dot1x port-control auto policy-map SAME_INTERFACE
routing, but not both! class FROM_ETHERNET
and Config using Radius: interface FastEthernet0/10
switchport mode access
For traffic transiting by using a drop
bridge irb bridge irb (bvi represents L3 in L2 domain) dot1x port-control auto policy-map: interface FastEthernet0/1.52
bridge X route ip (similar as a SVI)
bridge X protocol IEEE (probably necessary) ip radius source-interface Loopback0 service-policy output SAME_INTERFACE
int Z, bridge group X radius-server host 204.12.1.100
int BVIx interface FastEthernet0/1.53
radius-server key CISCO
service-policy output SAME_INTERFACE
bridg
interface BVI1 e
bridg irb Dot1x Info for FastEthernet0/9
ip address 10.0.0.6 255.255.255.0 e
bridg 1 protoco -----------------------------------
e 1 ro l
ip inspect name INSIDE_PROTOCOLS http ute ip ieee PAE = AUTHENTICATOR
ERSPAN Source Session:
ip inspect name OUTSIDE_PROTOCOLS http PortControl = AUTO
ControlDirection = Both
Troubleshooting: Total of 300 station blocks, 297 free RADIUS: id 1, priority 1, host 204.12.1.100, auth-port 1645, acct-port
1646
Codes: P - permanent, S - self ERSPAN Destination
State: current UP, duration 1636s, previous duration 0s
Bridge Group 1: Dead: total time 0s, count 0
Classic IOS Transparent Firewall monitor session <session-nr> type erspan-destination
Address Action Interface Age RX count TX count
0013.c451.f240 forward Fa0/0.146 0 123 23
Troubleshooting AAA Servers: Quarantined: No
Authen: request 0, timeouts 0 description bla
0013.c440.3980 forward Fa0/0.67 0 297 23 Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
ERSPAN Destination Session: destination interface fa0/x
source
show aaa servers: Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
ip address <ip.ip.ip.ip> [force] ! must match source
Using bridge IRB show ip inspect config Transaction: success 0, failure 0 erspan-id <flow-ID>
Account: request 0, timeouts 0 no shutdown
Response: unexpected 0, server error 0, incorrect 0, time 0ms
(L2 firewall mode) show ip inspect sessions Transaction: success 0, failure 0
Elapsed time since counters last cleared: 14m
debug ip inspect l2-transparent packets
Colin
http://www.flashcardguy.ch
router ospf 1
Don’t forget Switch#
VPN / MP-BGP / MPLS
Router# mpls ldp autoconfig
VRF A router-id 150.1.4.4 VRF A
ip vrf VPN_A ip routing VRF B router bgp 100 VRF B
rd 100:1
ip vrf VPN_B Trunk ip vrf VPN_A
R6#show mpls ldp neighbor
Peer LDP Ident: 150.1.4.4:0; Local LDP Ident 150.1.6.6:0
MP-BGP R6 no bgp default ipv4-unicast
bgp log-neighbor-changes
R6
SW1#show ip vrf
TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(47531) to MP-BGP ip address x.x.x.x 255.255.255.0 route-target both 100:2
router bgp 100
mpls
2.2.2.2(646) ip
Show ip vrf Name Default RD Interfaces Configuring MPLS LDP password VPNv4 RR Client no bgp default ipv4-unicast
neighbor 150.1.4.4 remote-as 100
RR Client
VPN_A 100:1 Vl67 R4
Lo101 on only one side: R4 neighbor 150.1.4.4 update-source Loopback0
output: VPN_B 100:2 Vl76
conf t
RR Client address-family vpnv4 unicast
neighbor 150.1.4.4 activate
RR Client
mpls
Lo102 neighbor 150.1.4.4 send-community extended ip
mpls ldp neighbor 2.2.2.2 password WRONG-pass
Configuring a wrong MPLS LDP R5/R6's config R5
address-family ipv4 vrf VPN_A
redistribute connected R5
password: TCP-6-BADAUTH: Invalid MD5 digest from 1.1.1.1(43524)
to 2.2.2.2(646) VRF A redistribute static VRF A
address-family ipv4 vrf VPN_B
VRF B redistribute connected VRF B
redistribute static
9.9.9.0/24
1:999 mpls mpls
route target import 1:999 ip vrf A TCP connection: 150.1.5.5.42010 - 150.1.4.4.646 Using the same RD on PE’s: 1:1 9.9.9.0/24 Client 1
rd 1:10 Password: required, neighbor, in use
route target export 1:999 State: Oper; Msgs sent/rcvd: 28/28 RR only passes on the best path to RR Client 3, to
route target import 1:999 over come this use different route targets
RR Client 1 RR RR Client 3
Local 21
9.9.9.0/24
Tracing from R6 to R5's loopback address: R6
On R5 no info can be found in: Out 20
Interface X MP-BGP mpls mpls
1. initially LDP sends multicast discovery Normally labels are generated for all entries in the
messages using 224.0.0.2 UDP 646 routing table outbound. In order to generate
labels only for specific prefixes use an access-list
2. Hears other LDP router,
(highest IP or mpls ldp router-id <interface>) and specify the prefixes you want to have labels Prevents bgp from automatically
Will start to establish a TCP session to other assigned for. Generate labels only for Loopbacks
activating the session: Help me create more flashcards:
LDP router-ID (normaly from loopback)
to use the physical address instead:
for example: Prevent BGP to
MPLS LDP discovery: mpls ldp discovery transport-address <interface>
MPLS Label Filtering access-list 99 permit 150.1.6.6
automatically activate a router bgp 100
3. Using LDP-Router-IDs, rtrs establish TCP
no mpls ldp advertise-labels no bgp default ipv4-unicast
session to port 646. Can be authenticated
using: interface X, mpls ldp mpls ldp advertise-labels for 99
configured session: Simply press this button and send me your
neighbor <IP> password <password>
Or globally:
R6#show mpls forwarding-table credit cards regards!
Local Outgoing Prefix Bytes tag Outgoing Next Hop
mpls ldp password required tag tag or VC or Tunnel Id switched interface
4. LFIB should be getting populated 16 Untagged 204.12.1.0/24 0 Gi0/0.146 1.2.3.4
17 Untagged 155.1.0.0/24 0 Gi0/0.146 1.2.3.4
R6#
MPLS IP mpls ip Enable MPLS
MPLS IP
show ip bgp vrf A <pfx of R5>
Originator R5 (5.5.5.5)
LSP VRF A Ranging 5 bucks to unlimited!
set mpls
mpls ldp router-id Loopback0 force router-id mpls ip MPLS label switch path In label none R6 to pfx
of R5
VRF B
Out label 19 R6
Configuration using Using Loopback0 for LDP session show mpls forward table 5.5.5.5
interface FastEthernet 0/1 Configuration using mpls ldp router-id Loopback0 force
Explained:
Local 17
Out 16
R4# mpls
show ip bgp vpnv4 rd 100:1 <pfx of R5>
ip
mpls ldp discovery transport-address interface Originator R5 (5.5.5.5)
Local address for LDP Using local address to establish LDP session interface Serial 0/1/0 In label none
R4
The loopback for the LDP session mpls ip Enable MPLS per interface LSP from R6 to a prefix announced Out label 19 RR
router ospf 1 Show mpls forward table 5.5.5.5
Enable MPLS on all OSPF Local 16 mpls
Enable all OSPF interfaces for mpls ldp autoconfig enabled interfaces Make password mandatory
from R5 R5# Out POP-tag ip
Enable MPLS per interface mpls ldp password required show ip bgp vrf A <pfx of R5>
MPLS mpls ldp neighbor 150.1.4.4 password CISCO
Originator R5 (5.5.5.5) locally originated R5
Thanks for appreciating my efforts
In label 19
mpls ldp password required
Make password mandatory PE-P-PE Out lableAggregate(VPN_A)
VRF A
Make passwords mandatory Show mpls forward table 5.5.5.5 VRF B
Make passwords mandatory: mpls ldp neighbor 150.1.5.5 password CISCO No entry Label 19 is VPN label for the prefix on R5, distributed via BGP
Colin
http://www.flashcardguy.ch
On PE
A to VPN B of another PE
set extcommunity rt 100:1
ip vrf VPN_A
VPN B
Exports Lo102 to 100:66
RIP
MP
RIP router bgp 100 Picture:
Everything else to 100:2 BGP address-family ipv4 vrf VPN-X
export map VPN_A_EXPORT
route-target both 100:1 imports 100:2 redistribute rip mertic <1-16> or <16+>
route-target import 100:66 imports 100:55
Filtering Paths: (1 available, best #1, table VPN_A) RIP redistribute bgp 100 FIB:
...
Extended Community: RT:100:66 Filtering the rip route out using a RIP
LIB commands: show adjacency detail
RIP show ip cef vrf x
...
bgp redistributed metric MP
Importing a prefix into VPN A BGP
LIB:
BGP routing table entry for 100:2:192.168.6.0/24,
version 28
within 0-16 120/1
200/6 120/7
FIB commands: show mpls bindings
Paths: (1 available, best #1, no table) vpnv4 entry BGP show mpls ip bindings
VPN A RT 100:1 ...
RIP RIP router bgp 100
MP
PFX was set to RT 100:66 ...
Extended Community: RT:100:66 BGP address-family ipv4 vrf VPN-X LFIB commands: LFIB:
redistribute rip mertic 5
Show mpls forwarding
VPN a has imported this prefix from RT 100:66
ip vrf VPN_A router rip
rd 100:1 Incomming label 23 is swapped with label
route-target both 100:1
route-target import 100:66
PE-CE Routing with version 2
address-family ipv4 vrf VPN-X
20, and label 16 is pushed onto label 20
export map VPN_A_EXPORT
RIP Redistribute bgp 100
Show mpls forwarding-
MP-BGP Prefix interface Loopback101 Filtering the rip route out using a RIP RIP
R1#show mpls forwarding-table 10.200.254.4 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
Area 1 Area 1
SuperBack
Default label range: 16 – 100 000
Ranging 5 bucks to unlimited!
bone
Reserved Labels 0 - 15
MPLS labels
PE-CE Routing with Label 0 explicit 0 for IPv4
MPLS Header: show ip ospf 100
http://www.flashcardguy.ch
Label 0 explicit 0 for IPv4 e1 e1
Label 2 explicit 0 for IPv6 ip cef
Int lo1
Ip address 1.1.1.1/32
e2 e2
VPN / MP-BGP / MPLS
Copy EXP bits of outer label to inner
label, preserving QoS bits mpls ldp router-id Loobpack0 force LDP hello transport
mpls label protocol LDP interface e1
MPLS labels mpls ldp discovery transport ip addr x.x.x.x / 24
IP 1.1.1.1
Label 3 implicit 0
PE requests POP operation from P address mpls ldp discovery transport address 1.1.1.1
router. Only for directly connected
Basic MPLS LDP config: int loopback0 mpls ip
ip address 10.10.10.10 255.255.255.255
0, 2, 3, 1, 14 explained: or summary routes
Explained: interface e2
ip addr x.x.x.x / 24
Label 1 router alert label interface X mpls ldp discovery transport address 1.1.1.1
Label check in Software! mpls ip
ip address x.x.x.x/yy
When a router has multiple links to the same LDP
Label 14 OAM alert label
mpls ip router, the same transport addr must e advertised on
Not used by Cisco all parallel links.
RTR#show mpls ldp discovery detail
Local LDP Identifier:
Configuring the MPLS label 10.200.254.2:0
Discovery Sources:
range: Interfaces:
Ethernet0/1/2 (ldp): xmit/recv Number of MPLS LDP session: 1 LDP session 2 LDP session
RTR(config)#mpls label range 16 1048575 Enabled: Interface config
And Hello interval: 5000 ms; Transport IP addr:
event#show mpls label range show mpls ldp discovery detail: 10.200.254.2 Frame based transport / Mixed /
Downstream Generic label region: Min/Max LDP Id: 10.200.254.5:0
label: 16/1048575 Src IP addr: 10.200.215.2; Transport IP addr: LC-ATM:
show mpls label range: 10.200.254.5
Hold time: 15 sec; Proposed local/peer: 15/15 sec
3 LDP session 4 LDP session
Reachable via 10.200.254.5/32
te
MPLS ldp discovery
! ou
Local LDP Identifier: ...
SR p r
10.200.254.2:0
rL i
Addresses bound to peer LDP Ident:
fo how
Discovery Sources:
10.200.254.2 10.200.210.2 10.200.218.2
ks
When there is no route to the LDP Interfaces:
ec
10.200.211.1 10.200.215.1
Ch
Ethernet0/1/4 (ldp): xmit/recv
TTL expired in MPLS network neighbor: LDP Id: 10.200.254.1:0 Peer holdtime: 180000 ms; KA interval: 60000
POS5/0/0 (ldp): xmit/recv MPLS ms; Peer state: estab
LDP Id: 10.200.254.3:0; no route
LDP bound IP addresses: Remote LSR binds each local IGP prefix in the
Picture: Discovered via multicast, but london#show mpls ldp discovery detail routing table and advertise them through LDP
...
RTR#show mpls interfaces fastEthernet 2/6 detail RTR#show mpls ldp discovery
Local LDP Identifier: RTR#show mpls ldp bindings
Interface FastEthernet2/6:
lib entry: 10.200.210.0/24, rev 4
IP labeling enabled 10.200.254.2 :0
LSP Tunnel labeling not enabled Discovery Sources: lib entry: 10.200.211.0/24, rev 12
BGP labeling not enabled Interfaces: show mpls ldp bindings: local binding: label: imp-null POP action
show mpls interfaces fastEthernet 2/6 MPLS not operational Identifying the remote Ethernet0/1/4 (ldp): xmit/recv remote binding: lsr: 10.200.254.5:0, label: 18
MTU = 1500 LDP Id: 10.200.254.1:0 remote binding: lsr: 10.200.254.1:0, label: 32
detail: LSR and label space remote binding: lsr: 10.200.254.3:0, label: imp-null
RTR(config)#interface FastEthernet2/6
4 bytes identifies LSR uniquely Check the local actions for a
being used: lib entry: 10.200.254.1/32, rev 31
RTR(config-if)#mpls mtu 1508
2 Bytes identifies the label space, PFX: local binding: label: 24 SWAP action
RTR#show mpls interfaces fastEthernet 2/6 detail remote binding: lsr: 10.200.254.5:0, label: 22
- if set to 0 platform-wide label space, remote binding: lsr: 10.200.254.1:0, label: imp-null
... )
mtu - if set to 1, per interface label space is remote binding: lsr: 10.200.254.3:0, label: 26
mbo
MTU = 1508 m ju te used.
( sys
- informs the LSR how big a 1. Discover via LDP Hello’s Multicast 224.0.0.2
received labeled packet of a UDP 646
certain FEC can be that can 2. Attempt TCP connection port 646
LIB
show mpls ldp neighbor 10.200.254.5 detail show mpls ldp bindings 1.1.1.1/32 Ranging 5 bucks to unlimited!
MPLS LDP functions are:
Peer LDP Ident: 10.200.254.5:0; Local LDP Ident
10.200.254.2:0
MPLS Local bind Label 20
Remote bind: lsr 3.3.3.3 label 18
RIB
Rem
State: Oper; Msgs sent/rcvd: 16/19; Downstream; Next hop IP via Interface
detail: Last TIB rev sent 50 2.2.2.2 POS1
side
Check which end is the TCP server Ethernet0/1/2; Src IP addr: 10.200.215.2 show mpls ldp neighbor pos1
- Advertising of label mappings holdtime: 15000 ms, hello interval: 5000 ms LFIB LDP peers Peer LDP ident 3.3.3.3, Local 2.2.2.2
of the LDP session:
e
http://www.flashcardguy.ch
router ospf 1 Enable cef: ip cef
OLD DEFAULT:
MPLS LDP does not withraw labels from a neigbor
mpls ldp autoconfig area 0
router2
MP In combination with mpls ldp sync in this situation,
BGP Incoming Interface Outgoing Interface Switching Method
Loopback 1 Loopback 1 MPLS router 2 would never achieve a OSPF adjacency.
OSPF waits for LDP!
