Hitchikers Guide to the CCIE V011 Jan2014

March 21, 2018 | Author: Tanzim Taj | Category: Network Protocols, Computer Architecture, Network Architecture, Technology, Computing
Share
Report this link


Comments



Description

CISQUEROS.BLOGSPOT.COM presents Hitchhikers Guide to the CCIE v0.1 This page was intentionally left blank. 2 cisqueros.blogspot.com About This is nothing more but a script of simple guidelines I made during my CCIE preparations, 2012-2014. Have in mind that I created this script throughout the entire preparation period, so some topics might be pretty basic as my level was CCNP, while some othersrequire the reader to have the almost-CCIE level. I will keep updating the script, and you will always be able to find the last version on my blog, and on the CertCollection blog: http://certcollection.org/ If you find my notes useful – I’m more than glad I could help. You can use it, share it, whatever, as long as you don’t try to sell it or publish it as your own. If for any reason you´d like to get in touch with me, regardless if it´s just to give me the feedback about the script, or propose any kind of collaboration, you’re more than welcome to contact me via my Blog, or via my LinkedIn profile: http://cisqueros.blogspot.com.es/ http://es.linkedin.com/in/matejajovanovic 3 cisqueros.blogspot.com ........................................................................................................................ 20 ETHERCHANNEL ......... 27 VRRP ............................................................................. 10 Tips and Tricks ...........................................................Unidirectional Link Detection ...... 18 BPDU GUARD ........................... 25 IP Services ............................................................................................................................................................. 24 STORM CONTROL ........................................................................................................................................................................................................................................... 18 PORTFAST ...................... 16 SPANNING TREE PROTOCOL (STP) ................................................................................................................................................................................................................................................................................................................ 30 DRP .............. 18 UDLD .......................................................................................... 23 MONITORING ....................................................................................................................................... 27 HSRP .............................................................................................................. 14 TRUNKS and DTP (Dynamic Trunking Protocol) ................................................... 25 Router on a STICK and IP BRIDGING ................................................................. 25 HTTP Server (HTTP access) on a Switch .........ICMP Router Discovery Protocol ...................................................................Hot Standby Routing Protocol ................................................................................................................................................................................................................... 13 VMPS ....................................Cisco Distributed Route Processor ........ 12 INTERFACE Statuses ............................................................................................ 24 LOGGING ........................................................................................................... 31 WAAS and WCCP Protocol ..Table of Contents About............................................................................. 26 IP Services Tips and Tricks ....................................................................................................... 3 LAN Switching ...................................................................................................................................Global Load Balancing Protocol .................................................................................................................................................................................................... QinQ Tunneling ..................................................................................................VLAN Trunking Protocol ........SDM (Switch Database Management) ................................................................... 11 MEMORY OPTIMIZATION .................................................................................................................................................................................... 15 Dot1q Tunneling: 802................ 14 PRIVATE VLANS ................................... 31 4 cisqueros..............blogspot.......... 22 SNMP.......................................... 13 VTP ..........................................................................................................................................................................................................................................................................................................................................................................................Virtual Routing Redundancy Protocol .......................................................................................................................... 19 SOURCE GUARD and DHCP SNOOPING............................................................................................................. 13 CAM TABLE .............................................................................................................................................................................................................................................................................................................. 20 DAI (Dynamic ARP Inspection) ..............................................................................................................................................................................................com .................................................................................................................................................................................................................. 29 IRDP ........................................................................................................ 16 MULTIPLE SPANNING TREE (MSTP) ... 28 GLBP ............... 11 VLAN Filters for NON-IP Traffic ......................................................................1q...................................................................................................................................VLAN Membership Policy Server ................................. .................................................................................................... 52 Redirecting Traffic (FORCING A PATH) ......................................................................................... 49 OSPF: Authentication ........................................................ 