CISQUEROS.BLOGSPOT.COM

presents

Hitchhikers Guide to the CCIE v0.1

2 cisqueros.blogspot.com

About
This is nothing more than a script of simple guidelines I made during my CCIE preparations, 2012-2014. Keep in mind that I created this script throughout the entire preparation period, so some topics might be pretty basic, as my level was CCNP, while some others require the reader to have an almost-CCIE level. I will keep updating the script, and you will always be able to find the latest version on my blog and on the CertCollection blog: http://certcollection.org/

If you find my notes useful, I'm more than glad I could help. You can use it, share it, whatever, as long as you don't try to sell it or publish it as your own. If for any reason you'd like to get in touch with me, regardless of whether it's just to give me feedback about the script or to propose any kind of collaboration, you're more than welcome to contact me via my blog or via my LinkedIn profile:
http://cisqueros.blogspot.com.es/
http://es.linkedin.com/in/matejajovanovic


Table of Contents

About ... 3
LAN Switching ... 10
  Tips and Tricks ... 11
  VLAN Filters for NON-IP Traffic ... 11
  MEMORY OPTIMIZATION - SDM (Switch Database Management) ... 12
  INTERFACE Statuses ... 13
  CAM TABLE ... 13
  VTP - VLAN Trunking Protocol ... 13
  VMPS - VLAN Membership Policy Server ... 14
  TRUNKS and DTP (Dynamic Trunking Protocol) ... 14
  PRIVATE VLANS ... 15
  Dot1q Tunneling: 802.1q, QinQ Tunneling ... 16
  SPANNING TREE PROTOCOL (STP) ... 16
  MULTIPLE SPANNING TREE (MSTP) ... 18
  PORTFAST ... 18
  BPDU GUARD ... 18
  UDLD - Unidirectional Link Detection ... 19
  SOURCE GUARD and DHCP SNOOPING ... 20
  ETHERCHANNEL ... 20
  DAI (Dynamic ARP Inspection) ... 22
  SNMP ... 23
  MONITORING ... 24
  LOGGING ... 24
  STORM CONTROL ... 25
  HTTP Server (HTTP access) on a Switch ... 25
  Router on a STICK and IP BRIDGING ... 25
IP Services ... 26
  IP Services Tips and Tricks ... 27
  HSRP - Hot Standby Routing Protocol ... 27
  VRRP - Virtual Routing Redundancy Protocol ... 28
  GLBP - Global Load Balancing Protocol ... 29
  IRDP - ICMP Router Discovery Protocol ... 30
  DRP - Cisco Distributed Route Processor ... 31
  WAAS and WCCP Protocol ... 31
  NTP - Network Time Protocol ... 32
  IP SLA - Monitor the Network Performance ... 33
  STATIC NAT ... 34
  DYNAMIC NAT ... 35
  Load Balancing using NAT ... 35
  PAT (NAT Overload) ... 36
  PAR - When you need to implement traffic redirections using NAT ... 36
  Static NAT redundancy with HSRP ... 37
  Scalability for Stateful NAT (SNAT) ... 37
  NAT Translations with the Outside Source ... 38
  NAT on a Stick ... 38
  DHCP Server ... 39
  CNS (Cisco Networking Services) ... 39
  GRE Tunnels ... 40
  Various IOS Tricks ... 40
IP Routing ... 42
  PBR - Policy Based Routing ... 43
  ODR - ON-DEMAND ROUTING ... 43
  RIP ... 43
  RIP: Authentication ... 44
  RIP: Timers ... 44
  RIP: Updates Control ... 45
  RIP: OFFSET LISTS ... 45
  RIP: Update Source Control ... 46
  RIP: Route Summarizing ... 46
  RIP: Route Filtering using Prefix Lists ... 46
  OSPF ... 48
  OSPF over Frame-Relay, focus on Network Types ... 48
  OSPF: Configuration on INTERFACE LEVEL ... 49
  OSPF: Timers ... 49
  OSPF: Authentication ... 50
  OSPF: Route Redistribution ... 50
  OSPF Route Summarization ... 51
  OSPF Virtual Link ... 51
  OSPF Cost ... 52
  Redirecting Traffic (FORCING A PATH) ... 52
  OSPF and the GRE Tunnels ... 53
  OSPF LSA Types and AREA TYPES ... 53
  OSPF STUBS ... 55
  OSPF Route Filtering ... 56
  OSPF Non-Broadcast Networks ... 57
  OSPF NBMA (Non Broadcast Multiple Access) Networks ... 58
  OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ... 58
  DNS Lookup in OSPF ... 59
  ISPF ... 59
  Forward Address Suppression ... 59
  OSPF Sham Link ... 60
  OSPF in MPLS ... 61
  EIGRP ... 62
  EIGRP "show neighbors" command ... 62
  EIGRP Metric - K Values ... 63
  EIGRP Route Summarization and Leak Maps ... 64
  EIGRP Default Gateway ... 64
  VARIANCE Command ... 65
  EIGRP Authentication ... 65
  EIGRP: Maximum Hops ... 65
  EIGRP Administrative Distance ... 66
  EIGRP Updates BW Percent ... 66
  EIGRP Redistribute Routes into EIGRP ... 66
  EIGRP offset-list [metric adjustments] ... 66
  EIGRP Stub ... 66
  MP-EIGRP ... 67
  EIGRP Route Filtering ... 67
  BGP TIPs and Best Practices ... 68
  BGP Version ... 70
  BGP Peer-Group ... 70
  BGP Peer-Session and Peer-Policy Templates ... 71
  BGP Authentication ... 71
  BGP Route Reflectors ... 72
  BGP BACKDOOR Route ... 73
  BGP CONDITIONAL Advertisements - Advertise Maps ... 73
  BGP Route Dampening ... 74
  BGP Route Summarization ... 75
  BGP INJECT and EXIST map ... 75
  BGP Community Attribute ... 75
  BGP & Load Balancing ... 76
    1. AS-Path (The less ASs in the path - the Better) ... 77
    2. Weight (the Higher - the Better) ... 78
    3. MED (Multi Exit Discriminator) ... 79
    4. LOCAL PREFERENCE ... 79
  BGP Filters: Distribution and Prefix lists ... 80
  BGP: Regular Expressions ... 80
  BGP Confederations ... 81
  MP-BGP (Multi-Protocol BGP) ... 82
  Route Redistribution TIPs ... 83
QoS ... 84
  QoS TIPS ... 85
    QoS on Access Ports ... 85
    DSCP and COS MAPPING ... 87
    Map COS to DSCP on a device ... 88
    QoS POLICING - INDIVIDUAL and AGGREGATE POLICER ... 88
    PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ... 88
    WFQ - By default works with IP PRESEDENCE ... 89
    RSVP - Resource Reservation Protocol ... 90
    IPv6 QoS ... 90
    Match MAC ADDRESS ... 90
    QoS Frame-Relay SHAPING ... 91
    QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ... 93
    QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ... 94
    QoS CBWFQ - configured using MQC ... 94
    QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ... 94
    Define the QoS Schedule (TIME-RANGE command) ... 95
    QoS CAR (Committed Access Rate) - "rate-limit" Interface Command ... 95
    NBAR (match protocol XXX) - if you need to match the port without the ACL ... 95
    DUAL RATE - DUAL BUCKET ... 96
    WRED - Weighted Random Early Detection and CB-WRED ... 96
WAN ... 97
  Frame-Relay TIPS ... 98
  FRAME RELAY QoS ... 98
  PHYSICAL INTERFACE CONFIGURATION: ... 99
  POINT-TO-POINT SUB-INTERFACE: ... 99
  POINT-TO-MULTIPOINT SUB-INTERFACE: ... 100
  VIRTUAL TEMPLATE ... 100
  FRAME RELAY AUTHENTICATION ... 101
  FRAME RELAY End-to-End KEEPALIVE ... 102
  FRAME-RELAY MULTILINKING ... 103
  FRAME-RELAY AUTO-INSTALL ... 104
IP Multicast ... 105
  Multicast TIPS ... 106
  Multicast - IGMP ... 106
  Configure PIM Multicast ... 107
  PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ... 109
  STATIC RENDEZVOUZ POINT (RP) Configuration ... 110
  DESIGNATED ROUTER (DR) Configuration ... 110
  IP MULTICAST: AUTOMATIC RENDEZVOUZ POINT (Auto-RP) Configuration ... 111
  IP MULTICAST: BSR (Bootstrap Router) Configuration ... 112
  IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ... 113
  Multiprotocol BGP (MP-BGP) & IP Multicast ... 113
  IP MULTICAST: Configuring SSM (Source Specific Multicast) ... 114
  IP MULTICAST: Bidirectional PIM (Bidir-PIM) ... 115
  IP MULTICAST: Helper Map ... 116
  MULTICAST Helper Map & Helper-address ... 117
Security ... 118
  Security TIPS ... 119
  Router Security - Best Practices ... 119
  KNOWN ATTACKS and how to prevent ... 120
  BANNER and MENU Configuration ... 121
  Configure SSH Access ... 121
  ADVANCED Access Lists (ACL) Configuration ... 122
  DYNAMIC ACL (aka Lock and key ACL) ... 123
  REFLEXIVE ACL - For Session Filtering ... 123
  TCP INTERCEPT - To prevent TCP SYN DoS attacks ... 124
  CBAC - Context Based Access Control Firewall ... 124
  PAM - Port to Application Mapping ... 125
  uRPF - Unicast Reverse Path Forwarding ... 126
  Zone Based Firewall ... 127
  CONTROL Plane Policy (CPPr) ... 128
  IOS IPS (Intrusion Prevention System) ... 129
  AAA Authentication ... 130
MPLS ... 131
  MPLS Configuration ... 132
  MPLS LFIB and Labels (Label Spacing) ... 133
  MPLS Session Protection ... 134
  MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ... 135
  L2VPN - AToM (Any Transport over MPLS) ... 136
IPv6 ... 137
  IPv6 TIPS ... 138
  IPv6 Basics ... 138
  Convert MAC to Link Local IPv6 Address ... 140
  IPv6 Routing ... 141
  OSPFv3 ... 142
  EIGRP IPv6 ... 143
  IPv6 Tunnels ... 144
  IPv6 Multicast Routing ... 145


LAN Switching


____________________________________________________________________________________________________________________

Tips and Tricks


____________________________________________________________________________________________________________________
Remove a FOLDER from the flash:
#delete /force /recursive flash:c3750-ipbase-mz.122-35.SE5

TIP: When there is a CISCO Phone attached to an access port, configure "switchport voice vlan X" on that access port.
____________________________________________________________________________________________________________________

VLAN Filters for NON-IP Traffic


____________________________________________________________________________________________________________________
These are not used in production environments very often, but in the CCIE exam this can be useful to know. In the Cisco Docs it can be found under "Network Security with ACLs" in the Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swacl.html

STEP 1: Basically, instead of an IP ACL we create a MAC ACL in order to apply it later. For example, here a MAC access-list is created to filter out BPDUs of a certain type (check all the NON-IP stuff we can filter out):
(config)# mac access-list extended DENY_BPDU
(config-ext-macl)# permit host 000.0c00.0111 any
(config-ext-macl)# permit any any ?
  <0-65535>     An arbitrary EtherType in decimal, hex, or octal
  aarp          EtherType: AppleTalk ARP
  amber         EtherType: DEC-Amber
  appletalk     EtherType: AppleTalk/EtherTalk
  cos           CoS value
  dec-spanning  EtherType: DEC-Spanning-Tree
  decnet-iv     EtherType: DECnet Phase IV
  diagnostic    EtherType: DEC-Diagnostic
  dsm           EtherType: DEC-DSM
  etype-6000    EtherType: 0x6000
  etype-8042    EtherType: 0x8042
  lat           EtherType: DEC-LAT
  lavc-sca      EtherType: DEC-LAVC-SCA
  lsap          LSAP value
  mop-console   EtherType: DEC-MOP Remote Console
  mop-dump      EtherType: DEC-MOP Dump
  msdos         EtherType: DEC-MSDOS
  mumps         EtherType: DEC-MUMPS
  netbios       EtherType: DEC-NETBIOS
  vines-echo    EtherType: VINES Echo
  vines-ip      EtherType: VINES IP
  xns-idp       EtherType: XNS IDP

STEP 2: After the MAC ACL is created, we need to apply it to a Layer 2 interface. This can be done in one of 2 ways:
1. Directly, using the "mac access-group MACL in" command
2. Using VLAN Maps

VLAN Maps are the only way to control filtering within a VLAN. You can define the DROP or FWD action:
(config)#vlan access-map VLANACM 10 <-10 IS THE SEQ NUMBER
(config-access-map)#action drop
(config-access-map)#match mac address DENY_BPDU <-MATCH THE DEFINED MAC ACL

!!!IMPORTANT: ORDER IS IRRELEVANT HERE!!! First we're saying DROP, and then matching what to drop.
(config)#vlan access-map VLANACM 20
(config-access-map)#action forward <-TO PERMIT ALL OTHER TRAFFIC

STEP 3: At the end you need to APPLY the VLAN Access-Map to the VLAN (MEMORIZE THIS STUFF):
(config)#vlan filter VLANACM vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs
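The following is an added example, not part of the original notes: a small Python model of how the VLAN access-map above evaluates a frame. It shows the three points that matter in the exam: a MAC ACL is first-match with an implicit deny, "permit" inside a map entry only means "this entry matches the frame" (the action is what the map entry says), and a frame that matches no sequence is dropped by the map's own implicit deny, which is why sequence 20 with a bare "action forward" is needed. The MAC addresses, EtherTypes and the DENY_BPDU contents used here are constructed, not taken from a switch.

```python
# Added example (not from the original notes): a model of how a VLAN access-map
# with a MAC ACL filters non-IP frames on a Catalyst switch.
# All frames, ACL entries and sequence numbers below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few named EtherTypes as IOS accepts them in a MAC ACL (IEEE-assigned values).
ETHERTYPE = {"aarp": 0x80F3, "appletalk": 0x809B, "decnet-iv": 0x6003,
             "vines-ip": 0x0BAD, "xns-idp": 0x0600, "ipv4": 0x0800, "arp": 0x0806}


@dataclass(frozen=True)
class Frame:
    src: str        # dotted-hex MAC as IOS prints it, e.g. 0000.1111.2222
    dst: str
    ethertype: int


@dataclass(frozen=True)
class MacAce:
    action: str                      # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    ethertype: Optional[int] = None  # None = any EtherType


def ace_matches(ace: MacAce, f: Frame) -> bool:
    return ((ace.src == "any" or ace.src == f.src)
            and (ace.dst == "any" or ace.dst == f.dst)
            and (ace.ethertype is None or ace.ethertype == f.ethertype))


def mac_acl_permits(acl: List[MacAce], f: Frame) -> bool:
    """First-match evaluation of a MAC ACL with the usual implicit deny at the end.
    Inside a VLAN map, 'permit' only means 'this entry matches the frame'."""
    for ace in acl:
        if ace_matches(ace, f):
            return ace.action == "permit"
    return False


# A VLAN map is a list of (sequence, action, acl); acl None = no match clause,
# which matches every frame (like sequence 20 in the notes above).
VlanMap = List[Tuple[int, str, Optional[List[MacAce]]]]


def vlan_map_action(vlan_map: VlanMap, f: Frame) -> str:
    """Sequences are tried in numeric order; the first one whose ACL matches
    decides. A frame matching no sequence is dropped by the map's implicit deny."""
    for _seq, action, acl in sorted(vlan_map, key=lambda e: e[0]):
        if acl is None or mac_acl_permits(acl, f):
            return action
    return "drop"


# Constructed equivalent of the DENY_BPDU / VLANACM configuration in the notes.
DENY_BPDU = [MacAce("permit", src="0000.1111.2222")]
VLANACM: VlanMap = [
    (10, "drop", DENY_BPDU),     # action drop + match mac address DENY_BPDU
    (20, "forward", None),       # action forward, no match clause: everything else
]
```

Try `vlan_map_action(VLANACM[:1], some_frame)` to see the implicit deny: without sequence 20 every frame that DENY_BPDU does not match is dropped as well.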


____________________________________________________________________________________________________________________

MEMORY OPTIMIZATION - SDM (Switch Database Management)


____________________________________________________________________________________________________________________
Cisco Docs: 3560 -> Consolidated Platform Configuration Guides -> System Management -> SDM Templates
Depending on the switch purpose (L2 Switching that uses CEF, IP Routing, or IPv6), memory allocation can be optimized using SDM (Switch Database Management). There are 4 templates:
ACCESS - For QoS and Security
ROUTING - For IP Routing
VLAN - Sets the switch to L2 and disables IP Routing
Extended Match - For WCCP and multiple VRFs (reformats memory space to allow 144-bit L3 TCAM support)

(config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]
(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6 <-USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6
  ipe                 IPe bias
  routing             Unicast bias <-SWITCH THAT YOU USE AS A ROUTER, ONLY IPv4
  vlan                VLAN bias <-ONLY L2 SWITCH

Check the achieved results:

#show sdm prefer
 The current template is "desktop default" template. <--- COMMAND NOT ACTIVE BEFORE THE SWITCH HAS BEEN REBOOTED
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

#show sdm prefer
 The current template is "desktop routing" template. <--- AFTER THE REBOOT THE SWITCH CHANGES THE SDM MODE
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K <--- MEMORY ALLOCATION HAS BEEN CHANGED
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

It can happen that you need to use IPv6 on a switch and the command "ipv6 unicast-routing" is not working. If the switch seems not to support the command, in reality you only need to change the buffer allocation first (apply a different SDM template). The problem is that you have to SAVE and RELOAD, so be sure you do it before the LAB if you know you'll be using both IPv4 and IPv6. Make sure you really need to reconfigure by checking the current SDM settings with "show sdm prefer":
(config)#sdm prefer dual-ipv4-and-ipv6 routing


____________________________________________________________________________________________________________________

INTERFACE Statuses
____________________________________________________________________________________________________________________
INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING:
GigabitEthernet3/0/1   unassigned  YES unset  down                   down

INTERFACE "shutdown":
GigabitEthernet3/0/17  unassigned  YES unset  administratively down  down

INTERFACE "no shut" and CONNECTED:
GigabitEthernet3/0/19  unassigned  YES unset  up                     up

____________________________________________________________________________________________________________________

CAM TABLE
____________________________________________________________________________________________________________________
You can set up the MAC Aging Time, and Security (enable the known and secure MAC addresses):
(config)#mac address-table aging-time 600 <--- if not active for 10 minutes REMOVE from the CAM table
(config)#mac-address-table secure 48BIT_MAC_ADDRESS Gi3/0/15

____________________________________________________________________________________________________________________

VTP - VLAN Trunking Protocol


____________________________________________________________________________________________________________________
Most commands can be configured in PRIVILEGED, CONFIGURE or DATABASE mode. Have in mind that there is no way to un-configure the VTP DOMAIN NAME (by default it's NULL). You have to delete flash:vlan.dat, erase the startup-config and reload the router. You can configure the source IP of all the VTP messages:
(config)#vtp interface Loopback 1 [only] <- It will not be propagated

To restrict FLOOD TRAFFIC to TRUNK Interfaces, use VTP PRUNING. 4 types of VTP Advertisements are exchanged between the switches:
1. Summary Advertisements - every time the VTP database changes (every 300 ms)
2. Subset Advertisements - sent right after the SUMMARY, includes what exactly changed
3. Advertisements requested from clients - the client requests info to update its VTP database, the server responds
4. VTP Membership announcements - when PRUNING is enabled, they tell the neighbor WHAT VLANs they want (if the VLAN is not announced with this message, it is not on the trunk)

You can adjust the VLANs that are being pruned on the interface, so for example to PRUNE ALL BUT VLAN 8:
(config-if)#switchport trunk pruning vlan 2-7,9-1001

OR
(config-if)#switchport trunk pruning vlan remove 8

Check the PRUNING STATUS:


#show interfaces pruning
Port      Vlan traffic requested of neighbor <-!!!THE ALLOWED VLANS ARE DISPLAYED HERE!!!
Fa1/0/13  1,6-8,12,36,43,45,77,255,258
Fa1/0/14  1,6-7,12,36,43,45,77,88,255,258
Fa1/0/15  1,6-7,12,36,43,45,77,88,255,258
Fa1/0/19  1,7,12,36,45,77,88,255,258
Fa1/0/20  1,6-7,12,36,43,45,77,88,255,258
Fa1/0/21  1,6-7,12,36,43,45,77,88,255,258


ENABLE PRUNING (can be done ONLY ON VTP SERVER Switch):


#vtp pruning <--- PROPAGATED TO ALL SWITCHES WITHIN THE VTP DOMAIN
Pruning switched on

*VLAN 1 CANNOT BE PRUNED!!!
**VLANs that are used locally also CANNOT BE PRUNED. VLANs that are ELIGIBLE for Pruning are 2-1001 only

____________________________________________________________________________________________________________________

VMPS - VLAN Membership Policy Server


____________________________________________________________________________________________________________________
VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically, based on the MAC address of the device connected to the port. VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients, so it is not necessary for VMPS clients to know whether the VMPS resides on a local or a remote device on the network. Upon receiving a valid request from a VMPS client, the VMPS server searches its database for a MAC-address-to-VLAN mapping entry.

When a port is configured as "dynamic", it receives VLAN information based on the MAC address that is on the port. The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC address on the port.

SECURE MODE: If the MAC is not found on the VMPS Server - shut down the port

Configuration is done on a per-role basis, on Client and Server. On the VMPS Server:
(config)#vmps server [ipaddress | hostname] primary

And on all the switches in the LAN (VMPS Clients):
(config-if)#switchport access vlan dynamic

Define how many times you want the Client to contact the Server, e.g. to retry 5 times:
(config)#vmps retry 5
(config)#vmps reconfirm 30 <--- RETRY IN 30 MINUTES IF 5 ATTEMPTS FAIL

____________________________________________________________________________________________________________________

TRUNKS and DTP (Dynamic Trunking Protocol)


____________________________________________________________________________________________________________________
Dynamic Trunking Protocol PRE-REQUISITE: BOTH sides MUST have THE SAME SPEED and DUPLEX CONFIGURED!!!
*You don't need to set the ENCAPSULATION on BOTH sides if you are using DTP

To turn DTP OFF, set the PERMANENT TRUNK MODE (TURNS DTP OFF); it still negotiates to CONVERT the Neighbor. The interface becomes a TRUNK even if the other side is not a trunk.
(config-if)#switchport mode trunk

Dynamic Desirable - Actively attempts to convert to TRUNK, but it's NOT in PERMANENT TRUNK mode:
(config-if)#switchport mode dynamic desirable

Dynamic Auto - Negotiates a TRUNK ONLY if a Negotiation Packet is received from a Neighbour:
(config-if)#switchport mode dynamic auto

Nonegotiate - Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk:
(config-if)#switchport nonegotiate


____________________________________________________________________________________________________________________

PRIVATE VLANS
____________________________________________________________________________________________________________________
*REQUIRES VTP MODE TO BE SET TO TRANSPARENT, which disables VTP!!!
(config)#vtp mode transparent

This topic belongs to L2 SECURITY rather than L2 SWITCHING. A Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!

1. Promiscuous - belongs to the PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40 <-DONT FORGET TO ASSOCIATE EVEN WITH ISOLATED

Then configure the interface:
(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 30,40,50 <-Map Promiscuous VLAN 10 to Community and Isolated VLANs

2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated
(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 30
(config-vlan)#private-vlan community
(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <-Associate Community VLAN 20 with Promiscuous VLAN 10

DONT FORGET TO ASSOCIATE the Secondary VLANs to the Primary, so that they can all communicate with Promiscuous:
(config-vlan)#private-vlan association add 20,30,40

#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Et0/2
10      30        community         Et0/0
10      40        isolated          Et0/0

GREAT Example of PRIVATE VLANs is 2 HOSTS on a SWITCH that should NOT communicate to each other, and 1 router that should communicate with BOTH HOSTS. You should do VLAN XXX for HOSTS as ISOLATED, and VLAN for the ROUTER as the PROMISCUOUS, and associate it to the ISOLATED VLAN.
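An added example, not part of the original notes: a Python model of the Private VLAN reachability rules described above (promiscuous talks to everyone, isolated only to promiscuous, community within itself or to promiscuous, and only one isolated VLAN per primary). It also models the two-step requirement from the configuration: a host port can reach the promiscuous port only if its secondary VLAN is both associated on the primary VLAN and mapped on the promiscuous port. The VLAN numbers follow the notes (primary 10, communities 20/30, isolated 40); the port names and the host/router placement are constructed.

```python
# Added example (not from the original notes): which ports can talk to each
# other inside a Private VLAN, using the rules from this section.
# VLAN numbers follow the notes; port names and hosts are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                          # "promiscuous" or "host"
    secondary: int = 0                 # host ports: secondary VLAN of the host-association
    mapping: frozenset = frozenset()   # promiscuous ports: secondaries mapped to the port


class PrivateVlan:
    def __init__(self, primary: int):
        self.primary = primary
        self.secondaries = {}      # secondary vlan -> "isolated" | "community"
        self.associated = set()    # 'private-vlan association add ...' on the primary

    def add_secondary(self, vlan: int, kind: str) -> None:
        if kind not in ("isolated", "community"):
            raise ValueError("secondary VLAN type must be isolated or community")
        if kind == "isolated" and "isolated" in self.secondaries.values():
            raise ValueError("a primary VLAN can have ONLY ONE isolated VLAN")
        self.secondaries[vlan] = kind

    def associate(self, *vlans: int) -> None:
        self.associated.update(vlans)

    def can_talk(self, a: PvlanPort, b: PvlanPort) -> bool:
        if a.mode == "promiscuous" and b.mode == "promiscuous":
            return True
        if "promiscuous" in (a.mode, b.mode):
            prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
            # Both the association on the primary VLAN and the mapping on the
            # promiscuous port are required, exactly like the two commands above.
            return (host.secondary in self.associated
                    and host.secondary in prom.mapping)
        # host <-> host: only within the same community VLAN; isolated never
        return (a.secondary == b.secondary
                and self.secondaries.get(a.secondary) == "community")


def example_topology():
    """Primary 10 with communities 20 and 30 and isolated 40, as in the notes;
    the router sits on the promiscuous port, two hosts share the isolated VLAN."""
    pv = PrivateVlan(10)
    pv.add_secondary(20, "community")
    pv.add_secondary(30, "community")
    pv.add_secondary(40, "isolated")
    pv.associate(20, 30, 40)
    ports = {
        "router": PvlanPort("Et0/3", "promiscuous", mapping=frozenset({20, 30, 40})),
        "h1": PvlanPort("Et0/0", "host", secondary=40),
        "h2": PvlanPort("Et0/1", "host", secondary=40),
        "c1": PvlanPort("Et0/2", "host", secondary=20),
        "c2": PvlanPort("Et0/4", "host", secondary=20),
        "c3": PvlanPort("Et0/5", "host", secondary=30),
    }
    return pv, ports
```

`example_topology()` is the "2 hosts + 1 router" case from the paragraph above: `can_talk(h1, h2)` is False while both reach the router.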


____________________________________________________________________________________________________________________

Dot1q Tunneling: 802.1q, QinQ Tunneling


____________________________________________________________________________________________________________________
When a TUNNEL port receives the Customer's traffic, the INGRESS PORT adds a 2-byte EtherType field 0x8100 + 2 bytes for CoS and VLAN; the EGRESS tunnel port STRIPS THESE 4 BYTES.
(config-if)#switchport access vlan 100
(config-if)#switchport mode dot1q-tunnel <-CHECK THE EXPLANATION BELOW

You can also configure L2 TUNNELING (CDP, STP and VTP can be tunnelled)
(config-if)#l2protocol-tunnel [cdp | stp | vtp]

#show l2protocol-tunnel summary

*Take SPECIAL CARE about the MTU SIZE on Switches (might need to set to 1504 due to the ADDED 4 BYTES IN THE TUNNEL)
(config)#system mtu 1504

Make sure you know whether you need to define a TUNNEL PORT for QinQ!!! When is this necessary? When the ROUTER is TAGGING the traffic towards the switch (using an 802.1Q TRUNK), you have to establish the DOT1Q TUNNEL, along with the L2 tunnel. If you are using the NATIVE VLAN to do this, make sure that the TRUNK port is also tagging the NATIVE VLAN:
(config-if)#switchport mode dot1q-tunnel
(config)#vlan dot1q tag native <-TO TAG THE NATIVE VLAN ON THE 802.1q TRUNK WITH THE ROUTER
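An added example, not part of the original notes, showing at byte level what the tunnel port does: the ingress side pushes the 4-byte service tag (TPID 0x8100 + CoS/VLAN) after the MAC addresses, the egress side pops it, and each stacked tag adds exactly 4 bytes, which is the reason for the "system mtu 1504" note above. The customer frame (MAC addresses, customer VLAN 5, 1500-byte payload) and the tunnel VLAN 100 are constructed.

```python
# Added example (not from the original notes): 802.1Q / QinQ tag push and pop
# on a raw Ethernet frame. All frame contents below are constructed.
import struct

TPID_DOT1Q = 0x8100
MAC_HDR_LEN = 12          # destination + source MAC; the tag goes right after


def dot1q_tag(vlan: int, cos: int = 0) -> bytes:
    """2-byte TPID 0x8100 + 2-byte TCI (3 bits CoS, 1 bit DEI, 12 bits VLAN)."""
    if not 0 <= vlan <= 4095 or not 0 <= cos <= 7:
        raise ValueError("VLAN must be 0-4095 and CoS 0-7")
    return struct.pack("!HH", TPID_DOT1Q, (cos << 13) | vlan)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: int = None, cos: int = 0) -> bytes:
    tag = dot1q_tag(vlan, cos) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vlan: int, cos: int = 0) -> bytes:
    """Ingress tunnel port: insert the service (outer) tag after the MAC addresses."""
    return frame[:MAC_HDR_LEN] + dot1q_tag(vlan, cos) + frame[MAC_HDR_LEN:]


def pop_tag(frame: bytes):
    """Egress tunnel port: strip the outer tag; returns (outer vlan, customer frame)."""
    tpid, tci = struct.unpack("!HH", frame[MAC_HDR_LEN:MAC_HDR_LEN + 4])
    if tpid != TPID_DOT1Q:
        raise ValueError("outer header is not an 802.1Q tag")
    return tci & 0x0FFF, frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + 4:]


def vlan_stack(frame: bytes) -> list:
    """VLAN IDs of all stacked tags, outermost first ([] for an untagged frame)."""
    ids, off = [], MAC_HDR_LEN
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_DOT1Q:
        ids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return ids


# Constructed customer frame: customer VLAN 5, IPv4, 1500 bytes of payload.
CUSTOMER = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                       0x0800, b"\x00" * 1500, vlan=5)
# What leaves the tunnel port towards the provider core: outer tag for tunnel VLAN 100.
TUNNELED = push_tag(CUSTOMER, vlan=100)
```

`vlan_stack(TUNNELED)` returns `[100, 5]`: the provider only looks at the outer tag, the customer's own tag travels untouched inside.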

____________________________________________________________________________________________________________________

SPANNING TREE PROTOCOL (STP)


____________________________________________________________________________________________________________________
When setting the root, you can set the priority, or use the command "root primary" that sets the priority to:
If CURRENT ROOT PRIORITY > 24576 - sets the priority to 24576 (priority 24576 sys-id-ext 12)
If CURRENT ROOT PRIORITY =< 24576 - sets the priority to 4096
The "root secondary" command always sets the priority to 28762

GREAT COMMAND:
#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base
#show spanning-tree vlan 12

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588 <-ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12) <--- ABOUT THIS SWITCH (LOCAL Bridge)
             Address     ec44.768a.6d80 <-- ON THE ROOT, Bridge ID and Root ID have the same MAC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type <-ABOUT INTERFACES IN THIS VLAN
------------------- ---- --- --------- -------- -----
Gi3/0/19            Desg FWD 4         128.127  P2p <--- COST IS 4 BECAUSE THIS IS A GigabitEthernet Port (on FastEthernet it would be 19)
Gi3/0/20            Desg FWD 4         128.128  P2p

Great command to check the ROOT:


#show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0100         24676 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0200         24776 aabb.cc00.0700       100    2   20  15  Et2/2
VLAN0300         24876 aabb.cc00.0800       100    2   20  15  Et3/1
VLAN0400         24976 aabb.cc00.0900         0    2   20  15  <--- COST TO ROOT IS 0, SO I'm the ROOT!!!

BEST PRACTICE:
Change the COST on the interface level to change the PATH
Change the PORT PRIORITY to influence ONLY the NEIGHBORING SWITCH
!!!IMPORTANT:
WHEN GOING TOWARDS THE STP ROOT - USE COST
WHEN GOING AWAY FROM THE ROOT - USE PORT-PRIORITY

UPLINKFAST: FAST Convergence in case of DIRECT failure of the ROOT port (Natively included in RSTP)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UPLINKFAST Globally you SPEED UP the choice of NEW ROOT PORT when a link or switch fails or when the spanning tree reconfigures itself:
(config)#spanning-tree uplinkfast

*Transitions to FWD STATE without going through LISTENING or LEARNING STATE:


*Mar 1 08:46.476: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0044 GigabitEthernet1/0/15 moved to Forwarding (UplinkFast)

!!!UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices

BACKBONEFAST: Complementary feature to UPLINKFAST, detects indirect failures in the core of the backbone.
When a switch receives an inferior BPDU from the designated port of another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
(config)#spanning-tree backbonefast


____________________________________________________________________________________________________________________

MULTIPLE SPANNING TREE (MSTP)


____________________________________________________________________________________________________________________
Supports up to 4096 instances of Spanning Tree
(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration
Name      []
Revision  1     Instances configured 3
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-11,13-33,35-55,57-89,91-4094
1         12,34
2         56,90
-------------------------------------------------------------------------------

Check the ROOT:

#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 aabb.cc00.0600         0    2   20  15
MST1                 1 aabb.cc00.0600         0    2   20  15
MST2              4098 aabb.cc00.0600         0    2   20  15
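An added example, not part of the original notes, serving both the VTP pruning section and this MST section: a small Python parser and formatter for the VLAN-list syntax IOS uses ("1,6-8,12"), used first to compute which VLANs stay prune-eligible on a trunk after "switchport trunk pruning vlan remove 8" (VLAN 1 and extended VLANs are never pruned, only 2-1001 are eligible), and then to compute the VLANs that MST leaves in instance 0 after the "instance 1 vlan 12, 34" and "instance 2 vlan 56, 90" mappings above. The inputs are the values from the notes; the function names are the example's own.

```python
# Added example (not from the original notes): parse/format IOS VLAN lists and
# use them for the VTP pruning and MST instance-0 calculations in these notes.

def parse_vlan_list(text: str) -> set:
    """'1,6-8,12' -> {1, 6, 7, 8, 12}; spaces after commas (as typed in config) are tolerated."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """{1, 6, 7, 8, 12} -> '1,6-8,12', the way 'show' output prints ranges."""
    runs, run = [], []
    for v in sorted(vlans):
        if run and v == run[-1] + 1:
            run.append(v)
        else:
            if run:
                runs.append(run)
            run = [v]
    if run:
        runs.append(run)
    return ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)


# VLAN 1 and the extended range (1002+) are never pruned; 2-1001 are eligible.
PRUNE_ELIGIBLE = set(range(2, 1002))


def pruning_eligible(remove: str = "") -> set:
    """Prune-eligible VLANs left on a trunk after 'switchport trunk pruning vlan remove <list>'."""
    return PRUNE_ELIGIBLE - parse_vlan_list(remove)


def mst_instance0(mappings: dict) -> str:
    """mappings: {instance: 'vlan list'}; returns the VLANs left in instance 0 (the IST)
    as 'show spanning-tree mst configuration' prints them."""
    assigned = set()
    for vlist in mappings.values():
        assigned |= parse_vlan_list(vlist)
    return format_vlan_list(set(range(1, 4095)) - assigned)
```

`format_vlan_list(pruning_eligible("8"))` gives "2-7,9-1001", i.e. the explicit form of the "remove 8" command, and `mst_instance0({1: "12, 34", 2: "56, 90"})` reproduces the instance 0 line of the show output above.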

____________________________________________________________________________________________________________________

PORTFAST
____________________________________________________________________________________________________________________
Quick transition, BYPASS LISTENING & LEARNING:
(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.

PORTFAST reduces the overhead significantly, because TCN (Topology Change Notification) BPDUs will not be generated.
____________________________________________________________________________________________________________________

BPDU GUARD
____________________________________________________________________________________________________________________
This feature is used to prevent anything but a workstation from being connected to a port we are configuring with PortFast. It should be configured on the interfaces where a BPDU should NEVER be received. If a BPDU is received, the port goes into the "ERRDISABLE" state (the port is disabled):
(config-if-range)#spanning-tree bpduguard enable

There are two options to return to the normal state. One is to manually type shut and no shut. The other is to define an ERRDISABLE RECOVERY:
(config)#errdisable recovery cause bpduguard <-MANY CAUSES CAN BE DEFINED HERE, do "show errdisable recovery"
(config)#errdisable recovery interval 360


____________________________________________________________________________________________________________________

UDLD - Unidirectional Link Detection


____________________________________________________________________________________________________________________
UDLD is used to detect the SEND part of the cable being DOWN while the RECEIVE part is still active. This happens on Fiber Optic cables quite often. UDLD sends L2 pings between neighbors to check if the neighbor is responding. To enable Unidirectional Link Detection on an Interface:
(config-if)#udld port aggressive

THE GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!!
IT'S RECOMMENDED TO USE UDLD WITH LOOPGUARD!!! (For the port to enter the DISABLED state when BPDUs are no longer received.) Normally when a unidirectional link occurs, the other side stops receiving BPDUs and assumes that the STP ROOT is no longer available, so it declares itself as the NEW STP ROOT. Loopguard prevents this.
(config-if)#spanning-tree guard loop <-CONFIGURE ON UPLINK PORTS

If it's a TWISTED PAIR - use AGGRESSIVE mode!
To automatically recover from the err-disable state in x seconds (x=120 in this case):
(config)#errdisable recovery cause udld
(config)#errdisable recovery interval 120

To RESET all ports from the ERRDISABLE state:
#udld reset

#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig            Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Enabled <--- UDLD CAUSE IS ON FOR ERRDISABLE
vmps                         Disabled

Timer interval: 120 seconds


____________________________________________________________________________________________________________________

SOURCE GUARD and DHCP SNOOPING


____________________________________________________________________________________________________________________
!!!! SOURCE GUARD WILL NOT WORK IF DHCP SNOOPING IS NOT ENABLED!!!
(config)#ip dhcp snooping <--- DONT FORGET TO ENABLE IT FIRST!!!
(config)#ip dhcp snooping vlan 2

When configuring DHCP Snooping, make sure you set DHCP TRUST on all the UPLINK TRUNKS, or the DHCP responses will be IGNORED!!!
(config-if)#ip dhcp snooping trust

!!!DONT FORGET TO EITHER DISABLE THE INFORMATION OPTION (option 82), OR CONFIGURE THE DHCP SERVER TO REJECT TRANSIT DHCP MESSAGES, because DHCP SNOOPING can insert an EMPTY GIADDR FIELD!!!
(config)#ip dhcp relay information trust-all

First enable Source Guard directly on the interface; this WILL VERIFY THE IP ADDRESS ONLY!
(config-if)#ip verify source
(config-if)#ip verify source port-security <--- TO VERIFY MAC AND IP
(config-if)#switchport port-security <--- MUST ENABLE (permits L3 checks on a pure L2 interface)

Then add Dynamic or Static IP-to-MAC bindings. Static:
(config)#ip source binding 0000.2222.2222 vlan 2 10.1.1.2 interface e0/1

#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:22:22:22:22   10.1.1.2         infinite    static         2     Ethernet0/1
00:00:33:33:33:33   10.1.1.3         infinite    static         2     Ethernet0/2
00:00:11:11:11:11   10.1.1.1         infinite    static         2     Ethernet0/0
Total number of bindings: 3
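An added example, not part of the original notes: a Python model of the check IP Source Guard performs against the binding table. It parses the "show ip source binding" output above (re-typed here as a constructed string with the same three static bindings) and then applies the two verification modes to constructed frames: "ip verify source" compares only the source IP against the binding for that port and VLAN, while "ip verify source port-security" also requires the source MAC to match. The function names are the example's own.

```python
# Added example (not from the original notes): parse 'show ip source binding'
# and apply the IP Source Guard checks to constructed frames.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Binding:
    mac: str          # dotted-hex, the form used in 'ip source binding'
    ip: str
    lease: str
    kind: str         # static or dhcp-snooping
    vlan: int
    interface: str


# Constructed copy of the output shown in the notes above.
SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:22:22:22:22   10.1.1.2         infinite    static         2     Ethernet0/1
00:00:33:33:33:33   10.1.1.3         infinite    static         2     Ethernet0/2
00:00:11:11:11:11   10.1.1.1         infinite    static         2     Ethernet0/0
Total number of bindings: 3
"""


def normalize_mac(mac: str) -> str:
    """'00:00:22:22:22:22' -> '0000.2222.2222' (accepts colon, dash or dotted input)."""
    h = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(h) != 12 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def parse_bindings(text: str) -> List[Binding]:
    """Keep only the data rows: six fields, the first one a colon-separated MAC."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and ":" in f[0]:
            out.append(Binding(normalize_mac(f[0]), f[1], f[2], f[3], int(f[4]), f[5]))
    return out


def source_guard_permits(bindings: List[Binding], interface: str, vlan: int,
                         src_ip: str, src_mac: str, port_security: bool = False) -> bool:
    """True if a frame received on (interface, vlan) matches a binding. Without
    port_security only the source IP is checked ('ip verify source'); with it the
    source MAC must match too ('ip verify source port-security'). No match = drop."""
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            if not port_security or b.mac == normalize_mac(src_mac):
                return True
    return False
```

The interesting case is the third assertion in the test: a host on Ethernet0/1 that spoofs its neighbour's MAC but keeps its own IP passes the IP-only check and is only caught when port-security verification is on.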

____________________________________________________________________________________________________________________

ETHERCHANNEL
____________________________________________________________________________________________________________________

PAgP (Port Aggregation Protocol) - Cisco Prop. - DESIRABLE or AUTO or NONEGOTIATE
*NONEGOTIATE in case the link is configured as ACCESS, or with the "switchport nonegotiate" command
- Protocol Value: 0x0104
- Same multicast group MAC as CDP

LACP (Link Aggregation Control Protocol) - 802.3ad - ACTIVE or PASSIVE
- Multicast MAC: 01-80-C2-00-00-02
- During Detection transmits packets every second

TIP: To make SW1's Priority higher, to allow it to control the BUNDLE CREATION:
(config)#lacp system-priority 1

Check the DEFAULT PARAMETERS:
SW2#show lacp 1 internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi3/0/19  SA      bndl      32768         0x1       0x1     0x7F        0x3D
Gi3/0/20  SA      bndl      32768         0x1       0x1     0x80        0x3D

"ON" - Doesn't use LACP or PAgP. BOTH sides MUST BE ON!!!
#do show etherch protocol
                Channel-group listing:
                ----------------------
Group: 13
----------
Protocol:  -  (Mode ON)

You can configure a MAX of 16 PORTS, out of which a MAXIMUM of 8 are ACTIVE PORTS and the others are HOT STANDBY (activated if one of the first 8 fails). Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured:
(config-if)#lacp port-priority 1 <--- LOWER IS BETTER!!! (default is 32768)

L3 ETHERCHANNEL: Configure the Port-Channel interface statically, and all L3 configuration under it
Summary:
32     Po32(RU)               Gi1/0/23(P)  Gi1/0/24(P)

L2 ETHERCHANNEL: THE LOGICAL INTERFACE IS CREATED AUTOMATICALLY. Best Practice (CONFIGURATION):
- Default Interface
- Channel Protocol and Group on the physical interface (this creates the Port Channel)
- Configure TRUNKING ENCAPSULATION under the PORT CHANNEL directly
- SHUT -> NO SHUT on the PHYSICAL INTERFACES
Summary:
24     Po24(SU)        PAgP   Gi1/0/21(P)  Gi1/0/22(P)

* "show interface trunk" will show only the Port Channel, but "show interface XX switchport" will show that the physical INTERFACE IS A TRUNK

LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode):
(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination MAC address

Spanning Tree treats the Etherchannel Link as a SINGLE LINK, by sending the BPDUs only over one of the physical links.
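An added example, not part of the original notes: a Python model of the EtherChannel load-balancing hash. The Catalyst hash reduces the chosen addresses to a 3-bit value (8 buckets) and assigns each bucket to one member link, which is why 2, 4 or 8 links spread flows evenly while 3 links get a 3:3:2 split, and why "dst-mac" polarizes every flow to one server onto a single link. The bit selection (low 3 bits, XOR for the src-dst methods) and the bucket-to-link order are assumptions of this model rather than Cisco's exact implementation; the flows are constructed.

```python
# Added example (not from the original notes): model of the EtherChannel
# load-balance hash. Bit selection and bucket order are assumptions of the model.

LB_METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def _mac_bits(mac: str) -> int:
    """Low 3 bits of a dotted-hex MAC (model assumption)."""
    return int(mac.replace(".", "").replace(":", ""), 16) & 0x7


def _ip_bits(ip: str) -> int:
    """Low 3 bits of the last octet of a dotted-quad IPv4 address (model assumption)."""
    return int(ip.split(".")[-1]) & 0x7


def hash_bucket(method: str, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> int:
    """Bucket 0-7 for one flow under a 'port-channel load-balance' method."""
    if method == "src-mac":
        return _mac_bits(src_mac)
    if method == "dst-mac":
        return _mac_bits(dst_mac)
    if method == "src-dst-mac":
        return _mac_bits(src_mac) ^ _mac_bits(dst_mac)
    if method == "src-ip":
        return _ip_bits(src_ip)
    if method == "dst-ip":
        return _ip_bits(dst_ip)
    if method == "src-dst-ip":
        return _ip_bits(src_ip) ^ _ip_bits(dst_ip)
    raise ValueError(f"unknown load-balance method {method!r}, expected one of {LB_METHODS}")


def bucket_to_link(n_links: int) -> list:
    """Round-robin assignment of the 8 hash buckets to the active member links."""
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel has 1 to 8 active links")
    return [bucket % n_links for bucket in range(8)]


def select_link(method: str, n_links: int, src_mac, dst_mac, src_ip, dst_ip) -> int:
    """Member link index (0-based) a flow is pinned to."""
    return bucket_to_link(n_links)[hash_bucket(method, src_mac, dst_mac, src_ip, dst_ip)]


def link_distribution(method: str, n_links: int, flows) -> list:
    """How many of the given (src_mac, dst_mac, src_ip, dst_ip) flows land on each link."""
    counts = [0] * n_links
    for flow in flows:
        counts[select_link(method, n_links, *flow)] += 1
    return counts


# Constructed flows: eight clients with different MAC/IP all talking to one server.
FLOWS = [(f"0000.1111.{i:04x}", "0000.aaaa.bbbb", f"10.1.1.{i}", "10.1.1.100")
         for i in range(1, 9)]
```

Compare `link_distribution("dst-mac", 2, FLOWS)` with `link_distribution("src-ip", 2, FLOWS)`: with the default dst-mac method every client-to-server flow shares one link, which is the usual reason to change the method in a server-facing channel.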


____________________________________________________________________________________________________________________

DAI (Dynamic ARP Inspection)


____________________________________________________________________________________________________________________
(config)#ip arp inspection vlan 2 <--- Inspect ARP within VLAN 2

You can create an ARP Access List that maps IP to MAC, and apply it to DAI:
(config)#arp access-list ARP_ACL_20
(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333

And now APPLY:
(config)#ip arp inspection filter ARP_ACL_20 vlan 2

#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    2     Enabled          Active      ARP_ACL_20         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    2     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    2              0              0              0              0

The switch CPU performs the dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)

#show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi3/0/1          Untrusted                5                 1 <--- THE CHANGED ONE
 Gi3/0/2          Untrusted               15                 1 <--- 15 pps IS THE DEFAULT VALUE

To monitor the DROPPED packets due to DAI:
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOGS 0 - NO SYSTEM MESSAGE GENERATED

Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.
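An added example, not part of the original notes: a Python model of the two DAI decisions configured in this section. `validate_arp()` checks the sender IP/MAC pair of an ARP packet against the ARP ACL first and, when no ACE matches, falls back to the DHCP snooping bindings (the behaviour when the filter is applied without the "static" keyword; with "static" the ACL is authoritative and non-matching packets are dropped). `ArpRateLimiter` models "ip arp inspection limit rate N burst interval S" on an untrusted port: more than N*S packets inside any S-second window puts the port into err-disable. The ACL entries mirror ARP_ACL_20 above; the DHCP binding, the timings and the class/function names are constructed.

```python
# Added example (not from the original notes): DAI validation against an ARP ACL
# with DHCP-snooping fallback, plus the per-interface ARP rate limit.
from collections import defaultdict, deque

# (action, sender IP, sender MAC); "any" is a wildcard. Mirrors ARP_ACL_20 above.
ARP_ACL_20 = [("permit", "20.1.1.2", "0000.1111.1111"),
              ("permit", "20.1.1.3", "0000.3333.3333")]

# Constructed DHCP snooping bindings: (vlan, ip) -> mac
DHCP_BINDINGS = {(2, "20.1.1.50"): "0000.5555.5555"}


def validate_arp(vlan: int, sender_ip: str, sender_mac: str, acl=ARP_ACL_20,
                 bindings=DHCP_BINDINGS, static: bool = False) -> str:
    """'permit' or 'deny' for an ARP packet received on an untrusted port.
    ACL first (explicit permit/deny), then DHCP bindings unless 'static' is set."""
    for action, ip, mac in acl:
        if ip in ("any", sender_ip) and mac in ("any", sender_mac):
            return action
    if static:                      # 'ip arp inspection filter ... static': no fallback
        return "deny"
    return "permit" if bindings.get((vlan, sender_ip)) == sender_mac else "deny"


class ArpRateLimiter:
    """Per-interface 'ip arp inspection limit rate <pps> burst interval <seconds>'.
    More than pps*interval packets within any interval-long window err-disables
    the port, which then drops everything until it is recovered."""

    def __init__(self, rate_pps: int = 15, burst_interval: int = 1):
        self.max_packets = rate_pps * burst_interval
        self.window = burst_interval
        self.seen = defaultdict(deque)   # interface -> arrival timestamps in window
        self.errdisabled = set()

    def accept(self, interface: str, t: float) -> bool:
        """Record an ARP packet arriving at time t (seconds); True if it may be inspected."""
        if interface in self.errdisabled:
            return False
        q = self.seen[interface]
        q.append(t)
        while q and q[0] <= t - self.window:
            q.popleft()
        if len(q) > self.max_packets:
            self.errdisabled.add(interface)
            return False
        return True
```

With the interface set to "limit rate 5" as in the notes, the sixth ARP packet inside one second err-disables the port; "errdisable recovery cause arp-inspection" (listed in the "show errdisable recovery" output earlier) is what brings it back automatically.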


____________________________________________________________________________________________________________________

SNMP
____________________________________________________________________________________________________________________ Send the SNMP traps, Community "Public" to the NMS Server:
(config)#snmp-server host 192.168.1.1 traps [Public | Private]

If you need to define the VERSION and the COMMUNITY STRING:


(config)#snmp-server host 192.168.1.100 traps version 2c cisco

To define RO and RW COMMUNITY:


(config)#snmp-server community TST-RO ro <--- READ ONLY COMMUNITY STRING (config)#snmp-server community TST-RW rw <--- RE-WRITE COMMUNITY STRING

Specify the TRAPS TYPE:


(config)#snmp-server enable traps [mac-notification | bgp | pim | ...] <-FIRST ENABLE TRAPS OF A TYPE (config)#snmp-server host 192.168.1.100 traps version 2c cisco [mac-notification | bgp | pim] <-SEND TRAPS

When the traps contain MAC Address Add/Remove notifications, have in mind the QUANTITY, so control it with:
(config)#mac address-table notification change history-size 150 <--- LIMIT THE TABLE CAPACITY TO 150 (config)#mac address-table notification change interval 1800 <--- SEND TRAP EVERY 30 MINUTES (1800 seconds)

DO NOT FORGET to ENABLE the CAM notifications in Global Configure mode:


(config)#mac address-table notification change

And to make sure:


#show mac address-table notification change interface Gi3/0/1
MAC Notification Feature is Enabled on the switch
Interface              MAC Added Trap   MAC Removed Trap
---------------------  ---------------  ----------------
GigabitEthernet3/0/1   Enabled          Enabled

#show mac address-table notification change
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1800 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 150
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents
----------------------

And apply to the interface to GENERATE A TRAP when something happens:


(config-if)#snmp trap mac-notification change added

If you need to configure some deeper changes, or set timers, they are done within each particular COMMAND/TRAP, so;
(config)#mac address-table notification [more options like INTERVAL...]


____________________________________________________________________________________________________________________

MONITORING
____________________________________________________________________________________________________________________

RSPAN - Dont forget to CREATE the VLAN specially for the RSPAN
(config)#vlan 22
(config-vlan)#remote-span

____________________________________________________________________________________________________________________

LOGGING
____________________________________________________________________________________________________________________
Send the messages to a remote syslog server (UDP/514 by default, so the log stream itself is neither authenticated nor encrypted in transit):
(config)#logging x.y.z.w

Or Localy in a FILE:
(config)#logging file flash:syslog 7   <--- 7 is DEBUGGING, so LOG EVERYTHING (0-7)
  emergencies     System is unusable                  (severity=0)
  alerts          Immediate action needed             (severity=1)
  critical        Critical conditions                 (severity=2)
  errors          Error conditions                    (severity=3)
  warnings        Warning conditions                  (severity=4)
  notifications   Normal but significant conditions   (severity=5)
  informational   Informational messages              (severity=6)
  debugging       Debugging messages                  (severity=7)

Set SEVERITY level:


(config)#logging trap 4   <--- SEND WARNINGS (4) AND EVERYTHING MORE SEVERE (0-3: emergencies, alerts, critical, errors) TO THE SYSLOG SERVER; levels 5-7 are NOT sent

Add SEQUENCE numbers:


(config)#service sequence-numbers <--- "SERVICE" command IS FOR SYSTEM GENERAL SETTINGS

Add/Remove TIMESTAMPS
(config)#no service timestamps debug
(config)#no service timestamps log
(Leave the timestamps ON in anything but a lab: a log line without a time is useless when you have to reconstruct an incident.)

Set the syslog FACILITY code carried in the messages sent to the remote server (the server uses it to sort messages into files; the IOS default is local7):


(config)#logging facility local4

Specific (more GRANULAR) logging settings can be configured on the INTERFACE LEVEL:
(config-if)#logging event ?
  bundle-status         BUNDLE/UNBUNDLE messages
  link-status           UPDOWN and CHANGE messages
  nfas-status           NFAS D-channel status messages
  power-inline-status   Inline power messages
  spanning-tree         Spanning-tree Interface events
  status                Spanning-tree state change messages
  subif-link-status     Sub-interface UPDOWN and CHANGE messages
  trunk-status          TRUNK status messages
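Once the messages reach a collector, the first thing you need is a parser that understands the IOS format and the severity filter you just configured. The following is an added example (not part of the original notes): it parses the `%FACILITY-SEVERITY-MNEMONIC:` lines, including the optional sequence-number and timestamp prefixes that `service sequence-numbers` / `service timestamps` add, and applies a `logging trap N` style filter. The sample log is constructed for the demo; the first line is the clock-update message quoted later in these notes, the others are made up to look like a DAI rate-limit violation and its follow-up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IOS severity scale, same numbers as in the "logging file" help text above
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Optional "service sequence-numbers" prefix, optional "service timestamps"
# prefix (a leading '*' marks a clock that is not authoritative, i.e. no NTP),
# then the %FACILITY-SEVERITY-MNEMONIC: text body.
_LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"(?:\s+[A-Z]{3,4})?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class IosLogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[IosLogMessage]:
    """Return the parsed message, or None for lines that are not IOS syslog."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return IosLogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def passes_trap_level(msg: IosLogMessage, trap_level: int) -> bool:
    """'logging trap N' forwards severity N and everything MORE severe (0..N)."""
    return msg.severity <= trap_level


def forwarded_messages(raw: str, trap_level: int):
    """Messages a device with 'logging trap <trap_level>' would send to the server."""
    return [
        msg for msg in (parse_line(line) for line in raw.splitlines())
        if msg is not None and passes_trap_level(msg, trap_level)
    ]


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
000123: *Nov 15 15:50:31.123 UTC: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013, configured from console by console.
000124: Nov 15 16:51:02.001 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/0/1, vlan 10.([0011.2233.4455/10.0.10.5/0000.0000.0000/10.0.10.1/16:51:02 UTC Fri Nov 15 2013])
000125: Nov 15 16:51:09.447 UTC: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/1, putting Gi3/0/1 in err-disable state
000126: Nov 15 16:52:00.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/1, changed state to down
000127: Nov 15 16:55:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by console
this line is not an IOS syslog message
"""

if __name__ == "__main__":
    for level in (4, 7):
        kept = forwarded_messages(SAMPLE_LOG, level)
        print(f"logging trap {level}: {len(kept)} message(s) forwarded")
        for m in kept:
            print(f"  {m.facility}-{m.severity}-{m.mnemonic} ({SEVERITY_NAMES[m.severity]})")
```

With `logging trap 4` only the two severity-4 lines (the DAI deny and the err-disable) would reach the collector; the interface going down (severity 5) and the config change (severity 5) would not, which is exactly the kind of thing to weigh before lowering the trap level on a switch whose logs you rely on for incident response.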


____________________________________________________________________________________________________________________

STORM CONTROL
____________________________________________________________________________________________________________________
Limits one type of traffic (BROADCAST, MULTICAST or UNICAST) to a share of the interface bandwidth; above the threshold the excess is dropped unless another action is configured. To limit Broadcast to 50%:
(config-if)#storm-control broadcast level 50.00   <- LIMIT THIS TYPE OF TRAFFIC (also valid for MULTICAST or UNICAST)
(config-if)#storm-control action [shutdown | trap]   <- DEFINE THE ACTION: shutdown err-disables the port, trap sends an SNMP trap; with no action line the excess is only filtered

OR LIMIT the number of packets per second:


(config-if)#storm-control unicast level pps 250

#sh storm-control unicast
Interface   Filter State   Upper     Lower     Current
---------   ------------   -------   -------   -------
Fa1/0/1     Forwarding     250 pps   250 pps   1 pps

____________________________________________________________________________________________________________________

HTTP Server (HTTP access) on a Switch


____________________________________________________________________________________________________________________
This is a simple feature, and one that is not recommended in a production environment: it is plain HTTP, so the login credentials and everything served from the box cross the wire in cleartext, and it adds one more login surface on the management plane.
(config)#ip http server
(config)#ip http path flash:   <-- define the PATH where the files are

#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable   <-- the ENABLE password is all that protects it
HTTP server access class: 0                 <-- 0 = NO access-class, anyone who can reach the box can try
HTTP server base path: flash:

____________________________________________________________________________________________________________________

Router on a STICK and IP BRIDGING


____________________________________________________________________________________________________________________
Integrated Routing and Bridging (IRB) lets a router route a given protocol between routed interfaces and bridge groups, or between bridge groups. Normally a given protocol on a router is either ROUTED or BRIDGED, never both; IRB removes that restriction. So the first step is to set the bridging mode to IRB:
(config)#bridge irb

*A BRIDGE GROUP is a VIRTUAL BRIDGE inside the Router, with its own MAC address table. To put a VLAN sub-interface into a bridge group:
(config)#interface FastEthernet0/0.16
(config-subif)#encapsulation dot1Q 16   <- FOR VLAN 16
(config-subif)#bridge-group 1

You need to define the BRIDGING PROTOCOL (the spanning-tree flavour) for the group, and tell it to ROUTE the IP traffic:
(config)#bridge 1 protocol ieee
(config)#bridge 1 route ip

If, for example, VLAN 16 ends on the other side in a SVI, and you want it to be PING-able from the local router.


IP Services


____________________________________________________________________________________________________________________

IP Services Tips and Tricks


____________________________________________________________________________________________________________________

IMPORTANT:
HSRP: UDP/1985 to Multicast Address 224.0.0.2 (all routers). VRRP: directly over IP, Protocol 112, to 224.0.0.18. HSRPv2: also UDP/1985, but to Multicast Address 224.0.0.102, which solves the conflict between HSRP hellos and the CGMP Leave messages on 224.0.0.2.

TIP: When a CLIENT sends an ARP request for an IP which is outside its own segment, the router answers with its own MAC address. This is called
Proxy ARP; it is ON by default on IOS interfaces, and it can be disabled (worth doing unless something depends on it, since it lets the router answer ARP for anything it has a route to):
(config-if)#no ip proxy-arp

____________________________________________________________________________________________________________________

HSRP - Hot Standby Router Protocol


____________________________________________________________________________________________________________________
HSRP is a Cisco proprietary protocol. There are 3 types of HSRP messages: HELLO, COUP (sent by a router with a higher priority than the current ACTIVE router, when it has preempt configured, to announce that it is taking the ACTIVE role) and RESIGN (sent by the ACTIVE router when it gives the role up). Configuration is quite straight-forward, but there are many ways to tune it in accordance with your needs:
interface FastEthernet0/0
 ip address 172.25.25.2 255.255.255.0
 standby 1 ip 172.25.25.22        <- Group 1 VIRTUAL IP Address
 standby 1 timers 5 15            <- Hello/Hold; can also be done in milliseconds using "standby 1 timers msec 250 800"
 standby 1 priority 150           <- Default is 100
 standby 1 preempt                <- TAKE BACK THE ACTIVE ROLE when this router has the higher priority
 standby 1 authentication Cisco   <- cleartext authentication: the string is visible in every hello, so it only stops accidents, not an attacker on the segment
 standby 1 name R2-Act            <- Name of the HSRP Group 1
 standby 2 ip 172.25.25.55
 standby 2 timers 5 15
 standby 2 authentication Cisco
 standby 2 name R5-Act            <- Name of the HSRP Group 2

"07-ac" is the SIGNATURE part of the HSRP (v1) Virtual MAC Address: 0000.0c07.acXX, where XX is the group number in hex (group 1 below). Anything answering ARP with a MAC from that range on your segment is claiming to be the gateway:


#sh standby | i 07
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

To check the current configuration, including the HSRP Status and whether the preempt option is configured:
#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State     Active          Standby        Virtual IP
Fa0/0       1    100    Standby   172.25.25.2     local          172.25.25.22
Fa0/0       2    200  P Active    local           172.25.25.2    172.25.25.55

If you need to TRACK an interface, be sure to define for how much you want to decrease the HSRP priority in order to fail over to the HSRP Peer, and be sure that the active neighbor has Preempt configured:
(config-if)#standby 1 track serial 0/1/0.21 60


____________________________________________________________________________________________________________________

VRRP - Virtual Router Redundancy Protocol


____________________________________________________________________________________________________________________
The VRRP configuration is similar to HSRP, with a few slight differences. For example, there are no ACTIVE and STANDBY but MASTER and BACKUP routers, as shown below:


#show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State    Master addr     Group addr
Fa0/0       1    200  3218       Y    Master   172.25.12.1     172.25.12.22
Fa0/0       2    100  3609       Y    Backup   172.25.12.2     172.25.12.11

TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup, and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10   <- on the MASTER of group 1
(config-if)#vrrp 2 timers learn          <- on the BACKUP of group 2
*Router is Master for VRRP Group 1 and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD" (the password travels in cleartext in every advertisement, so it prevents misconfiguration, not hijacking). The debug on the VRRP peer looks like this while authentication is configured on only ONE of the two routers (authentication type 1 = simple text, 0 = none):
#debug vrrp
*13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
#u all
All possible debugging has been turned off

The configuration on the interface will look similar to the HSRP:


interface FastEthernet0/0
 ip address 172.25.12.2 255.255.255.0
 vrrp 1 description MAT1
 vrrp 1 ip 172.25.12.22
 vrrp 1 timers learn
 vrrp 1 authentication cisco
 vrrp 2 description MAT2
 vrrp 2 ip 172.25.12.11
 vrrp 2 timers advertise 10
 vrrp 2 priority 200
end

!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default (the "Pre Y" column above), HSRP does not! VRRP also advertises every 1 second by default, while the HSRP hello default is 3 seconds.


____________________________________________________________________________________________________________________

GLBP - Gateway Load Balancing Protocol


____________________________________________________________________________________________________________________
GLBP is different from HSRP and VRRP, as in: it is more complex and gives more possibilities, such as load balancing. It has 1 VIRTUAL IP and SEVERAL virtual MACs; the AVG (defined below) decides which virtual MAC to hand out in each ARP reply, so different clients end up using different routers for the same gateway IP. A group can have UP TO 4 FORWARDERS (AVFs)!!! GLBP Group Members communicate using HELLOs to 224.0.0.102, UDP/3222; by default the Hello Timer = 3 sec. Basically there are 2 roles:

AVG (Active Virtual Gateway): the MASTER router, elected by priority. It answers ARP for the virtual IP and assigns the Virtual MAC Addresses to the other routers, so it has to know ALL the
MACs of the AVFs. The AVG is normally an AVF too, and the runner-up is the Standby AVG, which takes over the AVG function if the AVG dies.

AVFs (Active Virtual Forwarders): every router that owns one of the virtual MACs and forwards the traffic sent to it.
#sh glbp br
Interface   Grp   Fwd   Pri   State     Address          Active router   Standby router
Fa0/0       1     -     100   Standby   10.1.1.100       10.1.1.2        local
Fa0/0       1     1     7     Active    0007.b400.0101   local           -
Fa0/0       1     2     7     Listen    0007.b400.0102   10.1.1.2        -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing method:
(config-if)#glbp 1 load-balancing ?
  host-dependent   Load balance equally, source MAC determines forwarder choice
  round-robin      Load balance equally using each forwarder in turn
  weighted         Load balance in proportion to forwarder weighting (GLBP places a WEIGHT on each router)
  <cr>

As an additional GLBP feature there are the REDIRECT timers: for how long the AVG keeps handing out the Virtual MAC of an AVF that has failed (another router answers for that MAC meanwhile), and after which time-out that Virtual MAC is retired altogether.
(config-if)#glbp 1 timers ?
  <1-60>     Hello interval in seconds
  msec       Specify hello interval in milliseconds
  redirect   Specify time-out values for failed forwarders

Tracking is also a bit different on GLBP, as in: it is configured in Global Configuration mode with a Track Object, which is then applied to the group WEIGHTING. The advantage is that you can track 2 interfaces at once!!!
(config)#track 1 interface fa0/0 ?
  ip              IP parameters                   <- TO TRACK IP ROUTING
  line-protocol   Track interface line-protocol   <- TRACK IF THE INTERFACE IS DOWN
(config)#track 1 interface fa0/0 line-protocol
(config)#track 2 interface s0/1/0 line-protocol
#show track
Track 1
  Interface FastEthernet0/1 line-protocol
  Line protocol is Up
    1 change, last change 00:02:39
Track 2
  Interface Serial0/1/0 line-protocol
  Line protocol is Up
    1 change, last change 00:02:10

Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured, one command per object (if any of the tracked interfaces goes DOWN the WEIGHT is decremented by 10 by default; the decrement and the weighting thresholds can be tuned):
(config-if)#glbp 1 weighting track 1
(config-if)#glbp 1 weighting track 2

<- MEMORIZE as it's a bit NON-INTUITIVE: the track object hangs off the WEIGHTING, not off the group itself
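The virtual MACs quoted in the HSRP, VRRP and GLBP sections above are fixed, well-known patterns, which cuts both ways: an operator can spot them in any ARP table, and so can an attacker picking a target segment. The following is an added example, not code from the original notes. It encodes the HSRPv1 (0000.0c07.acXX) and GLBP (0007.b4GG.GGFF, group in two bytes, forwarder in one) formats shown above, adds the HSRPv2 and VRRP ones, and audits a `show ip arp` style dump against an expected gateway design. The ARP rows are constructed for the demo; the 10.1.1.50 entry carries a GLBP virtual MAC for a group nobody planned.

```python
import re
from typing import Optional

# Transport each protocol uses (handy for ACLs and capture filters)
FHRP_TRANSPORT = {
    "HSRPv1": "UDP/1985 to 224.0.0.2",
    "HSRPv2": "UDP/1985 to 224.0.0.102",
    "VRRP": "IP protocol 112 to 224.0.0.18",
    "GLBP": "UDP/3222 to 224.0.0.102",
}


def _hexdigits(mac: str) -> str:
    """Accept 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return h


def cisco_format(h: str) -> str:
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def virtual_mac(protocol: str, group: int, forwarder: Optional[int] = None) -> str:
    """Virtual MAC a router answers ARP with for the given protocol/group."""
    if protocol == "HSRPv1" and 0 <= group <= 255:
        return cisco_format(f"00000c07ac{group:02x}")
    if protocol == "HSRPv2" and 0 <= group <= 4095:
        return cisco_format(f"00000c9ff{group:03x}")
    if protocol == "VRRP" and 1 <= group <= 255:          # VRID 1-255
        return cisco_format(f"00005e0001{group:02x}")
    if protocol == "GLBP" and 0 <= group <= 1023 and forwarder in (1, 2, 3, 4):
        return cisco_format(f"0007b4{group:04x}{forwarder:02x}")
    raise ValueError(f"invalid {protocol} group/forwarder: {group}/{forwarder}")


def classify(mac: str) -> Optional[dict]:
    """Decode an FHRP virtual MAC; None for an ordinary (physical) MAC."""
    h = _hexdigits(mac)
    if h.startswith("00000c07ac"):
        return {"protocol": "HSRPv1", "group": int(h[10:], 16)}
    if h.startswith("00000c9ff"):
        return {"protocol": "HSRPv2", "group": int(h[9:], 16)}
    if h.startswith("00005e0001"):
        return {"protocol": "VRRP", "group": int(h[10:], 16)}
    if h.startswith("0007b4"):
        return {"protocol": "GLBP", "group": int(h[6:10], 16), "forwarder": int(h[10:], 16)}
    return None


# "show ip arp" rows: Protocol Address Age Hardware-Addr Type Interface
_ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>[0-9.]+)\s+\S+\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.IGNORECASE,
)

# Constructed ARP table (not captured from a real device).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.25.22            0   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  172.25.25.2             5   0013.c4a1.0001  ARPA   FastEthernet0/0
Internet  172.25.12.22            1   0000.5e00.0101  ARPA   FastEthernet0/1
Internet  10.1.1.100              2   0007.b400.0101  ARPA   Vlan10
Internet  10.1.1.50               3   0007.b400.0201  ARPA   Vlan10
"""


def audit_arp(arp_text: str, expected: dict) -> list:
    """Flag every FHRP virtual MAC in an ARP dump against the design.

    expected maps gateway IP -> (protocol, group). Any host on the segment can
    answer ARP for a virtual MAC, so an entry that is not in the design, or that
    carries the wrong group, is where a rogue gateway shows up first.
    """
    findings = []
    for line in arp_text.splitlines():
        m = _ARP_RE.match(line)
        info = classify(m["mac"]) if m else None
        if info is None:
            continue
        want = expected.get(m["ip"])
        verdict = ("UNEXPECTED" if want is None
                   else "OK" if (info["protocol"], info["group"]) == want
                   else "MISMATCH")
        findings.append((m["ip"], m["mac"], info["protocol"], info["group"], verdict))
    return findings


if __name__ == "__main__":
    design = {"172.25.25.22": ("HSRPv1", 1), "172.25.12.22": ("VRRP", 1), "10.1.1.100": ("GLBP", 1)}
    for ip, mac, proto, grp, verdict in audit_arp(SAMPLE_ARP, design):
        print(f"{ip:15} {mac}  {proto:6} group {grp:<4} {verdict:10} [{FHRP_TRANSPORT[proto]}]")
```

Run against the constructed table, the three designed gateways come back OK and 10.1.1.50 is reported as UNEXPECTED; on a real network that is the entry to chase (a lab router left running, or someone's GLBP experiment answering ARP on a production VLAN).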


____________________________________________________________________________________________________________________

IRDP - ICMP Router Discovery Protocol


____________________________________________________________________________________________________________________
IRDP lets a host (or a router acting as a host) automatically discover the IP of its potential Default Gateway. It uses ICMP Router Advertisement and Router Solicitation messages. Potential GW routers periodically announce the IP address of their IRDP-configured interface to a broadcast (or multicast) destination; an IRDP Preference value is advertised with these messages along with the IP address, and the host picks the gateway with the highest preference. Nothing in this exchange is authenticated.
Step 1: The configuration is pretty straight-forward. First you MUST turn routing off on the router that is supposed to discover its own GW:
(config)#no ip routing

Step 2: Gateway discovery needs to be enabled on that router:


(config)#ip gdp ?
  eigrp   Discover routers transmitting EIGRP router updates
  irdp    Discover routers transmitting IRDP router updates   <- THIS ONE is the one we want here
  rip     Discover routers transmitting RIP router updates

Step 3: Here is what needs to be defined on the interface of each ADVERTISING router:


(config-if)#ip irdp                       <- ENABLE IRDP ON THE INTERFACE
(config-if)#ip irdp maxadvertinterval 5   <- DEFINE THE ADVERTISING TIMERS
(config-if)#ip irdp minadvertinterval 3
(config-if)#ip irdp holdtime 15
(config-if)#ip irdp preference 600        <- DEFINE THE ROUTER PREFERENCE (higher wins)

Step 4: TEST by pinging an IP behind the rout 아니라 that are supposedly advertising the GW. The PING will work ONLY if Proxy-ARP is enabled on the IP interface:
#sh ip inter fa0/0 | i ARP
  Proxy ARP is enabled          <- THIS ONE MATTERS
  Local Proxy ARP is disabled
#show ip route
Gateway         Using   Interval   Priority   Interface
10.187.117.2    IRDP    4          600        FastEthernet0/0
10.187.117.1    IRDP    4          200        FastEthernet0/0

When you do a DEBUG of ICMP, you see that IRDP is using ICMP Type 9 Code 0 (Router Advertisement) messages to advertise the GW:
#debug ip icmp
ICMP packet debugging is on
*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
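The debug only shows the type and code; the interesting part of an IRDP advertisement is the payload, because the preference field is what decides which router the host uses, and nothing authenticates it. The following is an added example, not part of the original notes: it builds and parses ICMP Router Advertisements (type 9, code 0) following the RFC 1256 layout and runs the host-side gateway selection over several of them. The addresses and preferences come from the show output above, the lifetime of 15 is the holdtime configured in Step 3, and the packets are constructed in memory only; nothing is put on the wire.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERT = 9          # type 9, code 0, as seen in the debug above
NOT_ELIGIBLE = -0x80000000      # RFC 1256: preference 0x80000000 = never use as default


def icmp_checksum(data: bytes) -> int:
    """Standard one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advert(entries, lifetime: int) -> bytes:
    """entries: [(router_ip, preference), ...]; lifetime is what IOS calls holdtime."""
    if not entries:
        raise ValueError("at least one router address is required")
    body = b"".join(
        struct.pack("!Ii", int(ipaddress.IPv4Address(ip)), pref) for ip, pref in entries
    )
    # Type, Code, Checksum, Num Addrs, Addr Entry Size (2 words), Lifetime
    hdr = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0, len(entries), 2, lifetime)
    csum = icmp_checksum(hdr + body)
    return struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, csum, len(entries), 2, lifetime) + body


def parse_router_advert(pkt: bytes) -> dict:
    """Validate and decode one advertisement; raises ValueError on anything malformed."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, num, size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a router advertisement: type {typ} code {code}")
    if size != 2:
        raise ValueError(f"unsupported address entry size {size}")
    if len(pkt) < 8 + num * 8:
        raise ValueError("advertisement shorter than its Num Addrs field claims")
    if icmp_checksum(pkt[:8 + num * 8]) != 0:
        raise ValueError("bad ICMP checksum")
    entries = []
    for i in range(num):
        addr, pref = struct.unpack("!Ii", pkt[8 + i * 8:16 + i * 8])
        entries.append((str(ipaddress.IPv4Address(addr)), pref))
    return {"lifetime": lifetime, "entries": entries}


def choose_default_gateway(adverts):
    """Host-side selection: highest eligible preference wins, first seen on a tie.
    Nothing here is authenticated, so a forged advertisement carrying a higher
    preference than the real routers wins just the same."""
    best = None
    for pkt in adverts:
        for ip, pref in parse_router_advert(pkt)["entries"]:
            if pref == NOT_ELIGIBLE:
                continue
            if best is None or pref > best[1]:
                best = (ip, pref)
    return best


# Constructed from the addresses/preferences in the show output above; holdtime 15
# is the value configured in Step 3. Built in memory only, nothing is sent.
ADVERT_R2 = build_router_advert([("10.187.117.2", 600)], lifetime=15)
ADVERT_R1 = build_router_advert([("10.187.117.1", 200)], lifetime=15)
ADVERT_NOT_ELIGIBLE = build_router_advert([("10.187.117.250", NOT_ELIGIBLE)], lifetime=15)

if __name__ == "__main__":
    print(parse_router_advert(ADVERT_R2))
    print("default gateway:", choose_default_gateway([ADVERT_R1, ADVERT_R2, ADVERT_NOT_ELIGIBLE]))
```

With the two legitimate advertisements the host picks 10.187.117.2 (preference 600), exactly what the `show ip route` output above reports; the third advertisement is ignored because its preference is the "not eligible" sentinel. The checksum and length checks matter for a parser fed from a capture: a truncated or bit-flipped advertisement is rejected instead of being silently decoded into a wrong gateway.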


____________________________________________________________________________________________________________________

DRP - Director Response Protocol


____________________________________________________________________________________________________________________
DRP is a UDP-based protocol that lets Cisco DistributedDirector QUERY the routers (the DRP Agents) for routing metrics, so that it can transparently REDIRECT end-user service requests to the CLOSEST RESPONSIVE SERVER. The configuration is straight-forward:
Step 1: Enable the DRP Server Agent:
(config)#ip drp server

Step 2: Define the ACL to define who will be able to send queries to DRP
(config)#access-list 11 permit 10.182.131.15

Step 3: Attach the ACL to the DRP:


(config)#ip drp access-group 11

Step 4: Point DRP at a key chain (the key chain itself must already exist) so that only queries carrying a valid key are answered:
(config)#ip drp authentication key-chain DRP_CHAIN

____________________________________________________________________________________________________________________

WAAS and WCCP Protocol


____________________________________________________________________________________________________________________
WCCP is the Web Cache Communication Protocol; it enables the redirection of client web requests to one or more Web Cache Engines, which improves web browsing over slow links. The only INTERFACE command needed for the users of that VLAN is "ip wccp web-cache redirect [in | out]". With OUT the router looks at the HTTP requests leaving through that interface, which is why it is most commonly enabled on the WAN interface. First you need to enable WCCP (the web-cache service) globally on the router:
(config)#ip wccp web-cache

On the WAN interface enable checking if the packets need to be redirected to a web cache. Enable the redirection of outgoing destination port 80 packets on the interface:
(config-if)#ip wccp web-cache redirect out

Define the ACL that only contains the Cache Engine IP (the engine registers itself with the router over WCCP; without a group-list any host that speaks WCCP could register and have the users' HTTP traffic redirected to it):
(config)#access-list 11 permit 10.182.131.15

Attach the configured ACL to the WCCP configuration:


(config)#ip wccp web-cache group-list 11


____________________________________________________________________________________________________________________

NTP - Network Time Protocol


____________________________________________________________________________________________________________________
First there is the "old school" method of setting the time on your IOS device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*%SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013, configured from console by console.

Now if you set this time really well, and the switch is new generation and you really trust it, then in order to have the entire network synchronized (with absolutely no external NTP available) set the most awesome switch to be the NTP Server:
(config)#ntp master ?
  <1-15>   Stratum number   <- STRATUM number (default 8); every device DOWNSTREAM ends up one stratum higher per hop

#show ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1   <- 127.127.7.1 is the LOCAL clock, i.e. "ntp master" is in effect
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:
(config)#ntp server 131.1.13.1

Dont forget to configure NTP BROADCAST on the interfaces of the NTP Master/Client switches if you want the clients to pick the time up from broadcasts instead of polling:
(config-if)#ntp broadcast          <- On the NTP MASTER
(config-if)#ntp broadcast client   <- ON NTP CLIENTS (they accept time from ANY broadcaster on the segment unless NTP authentication is configured)

If you want to PEER two switches within the network, so that they synchronize the time together:
(config)#ntp peer 150.1.2.2

Make sure that it "worked". Note that the output below is what you see right after configuring: stratum 16, reference clock ".INIT." and reach 0 mean the peers have NOT been reached yet. Wait a few poll intervals; a synchronized peer shows a real stratum, a non-zero reach and a "*" in front of the one chosen as sys.peer:


#sh ntp associations
  address         ref clock       st   when   poll   reach   delay   offset   disp
 ~150.1.2.2       .INIT.          16   -      64     0       0.000   0.000    16000.
 ~150.1.3.3       .INIT.          16   -      64     0       0.000   0.000    15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured


____________________________________________________________________________________________________________________

IP SLA - Monitor the Network Performance


____________________________________________________________________________________________________________________
Probably the most typical usage of IP SLA is to measure UDP Jitter and Echo, in order to make sure that the path is good enough for delay-sensitive VoIP traffic. Two sides need to be configured, the CLIENT (source) and the RESPONDER. Some probes (plain ICMP echo, for example) need no responder, but for the UDP probes the RESPONDER is what time-stamps the packets and sends them back, so the source can calculate the performance values. CAREFUL with the timestamps: configure NTP if you're not certain the devices are synced. On the RESPONDER one command is enough (the port it listens on is negotiated per probe by the IP SLA control protocol):
(config)#ip sla monitor responder

Make sure you configure the CLIENT device in accordance with the responder:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500
(config-sla-monitor-udp)#frequency 5                  <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1   <- HOW LONG THE STATISTICS ARE KEPT
(config-sla-monitor-udp)#request-data-size 1500       <- PACKET SIZE

And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only):
(config)#ip sla monitor schedule 10 start-time now life 100

Check the statistics:


#sh ip sla monit statistics
Round trip time (RTT)   Index 10
        Latest RTT: 2 ms   <- THIS IS WHAT YOU WANT TO KNOW, the ROUND TRIP TIME (RTT)
Latest operation start time: *14:47:06.923 UTC Fri Dec 6 2013
Latest operation return code: OK
Number of successes: 10
Number of failures: 0
Operation time to live: 52 sec

And on the RESPONDER:


#sh ip sla monit responder
IP SLA Monitor Responder is: Enabled
Number of control message received: 17   Number of errors: 0
Recent sources:
        10.187.122.1 [14:25:11.241 UTC Fri Dec 6 2013]
        10.187.122.1 [14:25:06.241 UTC Fri Dec 6 2013]
        10.187.122.1 [14:25:01.237 UTC Fri Dec 6 2013]
        10.187.122.1 [14:24:56.237 UTC Fri Dec 6 2013]
        10.187.122.1 [14:24:51.237 UTC Fri Dec 6 2013]

If you are using IP SLA for ROUTING, meaning - you want to TRACK a certain route using ICMP (ping), and depending on the result - "tune" the routing table, you have 2 options:

OPTION 1: Use a simple TRACK object to track a certain route, and attach it to the STATIC ROUTE:
(config)#track 10 ip route 10.1.12.0 255.255.255.0 reachability
(config)#ip route 1.0.0.0 255.0.0.0 10.1.12.2 track 10

Check the status of the TRACK 10 object, and based on that you know if your STATIC route is UP:
#sh track 10
Track 10
  IP route 10.1.12.0 255.255.255.0 reachability
  Reachability is Up (connected)
    3 changes, last change 00:04:04
  First-hop interface is Serial0/1/0
  Tracked by:
    STATIC-IP-ROUTING 0

IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol, like OSPF:


#sh track 10
Track 10
  IP route 10.1.12.0 255.255.255.0 reachability
  Reachability is Up (OSPF)   <- THIS IS NOT WHAT WE WANTED TO ACHIEVE HERE: the track stays UP as long as OSPF has the prefix, whatever happens to the serial path
    3 changes, last change 00:03:59
  First-hop interface is FastEthernet0/0
  Tracked by:
    STATIC-IP-ROUTING 0

OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) probe to monitor the end-to-end response, not just the presence of a route:
STEP 1: DEFINE THE IP SLA OBJECT
(config)#ip sla monitor 10
(config-sla-monitor)#type echo protocol ipIcmpEcho 10.1.12.2 source-ipaddr 10.1.12.1
(config-sla-monitor-echo)#frequency 5

STEP 2: DONT FORGET TO LAUNCH THE IP SLA:


(config)#ip sla monitor schedule 10 start-time now life forever

STEP 3: DEFINE THE TRACK Object using the defined IP SLA:


(config)#track 15 rtr 10 reachability   <- 15 is the TRACK OBJECT number, "rtr 10" points at IP SLA operation 10 (RTR = Response Time Reporter, the old name of IP SLA)

Make sure the TRACK is UP before you attach it to the route:


#sh track 15
Track 15
  Response Time Reporter 10 reachability
  Reachability is Up
    2 changes, last change 00:00:18
  Latest operation return code: OK
  Latest RTT (millisecs) 36
  Tracked by:
    STATIC-IP-ROUTING 0

STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE, like in option 1.
____________________________________________________________________________________________________________________

STATIC NAT
____________________________________________________________________________________________________________________
You can do STATIC NAT and just "go out" of the router with a different IP address:
(config)#ip nat inside source static 10.2.2.1 131.1.12.3 [extendable]
*Traffic sourced from 10.2.2.1 and sent to ALL destinations will appear to come from 131.1.12.3 to the outside world. Being static, the mapping also works inbound at all times: whatever listens on 10.2.2.1 is reachable as 131.1.12.3 from outside, so filter it accordingly.
*Extendable is used if you need 1 LOCAL IP to be mapped to various Public IPs (several static entries for the same inside local address)

Be sure to DEFINE the NAT INTERFACES:


(config)#int lo0                <- PRIVATE (Local) IP
(config-if)#ip nat inside
(config-if)#int s0/1/0.21       <- PUBLIC (Global) IP
(config-subif)#ip nat outside

#sh ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  131.1.12.3      10.2.2.1       ---             ---

Inside Local   - Private IP of the host in your network
Inside Global  - Public IP that the outside network sees your host as
Outside Local  - How the local network sees the IP of the remote host
Outside Global - Public IP of the remote host

If you want to do static NAT for a whole SUBNET:
(config)#ip nat inside source static network 10.2.2.0 200.2.2.0 /24


____________________________________________________________________________________________________________________

DYNAMIC NAT
____________________________________________________________________________________________________________________ Step 1: Define the POOL of the Inside Global IPs (Public), which your Private IPs will be NAT-ed into:
(config)#ip nat pool INSIDE_GLOBAL 131.1.12.3 131.1.12.8 prefix-length 24

Step 2: Define the ACCESS-LIST of the PRIVATE IPs, which are the ones that will be NAT-ed (Inside Local)
(config)#access-list 1 permit 10.2.2.0 0.0.0.255

Step 3: Implement the NAT from-ACL-to-POOL IPs


(config)#ip nat inside source list 1 pool INSIDE_GLOBAL

Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do, and the Troubleshooting is not as much fun as you might expect)
#sh ip nat translations   <- BE SURE TO PING SOMETHING BEFORE YOU CHECK THE TRANSLATIONS (dynamic entries only exist while there is traffic):
Pro    Inside global    Inside local   Outside local   Outside global
icmp   131.1.12.3:2     10.2.2.2:2     15.10.1.1:2     15.10.1.1:2
---    131.1.12.3       10.2.2.2       ---             ---

DEBUG IP NAT:
*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]

Meaning: source=10.2.2.1 (matched by the SOURCE ACL) -> inside global 131.1.12.3 (taken from the NAT POOL), destination 15.10.1.1, IP identification 64. The return packets ("NAT*" marks the fast-switched path) carry the reverse translation on the destination:


*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]
*Oct 29 16:25:54.822: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [65]
*Oct 29 16:25:54.878: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [65]
*Oct 29 16:25:54.878: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [66]
*Oct 29 16:25:54.938: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [66]
*Oct 29 16:25:54.938: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [67]
*Oct 29 16:25:54.994: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [67]
*Oct 29 16:25:54.994: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [68]
*Oct 29 16:25:55.050: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [68]
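When a NAT problem has to be reconstructed after the fact, the `debug ip nat` capture is often all there is. The following is an added example, not code from the original notes: it parses these debug lines and rebuilds the translation table from them. An `X->Y` in the source field is the outbound inside-local to inside-global translation; an `X->Y` in the destination field is the reverse translation applied to the return packet (the same shape appears in the PAR redirection debug later in these notes, where the destination is rewritten on the way in). The sample lines are constructed; the 10.2.2.9 entry is a deliberately inconsistent return translation and the last line is not a NAT line at all.

```python
import re

# NAT: or NAT*: (fast-switched), s=<src>[-><translated>], d=<dst>[-><translated>] [ip-id]
_NAT_RE = re.compile(
    r"NAT(?P<fast>\*)?:\s+s=(?P<src>[0-9.]+)(?:->(?P<src_x>[0-9.]+))?,"
    r"\s+d=(?P<dst>[0-9.]+)(?:->(?P<dst_x>[0-9.]+))?\s+\[(?P<id>\d+)\]"
)


def parse_nat_debug(line: str):
    """One debug line -> dict, or None if the line carries no NAT translation."""
    m = _NAT_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    if d["src_x"] is not None:      # outbound: inside local -> inside global
        inside_local, inside_global, outside = d["src"], d["src_x"], d["dst"]
        direction = "out"
    elif d["dst_x"] is not None:    # return traffic: inside global -> inside local
        inside_global, inside_local, outside = d["dst"], d["dst_x"], d["src"]
        direction = "in"
    else:
        return None
    return {
        "direction": direction,
        "inside_local": inside_local,
        "inside_global": inside_global,
        "outside_global": outside,
        "ip_id": int(d["id"]),
        "fast_switched": d["fast"] is not None,
    }


def build_translations(lines):
    """inside global -> set of inside locals seen behind it, over a whole capture."""
    table = {}
    for line in lines:
        rec = parse_nat_debug(line)
        if rec is not None:
            table.setdefault(rec["inside_global"], set()).add(rec["inside_local"])
    return table


def find_conflicts(table):
    """Inside globals claimed by more than one inside local.

    With a plain dynamic pool (no overload, no rotary) that must not happen; a
    local address that only ever shows up on the return path is worth a look.
    """
    return {g: locals_ for g, locals_ in table.items() if len(locals_) > 1}


# Constructed debug capture (not from a real device).
SAMPLE_DEBUG = [
    "*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]",
    "*Oct 29 16:25:54.822: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.1 [64]",
    "*Oct 29 16:25:55.100: NAT: s=10.2.2.2->131.1.12.4, d=15.10.1.1 [70]",
    "*Oct 29 16:25:55.160: NAT*: s=15.10.1.1, d=131.1.12.4->10.2.2.2 [70]",
    "*Oct 29 16:25:56.000: NAT*: s=15.10.1.1, d=131.1.12.3->10.2.2.9 [71]",
    "*Oct 29 16:25:56.010: IP: s=15.10.1.1 (Serial0/1/0.21), d=131.1.12.3, len 100, rcvd 3",
]

if __name__ == "__main__":
    table = build_translations(SAMPLE_DEBUG)
    for g, locals_ in sorted(table.items()):
        print(f"{g:15} <- {', '.join(sorted(locals_))}")
    print("conflicts:", find_conflicts(table))
```

For PAT (overload) and rotary NAT several inside locals behind one inside global are the intended behaviour, so run `find_conflicts` only on captures from a one-to-one pool; for the overload case the same table is still useful to see which inside hosts were active behind the shared address at a given time.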

If you need the HOST portion matched, add the "type match-host" argument to the NAT POOL definition:
(config)#ip nat pool LAB4 200.2.2.1 200.2.2.5 prefix-length 24 type match-host

If you need SOURCE&DESTINATION matched, define it in an EXTENDED ACL and match that ACL in a Route Map; do not attach the extended ACL directly to the "ip nat" configuration line.
____________________________________________________________________________________________________________________

Load Balancing using NAT


____________________________________________________________________________________________________________________ Step 1: Create a POOL of all the INSIDE LOCAL IPs, and define the pool type "type rotary":
(config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (Public ones, the one were NAT-ing into):
(config)#access-list 1 permit 200.2.2.2

Step 3: Do the inside DESTINATION NAT with ACL 1 as the destination list and the POOL of LOCAL IPs (complete the command with the pool name, TASK1 here):
(config)#ip nat inside destination list 1 pool ?
  WORD  Pool name for local addresses


Step 4: Define the NAT inside and outside interfaces, exactly like in the case of Static/Dynamic NAT:
(config)#int lo0
(config-if)#ip nat inside
(config-if)#int s0/1/0.21
(config-subif)#ip nat outside

Be sure that the routing is in place (both the forward and the return path towards the NAT-ed IP, 200.2.2.2)!!!
Step 5: Make sure that the IP NAT translations are correct and that the inside local addresses VARY from connection to connection (one telnet session per row, each landing on a different server):
#sh ip nat translations
Pro   Inside global   Inside local   Outside local        Outside global
tcp   200.2.2.2:23    10.2.2.1:23    131.1.12.1:20186     131.1.12.1:20186
tcp   200.2.2.2:23    10.2.2.2:23    131.1.12.1:25096     131.1.12.1:25096
tcp   200.2.2.2:23    10.2.2.3:23    131.1.12.1:20389     131.1.12.1:20389

____________________________________________________________________________________________________________________

PAT (NAT Overload)


____________________________________________________________________________________________________________________ Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to ONE SINGLE Inside Global IP. Step 1: Create an ACL with all the Inside Local addresses:
(config)#access-list 1 permit 10.2.2.0 0.0.0.7

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:
Step 2.1: Create an Inside Global IP pool from the addresses of the link towards the other router (a single address here) and configure the NAT overload with the defined pool (the pool name in the "ip nat inside source" line must match the one you created):
(config)#ip nat pool OVERLOAD 15.10.1.2 15.10.1.2 prefix-length 24
(config)#ip nat inside source list 1 pool OVERLOAD overload

Step 2.2: Configure the NAT to point to the Interface you need the traffic to go out from:
(config)#ip nat inside source list 1 interface s0/1/0.21

*The system adds "overload" argument:


(config)#do sh run | i nat inside
ip nat inside
ip nat inside source list 1 interface Serial0/1/0.21 overload

____________________________________________________________________________________________________________________

PAR - Port Address Redirection, when you need to redirect traffic using NAT


____________________________________________________________________________________________________________________
You can define the traffic redirection using static entries, but there is a trick. For example, you want all the HTTP traffic DESTINED FOR the IP of s0/0.5 of R1 to be REDIRECTED to 15.10.123.3 instead. You configure this with a static port-level NAT entry:
(config)#ip nat inside source static tcp 15.10.123.3 80 interface s0/0.5 80
*MAKE SURE YOU UNDERSTAND THIS COMMAND, IT'S A BIT BACKWARDS: the INSIDE LOCAL address (15.10.123.3:80) comes first, then the INSIDE GLOBAL one, which is the interface IP. Anyone who can reach 131.1.14.1:80 from outside now reaches 15.10.123.3:80, so treat this as a published service.
#telnet 131.1.14.1 80   (131.1.14.1 is the IP configured on the s0/0.5 interface of R1)
Trying 131.1.14.1, 80 ... Open

So when you telnet to R1's IP on port 80 from the router on the s0/0.5 side, you see the following debug on R1:
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053]   <- 131.1.14.4: the router we telnet FROM; destination rewritten to 15.10.123.3
*Nov 6 15:54:48.707: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747]   <- the reply, source NAT-ed back to the interface IP
*Nov 6 15:54:48.735: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23054]
*Nov 6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23055]
*Nov 6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]
*Nov 6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23056]
*Nov 6 15:56:48.763: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31749]
*Nov 6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23057]
*Nov 6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23058]


____________________________________________________________________________________________________________________

Static NAT redundancy with HSRP


____________________________________________________________________________________________________________________
This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the routers that form the HSRP group). In order to do this, it's necessary to NAME the HSRP group:
Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Configure NAT on the relevant interfaces ("ip nat inside" on the LAN side, and "ip nat outside" on the interface facing the inside global address; only the inside one is shown here):


(config-if)#ip nat inside                  <- NAT inside interface

Step 3: Static NAT redundancy with HSRP. After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1

This means that the traffic originated from the IP 10.185.117.1 will be NAT-ed into 152.168.13.9, but only on the router that is currently HSRP Active for the group HSRP-1 (the Standby router carries the same entry and starts translating when it takes over, so the entry must be identical on both). Tests: in this example the router 10.185.117.1 is pinging 232.32.32.4 (the destination seen in the debug). The final router (232.32.32.4) does have the route back to 152.168.13.9. With "debug ip nat" running on the Active router, the PING done from 10.185.117.1 gives the following display:
*Nov 7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]
*Nov 7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]
*Nov 7 11:34:02.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [227]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [228]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [228]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [229]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [229]
*Nov 7 11:34:04.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [230]
*Nov 7 11:34:04.610: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [230]
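A complete two-router version of the three steps above, added here as a worked example (it is not part of the original notes). The interface addresses, HSRP group numbers, priorities and virtual IPs are assumptions; the NAT entry is the one from Step 3. The named group is placed on the outside interface because the inside global address 152.168.13.9 belongs to that subnet and whichever router is Active has to answer ARP for it; a second group on the inside gives the hosts a redundant default gateway, and each group tracks the other link:

```cisco
! Added example, not from the original notes. Addresses, group numbers,
! priorities and VIPs are assumed; the NAT entry is the one from Step 3.
!
! ---- R1 (preferred Active) ----
interface FastEthernet0/0
 description inside LAN
 ip address 10.185.117.2 255.255.255.0
 ip nat inside
 standby 2 ip 10.185.117.254
 standby 2 priority 110
 standby 2 preempt
 standby 2 track FastEthernet0/1 20    ! outside link down -> drop below R2's 100
!
interface FastEthernet0/1
 description outside, 152.168.13.9 lives in this subnet
 ip address 152.168.13.2 255.255.255.0
 ip nat outside
 standby 1 ip 152.168.13.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HSRP-1                ! the name the NAT entry binds to
 standby 1 track FastEthernet0/0 20
!
ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1
!
! ---- R2 (Standby; identical apart from addresses and priority) ----
interface FastEthernet0/0
 ip address 10.185.117.3 255.255.255.0
 ip nat inside
 standby 2 ip 10.185.117.254
 standby 2 priority 100
 standby 2 preempt
 standby 2 track FastEthernet0/1 20
!
interface FastEthernet0/1
 ip address 152.168.13.3 255.255.255.0
 ip nat outside
 standby 1 ip 152.168.13.254
 standby 1 priority 100
 standby 1 preempt
 standby 1 name HSRP-1
 standby 1 track FastEthernet0/0 20
!
ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1
```

Check with "show standby brief" that the same router is Active for both groups, and with "show ip nat translations" that the static entry shows on both routers. Only the Active one translates; if you pull its outside link, the ping from the test above resumes as soon as HSRP converges. Note that this feature keeps only the static entry in sync, dynamic translations are not copied to the Standby, which is what SNAT in the next section is for.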

____________________________________________________________________________________________________________________

Scalability for Stateful NAT (SNAT)


____________________________________________________________________________________________________________________
The Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to hold the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged. Reference: http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html
Step 1: Create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1

Step 2: In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the Stateful NAT group configuration, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1

Step 3: The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID, which is called "mappingid" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1

Step 4: Consider adding features such as asymmetric queuing, or define a specific transport protocol for the redundancy group. IP Stateful NAT Redundancy mode configuration commands:
  as-queuing   Disable asymmetric process for this redundancy group
  exit         Exit from IP Stateful NAT Redundancy config mode
  mapping-id   Configure mapping-id for this redundancy group
  no           Negate or set default values of a command
  protocol     Select transport protocol for this redundancy group


Step 5: Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1

Step 6: Check the translations


#sh ip snat distributed
Stateful NAT Connected Peers

No entries will appear until you perform a PING; when you do, with the debug running, you'll see the SNAT node being allocated and then the usual NAT translations (the first "NAT:" line is the process-switched packet that creates the translation, the "NAT*:" lines are fast-switched):
*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]

____________________________________________________________________________________________________________________

NAT Translations with the Outside Source


____________________________________________________________________________________________________________________
Just the other way around from the standard NAT: mark the interface the traffic will be coming in on with "ip nat outside" and use "ip nat outside source". This will translate the incoming traffic with the source 2.2.2.2 into the LOCAL traffic with the source 200.2.2.2 (outside global 2.2.2.2 becomes outside local 200.2.2.2, so the inside hosts see, and reply to, 200.2.2.2):
(config)#ip nat outside source static 2.2.2.2 200.2.2.2

*Caveat: for inside-to-outside traffic the routing lookup happens BEFORE the translation, so the router needs a route for 200.2.2.2 pointing towards the outside, otherwise the replies are dropped. Either add a static route yourself or append "add-route" to the command above, which installs a host route for the outside local address automatically.

____________________________________________________________________________________________________________________

NAT on a Stick
____________________________________________________________________________________________________________________
When a NAT router has the same interface for both, INSIDE and OUTSIDE NAT, the trick is:
Step 1: Define the following:
- One normal interface, Fa0/0 for example, for "ip nat outside" and PBR ("ip policy route-map NAT_MAP"), plus "no ip redirects" so that the router does not tell the hosts to bypass it
- One Loopback interface for "ip nat inside"
Step 2: Define the route-map MATCHING the source/destination ACL (keep it as narrow as possible, only the flows that need translating), and SETTING the Loopback interface as the outgoing interface, which makes the packet re-enter the router on an "inside" interface:
(config)#route-map NAT_MAP
(config-route-map)#match ip address ACL_1
(config-route-map)#set interface lo0

Step 3: Define the "inside" AND "outside" static NAT entries
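All three steps together, added here as a worked example that is not part of the original notes. The topology is assumed: hosts A (192.168.1.10) and B (192.168.1.20) share the LAN on Fa0/0 of the router (192.168.1.1), and A has to reach B through translated addresses only, so B sees A as 192.168.100.10 and A reaches B as 192.168.100.20 (A routes 192.168.100.0/24 via 192.168.1.1). The loopback address, ACL and route-map names are also assumptions:

```cisco
! Added example, not from the original notes. Hosts A (192.168.1.10) and
! B (192.168.1.20) are on the same LAN; addresses and names are assumed.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside                        ! the NAT "inside" is this loopback
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside                       ! the one real interface is "outside"
 ip policy route-map NAT_MAP          ! send the to-be-translated flows into Lo0
 no ip redirects                      ! otherwise the router tells A to talk to B directly
!
ip access-list extended ACL_1
 permit ip host 192.168.1.10 192.168.100.0 0.0.0.255   ! only A's traffic to the translated range
!
route-map NAT_MAP permit 10
 match ip address ACL_1
 set interface Loopback0              ! packet re-enters the box on an "inside" interface
!
! Step 3 of the notes: inside AND outside static entries.
ip nat inside source static 192.168.1.10 192.168.100.10              ! A appears as 192.168.100.10
ip nat outside source static 192.168.1.20 192.168.100.20 add-route   ! B is reached as 192.168.100.20
```

Walk the packet through with "debug ip nat": A's packet to 192.168.100.20 arrives on Fa0/0 (outside), matches nothing on the way in, is policy-routed into Loopback0, and on its way out of Fa0/0 (now inside-to-outside) gets s=192.168.1.10->192.168.100.10 and d=192.168.100.20->192.168.1.20. B's reply arrives on Fa0/0 as outside-to-inside traffic, is translated back before the routing lookup (s=192.168.1.20->192.168.100.20, d=192.168.100.10->192.168.1.10) and no longer matches ACL_1, so it is delivered to A without a second trip through the loopback. "add-route" supplies the route for 192.168.100.20 that the inside-to-outside lookup needs.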


____________________________________________________________________________________________________________________

DHCP Server
____________________________________________________________________________________________________________________
Using the DHCP pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) you should know how to configure a full DHCP server on a Cisco Router:
Step 1: Enable the DHCP server on the device (it is on by default on most IOS releases, but don't forget this step if it was ever disabled!!!):
(config)#service dhcp

Step 2: Configure global DHCP options:


(config)#ip dhcp pool Cisco
(config-dhcp)#network 172.25.185.0 255.255.255.0              <- Network Range
(config-dhcp)#netbios-node-type h-node                        <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server 172.25.185.253              <- WINS Server IP
(config-dhcp)#dns-server 172.25.185.200 172.25.185.201        <- Primary and Secondary IPs
(config-dhcp)#lease 3 5                                       <- The duration of the DHCP Lease (3 days 5 hours)
(config-dhcp)#update arp                                      <- Secure ARP: the ARP entries for the clients are created and removed from the DHCP bindings only
(config-dhcp)#default-router 172.25.185.254                   <- GW to be ALLOCATED TO THE HOSTS

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address 172.25.185.252 172.25.185.254

Step 4: You can disable the DHCP conflict logging (in a lab quite a few conflicts are likely to occur, and the conflict database takes memory):
(config)#no ip dhcp conflict logging
*Leave it on in production: a logged conflict is what keeps the server from handing out an address that somebody is already using. Check them with "show ip dhcp conflict" and clear them with "clear ip dhcp conflict *" instead.
(config)#no ip dhcp conflict logging

Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it. So create another DHCP pool (one per host) and assign the host's IP and MAC address:
(config)#ip dhcp pool STATIC_HOST                     <- pool name is an example
(dhcp-config)#host 10.184.117.37
(dhcp-config)#hardware-address 0014.2526.ef46

The host inherits the options (default-router, dns-server, ...) of a network pool only if its address lies inside that pool's subnet, because IOS DHCP pools are hierarchical; 10.184.117.37 would NOT inherit anything from the 172.25.185.0/24 pool above, so either pick an address inside that subnet or repeat the options in the host pool. If a Windows client never matches the entry, it is because Windows sends a client identifier (01 followed by the MAC) rather than the hardware address; use "client-identifier 0100.1425.26ef.46" instead of "hardware-address".

Check if your manual entry was configured:


#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address        Client-ID/              Lease expiration        Type
                  Hardware address/
                  User name
10.184.117.37     0014.2526.ef46          Infinite                Manual

____________________________________________________________________________________________________________________

CNS (Cisco Networking Services)


____________________________________________________________________________________________________________________

KRON - The Command Scheduler. It runs EXEC-level commands at a given time or interval (the "Policy for System Startup" variant runs them when the box boots). KRON executes the command line non-interactively and cannot answer prompts, so give "copy" the full URL (host and file name) and, if needed, set "file prompt quiet".
STEP 1: Define the KRON policy list, and enter the KRON configuration mode:
(config)#kron policy-list cns-weekly

STEP 2: Define the CLI command you want executed:


(config-kron-policy)#cli ?
  LINE  Exec level cli to be executed

Example:
(config-kron-policy)#cli copy startup-config tftp://r4-config


STEP 3: Define when the KRON is being executed:


(config)#kron occurrence week in 7:1:30 recurring        <- "in days:hours:minutes", i.e. every 7 days 1 hour 30 minutes
(config-kron-occurrence)#policy-list cns-weekly

STEP 4: Check the KRON status:


#show kron schedule
Kron Occurrence Schedule
week inactive, will run again in 7 days 01:25:17

____________________________________________________________________________________________________________________

GRE Tunnels
____________________________________________________________________________________________________________________
Cisco Documentation: Interface and Hardware Component Configuration Guide -> Implementing Tunnels
GRE is Generic Routing Encapsulation; it's the basic tunnel type and the most simple to implement. For starters you need to define the Tunnel interface:
(config)#interface tunnel 0

Define the IP Address of the Tunnel Interface, and assign it the SOURCE and DESTINATION IP (These must be mutually PINGable):
(config-if)#ip address 10.187.134.121 255.255.255.0     <- the mask was missing in the original note; /24 is just an example
(config-if)#tunnel source 131.1.12.1                    <- YOU CAN USE AN IP ADDRESS OR AN INTERFACE AS A SOURCE
(config-if)#tunnel destination 131.1.12.2
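Both ends of such a tunnel written out, as an added example that is not part of the original notes. R1 and R2 sit on the 131.1.12.0/24 WAN, the tunnel is sourced from loopbacks, the loopbacks are routed over the underlay only, and OSPF runs inside the tunnel for the LANs behind the routers; all addresses, interface names and the OSPF process are assumptions:

```cisco
! Added example, not from the original notes. Addresses, the LANs
! 192.168.1.0/24 (behind R1) and 192.168.2.0/24 (behind R2), and OSPF
! process 1 are assumed.
!
! ---- R1 ----
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.187.134.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 2.2.2.2
 keepalive 10 3                 ! GRE keepalives: line protocol drops after 3 misses (30 s)
!
! Underlay route to the far-end loopback. It must never be learned through
! Tunnel0 itself, or IOS shuts the tunnel: "%TUN-5-RECURDOWN: Tunnel0
! temporarily disabled due to recursive routing".
ip route 2.2.2.2 255.255.255.255 131.1.12.2
!
router ospf 1
 router-id 1.1.1.1
 network 10.187.134.0 0.0.0.3 area 0     ! overlay: only the tunnel and the LAN,
 network 192.168.1.0 0.0.0.255 area 0    ! never the loopbacks or the WAN
!
! ---- R2 (mirror image) ----
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.187.134.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 1.1.1.1
 keepalive 10 3
!
ip route 1.1.1.1 255.255.255.255 131.1.12.1
!
router ospf 1
 router-id 2.2.2.2
 network 10.187.134.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
```

Verify with "show ip route 2.2.2.2" on R1 (it must point at 131.1.12.2, not Tunnel0) and "show interfaces tunnel 0" (keepalive counters). Without the keepalive the tunnel stays "up/up" even when the far end is gone, because GRE itself is stateless.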

*You'll get a message that the interface went UP as soon as the source and destination are set and the source interface is up; GRE is stateless, so "up" does not mean the far end is reachable. Add "keepalive" on the tunnel interface if you want the line protocol to reflect that.
**Check if you need to tune the routing protocol metrics on the Tunnel interfaces if you want to prefer those, because by default the Tunnel interface has a low bandwidth value (100 kbps) and therefore a higher metric.
BEST PRACTICE is to source the tunnel from Loopback interfaces, and make sure you have enough redundancy so that the Loopbacks are always PING-able. Make sure the route to the tunnel destination never points through the tunnel itself, otherwise IOS disables it for recursive routing.
***GRE offers no confidentiality or authentication; the "tunnel key" only tells tunnels apart and travels in clear text. If the path is untrusted, protect the tunnel with IPsec ("tunnel protection ipsec profile ...") on both ends.
____________________________________________________________________________________________________________________

Various IOS Tricks


____________________________________________________________________________________________________________________
Define a name for a remote host (a static host-name entry, used by telnet, ping, etc.):
(config)#ip host REMOTE_HOST 10.1.12.1

Configure a "busy-message" (the text shown when the host/service is not available; the "@" is just the delimiter around the message):


(config)#busy-message REMOTE_HOST @NOT AVAILABLE@

To hide a hostname IP when doing a Telnet:


(config)#service hide-telnet-addresses

To reload from the decompressed IOS image already in DRAM instead of decompressing the image from flash again (faster reboot, on platforms that support it):
(config)#warm-reboot

To change the prompt, and to make the "(config)" part of the prompt disappear:


(config)#prompt New_prompt
(config)#no service prompt config


To get rid of the message "Password required, but none set" (DON'T DO THIS outside a lab!!! It gives anyone who can reach the VTY an unauthenticated privilege-15 session; use "login local" with a local user, or AAA, instead):
(config)#line vty 0 4
(config-line)#no login
(config-line)#privilege level 15                   <- TO GO TO PRIVILEGE MODE DIRECTLY

To avoid sending a packet for each keystroke typed:


(config)#service nagle

To "tune" CDP:
(config)#cdp timer 10

If you want to keep your configuration change logs in the NVRAM:


(config)#archive
(config-archive)#log config                        <- TO LOG ALL THE CONFIGURATION CHANGES; "config" is the only option under "log"
(config-archive-log-config)#logging enable
(config-archive-log-config)#logging size SIZE      <- number of entries kept (1-1000), not kilobytes; the oldest entries are overwritten
(config-archive-log-config)#hidekeys               <- passwords and keys are masked in the logged commands
(config-archive-log-config)#notify syslog          <- TO SEND EACH CONFIG CHANGE TO SYSLOG

To test ("show archive log config all" lists the logged commands with user and time; the command below diffs the running config against the last archived copy, so it needs an archive "path" configured):
#show archive config differences


IP Routing


____________________________________________________________________________________________________________________

PBR - Policy Based Routing


____________________________________________________________________________________________________________________
The most important thing here is to know how to DEBUG the policy map (it shows every packet that is policy-routed, or rejected, and which route-map sequence matched):
#debug ip policy

To match the SOURCE IP use the standard ACL:


(config)#access-list 2 permit host 100.1.1.1

To match the FLOW use the EXTENDED ACL:


(config)#ip access-list extended FLOW1
(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2      <- TO MATCH THE FLOW (source AND destination)
(config-ext-nacl)#permit tcp any any eq 23                 <- TO MATCH THE PROTOCOL (PORT)

ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table:


(config)#ip local policy route-map ROUTE_MAP

This will not work for traffic transiting this router. For that you need to apply it on the interface
____________________________________________________________________________________________________________________

ODR - ON-DEMAND ROUTING


____________________________________________________________________________________________________________________
On-Demand Routing is not a routing protocol. It uses Cisco Discovery Protocol (CDP) to propagate the IP prefixes: the spokes announce their connected prefixes to the hub inside CDP, and the hub sends a default route back. ODR is a perfect solution for a hub-and-spoke topology where the spoke routers are stub routers with a single link to the hub. It provides IP routing for stub sites with minimum overhead. Configuration is quite simple:
Step 1: Enable ODR globally on the HUB router:
(config)#router odr        <- the HUB begins installing the stub networks learned via CDP in the IP routing table (marked "o")

*Don't configure ANY routing protocol on a STUB; a spoke that runs a dynamic routing protocol stops announcing its prefixes via ODR. CDP must be enabled on the hub-spoke links.
Step 2: Adjust the CDP timers, as ODR uses CDP as its transport protocol (ensure the CDP versions match):
(config)#cdp timer seconds

____________________________________________________________________________________________________________________

RIP
____________________________________________________________________________________________________________________
RIP uses the Multicast address 224.0.0.9 to send its updates via UDP port 520 (RIPv2; RIPv1 broadcasts them). "no auto-summary" disables the automatic summarisation at classful boundaries (RIPv2 itself is classless, the summaries are just the default behaviour), so when you check the RIP database:
#show ip rip database
1.0.0.0/8      auto-summary                              <--- the AUTO SUMMARIES are not ADVERTISED
1.0.0.0/8      directly connected, Loopback0
10.0.0.0/8     auto-summary
10.1.1.0/24    directly connected, Serial1/0.123

Network Layer Reachability Information (NLRI) means the pure reachability information carried by the ROUTING UPDATES. When you need to send the RIP updates using UNICAST instead of Multicast packets, the "neighbor" command is used. Be sure to check SPLIT HORIZON in the case of a HUB-and-SPOKE configuration. If you need to DISABLE it for routing, BE SURE TO CONFIGURE THE FRAME-RELAY IP-DLCI mappings between the spokes manually, otherwise the spokes learn each other's routes but cannot forward to them!
* BY DEFAULT IP SPLIT HORIZON is DISABLED ON A FRAME-RELAY PHYSICAL (main) INTERFACE, AND ENABLED ON SUB-INTERFACES, multipoint ones included:
#show ip inter s1/0.123 | i Split
  Split horizon is enabled

To avoid the SPLIT HORIZON and ADDITIONAL IP-DLCI mappings, you can use PPP and VIRTUAL TEMPLATES


____________________________________________________________________________________________________________________

RIP: Authentication
____________________________________________________________________________________________________________________

TIP: If you configure a "neighbor" command, that neighbor will RECEIVE the RIP updates as UNICAST. Don't forget "passive-interface default" (or passive on that interface) to stop the MULTICAST updates, otherwise the peer gets both.
RIP Version 2 supports clear text and MD5 authentication. A key chain needs to be defined and applied on the physical interface using the commands:
(config-if)#ip rip authentication mode md5
(config-if)#ip rip authentication key-chain CISQUEROS_CHAIN

If configured on one side only, "debug ip rip events" will show:
*Aug 18 08:57:04.391: RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)

IT WILL TAKE A LOOONG TIME FOR RIP TO UPDATE THE DATABASE (the stale routes stay until the invalid and flush timers expire, 180/240 seconds by default), so do the:
#clear ip route *

First step is to build a KEY-CHAIN:


(config)#key chain RIP_12
(config-keychain)#key 1                    <- TEXT authentication: KEY NUMBERS DON'T HAVE TO MATCH. MD5: key numbers MUST MATCH!!!
(config-keychain-key)#key-string cisco

IMPORTANT: For MD5 the passwords (key-strings) AND the key numbers MUST be the same on all the routers. In case the key numbers are different:
- The router with the HIGHER key number receives ALL the routes
- The router with the LOWER key number IGNORES (rejects) all the routes received from the other router
____________________________________________________________________________________________________________________

RIP: Timers
____________________________________________________________________________________________________________________
*To see the default values:
#show ip protocols
...
  Sending updates every 30 seconds, next due in 20 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240

(config-router)#timers basic ?
  <1-4294967295>  Interval between updates for RIP
(config-router)#timers basic 60 ?
  <1-4294967295>  Invalid
(config-router)#timers basic 60 360 ?
  <0-4294967295>  Holddown
(config-router)#timers basic 60 360 360 ?
  <1-4294967295>  Flush
(config-router)#timers basic 60 360 360 480 ?
  <1-4294967295>  Sleep time, in milliseconds
  <cr>
(config-router)#timers basic 60 360 360 480

To AVOID COLLISIONS (all routers sending their updates at the same instant) you can INSERT A DELAY before each update is sent, by adding the last, optional, attribute to the TIMER SETTING. Keep the timers identical on all routers of a segment:
(config-router)#timers basic 60 360 360 480 ?
  <1-4294967295>  Sleep time, in milliseconds


Other RIP specific configuration parameters. SUPPRESS flash (triggered) updates when the next periodic update is due in less than the configured number of seconds:
(config-router)#flash-update-threshold seconds

Validate the update source:


(config-router)#validate-update-source
*Enabled by default; makes sure the source IP of the advertising router is on the same subnet as the receiving interface. Needs to be disabled when you are playing with LOOPBACKS or unnumbered links.

Change the unprocessed RIP input queue depth. Good practice on SLOW ROUTERS, and it also prevents routing information from being lost:
(config-router)#input-queue 75            <- DEFAULT IS 50

Define the DELAY between the update packets, when a FAST router is neighbour of a SLOW one:
(config-router)#output-delay 10           <- BY DEFAULT THERE IS NO INTER-PACKET DELAY; the range is 8-50 ms

____________________________________________________________________________________________________________________

RIP: Updates Control


____________________________________________________________________________________________________________________
By default Version 1 uses Broadcast to send its updates. Version 2 uses Multicast, with the destination address 224.0.0.9. If you need to send the updates only when something changes in the topology, there is the INTERFACE command "ip rip triggered" (RFC 2091 triggered extensions; only supported on point-to-point serial links, and it has to be configured on both ends):
(config-if)#ip rip triggered

There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). To achieve this you need to manually define the neighbor using the "neighbor" command, and define the interface towards that neighbor as PASSIVE to prevent the Multicast updates that are sent by default (if the interface is not passive, both UNICAST and MULTICAST updates are sent). There is also a way to force Broadcast updates (destination 255.255.255.255 instead of the default multicast 224.0.0.9) in RIP Version 2, for the sake of RIPv1-only listeners on the segment, using the interface command:
(config-if)#ip rip v2-broadcast

Another RIP-specific feature is injecting the default route using the "ip default-network" command. This is done in Global Configuration mode, and it only works with a classful network that RIP knows about, so don't forget to advertise that network into RIP:
(config)#ip default-network 4.0.0.0
(config-router)#network 4.0.0.0
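The unicast-update and MD5 pieces from the "RIP: Authentication" and "RIP: Updates Control" sections put together in one configuration, with a key rollover built in, as an added example that is not part of the original notes. R1 (10.1.12.1) peers with R2 (10.1.12.2) over FastEthernet0/0; the key-chain name, key-strings, dates and interface are assumptions, and R2 gets the mirror image with "neighbor 10.1.12.1":

```cisco
! Added example, not from the original notes. R1 side; R2 is identical
! apart from its address and "neighbor 10.1.12.1". Names, key-strings and
! dates are assumed.
key chain RIP_12
 key 1
  key-string OldKeyString
  accept-lifetime 00:00:00 Jan 1 2013 23:59:59 Jan 31 2015   ! still accepted a month after
  send-lifetime   00:00:00 Jan 1 2013 23:59:59 Dec 31 2014   ! we stop sending with it
 key 2
  key-string NewKeyString
  accept-lifetime 00:00:00 Dec 31 2014 infinite                ! accepted a day early, for clock skew
  send-lifetime   00:00:00 Jan 1 2015 infinite
!
! Lifetimes are only as good as the clock: sync it (ntp server <address>)
! before relying on them. Key IDs 1 and 2 must exist with the same numbers
! on R2, because MD5 authentication checks the key ID as well.
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_12
!
router rip
 version 2
 no auto-summary
 passive-interface default        ! no 224.0.0.9 multicast on any interface ...
 neighbor 10.1.12.2               ! ... updates go as unicast to this peer only
 network 10.0.0.0
```

"debug ip rip" on R2 should show the updates arriving from 10.1.12.1 as unicast; while only one side has the key chain applied you get the "ignored v2 packet ... (invalid authentication)" line from the authentication section, and after fixing it "clear ip route *" saves you the wait for the flush timer.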

____________________________________________________________________________________________________________________

RIP: OFFSET LISTS


____________________________________________________________________________________________________________________
In RIP the METRIC IS ACTUALLY the HOP COUNT, so if you want a route to be UNREACHABLE set its metric to 16 (anything above 15 is infinity). A RIP offset list is used to INCREASE the hop count of the prefixes matched by an ACL. Define the ACL (10 in this example), and set the hop count to be increased by a value, in this example 13, on the updates sent out of Fa0/0:
(config-router)#offset-list 10 out 13 Fa0/0

Offset lists work only with RIP and EIGRP. An offset that pushes the hop count past 15 is a cheap way of poisoning a route on one link without filtering it.


____________________________________________________________________________________________________________________

RIP: Update Source Control


____________________________________________________________________________________________________________________
RIP validates the source of the update packets, so they need to come from the same subnet as the interconnection. If they don't, as when the updates are sourced from a Loopback, you can force the updates to be accepted by turning off the source validation:
(config-router)#no validate-update-source

This way the RIP routes will be exchanged, but if L3 reachability to the advertised next hop is not there, the routes are useless. If you need to define the EXACT SOURCES (RIP neighbors) you want to receive the updates from, use the "gateway" keyword on a distribute-list. This works for RIP and EIGRP only. Start by defining 2 PREFIX LISTS, one listing the neighbours you want updates FROM, another listing the prefixes you want to accept. Once the prefix lists are configured, apply them via a distribute-list in router configuration mode (the "prefix" keyword is required here; the original note omitted it):
(config-router)#distribute-list prefix UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0

____________________________________________________________________________________________________________________

RIP: Route Summarizing


____________________________________________________________________________________________________________________
Done on the interface level:
(config-if)#ip summary-address rip 150.1.0.0 255.255.252.0

#show ip rip database
150.1.0.0/22    int-summary                          <- MANUAL SUMMARY

____________________________________________________________________________________________________________________

RIP: Route Filtering using Prefix Lists


____________________________________________________________________________________________________________________
PREFIX LISTS are used to implement route filtering in RIP, and are applied via DISTRIBUTE LISTS. The main trick is to wait for the timers to EXPIRE before checking if the filter worked, or even better CLEAR THE ROUTING TABLE. The same principle applies to most of the routing protocols.
#clear ip route *

Step 1: Define the IP prefix list. In this example we're allowing only the prefix 192.1.1.0/24 and denying everything else (remember this structure for selecting ALL in a prefix list: deny 0.0.0.0/0 le 32):
(config)#ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24
(config)#ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32
*NOTE that THERE IS AN IMPLICIT DENY ALL AT THE END, so the second entry was added ONLY to get a hit counter for what is being dropped

Step 2: Apply the filtering using the distribute list within the routing protocol configuration, in the INBOUND direction, meaning filter the routes learned via RIP:
(config-router)#distribute-list prefix TEST_MAT_2 in

Step 3: Clear the routing table and check if the filtering has been applied correctly by reviewing the Routing Table
#clear ip route *


Also check how your prefix list is doing:


#sh ip prefix-list detail
Prefix-list with the last deletion/insertion: TEST_MAT_2
ip prefix-list TEST_MAT_2:
   count: 2, range entries: 1, sequences: 5 - 10, refcount: 3
   seq 5 permit 192.1.1.0/24 (hit count: 37, refcount: 1)
   seq 10 deny 0.0.0.0/0 le 32 (hit count: 595, refcount: 1)     <- CHECK HOW MANY HITS PER ENTRY

*The HITS are counted per prefix in each received ROUTING PROTOCOL UPDATE, not per data packet.
If you want to use a PREFIX LIST to match, for example, exactly the classful Class A networks (every /8 whose first bit is 0), "ge" and "le" pin the prefix length (IOS wants "ge" before "le"):
ip prefix-list FILTER_A seq 5 permit 0.0.0.0/1 ge 8 le 8          <- CLASS A has the first bit 0, and a classful mask of /8

So, check the following examples:

Class A would be: permit 0.0.0.0/1 ge 8 le 8        (0.0.0.0 - 127.255.255.255, only the /8s)
Class B would be: permit 128.0.0.0/2 ge 16 le 16    (128.0.0.0 - 191.255.255.255, only the /16s)
Class C would be: permit 192.0.0.0/3 ge 24 le 24    (192.0.0.0 - 223.255.255.255, only the /24s)
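The "gateway" filter from the "RIP: Update Source Control" section and the prefix filtering from this section combined into one inbound policy, as an added example that is not part of the original notes. It accepts updates only from two known neighbours and, from them, only non-RFC 1918 prefixes between /8 and /24, which is what you want on a router that hears RIP from somebody else's equipment; the list names, neighbour addresses and interface are assumptions, the three classful matchers are the ones above written out in the order IOS expects:

```cisco
! Added example, not from the original notes. Names, neighbour addresses
! and the interface are assumed.
!
! WHO we accept RIP updates FROM on FastEthernet0/0: the two known neighbours only.
ip prefix-list RIP_PEERS seq 5 permit 131.1.12.2/32
ip prefix-list RIP_PEERS seq 10 permit 131.1.12.3/32
!
! WHAT we accept: no RFC 1918 space, no default route, nothing longer than /24.
! The implicit deny at the end drops everything the last line does not permit.
ip prefix-list RIP_IN seq 5 deny 10.0.0.0/8 le 32
ip prefix-list RIP_IN seq 10 deny 172.16.0.0/12 le 32
ip prefix-list RIP_IN seq 15 deny 192.168.0.0/16 le 32
ip prefix-list RIP_IN seq 20 deny 0.0.0.0/0
ip prefix-list RIP_IN seq 25 permit 0.0.0.0/0 ge 8 le 24
!
! Classful matchers from the notes, "ge" before "le" (each matches only the /8, /16 or /24 itself).
ip prefix-list CLASS_A seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list CLASS_B seq 5 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list CLASS_C seq 5 permit 192.0.0.0/3 ge 24 le 24
!
router rip
 version 2
 no auto-summary
 distribute-list prefix RIP_IN gateway RIP_PEERS in FastEthernet0/0
```

"gateway" is matched against the source address of the update packet, so an update from any other host on the segment is dropped whatever it carries; "show ip prefix-list detail" then shows the hit counts growing on RIP_PEERS and on the RIP_IN lines that actually filter something, and "clear ip route *" gets rid of the old routes without waiting for the flush timer.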


____________________________________________________________________________________________________________________

OSPF
____________________________________________________________________________________________________________________
OSPF multicasts: 224.0.0.5 (AllSPFRouters) carries the Hellos and updates to all OSPF routers on a segment; 224.0.0.6 (AllDRouters) is used by the DROthers to send to the DR and BDR.

TIP: When you mix BROADCAST and NON-BROADCAST network types on the two ends of a link in order to PEER, you MUST ADJUST THE TIMERS (10/40 versus 30/120)!!!
TIP: When you need a CONDITION, like do something if a certain route exists in the routing table, just use a PREFIX-LIST and match it
in the route-map: "match ip address prefix-list ROUTE_EXISTS"

TIP: When you have an L2 tunnel directly attached to an OSPF interface and the MTUs differ, you can tell OSPF to ignore the MTU mismatch in the DBD exchange. The adjacency then forms, but LSAs bigger than the smaller MTU still get dropped, so fixing the MTU is the better option:
(config-if)#ip ospf mtu-ignore

TIP: To IGNORE stuff in OSPF, like LSA type 6 (MOSPF), under the routing process:
(config-router)#ignore lsa mospf

WHEN you need to advertise Loopbacks with their CONFIGURED MASKS, be sure to do "ip ospf network point-to-point" on them, otherwise they are advertised as /32 (the /32 might be required for Multicast or MPLS, so be careful with this!)
____________________________________________________________________________________________________________________

OSPF over Frame-Relay, focus on Network Types


____________________________________________________________________________________________________________________

TIP: Revise DR->"neighbor" command->TIMERS


Don't forget that in Frame-Relay the "broadcast" keyword is defined ONLY between a HUB and a SPOKE, on BOTH sides of the PVC!!! What it does is tell the router: "if you have any broadcast or multicast packets, go ahead and send them down this DLCI as a unicast". So basically it is a way to send broadcast messages on a non-broadcast medium. Don't include "broadcast" on the spoke-to-spoke mappings: the Hellos addressed to the other spoke cannot traverse the HUB, which does not forward them.

Type 1: NON-BROADCAST (NBMA)
- Use the "neighbor" command on the HUB so OSPF sends UNICAST Hellos. OSPF normally uses Multicast, which the router treats as a kind of broadcast; because of the non-broadcast nature of Frame-Relay this is the DEFAULT OSPF network type on a FR multipoint interface.
- Set the OSPF priority to 0 on all the SPOKEs, so the HUB is elected DR and the SPOKEs are neither DR nor BDR.
- Non-broadcast uses slow timers: 30 second hello and 120 second dead time. Here it does not hurt, as all the neighbors use the same network type.

Type 2: BROADCAST - two important things:
- As BROADCAST is meant to be faster, the timers are 10/40 seconds by default.
- Include "broadcast" when mapping the DLCI to the IP. Also set the SPOKEs' OSPF priority to 0, we don't want them to be DR.

Type 3: POINT-TO-POINT
- Really simple; POINT-TO-anything (P2P or P2MP) does not do the DR/BDR election.
- Timers 10/40 seconds (P2MP, below, keeps the slow ones).

TIP: When doing a HUB-AND-SPOKE, configure Point-to-Multipoint on a HUB, and ADJUST THE TIMERS!!!


Type 4: POINT-TO-MULTIPOINT
- No DR, no "neighbor" commands. Slow timers (30/120 seconds). "broadcast" is mandatory on the FR mappings!!!
- The HUB simply re-advertises the routes learned from ONE SPOKE to the other, and installs a /32 host route for each neighbor, so the next hop from a spoke is always the hub.
- Per these notes the HUB should have a .multipoint sub-interface, while on the SPOKEs you can use a .multipoint sub-interface or the physical interface.

Type 5: POINT-TO-MULTIPOINT NON-BROADCAST
- Cisco proprietary, like P2MP, but with NO BROADCASTS on the mappings, so the HUB needs "neighbor" statements for the unicast Hellos. Timers are still slow, 30 and 120 seconds. Next hop is ALWAYS the router you are directly connected to.
(config-if)#ip ospf network point-to-multipoint non-broadcast
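Both designs for a hub-and-spoke Frame-Relay cloud written out, as an added example that is not part of the original notes. The topology is assumed: hub R1 (10.1.123.1) with DLCI 102 to R2 and 103 to R3, spokes R2 (10.1.123.2, DLCI 201) and R3 (10.1.123.3, DLCI 301), everything in area 0, router IDs 1.1.1.1/2.2.2.2/3.3.3.3. Option A is the point-to-multipoint design the TIP above recommends; Option B keeps the default non-broadcast type and shows what must then change:

```cisco
! Added example, not from the original notes. Topology, addresses, DLCIs
! and router IDs are assumed.
!
! ===== Option A: point-to-multipoint (no DR, no neighbor statements, 30/120 timers) =====
! ---- R1 (hub) ----
interface Serial1/0
 encapsulation frame-relay
 no frame-relay inverse-arp                    ! static mappings only, nothing learned from the cloud
!
interface Serial1/0.123 multipoint
 ip address 10.1.123.1 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 10.1.123.2 102 broadcast   ! hub<->spoke PVCs carry "broadcast" on BOTH ends
 frame-relay map ip 10.1.123.3 103 broadcast
!
router ospf 1
 router-id 1.1.1.1
 network 10.1.123.0 0.0.0.255 area 0
!
! ---- R2 (spoke; R3 is the mirror image with 10.1.123.3 and DLCI 301) ----
interface Serial1/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ip address 10.1.123.2 255.255.255.0
 ip ospf network point-to-multipoint           ! same type as the hub, same 30/120 timers
 frame-relay map ip 10.1.123.1 201 broadcast   ! to the hub: broadcast
 frame-relay map ip 10.1.123.3 201             ! to the other spoke via the hub: NO broadcast
!
router ospf 1
 router-id 2.2.2.2
 network 10.1.123.0 0.0.0.255 area 0
!
! ===== Option B: keep the default non-broadcast type, force the hub to be DR =====
! ---- R1 (hub): instead of "ip ospf network point-to-multipoint" ----
interface Serial1/0.123 multipoint
 ip ospf priority 255
!
router ospf 1
 neighbor 10.1.123.2                           ! unicast Hellos; only the DR candidate needs these
 neighbor 10.1.123.3
!
! ---- R2 and R3 (spokes): instead of "ip ospf network point-to-multipoint" ----
interface Serial1/0
 ip ospf priority 0                            ! never DR/BDR: the spokes cannot hear each other
```

In Option A "show ip route" on a spoke shows the other spoke's networks with the hub as next hop plus /32 routes for each neighbor, so the spoke-to-spoke mapping is not strictly needed there; in Option B the next hop for those routes is the other spoke itself, which is exactly why that mapping (without "broadcast") has to exist. In both cases "show ip ospf neighbor" on the hub must list both spokes, and "show ip ospf interface" tells you the network type and timers if they do not come up.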

____________________________________________________________________________________________________________________

OSPF: Configuration on INTERFACE LEVEL


____________________________________________________________________________________________________________________
The routes can be advertised using the "network" command, but there is also another way. You can do the entire OSPF configuration on the interface level:
(config-if)#ip ospf network point-to-point
(config-if)#ip ospf 1 area 0

This will automatically CREATE the OSPF process on the router:


#sh run | s router ospf
router ospf 1
 log-adjacency-changes

Even so, you should define the "router ospf 1" process in global configuration mode before the interface command and give it an explicit "router-id" (it's not necessary for the OSPF PEERING, but it avoids restarting the OSPF process later because of a Router ID change). Being defined as a P2P network, the DR/BDR election will not take place, and the state of all the OSPF neighbors will be "FULL/ -", as presented below:
#show ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address       Interface
3.3.3.3           0   FULL/  -    00:00:30    10.1.23.3     GigabitEthernet0/0
1.1.1.1           0   FULL/  -    00:00:34    10.1.12.1     Serial1/0

This way the interface is configured to belong to Area 0, and the interface subnet is "injected" into the OSPF area. If there is a SECONDARY IP configured on the interface, it will also be advertised. If you do NOT want to advertise the secondary subnet, use the following OSPF-specific command:
(config-if)#ip ospf 1 area 0 secondaries none

____________________________________________________________________________________________________________________

OSPF: Timers
____________________________________________________________________________________________________________________
The standard commands for setting the OSPF timers are "ip ospf hello-interval" and "ip ospf dead-interval" on the interface level. If you need a hello shorter than 1 second, use the following (the dead interval becomes 1 second and the hello-multiplier says how many Hellos fit into it, here 4, i.e. one every 250 ms):
(config-if)#ip ospf dead-interval minimal hello-multiplier 4

*THE HELLO AND DEAD VALUES MUST MATCH BETWEEN THE NEIGHBORING INTERFACES, otherwise the Hellos are ignored and no adjacency forms. When an ACK hasn't been received for an LSA, the router keeps the LSA and by default waits 5 seconds before re-sending it. To change:
(config-if)#ip ospf retransmit-interval 10
  retransmit-interval  Time between retransmitting lost link state advertisements


____________________________________________________________________________________________________________________

OSPF: Authentication
____________________________________________________________________________________________________________________
You can enable OSPF authentication:
1. Globally on the router, in the "router ospf" configuration, so it's enabled on all the interfaces in that area:
(config-router)#area 0 authentication                    <- Plain Text Authentication
(config-router)#area 0 authentication message-digest     <- MD5 Authentication

2. Directly on the Interface


(config-if)#ip ospf authentication message-digest <-MD5 Authentication

OSPF supports two types of Authentication: 1. Plain Text (64-bit Password)


(config-if)#ip ospf authentication-key ^&*(^*&&%

2. MD5 (ID + 128-bit Password):


(config-if)#ip ospf message-digest-key 1 MD5 ^&*^&^*

To DISABLE the authentication on an interface:


(config-if)#ip ospf authentication null

Check what type of OSPF authentication has been configured and, for MD5, which key ID is the youngest (the key itself is never displayed):
#show ip ospf interface s1/0.12 | b authentic
  Simple password authentication enabled

When you need to CHANGE THE PASSWORD without a service interruption, configure a 2nd KEY and remove the 1st afterwards:
(config-if)#ip ospf message-digest-key 2 md5 SECOND_KEY

*With two keys configured the router sends each packet twice, once per key, until it sees every neighbor using the new key; from then on it uses only the YOUNGEST KEY (the one configured last). Remove key 1 on all routers once they have all moved, otherwise the old password stays valid for anyone who captured it. MD5 is the only keyed option on this IOS; newer releases also offer HMAC-SHA via "ip ospf authentication key-chain" (RFC 5709), which is preferable where available.
____________________________________________________________________________________________________________________

OSPF: Route Redistribution


____________________________________________________________________________________________________________________
(config-router)#redistribute eigrp 1 subnets

- Be sure to include the word "subnets", otherwise it's going to redistribute the classful networks ONLY!
- By default the routes are redistributed into OSPF with Metric 20, Metric-type 2 (E2). AD is still 110.

You can define the MAXIMUM NUMBER of prefixes to be redistributed into OSPF, and the % at which to give the first warning message. Here MAX 10 prefixes can be redistributed, and at 70% of that a Warning Message is displayed:
(config-router)#redistribute maximum-prefix 10 70 warning-only


____________________________________________________________________________________________________________________

OSPF Route Summarization


____________________________________________________________________________________________________________________
This is to be done under the ROUTING PROCESS configuration. The routing process auto-injects a DISCARD ROUTE (Null0) to avoid loops.

ABR for the Internal Routes, using the "area X range" command:
(config-router)#area 2 range 4.4.0.0 255.255.252.0 advertise cost 10

ASBR for the External (redistributed into OSPF) Routes, using the "summary-address" command
(config-router)#summary-address 4.4.0.0 255.255.252.0

If you want to prevent the route Null0 in the routing table, just exclude the discard-route:
(config-router)#no discard-route [internal | external] <- INTERNAL on ABR, EXTERNAL on ASBR

____________________________________________________________________________________________________________________

OSPF Virtual Link


____________________________________________________________________________________________________________________
Configure between two routers out of which none is in the Area 0 (Backbone Area). Once it's configured, a new OSPF neighbor will be added as a Virtual-Link neighbor:
#show ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address      Interface
4.4.4.4           0   FULL/  -    00:00:05    10.1.34.4    OSPF_VL0       <--- VIRTUAL LINK NEIGHBOR
2.2.2.2           0   FULL/  -    00:00:30    10.1.23.2    Serial1/0.32
4.4.4.4           0   FULL/  -    00:00:34    10.1.34.4    Serial1/0.34

Can multiple Virtual Links be formed? YES!!! So for example if we have the following scenario:

Cisqueros_R1 - Area 0 - Cisqueros_R2 - Area 1 - Cisqueros_R3 - Area 2 - Cisqueros_R4 - Area 3 - Cisqueros_R5

We would need to create 2 virtual links:
- AREA 1 VIRTUAL LINK between Cisqueros_R2 and Cisqueros_R3, so that Area 2 would have the communication with the Area 0
- AREA 2 VIRTUAL LINK between Cisqueros_R3 and Cisqueros_R4, so that Area 3 could communicate with Area 1, and therefore with Area 0

Cisqueros_R2:
(config-router)#area 1 virtual-link 3.3.3.3

Cisqueros_R3:
(config-router)#area 1 virtual-link 2.2.2.2
(config-router)#area 2 virtual-link 4.4.4.4

Cisqueros_R4:
(config-router)#area 2 virtual-link 3.3.3.3

Let's check the OSPF Neighbors again on the Cisqueros_R3 router:
#show ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address      Interface
2.2.2.2           0   FULL/  -    -           10.1.23.2    OSPF_VL1
4.4.4.4           0   FULL/  -    -           10.1.34.4    OSPF_VL0
2.2.2.2           0   FULL/  -    00:00:34    10.1.23.2    Serial1/0.32
4.4.4.4           0   FULL/  -    00:00:33    10.1.34.4    Serial1/0.34


Check the Virtual Link Details:


#show ip ospf virtual-links

Have in mind that routers Cisqueros_R3 and Cisqueros_R4 are now VIRTUALLY connected to Area 0, so if you enable the authentication on the Cisqueros_R1 interface towards Cisqueros_R2, you also must enable it on Cisqueros_R3 and Cisqueros_R4 FOR AREA 0!!!

If you need AUTHENTICATION for the Virtual Link, add it to the virtual-link command:
(config-router)#area 1 virtual-link 2.2.2.2 authentication [md5 | WORD]

____________________________________________________________________________________________________________________

OSPF Cost
____________________________________________________________________________________________________________________
NLRI - Network Layer Reachability Information

OSPF routes are mainly classified based on their metric, where the Metric and Cost are calculated based only on the Link Bandwidth:

Cost = 100/(BW[Mbps])

There are two things you could play with here:

1. Set the REFERENCE BW (because with the formula above the cost bottoms out at 1, so every link of 100 Mbps or faster gets the same cost, and we don't want the same values for a 100M and a 10G link). Don't forget to clear the OSPF process in order for the changes to take effect:
(config-router)#auto-cost reference-bandwidth 10000    <--- it's in Mbps
#clear ip ospf process

2. Directly change the COST in the Interface Configuration


(config-if)#ip ospf cost 20

#show ip ospf inter Lo0 | i Cost


Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 20

Then check the metric on the OSPF Neighbor:


#show ip route 1.0.0.0
Routing entry for 1.0.0.0/8
  Known via "ospf 1", distance 110, metric 84, type intra area
  Last update from 10.1.12.1 on Serial1/0.21, 00:02:31 ago
  Routing Descriptor Blocks:
  * 10.1.12.1, from 1.1.1.1, 00:02:31 ago, via Serial1/0.21
      Route metric is 84, traffic share count is 1

Metric is 84, which is the cost of the Serial interface between routers 1 and 2 plus the Cost of the Loopback0 interface on Router 1 (20). The default cost of the Loopback interface is 1, so the metric actually increased by 20-1 = 19.

____________________________________________________________________________________________________________________

Redirecting Traffic (FORCING A PATH)


____________________________________________________________________________________________________________________
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-4t/iro-stub-router.html

The "max-metric" command is used for the router to originate LSAs with a max metric of 0xffff (INFINITY). This way the other routers DON'T PREFER this router as a TRANSIT HOP:
(config-router)#max-metric router-lsa    <- Configured "ON-STARTUP" or on graceful shutdown (no argument)
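To tie the cost section and max-metric together, here is an added example (not from the notes) that reproduces the IOS cost formula with a configurable reference bandwidth and runs SPF over a small constructed topology (R1, R2, R3 and the link speeds are assumptions): it shows where a metric of 84 comes from and how a router advertising 0xFFFF on its transit links drops out of the transit path.

```python
"""OSPF interface cost and SPF with a "max-metric router-lsa" transit router.

Added example, not from the original notes. Reproduces the IOS cost formula
(reference bandwidth / interface bandwidth) and runs Dijkstra over a small
constructed topology to show why a T1 plus a cost-20 Loopback gives metric 84,
and how a router advertising 0xFFFF on its transit links stops being a transit hop.
"""
import heapq

MAX_METRIC = 0xFFFF          # cost placed on transit links by "max-metric router-lsa"


def ospf_cost(bw_kbps, ref_bw_mbps=100):
    """IOS interface cost: reference-bandwidth (Mbps) / bandwidth, truncated, clamped to 1..65535."""
    cost = (ref_bw_mbps * 1000) // bw_kbps
    return max(1, min(cost, 65535))


class Topology:
    """Routers and the cost each router advertises on its own side of a link."""

    def __init__(self):
        self.links = {}            # router -> {neighbor: advertised cost}
        self.stub_routers = set()  # routers that announced max-metric router-lsa

    def add_link(self, a, b, cost):
        self.links.setdefault(a, {})[b] = cost
        self.links.setdefault(b, {})[a] = cost

    def set_max_metric(self, router, enabled=True):
        if enabled:
            self.stub_routers.add(router)
        else:
            self.stub_routers.discard(router)

    def advertised_cost(self, router, neighbor):
        # Other routers see 0xFFFF on every transit link of a max-metric router.
        if router in self.stub_routers:
            return MAX_METRIC
        return self.links[router][neighbor]

    def spf(self, root):
        """Dijkstra from root; the cost of a hop is what the egress router advertises."""
        dist, prev = {root: 0}, {}
        queue = [(0, root)]
        while queue:
            d, rtr = heapq.heappop(queue)
            if d > dist[rtr]:
                continue
            for nbr in self.links.get(rtr, {}):
                nd = d + self.advertised_cost(rtr, nbr)
                if nd < dist.get(nbr, float("inf")):
                    dist[nbr], prev[nbr] = nd, rtr
                    heapq.heappush(queue, (nd, nbr))
        return dist, prev

    def route(self, src, dst, dst_intf_cost):
        """Metric and router path for a prefix on dst's interface with the given cost."""
        dist, prev = self.spf(src)
        path, hop = [dst], dst
        while hop != src:
            hop = prev[hop]
            path.append(hop)
        return dist[dst] + dst_intf_cost, list(reversed(path))


def build_demo():
    """Constructed topology: R1 <-T1 serial-> R2, plus a FastEthernet detour through R3."""
    topo = Topology()
    topo.add_link("R1", "R2", ospf_cost(1544))      # T1: 100000 // 1544 = 64
    topo.add_link("R1", "R3", ospf_cost(100000))    # FastEthernet: cost 1
    topo.add_link("R3", "R2", ospf_cost(100000))
    return topo


if __name__ == "__main__":
    topo = build_demo()
    print("via R3:", topo.route("R2", "R1", 20))       # (22, ['R2', 'R3', 'R1'])
    topo.set_max_metric("R3")
    print("R3 max-metric:", topo.route("R2", "R1", 20)) # (84, ['R2', 'R1'])
```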


____________________________________________________________________________________________________________________

OSPF and the GRE Tunnels


____________________________________________________________________________________________________________________
In this example there is a need to establish the connectivity between some OSPF Areas that are not connected to the Area 0, and we do not want to use the Virtual Links. GRE is a pretty simple concept, where you basically create a TUNNEL between 2 points, and extend the Area 0 to the other end of the tunnel. To configure it, do on BOTH ENDS of the tunnel:

Step 1. Create a Tunnel Interface and assign the IP Address
(config)#int tunnel 1
(config-if)#ip add 172.25.185.3 255.255.255.0

Step 2. Define the SOURCE and the DESTINATION of the tunnel, MAKE SURE THESE ARE REACHABLE
(config-if)#tunnel source 100.10.34.3
(config-if)#tunnel destination 100.10.34.4

If we are using OSPF then the Tunnel subnet needs to be advertised with the "network" command on both ends of tunnel:
(config-router)#network 172.25.185.0 0.0.0.255 area 0

*The IP Address of the Tunnel MUST be advertised into Area 0 on BOTH ENDS OF THE TUNNEL!!!

You will see that the OSPF Neighbor will be formed on the Tunnel 1 interface.
#show ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address         Interface
3.3.3.3           0   FULL/  -    00:00:38    172.25.185.3    Tunnel1
3.3.3.3           0   FULL/  -    00:00:38    100.10.34.3     Serial1/0.43
5.5.5.5           1   FULL/DR     00:00:38    100.10.45.5     GigabitEthernet5/12

____________________________________________________________________________________________________________________

OSPF LSA Types and AREA TYPES


____________________________________________________________________________________________________________________
First let's make sure we're comfortable with the LSA types, because you will not understand Stubs before you understand all the LSAs and who exactly CREATES and ADVERTISES each type. LSA is the OSPF Link State Advertisement; each LSA has an LSID (Link State ID, like a Router-ID for the LSAs).

LSA 1 - Router LSA, One per Router (Generated by Each Router)
LSA 2 - Network LSA, One per Network (Generated by DR)
LSA 3 - Summary LSA, One per Area (generated by ABR when LSAs 1 and 2 are injected into another Area).
        LSA3 = Subnet + Mask + Cost to reach the Network
LSA 4 - Summary External LSA, One per Autonomous System (Generated by ASBR)
LSA 5 - External LSA, Injected into OSPF from another routing process (non-OSPF), Generated by ASBR
LSA 6 - Group Membership LSA, used for Multicast OSPF (MOSPF). It's not supported by Cisco.
        Cisco routers do not support LSA Type 6 Multicast OSPF (MOSPF), and they generate syslog messages if they receive such packets. If the router is receiving many MOSPF packets, you might want to configure the router to ignore the packets and thus prevent a large number of syslog messages. To disable SYSLOG generation (IGNORE LSA Type-6):
        (config-router)#ignore lsa mospf
LSA 7 - NSSA External, Generated by ASBR inside the NSSA instead of LSA 5 (details explained below, NSSA Section)


LSA 8-11 - Not implemented by Cisco

Check the LSA Statistics using the command:
(config-router)#do show ip ospf stat
            OSPF Router with ID (3.3.3.3) (Process ID 1)

  Area 0: SPF algorithm executed 4 times

  Summary OSPF SPF statistic

  SPF calculation time
  Delta T   Intra D-Intra Summ D-Summ Ext D-Ext Total  Reason
  00:22:26  0     0       0    0      0   0     0      R
  00:22:16  0     0       0    0      0   0     0      R
  00:21:47  0     0       0    0      0   0     0      R, N, SN
  00:20:01  0     0       0    0      0   0     0      R, SN

Check the OSPF DATABASE and all the LSAs currently in it:
#show ip ospf database
            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)          <- LSA1
Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         79          0x80000003 0x000E94 2
3.3.3.3         3.3.3.3         78          0x80000007 0x006F2C 4
4.4.4.4         4.4.4.4         52          0x80000004 0x007781 3

                Net Link States (Area 0)             <- LSA2
Link ID         ADV Router      Age         Seq#       Checksum
10.1.23.3       3.3.3.3         78          0x80000001 0x00658F

                Summary Net Link States (Area 0)     <- LSA3
Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.0         2.2.2.2         124         0x80000002 0x00B33C
2.2.2.0         2.2.2.2         124         0x80000002 0x000D20
10.1.12.0       2.2.2.2         124         0x80000002 0x00BA22
10.1.45.0       4.4.4.4         43          0x80000001 0x00F5F4
44.4.4.0        4.4.4.4         43          0x80000001 0x008077

                Router Link States (Area 1)          <- LSA1
Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         89          0x80000007 0x00AC78 0

                Router Link States (Area 2)          <- LSA1
Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         90          0x80000006 0x00AE77 0

To LIMIT the LSAs that can be STORED IN THE LOCAL DATABASE:
(config-router)#max-lsa 900 ?
  <1-100>       Threshold value (%) at which to generate a warning msg
  ignore-count  maximum number of times adjacencies can be suppressed
  ignore-time   time during which all adjacencies are suppressed
  reset-time    time after which ignore-count is reset to zero
  warning-only  Only give warning message when limit is exceeded
  <cr>


____________________________________________________________________________________________________________________

OSPF STUBS
____________________________________________________________________________________________________________________

STUB Area - Blocks OSPF External Routes (LSA4 and LSA5), i.e. all the LSAs generated by the ASBR.

Totally-Stubby Area is a STUB Area with no LSA3 (Summary LSAs originated by the ABR). The ABR generates a DEFAULT ROUTE and advertises it into the Totally Stubby area. The "no-summary" attribute is ONLY necessary on the ABR, because the ABR is the only router that actually originates the LSA 3.

NSSA Area - Like a STUB (blocks LSA4&5) where the REDISTRIBUTION is allowed from the NSSA area, using the LSA7. The ASBR generates the LSA type 7 instead of LSA 5, because the LSA 5 is not supported by the NSSA. Then the ABR transforms it into the LSA 5 on the way from the NSSA to the regular OSPF Area (shown as "N1 or N2" in the routing table):
(config-router)#do sh ip route | i E1|E2|N
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
O N2     11.1.0.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2     11.1.1.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2     11.1.2.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2     11.1.3.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21

When you need the ABR to also inject the DEFAULT ROUTE, use on the ABR:
(config-router)#area X nssa default-information-originate

*Default Route will be injected as an N2 route, as in the NSSA the LSA5 is not allowed
**When it's a "Totally Stubby NSSA" there is no need for this, because "no-summary" ALWAYS generates the default route!

NOT-SO-Totally-Stubby Area - NSSA without LSA3, ALSO originates the default route by default.

IMPORTANT: Stubby Areas DO NOT SUPPORT VIRTUAL LINKS!!! The only way to solve this is the Tunnel.

- No LSA 5 (E1 and E2) advertised on ABRs. The ABR Injects the DEFAULT ROUTE (with Cost 1) into the Stub Area, to reach the external routes.
- You cannot use a Virtual Link here, but a GRE Tunnel is an option.
- A STUB Area cannot contain an ASBR, because if it does it's considered an NSSA.
- The Backbone Area cannot be a STUB.

To configure an area as a Stub, configure on ALL ROUTERS in the Area:
(config-router)#area X stub

When you apply the STUB configuration on 1 router within an AREA, the Neighbor goes down. Then apply it on the others, and observe the ADJACENCY DEBUG:
319: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1001 opt 0x50 flag 0x7 len 32 mtu 1500 state INIT
319: OSPF: 2 Way Communication to 2.2.2.2 on Serial1/0.12, state 2WAY
319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Prepare dbase exchange
319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1000 opt 0x50 flag 0x7 len 32
319: OSPF: NBR Negotiation Done. We are the SLAVE
319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Summary list built, size 12
319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1001 opt 0x50 flag 0x2 len 272
515: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1002 opt 0x50 flag 0x1 len 272 mtu 1500 state EXCHANGE
515: OSPF: Exchange Done with 2.2.2.2 on Serial1/0.12
515: OSPF: Send LS REQ to 2.2.2.2 length 120 LSA count 10
515: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1002 opt 0x50 flag 0x0 len 32
735: OSPF: Rcv LS UPD from 2.2.2.2 on Serial1/0.12 length 328 LSA count 10
735: OSPF: Synchronized with 2.2.2.2 on Serial1/0.12, state FULL
735: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial1/0.12 from LOADING to FULL, Loading Done
735: OSPF: Rcv LS REQ from 2.2.2.2 on Serial1/0.12 length 60 LSA count 3
*Oct 5 11:04:08.235: OSPF: Build router LSA for area 1, router ID 1.1.1.1, seq 0x80000005, process 1
#u all
All possible debugging has been turned off

If you need to change the cost of the DEFAULT ROUTE Injected by default by ABR into the STUB Area:
(config-router)#area X default-cost 10 <- Change COST from 1 (default) to 10


____________________________________________________________________________________________________________________

OSPF Route Filtering


____________________________________________________________________________________________________________________

1. DISTRIBUTE LIST - Filters all LSAs from the Routing Table, but they stay in the OSPF Database. You can use an IN or OUT filter, but have in mind that the distribute-list OUT, even though it works on both the routing table and the OSPF database, works ONLY on the ASBR for LSA5 and 7!!!

The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list. The DISTRIBUTE-LIST only affects the local router!!! Meaning - the Update will still be distributed to the other routers; the subnets will only be filtered out of the local IP ROUTING TABLE. The advantage is that it's rather easy to implement, and it can filter any type of LSA:
(config-router)#distribute-list prefix MY_PREFIX_LIST in    <- OUT would only work on the ASBR, TO FILTER LSA5 & LSA7

The big CON is that even though the Route is not added to the Routing Table, it will stay in the database and it will be further propagated to the other OSPF Neighbors. The route will therefore appear in their Routing Tables, but it will not be reachable, as one of the routers along the path does not have it in its Routing Table.

The second way is reserved ONLY for the External Routes, and it's the "not-advertise" option of the "summary-address" command:
(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise    <--- NEEDS TO BE APPLIED ON THE ASBR

2. FILTER LIST - Filters only LSA3, so only on the ABR, but it filters from the OSPF Database. The filter-list can be applied IN (into the area) or OUT (out of the area). This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only.

Let's say that we want to filter the network 172.25.185.0/24 from the Area 2. Then on the ABR we define the prefix list that DENIES that network and ALLOWS everything else:
(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32

Then apply the prefix-list as a filter-list within a OSPF configuration process for Area 2:
(config-router)#area 2 filter-list prefix JEDANES in

This will prevent the network from being redistributed into Area 2. Note that IN/OUT means that the network is being advertised into or out from the AREA 2.
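Prefix-list matching has a subtlety worth checking before relying on it: without "ge"/"le" an entry matches the exact prefix length only. The following added example (not code from the notes) implements the IOS prefix-list semantics, applies the JEDANES list from above to a constructed set of LSA3 summaries, and shows the stricter variant with "ge 24"; the summary list and its costs are assumptions.

```python
"""IOS prefix-list matching applied to LSA3 summary prefixes at an ABR.

Added example, not from the original notes. Implements the semantics of
"ip prefix-list NAME seq N {permit|deny} PREFIX [ge G] [le L]" (first match
by sequence number, implicit deny, exact length unless ge/le widen it) and
uses the JEDANES list from this section to decide which summaries enter Area 2.
"""
import ipaddress


class PrefixList:
    def __init__(self, name):
        self.name = name
        self.entries = {}            # seq -> (action, network, min_len, max_len)

    def add(self, seq, action, prefix, ge=None, le=None):
        net = ipaddress.ip_network(prefix, strict=False)
        plen = net.prefixlen
        min_len = ge if ge is not None else plen
        # "le" alone allows plen..le; "ge" alone allows ge..32; neither means the exact length
        max_len = le if le is not None else (32 if ge is not None else plen)
        if action not in ("permit", "deny") or not plen <= min_len <= max_len <= 32:
            raise ValueError("invalid entry: %s %s ge %s le %s" % (action, prefix, ge, le))
        self.entries[seq] = (action, net, min_len, max_len)

    def match(self, prefix):
        """Return (action, seq) of the first matching entry; implicit deny if none match."""
        route = ipaddress.ip_network(prefix, strict=False)
        for seq in sorted(self.entries):
            action, net, min_len, max_len = self.entries[seq]
            if route.network_address in net and min_len <= route.prefixlen <= max_len:
                return action, seq
        return "deny", None


def filter_lsa3(summaries, plist):
    """summaries: list of (prefix, cost). Returns those the filter-list lets into the area."""
    return [(p, c) for p, c in summaries if plist.match(p)[0] == "permit"]


def jedanes():
    """The JEDANES list exactly as configured in this section."""
    pl = PrefixList("JEDANES")
    pl.add(10, "deny", "172.25.185.0/24")
    pl.add(20, "permit", "0.0.0.0/0", le=32)
    return pl


def jedanes_strict():
    """Same intent, but "ge 24" also denies any longer prefix inside 172.25.185.0/24."""
    pl = PrefixList("JEDANES_STRICT")
    pl.add(10, "deny", "172.25.185.0/24", ge=24)
    pl.add(20, "permit", "0.0.0.0/0", le=32)
    return pl


# Constructed LSA3 summaries an ABR might hold for Area 2 (sample data, not from the notes).
SUMMARIES = [("172.25.185.0/24", 64), ("172.25.185.128/25", 65),
             ("10.1.12.0/24", 64), ("1.1.1.0/24", 65)]

if __name__ == "__main__":
    for pl in (jedanes(), jedanes_strict()):
        print(pl.name, [p for p, _ in filter_lsa3(SUMMARIES, pl)])
```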

3. NOT-ADVERTISE - ONLY filters LSA Types 1 and 2, apply on the ABR (filters both the routing table and the OSPF Database). It can be used with both the "area X range" (ABR) and the "summary-address" (ASBR) commands. If you need to filter LSAs 1 and 2, you can use the "not-advertise" option, but also ONLY ON THE ABR!
(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise

4. Tune the ADMINISTRATIVE DISTANCE - Set the AD of the advertised routes to 255, so that they are UNREACHABLE
(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL, it's OPTIONAL

5. DATABASE-FILTER

- If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT):

(config-subif)#ip ospf database-filter all out             <- PER INTERFACE
(config-router)#neighbor x.x.x.x database-filter all out   <- PER NEIGHBOR

6. MATCH IP ROUTE-SOURCE in the Route-map - In OSPF it's not the NEXT HOP but the ORIGINATOR Router-ID of the PREFIX
(config-route-map)#match ip route-source 4 <- ACL 4 includes the Router-ID

Also the SOURCE PROTOCOL can be matched:


(config-route-map)#match source-protocol ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  eigrp      Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis       ISO IS-IS
  mobile     Mobile routes
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes
  <cr>


Be sure which type of LSA you need to filter by checking in which part of the database the route is:
#show ip ospf database [router | network | summary | internal | external]

*If you need to reach the route without passing through the router that cannot reach it, define a route-map with the next hop pointing towards an alternative path, and apply it in the Global Configuration mode:
(config)#ip local policy route-map ROUTE_MAP

7. Filter OSPF per Interface - If you wish to prevent LSAs to be sent via particular Interface:
(config-if)#ip ospf database-filter all out

* ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface

8. Filter OSPF per NEIGHBOR - Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the "neighbor" command in order to configure the OSPF database filtering:
(config-router)#neighbor 5.5.5.5 database-filter all out

*Network MUST be configured as POINT-TO-POINT (on the Interface Configuration)


(config-if)#ip ospf network point-to-point

____________________________________________________________________________________________________________________

OSPF Non-Broadcast Networks


____________________________________________________________________________________________________________________
To check the NEIGHBOR NETWORK TYPE, use the following command and check the column "State":
#sh ip ospf interface brief
Interface    PID   Area   IP Address/Mask   Cost  State  Nbrs F/C
Lo0          1     0      1.1.1.1/8         1     P2P    0/0
Se0/1/0.14   1     2      10.1.12.1/24      64    P2P    1/1
Se0/1/0.13   1     3      10.1.13.1/24      64    P2P    1/1
Se0/1/0.41   1     4      10.1.14.1/24      64    DR     1/1

On the Multipoint Frame-Relay network the default OSPF type is NON-BROADCAST. This means that the OSPF Neighbors will not be formed like on the standard Broadcast Network Segment.
#show ip ospf inter s1/0
Serial1/0 is up, line protocol is up
  Internet Address 10.1.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  ...

So in order to establish the OSPF Neighbors, we can for example use the "neighbor" command in order to transform the OSPF link from MULTICAST to UNICAST:
(config-router)#neighbor 172.128.185.66

No need to keep "broadcast" on the frame relay configuration if you use the "neighbor" command, as only UNICAST is then used, so also do this:
(config-if)#frame-relay map ip 10.1.1.4 104 broadcast  ->  (config-if)#frame-relay map ip 10.1.1.4 104    (REMOVE "broadcast")

*In HUB-AND-SPOKE the Spokes do not have the Layer 2 reachability to each other, so this command makes no sense there. Instead just be sure to set the Spokes' OSPF priority to 0, so that they don't participate in the DR/BDR Election:
(config-if)#ip ospf priority 0

The HUB Router will be elected as DR on every Link and exchange OSPF Database with each of the Spokes:


#show ip ospf neighbor    <--- R1 IS THE HUB
Neighbor ID     Pri   State          Dead Time   Address     Interface
2.2.2.2           0   FULL/DROTHER   00:01:51    10.1.1.2    Serial1/0
3.3.3.3           0   FULL/DROTHER   00:01:51    10.1.1.3    Serial1/0
4.4.4.4           0   FULL/DROTHER   00:01:56    10.1.1.4    Serial1/0

*In this kind of OSPF Topology it's not necessary to have the Frame-Relay interface configured with the "broadcast" keyword, because we are manually defining the OSPF Neighbor and turning the Links into UNICASTS.

____________________________________________________________________________________________________________________

OSPF NBMA (Non Broadcast Multiple Access) Networks


____________________________________________________________________________________________________________________
Once the interface is defined as NON-BROADCAST, the "neighbor" command should be used to establish the OSPF peering. First you need to define the interface as OSPF non-broadcast:
(config)#interface Serial0/1/0.14 point-to-point
(config-if)#ip ospf network non-broadcast

Then under the OSPF process define the neighbor.


(config-router)#neighbor 10.1.12.2 [priority 0] <- PRIORITY 0 if you want the other side to not be the DR

!!!BE SURE TO ADJUST THE TIMERS ON THE INTERFACES ON BOTH SIDES, otherwise the Routers will establish the peering, but they will not exchange the routes!!!
#sh ip ospf int s0/1/0.14 | i Hello|Network
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05

Also you need to match the AREA ID and the Area STUB FLAG, and they must be of the SAME TYPE (Normal, BB, Stub or NSSA)

____________________________________________________________________________________________________________________

OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks


____________________________________________________________________________________________________________________
If you wish to convert the previous network into the Broadcast Network, the following command needs to be applied:
(config-if)#ip ospf network broadcast

In HUB AND SPOKE topology you want to AVOID the SPOKE being elected as the DR, so set the OSPF priority to 0:
(config-if)#ip ospf priority 0 <- ON ALL THE SPOKE Routers

A router with a router priority set to zero is ineligible to become the DR or BDR, which is why it's better to set the Priority on the Spokes to 0, otherwise we have to clear the OSPF process. Then check on the HUB router, and make sure all SPOKEs appear as DROTHERs:
#sh ip ospf nei
Neighbor ID     Pri   State          Dead Time   Address     Interface
2.2.2.2           0   FULL/DROTHER   00:00:32    10.1.1.2    Serial1/0
3.3.3.3           0   FULL/DROTHER   00:00:38    10.1.1.3    Serial1/0
4.4.4.4           0   FULL/DROTHER   00:00:33    10.1.1.4    Serial1/0

And in case it needs to be Point-to-Point:


(config-if)#ip ospf network point-to-point


The main difference here is the NEXT HOP:


BROADCAST: Next Hop is the router that ORIGINATED the Route
POINT-TO-POINT: Next Hop is the router that ADVERTISED the Route
POINT-TO-MULTIPOINT: Next Hop is also the router that ADVERTISED the Route, but NLRI is achieved because it fixes the Spoke-to-Spoke reachability from the L3 perspective.

____________________________________________________________________________________________________________________

DNS Lookup in OSPF


____________________________________________________________________________________________________________________
Enable OSPF to look up the names:
(config)#ip ospf name-lookup

And define the NAME-IP correlation:


(config)#ip host R5 5.5.5.5

____________________________________________________________________________________________________________________

ISPF
____________________________________________________________________________________________________________________
Incremental SPF is more efficient than the full SPF algorithm, thereby allowing OSPF to converge faster on a new routing topology in reaction to a network event.

____________________________________________________________________________________________________________________

Forward Address Suppression


____________________________________________________________________________________________________________________
The aim is to SUPPRESS the address of the router that originated the Prefix. When the area is NSSA and you want to CONTROL the remap process of the LSA7 to LSA5, but use 0.0.0.0 as the forwarding address instead of the one specified in the LSA7:
(config-router)#area 1 nssa translate type7 suppress-fa ?
  default-information-originate  Originate Type 7 default into NSSA area
  no-redistribution              No redistribution into this NSSA area
  no-summary                     Do not send summary LSA into NSSA
  <cr>

Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:
#sh ip ospf database external 6.0.0.0
            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  LS age: 557
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 6.0.0.0 (External Network Number )
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000003
  Checksum: 0x1286
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 200.1.36.6
        External Route Tag: 0


While after the command has been implemented, we have:


#sh ip ospf database external 6.0.0.0
            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 41
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 6.0.0.0 (External Network Number )
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000004
  Checksum: 0x3952
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0          <- THE FORWARD ADDRESS HAS CHANGED
        External Route Tag: 0

If you add "no-summary" to this command, LSA3s are filtered, and the default route is advertised instead. You can use a similar approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA, but advertise only the default route on the ABR. In this example the Area 1 is NSSA:
(config-router)#area 1 nssa default-information-originate no-summary

Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2):
#sh ip route
...
Gateway of last resort is 205.1.36.3 to network 0.0.0.0

O*N2  0.0.0.0/0 [110/1] via 205.1.36.3, 00:05:21, Serial1/0.63
      1.0.0.0/32 is subnetted, 1 subnets

The Default Route will be injected into that area regardless of whether you're using the "nssa default-information-originate" or the "nssa no-summary" command in the OSPF Area. The difference is the route type:

NSSA NO-SUMMARY
Gateway of last resort is 10.1.34.3 to network 0.0.0.0
O*IA  0.0.0.0/0 [110/65] via 10.1.34.3, 00:04:22, Serial1/0.43

NSSA DEFAULT-INFORMATION-ORIGINATE
Gateway of last resort is 10.1.35.3 to network 0.0.0.0
O*N2  0.0.0.0/0 [110/1] via 10.1.35.3, 00:00:22, Serial1/0.53
      1.0.0.0/32 is subnetted, 1 subnets

____________________________________________________________________________________________________________________

OSPF Sham Link


____________________________________________________________________________________________________________________
In an MPLS VPN configuration, there are 2 ways for the CE routers to communicate:
1. over the PEs and the MPLS link
2. over the OSPF link

*It is assumed that the Customer CEs and the PEs have OSPF implemented between them.


The OSPF link will always be preferred, simply because nothing beats the INTERNAL (Intra Area) OSPF route (O): regardless of the COST (and the AD), E1/E2 and O IA (Inter-Area) Routes will never be preferred over it. The way to solve this is using the SHAM links, that have been designed specifically for such a scenario. Namely, the LINK is created between the PE routers, so that ALL the OSPF Prefixes appear as INTERNAL OSPF routes on the CE routers, and then we can just influence the preferred path using the OSPF COST on the Interface.

STEP 1: Create /32 Loopback Interfaces on the PE routers, and add them into the appropriate VRF:
PE1:
(config)#interface Loopback1
(config-if)#ip vrf forwarding CA
(config-if)#ip address 192.168.1.1 255.255.255.255

PE2:
(config)#interface Loopback1
(config-if)#ip vrf forwarding CA
(config-if)#ip address 192.168.1.2 255.255.255.255

STEP 2: Advertise these networks via the BGP process on the PEs, so that they are reachable:
(config-router)#address-family ipv4 vrf CA
(config-router-af)#redistribute ospf 15 vrf CA
(config-router-af)#network 192.168.1.1 mask 255.255.255.255

STEP 3: Create the OSPF SHAM-LINK between the PE Routers, with the Loopback1 /32 addresses as SOURCE and DESTINATION (these should already be reachable via BGP). Make sure that a new OSPF adjacency appears between the PEs:
(config)#router ospf 15 vrf CA
(config-router)#area 0 sham-link 192.168.1.1 192.168.1.2 cost 1
*Dec 20 11:59:28.206: %OSPF-5-ADJCHG: Process 15, Nbr 10.1.45.4 on OSPF_SL2 from LOADING to FULL, Loading Done

TIP: Filter these Loopbacks from the CUSTOMER'S network, so that the Tunnel which is the Sham Link isn't routed through the Customer's routers.

STEP 4: The LAST step is now to tune the OSPF COST on the link between the CEs, so that it would be LESS PREFERRED:
(config-if)#ip ospf cost 500

____________________________________________________________________________________________________________________

OSPF in MPLS
____________________________________________________________________________________________________________________

TIP: Be sure to set the domain-id to match (the default domain is based on the OSPF Process Number):
(config)#router ospf 1 vrf VRF_XXX
(config-router)#domain-id 55.55.55.55

*this way the LSA Type 3 will be translated properly


____________________________________________________________________________________________________________________

EIGRP
____________________________________________________________________________________________________________________
EIGRP uses the IP Protocol 88 (it doesn't use a specific TCP or UDP port); HELLOs are Multicast to 224.0.0.10

TIP: When you need to FILTER EIGRP, you can do "permit eigrp any any" within the extended ACL
TIP: "default-information [ in|out ]" in EIGRP does NOT generate the Default Route, it only allows it to be sent to the neighbor or received, if it already exists.

The EIGRP timers are configured on the interface towards the EIGRP neighbor. Set the Hello timer and the HOLD Time (which is actually the Dead Timer) for the EIGRP 100 process:
(config-if)#ip hello-interval eigrp 100 30
(config-if)#ip hold-time eigrp 100 120

Check the configured Timers using the command:


#show ip eigrp interfaces detail
EIGRP-IPv4 Interfaces for AS(200)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Et0/0              1        0/0        12       0/2           80           0
  Hello-interval is 30, Hold-time is 120   <--- TIMERS VALUES
  Split-horizon is enabled
  Next xmit serial <none>
  Un/reliable mcasts: 0/2  Un/reliable ucasts: 1/6
  Mcast exceptions: 2  CR packets: 0  ACKs suppressed: 1
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is not set

____________________________________________________________________________________________________________________

EIGRP "show neighbors" command
____________________________________________________________________________________________________________________
#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.12.2               Se1/0.12          115 00:10:04   26   200  0  32

How to interpret this output:

H - The order in which the neighbors were formed, starting from 0
Address - The neighbor's IP
Interface - From where we see the Neighbor
Holdtime - How long we have left before we declare the neighbor down (if no Hello is received)
Uptime - How long since we first found out about the neighbor
SRTT - Smooth Round Trip Time - the time required for an EIGRP packet to reach the neighbor and receive the ACK
RTO - Retransmission Time-Out - how long before the packet is re-transmitted
Q Count - Number of packets in the EIGRP queue
SeqNum - Sequence Number of the last received EIGRP packet


If you want to disable the logging of neighbor changes:


(config-router)#no eigrp log-neighbor-changes OR log-neighbor-warnings

Once it's enabled/disabled, define the TIMES for WARNINGS only:


(config-router)#eigrp log-neighbor-warnings X (X is seconds)

____________________________________________________________________________________________________________________

EIGRP Metric - K Values


____________________________________________________________________________________________________________________
5 K-Values are used to calculate the EIGRP Metric. It's pretty important to know at least which one is which of the K values:

K1 - Bandwidth
K2 - Load
K3 - Delay
K4 - Reliability
K5 - Reliability

Metric = (K1*BW + (K2*BW)/(256-Load) + K3*Delay) * 256
A little better explained: Metric = (10,000,000/LowestPathBW + Sum of all DELAYS/10) * 256

By default K2 = K4 = K5 = 0, so the Metric depends on the Bandwidth and Delay only. To check the parameters on the interface:
#show interfaces e0/0 | i BW
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec

If you need the EIGRP Metric to depend on some other values the command is (ToS should be left 0):
(config-router)#metric weight tos k1 k2 k3 k4 k5

BE CAREFUL when you change this, BECAUSE K VALUES NEED TO MATCH BETWEEN THE EIGRP NEIGHBORS!!! The following MUST match in order for 2 routers to become EIGRP adjacent:
K values
AS numbers
They must share the same L2 data link
Authentication


____________________________________________________________________________________________________________________

EIGRP Route Summarization and Leak Maps


____________________________________________________________________________________________________________________
EIGRP route Summarization is done exactly the same way as RIP Summarization, which makes sense because both protocols have the Distance Vector nature. It can also be done on ANY of the routers within the same EIGRP process, unlike the Link State protocols. It's done on the Interface using the command:
(config-if)#ip summary-address eigrp 100 3.0.0.0 255.0.0.0

And dont be afraid when you see the following message:


*Apr 27 12:53:32.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.12.1 (Serial1/0) is resync: summary configured

A route towards the Null0 Interface is created automatically. So don't worry, because EIGRP adds this "discard route" for Loop Avoidance. Check if "it worked":
#show ip route | i summ
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
D        3.0.0.0/8 is a summary, 00:02:52, Null0

If you wish to have more granular control, the solution available since 12.3(13) is the LEAK MAP (it's something like the SUPPRESS Maps in BGP, but it cannot be used under a SUB-Interface). The behaviour depends on what the leak map references:
If the Leak Map is configured and it references a non-existing Route Map - the summary route is advertised, the more specific routes are suppressed.
If the Route Map exists, but references a non-existing ACCESS LIST - both the summary route and the more specific routes are advertised.
If the Access List also exists - it lets us define the routes that will be advertised IN ADDITION to the Summarized Route!
To configure the Leak Map just attach a route-map to the "eigrp summary" command:
(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP

SUB-INTERFACE LEAK MAPS: Since the LEAK Maps are not available on the SUB-interface, there is a workaround, and it's done using the VIRTUAL TEMPLATE Interface. We then configure the Route Summarization and a Leak Map under it:
(config)#interface Virtual-Template 13
(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP

And then under the SUB-Interface assign the Virtual Template (the SUB-INTERFACE needs to be of the MULTIPOINT TYPE, or this will not work):
(config-subif)#no ip add
(config-subif)#frame-relay interface-dlci 103 ppp Virtual-Template 13

____________________________________________________________________________________________________________________

EIGRP Default Gateway


____________________________________________________________________________________________________________________
The command we all know from OSPF and BGP, "default-information originate [always]", will not work in EIGRP. Instead we need to:

Option 1: Configure a static route and redistribute it into EIGRP
Option 2: Summarize the routes into a Default Route using the previously described summarization method (a leak map is added if we wish to inject other routes besides the default route)
(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 [leak-map ROUTE_MAP]


____________________________________________________________________________________________________________________

VARIANCE Command
____________________________________________________________________________________________________________________
Variance is an EIGRP feature that enables UNEQUAL load balancing. The only condition that needs to be met is that all the Paths need to be in the routing table and MEET THE FEASIBILITY CONDITION! (The route's ADVERTISED Distance must be lower than the local route's FEASIBLE Distance.) It's configured in the EIGRP configuration mode:
(config-router)#variance 2

This means that it will include the routes with a metric value up to 2 times greater than the Best Route metric. If you need more GRANULAR control, or a more precise variance, get the METRIC from the EIGRP TOPOLOGY:
#show ip ei 400 topology 10.1.56.0/24 | i metric
  Composite metric is (2195456/281600), route is Internal
  Vector metric:
  Composite metric is (319545/281600), route is Internal
  Vector metric:

There are 2 routes, 1 with metric 2195456 and the other with metric 319545, and both meet the Feasibility Condition. To get the VARIANCE you need, divide them and round up to the next integer:
2195456/319545 = 6.87 => Variance will be 7!
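The metric formula from the K-Values section and the variance arithmetic above can be checked in code. The following Python is an added example, not something from the guide or from IOS: it computes the classic composite metric with integer division the way the router does (so the BW 10000 Kbit / DLY 1000 usec interface gives 281600, and the 1544 Kbit / 25000 usec route from the Maximum Hops section gives 2297856), filters a list of (FD/RD) topology entries by the feasibility condition, and derives the smallest variance that installs all of them. The topology entries are the two values printed above; the load and reliability parameters are only there to show where K2, K4 and K5 would enter.

```python
import math

# Default classic-mode K values (K1=K3=1, K2=K4=K5=0), as described in the guide.
DEFAULT_K = (1, 0, 1, 0, 0)


def eigrp_metric(min_bw_kbit, total_delay_usec, k=DEFAULT_K, load=1, reliability=255):
    """Classic EIGRP composite metric.

    min_bw_kbit       lowest bandwidth along the path in Kbit (the "BW" of "show interfaces")
    total_delay_usec  sum of the interface delays in microseconds (the "DLY" value)
    Integer division mirrors what IOS does, which is why the results match the
    metrics the router prints in "show ip route".
    """
    k1, k2, k3, k4, k5 = k
    bw_term = 10_000_000 // min_bw_kbit          # 10^7 / BW
    delay_term = total_delay_usec // 10          # delay in tens of microseconds
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5 != 0:                                  # the K5 term only applies when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def feasible_successors(paths):
    """paths: list of (composite_metric, reported_distance) tuples, the "(FD/RD)"
    pairs printed by "show ip eigrp topology".  A path passes the feasibility
    condition when the neighbor's reported distance is strictly lower than our
    best metric; anything else could be a loop and is never load-balanced over."""
    best = min(fd for fd, _ in paths)
    return [(fd, rd) for fd, rd in paths if rd < best]


def variance_needed(paths):
    """Smallest integer 'variance' that installs every feasible successor:
    ceil(worst feasible metric / best metric)."""
    best = min(fd for fd, _ in paths)
    worst = max(fd for fd, _ in feasible_successors(paths))
    return math.ceil(worst / best)


if __name__ == "__main__":
    # "MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec" from the guide
    print(eigrp_metric(10000, 1000))                                  # 281600
    # the two paths from the "show ip eigrp topology" output above
    print(variance_needed([(2195456, 281600), (319545, 281600)]))    # 7
```

A path whose reported distance is not below the best metric is dropped by feasible_successors before the variance is computed, so raising variance never pulls in a route that would fail the feasibility condition on the router either.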

____________________________________________________________________________________________________________________

EIGRP Authentication
____________________________________________________________________________________________________________________
Like in OSPF - the configuration is done in the Interface Configuration mode. Unlike OSPF - EIGRP supports only MD5 authentication. You need to set the mode to MD5, even though it's the default mode on most devices. This is an example of a Frame Relay P2P Interface and EIGRP authentication:
(config)#interface Serial4/1.25 point-to-point
(config-if)#ip authentication mode eigrp 100 md5
(config-if)#ip authentication key-chain eigrp 100 EIGRP_CHAIN

____________________________________________________________________________________________________________________

EIGRP: Maximum Hops


____________________________________________________________________________________________________________________
Another attribute that can be useful for controlling the routes is the "maximum-hops". To see each route's hop count:
#show ip route 172.28.185.0
  Known via "eigrp 100", distance 90, metric 2297856, type internal
  Redistributing via eigrp 100
  Last update from 131.1.12.2 on Serial1/0.12, 00:13:47 ago
  Routing Descriptor Blocks:
  * 131.1.12.2, from 131.1.12.2, 00:13:47 ago, via Serial1/0.12
      Route metric is 2297856, traffic share count is 1
      Total delay is 25000 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 12   <-- 12 HOPS TO THIS ROUTE!!!

To change the Maximum number of Hops to, for example, 110 (it's 100 by Default):
(config-router)#metric maximum-hops 110
#show eigrp protocols | i hop
  Maximum hopcount 110


____________________________________________________________________________________________________________________

EIGRP Administrative Distance


____________________________________________________________________________________________________________________
By default EIGRP has the following Administrative Distance values:

170 - External EIGRP Routes
90 - Internal EIGRP Routes
5 - EIGRP Summary Routes

You can lower the AD of the EIGRP External routes if you don't want them to be less preferred than, for example, OSPF, which has AD 110 for External routes:
(config-router)#distance eigrp 90 100

____________________________________________________________________________________________________________________

EIGRP Updates BW Percent


____________________________________________________________________________________________________________________
The default configuration for EIGRP is to use up to 50 percent of the available bandwidth, but this can be changed with the following command on the interface level:
(config-if)#ip bandwidth-percent eigrp 200 30

____________________________________________________________________________________________________________________

EIGRP Redistribute Routes into EIGRP


____________________________________________________________________________________________________________________
*YOU NEED TO DEFINE THE METRIC, either a DEFAULT one:
(config-router)#default-metric 1500 20000 255 1 1500

Or when configuring the redistribution:


(config-router)#redistribute static metric 150 20000 255 1 1500

____________________________________________________________________________________________________________________

EIGRP offset-list [metric adjustments]


____________________________________________________________________________________________________________________
An Offset List is used to INCREASE or DECREASE an EIGRP or RIP metric by the OFFSET value you define:
(config-router)#offset-list 3 in 50 s1/1   <- Match ACL 3, INCREASE the metric by 50 on routes learned on s1/1

____________________________________________________________________________________________________________________

EIGRP Stub
____________________________________________________________________________________________________________________
First a heads up - it's a bit complicated because there are just too many details... Subjective impression! The command is rather straightforward:
(config-router)#eigrp stub [connected | summary | static | receive-only | redistributed]

You can ALSO use LEAK-MAPS here, like in the SUMMARIZATION, to allow some subnets out (matched in route-map). When the EIGRP process is configured as STUB on a router using the "stub connected" command:
(config-router)#eigrp stub connected


That Router will ONLY see the Summary (if configured), and also the Static and Redistributed routes (because the STUB doesn't affect the Router where it's configured). The EIGRP Neighbor(s) will NOT see the Summary, Static or Redistributed Routes, ONLY the specific routes, BECAUSE ONLY Connected Routes are advertised. If however we use the "stub summary" command to configure the STUB:
(config-router)#eigrp stub summary

The router will keep the same EIGRP routes in the routing table. The EIGRP Neighbor(s) will ONLY see the Summary. Now with the "stub static" or "stub redistributed":
(config-router)#eigrp stub [static | redistributed]

This router keeps behaving exactly the same, while the EIGRP Neighbors ONLY receive the Static OR Redistributed routes. With the "stub receive-only":
(config-router)#eigrp stub receive-only

This router keeps behaving exactly the same, while the EIGRP Neighbors stop receiving ANY routes from the Router. And finally the "eigrp stub" command can be configured without any attributes, so just:
(config-router)#eigrp stub

in which case the EIGRP neighbors ONLY receive the Summary Route.
____________________________________________________________________________________________________________________

MP-EIGRP
____________________________________________________________________________________________________________________
When configuring the ADDRESS FAMILY within the EIGRP process, the most important thing to have in mind is to DEFINE THE AS NUMBER AGAIN WITHIN THE AF CONFIGURATION, or the peering will not be established.
(config)#router eigrp 100
(config-router)#no auto-summary
!
(config-router)#address-family ipv4 vrf CA
(config-router-af)#network 4.4.4.4 0.0.0.0
(config-router-af)#network 10.1.45.4 0.0.0.0
(config-router-af)#no auto-summary
(config-router-af)#autonomous-system 200

____________________________________________________________________________________________________________________

EIGRP Route Filtering


____________________________________________________________________________________________________________________
EIGRP uses the DISTRIBUTE LIST to filter the prefixes, but there is also an advanced option - it can also filter on the PREFIX GATEWAYS (the Originator IPs). So configure 2 PREFIX LISTS. PREFIX-LIST NOT_R4 filters OUT the updates ORIGINATED by 10.10.1.4:
(config)#ip prefix-list NOT_R4 deny 10.10.1.4/32        <- Deny updates from this neighbor
(config)#ip prefix-list NOT_R4 permit 0.0.0.0/0 le 32   <- Allow updates from everyone else

PREFIX-LIST ALLOW_ALL - which you can play with to filter some incoming PREFIXES:
(config)#ip prefix-list ALLOW_ALL permit 0.0.0.0/0 le 32

Apply the 1st PREFIX-LIST as the GATEWAY to the second PREFIX-LIST route filter:
(config-router)#distribute-list prefix ALLOW_ALL gateway NOT_R4 in
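To see exactly which updates the "distribute-list prefix ... gateway ... in" combination above lets through, here is an added Python example (not code from the guide, and not how IOS implements it internally). It parses the two prefix-lists from the page, applies IOS prefix-list matching semantics (first match wins, implicit deny, exact length unless ge/le is given), and runs a few constructed EIGRP updates through the gateway check first and the prefix check second. The extra "deny 192.168.0.0/16 le 32" line in ALLOW_ALL and the neighbor 10.10.1.5 are assumptions added to show both filters doing something.

```python
import ipaddress

# Constructed configuration: the two prefix-lists from the guide plus one extra
# ALLOW_ALL deny line so that the prefix filter has something to drop.
CONFIG = """
ip prefix-list NOT_R4 deny 10.10.1.4/32
ip prefix-list NOT_R4 permit 0.0.0.0/0 le 32
ip prefix-list ALLOW_ALL deny 192.168.0.0/16 le 32
ip prefix-list ALLOW_ALL permit 0.0.0.0/0 le 32
"""

# Constructed incoming EIGRP updates: (originating neighbor, prefix)
UPDATES = [
    ("10.10.1.4", "172.16.1.0/24"),
    ("10.10.1.5", "172.16.2.0/24"),
    ("10.10.1.5", "192.168.10.0/24"),
]


def parse_prefix_lists(config):
    """Return {name: [(action, network, ge, le), ...]} in configuration order."""
    lists = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        name, action = tok[2], tok[3]
        net = ipaddress.ip_network(tok[4], strict=False)
        ge = le = None
        for key, val in zip(tok[5::2], tok[6::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        lists.setdefault(name, []).append((action, net, ge, le))
    return lists


def prefix_list_permits(entries, prefix):
    """IOS prefix-list semantics: first matching entry decides, implicit deny at
    the end.  An entry matches when the prefix lies inside the entry's network
    and its length is within [ge, le]; without ge/le only the exact length
    matches, and with ge alone the upper bound is the address size."""
    p = ipaddress.ip_network(prefix, strict=False)
    for action, net, ge, le in entries:
        lo = ge if ge is not None else net.prefixlen
        if le is not None:
            hi = le
        else:
            hi = p.max_prefixlen if ge is not None else net.prefixlen
        if p.version == net.version and p.subnet_of(net) and lo <= p.prefixlen <= hi:
            return action == "permit"
    return False


def distribute_list_in(updates, lists, prefix_list, gateway_list):
    """'distribute-list prefix <prefix_list> gateway <gateway_list> in': a route is
    accepted only if its originating neighbor (treated as a /32) passes the
    gateway list AND the prefix itself passes the prefix list."""
    accepted = []
    for neighbor, prefix in updates:
        if not prefix_list_permits(lists[gateway_list], neighbor + "/32"):
            continue          # update from a filtered gateway
        if not prefix_list_permits(lists[prefix_list], prefix):
            continue          # prefix itself denied
        accepted.append((neighbor, prefix))
    return accepted


if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    for entry in distribute_list_in(UPDATES, lists, "ALLOW_ALL", "NOT_R4"):
        print("accepted", entry)
```

With the constructed input only ("10.10.1.5", "172.16.2.0/24") survives: the first update is dropped by the gateway list before its prefix is even looked at, and the 192.168.10.0/24 update passes the gateway check but hits the deny line of ALLOW_ALL.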


____________________________________________________________________________________________________________________

BGP TIPs and Best Practices


____________________________________________________________________________________________________________________
The first two things that are considered the "BGP configuration best practice" are to disable SYNCHRONIZATION and disable Auto Summarization. Why?
Auto-summary - to enable the CLASSLESS BGP behavior:
(config-router)#no auto-summary

Synchronization - it's an old loop prevention mechanism that is no longer used, so there is no need to have it enabled. In the newer versions of IOS it's disabled by default. It was originally created to prevent the BLACK HOLE Advertising. Basically the SYNC Logic is: Do not consider an iBGP route in the BGP table BEST unless the EXACT PREFIX was learned via IGP and is currently in the routing table.
(config-router)#no synchronization

When adding a new NEIGHBOR, you need to specify their AS Number using the "remote-as":
(config-router)#neighbor 10.1.1.2 remote-as 100

Debug looks like this:


*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has CAPABILITY code: 131, length 1
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has MULTISESSION capability, without grouping
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has CAPABILITY code: 65, length 4
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active OPEN has 4-byte ASN CAP for: 100
*Nov 23 12:34:55.223: BGP: nbr global 10.1.1.2 neighbor does not have IPv4 MDT topology activated
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active rcvd OPEN w/ remote AS 100, 4-byte remote AS 100
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active went from OpenSent to OpenConfirm
*Nov 23 12:34:55.223: BGP: 10.1.1.2 active went from OpenConfirm to Established
*Nov 23 12:34:55.223: BGP: ses global 10.1.1.2 (0xAF0217D0:1) Up
*Nov 23 12:34:55.223: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Up

Once you've got the neighbors configured using the "neighbor" command, you should be able to identify the outputs:
(config-router)#do show ip bgp summary | b Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.11.1.1      4   100       9       9        5    0    0 00:05:23        1
100.11.1.3      4   100       9       9        5    0    0 00:05:12        1
100.11.1.4      4   100       8       8        5    0    0 00:04:57        1
(config-router)#do show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i1.0.0.0          10.1.1.1                 0    100      0 i
*> 2.0.0.0          0.0.0.0                  0         32768 i
*>i4.0.0.0          10.1.1.4                 0    100      0 i

* - The entry in the table is valid
> - It's the BEST entry for that prefix
i - learned via iBGP
Network - prefix entry, the mask is assumed
Next Hop - Next Hop IP (if it's 0.0.0.0 - it's a locally originated prefix)
Metric - MED Attribute
LocPrf - Local Preference, HIGHER IS BETTER, and the default is 100. It can be changed with "bgp default local-preference"
Weight - No.1 Attribute for Path Determination, LOCAL routes will have 32768, routes originated by a NEIGHBOR will have 0
Path - iBGP will have "i", and eBGP will have all the BGP AS Numbers you need to traverse to get to the prefix (max 255)


(config-router)#do show ip bgp   <- CASE OF ONLY eBGP ROUTES
BGP table version is 5, local router ID is 192.168.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  1.0.0.0          10.1.1.1                              0 300 100 i
*                   10.1.1.1                              0 200 100 i
*>                  10.1.1.1                 0            0 100 i
*  2.0.0.0          10.1.1.2                              0 100 200 i
*                   10.1.1.2                              0 300 200 i
*>                  10.1.1.2                 0            0 200 i
*> 3.0.0.0          10.1.1.3                 0            0 300 i
*> 4.0.0.0          0.0.0.0                           32768 i

Notice that the PATH is no longer marked as "i" for iBGP, but shows the entire AS-PATH (the list of all the BGP Autonomous Systems the route needs to pass through in order to reach the prefix). Also Local Preference is no longer marked as 100 (the default for iBGP). MED is 0 or blank: MED is set to 0 when advertised by the originating AS, but when the SAME prefix is advertised by another AS, the MED value is removed. If you are peering eBGP using the LOOPBACKS, don't forget to use the "ebgp-multihop" command!!!

From Cisco Docs: By design, a BGP routing process expects eBGP peers to be directly connected, for example, over a WAN connection.
However, there are many real-world scenarios where this rule would prevent routing from occurring. Peering sessions for multihop neighbors are configured with the neighbor ebgp-multihop command:
(config-router)#neighbor 2.2.2.2 ebgp-multihop 2

ALTERNATIVE TO MULTIHOP: If loopback interfaces are used to connect single-hop eBGP peers, you can configure the "neighbor disable-connected-check" command before you can establish the eBGP peering session:
(config-router)#neighbor 10.1.12.1 disable-connected-check <-DISABLES CONNECTION VERIFICATION

When you don't want the prefixes removed from the BGP table the moment the link to the neighbor goes down, turn off fast external failover:
(config-router)#no bgp fast-external-failover

When you want to advertise the prefixes and HIDE THE LOCAL AS number:
(config-router)#neighbor 10.1.45.5 remove-private-as

SECURITY in BGP can also be provided by the TTL check, but it's considered LIGHT security. It's done by DEFINING THE MAXIMUM number of hops allowed on the received packets; let's say we want to allow max 2 hops:
(config-router)#neighbor 10.1.45.5 ttl-security hops 2

Also the MAXIMUM AS NUMBER can be defined, so that routes that go through more than 10 ASs are rejected:
(config-router)#bgp maxas-limit 20

To CHANGE the ADMINISTRATIVE DISTANCE (AD):


(config-router)#distance bgp 150 200 1 <- OTHER AS : LOCAL AS : LOCALLY ORIGINATED


OR to change the AD of the PREFIXES originated by the PARTICULAR NEIGHBOR:


(config-router)#distance 150 10.1.23.3 0.0.0.0 [ACL] <- ATTACH AN ACL TO CHOOSE THE PREFIXES TO APPLY THE AD

There is another BGP TUNING, for when you want to ADVERTISE a prefix to an AS and learn it back from the SAME AS: (AS 100)-->(AS 200)-->(AS 100). On the EGRESS of AS 200 the route will not be advertised to AS 100 due to the LOOP PREVENTION mechanism. If you need to correct this on your network, there is the "allowas-in" command which disables this loop prevention. On the EDGE router of AS 100 towards AS 200 do:
(config-router)#neighbor 100.1.1.100 allowas-in   <- WILL ALLOW THE PREFIXES WITH OUR OWN AS

___________________________________________________________________________________________________________________

BGP Version
____________________________________________________________________________________________________________________
Cisco IOS 12.0 supports BGP versions 2, 3 and 4, but the NEWER IOS versions support ONLY BGP Version 4. To change it (on the IOS versions where it's allowed), for example in order to peer with a different vendor's routers:
(config-router)#neighbor <ip-address> version 4

____________________________________________________________________________________________________________________

BGP Peer-Group
____________________________________________________________________________________________________________________
It's a simple concept, just a group of neighbors we want to configure with the same set of parameters. It's defined in 3 steps:
Step 1. Define/Configure the Peer Group
(config-router)#neighbor CISQUEROS peer-group

Step 2. Add the individual neighbors into the configured peer group *Be sure to configure the interface used as the UPDATE-SOURCE, using the "neighbor x.x.x.x update-source lo0"
(config-router)#neighbor 2.2.2.2 peer-group CISQUEROS
(config-router)#neighbor 3.3.3.3 peer-group CISQUEROS

Be sure to configure ROUTER-ID Manually using "bgp router-id" command, or you will get this message:
*Nov 23 13:48:02.535: %BGP-4-NORTRID: BGP could not pick a router-id. Please configure manually.

Expect the following message:


*May 5 10:13:21.395: %BGP_SESSION-5-ADJCHANGE: neighbor 3.3.3.3 IPv4 Unicast topology base removed from session  Member added to peergroup
*May 5 10:13:21.395: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down Member added to peergroup
*May 5 10:13:22.283: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up

Both neighbors remain UP! If you CANNOT bring the BGP neighbors UP, use the PHYSICAL IPs. Then both Neighbors will appear. Once you've got the peering - you can remove the neighbor added using the Physical IP.
Step 3. Apply the set of parameters to the Peer Group, and the parameters will apply to each of the Peers. For example, let's configure the Password:
(config-router)#neighbor CISQUEROS password cisco


____________________________________________________________________________________________________________________

BGP Peer-Session and Peer-Policy Templates


____________________________________________________________________________________________________________________
Another way to make the BGP configuration easier is to avoid configuring the same command set on every router. Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:


(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros

Step 3: If you have more groups of neighbors that all share some common settings (for example the ones defined in the template MYBGP above) but differ in others, create another template per group and inherit the first template:
(config-router)#template peer-session GROUP_1
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100
(config-router)#template peer-session GROUP_2
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200

Step 4: Apply the LAST defined Template to RELEVANT NEIGHBORS, which inherited the settings of the initial Templates:
(config-router)#neighbor 1.1.1.1 inherit peer-session GROUP_1
(config-router)#neighbor 2.2.2.2 inherit peer-session GROUP_1
(config-router)#neighbor 3.3.3.3 inherit peer-session GROUP_2

Peer-Policy has a similar purpose. The difference is the commands inside, and a Peer-Session template CANNOT INHERIT a Peer-Policy template. Here is an example of a peer-policy template:
(config)#router bgp 200
(config-router)#template peer-policy FORCE_SELF_AS_NEXT_HOP
(config-router-ptmp)#next-hop-self
(config-router-ptmp)#exit-peer-policy

____________________________________________________________________________________________________________________

BGP Authentication
____________________________________________________________________________________________________________________
It's configured PER-NEIGHBOR, or, as described in the previous section, PER-PEER-GROUP.
(config-router)#neighbor CISQUEROS password cisco

From Jeff Doyle ROUTING TCP/IP Vol2 (Routing Bible in my opinion, even though I hope it gets updated soon, it's been 12 years !): The IOS uses MD5 authentication when a BGP neighbor password is configured. MD5 is a one-way message digest or secure hash function produced by RSA Data Security, Inc. It also is occasionally referred to as a cryptographic checksum, because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (in this case, a BGP message) and a password. This "fingerprint" is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver's hash value should match the sender's value transmitted with the message. The hash value is impossible to decipher (without a huge amount of computing power) without knowing the password so that an unauthorized router cannot, either maliciously or by accident, peer with a router running neighbor authentication.
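The TCP MD5 signature the quote describes is specified in RFC 2385. The following Python is an added example, not code from the guide, from IOS or from the book: it builds the digest exactly as the RFC lays it out (IPv4 pseudo-header, the fixed TCP header with the checksum field zeroed and options excluded, the segment data, then the shared password), carries it in TCP option kind 19, and shows the receiver recomputing it with its own key and rejecting a wrong password or a modified payload. The addresses, ports, sequence numbers and the KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample session (not from the page): two BGP speakers on a /30.
SRC_IP, DST_IP = "10.1.1.1", "10.1.1.2"
PASSWORD = b"cisco"      # the "neighbor ... password cisco" key used in the guide

# A BGP KEEPALIVE message: 16-byte marker of 0xFF, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_fixed_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """Build the 20-byte fixed TCP header with the checksum field zeroed."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, password):
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header, the fixed TCP header
    (checksum taken as zero, options excluded), the segment data and the shared
    key.  The pseudo-header's segment length does count options and data."""
    seg_len = len(fixed_header) + len(options) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))          # zero, protocol 6 (TCP), length
    hdr = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]  # force checksum = 0
    return hashlib.md5(pseudo + hdr + payload + password).digest()


def md5_option(digest):
    """TCP option kind 19, length 18, padded with two NOPs to a 4-byte boundary."""
    return bytes([19, 18]) + digest + b"\x01\x01"


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, password):
    """Sender side: return (fixed_header, options, payload) carrying the MD5 option."""
    options_len = 20                                   # 18-byte option + 2 NOPs
    hdr = tcp_fixed_header(sport, dport, seq, ack, 0x18, 16384, (20 + options_len) // 4)
    # The option's length is counted in the pseudo-header but its bytes are not hashed,
    # so a zero-filled placeholder of the right length is enough here.
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, b"\x00" * options_len, payload, password)
    return hdr, md5_option(digest), payload


def verify_segment(src_ip, dst_ip, fixed_header, options, payload, password):
    """Receiver side: recompute the digest with our own key and compare in constant time.
    A segment without the option is rejected, which is what makes the check useful."""
    if len(options) < 18 or options[0] != 19 or options[1] != 18:
        return False
    received = options[2:18]
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, password)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    hdr, opts, data = sign_segment(SRC_IP, DST_IP, 179, 45000, 1000, 2000, KEEPALIVE, PASSWORD)
    print(verify_segment(SRC_IP, DST_IP, hdr, opts, data, PASSWORD))     # True
    print(verify_segment(SRC_IP, DST_IP, hdr, opts, data, b"wrong"))     # False
```

Because the addresses, ports and sequence numbers are inside the hash, the same digest cannot be replayed on a different session, and a peer that does not hold the key cannot produce a segment the receiver will accept.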


____________________________________________________________________________________________________________________

BGP Route Reflectors


____________________________________________________________________________________________________________________
*Configuring Multi-protocol BGP (MP-BGP) Support for CLNS on Cisco Docs
Like the BGP Confederations, Route Reflectors REMOVE THE NEED FOR FULL-MESH iBGP peering. Route Reflectors let all the routers learn all the iBGP routes, and prevent loops.

Route Reflector SERVERS: Allowed to learn the iBGP routes from their CLIENTS, and advertise them to other iBGP peers. RR Servers act as normal BGP peers with the NON-RR-CLIENT peers and the eBGP peers; they send them all the BGP Updates.

Route Reflector CLUSTER - One or more RR Servers and their clients. With MULTIPLE Clusters - at least one of the RRs must be peered with at least one RR in each Cluster.

There are 3 implemented LOOP PREVENTION Mechanisms:
1. CLUSTER_LIST - The Cluster ID is automatically included into the BGP PA (path attribute) when generated, so the RR rejects the prefixes where its own Cluster ID appears. It's similar to the AS_PATH attribute, but instead of ASs it has a list of CLUSTER IDs.
2. ORIGINATOR_ID - Attribute created by the RR. It's the Router ID of the first iBGP peer to advertise the route into the AS. The RR will not advertise the prefix back to the originator.
3. Only the BEST routes are advertised.

The configuration is rather simple, and it consists of 2 steps:
Step 1: Define the CLUSTER ID on ALL the routers (this is NOT MANDATORY)
(config-router)#bgp cluster-id 3

Step 2: There is a difference between the RR SERVER and RR CLIENT (under the BGP configuration). On the RR SERVER configure ALL the clients:
(config-router)#neighbor 172.25.185.22 route-reflector-client
(config-router)#neighbor 172.25.186.59 route-reflector-client

Step 3: Check the status of each Client on the RR SERVER ROUTER:


#show ip bgp neighbors 172.25.185.22 | i Reflector
  Route-Reflector Client

Also make sure that the routes you expect to learn from RR Clients look like this:
#sh ip bgp 2.0.0.0/8
BGP routing table entry for 2.0.0.0/8, version 23
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     4
  Local, (Received from a RR-client)
#sh ip bgp 6.6.6.6
BGP routing table entry for 6.0.0.0/8, version 7
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Local
    10.1.46.6 (metric 2) from 10.1.13.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Originator: 6.6.6.6, Cluster list: 1.1.1.1, 4.4.4.4   <- CLUSTER LIST

DON'T forget to remove the iBGP sessions between CLIENTS, because... well, that's the point of implementing the RRs, to decrease the number of BGP peerings. The Route Reflector will "reflect" the routes received from one iBGP peer to the others. In the normal configuration (without route reflectors) the iBGP neighbors must be FULLY MESHED due to the SPLIT HORIZON rule (a prefix learned from an iBGP peer will NEVER be announced to another iBGP peer). Have in mind that the RR is a single point of failure in the Network, so the BEST PRACTICE is to have MULTIPLE RR SERVERS, and make sure that the RR SERVERS HAVE A FULL MESH.
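The ORIGINATOR_ID and CLUSTER_LIST checks listed under loop prevention, and the way those attributes are built up as a route is reflected, can be traced with a small simulation. This Python is an added example, not code from the guide or from IOS; it follows the RFC 4456 rules (a reflector ignores a route whose ORIGINATOR_ID is its own router-id or whose CLUSTER_LIST already contains its cluster-id, and on reflection sets ORIGINATOR_ID once and prepends its cluster-id). The scenario reuses the router-ids from the "show ip bgp 6.6.6.6" output above: 6.6.6.6 originates, 4.4.4.4 reflects to 1.1.1.1. That 6.6.6.6 is a client of 4.4.4.4 and 4.4.4.4 a client of 1.1.1.1 is an assumption, as is using the router-id as cluster-id (the default when "bgp cluster-id" is not configured).

```python
def rr_accept(local_router_id, local_cluster_id, attrs):
    """Loop checks a route reflector applies to a received iBGP route.
    Returns (accepted, reason)."""
    if attrs.get("originator_id") == local_router_id:
        return False, "ORIGINATOR_ID is our own router-id"
    if local_cluster_id in attrs.get("cluster_list", []):
        return False, "own CLUSTER_ID already present in CLUSTER_LIST"
    return True, "accepted"


def rr_reflect(local_cluster_id, from_router_id, from_client, to_client, attrs):
    """Reflection rule for a best path: a route from a client is reflected to every
    other iBGP peer, a route from a non-client only to clients; between two
    non-clients the ordinary iBGP split-horizon applies and nothing is sent.
    On reflection ORIGINATOR_ID is set once (to the first iBGP advertiser) and the
    local CLUSTER_ID is prepended to CLUSTER_LIST.  Returns the attributes the
    route is sent with, or None when it is not reflected."""
    if not from_client and not to_client:
        return None
    out = dict(attrs)
    out.setdefault("originator_id", from_router_id)
    out["cluster_list"] = [local_cluster_id] + list(attrs.get("cluster_list", []))
    return out


def reflect_chain():
    """Constructed scenario: 6.6.6.6 -> RR 4.4.4.4 -> RR 1.1.1.1 (router-id used as cluster-id)."""
    attrs = {"prefix": "6.0.0.0/8", "next_hop": "10.1.46.6"}   # as advertised by 6.6.6.6
    ok, _ = rr_accept("4.4.4.4", "4.4.4.4", attrs)
    if not ok:
        return None
    via_r4 = rr_reflect("4.4.4.4", "6.6.6.6", True, True, attrs)
    ok, _ = rr_accept("1.1.1.1", "1.1.1.1", via_r4)
    if not ok:
        return None
    # 1.1.1.1 reflects it on to its own clients
    return rr_reflect("1.1.1.1", "4.4.4.4", True, True, via_r4)


if __name__ == "__main__":
    final = reflect_chain()
    print(final["originator_id"], final["cluster_list"])   # 6.6.6.6 ['1.1.1.1', '4.4.4.4']
    # if the reflected route ever came back to 4.4.4.4 or 6.6.6.6 it is dropped:
    print(rr_accept("4.4.4.4", "4.4.4.4", final))
    print(rr_accept("6.6.6.6", "6.6.6.6", final))
```

The attribute values reflect_chain ends up with are the ones the router printed ("Originator: 6.6.6.6, Cluster list: 1.1.1.1, 4.4.4.4"), which is a handy way to read a cluster list: newest reflector first. Note that neither check says anything about whether the RRs themselves are reachable, which is why the text above insists on multiple, fully meshed RR servers.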


____________________________________________________________________________________________________________________

BGP BACKDOOR Route


____________________________________________________________________________________________________________________
When you need to make an eBGP route LESS preferred you need a way to tune it, because not many routing protocols "beat" eBGP's Administrative Distance (20). The "backdoor" argument sets the route's AD to 200 (as if it were an iBGP instead of an eBGP route), and alters the order of preference in the routing table. It's quite easy to configure - you configure a regular network using the "network" command, but add the "backdoor" argument at the end. This will advertise the route into the BGP process, but it will not add it to the routing table unless no other source of the same prefix appears in the routing table at all.
*BE CAREFUL!!! The BACKDOOR argument is applied to the network advertised TO YOU, not from you like in the normal "network" command application.
(config-router)#network 150.1.2.0 mask 255.255.255.0 backdoor

Note that you will not SEE this route in the routing table unless the route with the bigger AD is down. Also, in the BGP table it will have the "r" symbol (RIB-failure), meaning - not eligible to be added to the routing table:
#sh ip bgp | i 150.1.2
r> 150.1.2.0/24     10.1.13.1               0    100      200 ?

____________________________________________________________________________________________________________________

BGP CONDITIONAL Advertisements - Advertise Maps


____________________________________________________________________________________________________________________
This is a simple feature, but you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behavior of the BGP advertisements depending on the routes that are being learned.
Step 1: Configure 2 Route Maps, one for the CHECK condition, and another for the PREFIXES you will advertise if the CHECK passes. For example we want to CHECK if 2.0.0.0 is learned:
(config)#access-list 2 permit 2.0.0.0
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise 1.0.0.0:
(config)#access-list 1 permit 1.0.0.0
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1

Step 2: Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE ?
  exist-map      advertise prefix only if prefix is in the condition exists         <- CHECK THESE OPTIONS
  non-exist-map  advertise prefix only if prefix in the condition does not exist
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE non-exist-map CHECK

Intuitively we can see that the advertise-map (ADVERTISE here, the ADV_ROUTE_MAP) is the route map that defines the routes that will be advertised; in this case they are advertised only if the condition defined in the non-exist-map (CHECK here, the CONDITION_ROUTE_MAP) is NOT satisfied, meaning - only if the prefixes are NOT in the table.


____________________________________________________________________________________________________________________

BGP Route Dampening


____________________________________________________________________________________________________________________
Cisco Docs: Advanced BGP Features

TIP: Don't forget to define the "set dampening ..." within the route-map configuration, or you will get the following message when checking the parameters:
#sh ip bgp dampening parameters
% dampening reconfiguration in progress for IPv4 Unicast

When you check the BGP prefixes using the "show ip bgp", besides the arguments that appeared so far (*, >, r) there is another "Tag" that can appear, and it's a letter "d", which stands for DAMPENING.
#show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,     <- CHECK THIS LINE
              r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across an internetwork. A route is considered to be flapping when its availability alternates repeatedly" If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening

If you want to use this feature - make sure you understand the concept of PENALTIES being "rewarded" to a route every time it FLAPS, and make sure you're familiar with the PARAMETERS of BGP DAMPENING:
#sh ip bgp dampening parameters
 dampening 15 750 2000 60                       (DEFAULT)
  Half-life time      : 15 mins          Decay Time       : 2320 secs
  Max suppress penalty: 12000            Max suppress time: 60 mins
  Suppress penalty    :  2000            Reuse penalty    :   750

1. HALF-LIFE (default 15 minutes): When a penalty is assigned to a route, the accumulated penalty is decreased every 5 seconds. When the half-life expires, the accumulated penalty has been reduced by half. Default HALF-LIFE is 15 minutes, range 1-45 minutes.

2. REUSE (default 750): The route becomes REUSABLE when the penalty of the flapping route goes BELOW THIS VALUE. By default it's 750, and the range is 1 to 20000.

3. SUPPRESS (default 2000): The route is SUPPRESSED when the penalty REACHES THIS VALUE. Default is 2000, and the range is 1-20000.

4. MAX-SUPPRESS-TIME (default 60 minutes): Max time that the route can STAY SUPPRESSED. Default is 4 times the Half-life value (60 minutes), range is 1-255 minutes.
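The four parameters interact, so here is an added Python model of the penalty (not part of the original notes): exponential decay with the 15-minute half-life, the 12000 ceiling that follows from reuse and max-suppress-time, and a constructed three-flap timeline. The 1000-per-flap penalty is the IOS default for a withdrawal and is assumed here; the 5-second evaluation tick is the one the text mentions.

```python
# Parameters exactly as 'show ip bgp dampening parameters' prints the IOS
# defaults on this page: "dampening 15 750 2000 60".
HALF_LIFE_S = 15 * 60      # penalty halves every 15 minutes
REUSE = 750                # route is re-advertised once penalty drops below this
SUPPRESS = 2000            # route is suppressed once penalty reaches this
MAX_SUPPRESS_S = 60 * 60   # a route is never suppressed longer than 60 minutes
DECAY_TICK_S = 5           # IOS re-evaluates the penalty every 5 seconds
FLAP_PENALTY = 1000        # penalty per flap (IOS default for a withdraw; assumed here)


def max_suppress_penalty(reuse=REUSE, max_suppress_s=MAX_SUPPRESS_S,
                         half_life_s=HALF_LIFE_S):
    """Ceiling on the accumulated penalty.

    A route sitting at this penalty decays to the reuse limit in exactly
    max-suppress-time, which is how the 60-minute bound is enforced. For the
    defaults this is 750 * 2**(60/15) = 12000, the 'Max suppress penalty'
    shown in the command output above.
    """
    return int(reuse * 2 ** (max_suppress_s / half_life_s))


def decay(penalty, elapsed_s, half_life_s=HALF_LIFE_S):
    """Exponential decay: whatever the penalty is, it is halved every half-life."""
    return penalty * 2 ** (-elapsed_s / half_life_s)


def ticks_until_reusable(penalty, reuse=REUSE, half_life_s=HALF_LIFE_S,
                         tick_s=DECAY_TICK_S):
    """Number of 5-second decay ticks until a suppressed route's penalty
    falls below the reuse limit (multiply by tick_s to get seconds)."""
    ticks = 0
    while penalty >= reuse:
        penalty = decay(penalty, tick_s, half_life_s)
        ticks += 1
    return ticks


def simulate_flaps(flap_times_s, penalty_per_flap=FLAP_PENALTY):
    """Replay a list of flap timestamps (seconds) and return, for each flap,
    (time, rounded penalty right after the flap, suppressed?).

    Between flaps the penalty decays; each flap adds penalty_per_flap, capped
    at max_suppress_penalty(). Once the penalty reaches SUPPRESS the route is
    suppressed and stays so until the penalty has decayed below REUSE.
    """
    penalty, now, suppressed, timeline = 0.0, 0, False, []
    cap = max_suppress_penalty()
    for t in sorted(flap_times_s):
        penalty = decay(penalty, t - now)
        now = t
        if suppressed and penalty < REUSE:
            suppressed = False          # decayed below reuse: re-advertised
        penalty = min(penalty + penalty_per_flap, cap)
        if penalty >= SUPPRESS:
            suppressed = True
        timeline.append((t, round(penalty), suppressed))
    return timeline


if __name__ == "__main__":
    print("max suppress penalty:", max_suppress_penalty())
    secs = ticks_until_reusable(SUPPRESS) * DECAY_TICK_S
    print(f"a just-suppressed route (penalty {SUPPRESS}) is reused after {secs} s")
    # Constructed scenario: three flaps one minute apart. The second flap
    # does not suppress the route (penalty 1955 < 2000), the third one does.
    for t, p, s in simulate_flaps([0, 60, 120]):
        print(f"t={t:4}s penalty={p:5} {'SUPPRESSED' if s else 'advertised'}")
```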
If you need to configure BGP DAMPENING for certain routes only, use a ROUTE-MAP:
(config)#route-map DAMPEN_1
(config-route-map)#match ip address 15             <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL
(config-route-map)#set dampening 15 700 2000 60    <- SET DESIRED DAMPENING PARAMETERS
*Parameters can be defined directly under the BGP process, or within the Route-Map like here

Then apply it within the BGP configuration process:
(config-router)#bgp dampening route-map DAMPEN_1

This configuration can get quite complicated, so you might need to MATCH THE AS-PATH, for this you need to be quite comfortable with META CHARACTERS, so for example match prefixes originated in AS 300:
(config)#ip as-path access-list 15 permit ^300$

And then MATCH it in the route-map and SET the dampening parameters:
(config)#route-map DAMPEN_2
(config-route-map)#match as-path 15
(config-route-map)#set dampening 15 700 2000 60


____________________________________________________________________________________________________________________

BGP Route Summarization


____________________________________________________________________________________________________________________
BGP Routes can be summarized in the BGP process configuration using the "aggregate-address" command. The AGGREGATE is ONLY created if at least one of the more specific prefixes exists in the BGP table.
(config-router)#aggregate-address 2.2.0.0 255.255.0.0 ?
  advertise-map  Set condition to advertise attribute                    <- ASSIGN THE ROUTE-MAP
  as-confed-set  Generate AS confed set path information
  as-set         Generate AS set path information
  attribute-map  Set attributes of aggregate                             <- SET ATTRIBUTES such as COST/METRIC using a ROUTE-MAP
  route-map      Set parameters of aggregate
  summary-only   Filter more specific routes from updates                <- ONLY THE SUMMARY, SUPPRESSES THE OTHER PREFIXES
  suppress-map   Conditionally filter more specific routes from updates
  <cr>

*If you need to UN-SUPPRESS some prefixes from the Summary route, the command is applied PER NEIGHBOR. Another way to achieve the same effect is to create a STATIC ROUTE to Null0, and advertise it using the "network" command.

ATOMIC-AGGREGATE is an attribute that is assigned AUTOMATICALLY to the aggregate route if the "as-set" argument is NOT used in the "aggregate-address" command (AS-SET reveals the AS numbers that the summarized routes were originated from).

Additional arguments (route-maps) are a bit complicated, so you need to know exactly which one is for what:
Suppress-map - suppresses the prefixes permitted by the ACL (it ADVERTISES the prefixes DENIED by the ACL). The reverse (UNSUPPRESS, with the REVERSE logic) can be configured on a per-NEIGHBOR basis:
(config-router)#neighbor x.x.x.x unsuppress-map UNSUPP

____________________________________________________________________________________________________________________

BGP INJECT and EXIST map


____________________________________________________________________________________________________________________
This is not so common; these maps are used for more granular control of the advertised routes. For example, if you want to make sure that a certain prefix is learned (EXIST) from a certain router (match route-source), and only then inject the specific prefixes (INJECT) into the router's BGP table:
(config-router)#bgp inject-map INJECT exist-map EXIST

____________________________________________________________________________________________________________________

BGP Community Attribute


____________________________________________________________________________________________________________________
*Under SERVICE PROVIDER in the Cisco Docs
The Community attribute is one of those non-standard BGP attributes that you really need to know well if you wish to use it. The big advantage is that from time to time you will just swoop in and solve a big architecture problem your colleague Network Engineers are having. The downside is that it's a bit tacky. For example, these are the communities you can set within the route-map configuration:
(config-route-map)#set community ?
  <1-4294967295>  community number
  aa:nn           community number in aa:nn format
  additive        Add to the existing community
  internet        Internet (well-known community)                        <- ADVERTISE these networks to ALL neighbors
  local-AS        Do not send outside local AS (well-known community)    <- ONLY advertise within the AS
  no-advertise    Do not advertise to any peer (well-known community)    <- Do not advertise to any peer
  no-export       Do not export to next AS (well-known community)        <- Do not advertise to eBGP peers
  none            No community attribute
  <cr>

*IMPORTANT: Do not forget to actually SEND the community to the neighbor, or your configuration will not work!!!
(config-router)#neighbor x.x.x.x send-community


You can of course apply the BGP community attributes in the INBOUND and OUTBOUND direction, where you automatically override the existing value (unless you use "additive"). Besides these well-known community values, you can also assign an arbitrary community number and use it later as a BGP TAG.

Extended community attributes are used to configure, filter, and identify routes for virtual routing and forwarding (VRF) instances and Multi-protocol Label Switching (MPLS) Virtual Private Networks (VPNs). COST is an example of an EXTENDED COMMUNITY Attribute. It allows you to customize the local route preference, and in that way influence the best path selection. It's configured under the route-map:
(config-route-map)#set extcommunity cost ?
  <0-255>        Community ID
  igp            Compare following IGP cost comparison
  pre-bestpath   Compare before all other steps in bestpath calculation     <- CHECK THIS OUT!!!

So if you need to influence the path ABSOLUTELY:
(config-route-map)#set extcommunity cost pre-bestpath 100 ?          <- COST ID (100) IS USED AS A TIE BREAKER
  <0-4294967295>  Cost Value (No-preference Cost = 2147483647)       <- LOWER VALUE IS BETTER

There are 3 EXTENDED COMMUNITY attributes:
(config-route-map)#set extcommunity ?
  cost  Cost extended community
  rt    Route Target extended community        <- FOR MPLS
  soo   Site-of-Origin extended community

____________________________________________________________________________________________________________________

BGP & Load Balancing


____________________________________________________________________________________________________________________
If you see the same route from 2 different sources:
#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*  10.1.23.0/24     10.1.12.2                0             0 300 i
*>                  10.1.13.3                0             0 300 i

And in the routing table only one of them appears:
#sh ip route bgp
B    10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:01

You can increase the MAXIMUM PATH number, and add 2 (or more) different paths to the routing table:
(config-router)#maximum-paths 2

Check if the parameter "took":
#sh ip protocols | i Maxim
  Maximum path: 1

And make sure the routing table has been updated (this happens immediately):
#sh ip route bgp
B    10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:04
                  [20/0] via 10.1.12.2, 00:00:04


UNEQUAL COST BALANCING: When you wish to Load Balance based on each Link's BW. This feature is used together with BGP MULTIPATH to advertise the exit links' BW as an EXTENDED COMMUNITY to the iBGP peers. The configuration is somewhat weird:

Step 1: Enable DMZLINK-BW
(config-router)#bgp dmzlink-bw                 <- ON BORDER AND INTERNAL ROUTERS

Step 2: Configure BGP to include the BW value to external interface on extended community, per neighbor:
(config-router)#neighbor 10.1.1.2 dmzlink-bw

BE SURE the neighbor is a SINGLE HOP eBGP PEER, or you will get a message:
%BGP: Propagation of DMZ-Link-Bandwidth is supported only for single-hop EBGP peers

Step 3: Send the COMMUNITY
(config-router)#neighbor 10.1.1.2 send-community extended

____________________________________________________________________________________________________________________

1. AS-Path (The fewer ASs in the path - the Better)


____________________________________________________________________________________________________________________
Used to influence another AS by adding or PREPENDING ASs to the prefix using a Route Map:
(config-route-map)#set as-path prepend 111 <- WITHIN ROUTE-MAP CONFIG

When you want to NOT PREPEND the LOCAL AS to the advertised prefixes:
(config-router)#neighbor 10.1.1.2 local-as 100 no-prepend

When you want to REPLACE the PREPENDED AS in the advertised prefixes:
(config-router)#nei 10.1.1.2 local-as 100 no-prepend replace-as
*"replace-as" instructs NOT TO PREPEND the REAL AS

You can do pretty granular control here using the AS-PATH Access Lists. You do need a basic knowledge of the META Language for this, so basically if you need to match all the prefixes whose AS-PATH is exactly AS 65505 you do this:
(config)#ip as-path access-list 10 permit ^65505$ <-you can go wild with the filters

*in this case we are filtering the prefixes originated and advertised directly by AS 65505.
The AS-PATH ACL can also be applied to a neighbor as a FILTER-LIST:
(config-router)#neighbor 172.25.185.45 filter-list 10 in


REMINDER of the META Characters:

^     - START of Line
$     - END of Line
|     - Logical OR
_     - ANY DELIMITER (space, comma, start or end of the path, or whatever)
?     - ZERO OR ONE instance of the PRECEDING character
*     - ZERO OR MORE instances of the PRECEDING character
+     - ONE OR MORE instances of the PRECEDING character
(x)   - Combine the enclosed String as a single entity
[x]   - Wildcard where any position can match the position in the AS-Path
.     - Any Character

After this you just match this condition in the route-map in order to set some parameter later:
(config-route-map)#match as-path 10

____________________________________________________________________________________________________________________

2. Weight (the Higher - the Better)


____________________________________________________________________________________________________________________
It's a CISCO Proprietary Attribute, used ONLY LOCALLY to influence the LOCAL AS by assigning the WEIGHT attribute to prefixes learned from a BGP Neighbor. First you need to set up the route-map. You can use a MATCH condition, but you don't have to. In this case we will apply the weight to all the prefixes announced by a neighbor.
route-map SET_WEIGHT permit 10
 match ...
 set weight 500

And apply the route-map to a neighbor in the INBOUND direction (prefixes coming IN, meaning - are announced by that neighbor):
router bgp 65535
 neighbor 172.21.12.2 remote-as 64500
 neighbor 172.21.12.2 route-map SET_WEIGHT in

Or you can simply apply the WEIGHT attribute to the neighbor directly:
router bgp 65535
 neighbor 172.21.12.2 remote-as 64500
 neighbor 172.21.12.2 weight 500


____________________________________________________________________________________________________________________

3. MED (Multi Exit Discriminator)


____________________________________________________________________________________________________________________
* Attribute defined in RFC 1771; Optional and Non-Transitive; the Smaller the Better.

A router will compare the MED attribute only for paths from BGP peers that reside in the same autonomous system. In the CCIE the MED can also be used to influence the ISP BGP Neighbors to prefer one or the other exit point of your network, but in the real world most ISPs will DISCARD the MED attribute to enforce the HOT POTATO strategy: if the traffic is not destined for the provider's own network, the provider prefers handing it off to another provider ASAP.

This is the most similar Attribute to the OSPF Metric that there is in BGP. The nature of this attribute is similar to the AS-Path, because both are used to influence the other AS by tuning the attributes of the Locally Originated and Advertised Prefixes. You can simply set it (set metric X) within the route-map configuration, and apply it to the BGP Neighbor in the OUTBOUND direction.

MED is used only for the routes from one AS to another. It makes no sense to compare MED values of BGP routes learned from different ASs. If you wish to RE-ARRANGE the Attribute Comparison order, and for example wish to compare the MED value before the AS-Path (meaning prefer the lower MED, regardless of the AS-Path), use these commands under the BGP configuration:
(config-router)#bgp always-compare-med         <- compare the MED value even if there is a higher ranked attribute
(config-router)#bgp bestpath as-path ignore     <- IGNORE the AS-Path attribute, HIDDEN COMMAND on IOS!!!

*BE CAREFUL with the second command: the TAB key will not work and the "?" will not show you the "as-path" option.

By default a MISSING MED value is considered the BEST one, because on most IOS versions it is treated as 0. To change this use:
(config-router)#bgp bestpath med missing-as-worst <- Treat the non-defined MED as the WORST

____________________________________________________________________________________________________________________

4. LOCAL PREFERENCE
____________________________________________________________________________________________________________________
It's used to PREFER AN EXIT POINT of the LOCAL BGP AS. Bigger is Better, DEFAULT: 100. There are 2 ways to configure the LOCAL PREFERENCE:

WAY 1: TRY AND INFLUENCE DOWNSTREAM BGP NEIGHBORS.
If we configure this one, all the routes we announce will have Local Preference 500, unless RE-WRITTEN.
(config-router)#bgp default local-preference 500

The same effect is achieved by defining a ROUTE-MAP, setting the Local Preference and applying it OUTBOUND:
(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM out
*configuration similar to the one explained below, within Way 2.

WAY 2: SUPERSEDES the 1st way
Applied INBOUND to the LEARNED routes we want to PREFER. It OVERWRITES the Local Preference announced by the upstream BGP Neighbors.

Step 1: Define a PREFIX LIST with the PREFIXES you want to assign the Local Preference to:
(config)#ip prefix-list LOCPREF_PREFIXES seq 5 permit 1.0.0.0/8

Step 2: Define a ROUTE-MAP to match the PREFIX and SET THE LOCAL PREFERENCE (in this case 500):
(config)#route-map LOCPREF_PREFIXESRM permit 10
(config-route-map)#match ip address prefix-list LOCPREF_PREFIXES
(config-route-map)#set local-preference 500


Step 3: Apply the ROUTE-MAP to the BGP process, INBOUND!!!
(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM in

Step 4: Clear the BGP process INBOUND, and check the BGP table:
#clear ip bgp * in
#sh ip bgp | i 1.0.0.0
   Network          Next Hop            Metric LocPrf Weight Path
*>i1.0.0.0          10.1.14.1                0    500      0 100 i     <- LOC.PREF IS 500

BE CAREFUL WITH THE NEXT HOP!!! If you cannot reach the IP of the Next Hop, do this:
(config-router)#neighbor 10.1.34.4 next-hop-self <-POINT TO ME TO REACH ALL THE PREFIXES I KNOW AND YOU DONT

The alternative to this is to add a ROUTE-MAP pointing to the neighbor, and within it alter the next hop.
____________________________________________________________________________________________________________________

BGP Filters: Distribution and Prefix lists


____________________________________________________________________________________________________________________
The main difference between applying the DISTRIBUTE list and the PREFIX list to the BGP neighbor is:

DISTRIBUTE LIST: You need to define the ACL, and apply it in the form of a Distribute List:
(config)#access-list 1 deny 172.12.25.0 0.0.0.255
(config-router)#neighbor 5.5.5.5 distribute-list 1 in

PREFIX LIST: You define the PREFIX list, and apply the same prefix list to the BGP neighbor
(config-router)#neighbor 5.5.5.5 prefix-list PREF_LIST in

____________________________________________________________________________________________________________________

BGP: Regular Expressions


____________________________________________________________________________________________________________________
Cisco Docs: Additional and Legacy Protocols > IOS Terminal Services Configuration Guide > APPENDIXES

REMINDER of the META Characters

^     - START of Line
$     - END of Line
|     - Logical OR
_     - ANY DELIMITER (space, comma, start or end of the path)
?     - ZERO OR ONE instance of the PRECEDING character
*     - ZERO OR MORE instances of the PRECEDING character
+     - ONE OR MORE instances of the PRECEDING character
(x)   - Combine the enclosed String as a single entity
[x]   - Wildcard where any position can match the position in the AS-Path
.     - Any Character


EXAMPLES (REMEMBER THESE!!!)

_65505$   - Prefixes that END with the AS 65505, meaning - they were originated by that AS
_65505_   - Prefixes that traversed the AS 65505
^$        - Locally Originated Prefixes (START and END of the line)
.*        - ANY prefix (zero or more instances of ANY character)
^[0-9]+$  - All the prefixes from DIRECTLY CONNECTED ASs (meaning - they have only 1 AS in the AS Path)

BEFORE CREATING THE AS-PATH ACL: If you want to STOP using the recursive algorithm in order to be able to control more complex regular expressions:
(config-router)#bgp regexp deterministic

Now you can actually DISPLAY the prefixes that match your condition in the AS-PATH before defining the AS-PATH ACL
#show ip bgp regexp REGULAR_EXPRESSION

*There is a TRICK here; you need to add a MEMORY location (a capture group you can back-reference) to temporarily place the results, so instead of the expression ^300$ you would have to type:
#show ip bgp regexp (^300$)(_\1)*$

You can also display the Filter List before applying it to the neighbor:
#show ip bgp filter-list 1
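The META-character reminder (here and in the AS-Path section) and the EXAMPLES above, as an added Python illustration that is not part of the original notes: Python's re has no Cisco-style "_" atom, so the helper translates it into an explicit delimiter alternation and then runs the page's patterns over a constructed BGP table (the prefixes and AS-paths are made up for the example).

```python
import re

# In an IOS AS-path regexp "_" means "any delimiter": start or end of the
# path, a space, a comma, or the braces/parentheses of AS-SET and
# confederation segments. Python has no such atom, so translate it.
_DELIM = r"(?:^|$|[ ,{}()])"


def cisco_to_python(regexp: str) -> str:
    """Translate a Cisco AS-path regular expression into a Python one."""
    return regexp.replace("_", _DELIM)


def as_path_matches(regexp: str, as_path: str) -> bool:
    """True if the AS-path string (e.g. '300 65505') matches the Cisco regexp.

    IOS does a substring search, not a whole-string match, so re.search is
    the right call; anchor with ^ and $ in the pattern when you need it.
    """
    return re.search(cisco_to_python(regexp), as_path) is not None


def filter_paths(regexp: str, table: dict) -> list:
    """Return the prefixes of a {prefix: as_path} table that an
    'ip as-path access-list N permit <regexp>' entry would permit."""
    return sorted(p for p, path in table.items() if as_path_matches(regexp, path))


# Constructed BGP table excerpt: prefix -> AS-path as 'show ip bgp' prints it
# (an empty path is a locally originated prefix).
SAMPLE_TABLE = {
    "1.0.0.0/8": "",                 # locally originated
    "2.0.0.0/8": "300",              # directly connected AS 300 originated it
    "3.0.0.0/8": "300 65505",        # originated by 65505, learned via 300
    "4.0.0.0/8": "65505 100",        # traversed 65505, originated by 100
    "5.0.0.0/8": "200 165505",       # 165505 is another AS: _65505_ must NOT match it
    "6.0.0.0/8": "300 {65505,100}",  # AS-SET from an aggregate with as-set
}

if __name__ == "__main__":
    # The page's patterns, plus the ^300$ trick with the back-reference,
    # which in Python is simply equivalent to ^300$.
    for rx in ("_65505$", "_65505_", "^$", ".*", "^[0-9]+$",
               "^300$", "(^300$)(_\\1)*$"):
        print(f"{rx:18} -> {filter_paths(rx, SAMPLE_TABLE)}")
```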

____________________________________________________________________________________________________________________

BGP Confederations
____________________________________________________________________________________________________________________
The BGP Confederation Identifier is used to configure a GROUP OF SMALL ASs as a SINGLE AS. It's used to reduce the iBGP mesh. On ALL the routers within ALL the sub-ASs issue the command:
(config-router)#bgp confederation identifier 250

Once the Identifier is configured, you need to configure all the directly connected eBGP peers (this command is not needed if there are no eBGP sub-confederation peers):
(config-router)#bgp confederation peers 65505 65409 65111 <-DEFINE ALL ASs WITHIN CONFEDERATION, BUT LOCAL

If you want to create the NEIGHBOR with the confederation, use the CONFEDERATION IDENTIFIER AS THE AS:
(config-router)#neighbor 10.1.45.4 remote-as 250

Check the BGP table, and make sure all the prefixes are sourced by the VIRTUAL AS 250:
(config-router)#do sh ip bgp
BGP table version is 14, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.45.4                0             0 250 i
*> 2.0.0.0          10.1.45.4                0             0 250 i
*> 3.0.0.0          10.1.45.4                0             0 250 i
*> 4.0.0.0          10.1.45.4                0             0 250 i
*> 5.0.0.0          0.0.0.0                  0         32768 i


____________________________________________________________________________________________________________________

MP-BGP (Multi-Protocol BGP)


____________________________________________________________________________________________________________________
By default, commands entered under the "router bgp" command apply to the IPv4 address family. This will continue to be the case unless you enter "no bgp default ipv4-unicast" as the first command under the router bgp command:
(config-router)#no bgp default ipv4-unicast

*The PEERING will NOT be established unless you issue the ACTIVATE command under the address family in the BGP process:
(config-router)#address-family vpnv4
(config-router-af)#neighbor 3.3.3.3 activate

Make sure you're checking for the neighbors under the VPNv4 UNICAST Address Family:
#sh bgp vpnv4 unicast all summary
BGP router identifier 4.4.4.4, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4 65001      19      19        1    0    0 00:03:47        0

When you have various VRFs on the router, and you're configuring the BGP peering with the CLIENT router within the VRF assigned to that client, note 2 things:

1. A separate IPv4 VRF address family has been created under BGP. When you configure the BGP PEERING with the CLIENT, you should configure it under that specific AF:
router bgp 65001
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 65001
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CLIENT_VRF           <- AUTOMATICALLY CREATED AF UNDER THE BGP
  neighbor 10.1.45.5 remote-as 65015         <- ADD PEERING WITH THE CLIENT
  neighbor 10.1.45.5 activate                <- COMMAND ADDED AUTOMATICALLY STARTING FROM 12.4
  no synchronization
 exit-address-family

2. On the CLIENT side you will NOT LEARN the BGP routes announced by other CEs of the same client, due to the LOOP PREVENTION mechanism implemented in BGP (routes that carry the local AS in the AS-PATH will not be accepted into the routing table). To change this behavior, on the client's CE do:
(config-router)#neighbor 10.1.45.4 allowas-in ?
  <1-10>  Number of occurances of AS number        (I RECOMMEND NOT TO EXAGGERATE, SO - ONLY 1!)

Another way would be to OVERRIDE the AS number on the PE. This way the PE advertises BGP routes with its own AS number attached instead of the ORIGINATING AS:
(config-router-af)#neighbor 10.1.13.1 as-override


____________________________________________________________________________________________________________________

Route Redistribution TIPs


____________________________________________________________________________________________________________________

RIP: Metric is HOPS, so if you want the next router not to learn a route, set the HOPS to 16 (max):
(config-rmap)#set metric 16
!!!NOTE that RIP will not advertise a route if it didn't make the ROUTING TABLE

OSPF: You might need to TUNE THE ADMINISTRATIVE DISTANCE:
(config-router)#distance 150 3.3.3.3 0.0.0.0 10 <- 10 is an ACL, it's OPTIONAL, and 150 is the new AD

DISCARD ROUTE is a route injected automatically when we SUMMARIZE OSPF, for LOOP PREVENTION. To remove it:
(config-router)#no discard-route [internal | external] <- INTERNAL on ABR, EXTERNAL on ASBR

HAVE IN MIND that SOURCE IP and SOURCE PROTOCOL can be matched within the Route-maps. MATCH IP ROUTE-SOURCE in the Route-map: in OSPF it's not the NEXT HOP but the ORIGINATOR Router-ID of the PREFIX:
(config-route-map)#match ip route-source 4        <- ACL 4 includes the Router-ID

Also the SOURCE PROTOCOL can be matched, when we want to PREVENT a certain protocol's prefixes from entering the Route Table:
(config-route-map)#match source-protocol ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  eigrp      Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis       ISO IS-IS
  mobile     Mobile routes
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes
  <cr>

EIGRP: When you have a COMPOSITE METRIC range, like 22222 to 44444, then the METRIC VALUE to match is the MIDDLE, so:
METRIC    = (22222 + 44444)/2 = 33333
DEVIATION = (44444 - 22222)/2 = 11111
So when you're MATCHING THE METRIC of the EIGRP routes within the Route Map:
(config-route-map)#match metric 33333 +- 11111


QoS


____________________________________________________________________________________________________________________

QoS TIPS
____________________________________________________________________________________________________________________

TIP: When you need to MAXIMIZE EFFICIENCY on a Serial Link, use COMPRESS PREDICTOR or COMPRESS STACKER (STACKER is more CPU consuming, but better for MEMORY, and PREDICTOR the other way around):
(config)#compress predictor | stacker

TIP: Shape AVERAGE - in normal conditions; Shape ADAPTIVE - when a congestion notification (like BECN) is received:
(config-pmap-c)#shape ?
  adaptive    Enable Traffic Shaping adaptation to BECN
  average     configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]], send out Bc only per interval
  fecn-adapt  Enable Traffic Shaping reflection of FECN as BECN

If normal shaping is needed on a Frame-Relay link, just configure DIRECTLY ON THE INTERFACE AND configure the rest of the required parameters within the Map-Class:
(config-if)#frame-relay traffic-shaping

____________________________________________________________________________________________________________________

QoS on Access Ports


____________________________________________________________________________________________________________________
When there is a CISCO Phone behind the port, configure the port as ACCESS:
(config-if)#switchport access vlan 3        <--- data VLAN
(config-if)#switchport mode access
(config-if)#switchport voice vlan 5         <--- Cisco Phone VLAN

If you want to trust the Phone CoS markings:
(config-if)#mls qos trust device cisco-phone

Mark all incoming traffic:
(config-if)#mls qos cos 2                   <- ONLY MARKS THE NON-MARKED TRAFFIC, use "mls qos cos override" to MARK ALL

And to REMARK the DATA traffic (VLAN 3 IN THIS CASE):
(config-if)#switchport priority extend cos 1

If you want to check how the traffic is reaching the router from the configured switch interface, make a class map on the ROUTER matching the DSCP or CoS values you are interested in:
(config)#class-map cos2
(config-cmap)#match cos 2

... Then create a Policy Map that includes this Class:
(config)#policy-map QoS_test
(config-pmap)#class cos2
...

And apply it to an Interface directly connected to the Switch that marks the traffic:
(config-if)#service-policy QoS_test in


To check:
#show policy-map interface Fa0/1.100
 FastEthernet0/1.100

  Service-policy input: QOS_IN

    Class-map: COS1 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps          <--- LOAD INTERVAL is 5 Minutes by default, can be changed ON THE INTERFACE
      Match: cos 1
    Class-map: COS2 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0 bps
      Match: cos 2
    Class-map: COS4 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 4
    Class-map: COS5 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 5

*Change the LOAD INTERVAL:
(config-if)#load-interval ?
  <30-600>  Load interval delay in seconds        <--- DEFAULT IS 5 MINUTES, as shown above
(config-if)#load-interval 30

And now:
#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy input: MATCHES

    Class-map: DSCP10 (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps          <--- TA-DAAAAA
      Match: ip dscp af11 (10)

Make sure you have "mls qos trust cos" OR "mls qos cos override" configured!
#show mls qos interface GigabitEthernet 3/0/2
GigabitEthernet3/0/2
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

If you want all the traffic going out of a port to be marked with a particular IP Precedence/DSCP value, use the "class-default":
(config)#policy-map SET-ALL-5
(config-pmap)#class class-default
(config-pmap-c)#set ip precedence 5

And then apply it in the OUTBOUND direction on the interface:
(config-if)#service-policy output SET-ALL-5


____________________________________________________________________________________________________________________

DSCP and COS MAPPING


____________________________________________________________________________________________________________________
QoS MUTATION: If you need to RE-MARK all the packets carrying a particular value of DSCP/CoS.

Step 1: Check if QoS has been globally enabled on the Switch:
QoS_UP_SW1#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

Step 2: Define the DSCP Mutation Map:
(config)#mls qos map dscp-mutation MUTATION_NAME 1 to 60

This map re-marks DSCP 1 to DSCP 60; packets with any other DSCP value keep their marking.

Step 3: Check that the "mls qos trust" command has been applied, it's a must. Then apply the Mutation Map to the Physical Interface:
(config-if)#mls qos dscp-mutation MUTATION_NAME

Note that for this to work, the DSCP REWRITE has to be enabled globally on a switch *IT IS ENABLED BY DEFAULT:
(config)#mls qos rewrite ip dscp        <--- ENABLED BY DEFAULT; use "no mls qos rewrite ip dscp" IF YOU NEED TO CONFIGURE QoS BUT DON'T WANT TRAFFIC TO BE REMARKED TO 0

Check if it "worked":
#show mls qos map dscp-mutation Dscp-dscp mutation map (D1D2 = VALUE OF DSCP): MUTATION_NAME: d1 : d2 0 1 2 3 4 5 6 7 8 9 --------------------------------------0 : 00 60 02 03 04 05 06 07 08 09 <--- HERE, THE D1:D2=0:1 MUTATES TO D1:D2=0:60 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 6 : 60 61 62 63

   Dscp-dscp mutation map:
   Default DSCP Mutation Map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 01 02 03 04 05 06 07 08 09    <--- BY DEFAULT IT STAYS 0:1
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59


____________________________________________________________________________________________________________________

Map COS to DSCP on a device


____________________________________________________________________________________________________________________
#show mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 40 48 56

(config)#mls qos map cos-dscp 0 8 16 24 32 40 48 7    <--- MAP COS 7 to DSCP 7

#show mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 40 48  7

____________________________________________________________________________________________________________________

QoS POLICING - INDIVIDUAL and AGGREGATE POLICER


____________________________________________________________________________________________________________________
! Be sure to do "no mls qos", and after a few seconds "mls qos" to be sure POLICING takes effect

INDIVIDUAL POLICER: Basic, per CLASS that matches a DSCP value
AGGREGATE POLICER: "mls qos aggregate-policer":
(config)#mls qos aggregate-policer AGGREG 500000 25000 exceed-action drop
(config)#policy-map CISQUEROS
(config-pmap)#class DSCP10              <--- APPLY TO ALL CLASSES YOU WANT TO AGGREGATE THE POLICY ON
(config-pmap-c)#police aggregate AGGREG

____________________________________________________________________________________________________________________

PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list)


____________________________________________________________________________________________________________________
Uses 4 queues:
1. HIGH
2. MEDIUM
3. NORMAL
4. LOW
Define the PRIORITY LIST. A priority-list works like an access-list: it's processed from top to bottom, so define the MORE SPECIFIC policies first:
(config)#priority-list 1 protocol http ?
  high    medium    normal    low
(config)#priority-list 1 protocol ip normal udp tftp    <--- for IP protocols
(config)#priority-list 1 default LOW

Then just apply it on an interface:


(config-if)#priority-group 1    <--- IT'S ALWAYS AN OUTBOUND DIRECTION


If you also need to LIMIT THE QUEUE sizes PER CLASS :


(config)#priority-list 1 queue-limit 80 60 40 20 <--- HIGH>80 , MEDIUM>60 , NORMAL>40 , DEFAULT>20

QUEUE LIST defines !!!17 QUEUES!!!
All queues have the SAME WEIGHT, and are serviced in ROUND ROBIN
Queue 1 - System or Priority queue (IP Routing UPDATES do NOT go here!!! only L2 Keepalives & Neighbor Discovery)
(config)#queue-list 1 protocol http 4
(config)#queue-list 1 protocol ip 3 tcp telnet
(config)#queue-list 1 protocol ip 6 udp tftp
(config)#queue-list 1 default 5

Also applied on the interface:


(config-if)#custom-queue-list 1 <--- ALWAYS OUTBOUND!!!

#show queueing custom
Current custom queue configuration:

List   Queue  Args
1      5      default
1      4      protocol http
1      3      protocol ip     tcp port telnet
1      6      protocol ip     udp port tftp

Also the BANDWIDTH can be allocated to each of the queues using the "byte-count" parameter:
(config)#queue-list 1 queue 1 byte-count 1500

____________________________________________________________________________________________________________________

WFQ - By default works with IP PRECEDENCE


____________________________________________________________________________________________________________________
DEDICATES MORE BANDWIDTH TO THE HIGHER IP PRECEDENCE TRAFFIC!!!
Check the Interface Capabilities and Thresholds on a Router:
#show inter s0/1/0 | b Output
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)    <- HOLD-QUEUE LIMIT is 1000, DISCARD THRESHOLD is 64
     Conversations  0/2/256 (active/max active/max total)        <--- MAX DYNAMIC QUEUE NUMBER IS 256
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec

Check the current FAIR QUEUE settings:


#show queueing fair
Current fair queue configuration:

  Interface           Discard    Dynamic  Reserved  Link    Priority
                      threshold  queues   queues    queues  queues
  Serial0/1/0         64         256      0         8       1
  Serial0/1/1         64         256      0         8       1

And apply the changes on the INTERFACE level:


(config-if)#fair-queue 128 512     <- DISCARD THRESHOLD 128, DYNAMIC QUEUES 512
(config-if)#hold-queue 1200 out    <- HOLD QUEUE, max number of packets the interface output queue can hold


____________________________________________________________________________________________________________________

RSVP - Resource Reservation Protocol


____________________________________________________________________________________________________________________
SENDER sends PATH MESSAGES through the network. When RSVP is enabled, the router receives the PATH message:
| FROM | TO | PREV_HOP | BW |    <--- PATH message, stored on the Router and forwarded down the PATH

RECEIVER receives the PATH MESSAGE and forms the RESERVATION MESSAGE (RSVP Reservation Request), which is propagated back along exactly the same route the PATH message took. Each ROUTER on the PATH either ACCEPTS or REJECTS the RSVP Reservation Request, based on its RESOURCES.
SENDER receives the RESERVATION MESSAGE and it's ready to start the transmission.
First, under the SOURCE and DESTINATION interface, reserve the BW:
(config-if)#ip rsvp bandwidth 400 180 <--- 400 RESERVATION, AND 180 is SINGLE reservation

To define the SENDER and the RECEIVER:


(config)#ip rsvp sender-host 10.1.112.2 10.1.112.1 tcp 0 0 10 5    <- to GENERATE and SEND PATH MESSAGES

These 0s mean - IGNORE THE PORT ADDRESSES

(config)#ip rsvp reservation-host 1.1.1.1 2.2.2.2 tcp 0 0 ?
  ff  Single Reservation
  se  Shared Reservation, Limited Scope
  wf  Shared Reservation, Unlimited Scope

(config)#ip rsvp reservation-host 10.1.112.2 10.1.112.1 tcp 0 0 ff rate 10 5    <- RECEIVER WITH SINGLE RESERVATION

DEBUG RSVP:
*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Refresh RESV, req=659606AC, refresh interval=30000mSec [cleanup timer is not awake]
*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Sending Resv message to 10.1.112.1
*Aug 22 15:54:33.595: RSVP (on FastEthernet0/0) 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Received Path message from 10.1.112.1

If you want the Router to be the RSVP PROXY:


ip rsvp sender 10.1.112.2 1.1.1.1 tcp 0 0 1.1.1.1 lo0 10 5

____________________________________________________________________________________________________________________

IPv6 QoS
____________________________________________________________________________________________________________________
"match ip precedence" ONLY matches IPv4, not IPv6
If you want IPv4 AND IPv6 to be matched - use "match precedence"
____________________________________________________________________________________________________________________

Match MAC ADDRESS


____________________________________________________________________________________________________________________
(config)#class-map SRV1
(config-cmap)#match sou
(config-cmap)#match source-address ?
  mac  MAC address

Be careful, because if you match the SOURCE MAC - you won't be able to apply the service-policy OUTBOUND!!! Therefore - create the ACL matching the MAC, and match the ACCESS-GROUP instead.


____________________________________________________________________________________________________________________

QoS Frame-Relay SHAPING


____________________________________________________________________________________________________________________
FRTS - Frame-Relay Traffic Shaping. There are 4 general ways to implement TRAFFIC SHAPING:
1. Legacy Generic Traffic Shaping (GTS)
2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)
3. MQC-Based Frame-Relay Traffic Shaping
4. MQC-Based Class Based Traffic Shaping

Shaping is used only to "spread" the queue; it adds delay and jitter, but it doesn't cause drops unless the entire queue is full.
For LEGACY FRTS to be implemented, frame relay traffic shaping must be enabled first:
(config-if)#frame-relay traffic-shaping

#show traffic-shape    <--- SHOW THE FR TRAFFIC SHAPING
Interface   Se0/1/0
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
103           56000     875    7000      0         125       875       -
104           56000     875    7000      0         125       875       -
102           56000     875    7000      0         125       875       -

AR, or AIR - Max number of bits that can be sent by a router (actual interface speed)
CIR - Average Speed, Target Rate
Mincir - This is a TELCO DEFINED CIR (Contracted Rate, Guaranteed by the Provider; the DE bit is set in the frames above this rate)
Bc - Committed Burst, by default it's CIR/8 because the default Tc is 125ms (Bc = CIR x Tc)
!!!Magic Formula is Bc = CIR x 1.5s because RTT is by average ~ 1.5 seconds over the big networks
Be - Number of NON-COMMITTED bits accepted by the Frame-relay switch. If Be is not configured in Class-Based FRTS - it's equal to Bc
For granular QoS Frame Relay control - use the MAP CLASS:
(config)#map-class frame-relay FRTS
(config-map-class)#frame-relay ?
  adaptive-shaping   Adaptive traffic rate adjustment, Default = none
  bc                 Committed burst size (Bc), Default = 7000 bits
  be                 Excess burst size (Be), Default = 0 bits
  cir                Committed Information Rate (CIR), Default = 56000 bps
  congestion         Congestion management parameters
  custom-queue-list  VC custom queueing
  end-to-end         Configure frame-relay end-to-end VC parameters
  fair-queue         VC fair queueing
  fecn-adapt         Enable Traffic Shaping reflection of FECN as BECN
  fragment           fragmentation - Requires Frame Relay traffic-shaping to be configured at the interface level
  holdq              Hold queue size for VC
  idle-timer         Idle timeout for a SVC, Default = 120 sec
  interface-queue    PVC interface queue parameters
  ip                 Assign a priority queue for RTP streams
  mincir             Minimum acceptable CIR, Default = CIR/2 bps
  priority-group     VC priority queueing
  tc                 Policing Measurement Interval (Tc)
  traffic-rate       VC traffic rate
  voice              voice options


2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)
Normally you do something like this:
map-class frame-relay FRTS
 frame-relay cir 64000                 <-- AVERAGE BW
 frame-relay mincir 32000              <-- MINIMUM GUARANTEED BW
 frame-relay adaptive-shaping becn     <-- Turn on ADAPTIVE shaping, with BECN marking from the network indicating congestion
 frame-relay bc 8000                   <-- CIR*1/8
 frame-relay be 16000                  <-- Depends on the requirements

And then APPLY it under the INTERFACE:


(config-if)#frame-relay class FRTS

Or under the DLCI, if you need it to apply only to ONE DLCI:


(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class FRTS

To check the configured shaping do:


#show frame-relay pvc 201
PVC Statistics for interface Serial0/1/0 (Frame Relay DTE)

DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/1/0

  input pkts 30             output pkts 31           in bytes 31120
  out bytes 31154           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0        out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 1          out bcast bytes 34
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  Shaping adapts to BECN                                          <--- BECN SHAPING ENABLED
  pvc create time 2d19h, last time pvc status changed 00:40:28
  cir 64000     bc 8000      be 0         byte limit 1000   interval 125    <--- SHAPING ATTRIBUTES
  mincir 32000  byte increment 1000  Adaptive Shaping BECN
  pkts 0        bytes 0      pkts delayed 0        bytes delayed 0
  shaping inactive
  traffic shaping drops 0
  Queueing strategy: fifo
  Output queue 0/40, 0 drop, 0 dequeued

#show traffic-shape
Interface   Se0/1/0
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
513           128000    800    6400      0         50        800       -
504           512000    12800  25600     76800     50        3200      -
503           56000     875    7000      0         125       875       -
502           56000     875    7000      0         125       875       -
501           56000     875    7000      0         125       875       -

3. MQC-Based Frame-Relay Traffic Shaping


If you want the same effect using the MQC method, the equivalent commands within the policy map are:
policy-map FRTS
 class class-default              <-- ONLY ALLOWED CLASS ON FR VC
  shape average 64000 8000 0      <-- CIR = 64 kbps, Bc = 8000 bits, Be = 0
  shape adaptive 32000            <-- MINCIR (Minimum Guaranteed BW)
!!!ONLY CLASS-DEFAULT IS ALLOWED OVER FR VCs!!!

Now, STILL in Frame-Relay the ONLY WAY TO APPLY IS THROUGH THE MAP-CLASS:
(config)#map-class frame-relay FRTS
(config-map-class)#service-policy out FRTS
(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class FRTS


#show policy-map interface s0/1/0
 Serial0/1/0: DLCI 201 -

  Service-policy output: TASK2

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            64000/64000     1000   8000      0         125       1000       <--- SHAPING ATTRIBUTES

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        BECN   0         0         0         0         0         no

Frame-Relay FRAGMENTATION (define the largest packet size, end-to-end):


(config-if)#frame-relay fragment 80 end-to-end

4. MQC-Based Class Based Traffic Shaping


Like in the standard MQC configuration, with one difference - the policy-map can be directly applied to the DLCI:
(config-if)#frame interface-dlci 513
(config-fr-dlci)#service-policy output CBWFQ

____________________________________________________________________________________________________________________

QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING)


____________________________________________________________________________________________________________________
First enable PIPQ on the Frame-Relay interface (it is an interface-level command):
(config-if)#frame-relay interface-queue priority

Then define the MAP-CLASSes:


(config)#map-class frame-relay R2
(config-map-class)#frame-relay interface-queue priority ?
  high    medium    normal    low

And then apply the map classes to different PVCs:


(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class R2

And define the QUEUE SIZES on the interface:


(config-if)#frame-relay interface-queue priority ?
  <1-1024>  High limit
(config-if)#frame-relay interface-queue priority 40 ?
  <1-1024>  Medium limit
(config-if)#frame-relay interface-queue priority 40 80 ?
  <1-1024>  Normal limit
(config-if)#frame-relay interface-queue priority 40 80 120 ?
  <1-1024>  Lower limit

Now check the PRIORITY on the DLCI:


#sh frame-relay pvc 102 | i pri
  priority low


____________________________________________________________________________________________________________________

QoS Frame-Relay PAYLOAD and HEADER COMPRESSION


____________________________________________________________________________________________________________________
(has to be configured on BOTH ENDS).
PAYLOAD COMPRESSION, POINT-TO-POINT LINK:
(config-subif)#frame-relay payload-compression ?
  FRF9              FRF9 encapsulation
  data-stream       cisco proprietary encapsulation
  packet-by-packet  cisco proprietary encapsulation    <--- WHEN THE SUB-INTERFACE IS POINT-TO-POINT

PAYLOAD COMPRESSION, MULTIPOINT LINK:


If the SUB-interface is MULTIPOINT:
(config-subif)#frame map ip 10.1.13.3 103 payload-compression packet-by-packet

HEADER COMPRESSION:
(config-subif)#frame-relay ip tcp header-compression ?
  passive  Compress for destinations sending compressed headers    <--- COMPRESS IF THE RECEIVED TRAFFIC IS COMPRESSED
  <cr>

You can also configure RTP Header Compression, not only TCP:
(config-if)#frame-relay map ip 162.1.0.3 403 broadcast rtp header-compression

____________________________________________________________________________________________________________________

QoS CBWFQ - configured using MQC


____________________________________________________________________________________________________________________
- Guarantee a MINIMUM BANDWIDTH, multiple FIFO queues
- Can be combined with WRED to prevent CONGESTION
- Default queue limit is 64, after this the packets are dropped; to change it do:
(config-pmap-c)#queue-limit 128

- Only 75% of the BW can be defined (can be changed with the "max-reserved-bandwidth" command)
- To define the Fair Queuing:
(config-pmap-c)#fair-queue [1024]    <- 1024 is the number of Dynamic Conversation Queues

____________________________________________________________________________________________________________________

QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command
____________________________________________________________________________________________________________________
LLQ introduces STRICT PRIORITY to CBWFQ. Unlike PRIORITY-QUEUING it uses ONLY 1 priority QUEUE, and the other classes are NOT subject to starvation (the priority class is policed during congestion).
"priority 256" ensures that all traffic UP TO 256kbps is SERVED FIRST.
The LLQ scheduler only triggers WHEN THERE IS CONGESTION (when the Tx ring is FULL), so in non-congestion situations this class CAN USE MORE BW!!!
"priority" - Guarantees the BW; during congestion the exceeding traffic is DROPPED.
Can also be defined as a percentage using the command "priority percent X".
You can define the BURST bits, because for VoIP traffic, for example, it's much better to burst in small packets:
(config-pmap-c)#priority 128000 6400 <-Bc is 6400 BYTES


____________________________________________________________________________________________________________________

Define the QoS Schedule (TIME-RANGE command)


____________________________________________________________________________________________________________________
Start by defining the time using the "time-range" command:
(config)#time-range WEEKDAYS
(config-time-range)#periodic weekdays 11:00 to 15:00

and ATTACH it to the ACL:


(config)#access-list 100 permit tcp any any eq www time-range WEEKDAYS

____________________________________________________________________________________________________________________

QoS CAR (Committed Access Rate) - "rate-limit" Interface Command


____________________________________________________________________________________________________________________
It is another way of defining the CIR/Bc/Be and the EXCEED, CONFORM and VIOLATE actions directly on the interface. Instead of a CLASS-MAP, an ACL needs to be defined to match the traffic, in this case ACCESS-LIST 100:
(config-if)#rate-limit output access-group 100 24000 3750 3750

(3750 is the BURST, and IT'S IN BYTES not bits!!! Consult the proctor about this!)
#show interface Fa0/0 rate-limit    <-- Check the PARAMETERS

____________________________________________________________________________________________________________________

NBAR (match protocol XXX) - if you need to match the port without the ACL
____________________________________________________________________________________________________________________
The QoS policy can also be applied in order to filter traffic of some protocol. For example, if you want to filter on the URL of the HTTP request, first define the class map where you match the protocol HTTP and the URL:
(config)#class-map match-all FILTER_HTTP
(config-cmap)#match protocol http url *.mp3|*.avi    <-- THIS WILL FILTER ALL THE MP3 AND AVI FILES VIA HTTP

and then configure the DROP action within the policy:


policy-map FILTER_HTTP_POLICY
 class FILTER_HTTP
  drop

CEF must be enabled to run NBAR!!!
(config)#ip cef
The first time it will take some time to MATCH the PROTOCOL as NBAR is LOADING the PDLMs (Signature Files) into memory, but afterwards it will go faster.

IMPORTANT: If the Bc isn't specified - it will match the CIR/32 or 1500 Bytes (Whichever is HIGHER!!!) with Tc = 250 ms

SINGLE RATE - SINGLE BUCKET: Be is DISABLED (If it's configured the system will ignore it)
BURST: Minimal Amount:
(config-pmap-c)#police 10000000 bc ?
  <1000-512000000>  Burst bytes                                    <--- so 1000 is the MINIMAL BURST
  conform-action    action when rate is less than conform burst
  pir               Peak Information Rate
  <cr>
(config-pmap-c)#police 10000000 bc 1000 conform-action transmit exceed-actio$

Conform burst size increased to 5000 <--- SETS IT TO THE MINIMUM DEPENDING ON THE BW


____________________________________________________________________________________________________________________

DUAL RATE - DUAL BUCKET


____________________________________________________________________________________________________________________
DUAL RATE traffic contract: supply the customer with two sending rates (CIR and PIR), but only guarantee the smaller one. In case of congestion in the network, discard traffic that exceeds the committed rate more aggressively and signal the customer to slow down to the committed rate.
Peak Information Rate (PIR) is the additional parameter compared to the SINGLE BUCKET traffic contract. It defines the MAXIMUM average sending rate for the customer.
Bc: If Bc is not configured - the HIGHEST value is chosen between 1500 Bytes and CIR/32
Be: If Be is not configured - the HIGHEST value is chosen between 1500 Bytes and PIR/32 (PIR - Peak Information Rate)
=> Either define PIR and CIR, or Bc and Be
!!!In DUAL RATE - Be has a different meaning, Be = PIR x Tc
____________________________________________________________________________________________________________________

WRED - Weighted Random Early Detection and CB-WRED


____________________________________________________________________________________________________________________
THRESHOLDS need to be defined (how many packets from the end of the queue are to be dropped)
WRED drops SOME packets between the MIN and MAX THRESHOLD (based on the mark probability denominator)
WRED drops ALL packets above the MAX
(config-pmap-c)#random-detect precedence 4 ?           <- PRECEDENCE VALUE 4
  <1-4096>  minimum threshold (number of packets)
(config-pmap-c)#random-detect precedence 4 24 ?        <- MINIMUM THRESHOLD (DROPPED packet number in the queue)
  <1-4096>  maximum threshold (number of packets)
(config-pmap-c)#random-detect precedence 4 24 40 ?     <- MAXIMUM THRESHOLD is 40
  <1-65535>  mark probability denominator
  <cr>

(config-pmap-c)#random-detect precedence 4 24 40 10

Mark probability denominator means one in how many packets is dropped once the average queue depth reaches the MAX threshold. So, by the time there are 40 packets in the queue ONE IN EVERY 10 PACKETS will be dropped if the mark probability denominator has a value of 10; between the MIN and MAX threshold the drop probability rises linearly from 0 up to that 1-in-10.
*To configure RED, rather than WRED, use the same parameters for each precedence
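The drop profile that "random-detect precedence 4 24 40 10" configures, evaluated for a few average queue depths, as an added example that is not part of the original notes. The precedence 4 numbers are the ones above; the precedence 0 profile and the averaging function (IOS's exponential-weighting-constant, default 9) are assumptions added to show the "weighted" part of WRED.

```python
# Added example, not part of the original notes: evaluate the WRED
# profile "random-detect precedence 4 24 40 10" for sample average
# queue depths. The precedence 0 profile is constructed.

# precedence -> (min threshold, max threshold, mark probability denominator)
WRED_PROFILES = {
    4: (24, 40, 10),   # the profile configured in the notes
    0: (16, 40, 10),   # constructed: lower precedence starts dropping earlier
}


def wred_drop_probability(avg_depth, min_th, max_th, denominator):
    """Probability that one arriving packet is dropped.

    0 below min_th, rising linearly to 1/denominator at max_th,
    and 1.0 (every packet, tail drop) above max_th.
    """
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    fraction = (avg_depth - min_th) / (max_th - min_th)
    return fraction / denominator


def drop_probability_for(precedence, avg_depth, profiles=WRED_PROFILES):
    """Pick the profile for a packet's IP precedence.

    Simplification for this example: a precedence with no profile in
    the table is never WRED-dropped.
    """
    if precedence not in profiles:
        return 0.0
    return wred_drop_probability(avg_depth, *profiles[precedence])


def average_queue_depth(old_avg, current_depth, exp_weight=9):
    """IOS-style running average used for the threshold comparison:
    avg = old * (1 - 2^-n) + current * 2^-n, n = exponential-weighting-constant."""
    w = 2 ** -exp_weight
    return old_avg * (1 - w) + current_depth * w


def expected_drops(precedence, avg_depth, packets):
    """Average number of `packets` arrivals WRED would drop at this depth."""
    return packets * drop_probability_for(precedence, avg_depth)


if __name__ == "__main__":
    for depth in (20, 24, 32, 40, 41):
        print(depth,
              round(drop_probability_for(4, depth), 3),
              round(drop_probability_for(0, depth), 3))
```

At an average depth of 40, expected_drops(4, 40, 100) gives 10.0, i.e. one in every ten packets, while precedence 0 already sees drops at depth 20 where precedence 4 sees none.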


WAN


____________________________________________________________________________________________________________________

Frame-Relay TIPS
____________________________________________________________________________________________________________________
TIP: Make sure KEEPALIVEs are ENABLED on a Frame-Relay interface!!!
The MODE of operation of the EEK (End to End Keepalive) requests can be configured within the map-class:
(config)#map-class frame-relay KEEPALIVE
(config-map-class)#frame-relay end-to-end keepalive mode ?
  bidirectional  Set bidirectional mode
  passive-reply  Set passive-reply mode
  reply          Set unidirectional reply mode
  request        Set unidirectional request mode

TIP: When you want to configure one interface to be another's BACKUP, just do this command on the primary interface:
(config-subif)#backup interface Serial 0/1/1
*Jan 12 18:23:49.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to down
(config-subif)#backup delay 0 300    <- CONFIGURE A 5 MINUTE PREEMPT DELAY

____________________________________________________________________________________________________________________

FRAME RELAY QoS


____________________________________________________________________________________________________________________
QoS is different on Frame-relay links. First of all - about the QoS marking and how to collect this information. There is a feature called IP ACCOUNTING, used to collect various data.
(config-if)#ip accounting ?
  access-violations  Account for IP packets violating access lists on this interface
  output-packets     Account for IP packets output on this interface
  precedence         Count packets by IP precedence on this interface
(config-if)#ip accounting precedence input    <- CHECK THE IP PRECEDENCE OF THE INCOMING PACKETS

Define the THRESHOLD (how many packets to monitor):


(config)#ip accounting-threshold 5000

Check the accounted PRESEDENCE values:


#sh inter s0/1/0 precedence
Serial0/1/0
  Input
    Precedence 0:  50 packets, 5200 bytes
    Precedence 6:  16 packets, 850 bytes

To configure traffic SHAPING on a Frame Relay interface, you can use MQC, CBTS or, simplest, the Legacy MAP-CLASS:
(config)#map-class frame-relay R4_504
 frame-relay cir 512000
 frame-relay bc 25600
 frame-relay be 76800                        <- SPECIAL ATTENTION WHEN CONFIGURING Be!!!
 frame-relay mincir 384000
 frame-relay adaptive-shaping interface-congestion

*Be is a BURST sent when enough CREDIT has been accumulated. This still means that Bc and Be together cannot exceed what the PHYSICAL INTERFACE RATE (AIR) can send in one Tc => (Bc+Be) <= AIR x Tc

(config)#map-class frame-relay R3_513
 frame-relay cir 128000
 frame-relay bc 6400
 frame-relay be 0                            <- YOU HAVE TO SET IT TO 0 IF NO BURST IS ALLOWED
 frame-relay mincir 96000
 frame-relay adaptive-shaping [interface-congestion | becn]    <- BE SURE WHAT YOU'RE ASKED TO DO HERE

*BECN is a CONGESTION NOTIFICATION telling the senders to slow down their SENDING RATE, so if you set BECN here this router will engage the SHAPING feature upon receiving the BECN flag in a frame.
And then apply it on the INTERFACE, or directly to the DLCI:
(config-if)#frame interface-dlci 513
(config-fr-dlci)#class R3_513
(config-if)#frame-relay interface-dlci 504
(config-fr-dlci)#class R4_504


____________________________________________________________________________________________________________________

PHYSICAL INTERFACE CONFIGURATION:


____________________________________________________________________________________________________________________
- Disable Inverse ARP because IP/DLCI Mapping is configured manually
- BROADCAST at the end of the MAPPING line
On a HUB Router:
interface Serial1/0
 ip address 10.1.100.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 10.1.100.2 102 broadcast
 frame-relay map ip 10.1.100.3 103 broadcast
 frame-relay map ip 10.1.100.4 104 broadcast
 no frame-relay inverse-arp

On SPOKE Routers:
interface Serial1/0
 ip address 10.1.100.2 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 10.1.100.4 201               <--- NO NEED FOR "broadcast" TO OTHER HUBS, it creates extra traffic
 frame-relay map ip 10.1.100.3 201
 frame-relay map ip 10.1.100.2 201
 frame-relay map ip 10.1.100.1 201 broadcast
 no frame-relay inverse-arp

!!! Don't forget to check THE CONTROLLER on the interface, and see if we are DTE or DCE
#show controllers s1/0

If we are DCE - CLOCKRATE NEEDS TO BE SET or the VC will not transition into UP/UP
LMI - Keepalives in Frame Relay, you can see them:
#show frame-relay lmi | i Status
  Invalid Status Message 0             Invalid Lock Shift 0
  Num Status Enq. Sent 108             Num Status msgs Rcvd 108

If you want to FORCE the DCE and provide the clocking:


(config-if)#frame-relay intf-type dce

Frame Relay Header - 2 BYTES:


|            Byte 1            ||                    Byte 2                    |
| DLCI (6) | C/R (1) | EA (1)  || DLCI (4) | FECN (1) | BECN (1) | DE (1) | EA (1) |
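A pack/unpack of the two-byte header drawn above, as an added example that is not part of the original notes; it also shows why "show frame-relay map" prints dlci 102 as (0x66,0x1860), and counts the FECN/BECN/DE bits the way the "in FECN/BECN/DE pkts" counters in "show frame-relay pvc" do. All frames are constructed.

```python
# Added example, not part of the original notes: pack and unpack the
# two-byte Frame Relay (Q.922) address field. Frames are constructed.


def fr_header_pack(dlci, cr=0, fecn=0, becn=0, de=0):
    """Build the 2-byte header: EA=0 in byte 1 (more address follows),
    EA=1 in byte 2 (last address byte)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a 2-byte header carries a 10-bit DLCI")
    byte1 = ((dlci >> 4) << 2) | ((cr & 1) << 1)          # high 6 DLCI bits, C/R, EA=0
    byte2 = (((dlci & 0x0F) << 4) | ((fecn & 1) << 3)
             | ((becn & 1) << 2) | ((de & 1) << 1) | 1)   # low 4 DLCI bits, flags, EA=1
    return bytes([byte1, byte2])


def fr_header_unpack(frame):
    """Split the first two bytes of a frame into its fields."""
    if len(frame) < 2:
        raise ValueError("truncated header")
    b1, b2 = frame[0], frame[1]
    return {
        "dlci": ((b1 >> 2) << 4) | (b2 >> 4),
        "cr": (b1 >> 1) & 1,
        "fecn": (b2 >> 3) & 1,
        "becn": (b2 >> 2) & 1,
        "de": (b2 >> 1) & 1,
        "ea": (b1 & 1, b2 & 1),     # (0, 1) for a well-formed 2-byte header
    }


def ios_dlci_hex(dlci):
    """Second value in 'dlci 102(0x66,0x1860)': the DLCI bits placed in
    the address field with every control bit (C/R, EA, FECN, BECN, DE) zero."""
    return ((dlci >> 4) << 10) | ((dlci & 0x0F) << 4)


def congestion_counters(frames):
    """What 'show frame-relay pvc' counts as in FECN / BECN / DE pkts
    for a list of received frames."""
    counts = {"fecn": 0, "becn": 0, "de": 0}
    for frame in frames:
        header = fr_header_unpack(frame)
        for flag in counts:
            counts[flag] += header[flag]
    return counts


if __name__ == "__main__":
    # constructed sample: one clean frame, one BECN, one BECN+DE
    sample = [fr_header_pack(102),
              fr_header_pack(102, becn=1),
              fr_header_pack(102, becn=1, de=1)]
    print(hex(ios_dlci_hex(102)), congestion_counters(sample))
```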

____________________________________________________________________________________________________________________

POINT-TO-POINT SUB-INTERFACE:
____________________________________________________________________________________________________________________
- No need for Inverse ARP disabling, as it's a P2P Link so it's disabled by default
- Only define an INTERFACE DLCI, because it's a direct connection
interface Serial1/0.21 point-to-point
 ip address 10.1.12.2 255.255.255.0
 frame-relay interface-dlci 201

#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
          status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast
          status defined, active
Serial1/0.14 (up): point-to-point dlci, dlci 104(0x68,0x1880), broadcast
          status defined, active


____________________________________________________________________________________________________________________

POINT-TO-MULTIPOINT SUB-INTERFACE:
____________________________________________________________________________________________________________________
- Configure the DLCI-to-IP mapping, without broadcast
____________________________________________________________________________________________________________________

VIRTUAL TEMPLATE (CAN ONLY BE DONE ON MULTIPOINT OR PHYSICAL INTERFACE)


____________________________________________________________________________________________________________________
If MAPPING is not allowed:
(config-if)#frame-relay interface-dlci 102 ?
  ppp       Use RFC1973 Encapsulation to support PPP over FR
  switched  Define a switched DLCI
  <cr>

(config-if)#frame-relay interface-dlci 102 ppp ?
  Virtual-Template  Virtual Template interface

(config-if)#frame-relay interface-dlci 102 ppp Vir
(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template ?
  <1-200>  Virtual-Template interface number

(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template 1

And only assign the IP Address (L3) to the Virtual Template interface:
interface Virtual-Template1
 ip address 10.1.100.1 255.255.255.0

OR, if you want to RE-USE the defined IP on a Loopback:


(config-if)#ip unnumbered lo0 <-under the Virtual Template interface

Now on the Routing Table the INJECTED HOST ROUTES can be found:
#show ip route
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.100.0/24 is directly connected, Virtual-Access1
L       10.1.100.1/32 is directly connected, Virtual-Access1
C       10.1.100.2/32 is directly connected, Virtual-Access1


____________________________________________________________________________________________________________________

FRAME RELAY AUTHENTICATION


____________________________________________________________________________________________________________________

CONFIGURED IN THE VIRTUAL TEMPLATE (refer to the description above)


First in the Global Config mode define the credentials (username and password):
(config)#username R2 password 0 cisco12 <--- R2 is HOSTNAME of the OTHER SIDE!!!

Create a VIRTUAL TEMPLATE and assign IP ADDRESSES to VIRTUAL TEMPLATE:


(config-subif)#frame-relay interface-dlci 102 ppp Virtual-Template 1
*Aug 17 11:12:46.763: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

Then configure the authentication details:


(config-if)#ppp chap hostname R1
(config-if)#ppp authentication chap ?    <--- DEFINE WHEN TO AUTHENTICATE
  WORD        Use an authentication list with this name
  callback    Authenticate remote on callback only
  callin      Authenticate remote on incoming call only    <--- SEND CHALLENGE WHEN CALLED
  callout     Authenticate remote on outgoing call only
  default     Use the default authentication list
  eap         Extensible Authentication Protocol (EAP)
  ms-chap     Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  ms-chap-v2  Microsoft CHAP Version 2 (MS-CHAP-V2)
  one-time    Allow use of username*OTP for one-time passwords
  optional    Allow peer to refuse to authenticate
  pap         Password Authentication Protocol (PAP)
  <cr>

On the other side of the P2P link, configure USERNAME as CHAP HOSTNAME:
(config)#username R1 password 0 cisco12

And here is some PPP Authentication DEBUG:


*Aug 17 11:42:23.371: Vi1 PPP: Using default call direction
*Aug 17 11:42:23.371: Vi1 PPP: Treating connection as a dedicated line
*Aug 17 11:42:23.371: Vi1 PPP: Session handle[C400010C] Session id[266]
*Aug 17 11:42:23.443: Vi1 CHAP: I CHALLENGE id 1 len 23 from "R1"    <--- CHALLENGE INBOUND
*Aug 17 11:42:23.443: Vi1 PPP: Sent CHAP SENDAUTH Request
*Aug 17 11:42:23.447: Vi1 PPP: Received SENDAUTH Response PASS
*Aug 17 11:42:23.447: Vi1 CHAP: Using hostname from interface CHAP
*Aug 17 11:42:23.447: Vi1 CHAP: Using password from AAA
*Aug 17 11:42:23.447: Vi1 CHAP: O RESPONSE id 1 len 23 from "R2"     <--- RESPONSE OUTBOUND
*Aug 17 11:42:23.463: Vi1 CHAP: I SUCCESS id 1 len 4

For PAP the HOSTNAME is sent outbound (as a Challenge) using:


(config-if)#ppp pap sent-username USERNAME password 0 Cisqueros
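The three CHAP packets from the debug above (I CHALLENGE, O RESPONSE, I SUCCESS), computed per RFC 1994 and placed next to what "ppp pap sent-username" puts on the wire, as an added example that is not part of the original notes. It reuses the hostnames and shared secret from the notes (R1, R2, cisco12); the 16-byte challenge value is constructed for the example.

```python
"""Added example, not from the original notes: the CHAP handshake seen in the
debug, computed per RFC 1994, next to the clear-text PAP request. Hostnames and
the shared secret come from the notes; the challenge bytes are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# What "username R2 password 0 cisco12" (on R1) and "username R1 password 0
# cisco12" (on R2) create: a lookup keyed by the PEER's CHAP hostname.
USER_DB = {"R1": b"cisco12", "R2": b"cisco12"}

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_packet(code: int, identifier: int, data: bytes) -> bytes:
    """CHAP header: Code(1) Identifier(1) Length(2), then Data. A 16-byte value
    plus a 2-character name gives Length 23, the 'len 23' in the debug."""
    length = 4 + len(data)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + data


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_challenge(identifier: int, challenge: bytes, my_name: str) -> bytes:
    """Authenticator (R1): Value-Size, Value, Name. Only the random value and
    the hostname leave the box; the secret itself never does."""
    return chap_packet(CHAP_CHALLENGE, identifier,
                       bytes([len(challenge)]) + challenge + my_name.encode())


def parse_value_and_name(pkt: bytes) -> Tuple[int, bytes, str]:
    """Split a Challenge or Response packet into (identifier, value, name)."""
    identifier = pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    body = pkt[4:length]
    vsize = body[0]
    return identifier, body[1:1 + vsize], body[1 + vsize:].decode()


def answer_challenge(pkt: bytes, my_name: str, secret: bytes) -> bytes:
    """Peer (R2): hash the received challenge with the shared secret and send
    the digest plus its own CHAP hostname ('ppp chap hostname R2')."""
    identifier, challenge, _peer = parse_value_and_name(pkt)
    digest = chap_digest(identifier, secret, challenge)
    return chap_packet(CHAP_RESPONSE, identifier,
                       bytes([len(digest)]) + digest + my_name.encode())


def verify_response(pkt: bytes, expected_id: int, challenge: bytes) -> bytes:
    """Authenticator (R1): recompute the digest from the username database and
    reply SUCCESS or FAILURE. compare_digest avoids a timing side channel."""
    identifier, digest, peer_name = parse_value_and_name(pkt)
    secret = USER_DB.get(peer_name)
    ok = (identifier == expected_id and secret is not None
          and hmac.compare_digest(digest, chap_digest(identifier, secret, challenge)))
    return chap_packet(CHAP_SUCCESS if ok else CHAP_FAILURE, identifier, b"")


def chap_exchange(identifier: int = 1, challenge: Optional[bytes] = None,
                  peer_secret: bytes = b"cisco12") -> dict:
    """Run the three packets from the debug and report what each side saw."""
    challenge = challenge or os.urandom(16)
    chal = build_challenge(identifier, challenge, "R1")        # R1 -> R2
    resp = answer_challenge(chal, "R2", peer_secret)           # R2 -> R1
    result = verify_response(resp, identifier, challenge)      # R1 -> R2
    return {"challenge_len": len(chal), "response_len": len(resp),
            "result_len": len(result), "success": result[0] == CHAP_SUCCESS}


def pap_request(username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request data as sent by 'ppp pap sent-username': the
    password is carried in clear text, which is why CHAP is preferred."""
    return (bytes([len(username)]) + username.encode()
            + bytes([len(password)]) + password)
```
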


____________________________________________________________________________________________________________________

FRAME RELAY End-to-End KEEPALIVE


____________________________________________________________________________________________________________________
Routers depend on LMI to maintain the ACTIVE CONNECTION, but it's not END-TO-END, as intermediate switches may not support NNI LMIs.
=> FREEK (Frame Relay End-to-End Keepalive) is used to give the local router the status of the other end.
FREEK maintains 2 interval keepalives:
1. Send side > Sends keepalives and handles the responses
2. Receive side > Handles the requests and replies to them
So it needs to be configured ON BOTH SIDES! It's configured within the MAP CLASS!!!
(config)#map-class frame-relay FREEK
(config-map-class)#frame-relay end-to-end keepalive ?
  error-threshold  End-to-end keepalive error threshold
  event-window     End-to-end keepalive event window
  mode             End-to-end keepalive mode
  success-events   End-to-end keepalive success events
  timer            End-to-end keepalive timer

(config-map-class)#frame-relay end-to-end keepalive mode ?
  bidirectional  Set bidirectional mode <--- BOTH SIDES REPLY AND REQUEST
  passive-reply  Set passive-reply mode
  reply          Set unidirectional reply mode <--- THE OTHER SIDE REQUESTS, THIS SIDE REPLIES
  request        Set unidirectional request mode <--- THIS SIDE REQUESTS, OTHER SIDE REPLIES

Once the MAP CLASS has been defined, apply it under the DLCI on the SUB-INTERFACE:
(config-map-class)#int s1/0.21
(config-subif)#frame-relay interface-dlci 201
(config-fr-dlci)#class FREEK <--- APPLY THE DEFINED MAP CLASS
*Aug 17 13:47:13.179: %FR_EEK-5-FAILED: Interface Serial1/0.21 - DLCI 201

Before applying the FREEK to the other side of the link:


#show frame-relay end-to-end keepalive

End-to-end Keepalive Statistics for Interface Serial1/0 (Frame Relay DTE)
  DLCI = 102, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK DOWN)
    SEND SIDE STATISTICS
      Send Sequence Number: 7,       Receive Sequence Number: 4
      Configured Event Window: 3,    Configured Error Threshold: 2
      Total Observed Events: 9,      Total Observed Errors: 3
      Monitored Events: 3,           Monitored Errors: 3
      Successive Successes: 0,       End-to-end VC Status: DOWN
    RECEIVE SIDE STATISTICS
      Send Sequence Number: 3,       Receive Sequence Number: 2
      Configured Event Window: 3,    Configured Error Threshold: 2
      Total Observed Events: 8,      Total Observed Errors: 3
      Monitored Events: 3,           Monitored Errors: 3
      Successive Successes: 0,       End-to-end VC Status: DOWN
      Failures Since Started: 1,     Last Failure: 00:00:16

Once the FREEK has been applied to BOTH SIDES, the VC goes "UP" (both SEND and RECEIVE side). DEBUG FREEK:
#debug frame-relay end-to-end keepalive events
Frame-relay EEK events debugging is on
*Aug 17 13:51:42.775: EEK SUCCESS (reply, Serial1/0.12 DLCI 102)
*Aug 17 13:51:44.063: EEK SUCCESS (request, Serial1/0.12 DLCI 102)

FREEK TIMERS can also be tuned, using:


(config-map-class)#frame-relay end-to-end keepalive timer [send | receive] 3 <--- DEPENDS IF ITS SEND OR RECEIVE SIDE
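A small model of how one FREEK side turns keepalive events into the End-to-end VC Status shown above, as an added example that is not part of the original notes. How the three knobs interact is this example's assumption, taken from the command help: the event window holds the last N events, reaching the error threshold inside that window brings the VC DOWN, and success-events consecutive successes bring it back UP; the replay uses the window 3 / threshold 2 values from the show output above.

```python
"""Added example, not from the original notes: a model of a FREEK side
(SEND or RECEIVE) deciding the End-to-end VC Status. The knob semantics
(window / threshold / success-events) are this example's assumption."""
from collections import deque
from typing import Iterable


class EekSide:
    """One side of a FREEK-monitored DLCI, mirroring the show-command counters."""

    def __init__(self, event_window: int = 3, error_threshold: int = 2,
                 success_events: int = 2):
        self.window = deque(maxlen=event_window)   # the monitored events
        self.error_threshold = error_threshold
        self.success_events = success_events
        self.total_events = 0
        self.total_errors = 0
        self.successive_successes = 0
        self.failures_since_started = 0
        self.status = "UP"

    @property
    def monitored_errors(self) -> int:
        return sum(1 for ok in self.window if not ok)

    def event(self, ok: bool) -> str:
        """Record one keepalive event (reply seen, or timeout) and return the status."""
        self.window.append(ok)
        self.total_events += 1
        if ok:
            self.successive_successes += 1
        else:
            self.total_errors += 1
            self.successive_successes = 0
        # Errors are judged inside the window, so scattered errors that never
        # reach the threshold at the same time do not bring the VC down.
        if self.status == "UP" and self.monitored_errors >= self.error_threshold:
            self.status = "DOWN"
            self.failures_since_started += 1
        elif self.status == "DOWN" and self.successive_successes >= self.success_events:
            self.status = "UP"
        return self.status

    def stats(self) -> dict:
        """The fields 'show frame-relay end-to-end keepalive' prints per side."""
        return {"Total Observed Events": self.total_events,
                "Total Observed Errors": self.total_errors,
                "Monitored Events": len(self.window),
                "Monitored Errors": self.monitored_errors,
                "Successive Successes": self.successive_successes,
                "End-to-end VC Status": self.status}


def vc_status(send: EekSide, receive: EekSide) -> str:
    """Bidirectional mode: the VC is UP only when both sides are UP."""
    return "UP" if send.status == receive.status == "UP" else "DOWN"


def replay(send_events: Iterable[bool], receive_events: Iterable[bool], **knobs) -> dict:
    """Feed constructed event sequences to both sides and return the summary.
    All-False sequences reproduce the one-sided configuration above, where the
    far end never answers and the VC shows ACTIVE (EEK DOWN)."""
    send, recv = EekSide(**knobs), EekSide(**knobs)
    for ok in send_events:
        send.event(ok)
    for ok in receive_events:
        recv.event(ok)
    return {"send": send.stats(), "receive": recv.stats(), "vc": vc_status(send, recv)}
```
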


____________________________________________________________________________________________________________________

FRAME-RELAY MULTILINKING
____________________________________________________________________________________________________________________
If you need 2 LINKS to appear as ONE FRAME RELAY LINK => use PPP MULTILINK. This might seem a bit illogical in the beginning, but once you've been through it a few times you get the philosophy of it. This feature is also used when you need to implement features not supported natively on Frame Relay, such as Authentication or fragmentation schemes.
Start by creating a MULTILINK INTERFACE, and define it as PPP Multilink:
(config)#interface multilink 12
(config-if)#ppp multilink

Define the MAX number of links within the MULTILINK, if you want:
(config-if)#ppp multilink links maximum 2
(config-if)#ppp multilink links minimum 1

Create the MULTILINK GROUP:


(config-if)#ppp multilink group 12 <--- PPP MULTILINK GROUP

Now, create a VIRTUAL-TEMPLATE interface and assign the created MULTILINK GROUP to it:
(config)#interface virtual-template 12
(config-if)#ppp multilink group 12

Lastly, create the MULTIPOINT sub-interface and connect it to the VIRTUAL TEMPLATE:
(config)#inter serial 1/0.12 multipoint <--- ON ALL THE INTERFACES WE WANT "MULTILINKED"
(config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 12

Check the Multilink:


#show ppp multilink
Multilink12
  Bundle name: R2
  Remote Endpoint Discriminator: [1] R2
  Local Endpoint Discriminator: [1] R1
  Bundle up for 00:01:10, total bandwidth 100000, load 1/255
  Receive buffer limit 12000 bytes, frag timeout 1000 ms
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x0 received sequence, 0x0 sent sequence
  Member links: 1 active, 1 inactive (max 2, min not set)
    Vi4, since 00:01:10
    Vt12 (inactive)
No inactive multilink interfaces

*If you want AUTHENTICATION, be sure to configure it under the VIRTUAL TEMPLATE interface:
(config)#int Virtual-Template23
(config-if)#ppp authentication chap

NO FRAME RELAY SWITCH: If there is NO FRAME RELAY SWITCH, THERE IS NO LMI, so KEEPALIVE needs to be DISABLED!!!
- DLCI should be identical on both sides
- clock rate HAS TO BE SET ON THE DCE SIDE


____________________________________________________________________________________________________________________

FRAME-RELAY AUTO-INSTALL
____________________________________________________________________________________________________________________
A router is a BOOTP server by default, unless the feature has been turned off. So if you need a FR interface to get its IP address from a remote server, use "ip helper-address" and POINT IT TO THE BROADCAST address:
(config-if)#ip helper-address 172.28.185.255

Make sure that the DIRECTED INTERFACE supports broadcast:


(config-if)#ip directed-broadcast


IP Multicast


____________________________________________________________________________________________________________________

Multicast TIPS
____________________________________________________________________________________________________________________

TIP: On Frame-Relay, besides "ip pim sparse-mode", configure "ip pim nbma-mode". This way there will not be a pseudo broadcast to detect PIM neighbors and multicast sources. Each node will be treated as a P2P connection, and it's done ONLY on the interfaces that should RECEIVE from ONE PIM Neighbor and SEND to ANOTHER on the SAME INTERFACE.

TIP: Use the interface commands "ip multicast boundary ACL" and "ip pim neighbor-filter ACL" to filter out IGMP Groups and PIM Neighbors.
TIP: To LIMIT the OUTBOUND Multicast RATE on the interface, in this example to 1Mbps, use the command:
(config-if)#ip multicast rate-limit out 1000

REMINDER:

SHARED TREE - The traffic goes to the RP first
SOURCE BASED TREE - Sends the traffic directly to the Multicast clients
If you need to define the BW limit to switch to the SOURCE BASED TREE:
(config)#ip pim spt-threshold 128

____________________________________________________________________________________________________________________

Multicast - IGMP
____________________________________________________________________________________________________________________
Applications that take advantage of multicast include video conferencing, corporate communications, distance learning and distribution of software, stock quotes, and news. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address. The sending host inserts the multicast group address into the IP destination address field. Any host, regardless of whether it is a member of a group, can send to a group. However, only the members of a group receive the message.
IOS supports the following protocols to implement IP multicast routing:
1. IGMP - used between hosts on a LAN and routers on that LAN to track the multicast groups of which hosts are members.
2. PIM (Protocol Independent Multicast) - used between routers so that they can track which multicast packets to forward to each other and to their directly connected LANs.
3. DVMRP (Distance Vector Multicast Routing Protocol) - used on the MBONE (the multicast backbone of the Internet). The software supports PIM-to-DVMRP interaction.
4. CGMP (Cisco Group Management Protocol) - performs tasks similar to IGMP.

Any Source Multicast (ASM)


G group - a multicast group for ASM. By joining this group, the receiver HOST IS INDICATING THAT IT WANTS TO RECEIVE IP multicast traffic SENT BY ANY SOURCE to group G. An ASM group should only be used by a single application!!!

Source Specific Multicast (SSM)


A datagram delivery model that best supports one-to-many applications (targeted at AUDIO and VIDEO). An IP multicast receiver host must use IGMP Version 3 (IGMPv3) to subscribe to channel (S,G) if it wants to receive IP MULTICAST TRAFFIC SENT BY SOURCE HOST S TO GROUP G. IP multicast packets are delivered to all hosts in the network that have subscribed to the channel (S,G).


PIM (Protocol Independent Multicast)


PIM is not dependent on a specific unicast routing protocol; it is IP routing protocol independent and can leverage whichever unicast routing protocols are used to populate the unicast routing table. It uses the unicast routing table to perform the REVERSE PATH FORWARDING (RPF) check function instead of building up a completely independent multicast routing table. PIM can operate in dense mode or sparse mode.
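The RPF check described above, done against a constructed unicast RIB the way PIM reuses the unicast table, as an added example that is not part of the original notes. The sample pair (source 10.1.56.6 arriving on Serial1/0.24, RPF nbr 10.1.24.4) mirrors the (S,G) entry shown later in the SSM section; every other address and interface is constructed for the example.

```python
"""Added example, not from the original notes: PIM's Reverse Path Forwarding
check against the unicast RIB, plus the (S,G) state it feeds. The RIB and the
packets are constructed for the example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed unicast RIB: (prefix, next hop, outgoing interface).
# Next hop 0.0.0.0 means directly connected.
RIB = [
    ("0.0.0.0/0", "10.1.100.1", "FastEthernet0/0"),
    ("10.1.56.0/24", "10.1.24.4", "Serial1/0.24"),
    ("10.1.24.0/24", "0.0.0.0", "Serial1/0.24"),
]


def unicast_lookup(rib, source: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (rpf_neighbor, rpf_interface) or None."""
    src = ipaddress.ip_address(source)
    best = None
    for prefix, nh, iface in rib:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])


def rpf_check(rib, source: str, in_iface: str) -> Tuple[bool, Optional[str]]:
    """A multicast packet passes RPF only if it arrived on the interface the
    unicast RIB uses to reach its source. A copy arriving anywhere else, whether
    a loop or traffic injected from the wrong side of the network, is dropped
    before it is ever replicated."""
    hit = unicast_lookup(rib, source)
    if hit is None:
        return False, None            # no route to the source: RPF fails
    rpf_nbr, rpf_iface = hit
    return in_iface == rpf_iface, rpf_nbr


class Mroute:
    """Minimal (S,G) table: incoming interface plus outgoing interface list (OIL),
    the two things 'show ip mroute' prints for a source tree entry."""

    def __init__(self, rib):
        self.rib = rib
        self.entries: Dict[Tuple[str, str], dict] = {}

    def join(self, source: str, group: str, out_iface: str) -> dict:
        """(S,G) join received on out_iface: create state, iif taken from RPF."""
        hit = unicast_lookup(self.rib, source)
        if hit is None:
            raise ValueError(f"no unicast route to {source}")
        rpf_nbr, iif = hit
        entry = self.entries.setdefault(
            (source, group), {"iif": iif, "rpf_nbr": rpf_nbr, "oil": set()})
        entry["oil"].add(out_iface)
        return entry

    def forward(self, source: str, group: str, in_iface: str) -> List[str]:
        """Data plane: RPF check first, then replicate to the OIL minus the
        incoming interface. An empty list means the packet was dropped."""
        entry = self.entries.get((source, group))
        if entry is None:
            return []
        passes, _ = rpf_check(self.rib, source, in_iface)
        if not passes:
            return []                  # counted as an RPF failure, not forwarded
        return sorted(entry["oil"] - {in_iface})
```
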

PIM DENSE mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network. In dense mode, a router assumes that all other routers want to forward multicast packets for a group. If a router receives a multicast packet and has no directly connected members or PIM neighbors present, a prune message is sent back to the source. *Dense mode is not often used and its use is not recommended.

PIM SPARSE mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network segments with active receivers that have EXPLICITLY requested the data will receive the traffic. Sparse mode interfaces are added to the multicast routing table only when periodic Join messages are received from downstream routers, or when a directly connected member is on the interface. If a group has no known RP and the interface is configured to be sparse-dense mode, the interface is treated as if it were in dense mode, and data is flooded over the interface.
____________________________________________________________________________________________________________________

Configure PIM Multicast


____________________________________________________________________________________________________________________
PIM (Protocol Independent Multicast) sends HELLOs to the Multicast address 224.0.0.13 every 30s, and uses IP Protocol number 103.

DENSE MODE - Sends to ALL unless a Prune Message is received from the DOWNSTREAM ROUTER
SPARSE MODE - Sends ONLY if the downstream router JOINS the Multicast Group using the IGMP Protocol
IGMP operates between the client computer and a local multicast router. Switches featuring IGMP snooping derive useful information by observing these IGMP transactions. Protocol Independent Multicast (PIM) is then used between the local and remote multicast routers, to direct multicast traffic from the multicast server to many multicast clients.
Once you decide the Multicast mode you will be configuring, the configuration is rather simple.
STEP 1: Enable Multicast Routing on the Device:
(config)#ip multicast-routing

STEP 2: Configure the PIM MODE on the Interface (or a range); in this case we're doing PIM DENSE MODE:
(config-if-range)#ip pim dense-mode

You will see the MULTICAST NEIGHBORS getting up:


*Dec 9 14:37:26.975: %PIM-5-NBRCHG: neighbor 10.1.100.1 UP on interface FastEthernet0/0 (vrf default)
#sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.1.100.1        FastEthernet0/0          00:01:43/00:01:29 v2    1 / S

NOTE that there is still no RENDEZVOUS POINT (RP):


#sh ip pim rp
(NO OUTPUT)


STEP 3: Check the MULTICAST ROUTING Table. NOTE that when PIM is enabled, IGMP is ALSO ENABLED!!!
#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 00:17:16/00:02:23, RP 0.0.0.0, flags: DCL <-AUTOMATICALLY GENERATED WHEN PIM IS ENABLED
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet0/0, Forward/Dense, 00:17:16/00:00:00

STEP 4: Check the IGMP on the interface:


#show ip igmp interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.100.1/24
  IGMP is enabled on interface <-THIS IS IMPORTANT: IGMPv2 IS ON WHEN PIM IS ENABLED
  Current IGMP host version is 2
  Current IGMP router version is 2
  IGMP query interval is 60 seconds <-FREQUENCY OF QUERIES, SET BY "ip igmp query-interval"
  IGMP querier timeout is 120 seconds <-"ip igmp query-timeout"
  IGMP max query response time is 10 seconds
  Last member query count is 2
  Last member query response interval is 1000 ms
  Inbound IGMP access group is not set
  IGMP activity: 1 joins, 0 leaves
  Multicast routing is enabled on interface
  Multicast TTL threshold is 0
  Multicast designated router (DR) is 10.1.100.2 <-LOWEST SOURCE IP AS THE IGMP QUERIER
  IGMP querying router is 10.1.100.1 (this system)
  Multicast groups joined by this system (number of users):
      224.0.1.40(1)

STEP 4: IMPORTANT: Neither of the following 2 commands is needed if the APPLICATION supports IGMP!!! If you want the host to JOIN a specific MULTICAST GROUP, you can do it with 2 similar commands:
(config-if)#ip igmp join-group 224.1.1.1<-RESPONDS TO PING, EXPIRE TIMER WILL SHOW "STOPPED"

(ICMP: This device will respond to pings to 224.1.1.1, THROUGH THE RPF-FREE PATH) OR
(config-if)#ip igmp static-group 224.1.1.1<-STATIC MEMBERSHIP,IT WILL CAUSE UPSTREAM ROUTERS TO MAINTAIN MROUTE TABLE

*static-group cannot respond to PINGs; it doesn't cause the device to process the multicast packets itself. Instead it just FORWARDS the packets out the interface. ALSO the "static-group" command will cause the device to FAST-SWITCH the group, unlike the "join-group" command, where the groups are PROCESS SWITCHED.
#sh ip igmp membership | b Uptime
Channel/Group                  Reporter        Uptime   Exp.   Flags  Interface
 *,224.1.1.1                   0.0.0.0         00:01:23 stop   2SA    Fa0/0
 *,224.0.1.39                  136.1.245.5     1d17h    02:53  2A     Se0/1/0
 *,224.0.1.40                  136.1.245.2     2d03h    02:43  2LA    Se0/1/0

MULTICAST TIMERS AND STATE LIMITS


To IMMEDIATELY STOP any kind of MULTICAST upon receiving a LEAVE message apply the "immediate leave" command (if you apply it in a Global Config mode, it will apply to ALL the interfaces), and define the ACL 1 to cover all the multicast IPs (224.0.0.0/4):
(config-if)#ip igmp immediate-leave group-list 1
(config)#access-list 1 permit 224.0.0.0 15.255.255.255


If you want to send some QUERY messages before the Router stops forwarding Multicast Traffic:
(config-if)#ip igmp last-member-query-count 2 <-SEND 2 QUERY MESSAGES
(config-if)#ip igmp last-member-query-interval 500 <-SEND QUERIES EVERY 500ms

Another interesting setting within the mroute table is the NUMBER OF STATE CHANGES (can be configured on the interface, or in global config mode):
(config-if)#ip igmp limit 3

The other tune-able timers are:


(config-if)#ip igmp quer?
  querier-timeout          DEAD time of the querier
  query-interval           INTERVAL between each 2 queries
  query-max-response-time  MAX time to wait between 2 queries

Have in mind that PIM-SM actually builds 2 TREES: the UNIDIRECTIONAL SPT (Shortest Path Tree) from the SOURCE to the RP, and the UNIDIRECTIONAL SHARED TREE from the RP to the RECEIVERS. Remember that the SOURCE BASED TREE is the DEFAULT type, and it's rooted at the SOURCE of the Multicast Stream, while the SHARED TREE is where all the packets are sent to the RP first, and then redistributed to the receivers.
____________________________________________________________________________________________________________________

PIM Dense Mode, PIM-DM - For the applications EVERYONE wants


____________________________________________________________________________________________________________________
DENSE mode would be a good choice if you're implementing MULTICAST to support one of the applications that many users within your network will use, because it forwards the traffic assuming that there are users behind all routers. The basic configuration consists of 2 steps: enable Multicast on the router and configure Dense Mode on the interface:
(config)#ip multicast-routing
(config)#int lo0
(config-if)#ip pim dense-mode <-IGMPv2 IS ENABLED BY DEFAULT
#debug ip pim hello <-AND OBSERVE WHAT HAPPENS
*Dec 10 17:24:50.139: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 with GenID = 3542869676
*Dec 10 17:24:50.159: PIM(0): Received v2 hello on Serial0/1/1 from 10.1.13.1
*Dec 10 17:24:50.159: PIM(0): Neighbor (10.1.13.1) Hello GENID = 4018201785
*Dec 10 17:24:50.199: PIM(0): Received v2 hello on Serial0/1/0.34 from 10.1.34.4
*Dec 10 17:24:50.199: PIM(0): Neighbor (10.1.34.4) Hello GENID = 6520
*Dec 10 17:24:51.075: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495
*Dec 10 17:24:51.131: PIM(0): Send periodic v2 Hello on Loopback0 with GenID = 3542761484
*Dec 10 17:24:51.131: PIM(0): Received v2 hello on Loopback0 from 3.3.3.3
*Dec 10 17:25:19.455: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 with GenID = 3542869676
*Dec 10 17:25:19.631: PIM(0): Received v2 hello on Serial0/1/1 from 10.1.13.1
*Dec 10 17:25:19.635: PIM(0): Neighbor (10.1.13.1) Hello GENID = 4018201785
*Dec 10 17:25:20.107: PIM(0): Received v2 hello on Serial0/1/0.34 from 10.1.34.4
*Dec 10 17:25:20.107: PIM(0): Neighbor (10.1.34.4) Hello GENID = 6520
*Dec 10 17:25:20.395: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495
#sh ip pim neighbor | i v2
                                                                   Prio/Mode
10.1.13.1         Serial0/1/1              00:14:14/00:01:17 v2    1 / S
10.1.34.4         Serial0/1/0.34           00:13:14/00:01:18 v2    1 / S

PRUNING
PIM-DM keeps a timer on a PRUNED INTERFACE, and when the timer expires, Multicast traffic runs again until a new PRUNE message is received from a DOWNSTREAM router. You can change how often the CONTROL PACKET is sent down its PRUNED INTERFACE:
(config-if)#ip pim state-refresh origination-interval 60


____________________________________________________________________________________________________________________

STATIC RENDEZVOUS POINT (RP) Configuration


____________________________________________________________________________________________________________________
A rendezvous point (RP) is required in networks running Protocol Independent Multicast sparse mode (PIM-SM). In PIM-SM, traffic will be forwarded only to segments with active receivers that explicitly requested multicast data. STATIC RP CONFIGURATION NEEDS TO BE THE SAME ON ALL THE ROUTERS, including the RP!!!
Specify the router to be the RP for a specific group:
(config)#ip pim rp-address 192.168.0.0 [override] [access-list 1]

*If the override keyword is not specified and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static group-to-RP mappings.
*Dec 14 19:45:20.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
#sh ip pim rp map
PIM Group-to-RP Mappings
Acl: 1, Static
    RP: 1.1.1.2 (?)
Group(s): 224.0.0.0/4, Static <-WHEN THE ACL IS NOT SPECIFIED; BEST PRACTICE: CONFIGURE AN ACL WITH THE GROUPS TO DENY
    RP: 1.1.1.3 (?)

If two RPs have an OVERLAPPING SCOPE of Groups, the HIGHER SOURCE IP WINS.
____________________________________________________________________________________________________________________

DESIGNATED ROUTER (DR) Configuration


____________________________________________________________________________________________________________________
IMPORTANT: The Designated Router works ONLY with IGMPv1, and it determines the Router that sends the IGMP Queries. In IGMPv2 the Querier is elected directly by the protocol (the router with the LOWEST IP address), so no DR is needed. To check who the DR currently is, check the PIM neighbors:
#sh ip pim nei | i DR
10.1.12.2         FastEthernet0/0          2d01h/00:01:28    v2    1 / DR S

The criteria for determining the DR on the subnet are similar to OSPF:
- Choose the router with the HIGHEST DR PRIORITY (default is 1)
- If the priorities are the same, choose the router with the highest IP address
To change the DR priority, go to the interface configuration:
(config-if)#ip pim dr-priority 100

To FILTER and not become NEIGHBOR with certain IPs, use the "ip pim neighbor-filter 1", where 1 is an ACL.
(config-if)#ip pim neighbor-filter 1


____________________________________________________________________________________________________________________

IP MULTICAST: AUTOMATIC RENDEZVOUS POINT (Auto-RP) Configuration


____________________________________________________________________________________________________________________
Auto-RP automates the distribution of group-to-rendezvous point (RP) mappings in a PIM network. IANA has assigned two group addresses, 224.0.1.39 and 224.0.1.40, for Auto-RP. NOTE that these work ONLY IN DENSE MODE, which is why SPARSE-DENSE mode is REQUIRED for Auto-RP to be configured. If you need SPARSE mode you will need to manually configure the Auto-RP listener:
(config)#ip pim autorp listener

*If the interfaces have been configured in SPARSE-DENSE mode, there is no need to manually configure the listener.
You can configure 2 Routers as the RP and have them ANNOUNCE themselves as the RPs, and aside from them you would have the MAPPING AGENT, which COLLECTS the announcements and DECIDES THE REAL RP. Auto-RP Configuration requires you to define the CANDIDATE RP and the MAPPING AGENT before you get into the configuration.
STEP 1: Configure the CANDIDATE-RP, so that the RP can announce itself as the RP to the other routers. The destination for these announcements is by default 224.0.1.39. SCOPE CAN BE USED TO LIMIT THE RANGE THE RP IS ANNOUNCED TO.
(config)#ip pim send-rp-announce Loopback0 scope 2 group-list 1
*SCOPE defines the TTL, and 1 is the ACL of the Multicast Groups you want the RP to announce

STEP 2: ALL routers receive the announcements; ONLY the MAPPING AGENT will process them. Configure the MAPPING AGENT, which will PROCESS the RP announce messages and decide the RP-to-Group mapping. If there is more than one RP, the one with the HIGHEST SOURCE IP wins and gets announced.
(config)# ip pim send-rp-discovery lo1 scope 31

When you DEBUG the Auto-RP on the MAPPING AGENT:


*Dec 14 11:42:26.019: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.4, RP_cnt 1, ht 181
*Dec 14 11:42:26.019: (0): pim_add_prm:: 238.0.0.0/255.0.0.0, rp=1.1.1.4, repl = 0, ver =3, is_neg =0, bidir = 0, crp = 0
*Dec 14 11:42:26.019: create_new = 1
*Dec 14 11:42:26.019: Auto-RP(0): Added with prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1
*Dec 14 11:42:26.019: Auto-RP(0): Build RP-Discovery packet
*Dec 14 11:42:26.019: Auto-RP(0): Build mapping (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1,
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Ethernet0/0 (1 RP entries)
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.53 (1 RP entries)
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.45 (1 RP entries)
*Dec 14 11:42:26.019: Auto-RP(0): Send RP-discovery packet of length 48 on Loopback0(*) (1 RP entries)
*Dec 14 11:45:02.551: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.3, RP_cnt 1, ht 181
*Dec 14 11:45:02.551: (0): pim_add_prm:: 238.0.0.0/255.0.0.0, rp=1.1.1.3, repl = 0, ver =3, is_neg =0, bidir = 0, crp = 0
*Dec 14 11:45:02.551: Auto-RP(0): Update prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.3), PIMv2 v1

So if you have 2 CANDIDATE-RPs and check the MAPPING AGENT:


#sh ip pim rp mapping | b Group
Group(s) 238.0.0.0/8
  RP 1.1.1.4 (?), v2v1
    Info source: 1.1.1.4 (?), elected via Auto-RP <-ELECTED DUE TO THE HIGHER IP ADDRESS VALUE
         Uptime: 00:01:52, expires: 00:02:05
  RP 1.1.1.3 (?), v2v1
    Info source: 1.1.1.3 (?), via Auto-RP
         Uptime: 00:02:15, expires: 00:02:43

The other routers within the domain will learn the RP IP address with the Mapping Agent as the Source:
#sh ip pim rp mapp | i RP|source
  RP 1.1.1.4 (?), v2v1
    Info source: 1.1.1.5 (?), elected via Auto-RP


If you want to LIMIT (FILTER) WHERE the RP announcements are forwarded, define the MULTICAST BOUNDARY on the interface towards that HOST, and add the known Auto-RP Multicast IP 224.0.1.40 to ACL 1:
(config)#access-list 1 deny host 224.0.1.40
(config-if)#ip multicast boundary 1

*NOTE that the DEAD TIMER is 3 minutes, so you have to be patient here.
When you're filtering the MULTICAST GROUPS you're announcing to the other hosts, use the ANNOUNCE-FILTER:
(config)#ip pim rp-announce-filter group-list 6 <-6 IS THE ACL OF ANNOUNCE DESTINATIONS

FILTERING of the RP Announcements can be done using the RP-LIST, BUT WATCH OUT, THESE HAVE THE OPPOSITE LOGIC:
(config)# ip pim rp-announce-filter rp-list 4 [group-list 5]<-ACL 4 PERMITS the RPs that will NOT be advertised!!!

*GROUP-LIST is ACL with MULTICAST GROUPS for which you DONT want this RP to be advertised

You can set the ROUTER to run the SPT (Shortest Path Tree) SWITCHOVER ONLY if the group reaches a certain BW; in this case we're analysing the Multicast groups in ACL 1 to see if they reach 20kbps:
(config)#ip pim spt-threshold 20 group-list 1

If you want to FILTER THE INCOMING groups, define the ACL and apply it DIRECTLY on the incoming interface:
(config)#access-list 52 permit host 225.25.25.25 <-MULTICAST SOURCES WE WANT TO PERMIT
(config)#access-list 52 permit host 226.26.26.26
(config-if)#ip igmp access-group 52 <-YOU WILL NOT HAVE THE IN|OUT OPTION HERE, logically

____________________________________________________________________________________________________________________

IP MULTICAST: BSR (Bootstrap Router) Configuration


____________________________________________________________________________________________________________________
BSR has the same function as Auto-RP, but BSR is part of the PIM Version 2 specification. BSR interoperates with Auto-RP on Cisco routers. A BSR is elected among the candidate BSRs automatically; they use bootstrap messages to discover which BSR has the highest priority. This router then announces to all PIM routers in the PIM domain that it is the BSR.
BSR ADVANTAGE: There is a PRIORITY COMMAND! Auto-RP doesn't have the option to set the Router with the Lower IP as the RP.
STEP 1: Enable Multicast Routing and configure all the relevant interfaces in PIM SPARSE MODE
STEP 2: Configure the router to announce its candidacy as a bootstrap router (BSR). Note that if you get the message "Warning: PIMv2 not configured", you need to configure "ip pim sparse-mode" on the interface:
(config)#ip pim BSR-candidate lo0

STEP 3: Configure PIM Version 2 candidates to be the RP to the BSR, also defining the priority if needed:
(config)#ip pim RP-candidate lo0 priority 100 <-LOWER PRIORITY IS BETTER, default is 0

Once the CANDIDATE RPs know the BSR address - they send UNICAST messages to BSR identifying themselves as candidates. To check the RP election, the command is the same like in Auto-RP:
#sh ip pim rp mapp | b Group
Group(s) 224.0.0.0/4
  RP 1.1.1.3 (?), v2
    Info source: 1.1.1.4 (?), via bootstrap, priority 0, holdtime 150 <-INFO SOURCE IS ALWAYS RP
         Uptime: 00:14:16, expires: 00:02:18
  RP 1.1.1.4 (?), v2
    Info source: 1.1.1.4 (?), via bootstrap, priority 50, holdtime 150 <-INFO SOURCE IS ALWAYS RP
         Uptime: 00:14:09, expires: 00:02:18


FILTERING WITH TTL is another option not to forget when working on MULTICAST. There is an interface command that sets the TTL THRESHOLD for MULTICAST packets, so, like the SCOPE feature in Auto-RP, you can use this to control remote Multicast packets. In this example, routers more than 3 hops away (255-252) will not reach the local router.
(config-if)#ip multicast ttl-threshold 252

The same filter can be used OUTBOUND, using the SAME command, so if you want to make sure that no multicast packet with TTL<13 goes out the interface, use:
(config-if)#ip multicast ttl-threshold 13

*This command is under "PIM>Using MSDP to Interconnect Multiple PIM-SM Domains" in Cisco Docs (MSDP is a mechanism to connect multiple PIM-SM domains. The purpose of MSDP is to discover multicast sources in other PIM domains.)

____________________________________________________________________________________________________________________

IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration


____________________________________________________________________________________________________________________
MSDP is the mechanism to connect multiple PIM-SM domains. MSDP peering is configured BETWEEN THE RPs (RPs use TCP port 639 to synchronize the sources each one knows). In anycast RP, all the RPs are configured to be MSDP peers of each other. When a MULTICAST SOURCE starts, the first-hop router encapsulates register messages and UNICASTs them to the RP. The RP de-encapsulates them and sends them towards the last hop. SA (Source Active) messages identify the Source IP and the Group. MSDP peering connections need to be established between all MSDP peers:
(config)#ip msdp peer 1.1.1.5 connect-source lo0
#sh ip msdp peer
MSDP Peer 1.1.1.5 (?), AS ?
  Connection status:
    State: Up, Resets: 0, Connection source: Loopback0 (1.1.1.2)

*SA messages are used to advertise active sources in a domain.

Anycast-IP
In anycast RP, two or more RPs are configured with the SAME IP ADDRESS on their loopback interfaces. The anycast RP loopback address should be configured with a 32-bit mask, making it a host address. IP routing will automatically select the topologically closest RP. IMPORTANT: In anycast RP, all the RPs are configured to be MSDP peers of each other.
____________________________________________________________________________________________________________________

Multiprotocol BGP (MP-BGP) & IP Multicast


____________________________________________________________________________________________________________________
First you would need to DISABLE the default BGP behavior, which is IPv4-Unicast:
(config-router)#no bgp default ipv4-unicast

Now within the BGP process you can define the Address Families (AF) Configuration Commands apart, among them you can define the "address-family ipv4 UNICAST" and "address-family ipv4 MULTICAST":
(config-router)#address-family ipv4 unicast
(config-router-af)#neighbor 100.1.34.4 activate
(config-router-af)#network 1.1.1.1 mask 255.255.255.255 <-CAN BE KNOWN VIA ANOTHER PROTOCOL
(config-router-af)#no auto-summary <-ALSO NEEDED WITHIN THE AF


____________________________________________________________________________________________________________________

IP MULTICAST: Configuring SSM (Source Specific Multicast)


____________________________________________________________________________________________________________________ Source Specific Multicast (SSM) is an extension of IP multicast where datagram traffic is forwarded to receivers from only those multicast sources that the receivers have explicitly joined. For multicast groups configured for SSM, only source-specific multicast distribution trees (not shared trees) are created. SSM best supports ONE-TO-MANY applications, also known as BROADCAST applications. The following two components together support the implementation of SSM:
1. Protocol Independent Multicast source-specific mode (PIM-SSM)
2. Internet Group Management Protocol Version 3 (IGMPv3), which introduces the ability for hosts to signal group membership with filtering capabilities with respect to sources.

Default SSM Scope is 232.0.0.0/8. The router CLOSEST to the RECEIVING HOSTS should have SSM enabled. Configuration is quite simple: define the ACL, and enable SSM for that range in Global Configuration mode:
(config)#access-list 1 permit 230.0.0.0 0.255.255.255
(config)#ip pim ssm [range ACL | default] <-DEFAULT COVERS THE STANDARD SSM RANGE 232.0.0.0/8

DO NOT FORGET to set the IGMP version to IGMPv3 on the interfaces:


(config-subif)#ip igmp version 3

Then in the Global Configuration mode set the DEFAULT mode to SSM:
(config)#ip pim ssm default <-SETS USAGE OF SSM DEDICATED RANGE 232.0.0.0/8 ON

Once the interface IGMP version is set, you can configure a SOURCE SPECIFIC Multicast join:
(config-if)#ip igmp join-group 232.6.6.6 source 10.1.56.6

Now Verify in the Multicast Routing Table of the UPSTREAM ROUTER (interface towards this router must be IGMPv3):
#sh ip mroute | s 232.6.6.6
(10.1.56.6, 232.6.6.6), 00:00:27/00:02:32, flags: sTI
  Incoming interface: Serial1/0.24, RPF nbr 10.1.24.4
  Outgoing interface list:
    Ethernet0/0, Forward/Sparse, 00:00:27/00:02:32

There is another option IGMPv3 allows you, and it's called "explicit-tracking" (IGMPv3 Interface command). It causes the router to TRACK ALL REPORTERS and not only the last one, and it enables LEAVING (S,G) as soon as the last host leaves that (S,G) without sending a query:
(config-if)#ip igmp explicit-tracking

*Make sure you see the "T" flag in the MROUTE table:
#sh ip mroute | i 232.6.6.6
(10.1.56.6, 232.6.6.6), 00:09:16/00:02:25, flags: sTI <-T means TRACKED


____________________________________________________________________________________________________________________

IP MULTICAST: Bidirectional PIM (Bidir-PIM)


____________________________________________________________________________________________________________________ In bidirectional mode, traffic is routed only along a bidirectional shared tree that is rooted at the RP for the group. Membership in a bidirectional group is signaled by way of explicit Join messages. Traffic is ALWAYS sent to the RP, and passed down the tree. PIM-SM has been improved, so now traffic can go UPSTREAM if needed just to reach the RP.

The new concept introduced for LOOP PREVENTION within BIDIR-PIM is called the DESIGNATED FORWARDER (DF). BIDIRECTIONAL PIM removes the RPF (Reverse Path Forwarding) rules, REMOVES (S,G) entries from the route table, and leaves only (*,G) entries. The DESIGNATED FORWARDER (DF) is the Multicast Router that can forward (*,G) state in 2 DIFFERENT DIRECTIONS for the same group address. The DF winner is determined by IGP cost on a link by link basis.

STEP 1: First the Bidirectional PIM needs to be enabled on ALL THE ROUTERS:
(config)# ip pim bidir-enable

STEP 2: Statically configure the RP, also on ALL the routers (INCLUDING THE RP ITSELF):
(config)#ip pim rp-address 1.1.1.3 bidir

To make sure that the router 1.1.1.3 is REALLY the DF on the interface:
#sh ip pim inter s1/0.32 df 1.1.1.3
Designated Forwarder election for Serial1/0.32, 10.1.23.3, RP 1.1.1.3
  State                          DF
  Offer count is                 0
  Current DF ip address          10.1.23.3
  DF winner up time              00:04:19
  Last winner metric preference  0
  Last winner metric             0
  Next winner will be sent in    45360 ms

Once a host joins a Multicast Group, for example 224.1.2.3, in a network configured as BIDIR-PIM:
#sh ip mroute bidirectional | s 224.1.2.3
(*, 224.1.2.3), 00:00:41/00:02:48, RP 1.1.1.3, flags: B <-BIDIRECTIONAL FLAG
  Bidir-Upstream: Serial1/0.53, RPF nbr 10.1.35.3
  Outgoing interface list:
    Ethernet0/0, Forward/Sparse, 00:00:41/00:02:48
    Serial1/0.53, Bidir-Upstream/Sparse, 00:00:41/00:00:00


____________________________________________________________________________________________________________________

IP MULTICAST: Helper Map


____________________________________________________________________________________________________________________ Perform this task to convert broadcast traffic to IP multicast traffic on the first hop router. The first hop router is on the border between the broadcast-only network and the IP multicast network. *NOTE that you MUST have Multicast configured between the two broadcast-only networks, even on the interfaces towards the BROADCAST-ONLY network segments. You can use this for ROUTING PROTOCOLS, but remember to change the updates to BROADCASTS, for example RIP:
(config-if)#ip rip v2-broadcast

STEP 1: Create an extended IP access list to control which UDP broadcast packets are translated. In this example RIP is configured, and the BROADCAST RIP packets coming from source 10.1.12.1 are matched:
(config)#access-list 101 permit udp host 10.1.12.1 eq rip host 255.255.255.255 eq rip
(config)#ip forward-protocol udp rip <-SPECIFY HOW BROADCAST MESSAGES ARE FORWARDED

STEP 2: Define the HELPER MAP on the interface facing the broadcast-only segment, to convert the INCOMING BROADCAST traffic INTO MULTICAST traffic sent to group 224.1.1.1 with TTL 3 (only 3 hops allowed):
(config-if)#ip multicast helper-map broadcast 224.1.1.1 101 ttl 3

STEP 3: On the LAST HOP router towards another BROADCAST network segment identify the RIP traffic using the ACL:
(config)#access-list 102 permit udp host 10.1.12.1 any eq rip
(config)#ip forward-protocol udp

STEP 4: Use the HELPER MAP on the LAST HOP INTERFACE towards the MULTICAST segment (the interface from which the MULTICAST traffic will be coming) to CONVERT MULTICAST BACK TO BROADCAST (10.1.45.255 is the RIP packets' final destination):
(config-subif)#ip multicast helper-map 224.1.1.1 10.1.45.255 102

STEP 5: On the INTERFACE towards the BROADCAST SEGMENT:


(config-if)#ip directed-broadcast

In this particular case we would also have to TUNE RIP a little bit, not to validate the UPDATE SOURCE:
(config-router)#no validate-update-source


____________________________________________________________________________________________________________________

MULTICAST Helper Map & Helper-address


____________________________________________________________________________________________________________________ Helper Map is used to convert UDP BROADCAST packets to MULTICAST packets. So when the application sends BROADCASTS by default, we need to use this feature. Another option would be to convert BROADCAST to UNICAST packets, using the "ip helper-address". Two major steps need to be taken here: *Helper-Map is configured on BOTH INCOMING INTERFACES!!! IMPORTANT: The traffic needs to be PROCESS SWITCHED in order for Helper Map to work, so if you're using broadcasts on port UDP/3999, on BOTH routers also configure:
(config)#ip forward-protocol udp 3999

STEP 1: On the BROADCAST SOURCE convert the BROADCAST traffic to MULTICAST


(config-if)#ip multicast helper-map broadcast MULTICAST_GROUP ACL_PERMITTING_THE_PORT

Example:
(config)#access-list 101 permit udp any any eq 3999
(config-if)#ip multicast helper-map broadcast 239.39.39.39 101

STEP 2: On the CLIENT, convert the traffic BACK TO BROADCAST for the client to receive it as the application was designed.
(config-if)#ip multicast helper-map MULTICAST_GROUP 192.168.1.255 101

*192.168.1.255 is the IP of the final interface, but in the broadcast form


(config-if)#ip directed-broadcast <-TARGET INTERFACE MUST SUPPORT A DIRECTED BROADCAST

This feature is also used in a MULTICAST STUB. When the next router cannot (or we don't want it to) become a PIM neighbor, configure the IGMP Helper Address in order to still receive the Multicast from that router:
(config-if)#ip igmp helper-address 10.1.15.66

*configure on the interface towards the receiver of Multicast


Security


____________________________________________________________________________________________________________________

Security TIPS
____________________________________________________________________________________________________________________

TIP - ICMP: When you want to prevent the router response with "Host Unreachable" messages (U.U.U), on the interface:
(config-if)#no ip unreachables
(config-if)#no ip mask-reply <-DON'T REVEAL THE NETWORK MASK

TIP - TELNET: When you need to control only access to TELNET, apply directly to the VTY:
(config)#line vty 0 4
(config-line)#access-class 1 in <-1 IS THE LIST OF CLIENTS ALLOWED TO TELNET

TIP - SNMP: You can allow only some of the HOSTS to access the routers SNMP agent:
(config)#snmp-server community mYcOMMUNITY RO 22
(config)#access-list 22 permit host 11.187.123.11

TIP: 802.1x, Don't forget to enable the 802.1x GLOBALLY:


(config)#dot1x system-auth-control
#sh dot1x all | i auth <-CHECK IF IT WORKED
Sysauthcontrol Enabled

EAP - Extensible Authentication Protocol allows the device to forward authentication request to the server, bypassing the local security.

TIP: When creating a USER with only one function, or a MENU, implement the AUTOCOMMAND feature:
(config)#username TEST_USER autocommand menu NOC <-NOC IS A MENU NAME

TIP: When you want to DISABLE the DOMAIN LOOKUP, but only on the CONSOLE port, there is a TRICK:
(config)#line con 0
(config-line)#transport preferred none

TIP: Don't forget the POLICE RATE command within the Policy-Map when you need to police by PPS:
(config-pmap-c)#police rate 100 pps

TIP: When you want to DISABLE SOURCE ROUTING, just do the global command:
(config)#no ip source-route

____________________________________________________________________________________________________________________

Router Security - Best Practices


____________________________________________________________________________________________________________________ First you should define some RULES for the password definitions. For example - Minimal Password Length:
(config)#security passwords min-length 7

Make users wait 1 minute after 3 failed login attempts within 1 minute, and LOG it:
(config)#login block-for 60 attempts 3 within 60 <-ALLOW 3 ATTEMPTS WITHIN 1 MINUTE
(config)#security authentication failure rate 3 log <-LOG FAILED ATTEMPTS

To set up a PRIVILEGE mode password that uses MD5 hashing:


(config)#enable secret level 15 0 Cisco07

*TIP: If your password contains "?", you need to press "ESC+Q" or CTRL+V before you enter the "?" sign.


To define the USERNAME and assign it a MD5 Hash Password:


(config)#username cisqueros secret 0 Cisco07
(config)#do sh run | i username
username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/

No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router configuration and clearing the password. If you want to do this, make sure the Conf.Register is 0x2102:
#sh ver | i register
Configuration register 0x2102
*0x2102: ignores break, boots into ROM if the initial boot fails, 9600 console baud rate by default

More about Configuration Register Values: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml Then apply the command. *This command is HIDDEN, so "?" will not display it! You will also be WARNED by IOS:
(config)#no service password-recovery

WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]:

Don't forget to configure both the CONSOLE Port (line con 0) and the AUXILIARY Port as a backup solution (line aux 0). You should automatically DISCONNECT these sessions (CON & AUX) after some time of inactivity (both timers take MINUTES as the argument):
(config-line)#session-timeout 5 <-DISCONNECT IF NO INPUT FOR 5 MINUTES
(config-line)#exec-timeout 5 0 <-TERMINATE CONSOLE CONNECTION IF NO INPUT FOR 5 MINUTES

If you have more than one administrator, and you want to limit them to certain commands, use "privilege exec" and define the Privilege Level 9 commands:
(config)#privilege exec level 9 show interfaces <-BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"
(config)#privilege exec level 9 ping
(config)#privilege exec level 9 traceroute

Be sure to apply the usage of the local user database on the CONSOLE PORT:
(config)#line con 0
(config-line)#login local

To disable showing WHO IS CURRENTLY LOGGED INTO the device:


(config)#no ip finger

____________________________________________________________________________________________________________________

KNOWN ATTACKS and how to prevent


____________________________________________________________________________________________________________________

SMURF ATTACK: Large number of ICMP echo requests sent to the subnet's BROADCAST address, with a spoofed source, to provoke a DoS. You can create an ACL that denies the
x.x.x.255 destination, or use the INTERFACE command (enabled by default in newer IOS):
(config-subif)#no ip directed-broadcast

Trin00 ATTACK: SYN DoS attack that uses UDP FLOODS; uses TCP 1524, 27665 and UDP 27444, 31335
Trinityv3 ATTACK: includes UDP Fragment, SYN, RST, ACK floods. It uses IRC, mainly TCP/6667, with a client on TCP/33270
ICMP echo requests are used for many ATTACKS, so they should be disabled at the entrance to your network:
(config)#access-list 102 deny icmp any any mask-request
(config)#access-list 102 deny icmp any any redirect
(config)#access-list 102 deny icmp any any echo

TRACEROUTE uses the PORT range 33400-34400, so think if you want to disable those as well.


____________________________________________________________________________________________________________________

BANNER and MENU Configuration


____________________________________________________________________________________________________________________ If you need to define a BANNER to display the user restrictions, have in mind that you can use the variables:
$(hostname) $(line) $(domain)

You also have the option of creating DYNAMIC ENTRIES as a banner, and letting the user respond to the VARIABLES: Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T>Banner Configuration

Step 1: Define the MENU TITLE


(config)#menu MYMENU title & This is the AXA menu & <-"&" IS THE DELIMITING CHARACTER THAT OPENS AND CLOSES THE TITLE

Step 2: Define the TEXT ITEMS:


(config)#menu MYMENU text 1 Display all interfaces with their IPs
(config)#menu MYMENU text 2 Display the configuration of Fa1/0/1
(config)#menu MYMENU text 3 Logout
(config)#menu MYMENU text 4 Exit the Menu

Step 3: Specify the UNDERLYING COMMAND of each item in the MENU:


(config)#menu MYMENU command 1 sh ip int br
(config)#menu MYMENU command 2 sh run int fa1/0/1
(config)#menu MYMENU command 9 menu-exit

Step 4: Define the DEFAULT action:


(config)#menu MYMENU default 9

Step 5: Define the GLOBAL commands, for example to clean the screen when the MENU starts:
(config)#menu MYMENU clear-screen

____________________________________________________________________________________________________________________

Configure SSH Access


____________________________________________________________________________________________________________________ Cisco Documents: Security>AAA>Secure Shell Configuration Guide: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-cfg-secure-shell.html The first step would be to make sure that all the devices within your network SUPPORT Secure Shell. Then you need to decide HOW you want to implement it, as there are 2 options:
1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name
2. Configuring a Router for SSH Version 2 Using RSA Key Pairs
For the first configuration type, these are the steps to follow:
Step 1: Be sure to have the Hostname and the IP Domain Name configured:
(config)#ip domain name SNArchs


Step 2: Decide the key size (in bits, by default 512 bits) and generate the RSA key pair. This ENABLES SSHv2:
(config)#crypto key generate rsa usage-keys

The name for the keys will be: ES-MAT-AES-SR04.SNArchs
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*Dec 5 12:58:48.123: %SSH-5-ENABLED: SSH 2.0 has been enabled

Then configure the VTY port for the user database to use (TACACS or LOCAL), and to use SSH:
(config)#line vty 0 4
(config-line)#login local <-WON'T BE AVAILABLE AFTER SSH IS ENABLED
(config-line)#transport input ssh

*When testing the access via SSH don't forget to use "-l" to define the username:
#ssh -l mat 10.1.12.2

You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH), that can later be applied to ALL VTY ports:
(config)#aaa new-model
(config)#aaa authentication login AAA_AUTH local

Now apply it to the VTY port:


(config)#line vty 0 4
(config-line)#transport input ssh
(config-line)#login authentication AAA_AUTH

*The "rotary" command under the VTY changes the telnet port of that line: "rotary 5" sets the port on that line to 3005
____________________________________________________________________________________________________________________

ADVANCED Access Lists (ACL) Configuration


____________________________________________________________________________________________________________________

TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]

TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any

TIP: "deny any any" doesn't affect the locally generated traffic on the router.
It's enough to configure an extended ACL and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options we never knew about. One of the awesome features is the ESTABLISHED keyword, which means: allow back in the traffic belonging to a TCP session that has already been established (the segment carries the ACK or RST bit). In this example we're allowing back in the TELNET and HTTP traffic to HOST 10.187.12.1 (the range is given low port first):
(config-ext-nacl)#permit tcp any range 23 80 host 10.187.12.1 established

TIME-BASED ACL
STEP 1: Define the time range using the "time-range TIMERANGE" command in global configuration mode. Be sure the clock is correct using "show clock", and if not, set it using "clock set" or with an NTP server.
STEP 2: Attach the time-range to the ACL:
(config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE


____________________________________________________________________________________________________________________

DYNAMIC ACL (aka Lock and key ACL)


____________________________________________________________________________________________________________________ Special feature used for AUTHENTICATION of other devices. Like the time-range ACL, but instead of time, the ACL entry is permitted or denied based on authentication. The ACL is defined using "access-list 102 dynamic...".
STEP 1: Create an EXTENDED ACL, but be sure to allow all the needed protocols before you apply it on the interface:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any

STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL:
(config)#access-list 100 dynamic DYN_ACL permit ip any any

STEP 3: Apply the ACL on the interface:


(config-if)#ip access-group 100 in

STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:
(config-line)#autocommand access-enable host
*"access-enable" is an EXEC command; it doesn't appear when "?" is pressed
**AUTOCOMMAND links the DYNAMIC ACL to TELNET AUTHENTICATION

You can also apply the "autocommand" directly to the USERNAME, if we want to apply the DYNAMIC ACL to one user:
(config)#username TELNET password CISCO
(config)#username TELNET autocommand access-enable

____________________________________________________________________________________________________________________

REFLEXIVE ACL - For Session Filtering


____________________________________________________________________________________________________________________ Applied on the outbound interface of the router: we take care of the outgoing traffic and then CHECK THE RETURNING TRAFFIC, making sure that the returning traffic is the mirror image of what went out. When configuring, you need 2 ACLs:
STEP 1: OUTBOUND ACL - for the outbound direction, within the extended ACL configure:
(config)#ip access-list extended OUT_ACL
(config-ext-nacl)#permit tcp any any eq www reflect REFLECT_ACL
(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT_ACL
(config-ext-nacl)#permit tcp any any eq https reflect REFLECT_ACL

STEP 2: And on the INBOUND ACL within the extended ACL configuration:
(config)#ip access-list extended IN_ACL
(config-ext-nacl)#permit ospf any any <-YOU HAVE TO ALLOW THESE MANUALLY, BECAUSE PACKETS ORIGINATED BY THE ROUTER ITSELF WILL NOT BE REFLECTED
(config-ext-nacl)#permit tcp any any eq bgp
(config-ext-nacl)#permit tcp any eq bgp any
(config-ext-nacl)#evaluate REFLECT_ACL

*You should consider permitting ICMP time-exceeded and port-unreachable packets, for when you're pinging or tracing stuff outside your network.
STEP 3: Then apply the first one outbound, and the second one inbound, on the same interface:
(config-subif)#ip access-group OUT_ACL out
(config-subif)#ip access-group IN_ACL in

After 5 minutes of inactivity the entries expire. It can be modified using the command "ip reflexive-list timeout X":
(config)#ip reflexive-list timeout 120 <-TIME REFLEXIVE ACL EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds)
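To see what the reflect/evaluate pair above actually does with a flow, here is an added Python model of a reflexive list (my example, not IOS code): an outbound match mirrors the 5-tuple into a temporary inbound entry, evaluate matches returning packets against it, and the entry dies after the inactivity timeout. The port numbers, addresses and the 120 s timeout are constructed to mirror OUT_ACL / IN_ACL.

```python
"""Model of a reflexive ACL (constructed example, not Cisco code).

OUT_ACL: permit tcp any any eq www/telnet/https reflect REFLECT_ACL
IN_ACL:  permit ospf, permit bgp both ways, evaluate REFLECT_ACL, implicit deny
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "ospf", ...
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    def __init__(self, timeout=300):
        self.timeout = timeout   # 'ip reflexive-list timeout', default 300 s
        self.entries = {}        # mirrored 5-tuple -> time last seen

    def reflect(self, pkt, now):
        # Mirror the outbound flow: the reply swaps source and destination.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now

    def evaluate(self, pkt, now):
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.entries:
            self.entries[key] = now   # traffic seen: restart the inactivity timer
            return True
        return False

    def _expire(self, now):
        # Drop entries idle for at least `timeout` seconds.
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.timeout}


OUT_REFLECT_PORTS = {80, 23, 443}   # www, telnet, https


def outbound(pkt, rlist, now):
    """OUT_ACL applied 'out': permitted flows are reflected, others denied."""
    if pkt.proto == "tcp" and pkt.dport in OUT_REFLECT_PORTS:
        rlist.reflect(pkt, now)
        return True
    return False


def inbound(pkt, rlist, now):
    """IN_ACL applied 'in': static permits first, then the evaluate line."""
    if pkt.proto == "ospf":
        return True
    if pkt.proto == "tcp" and 179 in (pkt.sport, pkt.dport):
        return True
    return rlist.evaluate(pkt, now)


def reflexive_scenario():
    """Constructed traffic: one web session, one unsolicited packet, one stale reply."""
    rl = ReflexiveList(timeout=120)
    results = {}
    out = Packet("tcp", "10.1.1.10", 40000, "198.51.100.5", 80)
    results["out_permitted"] = outbound(out, rl, now=0)
    reply = Packet("tcp", "198.51.100.5", 80, "10.1.1.10", 40000)
    results["reply_in_time"] = inbound(reply, rl, now=50)
    # Same server, but a client port that never went out: not reflected
    unsolicited = Packet("tcp", "198.51.100.5", 80, "10.1.1.10", 40001)
    results["unsolicited"] = inbound(unsolicited, rl, now=50)
    # 121 s after the last packet the entry has expired
    results["reply_after_timeout"] = inbound(reply, rl, now=171)
    # Router-to-router BGP is only allowed because IN_ACL permits it statically
    bgp = Packet("tcp", "203.0.113.1", 179, "10.1.1.1", 50000)
    results["bgp_static_permit"] = inbound(bgp, rl, now=500)
    return results


if __name__ == "__main__":
    for name, verdict in reflexive_scenario().items():
        print(f"{name:22} {'permit' if verdict else 'deny'}")
```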


____________________________________________________________________________________________________________________

TCP INTERCEPT - To prevent TCP SYN DoS attacks


____________________________________________________________________________________________________________________ When you want to perform LOGGING of the SYN ATTACKS using ACLs, you can automatically include in the log the MAC address of the device that forwarded the packet into the segment, by simply adding to the Extended ACL:
(config-ext-nacl)#permit tcp any host 192.1.28.100 eq www syn log-input
(config-ext-nacl)#permit ip any any <-DON'T FORGET TO ADD THIS, OR YOU JEOPARDIZE THE FLOWS

TCP INTERCEPT takes care that the 3-WAY TCP Handshake is correctly performed. It observes the SYN sent from the OUTSIDE towards the inside Web Server (for example); the server replies with "SYN ACK", and that's where TCP INTERCEPT does its job, waiting for the CLIENT to send the ACK and establish the TCP Session. If the ACK is NOT received, the Router TIMES OUT the session and sends a RESET to the Server (in a TCP SYN attack thousands of TCP sessions are started with the servers, exhausting Server resources). There are 2 modes of TCP INTERCEPT:

INTERCEPT MODE - router actively intercepts the TCP session
WATCH MODE - router only MONITORS the TCP session and sends the RST (session reset) to the Server if the ACK is not received
(config)#ip tcp intercept list 101 <-SERVERS YOU'RE PROTECTING
(config)#ip tcp intercept watch-timeout 15 <-IF ACK NOT RECEIVED IN 15 SECONDS, SEND RST
(config)#ip tcp intercept mode watch
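Added Python model of WATCH mode as described above (my example, not IOS code): the router only watches the handshake for servers in the intercept list, and a SYN whose completing ACK is not seen within the watch timeout gets a RST sent to the server on the client's behalf. Addresses and the 15 s timeout are constructed to match the configuration lines.

```python
"""Model of TCP INTERCEPT in WATCH mode (constructed example, not IOS code)."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


class TcpInterceptWatch:
    def __init__(self, protected_servers, watch_timeout=30):
        self.protected = set(protected_servers)  # 'ip tcp intercept list' ACL
        self.watch_timeout = watch_timeout       # 'ip tcp intercept watch-timeout'
        self.half_open = {}       # (client, cport, server, sport) -> time of SYN
        self.established = set()
        self.resets_sent = []     # RST segments generated by the router

    def observe(self, seg, now):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn and not seg.ack and seg.dst in self.protected:
            # Client -> server SYN: start the watch timer for this connection
            self.half_open[key] = now
        elif seg.ack and not seg.syn and key in self.half_open:
            # Client -> server ACK: handshake completed, stop watching it
            del self.half_open[key]
            self.established.add(key)
        self.sweep(now)

    def sweep(self, now):
        """Expire half-open connections that outlived the watch timeout."""
        for key, t_syn in list(self.half_open.items()):
            if now - t_syn >= self.watch_timeout:
                client, cport, server, sport = key
                # RST towards the server so it frees the embryonic connection
                self.resets_sent.append(
                    Segment(client, cport, server, sport, rst=True))
                del self.half_open[key]


def intercept_scenario():
    """Constructed traffic: one completed handshake, one abandoned SYN,
    one SYN to a server that is not in the intercept list."""
    ti = TcpInterceptWatch(["192.0.2.10"], watch_timeout=15)
    ti.observe(Segment("10.0.0.5", 40000, "192.0.2.10", 80, syn=True), now=0)
    ti.observe(Segment("10.0.0.5", 40000, "192.0.2.10", 80, ack=True), now=1)
    ti.observe(Segment("10.0.0.6", 40001, "192.0.2.10", 80, syn=True), now=2)
    ti.observe(Segment("10.0.0.7", 40002, "192.0.2.99", 80, syn=True), now=3)
    ti.sweep(now=20)   # 18 s after the abandoned SYN: watch timeout expired
    return {
        "established": len(ti.established),
        "half_open": len(ti.half_open),
        "resets": [(r.dst, r.dport, r.src) for r in ti.resets_sent],
    }


if __name__ == "__main__":
    print(intercept_scenario())
```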

____________________________________________________________________________________________________________________

CBAC - Context Based Access Control Firewall


____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.html

Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple channels created as a result of negotiations in the control channel. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.

CBAC creates TEMPORARY OPENINGS in ACLs at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings ALLOW RETURNING TRAFFIC (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. You can also configure CBAC to specifically inspect certain application-layer protocols. The following application-layer protocols can all be configured for CBAC:
CU-SeeMe (only the White Pine version)
FTP
H.323 (such as NetMeeting, ProShare)
HTTP (Java blocking)
Microsoft NetShow
UNIX R-commands (such as rlogin, rexec, and rsh)
RealAudio
RTSP (Real Time Streaming Protocol)
RPC (Sun RPC, not DCE RPC)
SMTP (Simple Mail Transport Protocol)

The basic (GENERIC) CBAC is quite simple to configure. Define the INSPECTION RULES, and apply them on the interface:
(config)#ip inspect name INP_POL1 tcp
(config)#ip inspect name INP_POL1 udp
(config)#ip inspect name INP_POL1 icmp

APPLY the Inspection Rules to the interface, towards the OUTSIDE network:
(config-if)#ip inspect INP_POL1 out


To allow the initiated traffic BACK IN, define the ACL with what you want to permit and apply it:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any
(config-if)#ip access-group 100 in

Check the established sessions:


#sh ip inspect sessions
Established Sessions
 Session AEA5F2E0 (10.1.13.3:52287)=>(10.1.12.2:23) tcp SIS_OPEN

CBAC can be configured to inspect various traffic types. These are the global CBAC parameters that can be tuned:
(config)#ip inspect ?
  WAAS            Firewall and Cisco WAE interoperability configuration
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>

Also some specific HTTP types of traffic can be inspected, such as JAVA:
(config)#ip inspect name FW_INSPECT http ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  java-list    Specify a standard access-list to apply the Java blocking. If specified, MUST appear directly after option "http"
  timeout      Specify the inactivity timeout time
  urlfilter    Specify URL filtering for HTTP traffic
  <cr>

____________________________________________________________________________________________________________________

PAM - Port to Application Mapping


____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.html PAM is a way to MAP a PORT (or a group of ports) to an already defined, or a new, application. For example http is already mapped to TCP port 80, but we can also add 8000 and 8080 to HTTP:
(config)#ip port-map http port tcp 8080
(config)#ip port-map http port tcp 8000

Check if it "worked":
#sh ip port-map http
Default mapping:  http   tcp port 80     system defined
Default mapping:  http   tcp port 8000   user defined
Default mapping:  http   tcp port 8080   user defined

Now if you want to inspect the NEW http, define the INSPECT operation and apply it just like in CBAC:
(config)#ip inspect name INS_WEB http
(config-if)#ip inspect INS_WEB out


____________________________________________________________________________________________________________________

uRPF - Unicast Reverse Path Forwarding


____________________________________________________________________________________________________________________ Designed to mitigate DoS attacks based on SPOOFING (forging the IP source).

TIP: When you see IP SPOOFING - it's a "trigger" to use the uRPF
Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book.html The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network, by discarding IP packets that lack a verifiable IP source address. Configure it on the receiving interface, which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination. For example, verify that the SOURCE IP is reachable via that exact interface:
(config-subif)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received <-EXACT INTERFACE

#sh ip int s1/0.21 | b verify
  IP verify source reachable-via RX
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate

!!!If the check fails, meaning this is NOT the best interface to reach the IP from which the incoming packet was sourced, the packet is DROPPED. This feature can also be approximated using extended ACLs, where you would DENY traffic with your LAN IPs as the source coming in from the PROVIDER's network.
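Added Python model of the two uRPF modes (my example, not IOS code), run against a constructed routing table: a longest-prefix lookup on the source address, strict mode ("rx") requiring the best route to point back out the receiving interface and loose mode ("any") accepting any route. The allow_default flag stands in for the IOS "allow-default" keyword, which is not on this page: without it a match on the default route does not count.

```python
"""Strict vs loose uRPF check over a constructed RIB (example, not IOS code)."""
import ipaddress


class Rib:
    def __init__(self, routes):
        # routes: list of (prefix, outgoing interface); constructed sample table
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr):
        """Longest-prefix match: returns (network, interface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best


def urpf_check(rib, src, rx_interface, mode="rx", allow_default=False):
    """True if the packet passes uRPF, False if it would be dropped.

    mode "rx"  (strict): best route to the source must leave via rx_interface
    mode "any" (loose):  any route to the source is enough
    A match on the default route (/0) only counts when allow_default is set.
    """
    match = rib.lookup(src)
    if match is None:
        return False                 # no route to the source: drop
    net, ifc = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "any":
        return True
    return ifc == rx_interface


def urpf_scenario():
    """Constructed edge router: LAN 10.1.0.0/16 behind Ethernet0/0,
    default route towards the provider on Serial1/0.21."""
    rib = Rib([
        ("10.1.0.0/16", "Ethernet0/0"),
        ("10.1.24.0/24", "Serial1/0.24"),
        ("0.0.0.0/0", "Serial1/0.21"),
    ])
    results = {}
    # Legitimate LAN host arriving on the LAN interface
    results["lan_strict"] = urpf_check(rib, "10.1.5.9", "Ethernet0/0")
    # Packet claiming a LAN source but arriving from the provider: spoofed
    results["spoof_strict"] = urpf_check(rib, "10.1.5.9", "Serial1/0.21")
    # Loose mode does NOT catch it, because a route to 10.1.5.9 exists
    results["spoof_loose"] = urpf_check(rib, "10.1.5.9", "Serial1/0.21",
                                        mode="any")
    # Internet source matched only by the default route
    results["inet_default_ignored"] = urpf_check(rib, "203.0.113.7",
                                                 "Serial1/0.21")
    results["inet_allow_default"] = urpf_check(rib, "203.0.113.7",
                                               "Serial1/0.21",
                                               allow_default=True)
    return results


if __name__ == "__main__":
    for name, ok in urpf_scenario().items():
        print(f"{name:22} {'pass' if ok else 'DROP'}")
```

The spoof_loose result is the reason the text above says the RPF check belongs on the exact receiving interface ("rx"): on an edge link, loose mode only filters sources with no route at all.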


____________________________________________________________________________________________________________________

Zone Based Firewall


____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration. STEP 1: Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http <-WITHIN HTTP YOU CAN ALSO MATCH A URL, BY ADDING "http url "blabla""
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#drop

STEP 2: Create an inspect-type POLICY-MAP that references the defined CLASS-MAP and INSPECTS it (stateful inspection: return traffic for the session is allowed back without a policy in the reverse zone-pair):
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name   <-A PARAMETER MAP CAN BE DEFINED TO TUNE THE INSPECTION
  <cr>
(config-pmap-c)#inspect

STEP 3: Define the SECURITY ZONES you need and assign the interfaces to them. As soon as an interface is a zone member, traffic between it and any interface that is NOT in a zone is dropped, traffic between two interfaces in the SAME zone is passed, and traffic between two different zones is dropped unless a zone-pair policy permits it (traffic to and from the router itself, the "self" zone, is still allowed by default):
(config)#zone security DMZ
(config-if)#zone-member security DMZ       <-ON THE DMZ-FACING INTERFACE
(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE   <-ON THE OUTSIDE-FACING INTERFACE

STEP 4: Set the POLICIES between each ZONE PAIR:


(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY

#show policy-map type inspect zone-pair
 policy exists on zp OUT-to-DMZ
  Zone-pair: OUT-to-DMZ
  Service-policy inspect : OUTSIDE_POLICY
    Class-map: INSIDE (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

A PARAMETER MAP can be created to tune the inspection: drop logging, alerts and audit trail, max/min session numbers, TCP/UDP/ICMP idle timeouts and much more. It is attached with "inspect <parameter-map-name>" under the class in the policy-map. For example:
(config)#parameter-map type inspect eng-network-profile
(config-profile)#tcp synwait-time 3   <-SECONDS TO WAIT FOR THE TCP HANDSHAKE TO COMPLETE AFTER THE SYN BEFORE THE HALF-OPEN SESSION IS DROPPED (LIMITS SYN-FLOOD EXPOSURE)


____________________________________________________________________________________________________________________

CONTROL Plane Policing and Protection (CoPP / CPPr)


____________________________________________________________________________________________________________________
QoS: Policing and Shaping Configuration Guide>Control Plane Policing
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_plcshp/configuration/12-4t/qos-plcshp-ctrl-pln-plc.html

CoPP treats the RP (Route Processor) as a VIRTUAL INTERFACE attached to the router: a service-policy applied under "control-plane" polices everything punted to the CPU. Control Plane Protection (CPPr) refines this by splitting the control plane into three VIRTUAL SUB-INTERFACES, so you need to decide which EXACT one the policy belongs on:

1. Control-plane HOST - TCP/UDP traffic destined to the router's own interface addresses (SSH, Telnet, SNMP, BGP, management traffic). Only here can you use PORT-FILTERING to drop packets destined to closed or unwanted ports automatically. Within the class-map do, for example:
(config-cmap)#match port tcp 1996

Per-Protocol filtering is also possible, so you can set selective QUEUE LIMITS for BGP, OSPF, HTTP, SNMP...
2. Control-plane TRANSIT - IP packets that transit the router but are software-switched by the RP (not handled in CEF).
3. Control-plane CEF-EXCEPTION - traffic punted to the RP as a CEF exception: non-IP packets (ARP, Layer 2 keepalives, CLNS) and IP packets CEF cannot switch, such as packets with IP options.

When you are asked to limit the packets going to the router's CPU to protect it from flood attacks - this is the answer. It's very simple actually: define the policy-map like in MQC for QoS, and instead of applying it to an interface,

APPLY IT DIRECTLY TO THE CONTROL PLANE


CBAC and Zone Based FW are DATA plane policies. Another type of security policy is a CONTROL plane policy. It is quite similar to Cisco's MQC used for QoS traffic shaping and policing, and you use the same MQC commands to limit (POLICE) the control traffic. You can use STANDARD CLASS-MAPS like in MQC to match a PROTOCOL or an ACL (access-group), but you can also use, for example, LOGGING TYPE CLASS-MAPS to see what the control-plane features are dropping or permitting:
(config)#class-map type logging match-any LOGGING
(config-cmap)#match packets ?
  dropped    Packets dropped by control-plane protection features     <-IN ORDER TO VIEW WHAT THE CONTROL PLANE DROPS
  error      Error packets dropped by control-plane protection features
  permitted  Packets permitted by control-plane protection features

You can also MATCH the CLOSED PORTS within the class-map, or match FRAGMENTED PACKETS within the ACL. Within the POLICY-MAP the actions are to POLICE (either by PACKETS PER SECOND with an allowed BURST in packets, or by bandwidth), or simply to PASS or DROP the traffic matched by the class-map:
(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop

OR
(config-pmap-c)#police rate 100 pps burst 20 packets

The trick is to APPLY the Policy Map to the CONTROL PLANE:


(config)#control-plane
(config-cp)#service-policy input POLICE_50KBPS
*Jan 3 16:34:23.467: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane cef-exception path

Don't forget to check if your changes have been applied:


#sh control-plane features


____________________________________________________________________________________________________________________

IOS IPS (Intrusion Prevention System)


____________________________________________________________________________________________________________________
Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Cisco IOS Intrusion Prevention System
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.html

IPS watches packets and sessions as they flow through the router and scans each packet against the loaded Cisco IOS IPS signatures. When packets in a session match a signature, Cisco IOS IPS can take any of these actions:
- Send an alarm to a syslog server or a centralized management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time

SDEE (Security Device Event Exchange) is the application-level protocol used to exchange IPS events between IPS clients (management stations) and IPS servers (the router).

If you want to configure transparent Cisco IOS IPS (the router bridging rather than routing the inspected traffic), you must configure a bridge group before loading IPS onto the device:
(config)#bridge 1 protocol [dec | ibm | ieee | vlan-bridge]   *1 IS THE BRIDGE-GROUP NUMBER

Then apply the defined bridge group 1 to the interface you want:
(config-if)#bridge-group 1

First you need to specify the location from which the router loads the SDF (Signature Definition File), because the IOS image itself ships with NO DEFAULT SIGNATURES:
(config)# ip ips sdf location disk2:attack-drop.sdf

If you're configuring IOS IPS on a new router, first CREATE the IPS rule, name it, and define how events are reported, in this case as SYSLOG messages:
(config)#ip ips name MYIPS
(config)#ip ips notify log

*Be sure to have a SYSLOG SERVER defined:


(config)#logging 10.187.145.12
(config)#logging on

Specify where the IPS configuration will be stored:


(config)#ip ips config location flash:MYIPS

Apply the configured IPS to the interface:


(config-if)#ip ips MYIPS out

*THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES LOADED. To check the signatures (engines shown as INACTIVE have no compiled signatures, so nothing is being inspected):
#sh ip ips signatures
Cisco SDF release version S0.0
Trend SDF release version V0.0
En   - possible values are Y, Y*, N, or N*
       Y: signature is enabled
       N: enabled=false in the signature definition file
       *: retired=true in the signature definition file
Cmp  - possible values are Y, Ni, Nr, Nf, or No
       Y: signature is compiled
       Ni: signature not compiled due to invalid or missing parameters
       Nr: signature not compiled because it is retired
       Nf: signature compile failed
       No: signature is obsoleted
       Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
...

You also need to load Cisco's public RSA key (distributed as a .txt file on cisco.com) so the router can verify that the signature package is genuinely signed by Cisco before it compiles it; copy the file to flash and read out its content:
#more flash:downloaded_key.txt   <-COPY THE KEY-STRING CONTENT TO PASTE INTO THE KEY BELOW

Now create the key:


(config)#crypto key pubkey-chain rsa
(config-pubkey-chain)#named-key DOWNLOADED_KEY signature
(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
(config-pubkey)#(PASTE THE COPIED CONTENT HERE, then type "quit")

____________________________________________________________________________________________________________________

AAA Authentication
____________________________________________________________________________________________________________________
Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn.html

This is pretty straightforward, because on the CCIE R&S exam you won't have to configure an actual ACS server. For starters be sure that "aaa new-model" is configured. Turn TACACS+ authentication ON, with the LOCAL user DB and then the enable password as fallbacks. The methods are tried in order, and the next one is used only if the previous one is UNAVAILABLE (server not answering); a REJECT from the TACACS+ server is final and does not fall through to the local DB:
(config)#aaa authentication login MYTACACS group tacacs+ local enable

*MYTACACS is the name of the authentication method list. If you use "default" instead of a name, there is no need to assign the list to the VTY lines later: it applies to every login (VTY, console, AUX) that has no named list of its own. In that case ALSO define a separate list whose method is "none" (a NO_AUTH list) and apply it to the lines where you don't want TACACS, like the AUX and CONSOLE ports, so you don't lock yourself out of the console when the server is unreachable.

Define the TACACS+ as a server, and set the Shared Secret:


(config)#tacacs-server host 10.1.1.10 key cisco

Define the source interface from which you will authenticate:


(config)#ip tacacs source-interface Loopback0

Apply the authentication settings to the VTY line:


(config-line)#login authentication MYTACACS

Test the access via TACACS:


#test aaa group tacacs+ USERNAME PASSWORD legacy


MPLS


____________________________________________________________________________________________________________________

MPLS Configuration
____________________________________________________________________________________________________________________
This section assumes that you already know how the protocol works. If you don't - go read that first, what are you waiting for... don't you know how important MPLS is?

LDP neighbor discovery uses Hello messages sent to 224.0.0.2 on UDP port 646; the LDP session itself is a TCP connection on port 646.
LSR - Label Switching Router
LDP - Label Distribution Protocol

To configure MPLS you first need to enable it globally on the router and on all the relevant interfaces. You also have to define the actual PROTOCOL for LABEL DISTRIBUTION (LDP, or TDP, which was the default in IOS versions prior to 12.4 and is no longer in use):
(config)#mpls ip
(config)#mpls label protocol ldp   <-ALL THE INTERFACES WILL INHERIT IT
(config)#int fa0/1
(config-if)#mpls ip                <-TURN IT ON ON THE INTERFACE
You will get this message:
*Dec 17 18:11:50.430: %LDP-5-NBRCHG: LDP Neighbor 11.1.1.1:0 (1) is UP

As the ALTERNATIVE you can use auto-configuration, so LDP is enabled on every interface the IGP runs on (OSPF in this example):
(config)#router ospf 1
(config-router)#mpls ldp autoconfig area 0

*If you need to specifically exclude one interface from LDP autoconfig, do it under that interface:
(config-if)#no mpls ldp igp autoconfig

As in most other protocols, an LDP router-ID needs to be assigned. The "mpls ldp router-id" command makes the IP address of an interface the LDP router ID (L-ID), in this example the Loopback 0 IP. Be sure that all the routers have reachability to each other's L-ID, because by default it is also the TRANSPORT address the LDP TCP session is built to:
(config)#mpls ldp router-id lo0 [force]

When you issue the mpls ldp router-id command without the force keyword, the router selects the IP address of the specified interface (provided that the interface is operational) only the next time it needs to pick an LDP router ID, typically when the current router-ID interface is shut down or its address is removed. With force the change takes effect immediately, and LDP sessions built on the previous router ID are torn down and re-established.
IMPORTANT: for VPNv4 peering the loopback used as router-ID/BGP next hop MUST be learned by the IGP as a /32; otherwise the label bound to it does not match the BGP next hop and the end-to-end LSP breaks. So set it:
(config-if)#ip address 150.1.5.5 255.255.255.255

If, however, you wish the LDP TRANSPORT address (the address the TCP session is built to) to be the PHYSICAL INTERFACE address instead of the router-ID, set it per interface:
(config-if)#mpls ldp discovery transport-address interface

#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/1        Yes (ldp)     No       No  No     Yes
Serial0/1/0.34         Yes (ldp)     No       No  No     Yes
Serial0/1/0.35         Yes (ldp)     No       No  No     Yes

#sh mpls ldp neighbor | i Peer
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0

When you want to see the other LDP PARAMETERS (useful if you're looking for what can be tuned):
#sh mpls ldp param
Protocol version: 1
Session hold time: 90 sec; keep alive interval: 30 sec
Discovery hello: holdtime: 45 sec; interval: 15 sec
Discovery targeted hello: holdtime: 90 sec; interval: 10 sec
Downstream on Demand max hop count: 255
Downstream on Demand Path Vector Limit: 255
LDP for targeted sessions
LDP initial/maximum backoff: 15/120 sec
LDP loop detection: off


DISCOVERY process in MPLS: There are 2 types of discovery:
1. BASIC Discovery - for DIRECTLY CONNECTED LDP LSRs; Hellos are sent on ALL interfaces where LDP is enabled.
2. EXTENDED Discovery - for NON DIRECTLY CONNECTED LDP LSRs; the LSR sends TARGETED Hellos to a SPECIFIC IP.

Authentication between two LDP neighbors (the TCP MD5 signature option on the LDP session) can be configured PER-NEIGHBOR, or made mandatory GLOBALLY; the password must match on both ends, otherwise the session does not come up:
(config)#mpls ldp neighbor 11.1.1.1 password cisco

To FILTER for which prefixes exactly you're advertising labels, define the ACL and apply it in global config mode:
(config)#access-list 41 permit 150.1.0.0 0.0.255.255
(config)#no mpls ldp advertise-labels        <-FIRST DISABLE FOR ALL
(config)#mpls ldp advertise-labels for 41 ?
  to    Access-list specifying controls on LDP peers   <-OPTIONAL, TO CONTROL WHICH PEERS RECEIVE WHICH LABELS
  <cr>

____________________________________________________________________________________________________________________

MPLS LFIB and Labels (Label Spacing)


____________________________________________________________________________________________________________________
Maybe the MOST important thing in LDP, and in MPLS LABEL CONTROL overall, is understanding all the TABLES and how they are built.

FIB (FORWARDING Information Base) - CEF table, built from the RIB (Routing Information Base):
#show ip cef

LIB (LABEL INFORMATION BASE) - all labels learned for a prefix, local and remote:
#sh mpls ldp bindings 177.7.7.0 24
  lib entry: 177.7.7.0/24, rev 35
        local binding:  label: 113
        remote binding: lsr: 2.2.2.2:0, label: 213

LFIB - LABEL FORWARDING INFORMATION BASE


#show mpls forwarding-table

IN THE CCIE LAB, FIRST CHECK IF THE LABEL RANGE HAS BEEN CHANGED, BECAUSE THE ROUTER NEEDS A RELOAD FOR IT TO TAKE EFFECT!!! The LABEL SPACE is platform-dependent, and label planning is done in the DESIGN phase of the project. You can SET the RANGE of labels you want this router to allocate:
(config)#mpls label range 100 199
% Label range changes will take effect at the next reload.

#sh mpls label range
Downstream Generic label region: Min/Max label: 17/199
[Configured range for next reload: Min/Max label: 100/199]

#sh mpls ldp bindings local
  tib entry: 1.1.1.0/24, rev 14
        local binding:  tag: 103
  tib entry: 2.2.2.0/24, rev 16
        local binding:  tag: 104
  tib entry: 3.3.3.0/24, rev 18
        local binding:  tag: 105

...


LFIB (LABEL FORWARDING INFORMATION BASE) is the MOST IMPORTANT table in the MPLS architecture. You can literally follow exactly what happens on the router to every label and prefix:
#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes Label  Outgoing    Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
17     Untagged    7.7.7.0/24        0            Se0/1/0.35  point2point
18     18          6.6.6.6/32        0            Se0/1/0.35  point2point
27     28          1.1.1.0/24        0            Fa0/1       10.1.23.2
28     Pop Label   2.2.2.0/24        0            Fa0/1       10.1.23.2
29     Pop Label   4.4.4.0/24        0            Se0/1/0.34  point2point
30     Pop Label   5.5.5.0/24        0            Se0/1/0.35  point2point
32     Pop Label   10.1.12.0/24      0            Fa0/1       10.1.23.2
33     Pop Label   10.1.45.0/24      0            Se0/1/0.34  point2point
       Pop Label   10.1.45.0/24      0            Se0/1/0.35  point2point
34     Pop Label   10.1.56.0/24      0            Se0/1/0.35  point2point
35     34          10.1.67.0/24      0            Se0/1/0.35  point2point
36     38          11.1.1.0/24       0            Fa0/1       10.1.23.2
37     Pop Label   55.5.5.0/24       0            Se0/1/0.35  point2point

"Untagged" as Outgoing Label    - Remove the labels and forward as plain IP traffic (the next hop is not running LDP)
"Pop Label" as Outgoing Label   - Remove the TOP label and forward the packet out the listed interface (PHP)
NOTHING in the Local Label column - The row belongs to the label above it: the prefix has two outgoing paths, so LOAD BALANCING is occurring
Numerical value in both columns - SWAP the Local label with the Outgoing label

IMPORTANT: FIB ("show ip cef") and LFIB information MUST AGREE!!! A mismatch (label for a prefix pointing out a different interface than CEF) is a sign of an IGP/LDP problem.

IMPLICIT NULL (label 3, never on the wire) is what a router advertises by default for its DIRECTLY CONNECTED prefixes; it tells the upstream neighbor to POP the label, which is PHP (Penultimate Hop Popping). If you configure EXPLICIT NULL the router advertises label 0 instead, so the previous router SWAPS to label 0 rather than popping, and the label (with its EXP/QoS bits) survives the last hop:
(config)#mpls ldp explicit-null
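To check that you read the LFIB columns correctly, here is the same table driven in Python: each label operation from the output above (Untagged, Pop Label, swap) is applied to a label stack, and the effect of explicit-null on the downstream neighbor's LFIB is shown alongside. This is an added example, not part of the original notes; the LFIB rows are copied from the "sh mpls forwarding-table" output above and the packets pushed through it are constructed sample data.

```python
"""LFIB label operations, simulated in Python (added example, not from the
original notes). The LFIB rows are the ones in the "sh mpls forwarding-table"
output above; the label stacks below are constructed sample packets."""

# (local label, outgoing label, prefix, egress interface) from the output above
LFIB = [
    (17, "Untagged",  "7.7.7.0/24",   "Se0/1/0.35"),
    (18, 18,          "6.6.6.6/32",   "Se0/1/0.35"),
    (27, 28,          "1.1.1.0/24",   "Fa0/1"),
    (28, "Pop Label", "2.2.2.0/24",   "Fa0/1"),
    (35, 34,          "10.1.67.0/24", "Se0/1/0.35"),
]
EXPLICIT_NULL = 0   # IPv4 explicit-null label; implicit-null (3) is never on the wire


def lfib_lookup(local_label, lfib=LFIB):
    """Find the LFIB row for an incoming (local) label, or None."""
    for row in lfib:
        if row[0] == local_label:
            return row
    return None


def forward(stack, lfib=LFIB):
    """stack: list of labels, top of stack first (e.g. [transport, vpn]).
    Returns (egress interface, new stack); an empty new stack means the
    packet leaves as plain IP, (None, None) means it is dropped."""
    if not stack:
        raise ValueError("unlabeled packet: this is a FIB lookup, not an LFIB lookup")
    row = lfib_lookup(stack[0], lfib)
    if row is None:
        return (None, None)
    _, out_label, _, egress = row
    rest = stack[1:]
    if out_label == "Untagged":          # next hop is not an LSR: forward as IP
        return (egress, [])
    if out_label == "Pop Label":         # PHP: remove the top label only
        return (egress, rest)
    return (egress, [out_label] + rest)  # swap top label


def with_explicit_null(lfib):
    """What the downstream neighbour's LFIB looks like after the router
    owning these prefixes configures "mpls ldp explicit-null": every
    "Pop Label" (implicit-null learned from it) becomes a swap to label 0."""
    return [(l, EXPLICIT_NULL if o == "Pop Label" else o, p, e)
            for l, o, p, e in lfib]


if __name__ == "__main__":
    for pkt in ([17], [27, 100], [28, 100], [99]):
        print(pkt, "->", forward(pkt))
    print("PHP with explicit-null:", forward([28, 100], with_explicit_null(LFIB)))
```

The second stack element (100) stands in for a VPN label: with "Pop Label" it is exposed as the new top of stack, with explicit-null it stays underneath label 0, which is exactly the difference that matters for QoS marking on the last hop.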

LDP Conditional Label Advertising


If you want to advertise, or stop advertising, labels for some prefixes, there is a special command for that. First define the ACL that PERMITS the prefixes you WANT and DENIES the prefixes you DON'T WANT to advertise labels for (ACL_FROM). Then define ANOTHER ACL that matches the LDP peers (by their router-ID) these labels are advertised to (ACL_TO):
(config)#mpls ldp advertise-labels for ACL_FROM to ACL_TO

If you need to HIDE the MPLS core from the customer, there is a command that STOPS copying the IP TTL into the MPLS label TTL. The label TTL then starts at 255, so the LSRs never expire the packet and a customer traceroute shows the provider core as a single hop (the LSR hostnames and addresses stay hidden). "forwarded" applies to transit traffic, "local" to traffic originated by the router itself:
(config)#no mpls ip propagate-ttl forwarded
(config)#no mpls ip propagate-ttl local

____________________________________________________________________________________________________________________

MPLS Session Protection


____________________________________________________________________________________________________________________
When a link between two LSRs goes down the LDP session over it goes down too, and when the link comes back the LIB and LFIB need to be re-populated. This is why it might be a good idea to PROTECT THE SESSION: the feature provides faster LDP convergence when a link recovers following an outage. It requires an ALTERNATE path between the two LSRs that stays up; over it a TARGETED LDP session is maintained, keeping the label bindings alive until the primary link comes back. Enable it with the global config command on ALL the routers, or configure it on one router and make the other one ACCEPT TARGETED LDP HELLOs with "mpls ldp discovery targeted-hello accept":
(config)#mpls ldp session protection


____________________________________________________________________________________________________________________

MPLS VRFs, RD (Route Distinguisher) and RT (Route Target)


____________________________________________________________________________________________________________________
VRF stands for Virtual Routing and Forwarding. Simply put, it is a separate routing table and forwarding instance within the same router. STEP 1: VRF. To configure a VRF instance with the name VRF_1 do (this name is LOCALLY SIGNIFICANT):
(config)#ip vrf VRF_1

STEP 2: RD and RT. Within the VRF you need a Route Distinguisher (RD), used to make the VRF prefix unique within the MPLS cloud, and the Route Target (RT) that you IMPORT/EXPORT to define the end-to-end communication of the VRF:
(config-vrf)#rd 1:10                                 <-THE VRF IS NOT ACTIVE UNTIL THE RD IS DEFINED
(config-vrf)#route-target [import|export|both] 1:100
*RD does NOT indicate which VRF the prefix belongs to!!! Route-Target is used for that.

RD is a 64-bit value prepended to the customer's 32-bit IPv4 prefix to form a UNIQUE 96-bit VPNv4 address. THESE ADDRESSES ARE EXCHANGED ONLY BETWEEN PEs, NEVER WITH CEs!!! The PE takes the update it receives from the CE, prepends the RD, and advertises the VPNv4 prefix via MP-BGP. "route-target import|export" defines the RT, a BGP Extended Community that indicates which routes should be exported from a VRF into MP-BGP and which MP-BGP routes should be imported into a VRF. That is why, when you configure the VPNv4 AF under MP-BGP, the following command automatically appears under the BGP process (IF NOT, ADD IT MANUALLY, otherwise the RTs are stripped and the far end imports nothing):
(config-router-af)#neighbor 3.3.3.3 send-community extended

"route-target export" - Specifies the RT attached to every route exported from the local VRF into MP-BGP.
"route-target import" - RT used as an IMPORT FILTER, so only MP-BGP routes carrying a matching RT are imported into the VRF.

STEP 3: VRF INTERFACES. If you check the configured VRF at this point:
#sh ip vrf det
VRF CB; default RD 1:20; default VPNID <not set>
  No interfaces          <-NO INTERFACES!!!
  VRF Table ID = 212
  Export VPN route-target communities
    RT:1:100
  Import VPN route-target communities
    RT:1:100

VRFs follow more or less the same philosophy as VLANs - you need to assign the interfaces to the VRF. NOTE that the IP address of the interface is automatically removed when you do, so re-add it:
(config-if)#ip vrf forwarding CA
% Interface Serial0/1/1 IP address 10.1.13.3 removed due to enabling VRF CA
(config-if)#ip add 10.1.13.3 255.255.255.0
*YOU WILL ONLY BE ABLE TO PING THE NEIGHBOR ON THIS INTERFACE FROM WITHIN THE VRF:
#ping vrf CA 10.1.13.1
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

MP-BGP: When you have created the RD and RT and BGP is configured, notice that a new address family appears within the BGP process; this is where you redistribute or advertise the customer routes of that VRF:
address-family ipv4 vrf CB

*When the ROUTE-TARGET is not exported on one PE and imported on the other where needed, the routes are carried by MP-BGP but are NOT installed into the VRF on the receiving PE.
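The RD-versus-RT distinction is the part people mix up, so here is the mechanism in Python: two customers advertise the same 10.1.1.0/24, the RD keeps the two VPNv4 prefixes distinct in the MP-BGP table, and only the RT decides which VRF imports what. This is an added example, not code from the original notes or from Cisco; the VRF names, RD/RT values and prefixes are constructed sample data, and only type-0 ("ASN:nn") RDs are encoded.

```python
"""RD and RT, illustrated in Python (added example, not from the original
notes). The VRFs, RD/RT values and prefixes are constructed sample data.
RD (64 bits) is prepended to the IPv4 prefix to form the 96-bit VPNv4
address; RT is an extended community carried WITH the route and is the only
thing the receiving PE looks at when deciding which VRF gets the route."""
import ipaddress


def rd_to_bytes(rd):
    """Type 0 RD "ASN:nn" -> 8 bytes: 2-byte type 0, 2-byte ASN, 4-byte number."""
    asn, num = (int(x) for x in rd.split(":"))
    return (0).to_bytes(2, "big") + asn.to_bytes(2, "big") + num.to_bytes(4, "big")


def vpnv4_prefix(rd, prefix):
    """Return the VPNv4 address as 'RD:prefix' text plus its 96-bit value."""
    net = ipaddress.ip_network(prefix)
    raw = rd_to_bytes(rd) + net.network_address.packed   # 8 + 4 bytes = 96 bits
    return f"{rd}:{net}", int.from_bytes(raw, "big")


def export_routes(vrf_name, vrf, local_routes):
    """Routes leaving a VRF into MP-BGP: each gets the VRF's RD and export RTs."""
    return [{"vpnv4": vpnv4_prefix(vrf["rd"], p)[0], "prefix": p,
             "rt": set(vrf["export"]), "from": vrf_name} for p in local_routes]


def import_routes(vrf, bgp_table):
    """Routes accepted into a VRF: any route carrying at least one RT that is
    in the VRF's import list. The RD plays no part in this decision."""
    return [r["prefix"] for r in bgp_table if r["rt"] & set(vrf["import"])]


# Constructed PE configuration: two customers with overlapping address space,
# plus a shared-services VRF that imports both and is exported to CA only.
VRFS = {
    "CA":     {"rd": "1:10", "export": ["1:100"], "import": ["1:100"]},
    "CB":     {"rd": "1:20", "export": ["1:200"], "import": ["1:200"]},
    "SHARED": {"rd": "1:30", "export": ["1:100"], "import": ["1:100", "1:200"]},
}


def build_bgp_table():
    """Everything the PE would advertise into VPNv4 MP-BGP."""
    table = []
    table += export_routes("CA", VRFS["CA"], ["10.1.1.0/24"])
    table += export_routes("CB", VRFS["CB"], ["10.1.1.0/24"])   # same prefix, other customer
    table += export_routes("SHARED", VRFS["SHARED"], ["192.0.2.0/24"])
    return table


if __name__ == "__main__":
    table = build_bgp_table()
    for r in table:
        print(r["vpnv4"], "RT", sorted(r["rt"]))
    for name, vrf in VRFS.items():
        print(name, "imports", import_routes(vrf, table))
```

Note what happens to the SHARED VRF: because it imports both customers' RTs it receives both copies of 10.1.1.0/24, which is exactly the overlapping-address conflict the RD does not protect you from once routes land in the same table. Keep RT import lists tight for the same reason you keep firewall rules tight.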


____________________________________________________________________________________________________________________

L2VPN - AToM (Any Transport over MPLS)


____________________________________________________________________________________________________________________
AToM encapsulates Layer 2 frames at the ingress PE and sends them to the corresponding PE at the other end of a pseudowire, which is a point-to-point connection between the two PE routers. The egress PE removes the encapsulation and sends out the Layer 2 frame. The combination of the peer router ID and the VC ID must be unique on the router: two circuits cannot use the same combination of peer router ID and VC ID. The xconnect command also specifies the tunneling method used to encapsulate data in the pseudowire; AToM uses MPLS:
(config-if)#xconnect <peer-router-id> <vcid> encapsulation mpls

Used to interconnect VLANs of remote CE routers across the MPLS core. Configured on the PE interface towards the CE: create a SUB-INTERFACE for the VLAN, define the dot1Q encapsulation on it, and cross-connect it to the remote PE:
(config)#interface FastEthernet0/1.4
(config-subif)#encapsulation dot1Q 4
(config-subif)#no cdp enable
(config-subif)#xconnect 150.1.6.6 2 encapsulation mpls   <-DESTINATION PE IP ADDRESS; 2 IS THE VIRTUAL CIRCUIT ID (VC ID)
(config-if-xconn)#remote circuit id 2

If MPLS is not enabled along THE ENTIRE PATH between the PEs, you need to create a TUNNEL to traverse the non-MPLS part. The VC below is down for exactly that kind of reason: the targeted LDP session to the peer is up (IP reachability exists), but there is no LSP to 150.1.6.6, so no label can be imposed:
#show mpls l2transport vc detail
Local interface: Fa0/1.4 up, line protocol up, Eth VLAN 4 up
  Destination address: 150.1.6.6, VC ID: 2, VC status: down
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route         <-NO LSP TOWARDS THE REMOTE PE, SO THE VC STAYS DOWN
    No adjacency
  Create time: 00:04:55, last status change time: 00:04:48
  Signaling protocol: LDP, peer 150.1.6.6:0 up
    MPLS VC labels: local 32, remote 31
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0


IPv6


____________________________________________________________________________________________________________________

IPv6 TIPS
____________________________________________________________________________________________________________________

TIP: When doing IPv6 over Frame-Relay, ALWAYS configure and MAP the Link-Local address as well!!!
TIP: To filter IPv6 traffic have in mind 2 things:
1. IPv6 ACLs are always NAMED; the "ipv6 access-list" command does not offer numbered lists, so give it a name:
(config)#ipv6 access-list ACL_IPV6

2. Apply the filter DIRECTLY ON THE INTERFACE using the IPv6 traffic filter (not "ip access-group", which is IPv4-only):
(config-if)#ipv6 traffic-filter ACL_IPV6 in

____________________________________________________________________________________________________________________

IPv6 Basics
____________________________________________________________________________________________________________________
Loopback:    ::1/128
Multicast:   FF00::/8
Link Local:  FE80::/10  - used for stateless auto-configuration, Neighbor Discovery, Router Discovery
Unique Local: FC00::/7  - unicast, the equivalent of the IPv4 private addresses, not routable via global BGP
EUI-64 - always use /64 prefixes on all the INTERFACES; the MAC can be converted into EUI-64 format to get the interface (host) part of the address. The router can assign the HOST portion of the address AUTOMATICALLY using an interface MAC (for interfaces without a MAC, such as loopbacks and serials, it borrows the MAC of a LAN interface):
(config-if)#ipv add 2:2:2:2::/64 eui-64

When you need to do this MANUALLY, find the MAC address of the interface, for example Fa0/0, and modify it:
#sh int fa0/0 | i bia
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

So the MAC is 001e.be5d.27f0. Insert "FFFE" in the middle and flip the U/L bit of the first byte (00 becomes 02) and you get the HOST PORTION: 021e:beff:fe5d:27f0, written as 21E:BEFF:FE5D:27F0 in the address.
ARP has been replaced with ICMPv6 Neighbor Discovery (ND). Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping.

TIP: before enabling IPv6 on a router and configuring the interfaces, make sure there is IPv4 connectivity (so you can still reach the box if you break something).
IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing

On a ROUTER you should enable IPv6 on an interface:


(config-if)#ipv6 enable

The LINK-LOCAL address is generated from the interface MAC address as soon as you do "ipv6 enable". Assign the UNICAST IPv6 address:
(config-if)#no switchport           <--- DON'T FORGET on 3560 OR 3750
(config-if)#ipv6 add 12:1:1::3/64


#show ipv6 inter lo0
Loopback0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  Global unicast address(es):
    2:2:2:2:21E:BEFF:FE5D:27F0, subnet is 2:2:2:2::/64 [EUI]

Assign a LINK-LOCAL IPv6 Address, if you want to configure it STATICALLY:


(config-if)#ipv6 address FE80::1 link-local
*Be sure it starts with FE80, or you will get the message "% Invalid link-local address"

By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:
#debug ipv6 nd

When you configure the "ipv6 enable" on the interface, the Link Local address is assigned:
*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0

!!!NS - Neighbor Solicitation for its own tentative address (Duplicate Address Detection)


*Nov 21 08:21:03.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.

!!!FE80::21E:BEFF:FE5D:27F0 Assigned. DAD - Duplicate Address Detection confirms IP is UNIQUE!


*Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0

!!!NA - Neighbor Advertisement announcing the router's Link-Local address to the link


*Nov 21 08:21:03.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0

!!!The address comes UP because nobody complained during DAD.

Check if the interface got the correct IPv6 address:
#sh ipv6 int br
FastEthernet0/0            [up/up]
    FE80::21E:BEFF:FE5D:27F0
FastEthernet0/1            [administratively down/down]
Serial0/1/0                [up/down]
Serial0/1/1                [administratively down/down]
Serial0/2/0                [administratively down/down]

When you SHUT the local interface, the Link Local address is deleted:
*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0 *Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA

And we are finally reaching my favorite change in the IPv6, the NEIGHBOR DISCOVERY and DISPLAY:
#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
12:1:1:12::1                                0 0013.6085.aeea  STALE Fa0/0   <- UNICAST
FE80::1                                     0 0013.6085.aeea  STALE Fa0/0   <- LINK-LOCAL (same neighbor, same MAC)
123::21E:BEFF:FE5D:27F0                   166 001e.be5d.27f0  STALE Fa0/0
FE80::3                                     0 0013.6085.e3c6  REACH Fa0/0

You can configure the IPv6 Neighbor statically, using the Global Configuration command:
(config)#ipv6 neighbor 123::21E:BEFF:FE5D:27F0 Fa0/0 001e.be5d.27f0

A neighbor entry can be in one of the following states (the IOS abbreviations of the RFC 4861 states):
- INCMP - address resolution in progress, no link-layer address yet
- REACH - reachability confirmed recently
- STALE - no confirmation within the reachable time; still usable, re-verified on next use
- DELAY / PROBE - transitional states while re-verifying a STALE entry
You can tune the TIMER for the REACH -> STALE transition. To check the current values do:


#sh ipv6 int fa0/0 | i time
  ND reachable time is 30000 milliseconds           <- REACH -> STALE after 30 s without reachability confirmation
  ND advertised reachable time is 0 milliseconds    <- 0 = UNSPECIFIED in the RAs, hosts keep their own default

If you want to CHANGE this value (time it takes the neighbor to go to STALE from REACHABLE):
(config-if)#ipv6 nd reachable-time 50000

There is also AUTOMATIC IPv6 address assignment called STATELESS AUTOCONFIG (SLAAC). The router that hands out the prefix (it needs "ipv6 unicast-routing" so that it sends Router Advertisements) advertises the /64, and the client builds the host part itself with EUI-64. Even if that router goes down, the addresses stay valid on the clients for the advertised valid lifetime, 30 days by default, as long as their interfaces don't go down. Be aware that ANY device sending RAs on the link can hand out prefixes and a default gateway this way. To activate it on the client interface:
(config-if)#ipv6 address autoconfig

____________________________________________________________________________________________________________________

Convert MAC to Link Local IPv6 Address


____________________________________________________________________________________________________________________
Check how the Link-Local address has been generated from the interface MAC address:
#sh int fa0/0 | i Hard
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

IPv6: FE80::21E:BEFF:FE5D:27F0
FE80:: - the prefix of Link-Local IPv6 addresses

The first byte 00 becomes 02 because the U/L (universal/local) bit, bit 7 of the first byte (value 0x02), is flipped to turn the MAC into a modified EUI-64 identifier. The 48-bit MAC is extended to the 64 bits the interface ID needs by inserting FFFE in the middle, between the OUI and the NIC part:
2|1E:BE|FF:FE|5D:27F0
So: first byte with the 0x02 bit flipped + next 4 HEX digits of the MAC + FFFE + last 6 HEX digits of the MAC.

Now check the complete IPv6 configuration of the interface:
#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured
  Joined group address(es):
    FF02::1             <- ALL-NODES; the 0 flag nibble after FF means a PERMANENT (well-known) group, 1 would mean TRANSIENT
    FF02::2             <- ALL-ROUTERS on the link
    FF02::1:FF5D:27F0   <- SOLICITED-NODE multicast address: FF02::1:FF + low 24 bits of the unicast address
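The EUI-64 steps above (this section and the manual conversion in the IPv6 Basics section) are easy to get wrong by hand, so here they are as code: MAC to modified EUI-64, link-local and global EUI-64 addresses, the solicited-node multicast group, and the reverse mapping back to the MAC. This is an added example, not part of the original notes or of IOS; it uses the page's MAC 001e.be5d.27f0 and 2:2:2:2::/64, and Python's standard ipaddress module.

```python
"""EUI-64 / link-local / solicited-node derivation (added example, not from
the original notes). Uses the MAC 001e.be5d.27f0 and prefix 2:2:2:2::/64
from the notes; nothing here talks to a router."""
import ipaddress


def mac_to_eui64(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (as int).
    Insert FFFE between the OUI and the NIC part, then flip the U/L bit
    (bit 7 of the first byte, 0x02), so 00:1e:... becomes 02:1e:..."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_local(mac):
    """FE80::/64 + EUI-64 interface ID, what "ipv6 enable" gives you."""
    return ipaddress.IPv6Address((0xFE80 << 112) | mac_to_eui64(mac))


def global_eui64(prefix, mac):
    """Equivalent of 'ipv6 address <prefix>/64 eui-64'."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64(mac))


def solicited_node(addr):
    """FF02::1:FFxx:xxxx built from the low 24 bits of any unicast address;
    it is the group a Neighbor Solicitation for addr is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address((0xFF02 << 112) | (0x01FF << 24) | low24)


def eui64_to_mac(addr):
    """Reverse: recover the MAC from an EUI-64 derived address. This is the
    privacy problem with EUI-64: the MAC follows the host into every prefix."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 interface identifier")
    b[0] ^= 0x02
    mac = bytes(b[:3] + b[5:]).hex()
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    mac = "001e.be5d.27f0"
    print(link_local(mac))                     # fe80::21e:beff:fe5d:27f0
    print(global_eui64("2:2:2:2::/64", mac))   # 2:2:2:2:21e:beff:fe5d:27f0
    print(solicited_node(link_local(mac)))     # ff02::1:ff5d:27f0
    print(eui64_to_mac("2:2:2:2:21e:beff:fe5d:27f0"))
```

The results match the "show ipv6 interface" outputs on this page: FE80::21E:BEFF:FE5D:27F0, 2:2:2:2:21E:BEFF:FE5D:27F0 and the joined group FF02::1:FF5D:27F0.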


____________________________________________________________________________________________________________________

IPv6 Routing
____________________________________________________________________________________________________________________
STATIC ROUTING is similar to IPv4 static routing, but have in mind that you point to the IPv6 address of the neighbor; its Link-Local address can also be used, in which case the exit interface is mandatory. In IPv6 REDISTRIBUTION the LOCAL CONNECTED routes are NOT included by default, even when the interfaces are part of the redistributed protocol (add "include-connected" to the redistribute command if you need them).

Step 1: First check the neighbor's address by displaying the IPv6 neighbors:
#sh ipv6 nei
IPv6 Address                              Age Link-layer Addr State Interface
12:1:1:12::1                                1 0013.6085.aeea  STALE Fa0/0
FE80::1                                     1 0013.6085.aeea  STALE Fa0/0

Step 2: And then add the route pointing to the appropriate address:
(config)#ipv6 route 1:1:1:1::/64 12:1:1:12::1

If you want to use the LINK LOCAL address, you also need to specify the INTERFACE:
(config)#ipv6 route 1:1:1:1::/64 fa0/0 FE80::1

If you need to add the DEFAULT ROUTE only (the IPv6 default is ::/0, the all-zeros prefix with length 0):
(config)#ipv6 route ::/0 fa0/0 FE80::2

Step 3: And check the Routing Table for Static Entries:


#sh ipv6 route static | b 64 S 1:1:1:1::/64 [1/0] via 12:1:1:12::1

Or in the case of the default route:
#sh ipv6 route | b S
S   ::/0 [1/0]
     via FE80::2, FastEthernet0/0

Step 4: OPTIONAL: Configure HOST names for the hosts you ping frequently, because IPv6 addresses are long to type. If you name the host R2_lo1, you can later ping it using "ping R2_lo1":
(config)#ipv6 host R2_lo1 ?
  <0-65535>   Default telnet port number   <- CAN BE USEFUL
  X:X:X:X::X  IPv6 address
(config)#ipv6 host R2_lo1 1:1:1:1:213:60FF:FE85:AEEA


____________________________________________________________________________________________________________________

OSPFv3
____________________________________________________________________________________________________________________

Don't forget to define the router-id, because if there are no IPv4 addresses on the router - it cannot pick one! So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later. In OSPFv3 over Frame-Relay DON'T FORGET TO create frame relay mappings for the link-local (FE80::/10) addresses. This being said, you might as well manually create the Link Local addresses on the FR interfaces:
(config-if)#ipv6 address FE80::2 link-local

LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:

OSPFv3                              OSPFv2
0x2001  Router LSA                  1  Router LSA
0x2002  Network LSA                 2  Network LSA
0x2003  Inter-area Prefix LSA       3  Network Summary LSA
0x2004  Inter-area Router LSA       4  ASBR Summary LSA
0x4005  AS-External LSA             5  AS-External LSA
0x2006  Group Membership LSA        6  Group Membership LSA
0x2007  Type-7 LSA                  7  NSSA External LSA
0x0008  Link LSA                    -  (no OSPFv2 equivalent)
0x2009  Intra-area Prefix LSA       -  (no OSPFv2 equivalent)

*If you want an area not to receive LSA4 and LSA5, configure it as stub:
(config-rtr)#area 12 stub   <- ADDS A DEFAULT ROUTE TO THE ISOLATED ROUTER (the router that only has the stub area)
Default Route added:
OI  ::/0 [110/2] via FE80::2, FastEthernet0/0   <- INSTEAD OF ALL EXTERNAL ROUTES

If you want the router to keep INTRA-AREA (O) routes only, configure the area as "stub no-summary" (totally stubby). If you don't want EXTERNAL routes propagated into an area, configure it as NSSA (routes redistributed into the NSSA area will appear marked "ON2"). You can add "default-information-originate" to the nssa statement to inject the default route into the NSSA area.

To change the METRIC/COST you can do two things. Either change the DEFAULT COST under the OSPF process:
(config-rtr)#auto-cost reference-bandwidth 10000

Or use the "ipv6 ospf cost" command under EACH INTERFACE.


____________________________________________________________________________________________________________________

EIGRP IPv6
____________________________________________________________________________________________________________________

The difference with OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100

it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id 1.1.1.1
(config-rtr)#no shut   <- ON SOME IOS VERSIONS NOT NEEDED, BUT DO IT JUST IN CASE...
*Dec 1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

BE SURE TO DEFINE THE METRIC WHEN REDISTRIBUTING INTO EIGRP, or it will not work!!!
(config-rtr)#redistribute ospf 1 metric 1 1 1 1 1

To change the timers on the interface the command is a bit BACKWARDS, as in "ipv6 hello-interval eigrp ...":
(config-if)#ipv6 hello-interval eigrp 100 10   <- HELLO
(config-if)#ipv6 hold-time eigrp 100 40        <- DEAD

The command for checking the current timers is also unintuitive, cause you need to add "details" to the end:
#sh ipv6 eigrp interfaces detail | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60, Hold-time is 180

BE CAREFUL WITH FRAME RELAY, because EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces:
(config-subif)#no ipv6 split-horizon eigrp 100

Like in EIGRPv4, EIGRPv6 packets can use UP TO 50% of the link's bandwidth by default. To change that (to 25% in this example):
(config-subif)#ipv6 bandwidth-percent eigrp 100 25

Another similarity to EIGRPv4, you can use "summary-address" to inject the default route:
(config-if)#ipv6 summary-address eigrp 100 ::0/0
%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured
%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured

EIGRPv6 Authentication: Also similar to EIGRPv4

Step 1: Define the Key Chain:
(config)#key chain MAT
(config-keychain)#key 1
(config-keychain-key)#key-string Cisqueros

Step 2: Apply the key chain to the interface:


(config-if)#ipv6 authentication key-chain eigrp 100 MAT

Step 3: Turn ON the authentication on the interface, in this example MD5:


(config-if)#ipv6 authentication mode eigrp 100 md5

Some ADDITIONAL features: Make sure the incoming prefixes are no more than 50 hops away (hop count <= 50; prefixes further away are treated as unreachable):
(config-rtr)#metric maximum-hops 50

"Tune" the Active Time (time before declaring a router STUCK IN ACTIVE - SIA)
(config-rtr)#timers active-time ?
  <1-65535>  active state time limit in minutes
  disabled   disable time limit for active state


____________________________________________________________________________________________________________________

IPv6 Tunnels
____________________________________________________________________________________________________________________

When you configure them MANUALLY (this means that you define both the source and the destination of the tunnel) the Tunnel mode can be IPv6IP or GRE, depending on what you are asked to do:
(config)#interface tunnel 0
(config-if)#tunnel mode ipv6ip   <- DEFAULT IS GRE

The difference between IPv6IP and GRE will be in the TUNNEL PROTOCOL, so in GRE:
#sh int tunnel 3 | i transport
  Tunnel protocol/transport GRE/IP

While in IPv6IP:
#sh int tunnel 3 | i transport
  Tunnel protocol/transport IPv6/IP

GRE is IP Protocol 47, and IPv6IP is IP Protocol 41. You can check this by PINGING one side from the other, and running "debug ip packet detail" on the other side:

IPv6IP - PROTOCOL 41:


*Nov 29 18:23:52.126: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:52.126: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 136, rcvd 3, proto=41
*Nov 29 18:23:52.126: IP: s=10.1.12.2 (Tunnel0), d=10.1.12.1 (Serial0/1/0.21), len 96, sending, proto=41
*Nov 29 18:23:53.110: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:53.110: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 120, rcvd 3, proto=41

GRE - PROTOCOL 47:


*Nov 29 18:25:30.506: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.506: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 140, rcvd 3, proto=47
*Nov 29 18:25:30.574: IP: s=10.1.12.2 (Tunnel0), d=10.1.12.1 (Serial0/1/0.21), len 140, sending, proto=47
*Nov 29 18:25:30.622: IP: tableid=0, s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.622: IP: s=10.1.12.1 (Serial0/1/0.21), d=10.1.12.2 (Serial0/1/0.21), len 140, rcvd 3, proto=47

6to4 Tunnels: AUTOMATICALLY established, allowing IPv6 connectivity through IPv4. They require SPECIAL ADDRESSING: an IPv6 address starting with 2002, followed by the IPv4 address TRANSLATED to hex. So, we need these steps:

Step 1: Translate the IPv4 address into hex. For example 10.1.1.1:
  10 -> 0A, 1 -> 01, 1 -> 01, 1 -> 01   =>  0A01:0101

Step 2: Identify the tunnel source. IMPORTANT: the Tunnel is AUTOMATIC, so DON'T CONFIGURE THE DESTINATION. Using 2002, which is the 6to4 marker, you get 2002:A01:101::/128, so:
(config-if)#ipv6 address 2002:A01:101::/128

Step 3: Configure the TUNNEL MODE as IPV6IP 6to4:


(config-if)#tunnel mode ipv6ip 6to4


Step 4: Make sure that the Tunnel Interface is going UP/UP


*Nov 29 19:10:13.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up

ISATAP Tunnel: It's an IETF transition mechanism that allows IPv6 networks to connect over IPv4 Networks. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits of the interface identifier are constructed using the IPv4 tunnel source address. ISATAP also has its own IPv6 Address Format, which is formed like this:
  NETWORK PORTION: can be any IPv6 prefix
  HOST PORTION: starts with 0000:5EFE, and the rest of the host portion is the TRANSLATED IPv4 of the TUNNEL SOURCE

Step 1: Define the Tunnel SOURCE address:
(config-if)#tunnel source 10.44.44.44

Step 2: Sending of IPv6 router advertisements is disabled by default on tunnel interfaces. This command re-enables the sending of IPv6 router advertisements to allow client auto-configuration:
(config-if)# no ipv6 nd ra suppress

Step 3: ISATAP The only difference from standard IPv6IP configuration is that the IPv6 address needs to be eui-64 generated, and that the MODE needs to be defined as ISATAP:
(config-if)#ipv6 address 46:1:46::/64 eui-64   <- EUI-64 CONVERTS THE IPv4 SOURCE INTO THE HOST PORTION AUTOMATICALLY
(config-if)#tunnel mode ipv6ip isatap
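To verify the two address derivations above without doing the hex by hand, here is an added Python example (not from the guide, and not IOS behaviour) that builds the 6to4 address from 10.1.1.1 and the ISATAP address from prefix 46:1:46::/64 and tunnel source 10.44.44.44, the values used on this page, and recovers the tunnel source from an ISATAP address as a check:

```python
"""Added example: derive 6to4 and ISATAP IPv6 addresses from an IPv4 tunnel source.
Addresses are the ones used on the page (10.1.1.1, 46:1:46::/64, 10.44.44.44)."""
import ipaddress

SIX_TO_FOUR_MARKER = 0x2002    # 2002::/16, the 6to4 prefix
ISATAP_IID_HIGH = 0x00005EFE   # upper 32 bits of an ISATAP interface ID (0000:5EFE)
U_BIT = 0x02000000             # "u" bit in the IID, set when the IPv4 source is globally unique


def ipv4_to_hex_groups(ipv4: str) -> tuple[str, str]:
    """Step 1 of 6to4: 10.1.1.1 -> ('a01', '101'), i.e. the two hextets 0A01:0101."""
    value = int(ipaddress.IPv4Address(ipv4))
    return f"{value >> 16:x}", f"{value & 0xFFFF:x}"


def six_to_four_prefix(ipv4: str) -> str:
    """The site's 6to4 prefix: 2002:<hex IPv4>::/48."""
    value = (SIX_TO_FOUR_MARKER << 112) | (int(ipaddress.IPv4Address(ipv4)) << 80)
    return str(ipaddress.IPv6Network((value, 48)))


def six_to_four_tunnel_address(ipv4: str) -> str:
    """Step 2 of 6to4 as configured on the page: the all-zero host of that prefix as a /128."""
    value = (SIX_TO_FOUR_MARKER << 112) | (int(ipaddress.IPv4Address(ipv4)) << 80)
    return str(ipaddress.IPv6Interface((value, 128)))


def isatap_address(prefix: str, tunnel_source: str) -> str:
    """ISATAP: <any /64 prefix> + 0000:5EFE + <IPv4 of the tunnel source>."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP interface ID needs a /64 prefix")
    iid = (ISATAP_IID_HIGH << 32) | int(ipaddress.IPv4Address(tunnel_source))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def isatap_tunnel_source(addr: str) -> str:
    """Reverse check: recover the IPv4 tunnel source embedded in an ISATAP address.
    The u bit is ignored so both 0000:5EFE and 0200:5EFE forms are accepted."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if ((iid >> 32) & ~U_BIT & 0xFFFFFFFF) != ISATAP_IID_HIGH:
        raise ValueError(f"{addr} does not carry an ISATAP interface ID")
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


if __name__ == "__main__":
    print(ipv4_to_hex_groups("10.1.1.1"), six_to_four_tunnel_address("10.1.1.1"))
    print(isatap_address("46:1:46::/64", "10.44.44.44"))
```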

____________________________________________________________________________________________________________________

IPv6 Multicast Routing


____________________________________________________________________________________________________________________

To start implementing multicasting in the campus network, users must first define who receives the multicast. The MLD protocol is used by IPv6 routers to discover the presence of multicast listeners. MLD uses ICMPv6 for its messages. The Multicast QUERIER is a ROUTER that sends queries to discover the group members. A Multicast HOST is a RECEIVER (including routers) that sends REPORTS to inform the querier.

IPv6 RP and BSR (Boot-Strap Router)


The BSR protocol for PIM-SM provides a mechanism to distribute group-to-RP mapping information throughout a domain. If the RP is unreachable, BSR will detect it and modify the mapping tables. A few routers are configured as candidate bootstrap routers (C-BSRs) and a single BSR is elected for the domain. To set a router to be a BSR candidate - enable IPv6 Multicast globally, make sure IPv6 is also enabled, and use one of its local IPv6 addresses. Assign the router BSR priority:
(config)#ipv6 pim bsr candidate bsr 2001:CC1E:1:404:21A:E2FF:FEAB:FF29 priority 100

Configure a Router that will be Sending PIM RP Advertisements to the BSR:


(config)#ipv6 pim bsr candidate rp 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0
#sh ipv6 pim bsr rp-cache
PIMv2 BSR C-RP Cache
BSR Candidate RP Cache
Group(s) FF00::/8, RP count 1
  RP 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0 SM
    Priority 192, Holdtime 150
    Uptime: 00:02:46, expires: 00:01:43

The big challenge in any Multicast configuration is the verification. This can be done by debugging the ICMPv6 packets that MLD uses, and then pinging the MULTICAST IPv6 group from the other side:
#debug ipv6 icmp