MPLS LDP ip addr 2.2.2.2 CEF Process CEF
(Allow hello’s only from 2.2.2.2) If the hold-down timer expires before the LDP session is
established, the OSPF adjacency is built anyway.
http://www.flashcardguy.ch
-subdivide the vpnv4 routes into groups
- increases scalability
On Route Reflector 1:
RTR#show ip ospf 42
Routing Process "ospf 42" with ID 10.99.1.1
VPN / MP-BGP / MPLS
Domain ID type 0x0005, value 0.0.0.42
show ip cef exact-route SOURCE-IP DESTINATION-IP router bgp X
Connected to MPLS VPN Superbackbone, VRF cust-one
address-family vpnv4
RTR#show ip cef exact-route 10.200.1.2 10.200.254.4 RR Group config: ip extcommunity-list 1 permit rt 1:3
ip extcommunity-list 1 deny rt 1:2
10.200.254.2 (metric 3) from 10.200.254.2 (10.200.254.2)
Origin incomplete, metric 10, localpref 100, valid, internal, best
10.200.1.2 -> 10.200.254.4 => IP adj out of Ethernet1/3, addr 10.200.203.2
Extended Community: RT:1:1 OSPF
On Route Reflector 2: DOMAIN-ID:0x0005:0x0000002A0200
ip extcommunity-list 1 deny rt 1:1 OSPF RT:0.0.0.0:5:1 OSPF ROUTER ID:10.99.1.1:1281,
mpls labels in/out nolabel/18
ip extcommunity-list 1 permit rt 1:2
Area:route-type:option
ip extcommunity-list 1 permit rt 1:1 ip extcommunity-list 1 deny rt 1:1 vrf X vrf X
ip extcommunity-list 1 deny rt 1:2 ip extcommunity-list 1 permit rt 1:2 ospf router 22 ospf router 77
ip extcommunity-list 1 permit rt 1:3 ip extcommunity-list 1 deny rt 1:3 MP
RTR#show ip cef vrf cust-one 10.100.103.2 ip extcommunity-list 1 deny rt 1:2 ip extcommunity-list 1 permit rt 1:2
BGP
10.100.103.2/32 Area 0 Area 0
show ip cef vrf x <prefix> [detail] nexthop 10.200.200.2 Ethernet0/0/0 label 23 21
VPNv4 BGP vpnv4
Top and bottom MPLS labels: Domain-ID NOT = OSPF process ID
Result: External LSA Type 5
Extended communities for OSPF
Output:
RTR#show ip cef vrf cust-one 10.100.103.2 detail
10.100.103.2/32, epoch 5 RR Group config:
recursive via 10.200.254.4 label 21 Domain-ID = OSPF process ID
nexthop 10.200.200.2 Ethernet0/0/0 label 23 Result: internal route
router bgp X router bgp
Top Label: 23 Bottom Label: 23 address-family vpnv4 address-family xy
bgp rr-group <1-500> {ext-com-list} domain-id 77
By default only Type 3
MP
BGP
Area 0 Area 0
show mpls forwarding-table
VPNv4 Backdoor
labels label exact-path ipv4 Type 1,2,3
source-address destination- Life of a IPv4 Packet across a Sham-link Type 1,2 By default only Type 3
show mpls forwarding-table labels 18 exact-path ipv4 <SRC> <DST> OSPF sham Links
address
IGP label 18 for PE-2
MPLS VPN Backbone: Lo0 1.1.1.1
MP
Lo0 2.2.2.2
SRC DST BGP
1.1.1.1 PE PE-2 2.2.2.2 explained:
osp nk
Area 0 Area 0
Output:
to m-li
f
vrf vrf
s in ha
Backdoor
int tise s
Type 1,2,3
en dver
show mpls forwarding-table labels 18 exact-path ipv4 1.1.1.1 2.2.2.2
router ospf X vrf BLA
a
po
1.1.1.1 -> 2.2.2.2 : Eth1/3 (next-hop x.x.x.x) Label Stack: 16
n’t
area 0 sham-link <1.1.1.1> <2.2.2.2>
Do
london#show cef table inPE#show ip cef vrf cust-one 10.10.100.1 /32 detail
Global information: 10.10.100.1/32, epoch 0 RTR#show ip ospf 42 neighbor
MTRIE information: recursive via 10.200.254.2 label 30 Neighbor ID Pri State Dead Time Address Interface
TAL: node pools: 10.200.200.1 1 FULL/DR 00:00:35 10.10.2.1 Ethernet0/1/2
nexthop 10.200.214.1 POS0/1/0 label 16
pool[C/8 bits]: 45 allocated (0 failed), 46800 bytes {3 refcount} show ip cef vrf x <PFX> 10.99.1.2 0 FULL/ - - 10.99.1.2 OSPF_SL2
show cef table 3 active IPv4 tables out of a maximum of 2048 VPN label 30 IGP label to loopbk0 16 RTR#show ip ospf 42 sham-links
Sham Link OSPF_SL2 to address 10.99.1.2 is up
VRF
Default
Prefixes
38
Memory
23620
Flags show ip bgp vpnv4 rd 1:1 <PFX> inPE#show ip bgp vpnv4 rd 1:1 10.10.100.1 Verifying OSPF sham links Area 0 source address 10.99.1.1
BGP routing table entry for 1:1:10.10.100.1/32, version 81 Run as demand circuit
Output: cust-one
cust-one-ipv4 11
11 14680
14680
LCS
LCS
Paths: (1 available, best #1, table cust-one)
Not advertised to any peer
DoNotAge LSA allowed. Cost of using 10 State
POINT_TO_POINT,
Explained: Local
Timer intervals configured, Hello 10, Dead 40, Wait 40,
10.200.254.2 (metric 3) from 10.200.254.2 (10.200.254.2)
1 active IPv6 table out of a maximum of 1 Origin incomplete, metric 1, localpref 100, valid, internal, best Hello due in 00:00:03
VRF Prefixes Memory Flags Extended Community: RT:1:1, Adjacency State FULL (Hello suppressed)
Default 0 60 mpls labels in/out nolabel/30 BGP loopback
IGP next hop
10.10.100.3/32 10.10.4.2 38/exp-null Across MPLS VPN EIGRP 0x8803 route metric info Reserved field,
10.88.1.1/32 10.200.254.2 34/34 Load, MTU
Output explained: 10.99.1.1/32 10.200.254.2 28/33 Backbone 0x8804 External route info Remote
10.200.200.1/32 10.200.254.2 30/32
Autonomous System,
Prefixes with next hop 0.0.0.0, Labeled traffic
Router bgp X
Remote ID Thanks for appreciating my efforts
have no outgoing label, learned 0x8805 External route info Remote Protocol,
from VRF interface, should be address-family X
Remote metric
forwarded unlabeled towards CE domain-ID xx
Colin
http://www.flashcardguy.ch
Internal Previous:
RTR#show ip bgp vpnv4 all 10.10.100.1
BGP routing table entry for 1:1:10.10.100.1/32, version 28
...
Extended Community:
ip vrf ABC
rd 1:1
VPN / MP-BGP / MPLS
RT:1:1 Cost:pre-bestpath:128:409600 0x8800:32768:0
0x8801:42:153600 0x8802:65281:256000 0x8803:65281:1500,
Upgrading route-target export 1:1
route-target import 1:1
mpls labels in/out 22/nolabel Capability vrf-lite on vrf upgrade-cli multi-af-mode common-policies
BGP Extended communities for OSPF enabled CE
EIGRP
BGP extcommunities for EIGRP ip vrf x Are you sure ? [yes]: yes
Number of VRFs upgraded: 1
External
RTR#show ip bgp vpnv4 all 10.200.200.1 vrf definition ABC
BGP routing table entry for 1:1:10.200.200.1/32, version 91 Explained: rd 1:1
Extended Community:
RT:1:1 Cost:pre-bestpath:129:409600 0x8800:0:0 router ospf 1 To ip vrf definition x: route-target export 1:1
0x8801:42:153600 0x8802:65281:256000 0x8803:65281:1500 route-target import 1:1
capability vrf-lite
0x8804:0:168453121 0x8805:11:0,
mpls labels in/out nolabel/31 address-family ipv4
CE performs down-bit / domain-tag check, disabled by
exit-address-family
capability vrf-lite
IPv6 over IPv4
Cust A 6PE global routing table tunnel
CE CE
A EIGRP AS Nr: 19 MP
MP Cust BGP
BGP PE PE
Cust
B
Cust B
IPv4 show bgp vpnv6 unicast vrf x
Differences between IPv6 Core IPv6
EIGRP AS Nr: 45 <PFX> R1#show bgp vpnv6 unicast vrf A 2001:DB8:1:2::1/128
BGP routing table entry for [1:1]2001:DB8:1:2::1/128,
EIGRP VRF configuration: 6PE and 6VPE 6VPE version 5
SOO route-map
ipv6 unicast-routing mpls ldp route-id loopback0 force
route-map CUST-A permit 10
ipv6 cef
int fa0/0
Ranging 5 bucks to unlimited!
set extcommunity soo 1:100
SOO config explained: Facing P pseudowire-class one
vrf definition CUST-1 ip address 10.0.0.1/24
router encapsulation mpls
Applying SOO route-map for BGP rd 1:1 mpls ip
router bgp 1 address-family ipv6
int ser0/0 interface FastEthernet9/0/0
address-family ipv4 vrf CUST-A route-target export 1:1
vrf forwarding CUST-1 no ip address
neighbor 1.2.3.4 route-map CUST-A in route-target import 1:1
ipv6 address 2001::1/64 EoMPLS Carrying Simple xconnect 10.200.254.4 2000 pw-class one
6VPE PE configuration: exit-address-family
ipv6 enable Facing vrf
Applying SOO on the VRF interface customer Ethernet
interface fa0/0 router bgp 1
neighbor 1.1.1.1 update-source Loopback 0 PE1#show mpls l2transport vc 2000
ip vrf sitemap CUST-A
Local intf Local circuit Dest address VC ID Status
address-family vpnv6
------------- ----------------------- --------------- ---------- -------
Applying SOO route-map for static routes neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both Fa9/0/0 Ethernet 10.200.254.4 2000 UP Thanks for appreciating my efforts
router bgp 1
address-family ipv4 vrf CUST-A address family ipv6 vrf CUST-1
Redistribute static route-map CUST-A neighbor 2001::2 remote-as XXX
Colin
http://www.flashcardguy.ch
MPLS Diffserver Tunneling
Uniform Model
MP
BGP
- tests one particular FEC
- uses UDP port 3503
- LSR never forewards such a packet if LSP is broken
VPN / MP-BGP / MPLS
Customer sets DSCP, copied into EXP field of label
Models:
Reply Modes: Meaning:
1 Do not reply
Uniform Model Short Pipe Model
MP
BGP
2 Reply via IPv4/IPv6 UDP packet IP protocol 115 or UDP
- Uses
mpls ip encapsulate explicit-null - ip dfbit set, drop if packets can not be fragmented
To Packet-Marking Type From Packet-Marking Type To Packet-Marking Type From Packet-Marking Type
Value Meaning R5#show l2tp session all
-------------------------------------------------------------------------------------------- L2TP Session Information Total tunnels 1 sessions 1
Precedence Precedence CoS 0 no return code
1 malformed echo request received
Session id 19547 is up, tunnel id 38503
QoS group Remote session id is 55660, remote tunnel id 34507
2 one ore more TLVs misunderstood
3 Replying router is egress for the FEC Locally initiated session
DSCP DSCP CoS 4 Replying router has no mapping for the FEC Call serial number is 1694600001
QoS group MPLS LSP Ping 5 Downstream mapping mismatch Verifying L2TPv3 Remote tunnel name is R6
6 Upstream interface index unknown
7 Reserved
Internet address is 150.1.6.6
CoS CoS Precedence 8 Label-Switched at stack depth RSC Local tunnel name is R5
DSCP return codes 9 Label-switched but no MPLS forwarding at stack Config: Internet address is 150.1.5.5
10 Mapping for this FEC is not given label at stack IP protocol 115
11 No label entry at stack depth Session is L2TP signaled
MPLS EXP topmost MPLS EXP topmost QoS group 12 Protocol not associated with interface at FEC
13 Premature termination of ping due to label stack
Session state is established, time since change
shrinking to a single label 00:00:35
MPLS EXP imposition MPLS EXP imposition Precedence
Session PMTU enabled, path MTU is 1496 bytes
DSCP
3.3.3.3 PE1
PE-1 1.1.1.1
mpls ldp router-id Loopback0 force
mpls label protocol ldp
pseudowire-class one
Unlike the default, where if a TTL expires along the path, encapsulation mpls
What does the packet is sent to the Egress PE.
4.4.4.4
int serial 0/0
Help me create more flashcards:
With mpls ip ttl-expiration pop 1
MPLS ping of a failed LSP PE-1#ping mpls ipv4 1.1.1.1/32 verbose
‘B’ - unlabled output interface
MPLS encapsulation [ hdlc, ppp ]
xconnect 2.2.2.2 100 pw-class one
mpls ip ttl-expiration pop 1 Type escape sequence to abort.
B size 100, reply addr 3.3.3.3, return code 9 PE2
If a ttl expires on a P router, the P router sends back a
ICMP unreachable to the source router of the packet. MPLS traceroute of a failed LSP B size 100, reply addr 3.3.3.3, return code 9 Basic AToM config of two PE’s mpls ldp router-id Loopback0 force
Do?
mpls label protocol ldp Simply press this button and send me your
PE-1#traceroute mpls ipv4 1.1.1.1.1/32 verbose pseudowire-class one
Type escape sequence to abort.
0 3.3.3.1 3.3.3.3 MRU 1500 [Labels: 44 Exp: 0]
encapsulation mpls credit cards regards!
B 1 3.3.3.3 4.4.4.4 MRU 1504 [No Label] 80 ms, ret code 9 int serial 0/0
B 2 3.3.3.3 4.4.4.4 MRU 1504 [No Label] 72 ms, ret code 9
…. encapsulation [ hdlc, ppp ]
B 3 3.3.3.3 4.4.4.4 MRU 1504 [No Label] 88 ms, ret code 9 xconnect 3.3.3.3 100 pw-class one
1. VC identifiers have to match
access-list 2700 permit [mpls label table or any] int fa0/x int fa0/x.1 R1#show mpls l2transport vc 100 detail
do la
[mpls label number] [mpls exp value] [mpls End of Stack xconnect Local interface: Se0/0/0 up, line protocol up, HDLC up
wi ti o
encap dot1q 10
re n
4. Authentication
Using ACLS: Label, EXP, TTL Config: Troubleshooting Atom: VC Label
- Topmost label is the transport label PE Loopback
- Second label identifies the remote AC. IGP Label
MPLS turbo: Et3/1: rx: Len 122 Stack {16 0 253} {24 0 254} -
ipv4 data interface FastEthernet 0/1
Thanks for appreciating my efforts
MPLS turbo: Se4/0: tx: Len 108 Stack {24 0 252} - ipv4 data xconnect 1.1.1.1 100 encapsulation mpls
show mpls l2transport hw-capability int X
mpls ldp neighbor 1.1.1.1 password CISCO
Colin
http://www.flashcardguy.ch
R1 S0/0/0
S0/1/0
R2
mpls ip
R1 S0/0/0
S0/1/0
R2
VPN / MP-BGP / MPLS
MPLS mpls ldp router-id loopback 0 force
1.0.0.1/24 R1 R2
Lo0 Lo0
NO IP! 1.1.1.1 2.2.2.2 1.0.0.2/24
R1#
NO IP! e0/1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
pseudowire-class THE-WIRE
encapsulation l2tpv3
ip local interface Loopback0
interface e0/1
L2TPv3 configuration example: xconnect 2.2.2.2 100 encapsulation l2tpv3 pw-class THE-WIRE
R2#
interface Loopback0
1.0.0.1/24 R1 ip address 2.2.2.2 255.255.255.255
R2
pseudowire-class THE-WIRE
Lo0 Lo0
NO IP! 1.1.1.1 1.0.0.2/24 encapsulation l2tpv3
2.2.2.2
NO IP! ip local interface Loopback0
interface e0/1
xconnect 1.1.1.1 100 encapsulation l2tpv3 pw-class THE-WIRE
R1#show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2
show xconnect all State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
Colin
http://www.flashcardguy.ch
sh
ow
track local config changes exception core-file r3-core
Create core-dump named r3-core
exception protocol ftp
wr exc
ite ep
co tion
re
System
archive
alias interface si service-policy input
Configuring Change log config
exception dump 155.1.146.100
exception memory fragment 64000 reboot
Notification and logging enable
logging size 1000
Generating Reload case that memory fragmentation
prohibits a process from allocating more than
alias configure iae ip access-list extended
Exec Aliases Logging logging queue size 1000 entries max. Exception Core 64Kbytes of memory
exception memory minimum 1000000 reboot
alias exec ri show ip route
notify syslog
Dumps reload as soon as free memory falls below 1Mbyte
no ip ftp passive
alias exec rb show ip bgp ip ftp username cisco
archive log via syslog that changes occured ip ftp password cisco
hidekeys no exception crashinfo
don't send passwords via syslog Disable local crash information collection
logging on
g
debug condition interface Gi0/0.67
in
logging buffered 8192 debugging R4#show archive log config all
debug ip rip
Config / change notification
ogg
save debugging up to 8192 bytes to buffers idx sess user@line Logged command Ext
1 1 console@console | logging enable r em
bu ely h
logging console debugging
And logging Conditions could be:
w l
2 1 console@console | logging size 1000 sy e
send debugging to console 3 1 console@console | notify syslog - Interfaces rou lpfu
ter l on
System Message Conditional
sho
4 1 console@console | hidekeys - usernames s
logging rate-limit console all 1
limit console messages to one per second 5 2 console@console |interface Gi0/0 - calling lines
Logging logging monitor informational
Show archive log config all 6 2 console@console | description i am testing
Debugging
users via telnet should see only informational and above R4#show archive log config all provisioning Undebug all does not remove the conditions!
messages hidekeys
mkdir flash:/var Established TCP session refuse-message # Sorry, the line is already in use#
mkdir flash:/var/log
y clo connec
http://www.flashcardguy.ch
snmp-server community CISCO RW
snmp-server location Default Location
memory free low-watermark processor 1000
set up the free memory low threshold to 1000Kbytes
Enable SNMP traps for LinkUp and LinkDown events
only, and send them to the destination host System
snmp-server contact Default Contact memory reserve critical 512
SNMPv3 155.X.146.100 using the security model “priv” and
the username TRAP.