40 Various IOS Tricks.............................................................................................................................................................................................................. 37 Scalability for Stateful NAT (SNAT) ..... 52 5 cisqueros........ 44 RIP: Timers .. 36 Static NAT redundancy with HSRP ............................................................................................................................... 46 RIP: Route Filtering using Prefix Lists .................................................................................................................................................................................................................................................. 34 DYNAMIC NAT ................................................................... 50 OSPF Route Summarization ................................................................................ 48 OSPF: Configuration on INTERFACE LEVEL .........................................................................................................................................................................................com ......................................................... 45 RIP: Update Source Control ................................................................................................................................................................................................. 42 PBR ........ 35 PAT (NAT Overload) ..................................................................................................................................................................... 46 OSPF ...................................................................................................... 44 RIP: Updates Control ........................................................................................... 35 Load Balancing using NAT ......................................................................... 40 IP Routing ...................................................................................................................... focus on Network Types ......................... 39 CNS (Cisco Networking Services) ............................................................................................................... 51 OSPF Virtual Link ......................ON-DEMAND ROUTING ....................................................................................................................................................................................................................................blogspot.................... 51 OSPF Cost . 32 IP SLA ......................................................................................................................................................NTP .......................................................................................................................................................................................... 49 OSPF: Timers ................................................................................................................................................................................................................................................................................................. 46 RIP: Route Summarizing ................................................................................. 36 PAR ................... 43 RIP: Authentication ........................................................................................................................................................................................................................................................................... 37 NAT Translations with the Outside Source .............................................................. 43 RIP ....................................................Network Time Protocol ........................................................................................................................................................................................................................................... 38 DHCP Server ............................................................When you need to implement traffic redirections using NAT ........................................................................ 50 OSPF: Route Redistribution........ 39 GRE Tunnels .................. 45 RIP: OFFSET LISTS ..................................................................................................................................................................................................................................... 38 NAT on a Stick .....................................................................................................................................................................................................................................................................................................................................Policy Based Routing .................. 48 OSPF over Frame-Relay....................................................................................................Monitor the Network Performance ...................................................................................................................................................................................................................................................................................................................................................................... 43 ODR ................................................................................................................................... 33 STATIC NAT...................................... ............. 62 EIGRP Metric ............................................................................................................................................................................................................................................................................................................................................. POINT-TO-MULTIPOINT Networks ................... 53 OSPF LSA Types and AREA TYPES .................................................................. 66 EIGRP Updates BW Percent ........................................................................................ 73 BGP Route Dampening ...................................................................................................................................................................................................................................................................................................................................................................................................................................................... 66 EIGRP Redistribute Routes into EIGRP ......................... 73 BGP CONDITIONAL Advertisements ............................................................................................. 64 VARIANCE Command ........................................ 61 EIGRP ..............................................................................................................................................................................................K Values .................................................................................................................................................................. 