CISQUEROS.BLOGSPOT.COM presents Hitchhikers Guide to the CCIE v0.3

Upload: nishad-dadhaniya

Post on 23-Nov-2015


3 Hitchhikers Guide to the CCIE v0.3 [cisqueros.blogspot.com]

About

This is nothing more than a script of simple guidelines I made during my CCIE preparations, 2012-2014. Have in mind that I created this script throughout the entire preparation period, so some topics might seem basic, as my level was CCNP, while some others require the reader to have an almost-CCIE level.

If you find my notes useful, I'm more than glad I could help. You can use it, share it, whatever, as long as you don't try to sell it or publish it as your own.

Table of Contents

About ..... 3
LAN Switching ..... 10
LAN Switching Tips and Tricks ..... 11
VLAN Filters for NON-IP Traffic ..... 11
MEMORY OPTIMIZATION - SDM (Switch Database Management) ..... 12
INTERFACE Statuses ..... 13
CAM TABLE ..... 13
VTP - VLAN Trunking Protocol ..... 13
VMPS - VLAN Membership Policy Server ..... 14
TRUNKS and DTP (Dynamic Trunking Protocol) ..... 14
PRIVATE VLANS ..... 15
Dot1q Tunneling: 802.1q, QinQ Tunneling ..... 16
SPANNING TREE PROTOCOL (STP) ..... 16
MULTIPLE SPANNING TREE (MSTP) ..... 18
PORTFAST ..... 18
BPDU GUARD ..... 18
UDLD - Unidirectional Link Detection ..... 19
SOURCE GUARD and DHCP SNOOPING ..... 20
ETHERCHANNEL ..... 20
DAI (Dynamic ARP Inspection) ..... 22
SNMP - UDP 161,162 ..... 23
MONITORING ..... 24
LOGGING ..... 24
STORM CONTROL ..... 25
HTTP Server (HTTP access) on a Switch ..... 25
Router on a STICK and IP BRIDGING ..... 25
IP Services ..... 26
IP Services Tips and Tricks ..... 27
HSRP - Hot Standby Routing Protocol ..... 27
VRRP - Virtual Routing Redundancy Protocol ..... 28
GLBP - Global Load Balancing Protocol ..... 29
IRDP - ICMP Router Discovery Protocol ..... 30
DRP - Cisco Distributed Route Processor ..... 31
WAAS and WCCP Protocol ..... 31
NTP - Network Time Protocol ..... 32
IP SLA - Monitor the Network Performance ..... 33
STATIC NAT ..... 34
DYNAMIC NAT ..... 35
Load Balancing using NAT ..... 35
PAT (NAT Overload) ..... 36
PAR - When you need to implement traffic redirections using NAT ..... 36
Static NAT redundancy with HSRP ..... 37
Scalability for Stateful NAT (SNAT) ..... 37
NAT Translations with the Outside Source ..... 38
NAT on a Stick ..... 38
DHCP Server ..... 39
CNS (Cisco Networking Services) ..... 39
GRE Tunnels ..... 40
Various IOS Tricks ..... 40
IP Routing ..... 42
IPv4 Routing TIPS ..... 43
PBR - Policy Based Routing ..... 43
EOT - Enhanced Object Tracking ..... 43
ODR - ON-DEMAND ROUTING ..... 44
RIP ..... 44
RIP: Authentication ..... 44
RIP: Timers ..... 45
RIP: Updates Control ..... 46
RIP: OFFSET LISTS ..... 46
RIP: Update Source Control ..... 46
RIP: Route Summarizing ..... 47
RIP: Route Filtering using Prefix Lists ..... 47
OSPF ..... 48
OSPF over Frame-Relay, focus on Network Types ..... 48
OSPF: Configuration on INTERFACE LEVEL ..... 49
OSPF: Timers ..... 49
OSPF: Authentication ..... 50
OSPF: Route Redistribution ..... 50
OSPF Route Summarization ..... 51
OSPF Virtual Link ..... 51
OSPF Cost ..... 52
Redirecting Traffic (FORCING A PATH) ..... 52
OSPF and the GRE Tunnels ..... 53
OSPF LSA Types and AREA TYPES ..... 53
OSPF STUBS ..... 55
OSPF Route Filtering ..... 56
OSPF Non-Broadcast Networks ..... 57
OSPF NBMA (Non Broadcast Multiple Access) Networks ..... 58
OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ..... 58
DNS Lookup in OSPF ..... 59
ISPF ..... 59
Forward Address Suppression ..... 59
OSPF Sham Link ..... 60
OSPF in MPLS ..... 61
EIGRP ..... 62
EIGRP "show neighbors" command ..... 62
EIGRP Metric - K Values ..... 63
EIGRP Route Summarization and Leak Maps ..... 64
EIGRP Default Gateway ..... 64
VARIANCE Command ..... 65
EIGRP Authentication ..... 65
EIGRP: Maximum Hops ..... 65
EIGRP Administrative Distance ..... 66
EIGRP Updates BW Percent ..... 66
EIGRP Redistribute Routes into EIGRP ..... 66
EIGRP offset-list [metric adjustments] ..... 66
EIGRP Stub ..... 66
MP-EIGRP ..... 67
EIGRP Route Filtering ..... 67
BGP TIPs and Best Practices ..... 68
BGP Version ..... 70
BGP Peer-Group ..... 70
BGP Peer-Session and Peer-Policy Templates ..... 71
BGP Authentication ..... 71
BGP Route Reflectors ..... 72
BGP BACKDOOR Route ..... 73
BGP CONDITIONAL Advertisements - Advertise Maps ..... 73
BGP Route Dampening ..... 74
BGP Route Summarization ..... 75
BGP INJECT and EXIST map ..... 75
BGP Community Attribute ..... 75
BGP & Load Balancing ..... 76
1. AS-Path (the fewer ASs in the path, the better) ..... 77
2. Weight (the higher, the better) ..... 78
3. MED (Multi Exit Discriminator) ..... 79
4. LOCAL PREFERENCE ..... 79
BGP Filters: Distribution and Prefix lists ..... 80
BGP: Regular Expressions ..... 80
BGP Confederations ..... 81
MP-BGP (Multi-Protocol BGP) ..... 82
Route Redistribution TIPs ..... 83
QoS ..... 84
QoS TIPS ..... 85
QoS on Access Ports ..... 85
DSCP and COS MAPPING ..... 87
Map COS to DSCP on a device ..... 87
QoS POLICING - INDIVIDUAL and AGGREGATE POLICER ..... 88
PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ..... 88
WFQ - By default works with IP PRECEDENCE ..... 89
RSVP - Resource Reservation Protocol ..... 89
IPv6 QoS ..... 90
Match MAC ADDRESS ..... 90
QoS Frame-Relay SHAPING ..... 90
QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ..... 92
QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ..... 93
QoS CBWFQ - configured using MQC ..... 93
QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ..... 93
Define the QoS Schedule (TIME-RANGE command) ..... 94
QoS CAR (Committed Access Rate) - "rate-limit" Interface Command ..... 94
NBAR (match protocol XXX) - if you need to match the port without the ACL ..... 94
DUAL RATE - DUAL BUCKET ..... 95
WRED - Weighted Random Early Detection and CB-WRED ..... 95
WAN ..... 96
Frame-Relay TIPS ..... 97
FRAME RELAY QoS ..... 97
PHYSICAL INTERFACE CONFIGURATION ..... 98
POINT-TO-POINT SUB-INTERFACE ..... 98
POINT-TO-MULTIPOINT SUB-INTERFACE ..... 99
VIRTUAL TEMPLATE ..... 99
FRAME RELAY AUTHENTICATION ..... 100
FRAME RELAY End-to-End KEEPALIVE ..... 101
FRAME-RELAY MULTILINKING ..... 102
FRAME-RELAY AUTO-INSTALL ..... 103
IP Multicast ..... 104
Multicast TIPS ..... 105
Multicast - IGMP ..... 106
Configure PIM Multicast ..... 107
PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ..... 109
STATIC RENDEZVOUS POINT (RP) Configuration ..... 110
DESIGNATED ROUTER (DR) Configuration ..... 110
IP MULTICAST: AUTOMATIC RENDEZVOUS POINT (Auto-RP) Configuration ..... 111
IP MULTICAST: BSR (Bootstrap Router) Configuration ..... 112
IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ..... 113
Multiprotocol BGP (MP-BGP) & IP Multicast ..... 113
IP MULTICAST: Configuring SSM (Source Specific Multicast) ..... 114
IP MULTICAST: Bidirectional PIM (Bidir-PIM) ..... 115
IP MULTICAST: Helper Map ..... 116
MULTICAST Helper Map & Helper-address ..... 117
Security ..... 118
Security TIPS ..... 119
Layer 2 Security ..... 120
Access Restrictions and Privilege Levels ..... 121
RBAC (Role Based Access Control) ..... 121
Router Security - Best Practices ..... 121
KNOWN ATTACKS and how to prevent them ..... 122
BANNER and MENU Configuration ..... 123
Configure SSH Access ..... 123
ADVANCED Access Lists (ACL) Configuration ..... 124
DYNAMIC ACL (aka Lock and Key ACL) ..... 125
REFLEXIVE ACL - For Session Filtering ..... 126
TCP INTERCEPT - To prevent TCP SYN DoS attacks ..... 126
CBAC - Context Based Access Control Firewall ..... 127
PAM - Port to Application Mapping ..... 128
uRPF - Unicast Reverse Path Forwarding ..... 128
Zone Based Firewall ..... 129
CONTROL Plane Policy (CPPr) ..... 130
IOS IPS (Intrusion Prevention System) ..... 131
AAA Authentication ..... 132
MPLS ..... 134
MPLS Configuration ..... 135
MPLS LFIB and Labels (Label Spacing) ..... 136
MPLS Session Protection ..... 137
MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ..... 138

    L2VPN - AToM (Any Transport over MPLS) ............................................................................................................... 139

    IPv6 ................................................................................................................................................................................ 140

    IPv6 TIPS .................................................................................................................................................................... 141

    IPv6 Basics ................................................................................................................................................................. 141

    Convert MAC to Link Local IPv6 Address .................................................................................................................. 143

    IPv6 Routing .............................................................................................................................................................. 144

    RIPng ......................................................................................................................................................................... 145

    OSPFv3 ...................................................................................................................................................................... 145

    EIGRP IPv6 ................................................................................................................................................................. 146

    MP-BGP, using a BGP-4 protocol extensions for IPv6 ............................................................................................... 147

    IPv6 Tunnels .............................................................................................................................................................. 147

    IPv6 Multicast Routing .............................................................................................................................................. 149

LAN Switching

____________________________________________________________________________________________________________________

LAN Switching Tips and Tricks
____________________________________________________________________________________________________________________

Remove a FOLDER from the flash:

#delete /force /recursive flash:c3750-ipbase-mz.122-35.SE5

TIP: When a Cisco IP Phone is attached to an access port, configure "switchport voice vlan X" on that access port.

TIP: The max-age time is the number of seconds a switch waits without receiving spanning-tree configuration messages (BPDUs) before attempting a reconfiguration:

    (config)#spanning-tree vlan 1 max-age 30

    ____________________________________________________________________________________________________________________

VLAN Filters for NON-IP Traffic
____________________________________________________________________________________________________________________

These are not used in production environments very often, but for the CCIE exam they can be useful to know. In the Cisco docs they are found under "Network Security with ACLs" in the Switch Configuration Guide:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swacl.html

STEP 1: Instead of an IP ACL, we create a MAC ACL that we apply later. For example, here a MAC access list is created to filter out BPDUs of a certain type (check all the NON-IP traffic types we can filter on):

    (config)# mac access-list extended DENY_BPDU

(config-ext-macl)# permit host 0000.0c00.0111 any

    (config-ext-macl)# permit any any ?

    An arbitrary EtherType in decimal, hex, or octal

    aarp EtherType: AppleTalk ARP

    amber EtherType: DEC-Amber

    appletalk EtherType: AppleTalk/EtherTalk

    cos CoS value

    dec-spanning EtherType: DEC-Spanning-Tree

    decnet-iv EtherType: DECnet Phase IV

    diagnostic EtherType: DEC-Diagnostic

    dsm EtherType: DEC-DSM

    etype-6000 EtherType: 0x6000

    etype-8042 EtherType: 0x8042

    lat EtherType: DEC-LAT

    lavc-sca EtherType: DEC-LAVC-SCA

    lsap LSAP value

    mop-console EtherType: DEC-MOP Remote Console

    mop-dump EtherType: DEC-MOP Dump

    msdos EtherType: DEC-MSDOS

    mumps EtherType: DEC-MUMPS

    netbios EtherType: DEC-NETBIOS

    vines-echo EtherType: VINES Echo

    vines-ip EtherType: VINES IP

    xns-idp EtherType: XNS IDP

    STEP 2: After the MAC ACL is created, we need to apply the MAC ACL to a Layer 2 Interface. This can be done in one of 2 ways:

    1. Directly using the "mac access-group MACL in" command

    2. Using the VLAN Maps

    VLAN Maps are the only way to control filtering within a VLAN. You can define the DROP or FWD action:

    (config)#vlan access-map VLANACM 10

____________________________________________________________________________________________________________________

MEMORY OPTIMIZATION - SDM (Switch Database Management)
____________________________________________________________________________________________________________________

    Cisco Docs: 3560->Consolidated Platform Configuration Guides->SystemManagement->SDM Templates

Depending on the switch's purpose (L2 switching using CEF, IP routing, or IPv6), memory allocation can be optimized using SDM (Switch Database Management). There are 4 templates:

    - ACCESS - For QoS and Security

    - ROUTING - for IP Routing

    - VLAN - Sets Switch to L2 and disables IP Routing

    - Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)

    (config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]

    (config)#sdm prefer ?

    access Access bias

    default Default bias

    dual-ipv4-and-ipv6 Support both IPv4 and IPv6

____________________________________________________________________________________________________________________

INTERFACE Statuses
____________________________________________________________________________________________________________________

INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING:

GigabitEthernet3/0/1      unassigned      YES unset  down                  down

INTERFACE "shutdown":

GigabitEthernet3/0/17     unassigned      YES unset  administratively down down

INTERFACE "no shut" and CONNECTED:

GigabitEthernet3/0/19     unassigned      YES unset  up                    up

    ____________________________________________________________________________________________________________________

CAM TABLE
____________________________________________________________________________________________________________________

You can set the MAC aging time, and port security (allow only the known, secure MAC addresses):

    (config)#mac address-table aging-time 600


    ENABLE PRUNING (can be done ONLY ON VTP SERVER Switch):

    #vtp pruning

____________________________________________________________________________________________________________________

PRIVATE VLANS
____________________________________________________________________________________________________________________

    *REQUIRES VTP MODE TO BE SET TO TRANSPARENT, which disables VTP!!!

(config)#vtp mode transparent

    This topic belongs to L2 SECURITY rather than L2 SWITCHING.

    Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!

    1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE

    (config)#vlan 10

    (config-vlan)#private-vlan primary

    (config-vlan)#private-vlan association add 20,30,40

____________________________________________________________________________________________________________________

Dot1q Tunneling: 802.1q, QinQ Tunneling
____________________________________________________________________________________________________________________

When a TUNNEL port receives customer traffic, the INGRESS port adds a 4-byte tag: a 2-byte EtherType field 0x8100 + 2 bytes for CoS and VLAN ID. The EGRESS tunnel port STRIPS THESE 4 BYTES.

    (config-if)#switchport access vlan 100

    (config-if)#switchport mode dot1q-tunnel


    Great command to check the ROOT:

#show spanning-tree root

                                          Root    Hello Max Fwd
Vlan                   Root ID            Cost    Time  Age Dly  Root Port
---------------- --------------------   --------- ----- --- ---  ------------
VLAN0001         32769 aabb.cc00.0600         200     2  20  15  Et2/2
VLAN0100         24676 aabb.cc00.0600         200     2  20  15  Et2/2
VLAN0200         24776 aabb.cc00.0700         100     2  20  15  Et2/2
VLAN0300         24876 aabb.cc00.0800         100     2  20  15  Et3/1
VLAN0400         24976 aabb.cc00.0900           0     2  20  15

____________________________________________________________________________________________________________________

MULTIPLE SPANNING TREE (MSTP)
____________________________________________________________________________________________________________________

    Supports up to 4096 instances of Spanning Tree

    (config)#spanning-tree mode mst

    (config)#spanning-tree mst configuration

    (config-mst)#revision 1

    (config-mst)#instance 1 vlan 12, 34

    (config-mst)#instance 2 vlan 56, 90

    (config-mst)#name CCIE

____________________________________________________________________________________________________________________

UDLD - Unidirectional Link Detection
____________________________________________________________________________________________________________________

UDLD detects the case where the SEND (transmit) fibre of a link is down while the RECEIVE fibre is still active, which happens on fibre optic cables quite often. UDLD sends L2 pings (echo messages) between neighbors to check that the other side is still responding. To enable Unidirectional Link Detection on an interface:

    (config-if)#udld port aggressive

    GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!!

    ITS RECOMMENDED TO USE UDLD WITH LOOPGUARD!!! (For the port to enter the DISABLE state when BPDU are no longer received)

    Normally when unidirectional link occurs, the other side stops receiving BPDUs, and assumes that STP ROOT is no longer available, so - it

    declares itself as a NEW STP ROOT. Loopguard prevents this.

    (config-if)#spanning-tree guard loop

____________________________________________________________________________________________________________________

SOURCE GUARD and DHCP SNOOPING
____________________________________________________________________________________________________________________

    !!!! SOURCE GUARD WILL NOT WORK IF DHCP SNOOPING IS NOT ENABLED!!!

    (config)#ip dhcp snooping


    Check the DEFAULT PARAMETERS:

#show lacp 1 internal

Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi3/0/19  SA      bndl      32768         0x1       0x1     0x7F        0x3D
Gi3/0/20  SA      bndl      32768         0x1       0x1     0x80        0x3D

"ON" - Doesn't use LACP or PAgP. BOTH sides MUST BE ON!!!

(config)#do show etherchannel protocol

Channel-group listing:
----------------------
Group: 13
----------
Protocol: - (Mode ON)

    You can configure MAX 16 PORTS, out of which: MAXIMUM 8 ACTIVE PORTS, and the other HOT STANDBY (activate if one of the first 8 fail).

    Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured:

(config-if)#lacp port-priority 1

NO SHUT on the PHYSICAL INTERFACES!

"show etherchannel summary" line for the bundle:

24     Po24(SU)        PAgP      Gi1/0/21(P) Gi1/0/22(P)

* "show interface trunk" will show only the Port-Channel, but "show interface XX switchport" will show that the physical interface IS a TRUNK

    LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode):

    (config)#port-channel load-balance ?

    dst-ip Dst IP Addr

    dst-mac Dst Mac Addr

    src-dst-ip Src XOR Dst IP Addr

    src-dst-mac Src XOR Dst Mac Addr

    src-ip Src IP Addr

    src-mac Src Mac Addr

    #show etherchannel load-balance

    Ether Channel Load-Balancing Configuration:

    dst-mac

    Ether Channel Load-Balancing Addresses Used Per-Protocol:

    Non-IP: Destination MAC address

    IPv4: Destination MAC address

    IPv6: Destination MAC address

    Spanning Tree treats the Etherchannel Link as a SINGLE LINK, by sending the BPDUs only over one of the physical links
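To see why the dst-mac setting shown above sends all traffic towards one gateway MAC down a single member link, here is an added Python model (not from this guide, not Cisco code) of hash-based member selection: the configured fields are XOR-ed, the low-order bits pick one of 8 hash buckets, and buckets are dealt onto the member links (so 3 links get a 3:3:2 split). The XOR-of-low-bits hash and the sample host and gateway addresses are assumptions made for illustration; the real platform hash is proprietary.

```python
"""Model of Catalyst EtherChannel load balancing: which member link a frame uses.

Added illustration, not Cisco's actual hash. Assumptions: the configured
fields are XOR-ed together, the low-order 3 bits of the result select one of
8 hash buckets, and buckets are dealt round-robin onto the member links.
"""
from collections import Counter
from ipaddress import IPv4Address

BUCKETS = 8  # EtherChannel distributes flows over 8 hash buckets


def mac_to_int(mac: str) -> int:
    """'aabb.cc00.0600' (Cisco dotted form) -> integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def select_link(method: str, n_links: int, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str) -> int:
    """Return the member link index (0..n_links-1) chosen for one frame.

    method is one of the 'port-channel load-balance' keywords on the page:
    dst-ip, dst-mac, src-dst-ip, src-dst-mac, src-ip, src-mac.
    """
    if not 1 <= n_links <= BUCKETS:
        raise ValueError("EtherChannel has 1..8 active member links")
    fields = {
        "src-mac": [mac_to_int(src_mac)],
        "dst-mac": [mac_to_int(dst_mac)],
        "src-dst-mac": [mac_to_int(src_mac), mac_to_int(dst_mac)],
        "src-ip": [int(IPv4Address(src_ip))],
        "dst-ip": [int(IPv4Address(dst_ip))],
        "src-dst-ip": [int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))],
    }
    if method not in fields:
        raise ValueError(f"unknown load-balance method {method!r}")
    mixed = 0
    for value in fields[method]:
        mixed ^= value
    bucket = mixed & (BUCKETS - 1)   # low-order 3 bits -> bucket 0..7
    return bucket % n_links          # buckets dealt onto links: 3 links -> 3:3:2


def distribution(method: str, n_links: int, flows) -> dict:
    """Count how many of the given (src_mac, dst_mac, src_ip, dst_ip) flows land on each link."""
    counts = Counter(select_link(method, n_links, *flow) for flow in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


# Constructed sample: 16 access-layer hosts all talking to the default gateway
# (one destination MAC / IP), the classic case where dst-mac polarises traffic.
GATEWAY_MAC = "0000.0c07.ac01"
GATEWAY_IP = "10.1.1.1"
HOST_FLOWS = [
    (f"aabb.cc00.{n:04x}", GATEWAY_MAC, f"10.1.1.{10 + n}", GATEWAY_IP)
    for n in range(16)
]

if __name__ == "__main__":
    for method in ("dst-mac", "src-mac", "src-dst-ip"):
        print(f"{method:12s} 2 links: {distribution(method, 2, HOST_FLOWS)}")
    print("src-dst-ip   3 links:", distribution("src-dst-ip", 3, HOST_FLOWS))
```

With dst-mac every host-to-gateway flow lands on the same link, while src-mac or src-dst-ip spreads the same flows evenly; the 3-link case shows the uneven 6:6:4 split that 8 buckets produce.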

____________________________________________________________________________________________________________________

DAI (Dynamic ARP Inspection)
____________________________________________________________________________________________________________________

    (config)#ip arp inspection vlan 2

____________________________________________________________________________________________________________________

SNMP - UDP 161,162
____________________________________________________________________________________________________________________

    Two ways to configure it:

    1. SNMP polling, where the NMS asks the Router what is the status of the MIB

2. SNMP Walk - where the NMS pulls every MIB object the device exposes and filters out what it needs

    Send the SNMP traps, Community "Public" to the NMS Server:

    (config)#snmp-server host 192.168.1.1 traps [Public | Private]

    If you need to define the VERSION and the COMMUNITY STRING:

    (config)#snmp-server host 192.168.1.100 traps version 2c cisco

    To define RO and RW COMMUNITY:

    (config)#snmp-server community TST-RO ro

____________________________________________________________________________________________________________________

MONITORING
____________________________________________________________________________________________________________________

RSPAN - Don't forget to CREATE the VLAN specially for the RSPAN:

    (config)#vlan 22

    (config-vlan)#remote-span

    ____________________________________________________________________________________________________________________

LOGGING
____________________________________________________________________________________________________________________

    Remote IP:

    (config)#logging x.y.z.w

Or locally in a FILE:

    (config)#logging file flash:syslog 7

____________________________________________________________________________________________________________________

STORM CONTROL
____________________________________________________________________________________________________________________

    To LIMIT the type of traffic (BROADCAST or MULTICAST or UNICAST). To limit the Broadcast to 50%:

    (config-if)#storm-control broadcast level 50.00

IP Services

____________________________________________________________________________________________________________________

IP Services Tips and Tricks
____________________________________________________________________________________________________________________

    IMPORTANT:

    HSRP: UDP to Multicast Address 224.0.0.2 (all routers), VRRP: Directly over IP, Protocol 112

    HSRPv2: Also UDP, solves the conflict between the CGMP Leave Messages, Multicast Address 224.0.0.105

TIP: When a CLIENT sends an ARP request for an IP which is outside its own segment, the router responds with its own MAC address. This is called Proxy ARP; it's ON by default on Fast Ethernet, and it can be disabled:

    (config-if)#no ip proxy-arp

    ____________________________________________________________________________________________________________________

HSRP - Hot Standby Routing Protocol
____________________________________________________________________________________________________________________

    HSRP is a Cisco Proprietary protocol. There are 3 types of HSRP messages: HELLO, COUP (used by a router with the highest priority, which is

    currently NOT ACTIVE, to tell others that it should be ACTIVE) and RESIGN

    Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:

    interface FastEthernet0/0

    ip address 172.25.25.2 255.255.255.0

    standby 1 ip 172.25.25.22

____________________________________________________________________________________________________________________

VRRP - Virtual Routing Redundancy Protocol
____________________________________________________________________________________________________________________

    The VRRP configuration is similar to the HSRP, with a few slight differences. For example, there are no ACTIVE and STANDBY, but MASTER

    and BACKUP router, as shown below:

#show vrrp brief

Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              1   200 3218      Y   Master  172.25.12.1     172.25.12.22
Fa0/0              2   100 3609      Y   Backup  172.25.12.2     172.25.12.11

    TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup, and tell the Backup to

    LEARN the Hello Timer from the Master:

    (config-if)#vrrp 1 timers advertise 10

    (config-if)#vrrp 2 timers learn

    *Router is Master for VRRP Group 1 and Backup for VRRP Group 2

    VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug on the VRRP Pair

    router is as follows (before the authentication is configured on BOTH):

    #debug vrrp

    *13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

    *13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4

    *13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

    *13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4

    *13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

    *13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

    *13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5

    *13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4

    *13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0

    *13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4

    #u all

    All possible debugging has been turned off

    The configuration on the interface will look similar to the HSRP:

    interface FastEthernet0/0

    ip address 172.25.12.2 255.255.255.0

    vrrp 1 description MAT1

    vrrp 1 ip 172.25.12.22

    vrrp 1 timers learn

    vrrp 1 authentication cisco

    vrrp 2 description MAT2

    vrrp 2 ip 172.25.12.11

    vrrp 2 timers advertise 10

    vrrp 2 priority 200

    end

    !!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default!
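The debug lines above show what the receiving router does with each advertisement: it checks the authentication type against its own group configuration before accepting it. Here is an added Python parser (not from this guide, not IOS code) for the VRRPv2 advertisement layout of RFC 3768, carried over IP protocol 112 as noted above; it verifies the checksum and reports the same mismatch the debug shows. The sample packet (group 2, priority 200, text authentication "cisco" as in the config above) is constructed here, and the sender address 172.25.12.1 is taken from the debug output.

```python
"""Parse and validate VRRPv2 advertisements (IP protocol 112, RFC 3768 layout).

Added illustration, not IOS code. The packet is the VRRP payload only (the IP
header carrying it to 224.0.0.18 is assumed to have been stripped already).
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
HEADER = struct.Struct("!BBBBBBH")  # ver/type, vrid, prio, count, auth, adver_int, csum
AUTH_DATA_LEN = 8                    # always present, zero when auth type is 0


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement sum over the VRRP message (no pseudo-header in v2)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    auth_type: int      # 0 = none, 1 = simple text ("vrrp X authentication text ...")
    adver_int: int
    addresses: list
    auth_data: bytes
    checksum_ok: bool


def build_advertisement(vrid, priority, addresses, auth_type=0, adver_int=1,
                        auth_data=b"") -> bytes:
    """Build an advertisement; used here only to create the constructed sample."""
    body = b"".join(IPv4Address(a).packed for a in addresses)
    body += auth_data.ljust(AUTH_DATA_LEN, b"\x00")[:AUTH_DATA_LEN]
    first = (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT
    unchecked = HEADER.pack(first, vrid, priority, len(addresses),
                            auth_type, adver_int, 0) + body
    csum = ones_complement_checksum(unchecked)
    return HEADER.pack(first, vrid, priority, len(addresses),
                       auth_type, adver_int, csum) + body


def parse_advertisement(packet: bytes) -> Advertisement:
    """Decode the fixed header, the advertised virtual IPs and the auth data."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated VRRP header")
    first, vrid, prio, count, auth_type, adver_int, _ = HEADER.unpack_from(packet)
    if first >> 4 != VRRP_VERSION or first & 0xF != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    end_addrs = HEADER.size + 4 * count
    if len(packet) < end_addrs + AUTH_DATA_LEN:
        raise ValueError("packet shorter than its address count implies")
    addresses = [str(IPv4Address(packet[i:i + 4]))
                 for i in range(HEADER.size, end_addrs, 4)]
    return Advertisement(
        vrid=vrid, priority=prio, auth_type=auth_type, adver_int=adver_int,
        addresses=addresses,
        auth_data=packet[end_addrs:end_addrs + AUTH_DATA_LEN],
        # a message whose checksum field is correct sums to zero
        checksum_ok=ones_complement_checksum(packet[:end_addrs + AUTH_DATA_LEN]) == 0,
    )


def check_advertisement(packet: bytes, sender: str, expected_auth_type: int) -> list:
    """Reasons a receiver configured with expected_auth_type would reject the packet.

    The strings mirror the 'debug vrrp' line on the page; an empty list means accept.
    """
    adv = parse_advertisement(packet)
    problems = []
    if not adv.checksum_ok:
        problems.append(f"Grp {adv.vrid} Advertisement from {sender} has bad checksum")
    if adv.auth_type != expected_auth_type:
        problems.append(f"Grp {adv.vrid} Advertisement from {sender} has incorrect "
                        f"authentication type {adv.auth_type} expected {expected_auth_type}")
    return problems


# Constructed sample: the group-2 advertisement a router with "vrrp 2 authentication cisco",
# "vrrp 2 timers advertise 10" and "vrrp 2 priority 200" would send for virtual IP 172.25.12.11.
SAMPLE = build_advertisement(vrid=2, priority=200, addresses=["172.25.12.11"],
                             auth_type=1, adver_int=10, auth_data=b"cisco")

if __name__ == "__main__":
    print(parse_advertisement(SAMPLE))
    for line in check_advertisement(SAMPLE, "172.25.12.1", expected_auth_type=0):
        print("VRRP:", line)
```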

____________________________________________________________________________________________________________________

GLBP - Global Load Balancing Protocol
____________________________________________________________________________________________________________________

    GLBP is different from HSRP and VRRP, as in - it's more complex and gives more possibilities, such as Load Balancing Feature.

It's got 1 VIRTUAL IP and VARIOUS virtual MACs; the AVG (defined below) decides when to announce which forwarding router's MAC to the client.

    You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!

    GLBP Group Members communicate using HELLOs 224.0.0.102, UDP/3222, by default Hello Timer = 3 sec

    Basically there are 2 roles:

AVG (Active Virtual Gateway) - the MASTER router, in charge of assigning Virtual MAC addresses to the other routers; it has to know ALL the MACs of the AVFs.

AVFs (Active Virtual Forwarders) - the rest of the routers; they take over the AVG function if the AVG dies.

#sh glbp br

Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Standby  10.1.1.100      10.1.1.2        local
Fa0/0       1    1   7   Active   0007.b400.0101  local           -
Fa0/0       1    2   7   Listen   0007.b400.0102  10.1.1.2        -

    You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing

    method:

    (config-if)#glbp 1 load-balancing ?

    host-dependent Load balance equally, source MAC determines forwarder choice

    round-robin Load balance equally using each forwarder in turn

    weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)

    As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC of AVF that has failed.

    (config-if)#glbp 1 timers ?

    Hello interval in seconds

    msec Specify hello interval in milliseconds

    redirect Specify time-out values for failed forwarders

    Tracking is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object. The advantage is that

    you can track 2 interfaces at once!!!

    (config)#track 1 interface fa0/0 ?

    ip IP parameters
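To make the AVG's role concrete, here is an added Python simulation (not from this guide, not IOS code) of how the AVG answers ARP requests for the single virtual IP with one of the forwarders' virtual MACs (the 0007.b400.GGFF form seen in the brief output above) under the three load-balancing methods listed. The weighted method is modelled as a smooth weighted round-robin and host-dependent as a stable hash of the client MAC; those two choices and the sample client MACs and weights are assumptions.

```python
"""Simulation of GLBP AVG virtual-MAC assignment under the three load-balancing methods.

Added illustration, not IOS code. GLBP virtual MACs are 0007.b400.GGFF with GG the
group number and FF the forwarder number, as in the 'show glbp brief' output.
"""
import hashlib
from itertools import cycle

MAX_FORWARDERS = 4  # a GLBP group has at most 4 AVFs


def virtual_mac(group: int, forwarder: int) -> str:
    """0007.b400.GGFF in Cisco dotted notation."""
    return f"0007.b400.{group:02x}{forwarder:02x}"


class ActiveVirtualGateway:
    """The AVG hands out forwarder MACs in ARP replies for the group's virtual IP."""

    def __init__(self, group: int, virtual_ip: str, weights: dict,
                 method: str = "round-robin"):
        # weights: {forwarder number (1..4): weight}; list only forwarders that are up
        if not 1 <= len(weights) <= MAX_FORWARDERS:
            raise ValueError("a GLBP group has 1 to 4 forwarders")
        if method not in ("round-robin", "host-dependent", "weighted"):
            raise ValueError(f"unknown load-balancing method {method!r}")
        self.group, self.virtual_ip, self.method = group, virtual_ip, method
        self.weights = dict(sorted(weights.items()))
        self._rr = cycle(self.weights)                    # round-robin order
        self._credit = {fwd: 0 for fwd in self.weights}  # smooth weighted RR state

    def arp_reply(self, client_mac: str) -> str:
        """Virtual MAC returned to a client that ARPs for the virtual IP."""
        if self.method == "round-robin":
            fwd = next(self._rr)                          # each forwarder in turn
        elif self.method == "host-dependent":
            # the same client MAC always maps to the same forwarder (assumed: stable hash)
            digest = hashlib.sha256(client_mac.lower().encode()).digest()
            fwd = list(self.weights)[digest[0] % len(self.weights)]
        else:
            # smooth weighted round-robin: proportional to weight, without long runs
            for f, w in self.weights.items():
                self._credit[f] += w
            fwd = max(self._credit, key=self._credit.get)
            self._credit[fwd] -= sum(self.weights.values())
        return virtual_mac(self.group, fwd)


def assignment_counts(avg: ActiveVirtualGateway, client_macs) -> dict:
    """How many clients end up using each forwarder's virtual MAC."""
    counts = {}
    for mac in client_macs:
        vmac = avg.arp_reply(mac)
        counts[vmac] = counts.get(vmac, 0) + 1
    return counts


# Constructed sample: 12 clients in group 1 (virtual IP 10.1.1.100 as in the brief output),
# forwarders 1 and 2 up, forwarder 2 carrying twice the weight of forwarder 1.
CLIENTS = [f"aabb.cc00.{n:04x}" for n in range(12)]
WEIGHTS = {1: 100, 2: 200}

if __name__ == "__main__":
    for method in ("round-robin", "weighted", "host-dependent"):
        avg = ActiveVirtualGateway(1, "10.1.1.100", WEIGHTS, method)
        print(f"{method:15s}", assignment_counts(avg, CLIENTS))
```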

____________________________________________________________________________________________________________________

IRDP - ICMP Router Discovery Protocol
____________________________________________________________________________________________________________________

    IRDP enables Routers to automatically discover the IP of their potential Default Gateway. It uses ICMP and Solicitation Messages.

    Potential GW Routers periodically announce the IP address of their IRDP configured interface to a broadcast destination. IRDP Preference

    value is advertised with these messages, along with the IP Address.

    Step 1:

The configuration is pretty straight-forward. First you MUST turn routing off on the router that should discover its own GW:

    (config)#no ip routing

    Step 2:

    IRDP needs to be enabled on the Router:

    (config)#ip gdp ?

    eigrp Discover routers transmitting EIGRP router updates

    irdp Discover routers transmitting IRDP router updates

____________________________________________________________________________________________________________________

DRP - Cisco Distributed Route Processor
____________________________________________________________________________________________________________________

    It's a UDP based application, which enables Cisco Distributed Director to QUERY ROUTES (DRP Agent). It transparently REDIRECTS end-user

    service requests to CLOSEST RESPONSIVE SERVER. The configuration is straight-forward:

    Step 1: Enable the DRP Server Agent:

    (config)#ip drp server

Step 2: Define the ACL that controls who is allowed to send queries to the DRP agent:

    (config)#access-list 11 permit 10.182.131.15

    Step 3: Attach the ACL to the DRP:

    (config)#ip drp access-group 11

    Step 4: Create the key-chain and set the DRP to use it for authentication:

    (config)#ip drp authentication key-chain DRP_CHAIN

    ____________________________________________________________________________________________________________________

WAAS and WCCP Protocol
____________________________________________________________________________________________________________________

WCCP is the Web Cache Communication Protocol; it enables the redirection of client web requests to one or more Web Cache Engines, which improves web browsing over slow links. The only INTERFACE command needed to enable this for the users of that VLAN is "ip wccp web-cache redirect [in | out]". If you set OUT, the router looks at the HTTP requests going OUT of that interface, so it is most commonly enabled on the WAN interface.

    First you need to enable the WCCP (protocol for web caching) globally on a router:

    (config)#ip wccp web-cache

    On the WAN interface enable checking if the packets need to be redirected to a web cache. Enable the redirection of outgoing destination

    port 80 packets on the interface:

    (config-if)#ip wccp web-cache redirect out

    Define the ACL that only contains the Cache Engine IP:

    (config)#access-list 11 permit 10.182.131.15

    Attach the configured ACL to the WCCP configuration:

    (config)#ip wccp web-cache group-list 11

____________________________________________________________________________________________________________________

NTP - Network Time Protocol
____________________________________________________________________________________________________________________

    First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)

    #clock set 16:50:00 15 NOVEMBER 2013

*%SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013, configured from console by console.

    Now if you set this time really well, and the Switch is new generation and you really trust it, then in order to have an entire network to be

    synchronized (and absolutely no external NTP available), set the most awesome switch to be a NTP Server:

    (config)#ntp master ?

    Stratum number

____________________________________________________________________________________________________________________

IP SLA - Monitor the Network Performance
____________________________________________________________________________________________________________________

    Probably the most typical usage of IP SLA is to measure the UDP Jitter and Echo, in order to make sure that the path is good enough to send the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).

IP SLA can be configured without a specific PROBE type: just configure sending a generated packet to the RESPONDER, where the RESPONDER is configured to reply with TIME STAMP information, so the source can calculate the performance values. Be CAREFUL with the clocks: configure NTP if you're not certain the devices are synced.

Configure the RESPONDER side (the CLIENT will target the RESPONDER's IP and PORT):

    (config)#ip sla monitor responder

    Make sure you configure the CLIENT device in accordance with these defined parameters:

    (config)#ip sla monitor 10

    (config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500

    (config-sla-monitor-udp)#frequency 5


    #sh track 10

    Track 10

    IP route 10.1.12.0 255.255.255.0 reachability

    Reachability is Up (OSPF)

____________________________________________________________________________________________________________________

DYNAMIC NAT
____________________________________________________________________________________________________________________

    Step 1: Define the POOL of the Inside Global IPs (Public), which your Private IPs will be NAT-ed into:

    (config)#ip nat pool INSIDE_GLOBAL 131.1.12.3 131.1.12.8 prefix-length 24

    Step 2: Define the ACCESS-LIST of the PRIVATE IPs, which are the ones that will be NAT-ed (Inside Local)

    (config)#access-list 1 permit 10.2.2.0 0.0.0.255

    Step 3: Implement the NAT from-ACL-to-POOL IPs

    (config)#ip nat inside source list 1 pool INSIDE_GLOBAL

    Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do, and the Troubleshooting is not as much fun as you might expect)

#sh ip nat translations

The NAT debug output (debug ip nat) then shows the translation in both directions:

*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]

Meaning: source 10.2.2.1 (matched by the SOURCE ACL) -> inside global 131.1.12.3 (from the NAT POOL)

*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]

    *Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [65]

    *Oct 29 16:25:54.878: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [65]

    *Oct 29 16:25:54.878: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [66]

    *Oct 29 16:25:54.938: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [66]

    *Oct 29 16:25:54.938: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [67]

    *Oct 29 16:25:54.994: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [67]

    *Oct 29 16:25:54.994: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [68]

    *Oct 29 16:25:55.050: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [68]

    If you need the HOST portion matched, add the "type match-host" argument to the NAT POOL definition:

    (config)#ip nat pool LAB4 200.2.2.1 200.2.2.5 prefix-length 24 type match-host

    If you need the SOURCE & DESTINATION matched, define it in an EXTENDED ACL and match that ACL in a Route Map; do not attach the ACL directly to the "ip nat" configuration line.

    ____________________________________________________________________________________________________________________

    Load Balancing using NAT ____________________________________________________________________________________________________________________

    Step 1: Create a POOL of all the INSIDE LOCAL IPs, and define the pool type "type rotary":

    (config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary

    Step 2: Define an ACL with the Inside Global IP (the Public one, the one we're NAT-ing into):

    (config)#access-list 1 permit 200.2.2.2

    Step 3: Do the inside NAT with ACL 1 as the DESTINATION list, and the POOL of LOCAL IPs:

    (config)#ip nat inside destination list 1 pool ?

    WORD Pool name for local addresses


    Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:

    (config)#int lo0

    (config-if)#ip nat inside

    (config-if)#

    (config-if)#int s0/1/0.21

    (config-subif)#ip nat outside

    Be sure that the routing is in place (both the forward and the return path towards the NAT-ed IP, 200.2.2.2)!!!

    Step 5: Make sure that the IP NAT Translations are correct, and that the Inside Local addresses VARY (the rotary pool hands out 10.2.2.1, 10.2.2.2, 10.2.2.3... in turn):

    #sh ip nat translations

    Pro Inside global Inside local Outside local Outside global

    tcp 200.2.2.2:23 10.2.2.1:23 131.1.12.1:20186 131.1.12.1:20186

    tcp 200.2.2.2:23 10.2.2.2:23 131.1.12.1:25096 131.1.12.1:25096

    tcp 200.2.2.2:23 10.2.2.3:23 131.1.12.1:20389 131.1.12.1:20389

    ____________________________________________________________________________________________________________________

    PAT (NAT Overload) ____________________________________________________________________________________________________________________

    Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to ONE SINGLE Inside Global IP.

    Step 1: Create an ACL with all the Inside Local addresses:

    (config)#access-list 1 permit 10.2.2.0 0.0.0.7

    Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:

    Step 2.1: Create the Inside Global IP Pool from the addresses of the Link towards the other Router, and configure the NAT Overload with the defined pool (the pool name in the "ip nat inside source" line must be the one you defined):

    (config)#ip nat pool OVERLOAD 15.10.1.2 15.10.1.2 prefix-length 24

    (config)#ip nat inside source list 1 pool OVERLOAD overload

    Step 2.2: Configure the NAT to point to the Interface you need the traffic to go out from:

    (config)#ip nat inside source list 1 interface s0/1/0.21

    *The system adds the "overload" argument automatically:

    (config)#do sh run | i nat inside

    ip nat inside

    ip nat inside source list 1 interface Serial0/1/0.21 overload

    ____________________________________________________________________________________________________________________

    PAR - When you need to implement traffic redirections using NAT ____________________________________________________________________________________________________________________

    You can define the traffic redirection using Static Entries, but there is a trick. For example, you want all the http traffic DESTINED FOR s0/0.5 of R1 to be REDIRECTED to the IP 15.10.123.3 instead. You can configure this by defining the static NAT:

    (config)#ip nat inside source static tcp 15.10.123.3 80 int s0/0.5 80

    *MAKE SURE YOU UNDERSTAND THIS COMMAND, IT'S A BIT BACKWARDS!!!

    #telnet 131.1.14.1 80 (131.1.14.1 is the IP configured on the s0/0.5 interface of R1)

    Trying 131.1.14.1, 80 ... Open

    So when you telnet to R1's IP on port 80 from the router on the s0/0.5 side, you see the following debug:

    *Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053]

    NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747]

    NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23054]

    *Nov 6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23055]

    *Nov 6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]

    *Nov 6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23056]

    *Nov 6 15:56:48.763: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31749]

    *Nov 6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23057]

    *Nov 6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23058]
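The "debug ip nat" lines above (Dynamic NAT and PAR sections) are easy to misread by eye, so the following added example (mine, not from the guide) parses that line format, works out which side is the inside local and which the inside global, and compares what the router actually translated against the mapping you intended to configure. The sample lines are constructed after the page's output; the expected-mapping dictionary is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: four lines in the "debug ip nat" format shown on this page
# (two from the Dynamic NAT section, two from the PAR redirection). Not real output.
SAMPLE_DEBUG = """\
*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]
*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053]
*Nov 6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]
"""

# One debug line: timestamp, "NAT" or "NAT*", s=<src>[-><xlat>], d=<dst>[-><xlat>] [ip-id]
LINE_RE = re.compile(
    r"^\*(?P<ts>\w+\s+\d+\s+\d\d:\d\d:\d\d\.\d+): NAT(?P<fast>\*?): "
    r"s=(?P<src>[\d.]+)(?:->(?P<src_x>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_x>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


@dataclass
class NatEvent:
    timestamp: str
    fast_switched: bool  # "NAT*" = fast/CEF path, "NAT" = process switched
    direction: str       # "inside->outside" or "outside->inside"
    local: str           # inside local address (the private / real host)
    global_: str         # inside global address (what the outside sees)
    ip_id: int           # IP identification field, useful for pairing request/reply


def parse_nat_debug_line(line: str) -> Optional[NatEvent]:
    """Parse one debug line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fast = m["fast"] == "*"
    if m["src_x"]:
        # Source rewritten: an inside host going out, local -> global
        return NatEvent(m["ts"], fast, "inside->outside",
                        m["src"], m["src_x"], int(m["ipid"]))
    if m["dst_x"]:
        # Destination rewritten: a reply (or a redirected request, as in PAR)
        # coming in, global -> local
        return NatEvent(m["ts"], fast, "outside->inside",
                        m["dst_x"], m["dst"], int(m["ipid"]))
    return None


def translation_map(debug_output: str) -> Dict[str, Set[str]]:
    """Collect {inside_local: {inside_global, ...}} seen in the debug output."""
    mapping: Dict[str, Set[str]] = {}
    for line in debug_output.splitlines():
        ev = parse_nat_debug_line(line)
        if ev is not None:
            mapping.setdefault(ev.local, set()).add(ev.global_)
    return mapping


def find_mismatches(debug_output: str, expected: Dict[str, str]) -> List[str]:
    """Compare what the router actually translated against the intended
    mapping (the static entry or ACL/pool pairing you configured).
    Returns one human-readable problem per offending inside-local address."""
    problems = []
    for local, globals_seen in translation_map(debug_output).items():
        want = expected.get(local)
        if want is None:
            problems.append(f"{local}: translated but not in the expected list")
        elif globals_seen != {want}:
            problems.append(f"{local}: expected {want}, saw {sorted(globals_seen)}")
    return problems


if __name__ == "__main__":
    # Hypothetical intended mapping; the PAR host is deliberately left out
    for problem in find_mismatches(SAMPLE_DEBUG, {"10.2.2.1": "131.1.12.3"}):
        print(problem)
```

Feed it the output of "debug ip nat" captured from a terminal session; a host reported as "translated but not in the expected list" is exactly the kind of entry you want to explain before leaving a lab (or a production box) alone.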


    ____________________________________________________________________________________________________________________

    Static NAT redundancy with HSRP ____________________________________________________________________________________________________________________

    This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:

    Step 1: Name the already configured HSRP group:

    (config-if)#standby name HSRP-1


    Step 5: Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:

    (config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1

    Step 6: Check the translations

    #sh ip snat distributed

    Stateful NAT Connected Peers

    No entries will appear until you send some traffic (a PING will do); once you do, with a debug running, you'll see:

    *Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1

    *Nov 7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1

    *Nov 7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1

    *Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]

    *Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]

    *Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]

    *Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]

    *Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]

    *Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]

    *Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]

    *Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]

    *Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]

    *Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]

    ____________________________________________________________________________________________________________________

    NAT Translations with the Outside Source ____________________________________________________________________________________________________________________

    Just the other way around from standard NAT: mark the interface the traffic will be coming in on with "ip nat outside", and use "ip nat outside source". This will translate the incoming traffic with the source 2.2.2.2 into LOCAL traffic with the source 200.2.2.2:

    (config)#ip nat outside source static 2.2.2.2 200.2.2.2

    ____________________________________________________________________________________________________________________

    NAT on a Stick ____________________________________________________________________________________________________________________

    When a NAT router has the same interface for both INSIDE and OUTSIDE NAT, the trick is the following:

    Step 1: Define the following:

    - One normal interface, Fa0/0 for example, for "ip nat outside" and PBR ("ip policy route-map NAT_MAP") & "no ip redirects"

    - One Loopback interface for ip nat inside

    Step 2:

    Define the Route Map MATCHING the Source and Destination IP ACL, and SETTING the Loopback interface:

    (config)#route-map NAT_MAP

    (config-rmap)#match ip add ACL_1

    (config-rmap)#set interface lo0

    Step 3: Define "inside" AND "outside" static NAT


    ____________________________________________________________________________________________________________________

    DHCP Server ____________________________________________________________________________________________________________________

    Using a DHCP Pool configured on an IOS device is somewhat obsolete, but in smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) you should know how to configure a full DHCP server on a Cisco Router:

    Step 1: Enable the DHCP Server on the Device (Don't forget this step!!!):

    (config)#service dhcp

    Step 2: Configure global DHCP options:

    (config)#ip dhcp pool Cisco

    (config-dhcp)#network 172.25.185.0 255.255.255.0


    STEP 3: Define when the KRON occurrence is executed:

    (config)#kron occurrence week in 7:1:30 recurring

    (config-kron-occurrence)# policy-list cns-weekly

    STEP 4: Check the KRON status:

    #show kron schedule

    Kron Occurrence Schedule

    week inactive, will run again in 7 days 01:25:17

    ____________________________________________________________________________________________________________________

    GRE Tunnels ____________________________________________________________________________________________________________________

    Cisco Documentation: Interface and Hardware Component Configuration Guide->Implementing Tunnels

    GRE (Generic Routing Encapsulation) is the generic encapsulation tunnel, and it uses IP Protocol 47. It's the basic one and the simplest to implement. For starters you need to define the Tunnel interface:

    (config)#interface tunnel 0

    (config-if)#tunnel mode GRE IP

    Define the IP Address of the Tunnel Interface, and assign it the SOURCE and DESTINATION IP (These must be mutually PINGable):

    (config-if)#ip address 10.187.134.121

    (config-if)#tunnel source 131.1.12.1


    To avoid sending a packet for each keystroke typed:

    (config)#service nagle

    To "tune" CDP:

    (config)#cdp timer 10

    If you want to keep your configuration change logs in the NVRAM:

    (config)#archive

    (config-archive)#log config


    IP Routing


    ____________________________________________________________________________________________________________________

    IPv4 Routing TIPS ____________________________________________________________________________________________________________________

    TIP: Remember that you can only DEBUG THE PROCESS SWITCHED TRAFFIC, not the "cache", so during the implementation it might be useful to turn the route cache (CEF) off on the interface. Don't forget to turn it back on once you are done debugging.

    (config-if)#no ip route-cache

    ____________________________________________________________________________________________________________________

    PBR - Policy Based Routing ____________________________________________________________________________________________________________________

    First define the route-map and apply it on the interface level:

    (config-if)#ip policy route-map PBR

    *you can apply the defined route-map to traffic generated by the local router itself using the command "ip local-policy route-map ROUTEMAP"

    If you are setting a next hop and are not sure that a next-hop failure would be detected, use the "verify-availability" sub-command under the route-map. This is an old method that relies on CDP: it would work only in frame-relay and not if there is a switch in between (because of the nature of CDP), and it's not nearly as good as EOT (Enhanced Object Tracking):

    (config-rmap)#set ip next-hop verify-availability


    ____________________________________________________________________________________________________________________

    ODR - ON-DEMAND ROUTING ____________________________________________________________________________________________________________________

    On-Demand Routing is not a routing protocol. It uses Cisco Discovery Protocol (CDP) to propagate the IP prefix. ODR is a perfect solution for a hub and spoke topology where the spoke routers act as stub routers connected to the hub. ODR is a feature that provides IP routing for stub sites with minimum overhead. Configuration is quite simple:

    Step 1: Enable ODR globally on a HUB router:

    (config)#router odr


    The first step is to build a KEY-CHAIN:

    key chain RIP_12

    key 1


    ____________________________________________________________________________________________________________________

    RIP: Updates Control ____________________________________________________________________________________________________________________

    By default Version 1 uses Broadcast to send its updates. Version 2 uses Multicast, with the destination address 224.0.0.9. If you need to send the Updates only when something changes in the topology, there is an INTERFACE command "ip rip triggered":

    (config-if)#ip rip triggered

    There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). To achieve this you need to manually define the neighbor using the "neighbor" command, and define the interface towards the defined neighbor as PASSIVE, to prevent the Multicast Updates that are sent by default (If the interface is not defined as passive, both UNICAST and MULTICAST Updates will be sent).

    There is also a way to force Broadcast Updates (IP 255.255.255.255 instead of the default multicast destination 224.0.0.9) in Version 2 of RIP, and it's achieved using the Interface Command:

    (config-if)#ip rip v2-broadcast

    Another RIP-specific feature is injecting the default route using the "ip default-network" command. This is done in Global Configuration mode. Don't forget to advertise the network into the RIP protocol:

    (config)#ip default-network 4.0.0.0

    (config-router)#network 4.0.0.0

    ____________________________________________________________________________________________________________________

    RIP: OFFSET LISTS ____________________________________________________________________________________________________________________

    In the RIP Protocol the METRIC IS ACTUALLY the HOP COUNT, so if you want a route to be UNREACHABLE - set the METRIC to 16. A RIP offset list is used to INCREASE the Hop Count. Define the ACL (10 in this example), and set the Hop Count to be increased by a value, in this example 13:

    (config-router)#offset-list 10 out 13 Fa0/0

    Offset Lists work only with RIP and EIGRP

    ____________________________________________________________________________________________________________________

    RIP: Update Source Control ____________________________________________________________________________________________________________________

    RIP Validates the source of the Update packets, so they need to be from the same subnet as the interconnection. If they are not, like in the case where the routes are sourced by a Loopback, you can force the route updates by turning off the Source IP Validation:

    (config-router)#no validate-update-source

    This way the RIP routes will be exchanged, but if L3 Reachability is not established between the routers - the RIP routes will not be reachable.

    If you need to define the EXACT SOURCES (RIP Neighbors) you want to receive the RIP Updates from - use "gateway" word on a distribute-list.

    This will work for RIP and EIGRP only.

    Start by defining 2 PREFIX LISTS, one for WHERE you want updates from, another to filter the UPDATES you want. Once you've got your Prefix Lists configured, apply them via a Distribute List in Router Configuration Mode:

    (config-router)#distribute-list UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0


    ____________________________________________________________________________________________________________________

    RIP: Route Summarizing ____________________________________________________________________________________________________________________

    Done on the interface level:

    (config-if)#ip summary-address rip 150.1.0.0 255.255.252.0

    #show ip rip database

    150.1.0.0/22 int-summary


    ____________________________________________________________________________________________________________________

    OSPF ____________________________________________________________________________________________________________________

    OSPF Multicasts: 224.0.0.5 sends Hello packets to all OSPF routers on a network segment, 224.0.0.6 sends info to the DR

    TIP: When using BROADCAST and NON-BROADCAST in order to PEER you MUST ADJUST THE TIMERS!!!

    TIP: When you need to do a CONDITION, like do something if a certain route exists in a routing table - just use a PREFIX-LIST, and match it in the route-map: "match ip address prefix-list ROUTE_EXISTS"

    TIP: When you have the L2 tunnel directly attached to an OSPF interface, better configure ignoring of MTU:

    (config-if)#ip ospf mtu-ignore

    TIP: To IGNORE stuff in the ospf, like LSA6 (MOSPF), under the routing process:

    (config-router)#ignore lsa mospf

    WHEN you need to advertise Loopbacks with the CORRECT MASKS, be sure to do "ip ospf network point-to-point", otherwise they will be sent with /32 (/32 Might be required for Multicast or MPLS, so be careful with this!)

    ____________________________________________________________________________________________________________________

    OSPF over Frame-Relay, focus on Network Types ____________________________________________________________________________________________________________________

    TIP: Revise DR->"neighbor" command->TIMERS

    Don't forget that in Frame-Relay "broadcast" is defined ONLY DIRECTLY between a HUB AND A SPOKE, ON BOTH SIDES of the PVC!!! What this does is tell the routers "Hey, if you have any broadcast messages, go ahead and send them down this DLCI as a unicast". So basically it is a way to send broadcast messages on a non-broadcast medium. Don't include "broadcast" between the SPOKEs, as the Hellos won't be able to traverse the HUB.

    Type 1: NON-BROADCAST - use "neighbor" command on HUB to use UNICAST for OSPF

    OSPF uses Multicast, which the Router considers to be a kind of Broadcast. Due to the non-broadcast nature of Frame-Relay it can be assumed that this is the DEFAULT OSPF network type over FR.

    - Set the OSPF Priority to 0 on all the SPOKEs, so HUB is elected as the DR, and SPOKEs neither DR nor BDR

    - Non-broadcast network type in OSPF uses slow timers, meaning 30 second hello and 120 second dead-time. Here it will not affect us, as all neighbor types match.

    Type 2: BROADCAST - two important things:

    - As BROADCAST is meant to be FASTER timers are 10/40 seconds by default

    - Include the "broadcast" when mapping DLCI to IP. Also set the SPOKEs' OSPF Priority to 0, we don't want them to be DR

    Type 3: POINT-TO-POINT

    - Really simple, POINT-TO-XXX (P2P or P2MP) does not do the DR/BDR election

    - Timers 10/40 seconds

    TIP: When doing a HUB-AND-SPOKE, configure Point-to-Multipoint on a HUB, and ADJUST THE TIMERS!!!


    Type 4: POINT-TO-MULTIPOINT

    No DR, no "neighbor" commands. Slow timers (30 second hello / 120 second dead). "broadcast" is mandatory on the FR Mappings!!!

    HUB will just advertise the learned routes from ONE SPOKE to the other, like if it were the DR.

    !!!HUB must have .multipoint Sub-interface, while on SPOKES you can do .multipoint or Physical Interface.

    Type 5: POINT-TO-MULTIPOINT NON-BROADCAST

    Cisco Proprietary, like P2MP, with NO BROADCASTS ALLOWED! Timers are still slow, 30 and 120 Seconds.

    Next hop is ALWAYS the router you are directly connected to.

    (config-if)#ip ospf network point-to-multipoint non-broadcast

    ____________________________________________________________________________________________________________________

    OSPF: Configuration on INTERFACE LEVEL ____________________________________________________________________________________________________________________

    The routes can be advertised using the "network" command, but there is also another way. You can do the entire OSPF configuration on the Interface Level:

    (config-if)#ip ospf network point-to-point

    (config-if)#ip ospf 1 area 0

    This will automatically CREATE the OSPF process on the router:

    #sh run | s router ospf

    router ospf 1

    log-adjacency-changes

    Even so, you should define the "router ospf 1" process in Global Configuration mode before configuring the interface (it's not necessary for the OSPF PEERING, but it avoids restarting the OSPF process later because of a Router ID change). Being defined as a P2P network, DR and BDR election will not take place.

    The state of all the OSPF Neighbors will be "FULL/-", as presented below:

    #show ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface

    3.3.3.3 0 FULL/ - 00:00:30 10.1.23.3 GigabitEthernet0/0

    1.1.1.1 0 FULL/ - 00:00:34 10.1.12.1 Serial1/0

    This way the interface is configured to automatically belong to the Area 0, and the interface Subnet will be "injected" into the OSPF Area. If