snmp-server ifindex persist Reserve 512Kbytes of memory for the notification
Ensure that interface index numbers persist between
reloads. CPU and Memory process using the memory command.
snmp-server group TRAP v3 priv
SNMPv2 Server snmp-server system-shutdown process cpu threshold type total rising 50 interval 5 View 2:
Thresholds monitor CPU usage every 5 seconds using the
snmp-server user TRAP TRAP v3 auth sha CISCO priv
des56 CISCO
process cpu command, and to generate a rising
access-list 98 permit 155.1.146.100 threshold event every time the CPU usage hits 50%
snmp-server host 155.1.146.100 traps version 3 priv TRAP
snmp-server tftp-server-list 98
Only allow configuration transfers via TFTP to/from snmp-server enable traps cpu threshold
traps
snmp-server enable traps snmp linkup linkdown
the host 155.X.146.100 send snmp CPU traps
- group defines what access rights a set of users have show snmp view
R4#show snmp community and controls which SNMP objects (MIBs) can be *ilmi system - included permanent active
Community name: ILMI accessed for reading and writing *ilmi atmForumUni - included permanent active
Community Index: cisco0 - group defines which SNMP objects can generate NORMAL iso - included nonvolatile active
Community SecurityName: ILMI notifications to the members of a group v1default iso - included permanent active
storage-type: read-only active - security model (SNMP version) v1default internet.6.3.15 - excluded permanent active
Community name: CISCO SNMPv3 - security level (authentication and/or encryption)
- read view has implicit permit, if no write or notify is
SNMPv3 v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
show snmp community Community Index: cisco4
Community SecurityName: CISCO
defined. v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
storage-type: nonvolatile active access-list: 99 Generall info: security levels are defined as
show snmp view v1default ciscoMgmt.399 - excluded permanent active
noauth noAuthNoPriv, (no auth, no encrypt) v1default ciscoMgmt.400 - excluded permanent active
Community name: PUBLIC auth AuthNoPriv (auth, no encrypt) RESTRICTED ifEntry.0.3 FF:EF included nonvolatile active
Community Index: cisco5 priv AuthPriv (auth and encrypt) *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
Community SecurityName: PUBLIC iso.2.840.10036 - included volatile
storage-type: nonvolatile active Group security model, but password and encryption active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F internet - included volatile active
key) are set per-user
http://www.flashcardguy.ch
Loopback 0 (150.1.4.4) ntp server 150.1.6.6
show ip http server status
clear mac-address-table dynamic
System
ntp master 5 ntp server 150.1.4.4 prefer
HTTP server status: Enabled ntp source Loopback0
ntp peer 150.1.6.6
HTTP server port: 8080 ntp source Loopback0 interface fa 0/0
HTTP server authentication method: local ntp broadcast
show mac-address-table notification
SNMP HTTP server access class: 0 Br
MAC Address
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 2 secs
HTTP server base path: flash:
Maximum number of concurrent server connections allowed: 2
NTP Loopback0 (150.1.6.6)
ntp master 5
ntp peer 150.1.4.4 Fa0/0
NT oad
P o cas
n f ts
a0
Number of MAC Addresses Added : 7 Server idle time-out: 180 seconds /0
ntp source Loopback0
Notifications: Number of MAC Addresses Removed : 7 Server life time-out: 180 seconds
Number of Notifications sent to NMS : 9 show ip http server status Maximum number of requests allowed on a connection: 1 ntp peer int gi0/0.67 interface Vlan58
HTTP server active session modules: ALL ntp multicast 224.0.55.55 ttl 1 ntp broadcast client
Maximum Number of entries configured in History
show mac-address-table MAC Notification Traps are Enabled HTTP secure server capability: Present ntp broadcast vlan67 vlan88
HTTP secure server status: Enabled
notification
History Index 0, Entry Timestamp 3441456, Despatch
Timestamp 3441456
HTTP secure server port: 4043 ntp multicast ip multicast-routing distributed
int vlan67
HTTP secure server ciphersuite: des-cbc-sha
MAC Changed Message : HTTP secure server client authentication: Disabled ip pim dense-mode
ip multicast-routing distributed
Operation: Deleted Vlan: 58 MAC Addr: HTTP secure server trustpoint:
ntp multicast client 225.0.55.55 int vlan 88
0004.9a0b.62c1 Dot1dBasePort: 7 HTTP secure server active session modules: ALL int vlan 88 ntp multicast client 225.0.55.55
ip pim dense-mode
show ip http client all
send debugging and higher prio messages HTTP client status: Enabled
HTTP client application session modules:
via SNMP to x.x.x.x Id : 1
Application Name : HTTP CFS SW2#show ntp associations detail
snmp-server enable traps syslog Version : HTTP/1.0 155.1.58.5 dynamic, our_master, sane, valid, stratum 6
snmp-server host 155.1.146.100 CISCO Persistent : persistent ref ID 150.1.4.4, time D6DFC145.83F9908B (09:37:09.515
R4#show cdp
Global CDP information: Router#
Sending CDP packets every 10 seconds ntp server 1.1.1.1 prefer
R6:
Sending a holdtime value of 40 seconds ntp authenticate
Sending CDPv2 advertisements is enabled tftp-server flash:XXX.bin alias R6-IOS 10
ntp authentication-key 58 md5 CISCO58
Source interface is Loopback0
CDP R4#show cdp interface access-list 10 permit 150.1.1.1
NTP Authentication interface Gi 0/0
FastEthernet0/1 is up, line protocol is up
Encapsulation ARPA
TFTP Server and ntp broadcast
ntp broadcast key 58
show commands:
Sending CDP packets every 10 seconds
Holdtime is 40 seconds
Client R1: ntp broadcast: Switch#
R4#show cdp traffic ip tftp source-interface Loopback0 ntp authenticate
CDP counters : ntp authentication-key 58 md5 CISCO58
Total packets output: 160, Input: 148
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0 ntp trusted-key 58
No memory: 0, Invalid packet: 0, Fragmented: 0 debug tftp events int vlan 58
CDP version 1 advertisements output: 0, Input: 0 ntp broadcast client
CDP version 2 advertisements output: 160, Input: 148
R4 R6 Config:
R6 Http on 8080 Loopback 0 (150.1.4.4) Loopback0 (150.1.6.6)
R4 R6
Http on 8080 R4 R1: ntp master 5 ntp master 5
http client http server ntp peer 150.1.6.6 ntp peer 150.1.4.4
http server
150.1.6.6 ip rcmd remote-username RCP
ntp source Loopback0 ntp source Loopback0
http client ip rcmd source-interface Loopback0
ip http client source-interface Loopback0
ip http client username CISCO
#R4
rsh 150.1.6.6 /user R6 show run interface Serial 0/0 Help me create more flashcards:
IOS ip http client password CISCO
ip http client secure-ciphersuite des-cbc-sha
R6:
ip rcmd rcp-enable
No password is required to
access the local system NTP authentication
ntp authenticate
ntp authentication-key 46 md5 CISCO46
only entry in local ".rhosts"
HTTP Server and username CISCO password 0 CISCO
ip rcmd rsh-enable table
ntp trusted-key 46
ntp peer 150.1.6.6 key 46
ip http server
ip http max-connections 2 Remote Shell ntp peer x.x.x.x
Client ip http path flash:
ip http port 8080
ip rcmd remote-host R6 150.1.1.1 Rack1R1 enable
ip rcmd remote-host RCP 150.1.1.1 Rack1R1 enable
ntp authenticate
ntp authentication-key 46 md5 CISCO46
ntp trusted-key 46
Simply press this button and send me your
loc vileg
ip http access-class 80
er
ip http secure-server
rsh 150.1.6.6 /user R6 show run int gi0/0
ed
R6
R4
150.1.6.6
Ranging 5 bucks to unlimited!
#R4
rsh 150.1.6.6 /user R6 show run int Ser0/0 The difference between NTP Peer:
http://www.flashcardguy.ch
Loopback 0 (150.1.4.4) R4 R5
ntp master 5
ntp source Loopback0
ntp authenticate
ntp authentication-key 4 md5 CISCO4
R4(config)#interface FastEthernet0/1
R4(config-if)#ip address dhcp
DHCP SRV line aux 0
no modem inOut System
R4#show dhcp lease
Temp IP addr: 0.0.0.0 for peer on Interface: FastEthernet0/1
transport input telnet
ntp server 150.1.6.6
NTP Authentication ntp server 150.1.4.4 prefer
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 1 Selecting Clear line <nr-of-aux-line>
ntp source Loopback0
ntp authenticate
How to find the client identifier on DHCP transaction id: 14F4 Reverse Telnet
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs Telnet to the AUX-line via:
ntp trusted-key 4
ntp server 150.1.4.4 key 4
a Cisco Router / Switch: Next timer fires after: 00:00:01 On AUX lines:
NTP Master <–> NTP Server ntp authentication-key 4 md5 CISCO4
Retry count: 0 Client-ID: cisco-0007.ebde.5622-Et0/1
Client-ID hex dump: 636973636F2D303030372E656264652E port number by adding 2000 + TTY = 20xx
ntp trusted-key 6 353632322D4574302F31
Loopback0 (150.1.6.6) ntp server 150.1.6.6 key 6 Telnet <IP> 20xx
ntp master 5 ntp authentication-key 6 md5 CISCO6 R5#
ip dhcp pool HOST_R4 -----------------------------------------------------------------------
ntp source Loopback0
client-identifier 00636973636F2D303030372E656264652E
alias exec auxup telnet 127.0.0.11 2097
ntp authenticate
353632322D4574302F31 alias exec auxdown clear line 97
ntp authentication-key 6 md5 CISCO6
NTP
Auto-Install over LAN network-confg
cisconet.cfg
or cli show int X | redirect tftp://1.2.3.4/int-x.txt
R4#show ntp associations detail | inc auth Interfaces using This to allow the router to determine its KRON Command Apply policy to occurrence:
150.1.6.6 configured, authenticated, selected, sane,
Check if ntp is valid, stratum 5 DHCP hostname. If the host name is found, the
router then checks for Schedule kron occurrence SAVE_DAILY at 8:00 recurring
authenticated: policy-list SAVE_CONFIG
Boot files / sequence <hostname>-confg
occurrence either one-shot or recurring
If that lookup fails, the router uses
router-confg or outer.cfg
show kron schedule
Server only hosts listed in ACL5 router sends out RARP requests for an IP address Event detectors:
after it fails to obtain an address via DHCP/BOOTP - CLI event detector
ntp access-group serve-only 5
- Syslog event detector
access-list 5 permit 5.5.5.5 ip dns server - Interface Counter thresholds
no event manager applet LOOPBACK_SHUTDOWN
NTP Auto-Install over LAN ip host R4 155.1.146.4 EEM Scripting: - Counter (generic)
- SNMP
event manager applet LOOPBACK_SHUTDOWN
arp 155.1.146.4 0007.ebde.5622 arpa event cli pattern ".*interface Loopback.*" sync yes
Only allow IPs out of ACL 6 to update the Interfaces using Interface Events - None (event manager run)
- Watchdog periodic timer events
action 1.0 cli command "enable"
local clock: inteface FastEthernet 0/0 action 1.1 cli command "configure terminal"
Access Control NT
Pl
oc
RARP no shutdown
Background info:
Event subscribers action 1.2 cli command "$_cli_msg"
ntp access-group peer 6 To ally u ip rarp-server 155.1.146.1 - start with an action keyword action 1.3 cli command "shutdown"
up ses
da -TCL scripts
te 127.
it s 1
access-list 6 permit 150.1.6.6 clo 27.7
ck .1 tftp-server flash:r4-confg
access global variables via
access-list 6 permit 127.127.7.1 tftp-server flash:network-confg event manager environment
http://www.flashcardguy.ch
ip dhcp pool POOL Don’t waiste time!
network 172.16.0.0 /16
default-router 172.16.0.1
BFD Version 0 and therefore does not use the echo mode When ever you see this while 1. Copy the entire config into Notepad and
reload the box.
System
domain-name cisco.com doing a write memory
disable BFD echo mode without asymmetry—no echo 2. once reloaded, paste the config back
dns-server 172.16.1.102 172.16.2.102 packets will be sent by the router, and the router will not
Or on.
DHCP address pool with lease 30 Disabling BFD Echo Mode Without forward BFD echo packets that are received from any copy running-config startup-config: ------------------------------------------------------
neighbor routers.
secondary subnets: network 172.16.1.0 /24 secondary Asymmetry Your proctor has been doing this to you:
override default-router 172.16.1.1 conf t n fig
end write memory ed co
no bfd echo SW4#write memory o sav
conf t first t
startup-config file open failed (Not enough space) g
network 172.16.2.0 /24 secondary confi
boot config-file flash:/ d the re
override default-router 172.16.2.1 pointe he
end Then into now
file
The task says something like, configure The task says, configure clock timezone GMT +8
Subnet allocation Server: “clock timezone GMT +8”
The correct command is:
ODAP Subnet allocation ip dhcp pool VRF-POOL
conf t
vrf RED And this happens: Because something is
Server network 172.16.0.0 /16
conf t --------------------------------------------
clock timezone GMT +8 strange you type clock ?
subnet prefix-length 26 Then out of nothing..
R2(config)#clock ?
show Configuring BFD Templates bfd-template single-hop <template-name> <cr>
the “exit” on the next line
appears.
And ip dh
cp po interval min-tx 50 min-rx 50 multiplier 5 R2(config)#clock ? R2(config)#exit
ODAP manager: ol
<cr> The proctor or Narbik is picking on you!!
ODAP manager Config ip dhcp pool usergroup1
R2#sh run | i alias
origin dhcp subnet size initial /26 autogrow /26 R2(config)#exit alias configure clock exit
lease 0 1
R2#
ODAP Subnet 1. Higher priority:
allocation Server
int fa0/x
standby <nr> priority <1-255>
ODAP address pool management show bfd neighbors [details]
How does HSRP elect the active
Troubleshooting BFD
debug bfd packet
Node?
Terminology:
2. If Priorities are even, highest IP address.
debug bfd event
ODAP manager
Default priority 100
ip cef What options are there in regards standby 1 authentication text Cisco
BFD per interface: int fa0/x BFD in an HSRP Network interface Fa0/x
ip address 10.0.0.2 255.255.255.0 bfd interval 200 min_rx 200 multiplier 3
to HSRP authentication? standby 2 authentication md5 key-string HSRP
bfd interval 50 min_rx 50 multiplier 5 standby 1 ip 10.0.0.11
standby 3 authentication md5 key-chain CHAIN
BFD for static routes: ip route static bfd fa0/0 10.0.0.1 group GRP-1 {passive}
standby 1 preempt
standby 1 priority 110
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Colin
http://www.flashcardguy.ch
R3 R6 DHCP srv
1.1.1.1 Serial
Your IP address (YIAddr) First suboption remote-id (0x02) total length 12 (0xC)
interface FastEthernet 0/0
Packet header: Server IP address (SIAddr) DHCP Relay ip helper-address 1.2.3.4 DHCP option 82 Remote-Id TLV (type 0x02 length 0x0A)
Gateway IP address (GIAddr)
Remote-id value 10 bytes,
Client Hardware Address (CHAddr)
Server Name (Sname) Next suboption is 0x06 length 0x06
Boot File Name (128 bytes)
ASCI Value
Vendor-Specific Area (variable size) / allows more options
lease 0 12
2e36.3261.302d.4661.