66 EIGRP Stub............................................................................................................................................................................................................................... 66 MP-EIGRP ................... 70 BGP Peer-Group ..................................................... 71 BGP Authentication.................Advertise Maps ............... 64 EIGRP Default Gateway ..... 59 ISPF ................................................................................................OSPF and the GRE Tunnels ....................................................................... 60 OSPF in MPLS .......................................................................................................... 59 Forward Address Suppression .........................................blogspot..................................................................................................... 70 BGP Peer-Session and Peer-Policy Templates ................................... 65 EIGRP Administrative Distance ......................................... 65 EIGRP Authentication ............................................................. 57 OSPF NBMA (Non Broadcast Multiple Access) Networks ........................................... 56 OSPF Non-Broadcast Networks....... 65 EIGRP: Maximum Hops ..............................................................................com ........................................................... POINT-TO-POINT vs.................................................................................................................................. 67 BGP TIPs and Best Practices .................................................................................................................................... 68 BGP Version............................................... 58 DNS Lookup in OSPF ................................................................................................................................................................................................................. 59 OSPF Sham Link ...................................................................... 67 EIGRP Route Filtering ............................................................................................... 66 EIGRP offset-list [metric adjustments] ............................................. 55 OSPF Route Filtering ................................................................................................................................................................................................................................................................................................. 62 EIGRP "show neighbors" command ................................................................................................................................................................................................................................................................................................................................................................................................................................................ 53 OSPF STUBS .............................................. 71 BGP Route Reflectors . 74 6 cisqueros............................................................................................................................................................................................................... 63 EIGRP Route Summarization and Leak Maps ................................................................................................................................................................................................................................................................................................................................................ 72 BGP BACKDOOR Route .................................................................................................................................................................................................................................................................................................................... 58 OSPF BROADCAST vs.................................................................................... ........................................................................................................................................................................................... 84 QoS TIPS ......................if you need to match the port without the ACL ............................................................................................................................................................................................................................................................................................................................................................................................ 82 Route Redistribution TIPs ................................................ 91 QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ................................................................................"rate-limit" Interface Command ............................................ 87 Map COS to DSCP on a device ............................................ 93 QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ................................................................................................................................................. 90 Match MAC ADDRESS ......................................................................................DUAL BUCKET................ 95 DUAL RATE .. 96 WAN ........................................................................................................................................... 88 QoS POLICING ......................INDIVIDUAL and AGGREGATE POLICER..........."priority" and "priority percent" command ..................................................BGP Route Summarization . 77 2...........Resource Reservation Protocol .... 88 WFQ ...........................................................................................By default works with IP PRESEDENCE .................................................................................................. 89 RSVP ............................................................................................................................................................... 85 QoS on Access Ports ... 75 BGP INJECT and EXIST map ................................................................... Weight (the Higher ......................................................................................................................................................................... 97 Frame-Relay TIPS ................................ 95 NBAR (match protocol XXX) .................................................................................................................. 75 BGP & Load Balancing ............................................................................ MED (Multi Exit Discriminator) ........................................................................................... 81 MP-BGP (Multi-Protocol BGP)................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 80 BGP Confederations ...... 