CISQUEROS.BLOGSPOT.COM
presents
Hitchhikers Guide to the CCIE v0.3
2 Hitchhikers Guide to the CCIE v0.3 [cisqueros.blogspot.com]
About
This is nothing more than a script of simple guidelines I made during my CCIE preparations, 2012-2014. Bear in mind
that I created this script throughout the entire preparation period, so some topics might seem basic, as my level was
CCNP at the time, while others require the reader to have an almost-CCIE level.
If you find my notes useful, I'm more than glad I could help. You can use it, share it, whatever, as long as you don't
try to sell it or publish it as your own.
Table of Contents
About ............................................................................................................................................................................. 3
LAN Switching ................................................................................................................................................................. 10
LAN Switching Tips and Tricks ..................................................................................................................................... 11
VLAN Filters for NON-IP Traffic ................................................................................................................................... 11
MEMORY OPTIMIZATION - SDM (Switch Database Management) ............................................................................ 12
INTERFACE Statuses .................................................................................................................................................... 13
CAM TABLE .................................................................................................................................................................. 13
VTP - VLAN Trunking Protocol ..................................................................................................................................... 13
VMPS - VLAN Membership Policy Server .................................................................................................................... 14
TRUNKS and DTP (Dynamic Trunking Protocol) .......................................................................................................... 14
PRIVATE VLANS ........................................................................................................................................................... 15
Dot1q Tunneling: 802.1q, QinQ Tunneling ................................................................................................................. 16
SPANNING TREE PROTOCOL (STP) .............................................................................................................................. 16
MULTIPLE SPANNING TREE (MSTP) ............................................................................................................................ 18
PORTFAST .................................................................................................................................................................... 18
BPDU GUARD .............................................................................................................................................................. 18
UDLD - Unidirectional Link Detection ......................................................................................................................... 19
SOURCE GUARD and DHCP SNOOPING ....................................................................................................................... 20
ETHERCHANNEL .......................................................................................................................................................... 20
DAI (Dynamic ARP Inspection) .................................................................................................................................... 22
SNMP - UDP 161,162 .................................................................................................................................................. 23
MONITORING .............................................................................................................................................................. 24
LOGGING ..................................................................................................................................................................... 24
STORM CONTROL ........................................................................................................................................................ 25
HTTP Server (HTTP access) on a Switch ...................................................................................................................... 25
Router on a STICK and IP BRIDGING ........................................................................................................................... 25
IP Services ....................................................................................................................................................................... 26
IP Services Tips and Tricks ........................................................................................................................................... 27
HSRP - Hot Standby Router Protocol ........................................................................................................... 27
VRRP - Virtual Router Redundancy Protocol ................................................................................................ 28
GLBP - Gateway Load Balancing Protocol .................................................................................................... 29
IRDP - ICMP Router Discovery Protocol ...................................................................................................................... 30
DRP - Director Response Protocol (Cisco DistributedDirector) ...................................................................... 31
WAAS and WCCP Protocol .......................................................................................................................................... 31
NTP - Network Time Protocol ..................................................................................................................................... 32
IP SLA - Monitor the Network Performance ............................................................................................................... 33
STATIC NAT .................................................................................................................................................................. 34
DYNAMIC NAT ............................................................................................................................................................. 35
Load Balancing using NAT ........................................................................................................................................... 35
PAT (NAT Overload) .................................................................................................................................................... 36
PAR - When you need to implement traffic redirections using NAT .......................................................................... 36
Static NAT redundancy with HSRP .............................................................................................................................. 37
Scalability for Stateful NAT (SNAT) ............................................................................................................................. 37
NAT Translations with the Outside Source ................................................................................................................. 38
NAT on a Stick ............................................................................................................................................................. 38
DHCP Server ................................................................................................................................................................ 39
CNS (Cisco Networking Services) ................................................................................................................................ 39
GRE Tunnels ................................................................................................................................................................ 40
Various IOS Tricks ........................................................................................................................................................ 40
IP Routing ........................................................................................................................................................................ 42
IPv4 Routing TIPS ........................................................................................................................................................ 43
PBR - Policy Based Routing ......................................................................................................................................... 43
EOT - Enhanced Object Tracking .................................................................................................................. 43
ODR - ON-DEMAND ROUTING .................................................................................................................................... 44
RIP ............................................................................................................................................................................... 44
RIP: Authentication ..................................................................................................................................................... 44
RIP: Timers .................................................................................................................................................................. 45
RIP: Updates Control ................................................................................................................................................... 46
RIP: OFFSET LISTS ........................................................................................................................................................ 46
RIP: Update Source Control ........................................................................................................................................ 46
RIP: Route Summarizing .............................................................................................................................................. 47
RIP: Route Filtering using Prefix Lists .......................................................................................................................... 47
OSPF ............................................................................................................................................................................ 48
OSPF over Frame-Relay, focus on Network Types ...................................................................................................... 48
OSPF: Configuration on INTERFACE LEVEL .................................................................................................................. 49
OSPF: Timers ............................................................................................................................................................... 49
OSPF: Authentication .................................................................................................................................................. 50
OSPF: Route Redistribution ......................................................................................................................................... 50
OSPF Route Summarization ........................................................................................................................................ 51
OSPF Virtual Link ......................................................................................................................................................... 51
OSPF Cost .................................................................................................................................................................... 52
Redirecting Traffic (FORCING A PATH) ........................................................................................................................ 52
OSPF and the GRE Tunnels .......................................................................................................................................... 53
OSPF LSA Types and AREA TYPES ................................................................................................................................ 53
OSPF STUBS ................................................................................................................................................................. 55
OSPF Route Filtering ................................................................................................................................................... 56
OSPF Non-Broadcast Networks ................................................................................................................................... 57
OSPF NBMA (Non Broadcast Multiple Access) Networks ........................................................................................... 58
OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ......................................................... 58
DNS Lookup in OSPF .................................................................................................................................................... 59
ISPF - Incremental SPF ................................................................................................................................. 59
Forward Address Suppression .................................................................................................................................... 59
OSPF Sham Link ........................................................................................................................................................... 60
OSPF in MPLS .............................................................................................................................................................. 61
EIGRP ........................................................................................................................................................................... 62
EIGRP "show neighbors" command ............................................................................................................................ 62
EIGRP Metric - K Values .............................................................................................................................................. 63
EIGRP Route Summarization and Leak Maps .............................................................................................................. 64
EIGRP Default Gateway ............................................................................................................................................... 64
VARIANCE Command .................................................................................................................................................. 65
EIGRP Authentication .................................................................................................................................................. 65
EIGRP: Maximum Hops ............................................................................................................................................... 65
EIGRP Administrative Distance ................................................................................................................................... 66
EIGRP Updates BW Percent ........................................................................................................................................ 66
EIGRP Redistribute Routes into EIGRP ........................................................................................................................ 66
EIGRP offset-list [metric adjustments] ........................................................................................................................ 66
EIGRP Stub................................................................................................................................................................... 66
MP-EIGRP .................................................................................................................................................................... 67
EIGRP Route Filtering .................................................................................................................................................. 67
BGP TIPs and Best Practices ........................................................................................................................................ 68
BGP Version................................................................................................................................................................. 70
BGP Peer-Group .......................................................................................................................................................... 70
BGP Peer-Session and Peer-Policy Templates ............................................................................................................ 71
BGP Authentication ..................................................................................................................................................... 71
BGP Route Reflectors .................................................................................................................................................. 72
BGP BACKDOOR Route ................................................................................................................................................ 73
BGP CONDITIONAL Advertisements - Advertise Maps ............................................................................................... 73
BGP Route Dampening ................................................................................................................................................ 74
BGP Route Summarization .......................................................................................................................................... 75
BGP INJECT and EXIST map ......................................................................................................................................... 75
BGP Community Attribute .......................................................................................................................................... 75
BGP & Load Balancing ................................................................................................................................................. 76
1. AS-Path (the fewer ASes in the path - the better) ..................................................................................... 77
2. Weight (the higher - the better) ................................................................................................................ 78
3. MED (Multi Exit Discriminator) ............................................................................................................................... 79
4. LOCAL PREFERENCE................................................................................................................................................. 79
BGP Filters: Distribution and Prefix lists ..................................................................................................................... 80
BGP: Regular Expressions ............................................................................................................................................ 80
BGP Confederations .................................................................................................................................................... 81
MP-BGP (Multi-Protocol BGP)..................................................................................................................................... 82
Route Redistribution TIPs ....................................................................................................................................... 83
QoS .................................................................................................................................................................................. 84
QoS TIPS ...................................................................................................................................................................... 85
QoS on Access Ports .................................................................................................................................................... 85
DSCP and COS MAPPING ............................................................................................................................................. 87
Map COS to DSCP on a device ..................................................................................................................................... 87
QoS POLICING - INDIVIDUAL and AGGREGATE POLICER ............................................................................................ 88
PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ........................................................................ 88
WFQ - By default works with IP PRECEDENCE ............................................................................................. 89
RSVP - Resource Reservation Protocol ....................................................................................................................... 89
IPv6 QoS ...................................................................................................................................................................... 90
Match MAC ADDRESS ................................................................................................................................................. 90
QoS Frame-Relay SHAPING ......................................................................................................................................... 90
QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ................................................................................... 92
QoS Frame-Relay PAYLOAD and HEADER COMPRESSION .......................................................................................... 93
QoS CBWFQ - configured using MQC .......................................................................................................................... 93
QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ......................................................... 93
Define the QoS Schedule (TIME-RANGE command) ................................................................................................... 94
QoS CAR (Committed Access Rate) - "rate-limit" Interface Command ...................................................................... 94
NBAR (match protocol XXX) - if you need to match the port without the ACL .......................................................... 94
DUAL RATE - DUAL BUCKET......................................................................................................................................... 95
WRED - Weighted Random Early Detection and CB-WRED ........................................................................................ 95
WAN ................................................................................................................................................................................ 96
Frame-Relay TIPS ........................................................................................................................................................ 97
FRAME RELAY QoS ...................................................................................................................................................... 97
PHYSICAL INTERFACE CONFIGURATION: .................................................................................................................... 98
POINT-TO-POINT SUB-INTERFACE: ............................................................................................................................. 98
POINT-TO-MULTIPOINT SUB-INTERFACE: ................................................................................................................... 99
VIRTUAL TEMPLATE .................................................................................................................................................... 99
FRAME RELAY AUTHENTICATION .............................................................................................................................. 100
FRAME RELAY End-to-End KEEPALIVE ....................................................................................................................... 101
FRAME-RELAY MULTILINKING ................................................................................................................................... 102
FRAME-RELAY AUTO-INSTALL ................................................................................................................................... 103
IP Multicast ................................................................................................................................................................... 104
Multicast TIPS ............................................................................................................................................................ 105
Multicast - IGMP ....................................................................................................................................................... 106
Configure PIM Multicast ........................................................................................................................................... 107
PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ....................................................................... 109
STATIC RENDEZVOUS POINT (RP) Configuration ......................................................................................... 110
DESIGNATED ROUTER (DR) Configuration ................................................................................................................ 110
IP MULTICAST: AUTOMATIC RENDEZVOUS POINT (Auto-RP) Configuration ............................................... 111
IP MULTICAST: BSR (Bootstrap Router) Configuration ............................................................................................. 112
IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ........................................................... 113
Multiprotocol BGP (MP-BGP) & IP Multicast ............................................................................................................ 113
IP MULTICAST: Configuring SSM (Source Specific Multicast) ................................................................................... 114
IP MULTICAST: Bidirectional PIM (Bidir-PIM) ........................................................................................................... 115
IP MULTICAST: Helper Map ....................................................................................................................................... 116
MULTICAST Helper Map & Helper-address .............................................................................................................. 117
Security ......................................................................................................................................................................... 118
Security TIPS .............................................................................................................................................................. 119
Layer 2 Security ......................................................................................................................................................... 120
Access Restrictions and Privilege Levels ................................................................................................................... 121
RBAC (Role Based Access Control) ............................................................................................................................ 121
Router Security - Best Practices ................................................................................................................................ 121
KNOWN ATTACKS and how to prevent ..................................................................................................................... 122
BANNER and MENU Configuration ........................................................................................................................... 123
Configure SSH Access ................................................................................................................................................ 123
ADVANCED Access Lists (ACL) Configuration ............................................................................................................ 124
DYNAMIC ACL (aka Lock and key ACL) ...................................................................................................................... 125
REFLEXIVE ACL - For Session Filtering ....................................................................................................................... 126
TCP INTERCEPT - To prevent TCP SYN DoS attacks ................................................................................................... 126
CBAC - Context Based Access Control Firewall ......................................................................................................... 127
PAM - Port to Application Mapping .......................................................................................................................... 128
uRPF - Unicast Reverse Path Forwarding .................................................................................................................. 128
Zone Based Firewall .................................................................................................................................................. 129
CONTROL Plane Protection (CPPr) .............................................................................................................. 130
IOS IPS (Intrusion Prevention System) ...................................................................................................................... 131
AAA Authentication .................................................................................................................................................. 132
MPLS.............................................................................................................................................................................. 134
MPLS Configuration .................................................................................................................................................. 135
MPLS LFIB and Labels (Label Spacing) ....................................................................................................................... 136
MPLS Session Protection ........................................................................................................................................... 137
MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ................................................................................... 138
L2VPN - AToM (Any Transport over MPLS) ............................................................................................................... 139
IPv6 ................................................................................................................................................................................ 140
IPv6 TIPS .................................................................................................................................................................... 141
IPv6 Basics ................................................................................................................................................................. 141
Convert MAC to Link Local IPv6 Address .................................................................................................................. 143
IPv6 Routing .............................................................................................................................................................. 144
RIPng ......................................................................................................................................................................... 145
OSPFv3 ...................................................................................................................................................................... 145
EIGRP IPv6 ................................................................................................................................................................. 146
MP-BGP, using a BGP-4 protocol extensions for IPv6 ............................................................................................... 147
IPv6 Tunnels .............................................................................................................................................................. 147
IPv6 Multicast Routing .............................................................................................................................................. 149
LAN Switching
____________________________________________________________________________________________________________________
LAN Switching Tips and Tricks ____________________________________________________________________________________________________________________
Remove a FOLDER from the flash: #delete /force /recursive flash:c3750-ipbase-mz.122-35.SE5
TIP: When a Cisco IP Phone is attached to an access port, configure "switchport voice vlan X" on that access port.
TIP: The maximum-aging time is the number of seconds a Switch waits without receiving spanning-tree configuration messages before
attempting a reconfiguration.
(config)#spanning-tree vlan 1 max-age 30
____________________________________________________________________________________________________________________
VLAN Filters for NON-IP Traffic ____________________________________________________________________________________________________________________
These are not used in production environments very often, but for the CCIE exam this can be useful to know. In the Cisco docs it can be found
under "Network Security with ACLs" in the Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swacl.html
STEP 1: Basically, instead of an IP ACL we create a MAC ACL, which is applied later. For example, here a MAC access-list is created
to filter out BPDUs of a certain type (note all the NON-IP traffic types we can filter on):
(config)# mac access-list extended DENY_BPDU
(config-ext-macl)# permit host 000.0c00.0111 any
(config-ext-macl)# permit any any ?
An arbitrary EtherType in decimal, hex, or octal
aarp EtherType: AppleTalk ARP
amber EtherType: DEC-Amber
appletalk EtherType: AppleTalk/EtherTalk
cos CoS value
dec-spanning EtherType: DEC-Spanning-Tree
decnet-iv EtherType: DECnet Phase IV
diagnostic EtherType: DEC-Diagnostic
dsm EtherType: DEC-DSM
etype-6000 EtherType: 0x6000
etype-8042 EtherType: 0x8042
lat EtherType: DEC-LAT
lavc-sca EtherType: DEC-LAVC-SCA
lsap LSAP value
mop-console EtherType: DEC-MOP Remote Console
mop-dump EtherType: DEC-MOP Dump
msdos EtherType: DEC-MSDOS
mumps EtherType: DEC-MUMPS
netbios EtherType: DEC-NETBIOS
vines-echo EtherType: VINES Echo
vines-ip EtherType: VINES IP
xns-idp EtherType: XNS IDP
STEP 2: After the MAC ACL is created, we need to apply the MAC ACL to a Layer 2 Interface. This can be done in one of 2 ways:
1. Directly using the "mac access-group MACL in" command
2. Using the VLAN Maps
VLAN Maps are the only way to control filtering within a VLAN. You can define the DROP or FWD action:
(config)#vlan access-map VLANACM 10
____________________________________________________________________________________________________________________
MEMORY OPTIMIZATION - SDM (Switch Database Management) ____________________________________________________________________________________________________________________
Cisco Docs: 3560->Consolidated Platform Configuration Guides->SystemManagement->SDM Templates
Depending on the Switch purpose (L2 Switching that uses CEF or IP Routing or IPv6), Memory allocations can be optimized using the SDM
(Switch Database Management), and there are 4 templates:
- ACCESS - For QoS and Security
- ROUTING - for IP Routing
- VLAN - Sets Switch to L2 and disables IP Routing
- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)
(config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]
(config)#sdm prefer ?
access Access bias
default Default bias
dual-ipv4-and-ipv6 Support both IPv4 and IPv6
____________________________________________________________________________________________________________________
INTERFACE Statuses ____________________________________________________________________________________________________________________
INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING:
GigabitEthernet3/0/1 unassigned YES unset down down
INTERFACE "shutdown":
GigabitEthernet3/0/17 unassigned YES unset administratively down down
INTERFACE "no shut" and CONNECTED:
GigabitEthernet3/0/19 unassigned YES unset up up
____________________________________________________________________________________________________________________
CAM TABLE ____________________________________________________________________________________________________________________
You can set the MAC Aging Time, and also Security (allowing only the known and secure MAC addresses):
(config)#mac address-table aging-time 600
ENABLE PRUNING (can be done ONLY ON VTP SERVER Switch):
#vtp pruning
____________________________________________________________________________________________________________________
PRIVATE VLANS ____________________________________________________________________________________________________________________
*REQUIRES VTP MODE TO BE SET TO TRANSPARENT, which disables VTP!!! (global configuration command, not an interface command)
(config)#vtp mode transparent
This topic belongs to L2 SECURITY rather than L2 SWITCHING.
Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!
1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40
____________________________________________________________________________________________________________________
Dot1q Tunneling: 802.1q, QinQ Tunneling ____________________________________________________________________________________________________________________
When a TUNNEL port receives Customer Traffic, the INGRESS PORT adds a 4-byte tag: a 2-byte EtherType field (0x8100) + 2 bytes carrying the CoS and
VLAN ID. The Egress tunnel port STRIPS THESE 4 BYTES.
(config-if)#switchport access vlan 100
(config-if)#switchport mode dot1q-tunnel
Great command to check the ROOT:
#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 32769 aabb.cc00.0600 200 2 20 15 Et2/2
VLAN0100 24676 aabb.cc00.0600 200 2 20 15 Et2/2
VLAN0200 24776 aabb.cc00.0700 100 2 20 15 Et2/2
VLAN0300 24876 aabb.cc00.0800 100 2 20 15 Et3/1
VLAN0400 24976 aabb.cc00.0900 0 2 20 15
____________________________________________________________________________________________________________________
MULTIPLE SPANNING TREE (MSTP) ____________________________________________________________________________________________________________________
Supports up to 4096 instances of Spanning Tree
(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE
____________________________________________________________________________________________________________________
UDLD - Unidirectional Link Detection ____________________________________________________________________________________________________________________
UDLD is used to detect a link whose SEND direction is DOWN while the RECEIVE direction is still active. This happens quite often on fiber optic
cables. UDLD sends L2 "pings" between neighbors to check whether the other side is responding. To enable Unidirectional Link Detection on an Interface:
(config-if)#udld port aggressive
THE GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!!
IT'S RECOMMENDED TO USE UDLD WITH LOOPGUARD!!! (For the port to enter the DISABLE state when BPDUs are no longer received)
Normally, when a unidirectional link occurs, the other side stops receiving BPDUs and assumes that the STP ROOT is no longer available, so it
declares itself the NEW STP ROOT. Loopguard prevents this.
(config-if)#spanning-tree guard loop
____________________________________________________________________________________________________________________
SOURCE GUARD and DHCP SNOOPING ____________________________________________________________________________________________________________________
!!!! SOURCE GUARD WILL NOT WORK IF DHCP SNOOPING IS NOT ENABLED!!!
(config)#ip dhcp snooping
Check the DEFAULT PARAMETERS:
2#show lacp 1 internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi3/0/19 SA bndl 32768 0x1 0x1 0x7F 0x3D
Gi3/0/20 SA bndl 32768 0x1 0x1 0x80 0x3D
"ON" - Doesn't use LACP or PAgP. BOTH sides MUST BE ON!!!
#do show etherch protocol
Channel-group listing:
----------------------
Group: 13
----------
Protocol: - (Mode ON)
You can configure a MAX of 16 PORTS, out of which a MAXIMUM of 8 are ACTIVE PORTS; the others are HOT STANDBY (activated if one of the first 8 fails).
Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured:
(config-if)#lacp port-priority 1
NO SHUT on the PHYSICAL INTERFACES
Summary: 24 Po24(SU) PAgP Gi1/0/21(P) Gi1/0/22(P)
* "show interface trunk" will show only the Port Channel, but "show interface XX switchport" will show that the physical INTERFACE IS a TRUNK
LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode):
(config)#port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr
#show etherchannel load-balance
Ether Channel Load-Balancing Configuration:
dst-mac
Ether Channel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination MAC address
IPv6: Destination MAC address
Spanning Tree treats the Etherchannel Link as a SINGLE LINK, by sending the BPDUs only over one of the physical links
____________________________________________________________________________________________________________________
DAI (Dynamic ARP Inspection) ____________________________________________________________________________________________________________________
(config)#ip arp inspection vlan 2
____________________________________________________________________________________________________________________
SNMP - UDP 161,162 ____________________________________________________________________________________________________________________
Two ways to configure it:
1. SNMP polling, where the NMS asks the Router what is the status of the MIB
2. SNMP Walk - where the NMS pulls every MIB that the device is sending and filters out what it needs
Send the SNMP traps, Community "Public" to the NMS Server:
(config)#snmp-server host 192.168.1.1 traps [Public | Private]
If you need to define the VERSION and the COMMUNITY STRING:
(config)#snmp-server host 192.168.1.100 traps version 2c cisco
To define RO and RW COMMUNITY:
(config)#snmp-server community TST-RO ro
____________________________________________________________________________________________________________________
MONITORING ____________________________________________________________________________________________________________________
RSPAN - Don't forget to CREATE a VLAN dedicated to the RSPAN
(config)#vlan 22
(config-vlan)#remote-span
____________________________________________________________________________________________________________________
LOGGING ____________________________________________________________________________________________________________________
Remote IP:
(config)#logging x.y.z.w
Or Locally in a FILE:
(config)#logging file flash:syslog 7
____________________________________________________________________________________________________________________
STORM CONTROL ____________________________________________________________________________________________________________________
To LIMIT the type of traffic (BROADCAST or MULTICAST or UNICAST). To limit the Broadcast to 50%:
(config-if)#storm-control broadcast level 50.00
IP Services
____________________________________________________________________________________________________________________
IP Services Tips and Tricks ____________________________________________________________________________________________________________________
IMPORTANT:
HSRP: UDP to Multicast Address 224.0.0.2 (all routers); VRRP: Directly over IP, Protocol 112
HSRPv2: Also UDP; it uses Multicast Address 224.0.0.105, which solves the conflict with the CGMP Leave Messages
TIP: When a CLIENT sends an ARP request for an IP which is outside its own segment, the router responds with its own MAC address. This is called
Proxy ARP; it's ON by default on Fast Ethernet, and it can be disabled:
(config-if)#no ip proxy-arp
____________________________________________________________________________________________________________________
HSRP - Hot Standby Routing Protocol ____________________________________________________________________________________________________________________
HSRP is a Cisco proprietary protocol. There are 3 types of HSRP messages: HELLO, COUP (used by a router with the highest priority, which is
currently NOT ACTIVE, to tell the others that it should be ACTIVE) and RESIGN.
Configuration is quite straightforward, but there are many ways to tune it in accordance with your needs:
interface FastEthernet0/0
ip address 172.25.25.2 255.255.255.0
standby 1 ip 172.25.25.22
____________________________________________________________________________________________________________________
VRRP - Virtual Routing Redundancy Protocol ____________________________________________________________________________________________________________________
The VRRP configuration is similar to the HSRP, with a few slight differences. For example, there are no ACTIVE and STANDBY, but MASTER
and BACKUP router, as shown below:
#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 200 3218 Y Master 172.25.12.1 172.25.12.22
Fa0/0 2 100 3609 Y Backup 172.25.12.2 172.25.12.11
TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup, and tell the Backup to
LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Master for VRRP Group 1 and Backup for VRRP Group 2
VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug on the VRRP Pair
router is as follows (before the authentication is configured on BOTH):
#debug vrrp
*13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
#u all
All possible debugging has been turned off
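A small detector for that authentication mismatch, written as an added Python example (not from the original notes): it parses the debug vrrp lines shown above and reports which group and peer disagree on the authentication type. The SAMPLE_DEBUG lines are copied from the output above; the function names are my own.

```python
import re

# Sample lines copied from the `debug vrrp` output above (a constructed subset).
SAMPLE_DEBUG = """\
*13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
"""

# Auth Type values of the VRRP header (RFC 2338): 0 none, 1 simple text, 2 IP AH.
AUTH_TYPES = {
    0: "no authentication",
    1: "simple text password",
    2: "IP authentication header",
}

AUTH_MISMATCH = re.compile(
    r"VRRP: Grp (?P<grp>\d+) Advertisement from (?P<peer>[\d.]+) "
    r"has incorrect authentication type (?P<got>\d+) expected (?P<want>\d+)"
)


def find_auth_mismatches(debug_text):
    """Map (group, peer) -> (count, auth type received, auth type expected).

    A router discards advertisements that fail authentication, so while the
    mismatch lasts both routers can claim Master for that group.
    """
    found = {}
    for line in debug_text.splitlines():
        m = AUTH_MISMATCH.search(line)
        if not m:
            continue
        key = (int(m["grp"]), m["peer"])
        count = found.get(key, (0, 0, 0))[0]
        found[key] = (count + 1, int(m["got"]), int(m["want"]))
    return found


def explain(mismatches):
    """Human-readable findings, one per (group, peer)."""
    lines = []
    for (grp, peer), (count, got, want) in sorted(mismatches.items()):
        lines.append(
            f"group {grp}: {count} advertisement(s) from {peer} used "
            f"{AUTH_TYPES.get(got, got)} but this router expects "
            f"{AUTH_TYPES.get(want, want)}; configure 'vrrp {grp} authentication' "
            f"identically on both routers"
        )
    return lines


if __name__ == "__main__":
    for msg in explain(find_auth_mismatches(SAMPLE_DEBUG)):
        print(msg)
```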
The configuration on the interface will look similar to the HSRP:
interface FastEthernet0/0
ip address 172.25.12.2 255.255.255.0
vrrp 1 description MAT1
vrrp 1 ip 172.25.12.22
vrrp 1 timers learn
vrrp 1 authentication cisco
vrrp 2 description MAT2
vrrp 2 ip 172.25.12.11
vrrp 2 timers advertise 10
vrrp 2 priority 200
end
!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default!
____________________________________________________________________________________________________________________
GLBP - Global Load Balancing Protocol ____________________________________________________________________________________________________________________
GLBP differs from HSRP and VRRP in that it's more complex and gives more possibilities, such as the Load Balancing feature.
It's got 1 VIRTUAL IP and VARIOUS virtual MACs, where the AVG (defined below) decides which router's MAC to announce to which
client, and when.
You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!
GLBP Group Members communicate using HELLOs to 224.0.0.102, UDP/3222; by default the Hello Timer = 3 sec
Basically there are 2 roles:
AVG (Active Virtual Gateway) - the MASTER Router, in charge of Assigning Virtual MAC Addresses to the other Routers; it has to know ALL the
MACs of the AVFs
AVFs (Active Virtual Forwarders) - the rest of the Routers, one of which takes over the AVG function if the AVG dies.
#sh glbp br
Interface Grp Fwd Pri State Address Active router Standby route
Fa0/0 1 - 100 Standby 10.1.1.100 10.1.1.2 local
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 10.1.1.2 -
You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing
method:
(config-if)#glbp 1 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin Load balance equally using each forwarder in turn
weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)
As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC of an AVF that has failed.
(config-if)#glbp 1 timers ?
Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify time-out values for failed forwarders
Tracking is also different in GLBP: it's configured in Global Configuration mode, with a global Track Object. The advantage is that
you can track 2 interfaces at once!!!
(config)#track 1 interface fa0/0 ?
ip IP parameters
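The AVG role and the three load-balancing methods described above, as an added Python example that is not part of the original notes: it models the AVG answering ARP for the virtual IP with one of the AVFs' virtual MACs. The virtual IP 10.1.1.100 and the virtual MACs come from the show glbp brief output above; the weights, client MACs, the GlbpAvg class and the host-dependent hash are constructed for this illustration (the real IOS hash is not modelled).

```python
from collections import Counter
from itertools import cycle
import zlib


class GlbpAvg:
    """Active Virtual Gateway for one GLBP group (constructed model).

    The AVG owns the virtual IP and answers ARP requests for it. Instead of
    always replying with one MAC (as HSRP/VRRP do), it picks one of the
    Active Virtual Forwarders' virtual MACs using the configured method.
    """

    METHODS = ("round-robin", "weighted", "host-dependent")

    def __init__(self, virtual_ip, forwarders, method="round-robin"):
        # forwarders: {virtual MAC: weight}; weight only matters for "weighted"
        if method not in self.METHODS:
            raise ValueError(f"unknown load-balancing method: {method}")
        if any(w < 1 for w in forwarders.values()):
            raise ValueError("forwarder weights must be >= 1")
        self.virtual_ip = virtual_ip
        self.forwarders = dict(forwarders)
        self.method = method
        self._rebuild()

    def _rebuild(self):
        # Deterministic order so the simulation is reproducible.
        self._ordered = sorted(self.forwarders)
        self._round_robin = cycle(self._ordered)
        # "weighted": expand each forwarder by its weight, so a weight of 3
        # gets three ARP replies for every one reply of a weight-1 forwarder.
        self._weighted = cycle(
            [vmac for vmac in self._ordered for _ in range(self.forwarders[vmac])]
        )

    def arp_reply(self, client_mac):
        """Virtual MAC the AVG returns to client_mac asking for the virtual IP."""
        if not self.forwarders:
            raise RuntimeError("no active forwarders left in the group")
        if self.method == "round-robin":
            return next(self._round_robin)
        if self.method == "weighted":
            return next(self._weighted)
        # host-dependent: the same source MAC always maps to the same AVF
        # (constructed hash; IOS uses its own, undocumented function).
        key = client_mac.replace(".", "").replace(":", "").lower().encode()
        return self._ordered[zlib.crc32(key) % len(self._ordered)]

    def forwarder_failed(self, vmac):
        """Redirect timer expired for a failed AVF: stop handing out its MAC."""
        self.forwarders.pop(vmac, None)
        self._rebuild()


def distribute(avg, client_macs):
    """How many clients each forwarder receives for a list of ARP requests."""
    return dict(Counter(avg.arp_reply(mac) for mac in client_macs))


if __name__ == "__main__":
    # Constructed client MACs; the AVF MACs are from the show output above.
    clients = [f"aabb.cc00.000{i}" for i in range(1, 5)]
    for method in GlbpAvg.METHODS:
        avg = GlbpAvg("10.1.1.100", {"0007.b400.0101": 3, "0007.b400.0102": 1}, method)
        print(method, distribute(avg, clients))
```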
____________________________________________________________________________________________________________________
IRDP - ICMP Router Discovery Protocol ____________________________________________________________________________________________________________________
IRDP enables Routers to automatically discover the IP of their potential Default Gateway. It uses ICMP Router Advertisement and Router Solicitation Messages.
Potential GW Routers periodically announce the IP address of their IRDP-configured interface to a broadcast destination. The IRDP Preference
value is advertised in these messages, along with the IP Address.
Step 1:
The configuration is pretty straightforward. First you MUST turn Routing off on the router that should discover its own GW:
(config)#no ip routing
Step 2:
IRDP needs to be enabled on the Router:
(config)#ip gdp ?
eigrp Discover routers transmitting EIGRP router updates
irdp Discover routers transmitting IRDP router updates
____________________________________________________________________________________________________________________
DRP - Cisco Distributed Route Processor ____________________________________________________________________________________________________________________
It's a UDP-based application which enables the Cisco Distributed Director to QUERY ROUTES (via the DRP Agent). It transparently REDIRECTS end-user
service requests to the CLOSEST RESPONSIVE SERVER. The configuration is straightforward:
Step 1: Enable the DRP Server Agent:
(config)#ip drp server
Step 2: Define the ACL to define who will be able to send queries to DRP
(config)#access-list 11 permit 10.182.131.15
Step 3: Attach the ACL to the DRP:
(config)#ip drp access-group 11
Step 4: Create the key-chain and set the DRP to use it for authentication:
(config)#ip drp authentication key-chain DRP_CHAIN
____________________________________________________________________________________________________________________
WAAS and WCCP Protocol ____________________________________________________________________________________________________________________
WCCP is the Web Cache Communication Protocol; it enables the redirection of client web requests to one or more Web Cache Engines,
which improves Web Browsing on slow links. The only INTERFACE command needed to allow this for the users of that VLAN is "ip wccp web-cache
redirect [in | out]". If you set OUT, the Router listens for the HTTP requests going OUT of that interface, which is why it's most
commonly enabled on the WAN interface.
First you need to enable the WCCP (protocol for web caching) globally on a router:
(config)#ip wccp web-cache
On the WAN interface enable checking if the packets need to be redirected to a web cache. Enable the redirection of outgoing destination
port 80 packets on the interface:
(config-if)#ip wccp web-cache redirect out
Define the ACL that only contains the Cache Engine IP:
(config)#access-list 11 permit 10.182.131.15
Attach the configured ACL to the WCCP configuration:
(config)#ip wccp web-cache group-list 11
____________________________________________________________________________________________________________________
NTP - Network Time Protocol ____________________________________________________________________________________________________________________
First there is the "old school" method of setting the time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*%SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC
Fri Nov 15 2013, configured from console by console.
Now, if you set this time really well, and the Switch is new generation and you really trust it, then in order to have the entire network
synchronized (with absolutely no external NTP available), set that most awesome switch to be the NTP Server:
(config)#ntp master ?
Stratum number
____________________________________________________________________________________________________________________
IP SLA - Monitor the Network Performance ____________________________________________________________________________________________________________________
Probably the most typical usage of IP SLA is measuring UDP Jitter and Echo, in order to make sure that the path is good enough for the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).
IP SLA can be configured without a specific PROBE: just configure sending a generated packet to the RESPONDER, where the
RESPONDER is configured to respond with TIME STAMP information, so the source can calculate the performance values. CAREFUL with
the times; configure NTP if you're not certain the devices are synced.
To configure the RESPONDER (the CLIENT is later pointed at the IP and PORT of the RESPONDER):
(config)#ip sla monitor responder
Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500
(config-sla-monitor-udp)#frequency 5
#sh track 10
Track 10
IP route 10.1.12.0 255.255.255.0 reachability
Reachability is Up (OSPF)
____________________________________________________________________________________________________________________
DYNAMIC NAT ____________________________________________________________________________________________________________________
Step 1: Define the POOL of the Inside Global IPs (Public), which your Private IPs will be NAT-ed into:
(config)#ip nat pool INSIDE_GLOBAL 131.1.12.3 131.1.12.8 prefix-length 24
Step 2: Define the ACCESS-LIST of the PRIVATE IPs, which are the ones that will be NAT-ed (Inside Local)
(config)#access-list 1 permit 10.2.2.0 0.0.0.255
Step 3: Implement the NAT from-ACL-to-POOL IPs
(config)#ip nat inside source list 1 pool INSIDE_GLOBAL
Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do, and the Troubleshooting is not as much fun as you might expect)
#sh ip nat translations
NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]
Meaning: source=10.2.2.1 (SOURCE ACL)->inside global 131.1.12.3 (NAT POOL)
*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]
*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [65]
*Oct 29 16:25:54.878: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [65]
*Oct 29 16:25:54.878: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [66]
*Oct 29 16:25:54.938: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [66]
*Oct 29 16:25:54.938: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [67]
*Oct 29 16:25:54.994: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [67]
*Oct 29 16:25:54.994: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [68]
*Oct 29 16:25:55.050: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [68]
If you need the HOST portion matched, add the "type match-host" argument to the NAT POOL definition:
(config)#ip nat pool LAB4 200.2.2.1 200.2.2.5 prefix-length 24 type match-host
If you need the SOURCE&DESTINATION matched, define it in the EXTENDED ACL, and match it in Route Map, do not attach the ACL directly to
the "ip nat" configuration line.
____________________________________________________________________________________________________________________
Load Balancing using NAT ____________________________________________________________________________________________________________________
Step 1: Create a POOL of all the INSIDE LOCAL IPs, and define the pool type "type rotary":
(config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary
Step 2: Define an ACL with the Inside Global IP (the public one we're NAT-ing into):
(config)#access-list 1 permit 200.2.2.2
Step 3: Do the inside NAT with ACL 1 as the DESTINATION list, and the POOL of LOCAL IPs:
(config)#ip nat inside destination list 1 pool ?
WORD Pool name for local addresses
Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
(config)#int lo0
(config-if)#ip nat inside
(config-if)#
(config-if)#int s0/1/0.21
(config-subif)#ip nat outside
Be sure that the routing is in place (both the forward and the return path towards the NAT-ed IP, 200.2.2.2)!!!
Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:
#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.2.2.2:23 10.2.2.1:23 131.1.12.1:20186 131.1.12.1:20186
tcp 200.2.2.2:23 10.2.2.2:23 131.1.12.1:25096 131.1.12.1:25096
tcp 200.2.2.2:23 10.2.2.3:23 131.1.12.1:20389 131.1.12.1:20389
____________________________________________________________________________________________________________________
PAT (NAT Overload) ____________________________________________________________________________________________________________________
Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to ONE SINGLE Inside Global IP.
Step 1: Create an ACL with all the Inside Local addresses:
(config)#access-list 1 permit 10.2.2.0 0.0.0.7
Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:
Step 2.1: Create the Inside Global IP Pool of any addresses from the Link towards the other Router and Configure the NAT Overload with the
defined pool:
(config)#ip nat pool OVERLOAD 15.10.1.2 15.10.1.2 prefix-length 24
(config)#ip nat inside source list 1 pool OVERLOAD overload
Step 2.2: Configure the NAT to point to the Interface you need the traffic to go out from:
(config)#ip nat inside source list 1 interface s0/1/0.21
*The system adds "overload" argument:
(config)#do sh run | i nat inside
ip nat inside
ip nat inside source list 1 interface Serial0/1/0.21 overload
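The three NAT modes described in the Dynamic NAT, Load Balancing using NAT and PAT sections, as one added Python example that is not part of the original notes: a small NatRouter model that hands out one pool address per inside host (dynamic NAT), rotates a rotary pool per new inbound connection, and multiplexes PAT sessions on one address by port. The pool ranges, ACL networks and addresses come from the commands above; the NatRouter class, its method names and the port allocation are constructed for this illustration.

```python
import ipaddress
from itertools import cycle


def pool_range(first, last):
    """Expand the 'first last' addresses of an `ip nat pool` into a list."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class NatRouter:
    """Model of the three NAT modes from these notes (constructed, not IOS code)."""

    def __init__(self):
        self.acl = None          # inside-local network matched by the source list
        self.pool = []           # free inside-global addresses (dynamic NAT)
        self.ip_map = {}         # dynamic NAT: inside local -> inside global
        self.overload_ip = None  # the single inside-global address used by PAT
        self.next_port = 1024    # simplification: IOS keeps the original port if free
        self.pat_map = {}        # PAT: (proto, local ip, local port) -> global port
        self.rotary = None       # (virtual inside-global IP, cycle of inside-local IPs)

    # (config)#ip nat inside source list 1 pool INSIDE_GLOBAL
    def source_pool(self, acl_net, first, last):
        self.acl = ipaddress.ip_network(acl_net)
        self.pool = pool_range(first, last)

    # (config)#ip nat inside source list 1 interface s0/1/0.21 overload
    def source_overload(self, acl_net, global_ip):
        self.acl = ipaddress.ip_network(acl_net)
        self.overload_ip = global_ip

    # (config)#ip nat inside destination list 1 pool TASK1   (pool "type rotary")
    def destination_rotary(self, global_ip, first, last):
        self.rotary = (global_ip, cycle(pool_range(first, last)))

    def outbound(self, proto, src, sport):
        """Inside->outside. Returns (inside global IP, port), or None when the
        packet is not translated (ACL miss, or dynamic pool exhausted)."""
        if self.acl is None or ipaddress.ip_address(src) not in self.acl:
            return None
        if self.overload_ip:
            # PAT: every (proto, host, port) session gets its own global port
            key = (proto, src, sport)
            if key not in self.pat_map:
                self.pat_map[key] = self.next_port
                self.next_port += 1
            return (self.overload_ip, self.pat_map[key])
        # Dynamic NAT: one global address per inside host, ports unchanged
        if src not in self.ip_map:
            if not self.pool:
                return None          # pool exhausted: translation fails
            self.ip_map[src] = self.pool.pop(0)
        return (self.ip_map[src], sport)

    def inbound(self, proto, dst, dport):
        """Outside->inside. Returns (inside local IP, port) or None."""
        if self.rotary and dst == self.rotary[0]:
            # Rotary pool: each new connection to the VIP goes to the next
            # server (an established flow would stay in the translation table).
            return (next(self.rotary[1]), dport)
        for (pr, local, lport), gport in self.pat_map.items():
            if pr == proto and dst == self.overload_ip and gport == dport:
                return (local, lport)
        for local, glob in self.ip_map.items():
            if glob == dst:
                return (local, dport)
        return None


if __name__ == "__main__":
    lb = NatRouter()
    lb.destination_rotary("200.2.2.2", "10.2.2.1", "10.2.2.5")
    # Six telnet connections to the VIP are spread over the five real servers.
    print([lb.inbound("tcp", "200.2.2.2", 23)[0] for _ in range(6)])
```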
____________________________________________________________________________________________________________________
PAR - When you need to implement traffic redirections using NAT ____________________________________________________________________________________________________________________
You can define traffic redirection using Static Entries, but there is a trick. For example, you want all the http traffic DESTINED FOR s0/0.5 of
R1 to be REDIRECTED to the IP 15.10.123.3 instead. You can configure this by defining the static NAT:
(config)#ip nat inside source static tcp 15.10.123.3 80 int s0/0.5 80
*MAKE SURE YOU UNDERSTAND THIS COMMAND, IT'S A BIT BACKWARDS (15.10.123.3 is the inside LOCAL address, the IP of s0/0.5 is the inside GLOBAL one)!!!
#telnet 131.1.14.1 80 (131.1.14.1 is the IP configured on the s0/0.5 interface of R1)
Trying 131.1.14.1, 80 ... Open
So when you telnet to R1's IP on port 80 from the router on the s0/0.5 side, you see the following debug:
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053] 131.1.14.1, d=131.1.14.4 [31747] 15.10.123.3 [23054]
*Nov 6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23055]
*Nov 6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]
*Nov 6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23056]
*Nov 6 15:56:48.763: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31749]
*Nov 6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23057]
*Nov 6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23058]
____________________________________________________________________________________________________________________
Static NAT redundancy with HSRP ____________________________________________________________________________________________________________________
This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the routers that form the HSRP
group). In order to do this, it's necessary to NAME each of the HSRP groups:
Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1
Step 5: Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1
Step 6: Check the translations
#sh ip snat distributed
Stateful NAT Connected Peers
No entries will appear until you generate some traffic (a PING is enough); once you do, with the NAT/SNAT debugs enabled, you'll see:
*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]
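Steps 2-4 of the HSRP/SNAT procedure are not in this part of the notes, so here is an added example (my own, not from the original notes) of the whole thing on one of the two HSRP routers: the named HSRP group from Step 1, the stateful NAT process bound to that group with a mapping-id, and the dynamic NAT from Step 5 that references the mapping-id. All interface names, addresses, the ACL number and the pool name are assumed; the peer router uses the same configuration with its own interface IPs and a different "ip nat stateful id".

```ios
! Added example (not from the original notes): Stateful NAT (SNAT) tied to a named HSRP group.
! Addresses, interface names, ACL 10 and the pool name are assumed for illustration.
!
! Step 1: name the HSRP group on the LAN (NAT inside) interface of BOTH routers
interface FastEthernet0/0
 ip address 10.185.117.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.185.117.1
 standby 1 preempt
 standby name HSRP-1
!
! WAN side (NAT outside), each router with its own address
interface Serial0/1/0
 ip address 172.25.185.2 255.255.255.0
 ip nat outside
!
! Steps 2-4 (assumed syntax): a stateful NAT process that follows the HSRP group.
! The id must be unique per router (use "id 2" on the peer); the mapping-id is shared.
ip nat stateful id 1
 redundancy HSRP-1
  mapping-id 1
!
! Inside hosts to translate, and the inside global pool they are translated into
access-list 10 permit 10.185.117.0 0.0.0.255
route-map ROUTE_MAP_MATCHING_ACL permit 10
 match ip address 10
ip nat pool INSIDE_GLOBAL 172.25.185.10 172.25.185.20 prefix-length 24
!
! Step 5 (from the notes): attach the mapping-id so every translation is replicated to the peer
ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1
!
! Step 6: "show ip snat distributed" lists the connected peer, "show ip nat translations"
! should show the same entries on BOTH routers once traffic flows.
```

The point of the mapping-id is that only translations created by NAT rules carrying it are synchronised to the peer; a rule without a mapping-id still works locally but its sessions are lost on an HSRP failover, which is what "show ip nat translations" on the standby router will tell you.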
____________________________________________________________________________________________________________________
NAT Translations with the Outside Source ____________________________________________________________________________________________________________________
Just the other way around from the standard NAT: mark the interface the traffic will be coming from with "ip nat outside", and define the
translation with "ip nat outside source". This will translate the incoming traffic with the source 2.2.2.2 into LOCAL traffic with the source 200.2.2.2:
(config)#ip nat outside source static 2.2.2.2 200.2.2.2
____________________________________________________________________________________________________________________
NAT on a Stick ____________________________________________________________________________________________________________________
When a NAT router has to use the same interface for both INSIDE and OUTSIDE NAT, the trick is to use:
Step 1: Define the following:
- One normal interface, Fa0/0 for example, for ip nat outside and PBR ("ip policy route-map NAT_MAP") & "no ip redirects"
- One Loopback interface for ip nat inside
Step 2: Define the route-map (used as the PBR policy) MATCHING the Source and Destination IP ACL, and SETTING the Loopback interface:
(config)#route-map NAT_MAP
(config-rmap)#match ip address ACL_1
(config-rmap)#set interface lo0
Step 3: Define "inside" AND "outside" static NAT
____________________________________________________________________________________________________________________
DHCP Server ____________________________________________________________________________________________________________________
Using the DHCP Pool configured on an IOS device is somewhat obsolete, but in the case of smaller companies where this solution is inevitable (or
in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DHCP server on a Cisco Router:
Step 1: Enable the DHCP Server on the Device (Don't forget this step!!!):
(config)#service dhcp
Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network 172.25.185.0 255.255.255.0
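The notes stop at the network statement, so here is an added example (my own, not from the original notes) of a complete IOS DHCP server for the same 172.25.185.0/24 pool: the excluded range, default gateway, DNS, lease time and a static reservation. The gateway and DNS addresses, the domain name, the reserved host and its MAC are all assumed values.

```ios
! Added example (not from the original notes): a full IOS DHCP server for 172.25.185.0/24.
! Gateway, DNS, domain, the reserved host and its MAC address are assumed for illustration.
service dhcp
!
! Never lease the gateway/server addresses (the pool skips the whole excluded range)
ip dhcp excluded-address 172.25.185.1 172.25.185.10
!
! Dynamic pool: the "network" line is the one from the notes, the rest are the options clients get
ip dhcp pool Cisco
 network 172.25.185.0 255.255.255.0
 default-router 172.25.185.1
 dns-server 172.25.185.2
 domain-name lab.example.com
 lease 0 8
!
! Static reservation: a separate pool with "host" and the client-id (01 + MAC for Ethernet)
ip dhcp pool PRINTER
 host 172.25.185.20 255.255.255.0
 client-identifier 0100.1122.3344.55
!
! Probe an address with 2 pings before offering it, so a squatter gets logged as a conflict
ip dhcp ping packets 2
!
! Verify: "show ip dhcp binding" (leases), "show ip dhcp conflict" (addresses already in use),
! "show ip dhcp pool Cisco" (how much of the pool is left).
```

Two things worth checking after this is in place: "show ip dhcp conflict" should stay empty on a healthy segment (entries there mean someone is using addresses without asking the server), and a reservation only works when the client-identifier matches exactly what the client sends, which is why the 01 prefix is there.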
STEP 3: Define when the KRON is being executed:
(config)#kron occurrence week in 7:1:30 recurring
(config-kron-occurrence)# policy-list cns-weekly
STEP 4: Check the KRON status:
#show kron schedule
Kron Occurrence Schedule
week inactive, will run again in 7 days 01:25:17
____________________________________________________________________________________________________________________
GRE Tunnels ____________________________________________________________________________________________________________________
Cisco Documentation: Interface and Hardware Component Configuration Guide->Implementing Tunnels
GRE is Generic Routing Encapsulation, and it uses IP Protocol 47. It's the basic tunnel type and the simplest one to implement. For starters you
need to define the Tunnel interface:
(config)#interface tunnel 0
(config-if)#tunnel mode gre ip
Define the IP Address of the Tunnel Interface, and assign it the SOURCE and DESTINATION IP (these must be mutually PINGable):
(config-if)#ip address 10.187.134.121 255.255.255.0
*the subnet mask is not in the original notes; 255.255.255.0 is assumed here, use the mask of your tunnel subnet
(config-if)#tunnel source 131.1.12.1
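Both ends of the tunnel, as an added example (my own, not from the original notes). R1 uses the source address from the notes; R2's addresses, the /30 tunnel mask and the keepalive values are assumed.

```ios
! Added example (not from the original notes): both ends of a GRE/IP tunnel.
! R2's addresses, the /30 tunnel subnet and the keepalive values are assumed.
!
! ----- R1 -----
interface Tunnel0
 ip address 10.187.134.121 255.255.255.252
 tunnel mode gre ip
 tunnel source 131.1.12.1
 tunnel destination 131.1.12.2
 ! GRE has no session: without keepalives the tunnel stays up/up even if the far end is gone
 keepalive 10 3
 ! GRE adds 24 bytes; lowering the IP MTU avoids fragmentation over a 1500-byte transport
 ip mtu 1476
!
! ----- R2 -----
interface Tunnel0
 ip address 10.187.134.122 255.255.255.252
 tunnel mode gre ip
 tunnel source 131.1.12.2
 tunnel destination 131.1.12.1
 keepalive 10 3
 ip mtu 1476
!
! Verify on either side:
! ping 131.1.12.2                      <- the underlay must work first
! show interfaces tunnel 0             <- line protocol up, "Tunnel source ... destination ..."
! ping 10.187.134.122                  <- traffic inside the tunnel
```

Two caveats a practitioner should keep in mind: the route to the tunnel destination must never be learned through the tunnel itself, otherwise IOS shuts it with "%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing"; and GRE by itself authenticates and encrypts nothing (a "tunnel key" is only a demultiplexing value, not a secret), so over an untrusted transport it belongs inside IPsec.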
To avoid sending a packet for each keystroke typed:
(config)#service nagle
To "tune" CDP:
(config)#cdp timer 10
If you want to keep your configuration change logs in the NVRAM:
(config)#archive
(config-archive)#log config
IP Routing
____________________________________________________________________________________________________________________
IPv4 Routing TIPS ____________________________________________________________________________________________________________________
TIP: Remember that you can only DEBUG PROCESS-SWITCHED TRAFFIC, not the "cache" (fast/CEF-switched) traffic, so during the implementation it
might be useful to turn the route cache off on the interface you are debugging. Don't forget to turn it back on once you're done debugging.
(config-if)#no ip route-cache
____________________________________________________________________________________________________________________
PBR - Policy Based Routing ____________________________________________________________________________________________________________________
First define the route-map and apply it on the interface level:
(config-if)#ip policy route-map PBR
*you can apply a defined route-map to the traffic originated by the local router with the command "ip local-policy route-map ROUTEMAP"
If you are setting a next hop and you are not sure that a next-hop failure will be detected, use the "verify-availability" sub-command under
the route-map. In its basic form this is an old method that uses CDP: it would work only over frame-relay and not if there is a switch in between
(because of how CDP works), and it's not nearly as good as EOT (Enhanced Object Tracking):
(config-rmap)#set ip next-hop verify-availability
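The EOT variant that the notes prefer, as an added example (my own, not from the original notes): an IP SLA probe tracks the next hop, and the route-map only uses that next hop while the track object is up, otherwise the packet falls through to normal routing. Addresses, the ACL name, the SLA and track numbers are assumed.

```ios
! Added example (not from the original notes): PBR next hop guarded by Enhanced Object Tracking.
! Addresses, the ACL name and the SLA/track numbers are assumed for illustration.
!
! Probe the candidate next hop every 5 seconds from the interface that faces it
ip sla 1
 icmp-echo 10.1.1.2 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 is up while the probe succeeds, down when it fails
track 1 ip sla 1 reachability
!
! Which traffic gets policy-routed: one LAN going anywhere
ip access-list extended PBR_TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR_TRAFFIC
 ! "10" is the sequence among several next hops; the next hop is used only while track 1 is up
 set ip next-hop verify-availability 10.1.1.2 10 track 1
!
! Apply where the LAN traffic ENTERS the router
interface FastEthernet0/1
 ip policy route-map PBR
!
! Verify: "show track 1" (Reachability is Up/Down), "show route-map PBR" (policy matches),
! "debug ip policy" on a lab box only, it logs every policy decision.
```

On older IOS releases the same thing is spelled "ip sla monitor 1" / "type echo protocol ipIcmpEcho 10.1.1.2" and "track 1 rtr 1 reachability"; the route-map line is unchanged. Because the fallback is the normal routing table, it is worth confirming with "show ip route" that the fallback path is actually the one you want when the tracked next hop goes away.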
____________________________________________________________________________________________________________________
ODR - ON-DEMAND ROUTING ____________________________________________________________________________________________________________________
On-Demand Routing is not a routing protocol. It uses Cisco Discovery Protocol (CDP) to propagate the IP prefix. ODR is a perfect solution for a
hub and spoke topology where the spoke routers act as stub routers connected to the hub. ODR is a feature that provides IP routing for stub sites
with minimum overhead. Configuration is quite simple:
Step 1: Enable ODR globally on a HUB router:
(config)#router odr
First step is to build a KEY-CHAIN
key chain RIP_12
key 1
____________________________________________________________________________________________________________________
RIP: Updates Control ____________________________________________________________________________________________________________________
By default Version 1 uses Broadcast to send its updates. Version 2 uses Multicast, with the destination address 224.0.0.9. If you need to send
the Updates only when something changes in the topology, there is an INTERFACE command "ip rip triggered":
(config-if)#ip rip triggered
There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). To achieve this you need to manually define
the neighbor using the "neighbor" command, and define the interface towards the defined neighbor as PASSIVE, to prevent the Multicast
Updates that are sent by default (if the interface is not defined as passive, both UNICAST and MULTICAST Updates will be sent).
There is also a way to force Broadcast Updates (destination 255.255.255.255 instead of the default multicast destination 224.0.0.9) in Version 2
of RIP, and it's achieved using the Interface Command:
(config-if)#ip rip v2-broadcast
Another RIP-specific feature is injecting the default route using the "ip default-network" command. This is done in the Global Configuration
mode. Don't forget to advertise the network into the RIP protocol:
(config)#ip default-network 4.0.0.0
(config-router)#network 4.0.0.0
____________________________________________________________________________________________________________________
RIP: OFFSET LISTS ____________________________________________________________________________________________________________________
In the RIP Protocol the METRIC IS ACTUALLY the HOP COUNT, so if you want it to be UNREACHABLE - set METRIC to 16. RIP offset list is used to
INCREASE the Hop Count. Define the ACL (10 in this example), and set the Hop Count to be increased by a value, in this example 13:
(config-router)#offset-list 10 out 13 Fa0/0
Offset Lists work only with RIP and EIGRP
____________________________________________________________________________________________________________________
RIP: Update Source Control ____________________________________________________________________________________________________________________
RIP validates the source of the Update packets, so they need to be from the same subnet as the interconnection. If they are not, like in the
case where the updates are sourced from a Loopback, you can force the route updates by turning off the Source IP Validation:
(config-router)#no validate-update-source
This way the RIP routes will be exchanged, but if L3 Reachability is not established between the routers - the RIP routes will not be
reachable.
If you need to define the EXACT SOURCES (RIP Neighbors) you want to receive the RIP Updates from - use the "gateway" keyword on a distribute-list.
This works for RIP and EIGRP only.
Start by defining 2 PREFIX LISTS, one for WHERE you want updates from, another to filter WHICH UPDATES you want. Once you've got your Prefix Lists
configured, apply them via a Distribute List in the Router Configuration Mode (note the "prefix" keyword in front of the prefix-list name):
(config-router)#distribute-list prefix UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0
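The two update-control techniques described above (unicast updates to one neighbor from "RIP: Updates Control", and the gateway/prefix filter from "RIP: Update Source Control") in one working configuration, as an added example (my own, not from the original notes). The prefix-lists themselves are not in the notes, so their contents, the neighbor address and the interface names are assumed.

```ios
! Added example (not from the original notes): RIP unicast updates to one neighbour plus a
! distribute-list that accepts updates only from listed sources and only for listed prefixes.
! Addresses, interface names and prefix-list contents are assumed for illustration.
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 150.1.0.0
 !
 ! Unicast updates: passive-interface suppresses the 224.0.0.9 multicast updates on Fa0/0,
 ! "neighbor" keeps sending updates to that one peer as unicast
 passive-interface FastEthernet0/0
 neighbor 10.1.12.2
 !
 ! Inbound filter on Fa0/0: source must match PREFIX_UPDATE_SOURCES, route must match UPDATE_PREFIXES
 distribute-list prefix UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in FastEthernet0/0
!
! WHO may send us updates: the neighbour's source address, as a /32
ip prefix-list PREFIX_UPDATE_SOURCES seq 5 permit 10.1.12.2/32
!
! WHICH prefixes we accept from them: 150.1.0.0/16 and its subnets down to /24, nothing else
ip prefix-list UPDATE_PREFIXES seq 5 permit 150.1.0.0/16 le 24
!
! Verify: "show ip rip database" (what was accepted), "show ip protocols" (the gateway filter
! and passive interfaces are listed), "debug ip rip" on a lab box to see updates being ignored.
```

Both lists end in an implicit deny, so anything not explicitly permitted (an unexpected source on the segment, or a prefix outside 150.1.0.0/16) is silently dropped; "debug ip rip" is the quickest way to see that a rogue update was received and ignored rather than never sent.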
____________________________________________________________________________________________________________________
RIP: Route Summarizing ____________________________________________________________________________________________________________________
Done on the interface level:
(config-if)#ip summary-address rip 150.1.0.0 255.255.252.0
#show ip rip database
150.1.0.0/22 int-summary
____________________________________________________________________________________________________________________
OSPF ____________________________________________________________________________________________________________________
OSPF Multicasts: 224.0.0.5 - send Hello packets to all OSPF routers on a network segment; 224.0.0.6 - send info to the DR
TIP: When using BROADCAST and NON-BROADCAST in order to PEER you MUST ADJUST THE TIMERS!!!
TIP: When you need to do a CONDITION, like do something if a certain route exists in a routing table - just use the PREFIX-LIST, and match it
in the route-map "match ip address prefix-list ROUTE_EXISTS"
TIP: When you have the L2 tunnel directly attached to an OSPF interface, better configure ignoring of MTU:
(config-if)#ip ospf mtu-ignore
TIP: To IGNORE stuff in the ospf, like LSA6 (MOSPF), under the routing process:
(config-router)#ignore lsa mospf
WHEN you need to advertise Loopbacks with the CORRECT MASKS, be sure to do "ip ospf network point-to-point", otherwise it will be sent
with /32 (/32 Might be required for Multicast or MPLS, so be careful with this!)
____________________________________________________________________________________________________________________
OSPF over Frame-Relay, focus on Network Types ____________________________________________________________________________________________________________________
TIP: Revise DR->"neighbor" command->TIMERS
Don't forget that in Frame-Relay "broadcast" is defined ONLY DIRECTLY between the HUB AND A SPOKE, ON BOTH SIDES of the PVC!!! What this does is tell
the routers "Hey, if you have any broadcast messages, go ahead and send them down this DLCI as a unicast", so basically it is a way to send
broadcast messages on a non-broadcast medium. Don't include "broadcast" between the SPOKEs, as the Hellos won't be able to traverse the
HUB.
Type 1: NON-BROADCAST - use the "neighbor" command on the HUB so OSPF uses UNICAST
OSPF uses Multicast, which the Router considers to be a kind of Broadcast. Due to the non-broadcast nature of Frame-Relay it can be assumed
that this is the DEFAULT OSPF network type over FR.
- Set the OSPF Priority to 0 on all the SPOKEs, so HUB is elected as the DR, and SPOKEs neither DR nor BDR
- Non-broadcast network type in OSPF uses slow timers meaning 30 second hello and 120 second dead-time. Here it will not affect us, as all
neighbor types match.
Type 2: BROADCAST - two important things:
- As BROADCAST is meant to be FASTER timers are 10/40 seconds by default
- Include the "broadcast" when mapping DLCI to IP. Also set the SPOKEs' OSPF Priority to 0, we don't want them to be DR
Type 3: POINT-TO-POINT
- Really simple, POINT-TO-XXX (P2P or P2MP) does not do the DR/BDR election
- Timers 10/40 seconds
TIP: When doing a HUB-AND-SPOKE, configure Point-to-Multipoint on a HUB, and ADJUST THE TIMERS!!!
Type 4: POINT-TO-MULTIPOINT
No DR, no "neighbor" commands. Slow timers (30/120 seconds). "broadcast" is mandatory on FR Mappings!!!
HUB will just advertise the learned routes from ONE SPOKE to the other, like if it were the DR.
!!!HUB must have .multipoint Sub-interface, while on SPOKES you can do .multipoint or Physical Interface.
Type 5: POINT-TO-MULTIPOINT NON-BROADCAST
Cisco Proprietary, like P2MP, with NO BROADCASTS ALLOWED! Timers are still slow, 30 and 120 Seconds.
Next hop is ALWAYS the router you are directly connected to.
(config-if)#ip ospf network point-to-multipoint non-broadcast
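The hub-and-spoke design the TIP recommends (Point-to-Multipoint on the HUB, timers adjusted everywhere), as an added example (my own, not from the original notes): the hub on a .multipoint sub-interface, the spokes on their physical interfaces, "broadcast" only on the hub-spoke maps, and explicit 10/40 timers that MUST match on every router. Addresses, DLCIs, router-ids and the process ID are assumed.

```ios
! Added example (not from the original notes): hub-and-spoke Frame-Relay with OSPF point-to-multipoint
! on the HUB's multipoint sub-interface and on the spokes' physical interfaces.
! Addresses, DLCIs, router-ids and the OSPF process ID are assumed for illustration.
!
! ----- HUB (R1) -----
interface Serial0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0/0.123 multipoint
 ip address 10.1.123.1 255.255.255.0
 ! "broadcast" only on hub<->spoke maps: it is what carries the 224.0.0.5 Hellos down each PVC
 frame-relay map ip 10.1.123.2 102 broadcast
 frame-relay map ip 10.1.123.3 103 broadcast
 ip ospf network point-to-multipoint
 ! P2MP defaults to 30/120; 10/40 is fine ONLY if every spoke is set the same way
 ip ospf hello-interval 10
 ip ospf dead-interval 40
!
router ospf 1
 router-id 1.1.1.1
 network 10.1.123.0 0.0.0.255 area 0
!
! ----- SPOKE (R2); R3 is identical with 10.1.123.3 and its own DLCI -----
interface Serial0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ip address 10.1.123.2 255.255.255.0
 ! one map, towards the hub only; nothing (and certainly no "broadcast") towards the other spoke
 frame-relay map ip 10.1.123.1 201 broadcast
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 ip ospf dead-interval 40
!
router ospf 1
 router-id 2.2.2.2
 network 10.1.123.0 0.0.0.255 area 0
!
! Verify on any router: "show ip ospf neighbor" (state FULL/ -, no DR/BDR column values) and
! "show ip ospf interface" (Network Type POINT_TO_MULTIPOINT, Hello 10, Dead 40 on both ends).
! Spoke-to-spoke works without extra maps: each P2MP router advertises its own /32 and the hub
! relays it, so R2 installs 10.1.123.3/32 with next hop 10.1.123.1 (the hub), which it can reach.
```

The /32 behaviour in the last comment is the practical difference from the BROADCAST and NON-BROADCAST types: with those, the next hop for a spoke-to-spoke route is the other spoke's own address, and a spoke needs an additional frame-relay map through the hub's DLCI to be able to encapsulate packets towards it.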
____________________________________________________________________________________________________________________
OSPF: Configuration on INTERFACE LEVEL ____________________________________________________________________________________________________________________
The routes can be advertised using the "network" command, but there is also another way. You can do an entire OSPF configuration on the
Interface Level:
(config-if)#ip ospf network point-to-point
(config-if)#ip ospf 1 area 0
This will automatically CREATE the OSPF process on the router:
#sh run | s router ospf
router ospf 1
log-adjacency-changes
Even so, you should define the "router ospf 1" process in the Global Configuration mode before the interface (it's not necessary for the OSPF
PEERING, but it avoids restarting the OSPF process later because of a Router ID change). Being defined as a P2P network - DR and BDR election will
not take place.
The state of all the OSPF Neighbors will be "FULL/-", as presented below:
#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:30 10.1.23.3 GigabitEthernet0/0
1.1.1.1 0 FULL/ - 00:00:34 10.1.12.1 Serial1/0
This way the interface is configured to automatically belong to the Area 0, and the interface Subnet will be "injected" into the OSPF Area. If