302f.30 ARP ip dhcp pool R1_HOST
update arp
cp
ip dhcp pool R1_HOST interface fa0/0.146
dh
no ip bootp server Ignore BOOTP host 155.1.146.1 255.255.255.0
ss
arp authorize
dre /
ip ess
client-identifier 0063.6973.636f.2d30.3031.3…….
arp timeout <seconds>
no addr
ad
ip dhcp database flash:/bindings arp probe interval <sec> count 15
ip
Serial Assigns R1s
R1 R3 ip sla 2
PPP IP via IPCP
tcp-connect 54.1.1.254 23 control disable
R6#show ip dhcp pool
R3: timeout 5000
interface Serial 1/2
Pool VLAN146 :
Utilization mark (high/low) : 100 / 0 R1:
encapsulation ppp
ip sla schedule 2 life forever start-time now
Help me create more flashcards:
ip address 155.1.13.3 255.255.255.0
Show ip dhcp pool Subnet size (first/next) :0/0
DHCP on-Demand interface Serial 0/1 peer default ip address 155.1.13.1
Total addresses
Leased addresses
: 254
:0
encapsulation ppp ppp ipcp mask 255.255.255.0
ip address negotiated ppp ipcp dns 155.1.146.4 155.1.146.6 IP SLA
Output: Pending event : none Pool ppp ipcp mask request no peer neighbor-route
ppp ipcp dns request
1 subnet is currently in the pool :
Current index IP address range Leased
no peer neighbor-route ip sla monitor 2
type tcpConnect dest-ipaddr 54.1.1.254 dest-port 23 control disable
Simply press this button and send me your
timeout 5000
addresses
155.1.146.1 155.1.146.1 - 155.1.146.254 0
ip dhcp pool ODAP_POOL
import all
R1 imports DHCP infos
via IPCP from R3
credit cards regards!
origin ipcp ip sla monitor schedule 2 life forever start-time now
(RIP functional via
router rip DHCP received IP)
no validate-update-source
interface Serial 1/2 track 1 rtr 2 show track 1
R1:
encapsulation ppp
ip address 155.1.13.3 255.255.255.0
delay down 15 up 10 Track 1
Response Time Reporter 2 state
Ranging 5 bucks to unlimited!
interface Serial 0/1 peer default ip address 155.1.13.1 track 2 rtr 3 State is Up
encapsulation ppp ppp ipcp mask 255.255.255.0 1 change, last change 00:05:10
R6#show ip dhcp database
ip address negotiated ppp ipcp dns 155.1.146.4 155.1.146.6 track 3 list boolean and Delay up 10 secs, down 15 secs
URL : flash:/bindings
Read : Never DHCP on-Demand ppp ipcp mask request
ppp ipcp dns request
no peer neighbor-route object 1
object 2
Latest operation return code: OK
Latest RTT (millisecs) 16
Written : Never no peer neighbor-route Tracked by:
http://www.flashcardguy.ch
Ve
R1# rs 204.12.1.1-.253
interface FastEthernet 0/0.146
standby 146 ip 155.1.146.254
standby 146 timers 1 3
UD 224. ion 1
P p 0.0
ort .2
19
85
track 16 rtr 99
ip sla monitor 99
155.1.x.x
inside outside
Services
type tcpConnect dest-ipaddr 54.1.1.254 dest-port 23
standby 146 preempt ip nat pool VLAN43 204.12.1.1 204.12.1.253 prefix-length 24
control disable
standby 146 authentication md5 key-string CISCO timeout 5000
standby 146 name VLAN146 ip access-list extended NAT_TRAFFIC
standby 146 priority 110 sta Router Redundancy ip sla monitor schedule 99 life forever start-time now
permit ip 155.1.0.0 0.0.255.255 any
HSRP 2
nd
by interface Gi 0/0 Basic NAT
R2#
interface FastEthernet 0/1
UD 24.0 vers
P p .0.1 ion
or 0 2 2
and Object Tracking standby 146 track 16 decrement 20
ip nat inside source list NAT_TRAFFIC pool VLAN43
Authentication MD5, key-string 10 is going invalid. Pro Inside global Inside local Outside local Outside global
Preemption enabled described The metric has then to go below 20 to become icmp 54.1.1.7:3 155.1.146.1:3 212.18.1.1:3 212.18.1.1:3
Output: Active router is 155.1.146.6, priority 110 (expires in 2.164 active again. (Hysteresis) verification --- 54.1.1.7 155.1.146.1 --- ---
sec) icmp 54.1.1.6:3 155.1.146.4:3 212.18.1.1:3 212.18.1.1:3
Standby router is local --- 54.1.1.6 155.1.146.4 --- ---
Priority 100 (default 100)
IP redundancy name is "VLAN146" (cfgd)
http://www.flashcardguy.ch
R6 7.7.7.7 NAT direction is always “inside” for NVI based NAT
150.1.1.1
inside
54.1.1.6
outside
54.1.1.254
7.7.7.7
inside
inside
routing lookup is always performed before the translation
after routing, packet source is translated Services
How to troubleshoot 155.1.4.4
1.1.1.2
1.1.1.1
outside Ser0/0
2.2.2.1 2.2.2.2
R2
interface Serial 0/1/0
ip nat enable
To
ver
1.1.1.2 2.2.2.2
i fy N
NAT Interface is 54.1.1.6 1.1.1.7 2.2.2.7
1.1.1.7
NAT
2.2.2.7
NAT interface FastEthernet 0/0 VI
R1 inside R5 outside R2
10.0.0.1/24 R1
1.1.1.1 2.2.2.1
10.0.0.2/24
1.1.1.2NAT to 2.2.2.2 Once R1 opened a
AT n
1:1 NAT
r N io
2.2.2.9 1:1 NAT session outbound,
di p t
interface FastEthernet 0/0
10.0.0.0/24 to
Bi sy o
1.1.1.15 Reachable via 10.0.0.0/24 to R3 received NAT addr, R3
Reachable via ip nat inside
NAT to 2.2.2.9 from R2 66.0.0.0/24 can connect to R1's NAT
Ea
1.1.1.15 from R1 55.0.0.0/24
Troubleshooting debug ip nat detail NAT with Advertise 55.0.0.0 Advertise 66.0.0.0
interface Serial 0/1/0
ip nat outside
addr from the outside
Solution 2: NAT only on R2 performed, NO config on R1. internaly to 22.0.0.0. match ip address INSIDE_HOSTS
id
to 11.0.0.0/24
match interface Serial0/1/0
ts
R1 inside R5 outside R2
R1 inside R5 outside R2
172.16.0.2 R2 155.1.0.1
1.1.1.1 2.2.2.1 155.1.0.2
1.1.1.1 2.2.2.1 1.1.1.2 2.2.2.2
1.1.1.2 2.2.2.2 show ip snat distributed verbose
2.2.2.99 8023 10.0.0.35 NAT NAT 155.1.0.3
2.2.2.99 8023 t Stateful NAT Connected Peers
t telne Clients
outside inside Things that did not work in the lab:
telne SNAT: Mode BACKUP
R5#
TCP Load telnetting to 155.1.58.55
R2#
Stateful NAT with : State READY
: Local Address 155.1.146.4 Stateful NAT prim backup or Redundancy
Static PAT
ip nat inside source static tcp 1.1.1.2 23 2.2.2.99 8023
Distribution with NAT ip nat pool ROTARY prefix-length 24 type rotary
address 155.1.0.1 155.1.0.1 Primary/Backup : Local NAT id 2
address 155.1.0.2 155.1.0.2 : Peer Address 155.1.146.6
address <start-ip> <end-ip> Overlapping
R2# telnet 2.2.2.99 8023
: Peer NAT id 1
Login Prompt of R1
(Rotary NAT) ip access-list extended LOAD_BALANCE Verification: : Mapping List 1
permit tcp any host 155.1.58.55 eq telnet
Stateful with HSRP
: InMsgs 15, OutMsgs 0, tcb 0x650FE6E0,
Telnet R2 to 2.2.2.99 8023 forwards to 1.1.1.2 23 (R1) listener 0x650FE22C
ip nat inside destination list LOAD_BALANCE pool ROTARY
through R5
ip alias 155.1.58.55 23
addresses R5#
Distribution with NAT 155.1.0.3 NAT
outside
NAT
inside
155.1.0.3 mapping-id 1 mapping-id 1
Help me create more flashcards:
ip nat inside source static tcp 1.1.1.2 23 2.2.2.99 8023 Clients
telnetting to 155.1.58.55
Primary/Backup R4 & R6
show ip alias
Interface 2.2.2.1 tcp 155.1.58.55:23 155.1.0.3:23 155.1.58.8:147 155.1.58.8:147
Config: ip nat inside source list NAT_LIST pool SHARED_POOL credit cards regards!
Dynamic 2.2.2.99 mapping 1
Output:
ip route 155.1.254.0 255.255.255.0 Null 0
R1 inside R5 outside R2
1.1.1.2
1.1.1.1 2.2.2.1
2.2.2.2
interface FastEthernet 0/0.146
standby 146 ip 155.1.146.254
R6#show ip snat distributed verbose
Ranging 5 bucks to unlimited!
2.2.2.99 8023 standby 146 timers 1 3 Stateful NAT Connected Peers
R5: Stateful NAT with standby 146 name VLAN146 R1 Stateful NAT with SNAT: Mode IP-REDUNDANCY :: ACTIVE
ip nat inside source static tcp 1.1.1.2 23 2.2.2.99 8023 ip nat stateful id 1
extendable no-alias
HSRP redundancy VLAN146 HSRP : State READY
Static NAT R5 does not respond to the ICMP echo packets mapping-id 1
R1
: Local Address 155.1.146.6
: Local NAT id 1
since it has no local alias for the NAT address ip access-list standard NAT_LIST : Peer Address 155.1.146.4
and IP Aliasing (SNAT) permit 155.1.0.0 0.0.255.255 (SNAT) : Peer NAT id 2
show ip aliases : Mapping List 1
ip nat pool SHARED_POOL 155.1.254.1 155.1.254.254 prefix-
Address Type IP Address Port length 24 : InMsgs 4, OutMsgs 0, tcb 0x44C999F8, listener
Interface 1.1.1.1 config ip nat inside source list NAT_LIST pool SHARED_POOL verification 0x0
Thanks for appreciating my efforts
Interface 2.2.2.1 mapping 1 o
Interface 2.2.2.99 ct t
ip route 155.1.254.0 255.255.255.0 Null 0 inje
d to ing
e t
Us rou
Colin
http://www.flashcardguy.ch
inside outside
1.1.1.1
R1 R5 R2
access-list 10 permit 155.1.58.100
Services
R3
192.168.0.20 access-list 20 permit 155.1.58.0 0.0.0.255
192.168.0.99
Static Extendable R5# ip wccp version 2
ip wccp 50 group-address 224.0.1.100 redirect-list 20
ip nat inside source static 1.1.1.1 192.168.0.20 extendable
ip nat inside source static 1.1.1.1 192.168.0.99 extendable TCP Optimization ?????? WCCPv2 Services group-list 10
NAT R5#show ip nat translations
password CISCO
Pro Inside global Inside local Outside local Outside global
--- 192.168.0.20 1.1.1.1 --- --- interface FastEthernet 0/0
--- 192.168.0.99 1.1.1.1 --- --- ip wccp 50 redirect in
ip wccp 50 group-listen
R2 or R3 can either Access R1 via 192.168.0.20 or
192.168.0.99
Accounting Input
Precedence 0: 5 packets, 520 bytes
Event Timers (current time is 0x1080595):
Timer
Retrans
Starts
6
Wakeups
0
Next
0x0
Discovery ip nbar custom TEST 0 ascii A destination tcp 3001
Match ASCII “A” in the beginning of a TCP segment flowing to
Precedence 3: 5 packets, 520 bytes the destination port 3001.
TimeWait 0 0 0x0
Precedence 6: 53 packets, 4304 bytes AckHold 3 1 0x0
Output SendWnd 0 0 0x0 show ip nbar port-map
Precedence 0: 7 packets, 608 bytes KeepAlive 0 0 0x0
Precedence 3: 5 packets, 520 bytes GiveUp 0 0 0x0 show ip nbar protocol-discovery
PmtuAger 0 0 0x0
Precedence 6: 24 packets, 7936 bytes show ip nbar protocol-discovery protocol TEST
DeadWait 0 0 0x0
ip flow-capture vlan-id (collect VlanIDs)
ip accounting-threshold 4096 service udp-small-servers ip flow-capture icmp (collect ICMP too)
Limit database to 4096 entries service tcp-small-servers ip flow-export version 5
ip finger ip flow-export destination 155.1.146.100 9999
IP Output Packet ip accounting-transits 1
Set number of packets to 1 for any packets, not
Netflow Ingress & ip flow-export version 5 origin-as
ip flow-cache entries 4096 (DB max entries)
Accounting matching the accounting list (first packet of flow only) IOS Small Services & TCP to port 7: echo’s all characters sent back to prompt
Egress interface Serial 0/0/0
ip accounting-list 155.1.0.0 0.0.255.255 Finger TCP to port 9: blackhole, nothing comes back
ip flow ingress
Config: Only account for packets going to 155.1.0.0/16 TCP to port 13: receive Date and Time, exists session Version 5
Ingress: including the packets destined to the router
interface FastEthernet 0/0 TCP to port 19: CHARGEN, does not stop! itself, applied before ACLs and rate-limiting
ip accounting output-packets Egress: does not include packets originated from the
TCP to port 79: list of currently logged in Users router itself (used with MPLS, monitor leaving untagged traffic)
155.1.58.0/24 R2
R1#show ip accounting ip flow-top-talkers
Source Destination Packets Bytes R1 Fa0/0 S0/0 top 10
155.1.146.4 155.1.13.3 2 200 HLPr
R3 sort-by packets
155.1.13.3 155.1.146.4 2 200 Ping 155.1.58.255
155.1.146.6 155.1.13.3 20 2000 255.255.255.255 match source address 155.1.0.0 255.255.0.0
IP Output Packet 155.1.13.3 155.1.146.6 20 2000
R2#
match protocol 1
R1#
no ip forward-protocol udp tftp
no ip forward-protocol udp time Netflow Top Talkers Showing top talkers for ICMP
clear ip accounting
& UDP Forwarding no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
traffic of hosts in 155.1.0.0/16
Show output: (stores the old accounting database into a checkpoint)
no ip forward-protocol udp tacacs
interface Serial 0/0
(overrides the default
of generating a
ip helper-address 155.1.58.255 255.255.255.255,
Checkpoint can be retrieved by: sending to 155.1.58.255 R4#show ip flow top-talkers
interface FastEthernet 0/0 instead) SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
show ip accounting checkpoint ip broadcast-address 155.1.58.255 Et0/1 155.1.146.1 Et0/0 30.0.0.1 01 0000 0800 50
ip directed-broadcast
p
interface Serial 0/0/0 dr
no ed
ip access-group 101 in ip
or Ls!
key chain DRP ow Simply press this button and send me your
kw
key 1 Version 8 Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
R6#show ip accounting access-violations
key-string CISCO Null 204.0.0.0 /8 0 1 1 44 0.0 credit cards regards!
Source Destination Packets Bytes ACL Gi0/0 204.12.1.0 /24 0 1 28 41 3.7
112.0.0.1 54.1.1.6 5 500 101 access-list 99 permit 155.1.146.0 0.0.0.255 Gi0/1 155.1.146.0 /24 0 1 25 91 3.7
http://www.flashcardguy.ch
ip access-list extended VLAN146 dampening <half-life time> <start using> <start interface GigabitEthernet 0/0/1
Services
permit ip 155.1.146.0 0.0.0.255 any
suppressing> <max suppress duration t> <enable restart
permit ip any 155.1.146.0 0.0.0.255
suppression> <penalty value at restart>
ip dhcp client client-id ascii my-test1
class-map VLAN146 ip dhcp client class-id my-class-id
match access-group name VLAN146 interface Serial 0/0/0 ip dhcp client lease 0 1 0
policy-map NETFLOW_MAP dampening 30 1000 2000 60 restart 2000 ip dhcp client hostname host1
Netflow Input Filters class VLAN146
netflow-sampler NORMAL - after a reload IP is not advertised into IGP for 30 seconds
no ip dhcp client request tftp-server-address
ip address dhcp
class class-default
netflow-sampler SAMPLER
IP Event Dampening DHCP Client options:
- if connection flaps: it does not disappear for more int X
- Every packet is sampled for sources on VLAN 146 than 60 seconds from the routing table no matter
flow-sampler-map NORMAL how much penalty it accumulates no ip address dhcp
mode random one-out-of 1 ip address dhcp
- Other packets should still be randomly sampled
flow-sampler-map SAMPLER To find default values:
mode random one-out-of 10 int X Or
interface Serial 0/0/0 dampening
service-policy output NETFLOW_MAP Do show dampening release dhcp
NAT
ip dns server
ip dns primary cisco.com soa ns.cisco.com ccie.com
terminology: ip dhcp pool pool1
origin dhcp number 3
ip dns primary <domain> soa <primary-srv> <DNS odap client client-id id1 interface gi0/0 target-server
mailbox> <refresh t> <retry t> <Auth expire t> <Min TTL Inside Local 192.168.10.1
IOS Authoritative zone t> IPv4 Address Pool for DMVPN origin dhcp subnet size initial /24 autogrow /24
Inside Global Spokes
DNS Server ip host cisco.com ns 155.1.146.4
(DNS srv local own entry) Outside Global First IP of first pool assigned to interface.
If second pool Is requested, a secondary IP will be created
ip host R4.cisco.com 150.1.4.4 155.1.146.4 155.1.45.4 Outside Local with the first IP address of the second pool on the same
interface.
All IPs which should be resolved to R4.cisco.com
Explained:
R1 R2
ip name-server 155.1.146.4 155.1.146.6 First hop redundancy protocols
1.1.1.1 HSRPv2 224.0.0.102
R2#
service tcp-small-servers Telnet 1.1.1.1 19
ip domain-lookup CHARGEN TCP Port 19
Router as DNS client
ip domain round-robin Using CHARGEN to simulate TCP R1#show tcp brief
TCB Local Address Foreign Address (state)
Using two DNS server in a round- streams: 847557E4 1.1.1.1.19 2.2.2.2.27318 ESTAB
84BDB7A0 1.1.1.1.23 2.2.2.2.44491 ESTAB
robin fashion. ip domain name cisco.com R1#clear tcp tcb 847557E4
complete all unqualified domain-names with the [confirm]
name “cisco.com”. [OK]
R2#
HIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&
IJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&
Connection lost
2.2.2.2 Rack1R1#reload track 4 list threshold percentage
http://www.flashcardguy.ch
R2# R3#
int e0/0
ip address 20.0.0.2 255.255.255.0
vrrp ip 20.0.0.1
int e0/0
ip address 20.0.0.3 255.255.255.0
vrrp ip 20.0.0.1
R5#traceroute 1.1.1.1 numeric
Type escape sequence to abort.
