
my CCDE cheat sheets
Sections: Operation | Tunneling and overlays | L3 | L2 | Security

Layer 2 Design

Performance and stability
• Align the HSRP active router with the STP root (same switch per VLAN)
• Root Guard on ports that must never see a superior BPDU
• Loop Guard or Bridge Assurance on non-designated / network ports
• BPDU Guard together with PortFast on access ports

Security
• Apply an ACL filter on the admin VLAN
• Modify the VTP domain (or turn VTP off)
• Clear the native VLAN off trunks (use an unused VLAN as native)
• Force access mode (disable DTP)
• Choose VLAN ≠ 1
• Apply Port Security
802.1D Enhancements
PortFast      Enables immediate transition into forwarding state on edge ports
UplinkFast    Enables access switches to maintain backup paths to the root
BackboneFast  Enables immediate expiration of the Max Age timer on indirect failure

Spanning Tree Protection
Root Guard        Prevents a port from becoming the root port (a superior BPDU puts it in root-inconsistent state)
BPDU Guard        Disables (err-disables) a port if a BPDU is received
Loop Guard        Prevents a blocked port from transitioning to listening/forwarding when BPDUs stop arriving (unidirectional link) after the Max Age timer expires
BPDU Filtering    Disables STP (sending/receiving BPDUs) on a port
Bridge Assurance  Blocks a port if it receives no BPDU from the neighbour
Layer 2 Design

Spanning tree standards
• DEC STP: pre-IEEE
• 802.1D: Classic STP
• 802.1t: 802.1D maintenance (extended system ID)
• 802.1w: Rapid STP (RSTP)
• 802.1s: Multiple STP (MST)

Spanning toolkit
The following enhancements to 802.1(D,s,w) comprise the Cisco Spanning-Tree toolkit:
• PortFast: lets the access port bypass the listening and learning phases
• UplinkFast: provides 3-to-5 second convergence after a direct link failure
• BackboneFast: cuts convergence time by MaxAge for indirect failures
• Loop Guard: prevents an alternate or root port from becoming designated while no BPDUs are received
• Root Guard: prevents external switches from becoming the root
• BPDU Guard: disables a PortFast-enabled port if a BPDU is received
• BPDU Filter: prevents sending or receiving BPDUs on PortFast-enabled ports

Cisco has incorporated a number of these features into the following versions of STP:
• Per-VLAN Spanning Tree Plus (PVST+): provides a separate 802.1D spanning tree instance for each VLAN configured in the network. Includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.
• Rapid PVST+: provides an instance of RSTP (802.1w) per VLAN. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard (the UplinkFast/BackboneFast behaviour is native to RSTP).
• MST: provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.
Access design: STP or no STP
L2 topologies
Layer 3 Design

• The network must be reliable and resilient
• The network must be manageable
• The network must be scalable


Layer 3 Design

Triangle vs Square
• Triangles (full mesh between the distribution pair and the core): link/box failure does NOT require routing protocol convergence, the alternate equal-cost path is already in the FIB
• Squares: link/box failure requires routing protocol convergence
OSPF in a Campus
• Core = Area 0; each distribution block is its own area (e.g. Area 10) with summaries advertised by the ABR
• Make the distribution-block area totally stubby (area 10 stub no-summary) so only a default route is injected
• Caveat: when the ABR comes up it may advertise the default route into the stub area immediately (if a loopback is in area 0), before it has converged toward the core, so traffic can be black-holed briefly

EIGRP in a Campus
• eigrp stub on the access/distribution routers: queries are not forwarded into the stub and it sends immediate replies (query scoping, limits stuck-in-active risk)
OSPF as PE-CE protocol
• Sham-link across the MPLS backbone: makes the backbone path intra-area, so the route with the lower cost (backbone vs backdoor) wins instead of the backdoor always winning as intra-area
• Loop prevention: the PE sets the down bit on LSA 3 (or, when the domain IDs differ, tags the LSA 5) when redistributing BGP into OSPF; a PE that receives an LSA with the down bit ignores the route
• Inter-area (IA) routes are preferred over external routes

EIGRP as PE-CE protocol
• The AS should be the same at all sites (otherwise the routes arrive as external)
• Metric, AS and SoO are transported across the backbone as BGP extended communities; the cost community uses the pre-best-path point of insertion so the EIGRP metric is compared before the normal BGP best-path rules
• SoO is transported into EIGRP
• SoO on the PE: the same SoO per site
• SoO on the CEs (backdoor links): one SoO per CE
OSPF

LSA     Description
Type 1  Router LSA: routers, links and costs
Type 2  Network LSA: originated by the DR on multi-access networks (pseudonode)
Type 3  Network Summary LSA: originated by ABRs (inter-area routes)
Type 4  ASBR Summary LSA: originated by ABRs so that the ASBR is reachable from other areas
Type 5  AS External LSA: originated by the ASBR, OSPF external routes advertisement
Type 7  NSSA External LSA: originated by an ASBR inside an NSSA area, OSPF external routes advertisement (translated to type 5 by the NSSA ABR)

Area               Description
Backbone (Area 0)  All other areas have to be linked to it. Accepts LSA 4 from other areas.
Standard           Receives LSA 3 & 5, originates LSA 3, 4 & 5 toward the backbone area.
Stub               Receives type 3 LSAs and a default route (advertised as an LSA 3), originates LSA 3. No type 4/5.
Totally Stub       Receives only a default route as a type 3 LSA, originates LSA 3.
NSSA               Originates type 7 LSAs, receives LSA 3. The default route is implicit (automatic) only for a Totally NSSA; a plain NSSA needs it configured on the ABR.

Inter-area routes are summarized on the ABR
External routes are summarized on the ASBR
NSSA-External routes can be summarized on the ASBR or on the ABR (when it translates type 7 into type 5)
OSPF Areas (what the ABR floods from Area 0 into the area)
• Standard area: type 1 & 2 (intra-area), type 3, type 4, type 5 externals
• Stub area: type 1 & 2, type 3, default route (no type 4/5)
• Totally stub area: type 1 & 2, default route only
• NSSA: type 1 & 2, type 3, type 7 for externals originated inside the area (converted to type 5 by the ABR toward Area 0), default route if configured
• Totally NSSA: type 1 & 2, type 7 → type 5 translation, default route
OSPF NBMA and partial mesh networks

Either (non-broadcast mode)
• set the DR priority to 0 on all partial-meshed nodes (only the hub can become DR)
• configure the peers manually in unicast mode
or (broadcast mode)
• set the DR priority to 0 on all partial-meshed nodes
• set broadcast mode on all links
Troubleshooting adjacencies

• EIGRP
  o Same AS
  o Same primary IP subnet
  o Same metric weights (K values)
• OSPF
  o Same area
  o Same area type (stub/NSSA flags)
  o Same IP subnet and mask (mask not checked on point-to-point)
  o Same hello and dead intervals
  o Same MTU (or ip ospf mtu-ignore)
  o Same authentication type and key
• IS-IS
  o Same area for L1 adjacencies
  o Different system IDs
  o Same MTU (hellos are padded to the MTU)
  o Same IP subnet
  o Same network/interface type (multipoint or point-to-point)
IS-IS inter area

• L1/L2 routers set the attached (ATT) bit in their L1 LSP if they have an L2 adjacency to another area. L1 routers that receive the attached bit generate a default route toward the advertising router; every L1 router in the area does the same, so it is transitive.
• Intra-area routes are preferred over inter-area routes even if the metric is greater.
• L1 routes are advertised by L1/L2 routers to the other L2 routers.
• L1/L2 routers may be configured to leak L2 routes into the L1 area (route leaking, shown as "ia" routes).

System ID best practice:

1. Pad each octet of the main loopback IP to three digits: 192.168.1.24 → 192.168.001.024
2. Regroup the 12 digits into XXXX.XXXX.XXXX format: 192.168.001.024 → 1921.6800.1024
3. Prepend the area (AFI 49 + area ID) and append 00 as the NSEL: 1921.6800.1024 → 49.<area>.1921.6800.1024.00
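The three steps above as code, added here as an example (this is not from the cheat sheet): it derives the system ID from a loopback, builds the NET and reverses the mapping for reading "show isis neighbors" output. AFI 49 and the area value 0001 used below are assumptions; the lab NETs later on this page (49.0100.0000.0000.0002.00) follow a different, hand-assigned scheme.

```python
"""IS-IS NET derivation from a loopback address (added example)."""
import ipaddress


def loopback_to_system_id(loopback: str) -> str:
    """192.168.1.24 -> '1921.6800.1024': zero-pad every octet to three
    digits, concatenate, regroup the 12 digits in blocks of four."""
    addr = ipaddress.IPv4Address(loopback)          # rejects malformed input
    digits = "".join(f"{octet:03d}" for octet in addr.packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def loopback_to_net(loopback: str, area: str, afi: str = "49", nsel: str = "00") -> str:
    """Full NET: <afi>.<area>.<system-id>.<nsel>. AFI 49 (private) is the
    value used on the cheat sheet; the area is given as hex groups ('0001')."""
    area_hex = area.replace(".", "")
    if not area_hex or len(area_hex) % 4:
        raise ValueError("area must be one or more groups of four hex digits")
    int(area_hex, 16)                                # raises on non-hex characters
    area_fmt = ".".join(area_hex[i:i + 4] for i in range(0, len(area_hex), 4))
    return f"{afi}.{area_fmt}.{loopback_to_system_id(loopback)}.{nsel}"


def system_id_to_loopback(system_id: str) -> str:
    """Reverse mapping, for reading 'show isis neighbors':
    '1921.6800.1024' -> '192.168.1.24'."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("system ID must be 12 decimal digits")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError("system ID does not encode an IPv4 address")
    return ".".join(str(o) for o in octets)
```

The reverse function only works for system IDs built with this recipe; a NET such as 49.0100.0000.0000.0002.00 decodes to 0.0.0.2, which is the hint that the operator assigned it by hand.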
VPN backdoors

• Partial mesh of sham links → backbone path preferred (the sham link makes the backbone path intra-area; without it the OSPF backdoor always wins as intra-area over the inter-area backbone route)
• BGP backdoor (network <prefix> backdoor) → the eBGP route gets administrative distance 200, so the IGP route over the internal backdoor link is preferred over eBGP
Route Reflectors
Follow the physical topology:
• A session between an RR and a non-client should not traverse a client
• A session between an RR and its client should not traverse a non-client

Inbound traffic engineering with BGP (shaping what neighbours send to you, through your outgoing advertisements)
• AS-path prepending
• MED
• communities (the neighbour maps them to local preference)
• selective advertisements (prefix not advertised on one link: no backup)
• more-specific advertisements
BGP confederations

FEATURE                                   SEEN IN THE CONFEDERATION
Peering                                   Partial-mesh peering between sub-autonomous systems; full-mesh peering within a sub-AS (or route reflectors).
Communications between peers              iBGP is used within each sub-AS; cBGP (confederation eBGP) is used between sub-autonomous systems, similar to eBGP but with the following differences:
                                          • enhancement of the AS_PATH attribute
                                          • change in the next-hop handling (the next hop is preserved, as on iBGP)
Additions to the BGP attributes           AS_PATH carries the sub-AS IDs in AS_CONFED_SEQUENCE / AS_CONFED_SET segments. This enhancement is not advertised to external autonomous systems.
Preserved attributes                      next-hop, local preference, MED
Readvertising a learned prefix            Readvertised to the other sub-autonomous systems if selected as best.
Communications with non-member BGP peers  If a member of the confederation peers with a BGP peer located in another AS, the sub-AS numbers in the AS_PATH are suppressed and only the confederation number is passed within the AS_PATH attribute.
Use of the multi-hop parameter            By default cBGP needs a directly connected interface (ebgp-multihop otherwise).
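The AS_PATH, next-hop and LOCAL_PREF behaviour in the table as a small Python model, added here as an example (it is not part of the cheat sheet). The confederation ID 65000, sub-ASes 65001/65002, external AS 100 and router IPs are assumptions; AS_SET and AS_CONFED_SET segments are not modelled.

```python
"""BGP confederation attribute handling (RFC 5065), modelled (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
Segment = Tuple[str, List[int]]


@dataclass
class Route:
    prefix: str
    as_path: List[Segment] = field(default_factory=list)
    next_hop: str = ""
    local_pref: Optional[int] = None
    med: Optional[int] = None


@dataclass
class ConfedRouter:
    sub_as: int        # member-AS number, meaningful only inside the confederation
    confed_id: int     # the AS number the outside world sees
    router_ip: str

    def send(self, route: Route, peer_kind: str) -> Route:
        """Attributes on an UPDATE toward an 'ibgp', 'confed' (cBGP) or 'ebgp' peer."""
        path = [(t, list(asns)) for t, asns in route.as_path]   # copy the segments
        out = Route(route.prefix, path, route.next_hop, route.local_pref, route.med)
        if peer_kind == "ibgp":
            return out                                         # same sub-AS: nothing changes
        if peer_kind == "confed":
            # cBGP: prepend our sub-AS inside an AS_CONFED_SEQUENCE; next-hop,
            # LOCAL_PREF and MED are kept exactly as on iBGP.
            if path and path[0][0] == AS_CONFED_SEQUENCE:
                path[0][1].insert(0, self.sub_as)
            else:
                path.insert(0, (AS_CONFED_SEQUENCE, [self.sub_as]))
            return out
        if peer_kind == "ebgp":
            # Real eBGP: confederation segments are stripped, only the
            # confederation ID is prepended, the next hop becomes this router
            # and LOCAL_PREF is not sent outside the AS.
            path = [(t, asns) for t, asns in path if t == AS_SEQUENCE]
            if path:
                path[0][1].insert(0, self.confed_id)
            else:
                path.append((AS_SEQUENCE, [self.confed_id]))
            out.as_path = path
            out.next_hop = self.router_ip
            out.local_pref = None
            return out
        raise ValueError(f"unknown peer kind {peer_kind!r}")

    def accept(self, route: Route, peer_kind: str) -> bool:
        """Loop detection on receipt; False means the UPDATE must be dropped."""
        for seg_type, asns in route.as_path:
            if seg_type == AS_CONFED_SEQUENCE:
                if peer_kind == "ebgp":
                    return False      # confed segments must never arrive from outside
                if self.sub_as in asns:
                    return False      # our own sub-AS already in the path: loop
            elif self.confed_id in asns:
                return False          # our public AS in the path: loop via the outside
        return True


def flat_path(route: Route) -> List[int]:
    """AS_PATH as an external peer reads it (confederation segments are invisible)."""
    return [asn for t, asns in route.as_path if t == AS_SEQUENCE for asn in asns]


def demo() -> Tuple[Route, Route]:
    """Constructed scenario: AS 100 -> sub-AS 65001 -> sub-AS 65002 -> AS 200."""
    r1 = ConfedRouter(sub_as=65001, confed_id=65000, router_ip="10.0.0.1")
    r2 = ConfedRouter(sub_as=65002, confed_id=65000, router_ip="10.0.0.2")
    learned = Route("203.0.113.0/24", [(AS_SEQUENCE, [100])],
                    next_hop="192.0.2.1", local_pref=150)
    to_r2 = r1.send(learned, "confed")      # AS_CONFED_SEQUENCE [65001] in front, LP 150 kept
    if not r2.accept(to_r2, "confed"):
        raise RuntimeError("unexpected loop")
    to_as200 = r2.send(to_r2, "ebgp")       # AS_PATH [65000 100], no confed segment, no LP
    return to_r2, to_as200
```

The accept() check is the security-relevant half: a confederation segment arriving on a real eBGP session is either a misconfigured neighbour or an attempt to influence path selection, and must be rejected rather than compared.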


Remotely triggered black hole (destination-based)
• Every edge router (CE) carries a static discard route: 192.0.2.1/32 → Null0
• The NOC trigger router advertises the victim prefix over iBGP with next-hop 192.0.2.1: 10.1.1.0/24 → 192.0.2.1
• The recursive lookup resolves to Null0 on every edge, so traffic toward the victim is dropped at the edge (the victim is sacrificed to protect the rest of the network)

Source-triggered black hole
• Same discard route 192.0.2.1/32 → Null0, plus loose uRPF on the edge ingress interfaces
• The NOC advertises the attacker's source prefix with next-hop 192.0.2.1: 192.168.1.0/24 → 192.0.2.1
• Packets sourced from 192.168.1.0/24 fail the loose uRPF check (the route for the source resolves to Null0) and are dropped, without touching the victim prefix
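The two black-hole variants above, modelled on one edge router's FIB; an added example, not from the cheat sheet. The addresses are the ones on the diagrams (192.0.2.1/32 → Null0, victim 10.1.1.0/24, attacker 192.168.1.0/24); the interface names Gi0/0 and Gi0/1 and the allow-default uRPF behaviour are assumptions.

```python
"""Destination- and source-based RTBH on an edge router FIB (added example)."""
import ipaddress
from typing import Dict, Optional, Tuple

NULL0 = "Null0"
BLACKHOLE_NH = "192.0.2.1"    # the /32 every edge pins to Null0


class EdgeRouter:
    """A minimal edge-router FIB: prefix -> next-hop IP, interface or Null0."""

    def __init__(self) -> None:
        self.rib: Dict[ipaddress.IPv4Network, str] = {
            ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",          # upstream (assumed name)
            ipaddress.ip_network("10.1.1.0/24"): "Gi0/1",        # customer/victim LAN (assumed name)
            ipaddress.ip_network(BLACKHOLE_NH + "/32"): NULL0,   # static discard route
        }
        # ingress interfaces with 'ip verify unicast source reachable-via any allow-default'
        self.loose_urpf_ifaces = {"Gi0/0"}

    def trigger(self, prefix: str) -> None:
        """Effect of the NOC's iBGP announcement once installed: the prefix
        now recurses to the black-hole next hop (the model simply overwrites)."""
        self.rib[ipaddress.ip_network(prefix)] = BLACKHOLE_NH

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match, recursing through next-hop IPs until an
        interface (or Null0) is reached; None when nothing matches."""
        addr = ipaddress.ip_address(ip)
        best_len, target = -1, None
        for net, nh in self.rib.items():
            if addr in net and net.prefixlen > best_len:
                best_len, target = net.prefixlen, nh
        if target is None or target == NULL0 or not target[0].isdigit():
            return target                                      # interface, Null0 or no route
        return self.lookup(target)                             # recursive next hop

    def forward(self, src: str, dst: str, in_iface: str) -> str:
        """Returns the egress interface, or the reason the packet was dropped."""
        if in_iface in self.loose_urpf_ifaces:
            # Loose uRPF: the source only needs *some* route, but a route that
            # resolves to Null0 does not count; that is what makes S/RTBH work.
            # Without allow-default a match on 0.0.0.0/0 would not count either.
            src_out = self.lookup(src)
            if src_out is None or src_out == NULL0:
                return "drop: uRPF (source black-holed)"
        out = self.lookup(dst)
        if out is None:
            return "drop: no route"
        if out == NULL0:
            return "drop: destination black-holed"
        return out


def demo() -> Tuple[str, str, str, str]:
    edge = EdgeRouter()
    before = edge.forward("198.51.100.7", "10.1.1.5", "Gi0/0")    # normal forwarding
    edge.trigger("10.1.1.0/24")           # D/RTBH: NOC announces the victim prefix -> 192.0.2.1
    victim = edge.forward("198.51.100.7", "10.1.1.5", "Gi0/0")    # dropped at the edge

    edge2 = EdgeRouter()
    edge2.trigger("192.168.1.0/24")       # S/RTBH: NOC announces the attacker's source prefix
    attacker = edge2.forward("192.168.1.9", "10.1.1.5", "Gi0/0")  # fails loose uRPF
    legit = edge2.forward("198.51.100.7", "10.1.1.5", "Gi0/0")    # victim still reachable
    return before, victim, attacker, legit
```

The trigger prefix must come from space that is never routed (192.0.2.0/24 is documentation space) and the iBGP announcement should carry no-export plus a community the edges match on, so a mistyped prefix cannot leak the discard beyond your AS.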
IPv6

Neighbor Discovery messages
Type                    Abbr  ICMPv6 type  Description
Router Solicitation     RS    133          Sent by hosts to request an RA
Router Advertisement    RA    134          Originated by routers to announce their existence (prefixes, default router, M/O flags)
Neighbor Solicitation   NS    135          Facilitates link-layer address resolution and duplicate address detection
Neighbor Advertisement  NA    136          Response to an NS
Redirect                      137          Used by a router to inform a host of a better first hop on the link
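A parser for the five message types in the table (RFC 4861 layouts), with a rogue-RA check of the kind RA Guard performs; an added example, not from the cheat sheet. It consumes the ICMPv6 bytes after the IPv6 header, so it can be fed from a pcap or raw socket. The constructed RA frames, the MAC addresses and the allow-list of legitimate routers and prefixes are assumptions for the demo; the checksum is left zero because it covers the IPv6 pseudo-header, which is not modelled.

```python
"""IPv6 Neighbor Discovery parser and rogue-RA check (added example)."""
import ipaddress
import struct
from typing import Any, Dict, Set, Tuple

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
OPT_SRC_LLADDR, OPT_PREFIX_INFO = 1, 3


def _parse_options(data: bytes) -> Dict[str, Any]:
    """Walk the TLV options (length in units of 8 octets); decode SLLA and Prefix Information."""
    opts: Dict[str, Any] = {"prefixes": []}
    off = 0
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option (RFC 4861 4.6)")
        body = data[off + 2: off + olen * 8]
        if otype == OPT_SRC_LLADDR and len(body) >= 6:
            opts["src_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and len(body) >= 30:
            plen, flags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])       # 4 reserved bytes skipped
            opts["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                     "on_link": bool(flags & 0x80),
                                     "autonomous": bool(flags & 0x40),  # hosts may SLAAC from it
                                     "valid": valid, "preferred": preferred})
        off += olen * 8
    return opts


def parse_nd(icmp: bytes) -> Dict[str, Any]:
    """Parse the ICMPv6 part (after the IPv6 header) of an ND message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMPv6 header")
    mtype, code = icmp[0], icmp[1]
    if mtype not in ND_TYPES or code != 0:
        raise ValueError(f"not an ND message: type {mtype} code {code}")
    msg: Dict[str, Any] = {"type": mtype, "name": ND_TYPES[mtype]}
    if mtype == 133:                                   # RS: 4 reserved bytes, then options
        body = icmp[8:]
    elif mtype == 134:                                 # RA
        if len(icmp) < 16:
            raise ValueError("truncated RA")
        hop, flags, lifetime, reach, retrans = struct.unpack("!BBHII", icmp[4:16])
        msg.update(cur_hop_limit=hop, managed=bool(flags & 0x80), other_config=bool(flags & 0x40),
                   router_lifetime=lifetime, reachable_time=reach, retrans_timer=retrans)
        body = icmp[16:]
    elif mtype in (135, 136):                          # NS / NA: 4 bytes, then 16-byte target
        if len(icmp) < 24:
            raise ValueError("truncated NS/NA")
        msg["target"] = str(ipaddress.IPv6Address(icmp[8:24]))
        if mtype == 136:
            msg.update(router=bool(icmp[4] & 0x80), solicited=bool(icmp[4] & 0x40),
                       override=bool(icmp[4] & 0x20))
        body = icmp[24:]
    else:                                              # Redirect: target, then destination
        if len(icmp) < 40:
            raise ValueError("truncated Redirect")
        msg["target"] = str(ipaddress.IPv6Address(icmp[8:24]))
        msg["destination"] = str(ipaddress.IPv6Address(icmp[24:40]))
        body = icmp[40:]
    msg.update(_parse_options(body))
    return msg


def is_rogue_ra(msg: Dict[str, Any], allowed_routers: Set[str], allowed_prefixes: Set[str]) -> bool:
    """An RA from a MAC that is not a known router, or offering an unknown
    SLAAC (A-flag) prefix, is what RA Guard is meant to block."""
    if msg["name"] != "RA":
        return False
    if msg.get("src_lladdr") not in allowed_routers:
        return True
    return any(p["autonomous"] and p["prefix"] not in allowed_prefixes for p in msg["prefixes"])


def build_ra(src_mac: bytes, prefix: str, lifetime: int = 1800, flags: int = 0) -> bytes:
    """Constructed RA for the demo (checksum 0: it covers the IPv6 pseudo-header, not modelled)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    slla = struct.pack("!BB", OPT_SRC_LLADDR, 1) + src_mac
    pinfo = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + slla + pinfo + net.network_address.packed


def demo() -> Tuple[bool, bool]:
    routers, prefixes = {"00:11:22:33:44:55"}, {"2001:db8:1::/64"}        # assumed allow-list
    good = parse_nd(build_ra(bytes.fromhex("001122334455"), "2001:db8:1::/64"))
    rogue = parse_nd(build_ra(bytes.fromhex("66778899aabb"), "2001:db8:bad::/64"))
    return is_rogue_ra(good, routers, prefixes), is_rogue_ra(rogue, routers, prefixes)
```

On a real capture, compare the SLLA option against the Ethernet source as well: a mismatch between the two is the other classic sign of a forged RA or NA.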
IPv6 deployment scenarios

             Dual Stack               Hybrid                                              Service Block
Transport    Native                   ISATAP and manually configured tunnels               ISATAP and manually configured tunnels to a dedicated block
QoS          End to end               Marking at tunnel egress                             Marking at tunnel egress
Multicast    Native                   Single ISATAP tunnel with anycast                    Single ISATAP tunnel with anycast
HA           IGP                      No load balancing                                    Load balancing after the tunnels
Caveats      IPv6 hardware required   Core layer becomes the access layer (tunnels end      New IPv6 hardware for the block
                                      there); no per-user/per-application control for
                                      IPv6 inside the tunnels

• from http://www.sanog.org/resources/sanog14/sanog14-paresh-highavailability.pdf

Router resiliency
• Reliable hardware: high MTBF
• Redundant components
• Non Stop Routing

Network resiliency
• Rapid failure detection
• Network design
• Quick convergence
IS-IS lab

Topology: CE2 --10.1.23.0/24-- CE3 --10.1.34.0/24-- CE4 --10.1.45.0/24-- CE5
CE2 (2.2.2.2/32) and CE3 (3.3.3.3/32) are in Area 1; CE4 (4.4.4.4/32) and CE5 (5.5.5.5/32) are in Area 2.
CE2 and CE5 run level-1 only on their links; CE3 and CE4 keep the default L1/L2 circuit type and form the L2 backbone over 10.1.34.0/24.

CE2 (straightforward configuration)
router isis
 net 49.0100.0000.0000.0002.00
 area-password IS-IS
 metric-style wide              ! needed for the tag TLV
 log-adjacency-changes
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
 ip router isis
interface FastEthernet1
 ip address 10.1.23.2 255.255.255.0
 ip router isis
 isis circuit-type level-1

CE3
router isis
 net 49.0100.0000.0000.0003.00
 area-password IS-IS
 metric-style wide
 log-adjacency-changes
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
 ip router isis
interface FastEthernet1
 ip address 10.1.23.3 255.255.255.0
 ip router isis
 isis circuit-type level-1
interface FastEthernet2
 ip address 10.1.34.3 255.255.255.0
 ip router isis

CE4 (summarization + leaking)
router isis
 net 49.0200.0000.0000.0004.00
 metric-style wide
 log-adjacency-changes
 summary-address 5.5.0.0 255.255.0.0 tag 5
 redistribute isis ip level-2 into level-1 route-map MatchTag5   ! route-map MatchTag5 (match tag 5) not shown
interface Loopback4
 ip address 4.4.4.4 255.255.255.255
 ip router isis
 isis tag 5
interface FastEthernet1
 ip address 10.1.45.4 255.255.255.0
 ip router isis                 ! circuit-type left at the default (level-1 not configured)
interface FastEthernet2
 ip address 10.1.34.4 255.255.255.0
 ip router isis

CE5
router isis
 net 49.0200.0000.0000.0005.00
 metric-style wide
 log-adjacency-changes
interface Loopback5
 ip address 5.5.5.5 255.255.255.255
 ip router isis
interface FastEthernet1
 ip address 10.1.45.5 255.255.255.0
 ip router isis
 isis circuit-type level-1

Resulting routing tables (L1 = level-1, L2 = level-2, ia = inter-area leaked route, su = summary):

CE2#sh ip route | i ^i
i L1 3.3.3.3 [115/20] via 10.1.23.3, Fast0
i ia 4.4.4.4 [115/30] via 10.1.23.3, Fast0
i ia 5.5.0.0 [115/40] via 10.1.23.3, Fast0
i L1 10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
i*L1 0.0.0.0/0 [115/10] via 10.1.23.3, Fast0

CE3#sh ip route | in ^i
i L1 2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
i L2 4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
i L2 5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
i L2 10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1

CE4#sh ip route | in ^i
i L2 2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
i L2 3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
i su 5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
i L1 5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
i L2 10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1

CE5#sh ip route | in ^i
i L1 4.4.4.4 [115/20] via 10.1.45.4, Fast1
i L1 10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
i*L1 0.0.0.0/0 [115/10] via 10.1.45.4, Fast1

The L1-only routers (CE2, CE5) install the default route generated from the attached bit of their L1/L2 neighbour; CE4 also holds the 5.5.0.0/16 summary as a discard route to Null0, which is what prevents a routing loop for addresses inside the summary that have no more specific route.
OSPF lab

Topology: CE1 --10.1.12.0/24-- CE2 --10.1.23.0/24-- CE3 --10.1.34.0/24-- CE4
CE1 (RIP only) hosts the loopbacks 1.1.1.1/24, 2.2.2.2/24 and 3.3.3.3/24; CE2 redistributes RIP into OSPF Area 202 (NSSA); CE3 is the NSSA ABR toward Area 0; CE4 sits in Area 0.

CE1
interface Loopback1111
 ip address 1.1.1.1 255.255.255.0
interface Loopback2222
 ip address 2.2.2.2 255.255.255.0
interface Loopback3333
 ip address 3.3.3.3 255.255.255.0
router rip
 version 2
 redistribute connected route-map Loopbacks     ! route-map Loopbacks not shown
 passive-interface default
 no passive-interface FastEthernet1
 network 10.0.0.0
 no auto-summary

CE2 (RIP → OSPF NSSA redistribution, external summaries on the ASBR)
router rip
 version 2
 timers basic 15 45 15 60
 passive-interface default
 network 10.0.0.0
 no auto-summary
router ospf 1
 log-adjacency-changes
 area 202 nssa
 summary-address 3.0.0.0 255.0.0.0 not-advertise
 summary-address 2.2.0.0 255.255.0.0
 redistribute rip metric 123 metric-type 1 subnets
 network 10.1.23.0 0.0.0.255 area 202

CE3 (NSSA ABR, summarizes the translated type 7 → type 5 routes)
router ospf 1
 log-adjacency-changes
 area 202 nssa
 summary-address 10.0.0.0 255.0.0.0 not-advertise
 summary-address 1.0.0.0 255.0.0.0
 network 10.1.23.0 0.0.0.255 area 202
 network 10.1.34.0 0.0.0.255 area 0

CE4
router ospf 1
 network 10.1.34.0 0.0.0.255 area 0

Remark: for inter-area (type 3) routes the ABR tools are
 area 10 filter-list prefix FILTER out
 area 10 range 10.0.0.0 255.0.0.0 not-advertise
(only for standard areas; summary-address acts on externals)

Resulting routing tables:

CE1: lyo-maq-2611-01#sh ip route | i ^C
C 1.1.1.0 is connected, Loopback1111
C 2.2.2.0 is connected, Loopback2222
C 3.3.3.0 is connected, Loopback3333
C 10.1.12.0/24 is connected, Fast1

CE2: lyo-maq-2611-02#sh ip route | i ^R|^O
R 1.1.1.0 [120/1] via 10.1.12.1, Fast1
O 2.2.0.0/16 is a summary, Null0
R 2.2.2.0/24 [120/1] via 10.1.12.1, Fast1
R 3.3.3.0 [120/1] via 10.1.12.1, Fast1
O IA 10.1.34.0/24 [110/2] via 10.1.23.3, Fast2

CE3: lyo-maq-2811-03#sh ip route | i ^O
O N1 1.1.1.0/24 [110/124] via 10.1.23.2, Fast2
O 1.0.0.0/8 is a summary, Null0
O N1 2.2.0.0 [110/124] via 10.1.23.2, Fast2
O N1 10.1.12.0/24 [110/124] via 10.1.23.2, Fast2

CE4: lyo-maq-2811-03#sh ip route | i ^O
O E1 1.0.0.0/8 [110/124] via 10.1.34.3, Fast3
O E1 2.2.0.0 [110/125] via 10.1.34.3, Fast3

3.0.0.0/8 and 10.0.0.0/8 never leave the router that holds the not-advertise summary, 2.2.0.0/16 is summarized by the ASBR (CE2) and appears in Area 0 as an E1, and 1.0.0.0/8 is summarized by the ABR (CE3) while it translates the type 7 into a type 5.
MPLS TE

How to route a flow into a tunnel

• static routing
• PBR
• Autoroute
  o the tunnel is included in the head end's SPF calculation only, it is not advertised into the IGP
    → the other routers are unaware of the tunnel
  o default metric is the IGP metric to the tail end
  o relative/absolute metrics (for OSPF, similar to E1/E2 externals)
  o the LSP tail end is always routed through the tunnel
  o IGP + LSP load sharing is available for destinations behind the tail end
  o load sharing toward the tail end itself needs 2 LSPs
• Forwarding Adjacency
  o the tunnel is propagated into the IGP as a link, so other routers can route over it
Inter Area MPLS TE

Multi-domain LSP: each domain's core topology should be hidden

• per-domain static ERO (next-hop loose <IP of the domain edge> ...)
• CSPF stitching: a CSPF calculation on each ASBR, the ERO is then expanded inside each domain, which hides the core topology
• backward recursive path computation (BRPC): a tree is built from the destination PE (<PE>, <ASBR n> = cost X) and extended domain by domain back toward the head end
• Stitching: each domain signals its own LSP segment, with targeted signaling between the border nodes
• Stacking: the inner domain uses its own LSP to tunnel the border domains' LSP, targeted signaling required
Inter domain VPN with CSC (Carrier Supporting Carrier)

Topology: CE1 – PE1 – CSC-CE1 – CSC-PE1 – [backbone carrier] – CSC-PE2 – CSC-CE2 – PE2 – CE2

Outer VPN (backbone carrier): CSC-PE and CSC-CE exchange IPv4 routes plus labels for the customer carrier's core (PE loopbacks), in the outer VRF.
Inner VPN (customer carrier): PE1 and PE2 keep a multihop MP-iBGP vpnv4 session (e/iBGP peering with next-hop-unchanged); the end-customer VPN routing lives in vpnv4 on PE1/PE2 only, the backbone carrier never sees it.

CSC with IGP + LDP
• CSC-CE ↔ CSC-PE: IGP + LDP on the link (interface e0/0: mpls ip) inside the outer VRF
• CSC-CE: IGP + local loopback
• CSC-PE: IGP → IPv4 BGP redistribution into address-family ipv4 vrf inner

CSC with eBGP
• CSC-CE ↔ CSC-PE: IGP + local loopback → BGP with neighbor ... send-label (labels carried in BGP, mpls ip not necessary on the link)
• CSC-PE: neighbor ... as-override in the VRF address family if both customer-carrier sites use the same AS; neighbor ... send-label
Inter domain VPN option B (vpnv4 eBGP between ASBRs)

ASBR1:
interface Ethernet 1/0
 mpls bgp forwarding                    ! one VPN label allocated per prefix by the ASBR
router bgp 1
 neighbor <ASBR2> remote-as 2
 neighbor <PEs> remote-as 1
 no bgp default route-target filter     ! eBGP side: the ASBR has no VRFs, so disable route-target filtering
 address-family vpnv4
  neighbor <PEs> activate
  neighbor <PEs> next-hop-self          ! iBGP side: the ASBR becomes the next hop
  neighbor <ASBR2> activate
  neighbor <ASBR2> send-community extended

Option B1: next-hop-self method
Option B2: redistribute connected method (the ASBR-ASBR link is redistributed into the IGP instead)
Inter domain VPN option C (eBGP + send-label between ASBRs, vpnv4 between RRs)

Two labels: label 1 = PE loopback label, learned via eBGP + send-label (or via IGP+LDP after redistribution); label 2 = VPN label.

PE:
router bgp 1
 neighbor <RR1> remote-as 1
 address-family vpnv4
  neighbor <RR1> activate

RR1 (multihop eBGP vpnv4 to RR2; next hop unchanged so the remote PE stays the next hop):
router bgp 1
 neighbor <PEs> remote-as 1
 neighbor <RR2> remote-as 2
 neighbor <RR2> ebgp-multihop
 address-family vpnv4
  neighbor <PEs> activate
  neighbor <RR2> activate
  neighbor <RR2> next-hop-unchanged

ASBR1 (exchanges PE loopbacks with labels):
interface Ethernet 1/0
 mpls bgp forwarding
router bgp 1
 neighbor <ASBR2> remote-as 2
 neighbor <RR1> remote-as 1
 address-family ipv4
  redistribute <IGP>
  neighbor <ASBR2> activate
  neighbor <ASBR2> send-label
 address-family vpnv4
  neighbor <RR1> activate
router <IGP>                  ! IGP+LDP variant: the remote PE loopbacks learned over eBGP go into the local IGP/LDP
 network <loopback>
 redistribute bgp 1
MPLS QoS: DiffServ tunneling modes

• Uniform: one DiffServ domain; the IP DSCP is copied into the MPLS EXP at ingress and any EXP change in the core is written back into the DSCP at egress
• Pipe: the MPLS EXP value is set by the ISP independently of the customer DSCP, which is preserved; the egress PE queues on the EXP
• Short pipe: as pipe, but the egress PE queues on the customer's DSCP
L2VPN

• VPWS, Virtual Private Wire Service: point to point
  o L2 protocol translation (interworking, "L2.5 VPN")
  o targeted LDP (tLDP) session between the PEs
  o redundancy by nominal/backup pseudowire sessions
• VPLS, Virtual Private LAN Service: point to multipoint
  o autodiscovery with BGP
  o for Cisco: VPLS = full mesh of pseudowires between the PEs
• H-VPLS
  o full mesh between N-PEs
  o pseudowire between user PE (U-PE) and network PE (N-PE)
  o redundancy with STP or PW backup between U-PE and N-PE
Troubleshooting high CPU Utilization

• Identify process
o show proc cpu sorted
o show log
• Causes
o ARP
o BGP
o Exec
o SNMP
o NAT
o TCAM full (catalyst 3550/..)
• IP Input
o show interfaces stats
o show interfaces
o show interfaces switching
QoS operation order

• Inbound
1. QoS Policy Propagation through Border Gateway Protocol (BGP) (QPPB)
2. Input common classification
3. Input ACLs
4. Input marking (class-based marking or Committed Access Rate (CAR))
5. Input policing (through a class-based policer or CAR)
6. IP Security (IPSec)
7. Cisco Express Forwarding (CEF) or Fast Switching

• Outbound
1. CEF or Fast Switching
2. Output common classification
3. Output ACLs
4. Output marking
5. Output policing (through a class-based policer or CAR)
6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low
Latency Queueing (LLQ)), and Weighted Random Early Detection (WRED)
Multipoint WAN QoS

• Remote site ingress shaping: 95% of the line rate
• Hub egress shaping: 95% of the smallest remote bandwidth (Frame Relay)
QoS Models

4-class model       8-class model        12-class model
Realtime            Voice                Voice
                    Interactive Video    Realtime Interactive
                                         Multimedia Conferencing
                    Streaming Video      Broadcast Video
                                         Multimedia Streaming
Signaling/Control   Signaling            Signaling
                    Network Control      Network Control
                                         Network Management
Critical Data       Critical Data        Transactional Data
                                         Bulk Data
Best Effort         Best Effort          Best Effort
                    Scavenger            Scavenger
Internet Edge

• DMZ: public-facing services
• Private DMZ: internal services (DNS, collaboration, HTTP)
  o not directly reachable from the outside, so not exposed to outside attacks
• infrastructure ACLs at the edge
Internet Edge

Secure Operations
• Monitor Cisco Security Advisories and Responses
• Leverage Authentication, Authorization, and Accounting
• Centralize Log Collection and Monitoring
• Use Secure Protocols When Possible
• Gain Traffic Visibility with NetFlow
• Configuration Management

Data Plane
• General Data Plane Hardening
• Filtering Transit Traffic with Transit ACLs
• Anti-Spoofing Protections
• Limiting CPU Impact of Data Plane Traffic
• Traffic Identification and Traceback
• Access Control with VLAN Maps and Port Access Control Lists
• Using Private VLANs
Internet Edge

Management Plane
• General Management Plane Hardening
• password management
• restrict protocols
• use secure protocols
• exec-timeout
• event detection (memory, cpu threshold)
• Limiting Access to the Network with Infrastructure ACLs
• Securing Interactive Management Sessions
• Using Authentication, Authorization, and Accounting
• Fortifying the Simple Network Management Protocol
• Logging Best Practices
• Cisco IOS Software Configuration Management

Control Plane
• General Control Plane Hardening
  o filter ICMP, fragments and source-routed packets; disable proxy-ARP
• Limiting CPU Impact of Control Plane Traffic
  o filter fragments and non-IP traffic, rate-limit ICMP unreachables (CoPP)
• Securing BGP
• Securing Interior Gateway Protocols
• Securing First Hop Redundancy Protocols
Everyone wants to live on top of
the mountain, but all the
happiness and growth occurs
while you’re climbing it.
