
NOTES TO CCIE

1. ETHERNET SWITCHING

Trunking and DTP
- show interfaces fa0/0 switchport: VLAN and trunking parameters
- DTP modes:
  - dynamic auto: listens for DTP but does not initiate negotiation; if nothing is negotiated the port defaults to access
  - dynamic desirable: actively negotiates and tries to reach the trunk state
- Tip: if DTP is disabled and the two ends are misconfigured (one side trunk, the other access), STP computes on an inconsistent topology and an L2 loop is possible.
- Check: on ports that must never trunk, hard-code switchport mode access and add switchport nonegotiate, so a connected host cannot negotiate a trunk with DTP.

Trunking encapsulations (switchport trunk encapsulation)
- ISL: encapsulates every frame, native VLAN included, with a full header and trailer (30 bytes of overhead)
- dot1q: inserts a 4-byte tag and does not tag the native VLAN. The native VLAN can be tagged with the global command vlan dot1q tag native. Less overhead than ISL (a tag instead of an encapsulation).
- Caveat: because native-VLAN frames travel untagged, an inner tag of a double-tagged frame survives the first trunk; tagging the native VLAN (or using an unused VLAN as native) closes that path.

VLAN ranges
- 1-1001: normal range
- 1002-1005: default reserved (FDDI / Token Ring)
- 1006-4094: extended range

VTP configuration
- show vtp status: mode, configuration revision, MD5 digest
- Default is server mode with a null domain name; a switch automatically inherits the VTP domain from neighbouring switches over trunk interfaces.
- Configuration revision: tracks the history of the VLAN configuration. A higher revision replaces the whole database everywhere. VTP sends updates each time the VLAN configuration changes, and even a client with a higher revision overwrites the databases of every other switch in the domain.
- Caveat: before connecting a switch to a production domain, reset its revision (change its domain name, or set it to transparent mode and back) and configure a VTP password; a stale switch with a high revision erases the domain's VLANs.
- MD5: an MD5 digest is shown even when no password is configured; it is computed over the VLAN database (so it changes with each revision), with the domain password, if any, included in the computation.

VTP pruning
- Prevents unnecessary flooding of broadcasts across trunk links to switches that have no access ports in the specific VLAN.
- Enabled only on switches in server and client VTP mode (not transparent).
- Pruning-eligible VLANs: switchport trunk pruning vlan remove {vlans}
- Each switch sends a join request to neighbouring switches on trunk links stating which VLANs it needs on that trunk (which VLANs it is on the transit path for).
- Trunking with non-VTP devices: trouble with pruning, since such a device sends no requests, the switch assumes all VLANs are active towards it. Possible solution: allow only the interesting VLANs on the trunk (switchport trunk allowed vlan).
- Trouble with pruning and transparent devices: transparent-mode switches forward VTP pruning updates to the next switch unaltered, so pruning decisions end up based on the wrong switch's VLAN needs.

Router on a Stick
- Native VLAN traffic goes to the main interface unless it is tagged
- Tagged VLANs go to the matching subinterfaces (encapsulation dot1Q {vlan} [native])

EtherChannel
- (config-if)# channel-protocol {pagp | lacp}
  - PAgP: Cisco proprietary (modes auto, desirable)
  - LACP: open standard, 802.3ad (modes active, passive)
- show etherchannel summary: status and members
- Global config: port-channel load-balance {method}
- The bundle is one logical link to STP and to MAC learning, so the distribution of traffic between members cannot be seen from MAC address tables. The method chosen decides which header fields (source/destination MAC, IP or port) are hashed into a small value that selects the member link for each flow.
- Advantage of using a negotiation protocol: the other side of the link is notified if a member fails or is misconfigured, avoiding a loop through a member that silently left the bundle.

Example of a member suspended due to misconfiguration:
  1  Po1(SU)  Fa0/0(P)  Fa0/1(s)
(SU = layer 2, in use; P = bundled; s = suspended)
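The load-balance methods above are easier to reason about with the hash written out. The following is an added example, not part of these notes or of any Cisco code: a simplified model of the Catalyst member-selection hash (XOR of the selected fields, keeping the low-order bits), which is an assumption for power-of-two bundles only; the flows and MAC/IP addresses are constructed. It shows why a method that hashes only a field shared by all flows (one destination) polarizes everything onto one member.

```python
import ipaddress

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)

def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))

# Which header fields each port-channel load-balance method feeds into the hash.
METHODS = {
    "src-mac": ("src_mac",),
    "dst-mac": ("dst_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
}

def member_link(method: str, n_links: int, flow: dict) -> int:
    """Model of the Catalyst hash: XOR the selected fields and keep log2(n_links) low-order bits
    (2 links -> 1 bit, 4 -> 2 bits, 8 -> 3 bits). Assumption: only power-of-two bundles are
    modelled; platforms distribute uneven bundles with a proprietary polynomial."""
    if n_links not in (2, 4, 8):
        raise ValueError("only 2, 4 or 8 member links are modelled")
    nbits = n_links.bit_length() - 1
    h = 0
    for field in METHODS[method]:
        value = flow[field]
        h ^= _mac_int(value) if field.endswith("mac") else _ip_int(value)
    return h & ((1 << nbits) - 1)

def distribution(method: str, n_links: int, flows) -> list:
    """How many of the given flows land on each member link."""
    counts = [0] * n_links
    for flow in flows:
        counts[member_link(method, n_links, flow)] += 1
    return counts

def sample_flows():
    """Constructed traffic: eight clients talking to one server through the bundle."""
    return [
        {"src_mac": f"00:00:5e:00:53:{i:02x}", "dst_mac": "00:00:5e:00:53:ff",
         "src_ip": f"10.0.0.{i}", "dst_ip": "10.0.0.100"}
        for i in range(1, 9)
    ]

if __name__ == "__main__":
    flows = sample_flows()
    print(distribution("dst-ip", 2, flows))      # [8, 0]: one destination, one link carries everything
    print(distribution("src-dst-ip", 2, flows))  # [4, 4]
    print(distribution("src-mac", 4, flows))     # [2, 2, 2, 2]
```

The check a practitioner wants is the first line: on a server-facing or router-fac­ing bundle, pick a method that includes a field that actually varies across flows.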

Layer 3 EtherChannel
- Port channel with routed-port members
- Tip: order of operations matters! First configure the members with no switchport, only then channel-group X; the IP address then goes on the port-channel interface.

Layer 2 tunneling (Q-in-Q)
- switchport mode dot1q-tunnel
- switchport access vlan {svlan} sets the service-provider VLAN (S-VLAN)
- Adds a metro tag, so customer and provider VLANs are kept separate
- MTU issue: end-to-end Ethernet does not support fragmentation, and 4 bytes are added, so the minimum recommended MTU is 1504: system mtu 1504
- Control protocols (CDP, STP, VTP) are not forwarded by default; the solution is tunneling them:
  l2protocol-tunnel {cdp | vtp | stp}
  l2protocol-tunnel point-to-point {lacp | pagp | udld}: EtherChannel across the L2 protocol tunnel
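To make the native-VLAN and Q-in-Q points concrete, here is an added example (not from these notes, not Cisco code) that builds and classifies 802.1Q frames the way a trunk port does: tags are peeled, an untagged frame lands in the native VLAN, and with the tag-native behaviour an untagged frame on a trunk is dropped. The MAC addresses and payload are constructed; the use of 0x8100 for the outer metro tag is an assumption (the 802.1ad TPID 0x88A8 is accepted as well).

```python
import struct

TPID_8021Q = 0x8100   # C-tag TPID
TPID_8021AD = 0x88A8  # 802.1ad S-tag TPID; assumption: the outer dot1q-tunnel tag defaults to 0x8100

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace(".", "").replace("-", ""))

def build_frame(dst: str, src: str, vlans, ethertype: int, payload: bytes, s_tpid: int = TPID_8021Q) -> bytes:
    """Build an Ethernet frame (no FCS). vlans is the tag stack, outermost first; [] = untagged.
    When the stack is deeper than one, the outer (metro / S-VLAN) tag uses s_tpid."""
    hdr = _mac(dst) + _mac(src)
    for i, vid in enumerate(vlans):
        tpid = s_tpid if (len(vlans) > 1 and i == 0) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP and DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def receive_on_trunk(frame: bytes, native_vlan: int, tag_native: bool = False):
    """Classify a frame arriving on a dot1q trunk the way the switch does:
    peel every 802.1Q / 802.1ad tag, assign untagged frames to the native VLAN.
    Returns (vlan stack, ethertype, payload), or None when the frame is dropped."""
    vlans, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)
        off += 4
    if not vlans:
        # With 'vlan dot1q tag native' the native VLAN is always tagged, and untagged frames
        # arriving on the trunk are dropped instead of being mapped into the native VLAN.
        if tag_native:
            return None
        vlans = [native_vlan]
    return vlans, etype, frame[off + 2:]

def frame_overhead(vlans) -> int:
    """Header bytes in front of the payload: 14 + 4 per tag (FCS not counted).
    1500-byte payload + one tag = 1518, + a second (Q-in-Q) tag = 1522: hence system mtu 1504."""
    return 14 + 4 * len(vlans)

if __name__ == "__main__":
    # Constructed frames: a customer frame in VLAN 10, the same frame after dot1q-tunnel added
    # S-VLAN 100, and an untagged frame.
    ip_payload = b"\x45" + b"\x00" * 19
    customer = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", [10], 0x0800, ip_payload)
    metro = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", [100, 10], 0x0800, ip_payload)
    untagged = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", [], 0x0800, ip_payload)
    print(receive_on_trunk(customer, native_vlan=1)[0])                # [10]
    print(receive_on_trunk(metro, native_vlan=1)[0])                   # [100, 10]
    print(receive_on_trunk(untagged, native_vlan=1)[0])                # [1]: landed in the native VLAN
    print(receive_on_trunk(untagged, native_vlan=1, tag_native=True))  # None: dropped
    print(frame_overhead([100, 10]) + 1500)                            # 1522
```

The third print is the whole double-tagging problem in one line: whatever arrives untagged is silently placed in the native VLAN, so an attacker who can reach the native VLAN with an inner tag gets that inner tag honoured one trunk later.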

Spanning-Tree Protocol
Basic operation: a root bridge is elected, then each non-root switch selects a root port (upstream towards the root); each segment gets a designated port, and the remaining ports block.
- Choosing a root: lowest bridge ID
  Bridge ID = priority (0-61440, in increments of 4096) + system ID extension (VLAN number) + MAC address
  spanning-tree vlan {vlan} priority {value}
- Default mode is PVST+: a separate instance per VLAN, each with its own root
- Designated ports are chosen by lowest cost to the root (after the root port has been chosen, of course)
- Root and designated port selection, in order: cost, neighbour BID, neighbour port ID (only with multiple links to the same neighbour)
- Timers, set on the root (on a converged legacy STP network only the root originates BPDUs): hello 2 s default, forward delay (listening, learning) 15 s default, max age (ageing of root information) 20 s default
- A topology change is advertised by the root (TC flag in its BPDUs) and makes bridges shorten CAM ageing to the forward-delay time, so stale entries for the affected VLAN are flushed.
PortFast
- Lets a port go to forwarding without transitioning through listening / learning. A PortFast port does not generate a topology change when it changes state.
- spanning-tree portfast default: enables PortFast on all access interfaces (not on trunks; for a trunk use spanning-tree portfast trunk on the interface)
UplinkFast
- (config)# spanning-tree uplinkfast
- Switches to an alternate port when a directly connected root port fails. Sets a high bridge priority (49152) and adds 3000 to the port costs so that this switch's ports do not become designated.
BackboneFast
- Once the switch receives an inferior BPDU (a designated bridge claiming a worse root, meaning a root port failure further upstream) it sends an RLQ (Root Link Query) looking for an alternate path and expires max age immediately instead of waiting 20 s.
- BackboneFast only reacts to inferior BPDUs coming from the designated bridge, so a new switch that does not yet know the root joining the topology causes no issue.
BPDU filter
- Disregards BPDUs on edge ports: spanning-tree bpdufilter enable (interface)
- Configured globally together with PortFast (spanning-tree portfast bpdufilter default) it only suppresses outgoing BPDUs: if a BPDU is received the port loses its edge status and goes from edge to point-to-point.

BPDU guard
- Puts a port into errdisable when a BPDU is received on an edge port. Interface: spanning-tree bpduguard enable; globally for PortFast ports: spanning-tree portfast bpduguard default
- If the errdisable recovery timer is disabled you have to shut and no shut the port manually. Change this with errdisable recovery cause bpduguard and set the timer with errdisable recovery interval {seconds}.
Loop guard
- spanning-tree loopguard default (global) / spanning-tree guard loop (interface): protects against unidirectional failures (one side of the link stops receiving), like UDLD but using BPDUs; a port that stops receiving BPDUs goes loop-inconsistent instead of forwarding.
Root guard
- spanning-tree guard root: puts the port into the root-inconsistent (blocking) state for the instance in which a superior BPDU is received, so a downstream switch cannot become root.
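The root election and root-port tie-breaking above are deterministic enough to code. This is an added example, not from the notes and not Cisco code: it builds the PVST+ bridge ID (priority + VLAN + MAC) and applies the cost / neighbour BID / neighbour port ID ordering. The switch names, MACs and costs are constructed; it also shows what a rogue switch with priority 0 does, which is the case root guard exists for.

```python
def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)

def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID as PVST+ builds it: 4-bit priority (multiples of 4096),
    12-bit system ID extension (the VLAN number), then the 48-bit MAC. Lowest wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    return ((priority + vlan) << 48) | _mac_int(mac)

def elect_root(switches: dict, vlan: int) -> str:
    """switches: name -> (priority, mac). Returns the root bridge of this VLAN's instance."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))

def select_root_port(candidates: list) -> str:
    """candidates: (local_port, root_path_cost, neighbour_bid, neighbour_port_id).
    Ordering from the text: cost, then neighbour BID, then neighbour port ID
    (the last only decides between parallel links to the same neighbour)."""
    return min(candidates, key=lambda c: (c[1], c[2], c[3]))[0]

if __name__ == "__main__":
    # Constructed topology: three switches at the default priority 32768.
    switches = {
        "SW1": (32768, "0011.2233.4455"),
        "SW2": (32768, "0011.2233.0001"),
        "SW3": (32768, "0022.0000.0001"),
    }
    print(elect_root(switches, 10))  # SW2: equal priority, lowest MAC
    switches["SW1"] = (24576, "0011.2233.4455")  # spanning-tree vlan 10 priority 24576 on SW1
    print(elect_root(switches, 10))  # SW1
    # An unmanaged switch plugged in with priority 0 wins the election outright; root guard on
    # the access-facing designated ports is what stops it.
    switches["ROGUE"] = (0, "00ff.ffff.ffff")
    print(elect_root(switches, 10))  # ROGUE
    sw1_bid = bridge_id(24576, 10, "0011.2233.4455")
    # SW3 has two equal-cost uplinks to SW1: the neighbour's lower port ID decides.
    print(select_root_port([("Fa0/2", 19, sw1_bid, 0x8002), ("Fa0/1", 19, sw1_bid, 0x8001)]))  # Fa0/1
```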

Multiple Spanning-Tree Protocol
- spanning-tree mst configuration: maps instances to VLANs
- spanning-tree mode mst: enables MST, which automatically uses RSTP
RSTP
- Two-way BPDUs: a proposal and an agreement on each link
- Avoids the listening state by using the proposal / agreement handshake
- Link types:
  - point-to-point: full duplex, not an edge port
  - shared: half duplex / connected to a hub
  - edge: connected to end devices, enabled by PortFast
- Port roles:
  - root
  - designated
  - alternate: like UplinkFast (backup to the root port)
  - backup: backup to the designated port on the same segment
- Port states: discarding, learning, forwarding
MSTP with multiple regions
- Same region means the same VLAN-to-instance mappings, the same revision number and the same region name.
- Inter-region operation behaves like a hidden cloud: seen from other regions, a region collapses into one virtual bridge.
- CST: common spanning tree (between regions); IST: internal spanning tree (within a region)
- IST = MST instance 0, the special instance to which all VLANs belong by default, which sends the BPDUs and represents the region.
- The CST root (the common spanning tree root among regions) should be inside an MST region and not in a PVST or RSTP domain that does not run MST.

Flex Links
- switchport backup interface {interface}
- switchport backup interface {interface} mmu primary vlan {vlan}: MAC move update, lets the MAC addresses move to the backup interface and be advertised to the upstream switches

2. FRAME RELAY

- NBMA: non-broadcast multi-access
- Multipoint vs point-to-point: multipoint requires address resolution (in Frame Relay, resolving the destination IP to the local DLCI)
- DLCI: link-local L2 address
- LMI: Local Management Interface, talks to the Frame Relay switch and queries the status of the circuits: active, inactive, deleted (wrong DLCI), static (LMI disabled)
- Address resolution: dynamic (Inverse ARP) or static (frame-relay map)
- show frame-relay map: the equivalent of show arp
- Inverse ARP is automatically enabled whenever the configured L3 protocol supports it (IPv4 does, IPv6 and CLNS do not). Inverse ARP does not check whether the L3 address is on the same subnet.
- Static mapping: frame-relay map ip {address} {dlci}; once configured it disables Inverse ARP for that circuit/protocol pair

- Autoinstall: a router with no configuration automatically tries to obtain an address, and to do so it learns the encapsulation (this only happens when there is no startup config).
- TIP: this matters because, while loading, the router can create Inverse ARP mappings to 0.0.0.0 which later cause problems at L3. In that case save your config and reload.
- show frame-relay pvc: circuit status
- When broadcast is enabled on a circuit and L3 hands down a broadcast or multicast packet, it is sent as a pseudo-broadcast (replicated onto each circuit). The broadcast keyword on the mapping does not refer to the mapping itself; it refers to the whole {circuit, protocol} pair.
- Point-to-point subinterfaces do not perform Inverse ARP and do not allow static mappings, since every packet goes out the same circuit.
Frame Relay switch
- Globally enable frame-relay switching. Per interface define encapsulation frame-relay and frame-relay intf-type dce. Then there are two ways of configuring the PVC cross-connect:
  - Legacy, per interface: frame-relay route {in-dlci} interface {interface} {out-dlci}
  - Current, global: connect {name} {interface-1} {dlci-1} {interface-2} {dlci-2}

Back-to-back Frame Relay
- Directly connected routers, no switch, no LMI (no keepalive on the interface)
End-to-end keepalives
- map-class frame-relay {name}
  frame-relay end-to-end keepalive mode {request | reply | passive-reply | bidirectional}
- Applied on the interface with frame-relay class {name}, or on the circuit (under frame-relay interface-dlci) with the class {name} command

3. PPP

- LCP: Link Control Protocol. Each higher-layer protocol has its own NCP (IPCP for IP).
- IPCP negotiation learns the address of the neighbour and installs it in the routing table as a /32 host route (besides the normal connected route).
PAP
- One-way process: the authenticator asks for credentials and the peer sends username and password in clear text.
- ppp authentication pap (authenticator); ppp pap sent-username {user} password {pass} (the response providing credentials)
CHAP
- Three-way challenge / response: the password is never sent; the peer returns an MD5 hash of the challenge and the shared secret, so the secret must be identical on both routers.
- ppp authentication chap
- username {other-router} password {shared-password}
PPP over other protocols (Frame Relay)
- interface virtual-template {n}
- frame-relay interface-dlci {dlci} ppp Virtual-Template {n}
PPP multilink / PPPoE
Server side
- interface virtual-template {n}
- bba-group pppoe {name}, with virtual-template {n}
- interface fa0/0: pppoe enable group {name}
Client side
- interface dialer {n}: encapsulation ppp, ip address ..., dialer pool {n}, dialer-group {n} | dialer persistent
- interface fa0/0:

  pppoe-client dial-pool-number {n}
- ip mtu on the dialer: PPPoE adds 8 bytes (6-byte PPPoE header + 2-byte PPP header), so the dialer MTU defaults to 1492. Setting ip mtu 1500 on the dialer only works if the Ethernet side carries 1508-byte frames; otherwise 1500-byte IP packets have to be fragmented.
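The CHAP point above (hashes must be computed from the same secret on both sides; the secret never goes on the wire, unlike PAP) is worth seeing as the actual RFC 1994 computation. The following is an added example, not from the notes and not Cisco code; the usernames and secrets are constructed, and the `username <peer> password <secret>` table is modelled as a dict.

```python
import hashlib
import hmac
import os

def chap_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh random Challenge value for every CHAP round."""
    return os.urandom(length)

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge). The secret never leaves the peer."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with its own copy of the secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, stored_secret, challenge), response)

def chap_exchange(authenticator_users: dict, peer_name: str, peer_secret: bytes,
                  challenge: bytes, identifier: int = 1) -> bool:
    """Both sides of one round. authenticator_users models the authenticator's
    'username <peer> password <secret>' entries; peer_secret is what the peer has configured.
    The round only succeeds when the two copies of the secret are identical."""
    response = chap_response(identifier, peer_secret, challenge)  # sent by the peer in the Response packet
    stored = authenticator_users.get(peer_name)                   # looked up by the name carried in the Response
    if stored is None:
        return False
    return chap_verify(identifier, stored, challenge, response)

def pap_exchange(authenticator_users: dict, name: str, password: bytes) -> bool:
    """PAP for contrast: the Authenticate-Request carries the password itself in clear."""
    return authenticator_users.get(name) == password

if __name__ == "__main__":
    users = {"R2": b"cisco123"}            # on R1: username R2 password cisco123
    challenge = chap_challenge()
    print(chap_exchange(users, "R2", b"cisco123", challenge))  # True
    print(chap_exchange(users, "R2", b"cisco124", challenge))  # False: secrets differ by one byte
    print(chap_exchange(users, "R3", b"cisco123", challenge))  # False: no username entry for the peer
    print(pap_exchange(users, "R2", b"cisco123"))              # True, but b"cisco123" was on the wire
```

Note that CHAP still needs the clear secret stored on both routers (the hash is over the secret, so it cannot be kept as a one-way hash in the config), which is why `service password-encryption` only obfuscates it.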

Transparent bridging
- bridge 1 protocol ieee
- interface fa0/0: bridge-group 1
- no ip routing
- show bridge 1 group
IRB
- bridge irb
- bridge 1 route ip
- interface BVI1: ip address x.x.x.x (from the bridge domain)
Fallback bridging
- Feature on Catalyst switches that bridges legacy protocols while routing IP and IPv6
- bridge 1 protocol vlan-bridge
- interface vlan 1: bridge-group 1

4. Protocol Independent Routing

Switching paths
- Process switching: a routing table lookup for every packet
- Fast switching: the first packet of a flow is process switched and the result cached; later packets use the cache

- CEF: builds the forwarding table (FIB and adjacency table) automatically from the routing table
- show ip cef exact-route {source} {destination}: shows which path the packet will take
- Static route to an interface on a multipoint interface: the router tries to resolve the final destination directly (through ARP or Inverse ARP, for example), so a mapping or proxy ARP on the far side is needed
- ip default-gateway: only with ip routing turned off
- ip default-network: a classful network that is not directly connected is flagged as the default in routing advertisements
ODR
- Uses CDP to advertise routing. On the hub configure router odr; on the spokes you only have to ensure CDP is on.
- The hub advertises itself as default gateway and learns the networks connected to the spokes. No routing protocol may be running on the spokes.
Backup interface
- Configured on the primary interface; the backup's line protocol comes up only when the primary goes down: backup interface {interface}
Enhanced tracking
- ip sla monitor 1 / type {operation} / frequency {s}; ip sla monitor schedule 1 start-time now
- track 1 rtr 1 reachability (or track {n} interface {if} line-protocol, etc.)
- Many options both for ip sla (icmp-echo, tcp-connect, etc.) and for track objects
Policy routing
- ip policy route-map {name} on the interface; locally generated traffic: ip local policy route-map {name}
- set ip next-hop verify-availability 10.0.0.138 {seq} track 6
GRE
- IP protocol 47

- Default mode is tunnel mode gre ip
- Recursive routing failure: the route to the tunnel destination is learned through the tunnel itself (for instance the destination's loopback is advertised by a routing protocol running over the tunnel); the tunnel then flaps.
- keepalive: tracks reachability to the destination (the source sends GRE keepalives to the destination), so the tunnel state can be used to track connectivity.
- An option for reliable routing is configuring a secondary interface as backup interface to the tunnel: it comes up when the tunnel goes down, which means reachability was lost (even if the physical interface is up).

5. RIP

RIP version 1
- Classful, broadcast updates
- UDP port 520
RIP version 2
- Classless, multicast 224.0.0.9
- Version 1 behaviour: if it receives a subnetted prefix belonging to the classful network of the receiving interface it assumes the interface mask; otherwise the classful mask.
- To change the version per link, configure on the interface ip rip send version / ip rip receive version
- Split horizon: enabled by default on all interfaces except the main (physical) interface of Frame Relay
Timers (defaults)
- update 30, invalid 180, hold-down 180, flush 240
- sleeptime: delays the regular update for this time after a triggered update has been sent
- Global: timers basic {update} {invalid} {holddown} {flush} [sleeptime]; per interface: ip rip advertise {s}
- flash-update-threshold: suppresses a flash (triggered) update if the regular one is due in this time or less
- output-delay: delays the time between packets of the same update
- neighbor x.x.x.x: enables unicast updates
- passive-interface: suppresses only the multicast / broadcast updates (unicast updates to a configured neighbor still go out)

Metric
- Hop count, 15 maximum (16 = unreachable)
- The metric is incremented by one hop in the outbound update
- offset-list {0 | acl} {in | out} {hops} [interface]
Authentication
- interface e0/0: ip rip authentication mode {text | md5}; ip rip authentication key-chain {key-chain}
- Caveat: text mode puts the password in every update in clear; use md5.
Summarization
- interface: ip summary-address rip {address} {mask}. Cannot advertise supernets (only summarizes up to the classful boundary).
Filtering
- Useful because it can filter based on prefix lists.
- When filtering with an extended access list the source part matches the address that appears as the update source, not the next hop. You can also filter on the source with prefix lists: distribute-list prefix {prefix-list} gateway {neighbor-list}
Default route
- default-information originate [route-map {name}] advertises 0.0.0.0/0; with a route-map we can match the interface and addresses, in which case the default is advertised only if the specified addresses are in the routing table.
Triggered updates
- interface e0/0: ip rip triggered (point-to-point serial links): disables regular updates and sends only triggered updates on that interface

- validate-update-source: checks that the update comes from a valid source (same subnet as the receiving interface). By default no check is performed on unnumbered interfaces.
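The RIP details above (UDP 520, v1 mask inference, 16 as infinity, clear-text authentication, validate-update-source) are all visible in the packet format. This is an added example, not from the notes and not Cisco code: it builds and parses RIP response messages and runs the receiver-side checks from the text. The prefixes, password and interface addresses are constructed; the metric is taken as received (the text says the sender already incremented it).

```python
import ipaddress
import struct

RIP_PORT = 520             # UDP port used by both versions
RIPV2_MCAST = "224.0.0.9"  # RIPv2 multicast group; RIPv1 broadcasts
INFINITY = 16              # 15 is the maximum usable hop count

def classful_prefixlen(ip: str) -> int:
    first = int(ip.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24

def build_rip(version: int, routes, password: bytes = None) -> bytes:
    """Build a RIP response. routes: (prefix, mask, metric); RIPv1 entries carry no mask.
    A RIPv2 simple-password entry (AFI 0xFFFF, type 2) is prepended when a password is given."""
    pkt = struct.pack("!BBH", 2, version, 0)  # command 2 = response
    if password is not None and version == 2:
        pkt += struct.pack("!HH", 0xFFFF, 2) + password.ljust(16, b"\x00")
    for prefix, mask, metric in routes:
        mask_i = int(ipaddress.IPv4Address(mask)) if version == 2 else 0
        pkt += struct.pack("!HHIIII", 2, 0, int(ipaddress.IPv4Address(prefix)), mask_i, 0, metric)
    return pkt

def parse_rip(packet: bytes) -> dict:
    command, version, _ = struct.unpack_from("!BBH", packet, 0)
    routes, auth = [], None
    for off in range(4, len(packet), 20):
        afi, tag, ip, mask, nh, metric = struct.unpack_from("!HHIIII", packet, off)
        if afi == 0xFFFF:  # authentication entry
            if tag == 2:   # simple password: readable by anyone sniffing the segment
                auth = {"type": "text", "password": packet[off + 4:off + 20].rstrip(b"\x00")}
            else:          # type 3 = keyed MD5 (the digest itself travels in a trailer entry)
                auth = {"type": {3: "md5"}.get(tag, tag)}
            continue
        routes.append({"prefix": str(ipaddress.IPv4Address(ip)), "mask": str(ipaddress.IPv4Address(mask)),
                       "tag": tag, "next_hop": str(ipaddress.IPv4Address(nh)), "metric": metric})
    return {"command": command, "version": version, "auth": auth, "routes": routes}

def infer_v1_prefixlen(prefix: str, iface_ip: str, iface_prefixlen: int) -> int:
    """RIPv1 rule from the text: same classful network as the receiving interface -> use the
    interface mask, otherwise the classful mask."""
    iface_classful = ipaddress.ip_network(f"{iface_ip}/{classful_prefixlen(iface_ip)}", strict=False)
    if ipaddress.ip_address(prefix) in iface_classful:
        return iface_prefixlen
    return classful_prefixlen(prefix)

def accept_update(packet: bytes, src_ip: str, iface_ip: str, iface_prefixlen: int,
                  validate_source: bool = True):
    """Receiver side: validate-update-source check, drop unreachable metrics, derive prefix lengths.
    Returns the (prefix, metric) pairs that would be considered for the routing table."""
    msg = parse_rip(packet)
    iface_net = ipaddress.ip_network(f"{iface_ip}/{iface_prefixlen}", strict=False)
    if validate_source and ipaddress.ip_address(src_ip) not in iface_net:
        return []  # update from a host not on our subnet: ignored
    accepted = []
    for r in msg["routes"]:
        if r["metric"] >= INFINITY:
            continue
        if msg["version"] == 2 and r["mask"] != "0.0.0.0":
            plen = ipaddress.IPv4Network(f"0.0.0.0/{r['mask']}").prefixlen
        else:
            plen = infer_v1_prefixlen(r["prefix"], iface_ip, iface_prefixlen)
        accepted.append((f"{r['prefix']}/{plen}", r["metric"]))
    return accepted

if __name__ == "__main__":
    # Constructed RIPv2 update with a clear-text password, received on 192.168.1.1/24.
    v2 = build_rip(2, [("10.1.0.0", "255.255.0.0", 3), ("10.2.0.0", "255.255.255.0", 16)], password=b"secret")
    print(parse_rip(v2)["auth"])                                # {'type': 'text', 'password': b'secret'}
    print(accept_update(v2, "192.168.1.2", "192.168.1.1", 24))  # [('10.1.0.0/16', 3)]
    print(accept_update(v2, "192.168.2.2", "192.168.1.1", 24))  # []: fails validate-update-source
    v1 = build_rip(1, [("10.1.2.0", "0.0.0.0", 1), ("172.16.0.0", "0.0.0.0", 2)])
    print(accept_update(v1, "10.1.1.2", "10.1.1.1", 24))        # [('10.1.2.0/24', 1), ('172.16.0.0/16', 2)]
```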

6. EIGRP

- IP protocol 88
- 224.0.0.10 multicast for discovering neighbours and establishing adjacencies
- RTP (Reliable Transport Protocol, its own transport)
- The AS number is fundamental to establishing adjacencies (it is not merely locally significant)
- The queue count should be 0 between neighbours (show ip eigrp neighbors)
- debug eigrp packets
- Feasible successors: neighbours whose reported distance (RD, what they advertise) is lower than my feasible distance (FD)
- show ip eigrp topology: shows successors and feasible successors
Auto-summary
- Creates a null route (Null0) for the summary
Packet types
- Mixed multicast and unicast
- Hello: multicast to 224.0.0.10. Can be changed to unicast with the neighbor command. Not reliable (no ACK expected).
- ACK: always unicast, basically a hello with no data and a non-zero acknowledgement number
- Update: unicast when advertising the topology to a new neighbour, multicast for regular updates. Uses RTP.
- Query: multicast when looking for a route; unicast when replying. Uses RTP.
- Reply: unicast reply to a query, carrying the route or "unreachable". Uses RTP.
Timers
- Hello: interval for sending hellos. Default 5 s on fast links, 60 s on slow (T1 and below multipoint) links. Configured under the interface: ip hello-interval eigrp {as} {s}

- Hold time: sent in the hello, tells the neighbour how long to wait before declaring me unreachable. Default 15 s for fast and 180 s for slow links. Configured under the interface: ip hold-time eigrp {as} {s}
Authentication
- Classic mode supports only MD5
- The key number must match on both sides of the interface
- ip authentication mode eigrp {as} md5
- ip authentication key-chain eigrp {as} {key-chain}
- Time-based keys: on the key chain use send-lifetime and accept-lifetime

Metric
- Bandwidth: 10^7 / lowest link bandwidth (kbps), times 256
- Delay: sum of the delays along the path (in tens of microseconds), times 256
- Load, reliability, MTU (not used with the default K values)
- RD (reported / advertised distance): the metric as calculated by the next-hop neighbour. If it is lower than my FD the neighbour is a feasible successor.
- Best practice is modifying delay for traffic engineering purposes, since it is cumulative (bandwidth only matters at the bottleneck link).
Unequal-cost load sharing
- Only considers feasible successors
- router eigrp {as}: variance {multiplier}; traffic-share balanced (on by default)
EIGRP summary and leak maps

- Summarization not only reduces routing table size but also the number of queries: routers do not send queries for subnets they never had in their routing tables. Besides, it can be used for traffic manipulation with leak maps, because you can advertise both a summary and longer matches to specific neighbours.
Stub routers
- router eigrp 100 / eigrp stub
- Does not receive any query messages, and by default does not advertise routes learned from neighbours to other neighbours. The default option is eigrp stub connected summary: only connected and summary routes are advertised. So, although we do not pass on routes from neighbours, we can summarize and pass on specific prefixes with eigrp stub leak-map {name}.
Default distribution
- The command default-information controls only the acceptance of default routes in EIGRP, not their distribution. To actually distribute a default we have to obtain such a network and then distribute it with either the network command (for 0.0.0.0) or ip default-network (for any network), or redistribute a static default.
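The metric, feasibility condition and variance rules from the Metric section above are short enough to compute by hand, and the following added example does exactly that (it is not from the notes and not Cisco code). The classic composite metric is computed with the integer arithmetic IOS uses; the neighbour names, bandwidths and delays are constructed. It also shows the case the variance text glosses over: a neighbour that fails the feasibility condition is never used, no matter how large the variance.

```python
def eigrp_classic_metric(min_bandwidth_kbps: int, total_delay_usec: int,
                         k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255) -> int:
    """Classic (32-bit) composite metric as IOS computes it with integer arithmetic:
    bandwidth term 10^7 / lowest bandwidth (kbps), delay term = sum of delays in tens of
    microseconds, the whole scaled by 256. With the default K values only bandwidth and delay count."""
    bw = 10**7 // min_bandwidth_kbps
    delay = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def eigrp_paths(paths: dict, variance: int = 1):
    """paths: neighbour -> (FD through that neighbour, RD the neighbour reported).
    Returns (FD, successors, feasible successors, paths actually used with this variance).
    Feasibility condition: a neighbour's RD must be lower than the best FD; unequal-cost load
    sharing (variance) only ever adds feasible successors, never a neighbour that fails the check."""
    fd = min(p[0] for p in paths.values())
    successors = [n for n, p in paths.items() if p[0] == fd]
    feasible = [n for n, p in paths.items() if p[1] < fd and n not in successors]
    used = [n for n, p in paths.items() if (n in successors or n in feasible) and p[0] <= variance * fd]
    return fd, successors, feasible, used

if __name__ == "__main__":
    print(eigrp_classic_metric(100000, 100))    # 28160: one FastEthernet hop
    print(eigrp_classic_metric(1544, 20000))    # 2169856: one T1 hop
    # Constructed topology for one prefix: via R2 over two FastEthernet hops, via R3 over a T1
    # to R3 plus R3's FastEthernet to the prefix; R4 reports an RD worse than our FD.
    paths = {
        "R2": (eigrp_classic_metric(100000, 200), 28160),
        "R3": (eigrp_classic_metric(1544, 20100), 28160),
        "R4": (40000, 35000),
    }
    print(eigrp_paths(paths))                   # (30720, ['R2'], ['R3'], ['R2'])
    print(eigrp_paths(paths, variance=71)[3])   # ['R2', 'R3']: R3 now used, R4 still excluded
    # Traffic engineering with delay: 'delay 2000' (tens of usec) on R2's link moves its FD past R3's.
    print(eigrp_classic_metric(100000, 20100))  # 540160
```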

Filtering
- distribute-list {standard | extended ACL} | prefix {name} | route-map {name} {in | out}: an extended ACL matches the source (neighbour) as well as the prefix; a route-map can also match tags or metric
Router ID
- Essentially a mechanism for preventing loops with redistributed (external) routes: an external route that carries my own router ID is not accepted again, so redistributed routes never come back through the same router.
- router eigrp {as} / eigrp router-id {id}
Important, review!

- router eigrp {as}
- eigrp router-id {id}
- metric maximum-hops {n}
- distance eigrp {internal} {external}
- eigrp log-neighbor-changes
- eigrp log-neighbor-warnings {minutes}
- timers active-time {minutes | disabled} (stuck-in-active timer)

OSPF
- Link state, Dijkstra (SPF)
- Only works as true link state for the intra-area topology (between areas it behaves distance-vector-like)
- The most specific match among the network statements determines which area an interface is in
- IP protocol 89
- Hellos multicast to 224.0.0.5 / 224.0.0.6, or unicast on NBMA
Parameters for forming an adjacency
- Must be common: area ID, hello/dead intervals, interface MTU, interface network address and mask, network type, authentication, stub flags
- Must be unique: router ID, IP address of the interface
OSPF adjacency states
- Down
- Init: a hello has been received but it does not yet contain our router ID, meaning the neighbour has not acknowledged our hello
- 2-Way: bidirectional communication (we each see our own ID in the other's hellos)
- ExStart: negotiating master/slave and checking that the parameters (MTU) match
- Exchange: exchanging database descriptions
- Loading: requesting the missing LSAs
- Full
Basic LSAs (intra-area)
- Router LSA (type 1): how a router advertises its links depends on the network type. A loopback is advertised as a stub link with a /32. A point-to-point interface with no neighbour is a stub link; with a neighbour it is a point-to-point link. A broadcast network is advertised as a transit link carrying the address of the DR.
- Network LSA (type 2): advertised by the DR, lists the routers attached to the transit segment
Network types
Broadcast
- Elects a DR and BDR
- The DR and BDR form full adjacencies with all routers; the other adjacencies remain in 2-Way
- Routers send their LSUs to the DRs on 224.0.0.6 and the DR floods to 224.0.0.5
- The DR is chosen by priority, then router ID, but there is no preemption, so in practice what matters most is which OSPF process started first. Best practice is configuring priority 0 on the routers we do not want to become DR or BDR:
  interface fa0/0

  ip ospf priority 0
Non-broadcast
- Behaves just like broadcast, but neighbours must be defined statically (neighbor command).
- For this to work properly there must be a full mesh at L2, otherwise we run into DR-election issues; and even if we make the hub the DR, since the DR does not change the next hop, we still will not have connectivity between the networks behind the spokes.
Point-to-multipoint
- Neighbours are discovered dynamically and each adjacency is treated as a separate P2P link. No DR/BDR is elected; host routes for the neighbours are installed.
Point-to-point
- Similar to point-to-multipoint, but supports only two neighbours on the link.
- Network types are compatible with each other if the DR election behaviour is the same. Care must be taken that the other parameters (timers) match as well.
- Important: if the network types do not agree on DR / no DR, adjacencies form but the databases are not truly synchronized (the LSAs describe the network differently), and therefore no routes are installed.
Point-to-multipoint non-broadcast
- Same as point-to-multipoint, but neighbours must be statically defined. Useful to define a per-neighbour cost:
  router ospf {process} / neighbor y.y.y.y cost {cost}
Loopback
- Always advertised as a /32 regardless of the subnet mask on the loopback (unless ip ospf network point-to-point is configured)
Path selection
- Cost is 100,000,000 / bandwidth in Cisco's implementation
- The reference bandwidth can be changed: router ospf {process} / auto-cost reference-bandwidth {mbps}
- Route preference: O > O IA > O E1 > O E2 > O N1 > O N2

- O IA: when a router receives an inter-area route it adds the cost advertised in the summary (type 3 LSA) to the cost it computes through SPF to the ABR; that is the cost to the destination.
- O E2: the cost is basically only the metric advertised by the ASBR, which defaults to 20. If there is a tie, the tie-breaker is the forward metric, the cost from this router to the ASBR. If the ASBR is in another area, the ABR originates type 4 LSAs describing it.
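The cost formula and the route-type ordering above decide what ends up in the table, so here they are coded as an added example (not from the notes, not Cisco code): interface cost from the reference bandwidth, and route comparison by type first and then by the cost rule the text gives for each type (E2 compares the advertised metric first and uses the forward metric only as tie-breaker). The candidate routes and ASBR names are constructed.

```python
ROUTE_TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3, "O N1": 4, "O N2": 5}

def ospf_cost(bandwidth_kbps: int, reference_bw_mbps: int = 100) -> int:
    """Cisco interface cost: reference bandwidth / interface bandwidth, integer, clamped to 1..65535.
    With the default reference of 100 Mbps, FastEthernet and everything faster all cost 1."""
    cost = (reference_bw_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, 65535))

def route_cost(r: dict) -> tuple:
    """(primary cost, tie-breaker) as the text describes each route type.
    IA: summary cost + SPF cost to the ABR.  E1/N1: advertised metric + cost to the ASBR.
    E2/N2: advertised metric only; the cost to the ASBR (forward metric) only breaks ties."""
    t = r["type"]
    if t == "O":
        return r["cost"], 0
    if t == "O IA":
        return r["advertised"] + r["cost_to_abr"], 0
    if t in ("O E1", "O N1"):
        return r["advertised"] + r["cost_to_asbr"], 0
    return r["advertised"], r["cost_to_asbr"]

def best_ospf_route(candidates: list) -> dict:
    """Route type first (O > O IA > E1 > E2 > N1 > N2), then the cost tuple."""
    return min(candidates, key=lambda r: (ROUTE_TYPE_RANK[r["type"]],) + route_cost(r))

if __name__ == "__main__":
    print(ospf_cost(100000), ospf_cost(1000000), ospf_cost(1544))  # 1 1 64
    print(ospf_cost(1000000, 10000), ospf_cost(10000000, 10000))   # 10 1: after auto-cost reference-bandwidth 10000
    # Constructed candidates for one prefix: two E2 paths with the same advertised metric 20,
    # then an E1 path. E1 wins on type even though its total cost is higher.
    candidates = [
        {"type": "O E2", "advertised": 20, "cost_to_asbr": 10, "via": "ASBR1"},
        {"type": "O E2", "advertised": 20, "cost_to_asbr": 5, "via": "ASBR2"},
    ]
    print(best_ospf_route(candidates)["via"])  # ASBR2: forward metric breaks the tie
    candidates.append({"type": "O E1", "advertised": 20, "cost_to_asbr": 100, "via": "ASBR3"})
    print(best_ospf_route(candidates)["via"])  # ASBR3
```

The first print line is the reason to raise the reference bandwidth on any network with links faster than 100 Mbps: with the default, a GigabitEthernet and a FastEthernet path are indistinguishable to SPF.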

Timers
- Default hello 10 s, dead 40 s on broadcast and point-to-point
- Default hello 30 s, dead 120 s on the other (NBMA, point-to-multipoint) network types
- interface fastethernet 0/0: ip ospf hello-interval {s}, ip ospf dead-interval {s}
  or ip ospf dead-interval minimal hello-multiplier {n} (sub-second hellos)
- Reducing the timers beyond a certain point raises CPU load and can cause adjacencies to flap; the better option is usually BFD.
OSPF authentication
- Can be enabled at area level or at link level, but the password or key itself is always configured under the interface.
- interface fa0/0: ip ospf message-digest-key {id} md5 {password}; ip ospf authentication message-digest
OSPF summarization
- Generated only at points where it does not influence SPF:
  - ABR: area {area} range {address} {mask}
  - ASBR: summary-address {address} {mask}
- Generates a discard route to Null0; it can be disabled with no discard-route {external | internal}
- The cost of a summarized route is by default the cost of the lowest-cost component subnet (RFC 1583 behaviour). To change to the RFC 2328 behaviour, where it is the highest, issue no compatible rfc1583.

Stub areas
- The stub flag must match for adjacencies to form
- Stub area: removes type 5 and type 4 LSAs and advertises instead a default route within a type 3 LSA: area {x} stub
- Totally stubby area: removes the type 3 LSAs as well and replaces them with a default: area {x} stub no-summary, needed only on the ABR
- NSSA: generates type 7 LSAs. Does not generate a default route automatically, only if you issue area {x} nssa default-information-originate. An NSSA does not accept external routes that did not come from an ASBR inside its own area. Once a type 7 LSA reaches the ABR it is translated into a type 5 LSA. NOTICE: this LSA carries the original forwarding address of the ASBR, which is preserved in the translation (unlike a normal type 5, in which the forwarding address is 0.0.0.0).
- Totally NSSA: same as NSSA but filters the summaries as well: area {x} nssa no-summary

Filtering
- area {x} filter-list prefix {name} {in | out}: x is the area the routes come from, and in/out is the direction, out towards area 0 or in from area 0
- interface e1/0: ip ospf database-filter all out
  or router ospf {x}: neighbor {x.x.x.x} database-filter all out, which requires the point-to-point or point-to-multipoint network type
- To suppress the forwarding address and set it to the type 7 to type 5 translator: area {x} nssa translate type7 suppress-fa
Miscellaneous
- router ospf {x}: ignore lsa mospf, ignores the syslog messages for type 6 LSAs
- timers pacing retransmission {ms}: time between consecutive updates in the retransmission queue

- interface fa0/0: ip ospf retransmit-interval {s}, the time the process waits on this interface before retransmitting an LSA that was not acknowledged
- summary-address x.x.x.x y.y.y.y not-advertise: a different way of filtering a prefix (only on an ASBR)
- area 0 range x.x.x.x y.y.y.y not-advertise: the same for inter-area routes on an ABR
- max-lsa {n} and redistribute maximum-prefix {n}: both have options for either issuing a warning or ignoring routes once the maximum is reached: [warning-only] [threshold-percentage]

REDISTRIBUTION
- Redistribution takes routes from the routing table, not from the underlying databases. The redistribute command takes the routes learned from a particular protocol plus the subnets of the interfaces covered by that protocol.
- When redistribute connected is issued manually, those interfaces are no longer advertised through redistribute {protocol}.
- RIP and EIGRP advertise information from the routing table only, while OSPF and BGP advertise from their respective databases.
Redistribution into RIP
- Does not differentiate between external and internal routes
- Has no default metric (infinity), so it must be specified on the command (redistribute {protocol} metric {hops}) or with default-metric
Redistribution into EIGRP
- External routes AD 170, internal 90
- Uses the router ID for additional loop prevention
- No default metric unless the redistribution is from another EIGRP/IGRP process

Redistribution into OSPF
- Same AD for external and internal routes by default (110), but it can be changed (distance ospf external)
- O > O IA > E1 > E2 > N1 > N2
- Defaults to metric 20 and metric type E2
- Must use the subnets keyword, otherwise only classful networks are advertised
- O E2: the metric remains as advertised by the ASBR (the internal cost is not added); the internal cost is considered only as a tie-breaker
- O E1: preferred over E2; the cost is the sum of the internal cost to the ASBR and the metric advertised by the ASBR
Redistribution into BGP
- Uses the origin code to recognize redistributed routes (incomplete, ?)
- Does not redistribute external OSPF routes by default (needs match external 1 external 2)
- When redistributing BGP into an IGP, by default only eBGP routes are redistributed (bgp redistribute-internal to include iBGP)

Preventing loops
- Two general kinds of loops: metric loops within the same protocol, and AD loops between different protocols
- With distance-vector protocols, since the information is distributed from the routing table, we can run into the case where a router receives an update but does not redistribute it because it was not installed in the routing table. For EIGRP we will see FD is unreachable (or the route held by a lower-AD protocol).
- Metric issue 1: in RIP, which has no difference between internal and external routes, you can get a redistributed route back through another redistribution point with a better metric. The best solution is tagging routes (set tag / match tag in the route-maps) so that they do not get redistributed again.
- AD issue: when a route is received over a looped path with a lower AD, the higher-AD route is withdrawn, then the lower-AD one as well (it depended on it), which makes the higher-AD route get reinstalled, and so on (oscillation).
- ip route profile: measures routing table stability
- distance {AD} {source} {ACL}: raise the AD of the looped routes selectively

BGP
- The difference between policy and metric is mainly that while a metric is based on the topology and the path, attributes are assigned to a destination (policy).
- If both speakers start their TCP connections simultaneously (connection collision), the connection initiated by the speaker with the higher router ID is kept, i.e. it acts as the TCP client.
EBGP
- neighbor {x.x.x.x} ebgp-multihop {n}: raises the TTL beyond the default (1)
- neighbor {x.x.x.x} ttl-security hops {y}: allows multiple hops but also implements the GTSM security check (packets are discarded if the TTL is lower than 255 minus hops)
- neighbor {x.x.x.x} disable-connected-check: disables the directly-connected requirement for eBGP without increasing the TTL
- The next hop is set to my update-source address for that particular neighbour
IBGP
- TTL default 255
- Does not advertise iBGP-learned routes to iBGP neighbours
- Does not modify NEXT_HOP by default
PEERING
- Uses as source the address of whatever outgoing interface the routing table selects (unless update-source is configured)
- Negotiation settles on the lower timers
- States: Idle, Connect, Active, OpenSent, OpenConfirm, Established
4-byte AS
- asdot format: 0.0 to 65535.65535

- Speakers that do not support 4-byte AS numbers see a 4-byte AS as AS_TRANS, 23456
IBGP rules
- Local-AS can be set per neighbour: neighbor {x.x.x.x} remote-as {ras} / neighbor {x.x.x.x} local-as {as} [dual-as]
- dual-as makes the router accept either its global AS or the local one from that neighbour
- neighbor {name} peer-group; neighbor x.x.x.x peer-group {name}
- show ip bgp {x.x.x.x}: also shows routes that are inaccessible (next hop unreachable)
- neighbor {x.x.x.x | peer-group} next-hop-self: changes the next hop to the update-source used towards that neighbour
- The next hop can also be set with a route-map to a third party
Route reflector
- Centralized
- Loop prevention through CLUSTER_LIST (cluster-id) and ORIGINATOR_ID
- Routes from non-client peers are advertised only to eBGP peers and clients; routes from clients go to everybody
- Best practice for RRs is applying a peer group to the client routers, so that the RR does not need to run the outbound policy multiple times
- show ip bgp regexp ^$: locally originated routes
- With multiple RRs in the same cluster we should set the same cluster-id manually to prevent loops (they would not loop in the data plane, just the updates): router bgp {x} / bgp cluster-id {id}
- One of the issues that may arise with multiple RRs is that they may not agree on the best path if left to chance
BGP confederation
- bgp confederation identifier {as}: the true AS
- bgp confederation peers {as ...}: the remote sub-ASes that belong to the same confederation
- The next hop is not changed when advertised to a confederation eBGP peer

- TTL is set to 1 by default, just like true eBGP
- bgp bestpath med confed: include MED in intra-confederation path selection
- local-as vs no-export: with the community no-export, routes are still advertised to confederation peers and only not to true eBGP peers. With the local-as community they are not advertised to confederation eBGP peers either.
Route advertisement
- The metric (MED) is inherited from the IGP metric (both with the network statement and with redistribute)
- network statement: installed with origin IGP (i)
- For a network statement to be installed there must be an exact match in the routing table
- redistribute: installed with origin incomplete (?)
- MED is non-transitive, so it is not forwarded beyond one eBGP neighbour
Aggregation
- aggregate-address x.x.x.x y.y.y.y [summary-only | suppress-map {name}]: status code s (suppressed)
- neighbor x.x.x.x unsuppress-map {name}: similar to a leak map in EIGRP
- attribute-map | route-map at the end of the aggregate or network command changes the attributes of the prefix locally
- advertise-map: used to control which ASes are included when as-set is configured
- bgp inject-map {xxx} exist-map {yyy}: generates longer prefixes from an aggregate
Best path
- Weight, local preference, locally originated, AS path length, origin, MED, eBGP over iBGP, IGP metric to the next hop (then oldest path, lowest router ID)
- If all of the above are equal, BGP looks at the maximum-paths configured to decide on installing multiple routes
- Even if multiple routes are installed, only one is chosen as best (based on the tie-breakers) and advertised to neighbours
- Outbound traffic is easy to influence through weight and local preference; inbound traffic is harder, because MED is not transitive and AS-path prepending gives little control

- A partial solution to inbound traffic engineering is an agreement with the provider about setting policy through communities: I can influence the local preference the ISP assigns to my prefixes by signalling a community.
- ip bgp-community new-format: shows communities as AA:NN
- Well-known communities: no-export, no-advertise and local-as (like no-export but also not to confederation eBGP peers)
- A community can be set in a route-map, but to be matched it must be referenced from a community-list
- neighbor x.x.x.x send-community must be specified for community values to be advertised
Filtering
- Extended access lists can match a prefix and its mask (the source part matches the prefix, the destination part the mask)
- Order of filter application:
  - Inbound: filter-list, route-map, distribute-list
  - Outbound: distribute-list, ORF, filter-list, route-map
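The best-path list above is easier to trust once it is run on concrete paths, so here it is as an added example (not from the notes, not Cisco code): the steps are applied in order and the survivors of each step are carried to the next, with the MED step skipped between different neighbouring ASes unless always-compare-med is on. The step that actually decided is returned, which is what you want when a neighbour asks why its path lost. The paths, AS numbers and router IDs are constructed; steps after the router ID (oldest path, cluster list, neighbour address) are left out.

```python
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete

def _rid(p):
    return tuple(int(o) for o in p["router_id"].split("."))

def bgp_best_path(paths: list, always_compare_med: bool = False):
    """Run the selection steps from the text in order, keeping the survivors of each step.
    Returns (best path, name of the step that decided)."""
    steps = [
        ("weight", lambda p: -p.get("weight", 0)),
        ("local preference", lambda p: -p.get("local_pref", 100)),
        ("locally originated", lambda p: 0 if p.get("locally_originated") else 1),
        ("AS path length", lambda p: len(p["as_path"])),
        ("origin", lambda p: ORIGIN_RANK[p.get("origin", "?")]),
        ("MED", lambda p: p.get("med", 0)),
        ("eBGP over iBGP", lambda p: 0 if p["ebgp"] else 1),
        ("IGP metric to next hop", lambda p: p.get("igp_metric", 0)),
        ("lowest router ID", _rid),
    ]
    remaining, decided = list(paths), "only one path"
    for name, key in steps:
        if len(remaining) == 1:
            break
        if name == "MED" and not always_compare_med:
            # MED is only comparable between paths received from the same neighbouring AS
            if len({p["as_path"][0] if p["as_path"] else None for p in remaining}) > 1:
                continue
        best = min(key(p) for p in remaining)
        survivors = [p for p in remaining if key(p) == best]
        if len(survivors) < len(remaining):
            decided = name
        remaining = survivors
    return remaining[0], decided

def sample_paths():
    """Constructed paths for one prefix, as a router in AS 65000 might hold them."""
    via_65001 = {"weight": 0, "local_pref": 100, "as_path": [65001, 65010], "origin": "i",
                 "med": 50, "ebgp": True, "igp_metric": 0, "router_id": "1.1.1.1"}
    via_65002 = {"weight": 0, "local_pref": 200, "as_path": [65002, 65020, 65010], "origin": "i",
                 "med": 0, "ebgp": True, "igp_metric": 0, "router_id": "2.2.2.2"}
    return via_65001, via_65002

if __name__ == "__main__":
    a, b = sample_paths()
    print(bgp_best_path([a, b])[1])                   # local preference: b wins before AS path length is looked at
    b2 = dict(b, local_pref=100)
    print(bgp_best_path([a, b2])[1])                  # AS path length: a wins; MED never compared (different AS)
    a_ibgp = dict(a, ebgp=False, med=10, router_id="3.3.3.3")   # same neighbouring AS 65001
    print(bgp_best_path([a, a_ibgp])[1])              # MED: the iBGP path wins although eBGP > iBGP comes later
    print(bgp_best_path([a, dict(a, router_id="0.0.0.1")])[1])  # lowest router ID
```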

MPLS
-4 byte header
-LFIB: CEF table + labels
-PE adds labels (label push)
-label operations: push (add label), swap (forward towards new label), pop (remove tag)
-neighbor discovery on UDP 646 to 224.0.0.2
-neighbor adjacency on TCP 646 between routers, sourced with the router-id
-penultimate hop popping: instead of the PE having to do an MPLS lookup for incoming packets, the penultimate hop in the LSP pops the MPLS label and forwards the packet to the PE untagged
-If we set next-hop-self and DO NOT set the loopback (LB) as next-hop in BGP, we are going to remove the tag a step too early, which will result in traffic being dropped

L3 VPNs
-vpnv4 route: prefix + RD
-vpn label: from BGP VPNv4
-transport label: label to the other PE
-RIP and EIGRP are both established with a global process and address families
-On EIGRP the autonomous-system must be configured under the address family as well, since it can be different for the various address families
-no bgp default route-target filter: do not discard vpnv4 prefixes if you don't have the corresponding RT; used on vpnv4 route reflectors
-OSPF is configured per process (no address families, each process is assigned to a VRF)
-redistributed routes come in as IA routes. This is why if we need to prefer them over other O routes we need sham links
-loopbacks for sham-links should NOT get advertised into OSPF
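The 4-byte label header and the push/swap/pop operations described above, as an added illustration that is not code from the notes: it encodes a label stack of transport label over VPN label, swaps the transport label at a P router and pops it at the penultimate hop so the egress PE only sees the VPN label. The LFIB dict layout is an assumption of this example.

```python
import struct
from typing import Dict, List, Tuple

# Added illustration (not from the notes): the 4-byte MPLS shim header
# (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL) and the
# push/swap/pop operations on a label stack, ending with the penultimate-hop
# pop that exposes the VPN label to the egress PE. The LFIB dict layout is
# an assumption of this example, not IOS's LFIB format.

def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """Pack one label stack entry in network byte order."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_label(data: bytes) -> Tuple[int, int, bool, int]:
    """Return (label, exp, bottom_of_stack, ttl) from the first 4 bytes."""
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def encode_stack(labels: List[int], ttl: int = 255) -> bytes:
    """Top label first; the S bit is set only on the last (bottom) entry."""
    return b"".join(encode_label(lbl, bos=(i == len(labels) - 1), ttl=ttl)
                    for i, lbl in enumerate(labels))


def decode_stack(data: bytes) -> List[int]:
    """Walk entries until the bottom-of-stack bit is seen."""
    labels, offset = [], 0
    while offset + 4 <= len(data):
        label, _exp, bos, _ttl = decode_label(data[offset:offset + 4])
        labels.append(label)
        offset += 4
        if bos:
            return labels
    raise ValueError("no bottom-of-stack entry found")


def push(stack: List[int], label: int) -> List[int]:
    """Ingress PE: impose a label on top of whatever is already there."""
    return [label] + stack


def lfib_forward(stack: List[int], lfib: Dict[int, Tuple[str, int]]) -> List[int]:
    """Apply the LFIB entry for the top label: swap it, or pop it (PHP /
    implicit-null), which is what the penultimate hop does before the PE."""
    op, out_label = lfib[stack[0]]
    if op == "swap":
        return [out_label] + stack[1:]
    if op == "pop":
        return stack[1:]
    raise ValueError(f"unknown LFIB operation {op!r}")
```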

IPV6
-unspecified ::0/128
-loopback ::1/128
-multicast FF00::/8
-link-local FE80::/10
-private FC00::/7. FC00::/8: the 40-bit Global ID is assigned automatically by the router. FD00::/8: assigned by a central registrar
-Globally routable: 2000::/3. The first 48 bits are organizationally unique, the next 16 bits are the SLA (site level aggregation) for your own purposes
-Neighbor Discovery is built on ICMP and completely replaces ARP for broadcast networks
-EUI-64 format: 64-bit, derived from the MAC: the 7th bit of the MAC is inverted and the padding 0xFF 0xFE is added in the middle
-Neighbor discovery and Neighbor Advertisement are like ARP; Router discovery and Router Advertisement are only for gateways
-no equivalent on IOS to InARP, therefore static maps are always needed on multipoint FR
-no proxy ND (all resolutions are static)

-sdm prefer dual-ipv4-and-ipv6 is necessary on most switches to support ipv6 unicast-routing
-the link-local address can be the same on multiple interfaces, therefore a route to a link-local address has to specify the exit interface
-local routes: routes to the specific interface address with /128
-next-hop on dynamic protocols is always the link-local address

EIGRPv6
-protocol 88, multicast FF02::A
-the process needs to be enabled per interface but also with no shutdown at the global level
-router-id is an IPv4 address

OSPFv3
-protocol 89, FF02::5 & FF02::6
-IPv4 router-id
-authentication uses IPv6 methods (including the built-in IPsec)
-Type 8 LSA: for link-local addresses
-Type 9: Intra-Area Prefix LSA
-ipv6 ospf authentication ipsec spi {x} sha1|md5 {hex}

MP-BGP IPv6
-transport (neighborships) can be either IPv4 or IPv6 and that is unrelated to the NLRI advertisement, which is defined under the ipv6 address family
-next-hop must be set from the same address space (IPv4/IPv6) to be reachable

IPv6 transitions
-GRE
-IPv6IP (protocol 41)
-Teredo tunnels (over UDP): not really implemented on routers but on end hosts
-6to4: IPv6 addresses are assigned from 2002:{IPv4 address in hex}::/48
-ISATAP
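The EUI-64 derivation and the 6to4 prefix rule above, worked in code as an added illustration (not from the notes): the 7th bit of the first MAC octet is flipped and FF:FE inserted, the result is combined with FE80::/64 or a global /64, and the 6to4 prefix is built from the IPv4 address in hex. Function names are this example's own.

```python
import ipaddress

# Added illustration (not from the notes): build a modified EUI-64 interface ID
# from a MAC (invert the 7th bit of the first octet, insert FF:FE in the middle),
# derive link-local and global addresses from it, and compute the 6to4 prefix
# 2002:{IPv4 in hex}::/48. The function names are this example's own.

def mac_to_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier (accepts :, - or . separators)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ 0x02            # flip the universal/local bit (7th bit)
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID of the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 plus EUI-64: the address that shows up as the next-hop of
    dynamic routing protocols and as the source of ND messages."""
    return eui64_address("fe80::/64", mac)


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:AABB:CCDD::/48 for the IPv4 address AA.BB.CC.DD."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:04x}:{v4 & 0xFFFF:04x}::/48")


def ipv4_from_sixto4(addr: str) -> ipaddress.IPv4Address:
    """Reverse: recover the embedded IPv4 tunnel endpoint from a 6to4 address."""
    a = ipaddress.IPv6Address(addr)
    if int(a) >> 112 != 0x2002:
        raise ValueError("not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)
```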

MULTICAST
-IGMP: host to router
-PIM/MSDP

IGMP
-IGMP default version is 2
-IGMP version 1 & 2 only allow {*,G} join, while IGMP version 3 allows {S,G}
-ip igmp static-group: statically assigns a group

PIM
-protocol independent (does not advertise topology, relies on the IGP calculated topology for loop prevention)
-PIM version 2 by default
-version 1 sent queries embedded in IGMP, version 2 uses 224.0.0.13, protocol 103
-dense mode: considered implicit join
-sparse mode: considered explicit join
-sparse-dense mode: sparse for groups with an RP, dense for the others
-MSDP: signaling between RPs
-RPF check: checks whether the multicast was received on the same interface that would be the outgoing interface for unicast forwarding towards the source
-in the Multicast Routing Table {S,G} is preferred over {*,G}

PIM DM
-finds neighbors on 224.0.0.13
-automatically enables IGMP
-Assert message: used when there are multiple mcast routers on the same segment. The winner for the segment will be based on the lowest unicast metric to the source
-Graft message: used for unpruning an interface which was previously announced as pruned

PIM SM
-register messages make the RP know the senders
-join messages advertise the receivers
-after packets start to be forwarded, the shared tree is switched to the SPT
-RPF failures can be dealt with using static mroutes, or from MP-BGP
-static mroutes do not choose on longest match, but on ordered match (newer versions appear to fix this)
-RPF is done also on PIM register messages (by the RP)
-show ip mroute count

Auto-RP
-mapping agent 224.0.1.39 and listeners on 224.0.1.40
-ip pim autorp listener (for those groups, uses DM)
-a GRE tunnel can be used to avoid split-horizon issues or to send multicast over non-multicast routing networks
-ip pim spt-threshold infinity: do not switch to the SPT

BSR
-RP candidate, bootstrap router (similar to the mapping agent)

Bi-Directional PIM
-only allows shared trees (does not switch to the SPT, and only installs {*,G})
-ip pim bidir-enable
-ip pim rp-address x.x.x.x bidir

SSM
-no {*,G}, therefore no need for an RP
-ip pim ssm default: uses the range reserved for source specific multicast
-has to be configured with IGMP version 3

MSDP
-used to communicate between RPs
-can be used to provide for anycast
-anycast is simply based on the same address being forwarded on the shortest path due to the IGP
-ip msdp peer x.x.x.x connect-source y
-show ip msdp sa-cache: see entries learned from an MSDP peer

IPv6
-MLD replaces IGMP, and is built on ICMPv6
-FFXY::/8: X = flags, Y = scope
-FF02 is link-local scope, FF05 is site-local, FF0E is global
-those values are defined in the RFC but not enforced automatically on IOS (filtering is up to you)
-PIM behaves similarly to IPv4 PIM but supports only sparse mode
-by default, when you enable ipv6 multicast-routing it is enabled on all IPv6 interfaces; to disable it on an interface use no ipv6 pim
-MLD version 1 is equivalent to IGMP version 2, MLD version 2 is equivalent to IGMP version 3
-the RP can be configured either statically or with BSR (no Auto-RP supported)
-embedded RP: the group begins with FF7Y and embeds the RP address
-instead of mroute: ipv6 route {} multicast

QOS
-IntServ vs DiffServ: IntServ reserves bandwidth end to end for each flow, DiffServ classifies traffic into classes that are defined at the network edges
-DSCP has 6 bits to manipulate, while IP precedence and L2 markings (MPLS EXP, CoS) have 3 bits
-DSCP classes: default (0), EF (46), AF (AFxy: x is 1-4, where higher is better; y is 1-3 drop precedence, where lower is better), CSx (x = 1-7)
-When configuring a policy-map, once a packet matches a class no further testing is done against other classes, therefore the order should be from more specific to less specific
-match destination-address|source-address: mostly useful on Ethernet sub-interfaces

-ip nbar port-map: can create custom mappings of our own for protocols. You can see the associations through show ip nbar port-map
-when configured as match-all, if the matching is on the same line it is still OR logic

FIFO
-disables fair-queuing
-hold-queue out: configures the depth of the queue

FQ
-fair queue starts from the lowest flow and allocates bandwidth equally to each flow, each time dividing the remaining difference equally
-Weighted fair queuing operates similarly but weights each flow according to ToS

CBWFQ
-specifying the weight manually (through bandwidth)

Flow/Conversation Numbers | Weight | Description
Below 2^N | Weight(i) = 32384/(IP_Precedence(i)+1) | Dynamic flows, unclassified traffic. This is the classic fair-queue.
2^N to 2^N+7 | Weight(i) = 1024 | Link queues: routing updates, Layer 2 keepalives etc. Basically it's the traffic marked as PAK_PRIORITY inside the router.
2^N+8 | Weight(i) = 0 | LLQ or the priority queue. CBWFQ always services this queue first, but de-queued packets are policed using the defined token bucket parameters.
Above 2^N+8 | Weight(i) = Const*Interface_BW/Class_BW, OR Weight(i) = Const*100/Bandwidth_Percent | User-defined classes. Those classes are treated by CBWFQ as the RSVP flows, with relatively low weights. Their weights are
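The DSCP classes named earlier and the dynamic-flow weight formula from the first table row, worked in code as an added illustration (not from the notes): AFxy and CSx are encoded to their 6-bit code points, the 3-bit IP precedence is recovered from the top bits, and the WFQ weight 32384/(IP_Precedence+1) is computed from it. Function names are this example's own.

```python
# Added illustration (not from the notes): map the DSCP names (default, EF,
# AFxy, CSx) to their 6-bit code points, recover the 3-bit IP precedence that
# WFQ/WRED look at, and compute the dynamic-flow WFQ weight from the table row
# "Weight(i) = 32384/(IP_Precedence(i)+1)". Function names are this example's own.

def dscp_from_name(name: str) -> int:
    """'af31' -> 26, 'cs5' -> 40, 'ef' -> 46, 'default' -> 0."""
    n = name.strip().lower()
    if n in ("default", "be"):
        return 0
    if n == "ef":
        return 46
    if n.startswith("af") and len(n) == 4 and n[2:].isdigit():
        x, y = int(n[2]), int(n[3])        # class x (1-4), drop precedence y (1-3)
        if not (1 <= x <= 4 and 1 <= y <= 3):
            raise ValueError(f"invalid AF class {name}")
        return 8 * x + 2 * y               # AFxy = xxx yy0 in binary
    if n.startswith("cs") and len(n) == 3 and n[2].isdigit():
        x = int(n[2])
        if not 0 <= x <= 7:
            raise ValueError(f"invalid CS class {name}")
        return 8 * x                       # CSx = xxx 000, precedence-compatible
    raise ValueError(f"unknown DSCP name {name}")


def dscp_to_name(dscp: int) -> str:
    """Inverse mapping; unnamed code points come back as 'dscpNN'."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    if dscp == 0:
        return "default"
    if dscp == 46:
        return "ef"
    cls, low = dscp >> 3, dscp & 0x7
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low // 2}"
    if low == 0:
        return f"cs{cls}"
    return f"dscp{dscp}"


def ip_precedence(dscp: int) -> int:
    """The top 3 bits of DSCP are the IP precedence (the 3-bit field that
    CoS and MPLS EXP map to)."""
    return dscp >> 3


def wfq_weight(dscp: int) -> int:
    """Weight of a dynamic (below 2^N) conversation: lower weight means a
    larger share, so precedence 7 gets 8 times the share of precedence 0."""
    return 32384 // (ip_precedence(dscp) + 1)
```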

LLQ
-the priority class is always served first; the policer is engaged only during congestion
-equivalent to weight 0
-in general, if you have multiple classes configured with priority they will share the same queue but can be policed differently

WRED
-designed for congestion avoidance in TCP. With tail drop the issue that can arise is multiple retransmissions and synchronization
-assigns a drop probability to prioritize high precedence traffic
-parameters: minimum threshold, maximum threshold, mark probability
-higher precedence traffic has a higher minimum threshold
-can also be configured to look at DSCP

SHAPING
-delays traffic to smooth it
-Bc/Tc = CIR (CIR is measured per second, while Tc is in ms)
-Be accumulates over idle periods

POLICING
-colors (conform, exceed, violate)
-two rate

Frame Relay Shaping
Legacy:
-frame-relay traffic-shaping
-map-class
MQC:
-no frame-relay traffic-shaping command
-a map-class is configured, but only to attach the service-policy to it

RSVP
-PATH messages from the source (Tspec, Rspec)
-RESV messages from the destination to the source
-ip rsvp bandwidth (at interface level)
-used for MPLS TE (outside the scope of R&S)
-assigns a weight of its own to the reserved queue
-ip rsvp sender-host: configures the router to send PATH messages

CATALYST QOS
-enabled with mls qos
-by default, when mls qos is enabled, markings made by previous devices are erased. The feature can be disabled by no mls qos rewrite ip dscp
-trust boundaries can be established with mls qos trust cos|dscp|ip-precedence
-mls qos map (dscp-cos, cos-dscp, dscp-mutation)
-mls qos aggregate-policer
-priority-queue out: similar to priority in MQC but without the policer
-srr-queue bandwidth shape

SECURITY
-an IP access-list applied on an interface does not affect locally generated traffic
-established flag matches packets that are responses to an already initiated session
-log: created in order to log traffic; causes packets to be process-switched
-time based ACL:
 time-range {name}
  periodic|absolute
 access-list {xx} {arguments} time-range {name of time range}
-lock and key: allows access with authentication
-ip access-list resequence
-access-list {x} dynamic {name of entry} {arguments}
-must run the access-enable command to activate
 line vty
  autocommand access-enable host timeout {x}

Reflexive ACL
-on the outbound ACL: permit {statements} reflect {name}
-on the inbound ACL: evaluate {name}
-reflexive ACLs do not classify locally generated traffic (like all ACLs), so to permit incoming traffic that is a response to local traffic you must create a manual entry

TCP Intercept
-ip tcp intercept
-ip tcp intercept mode watch|intercept (default intercept)
-intercept proxies connections, watch only monitors them and sends RST for half-open ones
-ip port-map: changes port-protocol associations

CBAC

-ip inspect name {name} {protocol}
-interface fa 0/0
  ip inspect {name} in|out
-ip access-group {ACL} in

ZBF
-parameter-map type inspect | inspect protocol is used to configure general settings
-class-map type inspect
-policy-map type inspect
-zone-pair
  service-policy type inspect
-interface fa 0/0
  zone-member security

AAA
-aaa new-model
-aaa authentication login|enable default group {radius|tacacs+} {local|line|none}
-radius-server host | tacacs-server host {x.x.x.x}
-radius-server key

Port-security
-can be configured on both access and trunk links but not on dynamic DTP links
-static, sticky CAM table
-switchport port-security
-if you use protect mode on trunk links, learning is going to be disabled for all VLANs when the limit is reached
-static mac-address-table configuration disables dynamic learning
-storm-control: the level is a percentage of the interface speed. There is a caveat with the multicast limit: when it is reached all traffic is suppressed
-aaa authentication dot1x: authenticates a port based on credentials requested from the connected host and passed to a RADIUS/TACACS server
-dot1x system-auth-control
-on the interface: dot1x port-control auto

PACL
-Port ACL, L3/L2, can only be applied inbound
-MAC ACLs in a PACL do not affect IP traffic

RACL
-Applied on routed ports / SVIs

VACL
-Applied on a VLAN, applies to all traffic
-vlan access-map {name}
  match
  action
-vlan filter {name of vlan map} vlan-list {x}

SNMP
-UDP ports 161/162
-SNMP polling is the NMS querying the devices, while an SNMP trap or inform is the device sending unsolicited updates
-snmp-server community
-snmp-server enable traps
-snmp-server host {X.X.X.X} {traps}

RMON
-monitors MIBs
-based on a delta (change) of a variable
-rmon alarm {x} {mib} {time-sample} delta|absolute rising-threshold {x} {event number}
-rmon event {y} log description

DHCP snooping
-ip dhcp snooping
-ip dhcp snooping trust {interface}
-ip arp inspection vlan {x}
-ip arp inspection filter {xxxx} vlan {y}
-interface fa 0/0
  ip verify source
-no ip dhcp snooping information-option

Protected ports
-switchport protected: forbids communication with other protected ports on the same VLAN (only within one switch)

Private VLAN
-promiscuous, community, isolated
-vtp mode must be transparent
-vlan x
  private-vlan primary
  private-vlan association x,y,z
-vlan y
  private-vlan community|isolated
-interface fa 0/0
  switchport mode private-vlan host|promiscuous
  switchport private-vlan mapping {primary} {secondary}  OR  switchport private-vlan host-association {primary} {secondary}

HSRP
-224.0.0.2, UDP port 1985
-default non preempt
-virtual MAC 0000.0c07.acXX (XX = group id); can be changed with standby use-bia

VRRP
-is preemptive by default
-0000.5E00.01XX
-IP protocol 112
-224.0.0.18

GLBP
-enables load-sharing
-not preemptive by default
-glbp load-balancing {weight}
-224.0.0.102
-UDP 3222

NAT

DHCP
-UDP ports 67, 68
-DHCP option 82 (information option)
-ip dhcp host uses the client-id

DNS
-client enabled by default (disabled with no ip domain-lookup)
-if ip name-server is not configured, requests are broadcast
-ip dns server
-ip host {name} {ip}

NETFLOW
-ip flow ingress|egress
-ip flow-export {destination}

WCCP
-ip wccp web-cache
-interface fa 0/1
  ip wccp web-cache redirect in|out
-the router will learn the content engines dynamically once WCCP is enabled globally

NTP
-stratum refers to reliability (1 is most reliable)
-ntp master {stratum}
-the clock can be immediately synchronized or skewed towards the time
-in order for the time to be immediately synchronized you should first configure the time and then configure NTP
-ntp authentication-key {x} md5 {yyyy}
-ntp trusted-key {x}
-ntp authenticate
-ntp server {x.x.x.x} key 1

Syslog
-debugging levels 0-7 in decreasing order of criticality
-logging {host}: sends to a remote syslog server
-service timestamps
-Banners: motd (first banner when connecting), login banner, enable banner

EEM
-applet
-event, action