80 BGP: Regular Expressions....................... 78 3...............................the Better) ........................ 79 BGP Filters: Distribution and Prefix lists .....................................................................................................................................................................................configured using MQC............................................Weighted Random Early Detection and CB-WRED .............................................................................................................................. 90 IPv6 QoS .............................................blogspot.................................................. 96 WRED ................................. 75 BGP Community Attribute ................................................... 94 Define the QoS Schedule (TIME-RANGE command) ..................................................... 85 DSCP and COS MAPPING ............................................................................................................................................................................................................................................................................................... 90 QoS Frame-Relay SHAPING ......................................................................................................................................................................................... 76 1............... LOCAL PREFERENCE.......................................................................... 95 QoS CAR (Committed Access Rate) ............................................................................... 88 PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ..... 94 QoS CBWFQ ......the Better) ...................... 83 QoS .......................................................................................................... 94 QoS LLQ (Low Latency Queuing) ..................................................................... 79 4..............................................................com ..................... AS-Path (The less ASs in the path ........................ 98 7 cisqueros..................................................................................................................................... ............................................................................................................................Context Based Access Control Firewall ................................................................... 118 Security TIPS ........................................................... 111 IP MULTICAST: BSR (Bootstrap Router) Configuration ................................ 119 Router Security ........................................................................................................................................................................................... 124 PAM .......... 113 IP MULTICAST: Configuring SSM (Source Specific Multicast) ........................................................... 110 IP MULTICAST: AUTOMATIC RENDEZVOUZ POINT (Auto-RP) Configuration........................................................................................................................ 103 FRAME-RELAY AUTO-INSTALL ..................................................................................................................... 110 DESIGNATED ROUTER (DR) Configuration ..........................................................................For the applications EVERYONE wants ....................................... 120 BANNER and MENU Configuration ................................ 113 Multiprotocol BGP (MP-BGP) & IP Multicast .......................................... 102 FRAME-RELAY MULTILINKING ............. 121 Configure SSH Access ........................................................................ 123 TCP INTERCEPT ................................................................................................................................... 106 Multicast ................................................................................................................................................................................................................................................ 100 FRAME RELAY AUTHENTICATION............................................................Port to Application Mapping ..................................................................................................................................................................................................................................................................................................................... 124 CBAC ...............For Session Filtering ....................FRAME RELAY QoS ..........................................Best Practices ..............................com ................................................................................................................................................................................................................................................................................. 119 KNOWN ATTACKS and how to prevent ............................................................................................... PIM-DM ......................................................................................... 107 PIM Dense Mode............................................................................ 125 8 cisqueros.................................. 123 REFLEXIVE ACL .................................................. 114 IP MULTICAST: Bidirectional PIM (Bidir-PIM) ............................................... 104 IP Multicast .................................................................................................................................................................................................................................................................................................................................................. 100 VIRTUAL TEMPLATE ................ 117 Security ........................ 112 IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ............................................................................................................. 106 Configure PIM Multicast ...................................................................................... 99 POINT-TO-MULTIPOINT SUB-INTERFACE: .............................................................................. 109 STATIC RENDEZVOUZ POINT (RP) Configuration ............................... 105 Multicast TIPS.blogspot..................................................................................................................... 98 PHYSICAL INTERFACE CONFIGURATION: ........................................................................................................................................................................................................................................................................................................................................................................ 116 MULTICAST Helper Map & Helper-address ....................................................................................................................................... 