Services
vrrp prio 125 vrrp prio 120 Tracing the route to 1.1.1.1
mac-address 0000.1111.1111 mac-address 0000.2222.2222 VRF info: (vrf in name/id, vrf out name/id)
1.1.1.1/32 1 20.0.0.2 1 msec 0 msec 0 msec
2 12.1.1.1 12 msec * 13 msec
like?
R2# R3# R2# R3#
int e0/0 int e0/0 int e0/0 int e0/0
ip address 20.0.0.2 255.255.255.0 ip address 20.0.0.3 255.255.255.0 ip address 20.0.0.2 255.255.255.0 ip address 20.0.0.3 255.255.255.0
vrrp ip 20.0.0.1 vrrp ip 20.0.0.1 vrrp ip 20.0.0.1 vrrp ip 20.0.0.1
vrrp prio 125 vrrp prio 120 vrrp prio 125 vrrp prio 120
mac-address 0000.1111.1111 mac-address 0000.2222.2222 mac-address 0000.1111.1111 mac-address 0000.2222.2222
1.1.1.1/32
Colin
http://www.flashcardguy.ch
Tool Max Number Classification Tool Max Number Classification
Priority Queuing
(PQ)
of Queue possibilities of Queue
Priority Queuing 4
(PQ)
possibilities
IP ACL
Input interface
Set Mark several fields inside headers
QoS
Fragments
Custom Queuing Bandwith Reserve BW for a class CBWFQ
Custom Queuing 16 IP ACL
(CQ)
(CQ) Input interface
Fragments
QoS
Priority Reserve BW for LLW in CBWFQ
QoS Explained in one picture: Weighted Fair
Queueing (WFQ)
Weighted Fair
Queueing (WFQ) 4096
Automatic, based on
flows, SRC/DST, PORT
action Sub-commands
Class-Based WFQ Shape traffic in class to defined BW, bursts
(CBWFQ)
Class-Based WFQ 64
(CBWFQ)
IP ACL
NBAR Inside a policy map: Police traffic in class to defined BW, bursts
Flows, SRC,DST, Port, Prot
Low Latency
Low Latency N/A IP ACL, NBAR, Flows SRC
Queueing LLQ
Queueing LLQ DST, port, and protocol
Compress performs TCP/RTP header compression/class
Modified Deficit
Modified Deficit 8 IP Precedence
Round-Robin Round-Robin
Delay, Throughput, Reliability, Cost, Unused
- input software queue length of 10 packets
- output software queue length of 30 packets QoS IP Precedence
D T R C
U
Field/Value Binary Name Field/Value Binary Name TOS
QoS - output hardware queue size to 15 packets
Precedence 0 000 Precedence 0 000 Routine
interface FastEthernet0/0
hold-queue 10 in
Precedence 1 001 Precedence 1 001 Priority ToS field explained:
hold-queue 30 out Precedence 2 010 Precedence 2 010 Immediate
Hold-Queue tx-ring-limit 15 Precedence 3 011 Precedence 3 011 Flash IPv4
R1#show interfaces fastEthernet 0/0 | include queue Precedence 4 100 Precedence 4 100 Flash Override Using
and Input queue: 0/10/0/0 (size/max/drops/flushes); Total output
drops: 0
Precedence 5 101 Precedence 5 101 Critic/ECP IP precedence
Tx-Ring Output queue: 0/30 (size/max) Precedence 6
Precedence 7
110
111
Precedence 6
Precedence 7
110
111
Internetwork control
Network Control Or ECT CE
show controllers fastEthernet 0/0 | include tx
tx_limited=0(15) DSCP ECT = 0
ECT = 1, ECN capable
CE = 0
CE = 1, congestion
- input queueing there is just one queue per
interface, size of 75 packets by default Name of DSCP Name of DSCP
(FIFO) Class Selector Binary Precedence Value Class Selector Binary Precedence Value
Default 000000 Default 000000 0
Two output queues by default. CS1 001000 CS1 001000 1
QoS
Input / Output Queuing - first output queue is the “software CS 2 010000 CS 2 010000 2
queue” queuing strategy can be defined. CS 3 011000
(FIFO, WFQ, CBWFQ) CS 4 100000
CS 3 011000 3
L2 markable fields:
explained: CS 4 100000 4
CS 5 101000 CS 5 101000 5
- Second output queue is the transmit ring tx- ISL CoS
ring is always FIFO. CS 6 110000 CS 6 110000 6 802.1Q/P User Priority
CS 7 111000
software output queue only starts to fill up when the CS 7 111000 7
tx-ring is full
bits sent
- Serialization Delay (fixed) Link speed
= msec per packet
- ATM CLP Class 4 AF41 / / AF42 / / AF43 / / Class 4 AF41 / 34 / 100010 AF42 / 36 / 100100 AF43 / 38 / 100110 pre-classify QOS pre-classification
http://www.flashcardguy.ch
Hardware queue
Show controllers serial 0/0 | I tx_
Tx_limited=0(16)
holds 16 packets
0 = queue size not limited
due to a queuing tool
R1#show queue serial 0/0
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output Requires complex classification
WFQ CBWFQ LLQ
Requires complex classification
WFQ
No
CBWFQ LLQ
Yes Yes
QoS
drops: 0
being enabled on
Int ser0/0 Queueing strategy: weighted fair
interface
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Uses MQC Uses MQC No Yes Yes
Priority-group 1
QoS TX ring is 2
Show controllers serial 0/0 | I tx_ (1) =length is automatically
show queue serial 0/0 Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
Prefers low volume, high IPP flows Prefers low volume, high IPP flows Yes not flow based
Tx_limited=1(2) limited as result of queuing Experiences problems with Experiences problems with Yes No* No
Tx_limited=0(x) explained Int ser0/0
configured. Explained: Current WFQ Size / max total = hold queue, global limit of buffers /
Large numbers of flows Large numbers of flows
threshold ??? / count of tail drops
tx-ring-limit 1 Can reserve bandwith per queue Can reserve bandwith per queue No Yes Yes
If active = 0 no conversations / max currently active / absolute max
show controllers serial 0/0 | I tx_ No queuing, but tx limited to
1 packet Reserved conversation == RSVP flow reservation Provide low delay, low jitter queing Provide low delay, low jitter queing No No Yes
tx_limited=0(1)
QoS no
yes
TX ring has
more room - Class-Default configured automatically Bc Commited burst size in bits. Amount of traffic
Packets in - “queue-limit 30” sets maximum queue size to 30 / queue that can be sent over one Tc
Medium this queue? QoS
(PQ) Scheduling Logic no Put packets CBWFQ Drop policy: Tail drop or WRED CIR Commited information rate, in bits/sec
Low Packets in yes Details: Single queue FIFO or WFQ on class-default queue Be Excess burst size in Bits. Number of bits beyond Bc
this queue? can be send after a period of inactivity
Max. Queue length depends on router
Logic explained
In WFQ number of queues changes rapidly. show queue CBWFQ default values: Shaping Q 1
Subint 2
Shape to
64 kbps
Sofware Q 2 AR 128
kbps Simply press this button and send me your
Shaping Q 2
Precedence 7 traffic gets 8 times more bandwith than 0:
(7 + 1) / (0 + 1) = 8
credit cards regards!
Precedence 3 traffic gets 4 times more bandwith than 0:
(3 + 1) / (0 + 1) = 4
http://www.flashcardguy.ch
Bc tokens placed in TCP Flags:
token bucket
1 byte = 1 token
If 128Kbps policed,
Spilled over
from Bc to Be
000
0
0
Reserved: not set
Nonce: not set
Congestion Window Reduced (CWR): not set
QoS
1 ECN-Echo: set
QoS Every second 16000 Bc 0 Urgent: not set
bytes are refiled conform Overview of Single-rate two-color policing single token bucket conform/exceed QoS 1 Acknowledgement: Set
After 0.1 sec 1600 Single-rate three-color policing two token buckets conform/exceed/ 0 Push: not set
Dual Token Bucket bytes/tokens refilled violate 0 Reset: not set
into Bc bucket Single-rate / Dual-rate Which TCP Flags can be used for 0 Syn: not set
Be Dual-rate three-color policing two token buckets PIR, CIR rates
cn
exceed 0 Fin: not set
Two/three color policing congestion avoidance:
te
ec
(single rate)
et
R1-config#ip tcp ecn
-d
violate
om
nd
If bytes of incoming packet <= Bc = conforms show tcp tcb 123456A |i ECN
ra
Connection is ECN Enabled
D:
If bytes of incoming packet <= Be = exceeds
RE
W
If bytes of packet greater than Bc+Be = violates debug ip tcp ecn
- two sending rates, but only guarantee the smaller one TCP Flags:
Tc, Bc, as with Single Rate Type of Policing signs in the police defaults 000 Reserved: not set
Type of Policing signs in the police defaults
Configuration command 0 Nonce: not set
- Peak Information Rate (PIR): maximum sending rate. Configuration command
0 Congestion Window Reduced (CWR): not set
Bursts that exceed CIR but remain under PIR are allowed.
QoS May be marked for more aggressive discarding. Single Rate Single Rate No violate action Bc = CIR/32 QoS ….
1 ECN-Echo: set
Single bucket Single bucket No Be, No PIR
- Be: maximum size of the packet burst, accepted to
Two color Two color configured Be = 0 - initial TCP SYN handshake includes the addition of
sustain in the PIR rate
ECN-echo capability and Congestion Window
Dual Token Bucket
PIR
Single Rate Single Rate No PIR configured Bc = CIR/32 TCP ECN / CWR Flag Reduced (CWR) capability flags to negotiate
Dual bucket Dual bucket violate-action and capabilities.
Three color Three color or Be configured Be = Bc - When the TCP sender receives a packet with the ECN-
(dual rate) CIR
Dual Rate Dual Rate PIR configured Bc = CIR/32 Explained: echo flag set in the TCP header, the sender will adjust
its congestion window as if it had undergone fast
Dual bucket Dual bucket recovery from a single lost packet.
Three color Three color Be = PIR/32 - Next sent packet will set the TCP CWR flag, to indicate
No Change Discard,
modifications markings violates PIR to the receiver that it has reacted to the congestion
Discard
Line Rate Line Rate Percentage
Average 100%
Rate Global TCP
Average
Rate
QoS
Synchronisation
10%
Time Time WRED configuration: Maximum Discard
Percentage (1/MPD) Average
Shaping and latency-sensitive
traffic:
If you are sending latency-sensitive traffic, you should set
Bc to drive the calculation of Tc down to 10 msec! ? Class based with graph:
(1/10 = 10%) 20 40
Minimum Maximum
Queue Depth
http://www.flashcardguy.ch
60 byte
1500 byte packet 1500 byte packets SW2#show mls qos map cos-dscp
QoS
packet
arrived, followed Cos-dscp map:
Fragment by 60 byte cos: 0 1 2 3 4 5 6 7
If > 300
--------------------------------
QoS dscp: 0 8 16 24 32 40 48 56 Codec speech samples Voice Packets/ Total Bandw. Codec speech samples Voice Packets/ Total Bandw.
Classify per packet Payload Second Per Call per packet Payload Second Per Call
QoS Into Queues
show mls qos map cos-dscp SW2(config)#mls qos map cos-dscp 0 8 16 26 32 46 48 56 G.711 G.711 20 ms 160 bytes 50pps 80 kbps
Small G.711 G.711 30 ms 240 bytes 33pps 74 kbps
Queue 1
MLP LFI Queuing packet
G.729 G.729 20 ms 20 bytes 50pps 24 kbps
Modification and SW2#show mls qos map cos-dscp
Cos-dscp map: G.729 G.729 30 ms 30 bytes 33pps 19 kbps
Queue 2 Frag 4 Frag 3 Scheduler
Output: cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 26 32 46 48 56
TX ring Frag 1 Frag 2
un ck S
A irec ma /DS
fair-queue 16 128 8
pa
id ets RC
co tio tc T
nv n hi , P
You want a maximum serialization delay of 10 ms:
er al ng ort
Queue length:
st se th s
SW2#show mls qos interface fa0/1
at qu e
16 congestive discard threshold
io e s
Max-delay in 0.x seconds * bandwith in bits = frag size FastEthernet0/1
QoS
n nc am
128 number of conversations (flows)
QoS
is e e
QoS QoS is disabled. When QoS is enabled, following settings
a of
8 reserved converstations for RSVP
Bandwith = configured value with the bandwith command. will be applied
trust state: not trusted Tx ring as small as possible to trigger
MLP LFI ppp multilink fragment delay X trust mode: not trusted WFQ more quickly to kick in. R
show mls qos interface X trust enabled flag: ena tx-ring-limit 1
ese
contr rved Que
Example: COS override: dis Weighted Fair ol-p laneue su
and L sed for
traffic 2 keepali
Calculation fragment size / default COS: 0 interface Serial0/1/0 ve
maximum delay
56Kbps with 10 ms delay makes fragment sizes of 70 bytes: Output: DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
Queuing (WFQ) clock rate 128000
bandwidth 128
56000 bit * 0.1 sec = 560 bits/10 msec or 70 bytes/10msec qos mode: port-based tx-ring-limit 1
fair-queue 16 128 8 Hold-queue (Q length default
hold-queue 256 75, up to 4096)
til
ip mtu 156
(v
QoS in n PQ
mls qos trust [x, y]
o
mls qos trust device cisco-phone used with Bitrate of link * time-limit in msec = bit/sec
eu
! Configure on each interface of MLP bundle 128000 bits / sec * 0.010 = 1248 bits/sec
n
gi
http://www.flashcardguy.ch
flow-based RED:
access-list 100 permit tcp 155.1.146.0 0.0.0.255 eq www any
access-list 101 permit icmp any any
- maximum number of flows to 16
- average flow depth scale factor to 2
- FIFO queue depth to 10 packets
QoS
interface Serial0/1/0
bandwidth 128
Legacy Custom queue-list 1 protocol ip 0 udp 520
queue-list 1 protocol ip 1 lt 65
queue-list 1 protocol ip 2 list 100 Legacy Flow-Based average queue size per flow, Avg=Q/N. (queue size
Legacy RTP max-reserved-bandwidth 100
Queueing with queue-list 1 protocol ip 3 list 101 Q divided by number of currently active flows)
ip rtp reserve 16384 16383 128 queue-list 1 default 3
Random Early interface Serial0/1/0
Reserved Queue Prioritization
queue-list 1 queue 3 limit 10
queue-list 1 queue 1 byte-count 320 random-detect
th y nt
Configure IP SLA sourcing G.729
w to tel rta
priority-list 1 protocol ip high udp rip
xt
flo es ple po
R2#
ne
priority-list 1 protocol http normal
nt ov m im
like packet stream.
e
rtr responder
rta t m co st
priority-list 1 protocol ip medium list 102
po e i ow o
ip sla responder Configuration:
im for c fl e m
priority-list 1 protocol ip low list 103 diagram
be affi s th
responder oIP priority-list 1 queue-limit 5 40 60 80
for V
tr nd
ful
elp
se
ery h nts interface Serial 0/1/0
not v eployme
d priority-group 1
Mon SRC
R4#show queueing interface serial 0/1/0 Rack1R4#show interfaces s0/1/0 - enable selective packet discard in aggressive mode
Interface Serial0/1/0 queueing strategy: fair Serial0/1/0 is up, line protocol is up - increase input queue
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output
drops: 18748
Legacy Priority …..
Queueing strategy: priority-list 1
- set memory headroom for IGP packets to 150 Buffers
- set headroom for BGP packets should be set to 120
Queueing strategy: weighted fair
WFQ Output queue: 4/1000/64/18748 (size/max total/threshold/ Queueing Output queue (queue priority: size/max/drops):
high: 0/5/0, medium: 0/40/0, normal: 0/60/18754, low: 0/80/0
packets
- Start dropping low-priority packets randomly when the
drops) input queue is 50% full
Conversations 1/3/32 (active/max active/max total) ---------------------------------------------------------------------------------------- Selective Packet
h
show queueing int serial X
/0 2 = m hig
Reserved Conversations 0/1 (allocated/max allocated) access-list 102 permit udp any any range 16384 32767 spd extended-headroom 150 IGPs initialy land here
= no ed
lo rm
Discard
l 0 /1 /0 1 =
Available Bandwidth 128 kilobits/sec access-list 103 permit icmp any any spd headroom 120 BGP initialy lands here
ria l 0 /1 0 0
w
3 =
show interface X
se ria l 0 1/
priority-list 1 protocol ip high udp rip ip spd mode aggressive
e se ia l 0/
(depth/weight/total drops/no-buffer drops/interleaves)
/1 /0
priority-list 1 protocol http normal
Output: ip spd queue max-threshold 150 om
eu e ser ria
4/16192/0/0/0 ro
qu ueu ue se
priority-list 1 protocol ip medium list 102 ad the
ip spd queue min-threshold 75 He
ow q ue ue
Conversation 20, linktype: ip, length: 118 priority-list 1 protocol ip low list 103 e
ed or e
sh how w q ue
nd bef ueu
source: 150.1.6.6, destination: 155.1.108.10, id: 0x4A59, ttl: Output: priority-list 1 queue-limit 5 40 60 80
s ho w q
interface FastEthernet 0/0 xte ied Q
254, D E mpt oom
s ho
interface Serial 0/1/0 P
S is e adr
s
TOS: 32 prot: 6, source port 19, destination port 40966 priority-group 1 hold-queue 150 in
Q d he
sp
output
Destination to Source Jitter Min/Avg/Max: 0/1/12 ms
Packet Loss Values Early Detection hold-queue 10 out
Max threshold pkts
Input queue: 0/150/0/0 (size/max/drops/flushes); Total
output drops: 0
Loss Source to Destination: 0 Loss Destination to Source: 0 Min threshold pkts …
Out Of Sequence: 0 Tail Drop: 0 Packet Late Arrival: 0 Precedence show ip spd R1#show ip spd
Voice Score Values R4#show interfaces serial 0/1/0 Current mode: normal.
Calculated Planning Impairment Factor (ICPIF): 11 ... Queue min/max thresholds: 75/150, Headroom: 120, Extended
MOS score: 4.06 Queueing strategy: random early detection(RED) Headroom: 150
Number of successes: 13
...
Output: IP normal queue: 0, priority queue: 0.
... SPD special drop mode: aggressively drop bad packets
Compression on
...
IP RTP Priority feature differs from the Output queues: (queue #: size/max/drops) Encapsulation PPP, LCP Open
Prioritization IP RTP Reserve in that the priority queue has a 0: 0/20/0 1: 0/20/0 2: 0/20/18754 3: 0/10/0 4: 0/20/0 Open: IPCP, CCP, CDPCP, loopback not set
WFQ weight of zero, meaning that the WFQ always
services it first.
using show interface X 5: 0/20/0 6: 0/20/0 7: 0/20/0 8: 0/20/0 9: 0/20/0
10: 0/20/0 11: 0/20/0 12: 0/20/0 13: 0/20/0 14: 0/20/0 Serial Links interface Serial1/3 interface Serial1/3 Simply press this button and send me your
15: 0/20/0 16: 0/20/0 encapsulation hdlc encapsulation hdlc
ip rtp priority <Starting UDP Port> <Port Range> 5 minute input rate 0 bits/sec, 0 packets/sec compress stac compress stac
on by
credit cards regards!
<Bandwidth> Output: 5 minute output rate 0 bits/sec, 0 packets/sec
k co m
pressi k, and
n
….. show compress Chec over the li mer
Queue Number pingin g RT ti
T
ip rtp priority is policing <bandwith> h the
watc
- VoIP traffic should be guaranteed 30% - VoIP traffic should be guaranteed 30%
- File transfers from Vl146 60%
- remaining 10% for ICMP, should not exceed 10 pkts in any QoS - File transfers from Vl146 60%
- remaining 10% for ICMP, should not exceed 10 pkts in any
- maximum of 16 concurrent RTP and TCP sessions
- R5 only optimizes if it detects optimized traffic from R4 Ranging 5 bucks to unlimited!
queue in any time.
queue in any time.
- RIP packets in system prio Q R4 R5
- RIP packets in system prio Q active
sh passive
o
access-list 100 permit tcp 155.1.146.0 0.0.0.255 eq www any sh w ip
R4#show queueing custom ow t
access-list 101 permit icmp any any
Legacy Custom Current custom queue configuration: interface Serial0/1/0
ip cp h
rtp ea
pa ss che
ip tcp header-compression ad -c
et an in
er- om
m
queue-list 1 protocol ip 1 lt 65
Queueing
s 6 qu
Queueing queue-list 1 protocol ip 3 list 101 1 3 default Header Compression ip rtp header-compression res ion
a tes 1
sio
si
http://www.flashcardguy.ch
R5#show ip tcp header-compression - set total size of MQC buffer to 512
TCP/IP header compression statistics:
Interface Serial0/1/0 (compression on, VJ, passive)
Rcvd: 94 total, 93 compressed, 0 errors, 0 status msgs
- Traffic up to 256Kbps should be marked with an
IP precedence of 1
- http from vlan 146 with IP Prec 0 should be guaranteed 32Kbps
- Limit FIFO Q for http to 16 pkts, IP Prec 0 traff to 24 pkts
- all other traffic run WFQ, dynamic flows start dropping if they
QoS
Generic TCP/UDP 0 dropped, 3 buffer copies, 0 buffer failures
Sent: 96 total, 93 compressed, 0 status msgs, 0 not
QoS - Exceeding traffic should be marked with an IP
precedence of 0 QoS reach 32 packets
- use average traffic burst size of 4000 bytes
Header Compression predicted
3243 bytes saved, 677 bytes sent
policy-map SERIAL_LINK
class VOICE
5.79 efficiency improvement factor interface Serial 0/1/0
Connect: 32 rx slots, 32 tx slots,
1 misses, 0 collisions, 0 negative cache hits, 32 free
Legacy CAR for access-list 111 permit ip host 155.1.146.1 any
MQC Bandwidth class HTTP
bandwidth 32
bandwidth 128
max-reserved-bandwidth 100
show ip tcp header-compression queue-limit 16
contexts
98% hit ratio, five minute miss rate 0 misses/sec, 0 max Admission Control interface FastEthernet0/1 Reservations and class SCAVENGER
no fair-queue
hold-queue 512 out
rate-limit input access-group 111 256000 4000 bandwidth 32
output show ip tcp header-compression serial 0/1/0 detail
IP source: 150.1.4.4, IP destination: 155.1.45.5 ( Designed for packet remarking / policing ) 4000 conform-action set-prec-transmit 1 CBWFQ queue-limit 24
class class-default O in
stea
d WF
e FIF -default
Q:
- maximum serialization delay is 10ms access-list 111 permit ip host 155.1.146.1 any
- bandwidth of the link is 128Kbps.
- Encapsulation ppp interface FastEthernet0/1
- PPP multilink with interleaving
interface Virtual-Template1
QoS rate-limit input access-group 111 256000 4000
4000 conform-action set-prec-transmit 1
bandwidth 128 exceed-action set-prec-transmit 0
Virtual-Access2, bundle name is R5 Oversubscription access-list 111 permit ip host 155.1.146.1 any
access-list 116 permit ip host 155.1.146.6 any
128 set prec 0,
over 128 drop
QoS Endpoint discriminator is R5 interface FastEthernet0/1
Bundle up for 00:18:36, total bandwidth 128, load 190/255
with Legacy CAR and rate-limit input access-group 111 64000 3200 3200 conform- CBWFQ weight / conversation
Receive buffer limit 12192 bytes, frag timeout 1000 ms action set-prec-transmit 1 exceed-action continue
Interleaving enabled rate-limit input access-group 111 128000 3200 3200 conform- numbers:
show ppp multilink 0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
WFQ action set-prec-transmit 0 exceed-action drop
rate-limit input access-group 116 64000 3200 3200 conform-
0/0 discarded fragments/bytes, 0 lost received action set-prec-transmit 1 exceed-action continue Constant:
Output: 0x7EC3 received sequence, 0xFC9C sent sequence
Member links: 1 (max not set, min not set)
- 64Kbps that R4 receives from R1 and R6 rate-limit input access-group 116 128000 3200 3200 conform-
action set-prec-transmit 0 exceed-action drop
- Traffic from R1 and R6 should be allowed up to
Se0/1/0, since 00:18:34, 160 weight, 152 frag size interface Serial 0/1/0
128Kbps each total If R1 and R6 transmit,
No inactive multilink interfaces fair-queue
- Traffic above 128Kbps should be dropped clock rate 128000 share 128K at 64/64
- Averaging time interval of 200ms.
policy-map SERIAL_LINK If h
- limit the rate of packets going towards R4’s - rate limit packets going out to MAC address X of ttp
i
99.99.99.0/24 to 128Kbps MAC-ACL class VOICE con sha s not
ges re, u
- Shaping interval of 10msec, disable extended burst - rate-limite packets towards X having IPPrec set to 1,2,4 ti du sing
QoS priority 27 cou on, s ring its
- Limit shapers queue size to 1024 packets to 256Kbps ld u cave
class HTTP
QoS access-list 199 permit ip any 99.99.99.0 0.0.0.255 QoS access-list rate-limit 100 000d.2846.8f21 bandwidth remaining percent 33
s it nge
. r
Help me create more flashcards:
Legacy Generic interface FastEthernet 0/0 interface FastEthernet 0/0 MQC LLQ and class SCAVENGER
bandwidth remaining percent 33
rate-limit output access-group rate-limit 100 128000
traffic-shape group 199 128000 1280 0 1024
Traffic Shaping Legacy CAR Access-
8000 8000 conform-action transmit exceed-action
drop
Remaining (if there are 32 (25) dynamic
queues, then the LLQ conversation is number 40,
(1280*8)/128000 = 0.08 sec binary 1 means to Bandwidth Simply press this button and send me your
config Lists access-list rate-limit 0 mask 16 check, binary 0 ignore
weight value of 0, is serviced first)
Q!
traffic-shape rate <CIR> <Bc> <Be> <QueueLimit>
interface FastEthernet 0/0.67 0x16 (00010110)
Reservations credit cards regards!
g WF
traffic-shape group <ACL> <CIR> <Bc> <Be> <QueueLimit> HDLC overhead of 7 bytes, 60 bytes of layer 3 VoIP Payload
sin rate-limit output access-group rate-limit 0 128000
uler u
= 27 Kbps
Sched
8000 8000 conformaction (67 bytes/packet * 50 packets/second * 8 bits/byte = 26800bps)
show traffic-shape transmit exceed-action drop
start dropping packets when average queue size is
access-list 199 permit ip any 99.99.99.0 0.0.0.255 - Http from vlan 146 marked with IP Prec 2
interface FastEthernet 0/0
- VoIP range 16384-32767 packet size <60 byte marked EF
between 4-16
drop 1 of 4 packets when queue size reaches the max
Ranging 5 bucks to unlimited!
- ICMP packets >1000 bytes should be dropped
traffic-shape group 199 128000 1280 0 1024 - All other incoming with Prec 0 to be marked with 1 policy-map SERIAL_LINK
QoS
e r
class HTTP
eu pe
ip access-list extended HTTP
QoS
qu op
permit tcp 155.1.146.0 0.0.0.255 eq www any random-detect
le dr
Legacy Generic QoS random-detect precedence 2 4 16 4
ho m
ip access-list extended VOICE
r w do
permit udp any any range 16384 32767
class-map match-all SCAVENGER
pe ran
R6#show traffic-shape
match input-interface Fa0/1 Precedence
MQC Classification
ot se
Traffic Shaping class-map HTTP
minimum-thresshold in pkts
,n u
Interface Gi0/0.146 match ip precedence 0
w to
match access-group name HTTP
Access Target Byte Sustain Excess Interval Increment Adapt
MQC WRED max-threshold in pkts
flo ity
policy-map SERIAL_LINK
il
VC List Rate Limit bits/int bits/int (ms) (bytes) Active class-map match-all LARGE_ICMP
and Marking
ab
match protocol icmp class VOICE Mark propability denominator
- 104 128000 160 1280 0 10 160 -
set ip dscp ef
match packet length min 1001 show policy-map int x
config / show cmd R6#show traffic-shape statistics class-map match-all VOICE
class HTTP
set ip precedence 2 class Transmitted Random drop Tail drop Minimum Maximum Mark Thanks for appreciating my efforts
Acc. Queue Packets Bytes Packets Bytes Shaping match access-group name VOICE class LARGE_ICMP pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
I/F List Depth Delayed Delayed Active match packet length min 60 max 60 Drop 2 713/4089 16/9280 0/0 4 16 1/4
Fa0/0 104 2 15365 21690 14962 2156 yes class SCAVENGER 3 0/0 0/0 0/0 26 40 1/10
set ip precedence 1
Colin
http://www.flashcardguy.ch
- meter incoming HTTP traffic: Ensure burst durations
- activate random drops for unclassified traffic’s
dynamic flows
- set for IP Prec 1 thres min 1 max 40
- if less than 128K set IP Prec 1, of 200ms and 300ms
if exceeds 128K then set IP Prec of 0 (using inactivity)
- drop violating traffic
specifying the policer rate as a percentage of the
interface speed, while specifying the burst rate in
msec
QoS
- propability of 25% packet discard QoS ip access-list extended HTTP B
ex e (ex
QoS
policy-map SERIAL_LINK
permit tcp any eq 80 any tra c
cre eed)
lon dit fo is us
QoS - set speed to 10
- Limit the traffic entering this link to 10% of this rate
class-map HTTP g in r p ed
class class-default
fair-queue
MQC Single-Rate match access-group name HTTP
ac erio as
tiv
ity ds o
f
with a burst value of 125ms.
sh
conform-action set-prec-transmit 1 class VOICE_BEARER
ow
priority 24
- overall effect of TCP ECN is better QoS exceed-action set-prec-transmit 0
ip
violate-action drop compression header ip rtp
rtp
performance, as compared to simple packet
class TCP
he
drops and slow start. Class-map: HTTP (match-all) show policy-map interface
QoS QoS
ad
compression header ip tcp
1245 packets, 1786990 bytes
e
- changing the exceed action from random
MQC Single-Rate
r-c
30 second offered rate 127000 bps, drop rate 0 bps
om
drop to ECN marking Match: access-group name HTTP
pr
MQC WRED with Three-Color Policer MQC Header show policy-map interface serial1/2
es
police:
sio
policy-map SERIAL_LINK cir 128000 bps, bc 3200 bytes, be 4800 bytes …
n
class HTTP conformed 1241 packets, 1780934 bytes; actions: compress:
ECN random-detect ecn set-prec-transmit 1 Compression header ip rtp
random-detect precedence 2 4 16 4 Config / show output: exceeded 4 packets, 6056 bytes; actions: UDP/RTP (compression on, IPHC, RTP)
set-prec-transmit 0 ...
violated 0 packets, 0 bytes; actions:
drop In combination with priority queues: base your
conformed 127000 bps, exceed 0 bps, violate 0 bps calculations on compressed packet sizes
policy-map POLICE_VLAN146 mls qos
- shape rate on vlan 146 to 384 Kbps interface FastEthernet 0/1
class HTTP
- shape rate on vlan 67 to 512 Kbps police 128000 3200 4800 mls qos trust dscp
QoS - burst interval Be of 20ms 5 Bc 120 =
00 CI
QoS conform-action transmit
exceed-action set-prec-transmit 0 128K Trust CoS bits in 802.1p header for encapsulated vlans.
For native vlan apply the CoS value of 1 (CDP, etc.)
*2 R
0m * T
MQC Class-Based policy-map SHAPE_VLAN146
class class-default
sec c /
/1 1
000 000
violate-action drop
service-policy SUBRATE_POLICER interface FastEthernet 0/6
Generic Traffic
shape average 384000 7680 =1
02
40 MQC Hierarchical policy-map SUBRATE_POLICER
class FROM_R1 Catalyst QoS Port-
mls qos trust cos
mls qos cos 1 If mls
trust qos confi
policy-map SHAPE_VLAN67 , inco
min gured, b
policy-map SHAPE_VLAN146 B
class class-default
384 c =
00
0 * CIR QoS policy-map POLICE_VLAN146
If the incoming packet is IP, the switch will if configured
trust fist DSCP or IP Precedence then CoS.
shape average 384000 7680 m *T
20 class HTTP
QoS interface FastEthernet 0/1.146
sec c /
/ 1 10
000 00
=
service-policy SUBRATE_POLICER
PIR
If no CoS value had been set, it will set the default CoS
service-policy output SHAPE_VLAN146 768 CIR value if not specified differently via
MQC Class-Based show policy-map interface fastEthernet 0/0.146
0
MQC Two-Rate
policy-map SUBRATE_POLICER
class FROM_R1 QoS
Service-policy output: SHAPE_VLAN146 police cir 64000 bc 3200 pir 128000 be 6400 mls qos CoS 4 (the CoS-to-DSCP map will map the
Generic Traffic Class-map: class-default (match-any)
Three-Color Policer conform-action set-prec-transmit 1 value accordingly into the DSCP field)
rs
ete
65844 packets, 28003483 bytes exceed-action set-prec-transmit 0
Catalyst QoS
te
ep c, B ram
-ra
5 minute offered rate 334000 bps, drop rate 0 bps
Shaping (GTS) violate-action drop Mls qos trust CoS: if NO 802.1q header, default CoS
f ill
de e.