99 POINT-TO-POINT SUB-INTERFACE: ...........................................................IGMP .....................To prevent TCP SYN DoS attacks ........................ 122 DYNAMIC ACL (aka Lock and key ACL) .......................................... 101 FRAME RELAY End-to-End KEEPALIVE ........................................................................................................................................................................... 121 ADVANCED Access Lists (ACL) Configuration ..................................................... 115 IP MULTICAST: Helper Map........................................................................................................ ................................................................................................................... 131 MPLS Configuration .................................................................................................................................................................................................................................................AToM (Any Transport over MPLS) .... 141 OSPFv3 ....................Unicast Reverse Path Forwarding ..... 140 IPv6 Routing .......... 136 IPv6..................................................................................................................................................................................................................................................................uRPF .............................................................................. 127 CONTROL Plane Policy (CPPr)................... 145 9 cisqueros....................................................... 132 MPLS LFIB and Labels (Label Spacing) ........................................ 138 IPv6 Basics ......................................................................................................... 143 IPv6 Tunnels .............. 129 AAA Authentication ........... 138 Convert MAC to Link Local IPv6 Address ............................. 126 Zone Based Firewall .................................................................................................................................................................................................................................................................................. 130 MPLS.............. 144 IPv6 Multicast Routing .................. 128 IOS IPS (Intrusion Prevention System) ...................................................... 134 MPLS VRFs............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 135 L2VPN ...........................................................................................com .......... 133 MPLS Session Protection............. 142 EIGRP IPv6 ..................blogspot........................................................................ RD (Route Distinguisher) and RT (Route Target) ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... 137 IPv6 TIPS ............................... com .LAN Switching 10 cisqueros.blogspot. (config)#vlan access-map VLANACM 20 (config-access-map)#action forward <-TO PERMIT ALL OTHER TRAFFIC STEP 3: At the end you need to APPLY the VLAN Access-Map to the VLAN (MEMORIZE THIS STUFF): (config)#vlan filter VLANACM vlan-list ? <1-4094> VLAN id all Add this filter to all VLANs 11 cisqueros.2_46_se/configuration/guide/swacl. 2.com . For example here there's an MAC Access-list created to filter out BPDU-s of a certain type (check all the NON-IP stuff we can filter out): (config)# mac access-list extended DENY_BPDU (config-ext-macl)# permit host 000.blogspot.cisco. You can define the DROP or FWD action: (config)#vlan access-map VLANACM 10 <-10 IS THE SEQ NUMBER (config-access-map)#action drop (config-access-map)#match mac address DENY_BPDU <-MATCH THE DEFINED MAC ACL !!!IMPORTANT: ORDER IS IRRELEVANT HERE!!! First we're saying DROP.com/en/US/docs/switches/lan/catalyst3560/software/release/12. hex. and then matching what to drop. This can be done in one of 2 ways: 1.configure the "switchport voice vlan X" on an access port. or octal aarp EtherType: AppleTalk ARP amber EtherType: DEC-Amber appletalk EtherType: AppleTalk/EtherTalk cos CoS value dec-spanning EtherType: DEC-Spanning-Tree decnet-iv EtherType: DECnet Phase IV diagnostic EtherType: DEC-Diagnostic dsm EtherType: DEC-DSM etype-6000 EtherType: 0x6000 etype-8042 EtherType: 0x8042 lat EtherType: DEC-LAT lavc-sca EtherType: DEC-LAVC-SCA lsap LSAP value mop-console EtherType: DEC-MOP Remote Console mop-dump EtherType: DEC-MOP Dump msdos EtherType: DEC-MSDOS mumps EtherType: DEC-MUMPS netbios EtherType: DEC-NETBIOS vines-echo EtherType: VINES Echo vines-ip EtherType: VINES IP xns-idp EtherType: XNS IDP STEP 2: After the MAC ACL is created. Directly using the "mac access-group MACL in" command Using the VLAN Maps VLAN Maps are the only way to control filtering within a VLAN.____________________________________________________________________________________________________________________ Tips and Tricks ____________________________________________________________________________________________________________________ Remove a FOLDER from the flash: #delete /force /recursive flash:c3750-ipbase-mz. On Cisco Docs can be found under the "Network Security with ACLs" under the Switch Configuration Guide: http://www.0c00.122-35. we need to Applying a MAC ACL to a Layer 2 Interface.html STEP 1: Basically instead of IP ACL. we're creating the MAC ACL in order to later apply it.SE5 TIP: When there is a CISCO Phone attached to an access port. but in the CCIE exam this can be useful to know. ____________________________________________________________________________________________________________________ VLAN Filters for NON-IP Traffic ____________________________________________________________________________________________________________________ These are not used in the production environment very often.0111 any (config-ext-macl)# permit any any ? <0-65535> An arbitrary EtherType in decimal. IPv4 and IPv6 ipe IPe bias routing Unicast bias <-SWITCH TO YOU USE AS A ROUTER. <--.for IP Routing VLAN . ONLY IPv4 vlan VLAN bias <-ONLY L2 SWITCH Check the achieved results: #show sdm prefer The current template is "desktop default" template.blogspot.Sets Switch to L2 and disables IP Routing Extended Match . so be sure you do it before the LAB if you know you'll be using both ipv4 and ipv6. and the command "ipv6 unicast routing" is not working.com . number of unicast mac addresses: 6K number of IPv4 IGMP groups + multicast routes: 1K number of IPv4 unicast routes: 8K number of directly-connected IPv4 hosts: 6K number of indirect IPv4 routes: 2K number of IPv4 policy based routing aces: 0 number of IPv4/MAC qos aces: 0.