Match: any
CoS port-based classification
B pa
value of interface is applied
nt
Traffic Shaping - CIR 64Kbps PIR 128Kbps
ha , P ble
class FROM_R6
Target/Average Byte Sustain Excess Interval Increment
en
Be CIR gura
police cir 64000 bc 3200 pir 128000 be 6400
ve IR,
Rate Limit bits/int bits/int (ms) (bytes) - CIR*400ms for Bc/Be PIR*200ms for Bc/Be mls qos cos override will override any incoming packet.
conform-action set-prec-transmit 1
in d
Config and output:
nfi
384000/384000 1920 7680 7680 20 960 - conform action set IP Prec 1, transmit exceed-action set-prec-transmit 0
co
Adapt Queue Packets Bytes Packets Bytes Shaping
- exceed action set IP Prec 0, transmit violate-action drop
ur
Active Depth Delayed Delayed Active
Fo
- violate action drop
Bc/
- 6 65838 279907 56930 270858 yes
- 32Kbps of priority for IP pkts size of 60 bytes with a show policy-map int X
Bc of 4000 byte
QoS - guarantee 256 Kbps of shaped http traffic QoS show mls qos interface fastEthernet 0/6 statistics
- default class uses WFQ FastEthernet0/6
dscp: incoming
MQC Class-Based
class-map VOICE
match packet length min 60 max 60 Shaping to 384K QoS Shaping to 384K
Catalyst
-------------------------------
0-4: 0 0 0 0 0 Help me create more flashcards:
5-9: 0 0 0 0 0
purposes: at 50 packets per second = MQC Peak Shaping match access-group 180 ms
ec
= Catalyst 3550 monitor mode:
dscp: incoming no_change classified policed dropped (in pkts)
0:
...
2 2 0 0 0
64
policy-map POLICY 00 48: 402 402 0 0 0
(60+18)*50*8 = 31200bps or class HTTP PIR
Others: 0 0 0 0 0
Including voice payload, 312Kbps (ios bug for show cmd) shape peak 64000 6400 6400 =2
Egress
dscp: incoming no_change classified policed dropped (in pkts)
Thanks for appreciating my efforts
*C 0: 404 n/a n/a 0 0
ethernet header, dot1q tag IR ...
48: 0 n/a n/a 0 0
interface FastEthernet 0/0
Others: 11 n/a n/a 0 0
service-policy output POLICY
Colin
http://www.flashcardguy.ch
Used to “tunnel” one type of QoS marking Rate-Limit to 128Kbps allow 10msec of burst
through your network, while using the other type. generated by a full 100Mbps interface rate.
policy-map POLICE
Configuring NHRP Group on a Spoke:
int tunnel X
ip nhrp group GROUP
QoS
Classify CoS values, but do not change the DSCP QoS class class-default
100M
bps*1
0ms
police 128000 125000 /8 = Config NHRP mapping on HUB:
value in IP packets. 1250
Catalyst QoS interface FastEthernet 0/1
00
Per-Tunnel QoS for DMVPN int tunnel X
Marking Pass-
no mls qos rewrite ip dscp
Catalyst QoS Port- service-policy input POLICE ip nhrp map group GROUP-1 service-policy output
SERVICE-POLICY-1
Police ICMP and remark exceeding traffic to 8
Through Based Policing and policy-map POLICE_INBOUND
QoS Profile ip nhrp map group GROUP-2 service-policy output
SERVICE-POLICY-2
Trust DSCP but do not change previous set CoS
values:
Have
DSCP
Marking class ICMP
trust dscp show policy-map multipoint [tunnel <nr>]
show ip nhrp group-map GROUP
But h se set cos 2
Interface fa0/1 ave C t to 46 police 64000 16000 exceed-action policed-dscp-transmit Show tunnel endpoints
oS at
mls qos trust dscp pass-through cos 2
show dmvpn detail | I (NHRP group|service-policy)
mls qos trust cos pass-through dscp mls qos map policed-dscp 0 16 24 26 to 8
SW1#ping
DSCP 40 R1 SW1 SW2 R2 R1 SW1 SW2 R2
ac cces
Protocol [ip]: SW4#show mls qos interface fastEthernet 0/4 statistics
ce s-
a
ss lis
Target IP address: 150.1.6.6 FastEthernet0/4
-li t 1
TRUNK TRUNK
23
cl TRUNK
,15
TRUNK TRUNK TRUNK
st 0
Repeat count [5]: 10 ea Ingress
22,
10 0 p
ra
QoS R2#
,14
Datagram size [100]: 1000 ping R1#
0 p er
cc dscp: incoming no_change classified policed dropped (in pkts)
,39
,
int fa0/0.100
,21
er mit
,13
Timeout in seconds [2]: 0 es 0: 1142 1 1 0 0 int fa0/0.100
m ip
How to setup the easiest possible
,38
s- encapsulation dot1q 100
,20
it
encapsulation dot1q 100
,12
Extended commands [n]: y lis 8: 0 0 0 0 0
icm an
ip address 10.0.0.2 255.255.255.0
, 37
tc ip address 10.0.0.1 255.255.255.0
19
Source address or interface: 150.1.7.7
,11
QoS lab:
p y an
ou 16: 0 0 1141 731 0
an y
How to troubleshooting QoS Show mls qos int fa0/x statistics service-policy input PMAP-COS
, 36
,
Type of service [0]: 160 service-policy output PMAP-COS-OUT
,18
nt
,10
Others: 1 0 0 0 0
ya
er policy-map PMAP-SET-COS
,35
ny
Set DF bit in IP header? [no]:
,17
s Egress
8,9
class COS-0
d
policy-map PMAP-SET-COS
,34
sc
Validate reply data? [no]: dscp: incoming no_change classified policed dropped (in pkts)
6
Have R1 send all packets with a CoS
CP
….
P1
class class-default
40
Data pattern [0xABCD]:
,33
0: 1746 n/a n/a 0 0
DS
Markings / Classification Output class COS-7
SC
set cos 4
Loose, Strict, Record, Timestamp, Verbose[none]: of 4
32
8: 0 n/a n/a 0 0
D
Sweep range of sizes [n]:
to
16: 0 n/a n/a 0 0
CP
On switches either R2#
s
Type escape sequence to abort.
s5
DS
Others: 84 n/a n/a 0 0 “no mls qos”
-co
Sending 10, 1000-byte ICMP Echos to 150.1.6.6, timeout is 0 class-map COS-0
-co
or trust cos!
6:
Ingress policing / marking match cos 0
02 01 01
scp
seconds:
scp
all incoming packets are DSCP 0, switch classifies
89
oS
2
…
Packet sent with a source address of 150.1.7.7 R2 should monitor all CoS
07 6 06 5 0 04 3 03 2 0
oC
07 06 06 05 0 4 04 03 03
ping R2 from R1,
sd
pd
them to CS2 (16), some are policed due to exceeding
0 ----
........!. class-map COS-4
4
show policy-map interface,
classifications
5t
0
7
ma
5 : 05 3 04 02 0 1 01 0 00
06 5 05 04 0
rates match cos 4
7 0 06
-
Success rate is 10 percent (1/10), round-trip min/avg/max = 9/9/9 use clear counters, after tests
-
CP
6
...
7
-
os
01 0 00 ----
70
7 0 06
DS
sq
2
SW1 SW2 R2#show policy-map interface policy-map PMAP-MONITOR
0
1 0 06
TOS DSCP IP-PREC TOS DSCP IP-Prec
-
interface FastEthernet 0/13
ml
1 : 00 ------ 3 4
-
R1 R2
0
-
FastEthernet0/0 class COS0
----
mls qos vlan-based
,63
TRUNK TRUNK TRUNK
0
6 : 06 5 05 4 0 03
d1 cos mls
class COS1
---- 0 1 :
96 24 3 Service-policy input: PMAP-MONITOR
, 62
0 0 0
-
2
R1#ping 10.0.0.2 R2# class COS2
3
class-map TRUNKS
0
-
0
, 61
cp- w
4 1 0 104 26 3 int fa0/0 Class-map: COS0 (match-all) First match
4
match input-interface FastEthernet 0/13 class COS3
0
0
int fa0/0
Ds #sho
,60
8 2 0 112 28 3 service-policy PMAP-MONITOR 6 packets, 708 bytes class COS4
0
service-policy outbound SET-DSCP-1 here:
Catalyst 3560 Per- 30 second offered rate 0 bps
0
----
,59
0
class COS5
0 02
Fill in the blanks (Dezimal) 12 3 0 120 30 3 policy-map INTERFACE_POLICY policy-map PMAP-MONITOR
0
1
0
Match: cos 0
2
class COS6
,58
policy-map SET-DSCP-1 class COS0
0
16 4 0 128 32 4 class TRUNKS
SW
07
class COS7
0
2 : 01
,57
police 128000 16000 exceed policed-dscp-transmit class class-default ... Class-map: DSCP-0-7 (match-any)
32 8 1 136 34 4
Port Per-VLAN
3 : 02
set dscp 1 class COS7 class DSCP-0-7
56
0 packets, 0 bytes
0:
0
4 : 03
TOS DSCP IP-PREC 40 10 1 144 36 4 class DSCP-0-7
CP
policy-map VLAN_POLICY 30 second offered rate 0 bps
0
07
48 12 1 152 38 4
DS
class IP_ANY class-map match-all COS0 Match: dscp default (0) 1 2 3 4 5 6 7
56 14 1 160 40 5 Policing set dscp af21 match cos 0 0 packets, 0 bytes
7
, 6,
64 16 2 176 44 5 service-policy INTERFACE_POLICY Why does R2 not see any class-map match-all COS1 30 second rate 0 bps
5
,4,
match cos 1
,31
72 18 2 184 46 5 packets with DSCP 1 via Entry stays 0!!
,2,3
….
interface Vlan 146
,30
80 20 2 192 48 6 class-map match-all COS7
0,1
service-policy input VLAN_POLICY
,29
88 22 2 show policy-map interface ? match cos 7
224 56 7
CP
,28
,47
class-map match-any DSCP-0-7
DS
,27
,46
,55
match dscp default 1 2 3 4 5 6 7 1 CoS value = 8 DSCP values
26
,45
,54
Dscp-dscp mutation map:
25,
set DSCP under non-IP traffic. The switch computes d1 d2
,44
,53
d2 Most specific Default DSCP Mutation Map:
Aggregate ICMP and IPX to 128Kbps, drop exceeding
24,
the respective CoS value using DSCP-to-CoS table.
,43
,52
outgoing DSCP value d1 : d2 0 1 2 3 4 5 6 7 8 9
CP
,42
,51
--------------------------------------------------------------------------------------------------------------------------
0: 00 01 02 03 04 05 06 07 08 09
DS
mls qos
,41
mls qos rewrite ip dscp Output dscp
50
60 1: 10 11 12 13 14 15 16 17 18 19
QoS Create a DSCP mutation map which
4 9,
40
mls qos aggregate-policer AGG128 128000 16000 2: 20 21 22 23 24 25 26 27 28 29
d1 Most specific
48 ,
CP
mac access-list extended IPX 3: 30 31 32 33 34 35 36 37 38 39
exceed-action drop
changes inbound DSCP 1 to 60. incoming DSCP value
DS
CP
4: 40 41 42 43 44 45 46 47 48 49
permit any any 0x8137 0x0 Se
Catalyst QoS
DS
tD policy-map POLICE_AGGREGATE 5: 50 51 52 53 54 55 56 57 58 59
Catalyst QoS ACL class-map match-all IPX
Co SCP
S o , tr
n 3 ust
class ICMP SW2#sh mls qos maps dscp-mutation 6 : 60 61 62 63
show mls qos !!
match access-group name IPX 550
Aggregate Policers police aggregate AGG128 Verify using Dscp-dscp mutation map: mls q
os m
Based Classification class IPX
police aggregate AGG128
TST:
d1 : d2 0 1 2 3 4 5 6 7 8 9
ap dsc
p-mu
tatio
n TST
policy-map CLASSIFY ------------------------------------------------------------------------------------------------------------------------
0 : 00 60 02 03 04 05 06 07 08 09
1 to 6
& Marking class IPX
set dscp ef
class class-default
set dscp cs1
show mls qos maps dscp-mutation: 1:
2:
10 11 12 13 14 15 16 17 18 19
20 21 22 23 24 25 26 27 28 29
mls qos rewrite ip dscp
0
DSCP DSCP
Make sure that classification only affects Vlan 146 of DSCP 40 DSCP 40 DSCP 46 28 SW1 44
a trunk port:
QoS trunk QoS DSCP mutation maps come in handy on
ip access-list extended ICMP
permit icmp any any
Vlans
1,9,20,146
the border of two QoS domains that use 1) mls qos Help me create more flashcards:
different markings
class-map ICMP
Catalyst QoS DSCP Process in order to configure 2) mls qos rewrite ip dscp
Catalyst 3550 Per- match access-group name ICMP Service-policy
applied
mls qos
3) mls qos map dscp-mutation BLA 28 to 44
Port Per-VLAN class-map VLAN_146_ICMP Mutation mls qos map dscp-mutation MUTATION 0 to 8 DSCP mutation map:
match vlan 146
match class-map ICMP Must be the mls qos map dscp-mutation MUTATION 26 to 24
4) int fa0/x
mls qos dscp-mutation BLA
Simply press this button and send me your
Classification policy-map PER_PORT_PER_VLAN
first statement
in class-map!
mls qos map dscp-mutation MUTATION 40 to 46
credit cards regards!
class VLAN_146_ICMP 5) int fa0/x
interface FastEthernet 0/4
set dscp CS3 Second layer class-map mls qos trust dscp
ICMP is only allowed to mls qos trust dscp
have 1 match criteria mls qos dscp-mutation MUTATION
SW1 Fa0/x SW2
mls qos
HTTP transfers of files with extensions “.bin”,
R1 TRUNK TRUNK TRUNK
R2 Ranging 5 bucks to unlimited!
interface FastEthernet 0/1 “.text” and “.taxt” are limited to 256Kbps: DSCP 5 DSCP 5
Inherit QoS settings CoS 0 CoS 6
mls qos vlan-based from SVI per port
QoS switchport-mode trunk map DSCP 5 to CoS 6
Advanced HTTP class-map match-all EXTENSION R1
SW1 Fa0/x SW2
R2
Interface Fa0/22 TRUNK TRUNK
SW2: DSCP remains 5, but L2 CoS
Disable Vlan based TRUNK
Catalyst 3560 Per- no mls qos vlan-based QoS per port Classification with match protocol http url "*.bin|*.t[ea]xt"
DSCP 5 CoS 6 mls qos
modified from 0 to 6 !!
policy-map SHAPE
VLAN Classification policy-map PER_VLAN
sh
NBAR class EXTENSION int fa0/x
class TCP fa ow m shape average 256000 map DSCP 5 to CoS 6 mls qos trust dscp
set dscp ef
0/4
st ls qo
at
ist s i
Thanks for appreciating my efforts
ics nte
interface FastEthernet 0/0.146 mls qos map dscp-cos <DSCP-value> to <CoS-Value>
interface VLAN 146 rf ac service-policy output SHAPE
e
service-policy input PER_VLAN mls qos map dscp-cos 5 to 6
Colin
http://www.flashcardguy.ch
SW2#show mls qos maps dscp-cos
Dscp-cos map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01 8 DSCP values map
QoS
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03 to 1 CoS Value
3 : 03 03 04 04 04 04 04 04 04 04
show mls qos maps dscp-cos 4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07 SW2#show mls qos maps dscp-cos
Dscp-cos map:
Explained: DSCP 0-7 = Cos0
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
DSCP 8-15 = Cos 1 0 : 00 00 00 DSCP
00 000 -00
7 00 00 018,901
DSCP 16-23 = CoS 2 1 : 01 DSCP
01 01 10-15
01 01 01 02DSCP 02 0216-19
02
DSCP 24-31 = CoS 3 2 : 02 02 02 02 03 03 03 03 03 03
DSCP 32-39 = CoS 4 3 : 03 03 04 04 04 04 04 04 04 04
DSCP 40-47 = CoS 5 4 : 05 05 05 05 05 05 05 05 06 06
DSCP 48-55 = CoS 6 5 : 06 06 06 06 06 06 07 07 07 07
DSCP 56-63 = CoS 7 6 : 07 07 07 07
Default:
SW1#show mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
----------------------------------------
dscp: 0 8 16 24 32 40 48 56
CoS to DSCP mapping: conf terminal
mls qos
mls qos map cos-dscp 0 8 16 24 32 40 48 22
int fa0/x
mls qos trust cos
SW1 Fa0/x SW2
R1 R2 Mapped incoming CoS 7 to DSCP 22:
TRUNK TRUNK TRUNK Incoming
SW1#show mls qos maps cos-dscp CoS value
CoS 7 DSCP 22 Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
DSCP of
map CoS 7 to DSCP 22 ----------------------------------------
Outgoing ptks
dscp: 0 8 16 24 32 40 48 22
Default:
SW1# show mls qos map ip-prec-dscp
IpPrecedence-dscp map:
ipprec: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 40 48 56
IP Precedece to DSCP mapping: conf t
mls qos
mls qos map ip-prec-dscp 0 8 16 24 32 7 48 56
SW1 Fa0/x SW2 int fa0/x
R1 TRUNK TRUNK TRUNK
R2 mls qos trust ip-precedence
SW1#show mls qos maps ip-prec-dscp
Prec 5 DSCP 7 IpPrecedence-dscp map: Incoming
ipprec: 0 1 2 3 4 5 6 7 IP Prec
map IP Precedence 5 to DSCP 7 -------------------------------- DSCP of
dscp: 0 8 16 24 32 7 48 56 Outgoing ptks
access-list 701 permit 0000.1111.1111 0000.0000.0000
class-map match-all SRV1
match access-group 701
policy-map OUT
class SRV1
Outbound policing and police 1000 conform-action transmit exceed-action drop
Int fa0/x
Service-policy output OUT
http://www.flashcardguy.ch
monitor capture MYCAP buffer circular packets 1000
monitor capture MYCAP buffer size 10
Embedded packet
monitor capture MYCAP interface Gig0/0/1 in
monitor capture MYCAP access-list MYACL
monitor capture MYCAP start
monitor capture MYCAP stop
capture
Embedded Packet capture monitor capture MYCAP export bootflash:EPC1.pcap
show monitor capture CAP parameter
Colin
http://www.flashcardguy.ch
R1(config)#int ser0/1
R1(config-if)#ip address 130.4.0.1 255.255.255.0
Bad mask /24 for address 130.4.0.1
show ip alias
R5:
interface FastEthernet 0/0
ip irdp
R5
pr
io
Help me create more flashcards:
hig
he
ip irdp address 155.1.58.5 1000 r
ip irdp maxadvertinterval 20
IRDP ip irdp minadvertinterval 10
No
tu
SW2:
interface Vlan 58
VR sing
Fo RP/ HS
r G R
Simply press this button and send me your
red firs LBP P/
ip irdp
ip irdp address 155.1.58.8 500
un t ho
da
nc p
y
credit cards regards!
ip irdp maxadvertinterval 20
ip irdp minadvertinterval 10
Colin
http://www.flashcardguy.ch
R4# R5#
Frame-Relay
interface Serial0/0 interface Serial6
encapsulation frame-relay encapsulation frame-relay What does one have to keep in
ip address 54.1.1.6 255.255.255.0
interface Serial6.51 point-to-point
ip address 54.1.3.254 255.255.255.0 mind while changing a Frame-Relay
frame-relay interface-dlci 51
sub-interface type from Conf t
Inverse-ARP and LMI interface Serial6.100 point-to-point
ip address 54.1.2.254 255.255.255.0
interface serial4/2 Int ser0/1.22 point-to-point
frame-relay interface-dlci 100
Configuration of the different encapsulation frame-relay [cisco / ietf ]
interface Serial6.101 point-to-point Ser0/1.22 point-to-point Int ser0/1.22 multipoing
Pinging the broadcast addr ip address 54.1.1.254 255.255.255.0
frame-relay interface-dlci 101
Frame-Relay encapsulation types:
R4# ping 255.255.255.255 RELOAD
Default is Cisco
problem: Reply to request 0 from 54.1.2.254, 76 ms To a
Reply to request 0 from 54.1.1.254, 108 ms
Reply to request 0 from 54.1.3.254, 92 ms
FRAME
R4
Relay Ser0/1.22 point
R5
Customer:
interface Serial0/0
Int ser0/x
encapsulation frame-relay
ip address 54.1.1.6 255.255.255.0 frame-relay lmitype lmi-type it is always assumed that the end
point of the point-to-point
Service Provider side: cisco
Frame-Relay Why does one don’t create a static connection automatically
Turning Frame-Relay LMI ansi
interface Serial1/6 resides on the same subnet as
Configuration Q933a ip map entries for frame-relay
no ip address
autosense off by: the start point.
using LMI and Inverse arp encapsulation frame-relay
clock rate 64000
point-to-point interfaces
( There is only one destination. )
frame-relay intf-type dce Also configure a keepalive of 10 seconds when
fixing the LMI type via: Inverse-Arp is not necessary too.
interface Serial1/6.101 point-to-point
ip address 54.1.1.254 255.255.255.0
frame-relay interface-dlci 101
keepalive 10
R1#ping 255.255.255.255
Disable:
Ranging 5 bucks to unlimited!
Int ser0/x
no frame-relay inverse-arp ip [DLCI 100]
Enable:
Enable / disable What types of DLCI assignments Global and local DLCI assignments
What kind of Frame-relay Int ser0/x
frame-relay inverse-arp ip [DLCI 100] are there on Frame-Relay
encapsulations are there?
Frame-Relay inverse-arp End networks? Local is usually used.
clear frame-relay inarp interface Ser0/x
Thanks for appreciating my efforts
Colin
http://www.flashcardguy.ch
Frame-Relay
show frame-relay end-to-end keepalive
http://www.flashcardguy.ch
R1#show frame-relay multilink detailed
Bundle: MFR0, State = up, class = A, fragmentation disabled
BID = MFR0
No. of bundle links = 2, Peer's bundle-id = MFR0
Bundle links:
Frame-Relay
Serial0, HW state = up, link state = Up, LID = Serial0
debug ppp authentication Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = Serial4/3, RTT = 4 ms
debug ppp authentication Vi1 CHAP: O CHALLENGE id 24 len 28 from "R2" Statistics:
interface Serial2/3
ip address x.x.x.1 255.255.255.0
Frame-Relay SVC on physical interface: Interface Serial 0/1 encapsulation frame-relay
frame-relay ip tcp header-compression
frame-relay multilink hello 10 [in seconds] frame-relay map ip z.z.z.2 100 broadcast
interface serial4/2 MFR / FRF.16 frame-relay map ip x.x.x.3 101 broadcast nocompress
frame-relay multilink retry 4 [in seconds]
Enabling Frame Relay SVC on the encapsulation frame-relay frame-relay multilink ack 2
TCP/IP Header Compression
map-group svc_group interface Serial2/3.200 multipoint
Physical interface over Frame Relay
frame-relay svc Sub-interface config details ip address x.x.x.x.x 255.255.255.0
frame-relay map ip x.x.x.z 300 CISCO tcp header-compression passive
default values are 10 seconds, 4
seconds, and 2 tries
explicitly configured for DLCI 100 active compression
mode, 101 inherited compression disabled by
nocompress, passive compression on DLCI 200
interface Serial2/3
interface descriptor block ip address 172.16.1.1 255.255.255.0
(IDB), which consists of hardware Frame Relay encapsulation frame-relay
frame-relay map ip 172.16.1.2 100 broadcast Help me create more flashcards:
IDB and software IDB frame-relay ip rtp header-compression
Compression RTP header compression
!
show idb maximum number of IDBs that a interface Serial2/3.200 multipoint
platform can support ip address 192.168.1.1 255.255.255.0
CRTP
header compression versus frame-relay map ip 192.168.1.2 300 CISCO rtp
header-compression passive Simply press this button and send me your
hardware IDB controls the physical
interface, whereas the software
payload compression credit cards regards!
IDB controls the Layer 2 Default Mode is active
Can be configured per physical or
encapsulation. per logical sub-interface
configuration
frame-relay map ip X.X.X.X 100 payload-compression packet-by-packet
Monitoring Frame 10 min avg ratio xmt/rcv 5.563/0.051
no bufs xmt 0 no bufs rcv 0
resyncs 0
http://www.flashcardguy.ch
Cisco Proprietary Payload Configure them on an unused sub-interface, for example Ser0/0.999
Frame-Relay
Compression (per-packet) interface Serial0/0
encapsulation frame-relay
What is an easy method for ip address 155.1.200.3 255.255.255.0
Frame-Relay fragmentation !
What types of header removing broadcast traffic for interface Serial0/0.999 multipoint
FRF.9 Payload Compression and interleaving NO IP ADDRESS
compressions are there for unused DLCI’s which are not frame-relay interface-dlci 401
frame-relay interface-dlci 402
Frame-Relay? Explained as a picture avoided by disabling Inverse-arp
TCP/IP Header Compression for those DLCI’s? DLCI’s 401, 402 are not used, and are placed into a unused sub-int
ser0/0.999,
Now one does not receive any Broadcast traffic for those DLCI’s once
pinging 255.255.255.255 while not disabling Inverse-Arp for those
CRTP, RTP compression DLCI’s.
R1#
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
encapsulation frame-relay
no keepalive
R1#show frame-relay ip rtp header-compression interface Serial3/2 frame-relay map ip 155.1.45.5 514 broadcast
DLCI 100 Link/Destination info: point-to-point dlci
Interface Serial3/2: (passive, compression on) show frame-relay fragment R2#show frame-relay fragment
show frame-relay ip rtp header-compression interface Ser0/0 Rcvd: 703 total, 699 compressed, 2 errors
2 dropped, 0 buffer copies, 0 buffer failures
Frame-Relay Back-to-Back Disabling LMI via “no keepalive”
Output: Sent: 716 total, 713 compressed,
27073 bytes saved, 115527 bytes sent Output:
interface dlci frag-type frag-size in-frag out-frag dropped-frag Configuration.
Serial3/3 200 end-to-end 100 0 0 0
1.23 efficiency improvement factor
Connect: 101 rx slots, 101 tx slots, R2#
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
encapsulation frame-relay
no keepalive
clock rate 64000
frame-relay map ip 155.1.45.4 514 broadcast
interface Serial3/2
no ip address DLCI = 514, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial0/1/0
encapsulation frame-relay
frame-relay traffic-shaping input pkts 228 output pkts 233 in bytes 23712
out bytes 24232 dropped pkts 0 in pkts dropped 0
!
out pkts dropped 0 out bytes dropped 0
interface Serial3/2.100 point-to-point in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
ip address 172.16.1.1 255.255.255.252 show frame-relay fragment interface
frame-relay interface-dlci 100 ser0/x DLCI-NR
Back to back indication on out BECN pkts 0
out bcast pkts 0
in DE pkts 0
out bcast bytes 0
out DE pkts 0
Frame Relay IP RTP Priority class SHAPING 5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
frame-relay ip rtp header-compression
configuration !
pvc create time 00:14:29, last time pvc status changed 00:12:48
available? per DLCI, picture Broadcast Queue <256000> Byte rate per sec.
FRF.12 Frame Relay Fragmentation
<36> Max. packets/S broadcasts
Simply press this button and send me your
credit cards regards!
Describe their tasks associated to the learned DLCI number. 1473 bytes saved, 435 bytes sent
4.38 efficiency improvement factor
(a 1500-byte frame takes approximately 214 ms to Connect: 256 rx slots, 256 tx slots,
leave the router on a 56-kbps line.) 2 misses, 0 collisions, 0 negative cache hits,
255 free contexts
95% hit ratio, five minute miss rate 0 misses/ Thanks for appreciating my efforts
sec, 0 max
Colin
http://www.flashcardguy.ch
First create the Virtual-Template:
Frame-Relay
interface Virtual-Template99
ip address 155.1.0.5 255.255.255.0
PPP over Frame Relay
Second, bind the Virtual-Template to the DLCI
Frame-Relay R3#show connection all
(PPPoFR)
interface Serial0/0/0
no ip address
Switching ID Name Segment 1 Segment 2 State
======================================================
1 R1_R2 Se1/2 132 Se1/3 231 UP
encapsulation frame-relay
Order of implementation: frame-relay interface-dlci 501 ppp Virtual-Template99 Show connection out:
interface FastEthernet0/0 PPP Multi Link via username Rack1R2 password CISCO
mp
lat
e1
bridge-group 1 interface Multilink1 - Te
Bridging over Frame Relay ! Frame-Relay ip address 174.1.23.3 255.255.255.0
Vir
tua
l
1
up p
interface Serial0/0 ppp multilink ce ink ro ha
encapsulation frame-relay t erfa ultil ink g on c
ppp multilink group 1 in p m ltil icati
pp p mu hent
frame-relay map bridge 205 broadcast
interface Serial1/0
Using CHAP pp aut
bridge-group 1
Config: ! encapsulation frame-relay
pp
p
no frame-relay inverse-arp
frame-relay interface-dlci 302 ppp Virtual-Template1
Check if you can see the spanning tree root over the Frame-Relay
Bridge! interface Serial1/1
encapsulation frame-relay
no frame-relay inverse-arp
frame-relay interface-dlci 312 ppp Virtual-Template1
S1/3 S0/1
R2 R1
S0/1 S1/2
R3#
R3
frame-relay switching
Frame-Relay Switching
R3#show frame-relay pvc | inc SWI
Show frame-relay pvc DLCI = 132, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial½
DLCI = 231, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1/3
Colin
http://www.flashcardguy.ch
5. start learning using the Cisco docCD
CCIE RS Version 5 study approach: http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-software-release-15-3-3-m/model.html
I recommend going through the entire DocCD of version 15.3MT (configuration guides, not command reference)
or what ever your future version for the CCIE is.
1. Identify the scope / estimate your know how Browse through it and take notes where things are, can be commands, can be technologies, basically hints for yourself.
Then instead of using Google to find the right page on the docCD search within your own created docCD overview and
Use a training partner to identify all necessary topics for CCIE RS version 5 such as INE, IPExpert then directly jump into the section you are interested in. This will speed up your lookup time for commands/technologies
etc.. In my example I have used INE’s detailed expanded study blue print. initially, plus it makes you aware where to find things over time without Google.
The more lab hours you spend the more you will remember this tip written here..
Copy it into an Excel spreadsheet and start going trough it, this will take a while to go through but Plus during the lab if you know the feature name/technology but forgot the details, you find the right page within 30
its worth it. Be very honest with yourself, if you don’t know the command by hart or have an idea, seconds. Giving you another 5 minutes to answer that question.
you do NOT know it and all the sub-commands associated with it... This document just serves the purpose to CTRL-F:
colin cant,
http://blog.ine.com/2009/05/12/ccie-rs-4x-expanded-study-blueprint/ Additional and Legacy Protocols
switzerland, http://colin.cant.ch/projects/IOS-15.3T-docCD-overview-v3.xls
ISO CLNS Configuration Guide ISO
schweiz, router isis
communicatio Terminal Services Configuration Guide
n, and, Line
Modem
network,
technology,
Broadband Access Aggregation and DSL Configuration Guide
technologys,k
now PPP over Ethernet Client
pppoe-client dial-pool-number
how,consultan interface dialer
t, mpls, bgp, show vpdn session
cisco,
provider, Providing Session Limit Support
bba-group pppoe global
solution, vpn, sessions per-mac limit
design, sessions per-vlan limit
2. Estimate your efforts implementatio snmp-server enable traps pppoe
n, operation,
data, network,
voice, data
center,
datacenter,
virtualization,
6. Lab, lab, lab, and more lab….
CCIE, CCIP, Use a training partners workbook, there are plenty out there find one, stick to it, and don’t jump from one vendor to
Study time:
CCDP, CCNP, another during your studies.
3 days during the week 12 hours
study
1 day weekend 8 hours
material, Cisco
-------------------------------------------
20 hours / week
Press, book, 7. Bootcamps
Narbik, INE, I have visited the 5 day bootcamp performed by Narbik, the most increadible Cisco instructor I have ever met.
4x 20 = 80 hours per month IPExpert,
12x 80 = 960 hours per year study flash I had re-visited his 10 day bootcamp for a minor upgrade fee, his re-takes of the same bootcamp / version are for free and he encourages people to
cards, do so.
flashcards,
cisco.com I highly recommend re-taking his class, the first time you go, you will have a serious buffer overflow in terms of content and quality of information
DocCD, Perth, received.
3. Start learning the involved technology (CCIE book list) Australia,
network The second time you attend his class, you will be able to sip up details you could not process / digest the first time.
engineer,
senior I have attended many Cisco courses in my past, but this is unlike anything you have ever seen before!
network His memory is sensational and he knows every command / formula / ethertype etc… by hart and never needs to look up a thing in a PDF or similar.
engineer, In addition, I find his way of teaching and personality very entertaining in terms of how he delivers his class etc. Be prepared for long hours,
designer, ccie frustrating GOOD labs which make you remember what you did wrong or what alternatives you have in each situation. It will open your eyes in
study, routing terms of how protocols really work…
and switching,
http:// Narbiks training: http://micronicstraining.com/
colin.cant.ch,
CCIE
Calculated based on an average of 20
configuration
pages per hour. 8. create a process for each technology etc, follow it each time you configure that technology
examples,
(depends on your speed)
Cisco training,
study Once you have gained the “entire” picture in terms of technologies, go through the the initial Scope list from Step 1 and make sure you have for each item /
material, technology a process in place which you follow each time you configure it.
Read through the books, use a highlighter/marker and take personal notes of the books. APP Free, Or best, create you own set of cards!
Initially the book may take you around 40 hours to go through, but later you can refresh the entire book in 4 hours. CCNA study Follow your process EVERY TIME from the beginning to the end and you will have a consistent failure resolution time!
I had to have physical books as I get tired too fast reading on a screen, plus sitting in the sun staring in a screen is not flashcards, You do NOT want to place a hip-shot assumption and waist time on upper layer stuff, when the problem after 30 minutes turns out to be an unnoticed speed mis-
much fun.. CCNA match or a “mac-address static drop” or similar. Keep following your created processes, and build up speed and accuracy.
preparation, You will know when it is time to go!
Required effort rated at reading 20 pages per hour: 580 hours CCNP
All books, 6 hours of reading each day: 97 days flashcards
Reading all, 6 hours / day in month: 3.2 month CCNP booklist,
Free cisco
If you are really, really sure you know all technologies, skip the books and start going through the entire IOS configuration guides. training,
On your lab date X
4. Repeat going through your notes
Create you own set of notes / study repetition method. Good luck, I wish!
Or use my set of APP FREE ccie rs version 5 learning study flash
cards to repeat what you learned so far and keep the information
fresh. and may the force be with you!
http://colin.cant.ch/projects/Visio-CCIE_Lernkarten_v11.pdf