____________________________________________________________________________________________________________________ MEMORY OPTIMIZATION . number of unicast mac addresses: 3K number of IPv4 IGMP groups + multicast routes: 1K <--. in reality you only need to change the buffer allocation first (Apply a different SDM template). Make sure you need to reconfigure by checking the current SDM: settings "show SDM prefer" (config)#sdm prefer dual-ipv4-and-ipv6 routing 12 cisqueros.SDM (Switch Database Management) ____________________________________________________________________________________________________________________ Cisco Docs: 3560->Consolidated Platform Configuration Guides->SystemManagement->SDM Templates Depending on the Switch purpose (L2 Switching that uses CEF or IP Routing or IPv6).AFTER THE REBOOT SWITCH CHANGES THE SDM MODE The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. If the switch seems not to support the command.For QoS and Security ROUTING .5K number of IPv4/MAC security aces: 1K It can happen that you need to use IPv6 on a switch.5K number of IPv4/MAC qos aces: 0.for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support) (config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan] (config)#sdm prefer ? access Access bias default Default bias dual-ipv4-and-ipv6 Support both IPv4 and IPv6 <-USE THIS MODE WHEN YOU HAVE BOTH. The problem is that you have to SAVE and RELOAD.MEMORY ALLOCATION HAS BEEN CHANGED number of IPv4 unicast routes: 11K number of directly-connected IPv4 hosts: 3K number of indirect IPv4 routes: 8K number of IPv4 policy based routing aces: 0. and there are 4 templates: ACCESS . <--. Memory allocations can be optimized using the SDM (Switch Database Management).5K number of IPv4/MAC security aces: 1K #show sdm prefer The current template is "desktop routing" template.COMMAND NOT ACTIVE BEFORE THE SWITCH HAS BEEN REBOOTED The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. 43.88.12.258 Fa1/0/21 1. CONFIGURE or DATABASE mode.It will not be propagated To restrict FLOOD TRAFFIC to TRUNK Interfaces.36. use VTP PRUNING.every time VTP database changes (every 300 ms) Subset Advertisements .45.blogspot.255.45. 2.258 Fa1/0/19 1. 4.12.43.255.255.com .258 Fa1/0/14 1. 4 types of VTP Advertisements are being exchanged between the switches: 1.77.43. Summary Advertisements .43.45.36.258 Fa1/0/15 1.12. includes what exactly changed Advertisements requested from clients .when PRUNING is enabled.if not active for 10 minutes REMOVE from the CAM table (config)#mac-address-table secure 48BIT_MAC_ADDRESS Gi3/0/15 ____________________________________________________________________________________________________________________ VTP .77.6-7.VLAN Trunking Protocol ____________________________________________________________________________________________________________________ Most commands can be configured in PRIVILEGED. You have to delete flash:vlan.45.dat and erase the startup-config and reload the router.sent right after SUMMARY. so for example to PRUNE ALL BUT VLAN 8: (config-if)#switchport trunk pruning vlan 2-7.45.client requests info to update the VTP database.77.7.12.77. 3.12.43.77.258 Fa1/0/20 1.45.258 13 cisqueros.36. it is not on the trunk) You can adjust the VLANs that are being pruned on the interface.255.36.255. Have in mind that there is no way to dis-configure the VTP DOMAIN NAME (by default it’s NULL). they tell the neighbor WHAT VLANs they want (if the VLAN is not announced with this message.6-8. and Security (enable the known and secure MAC addresses) (config)#mac address-table aging-time 600 <--.12. You can configure the source IP of all the VTP messages: (config)#vtp interface Loopback 1 [only] <.6-7.255.77.88.____________________________________________________________________________________________________________________ INTERFACE Statuses ____________________________________________________________________________________________________________________ INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING: GigabitEthernet3/0/1 unassigned YES unset down down INTERFACE "shutdown": GigabitEthernet3/0/17 unassigned YES unset administratively down down INTERFACE "no shut" and CONNECTED: GigabitEthernet3/0/19 unassigned YES unset up up ____________________________________________________________________________________________________________________ CAM TABLE ____________________________________________________________________________________________________________________ You can set up the MAC Aging Time.88.6-7.36.36. server responds VTP Membership announcements .6-7.9-1001 OR (config-if)#switchport trunk pruning vlan remove 8 Check the PRUNING STATUS: #show interfaces pruning Port Vlan traffic requested of neighbor <-!!!THE ALLOWED VLANS ARE DISPLAYED HERE!!! Fa1/0/13 1.88.88. SECURE MODE: If MAC not found in VMPS Server . a VMPS server searches its database for an entry of a MAC-address to VLAN mapping. The interface becomes a TRUNK even if the other side is not a trunk.Actively attempts to convert to TRUNK.Negotiate TRUNK ONLY if Negotiation Packet received from a Neighbour (config-if)#switchport mode dynamic auto Nonegotiate . On the VMPS Server: (config)#vmps server [ipaddress | hostname] primary And on all the switches in the LAN (VMPS Clients): (config-if)#switchport access vlan dynamic Define how many times you want Client to contact the Server.RETRY IN 30 MINUTES IF 5 ATTEMPTS FAIL ____________________________________________________________________________________________________________________ TRUNKS and DTP (Dynamic Trunking Protocol) ____________________________________________________________________________________________________________________ Dynamic Trunking Protocol PRE-REQUISITE: BOTH sides MUST have THE SAME SPEED and DUPLEX CONFIGURED!!! *You don't need to set the ENCAPSULATION on BOTH sides if you are using DTP To turn the DTP OFF. on Client and Server. like if you want to retry 5 times: (config)#vmps retry 5 (config)#vmps reconfirm 30 <--. (TURNS DTP OFF) and negotiates to CONVERT the Neighbor.ENABLE PRUNING (can be done ONLY ON VTP SERVER Switch): #vtp pruning <--. it is dynamically acquired from the VMPS based on the MAC-address on the port. Upon receiving a valid request from a VMPS client. it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network.provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port.Prevents the interface from generating DTP frames.VLAN Membership Policy Server ____________________________________________________________________________________________________________________ VLAN Membership Policy Server . VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients. (config-if)#switchport mode trunk Dynamic Desirable .shut down the port Configuration is done on a per-role basis. The VLAN is not statically assigned to the port. VLANs that are ELIGIBLE for Pruning are 2-1001 only ____________________________________________________________________________________________________________________ VMPS . set the PERMANENT TRUNK MODE. so.com . When a port is configured as "dynamic. You can use this command only when the interface switchport mode is access or trunk (config-if)#switchport mode nonegotiate 14 cisqueros. but it's NOT in PERMANENT TRUNK mode: (config-if)#switchport mode dynamic desirable Dynamic Auto .PROPAGATED TO ALL SWITCHES WITHIN THE VTP DOMAIN Pruning switched on *VLAN 1 CANNOT BE PRUNED!!! **VLANs that are used locally also CANNOT BE PRUNED." it receives VLAN information based on the MAC-address that is on the port.blogspot. 30. Community .com . 15 cisqueros.-----------------------------------------10 20 community Et0/2 10 30 community Et0/0 10 40 isolated Et0/0 GREAT Example of PRIVATE VLANs is 2 HOSTS on a SWITCH that should NOT communicate to each other.blogspot. which disables VTP!!! (config-if)#vtp mode transparent This topic belongs to L2 SECURITY rather than L2 SWITCHING.--------.40.40 <-DONT FORGET TO ASSOCIATE EVEN WITH ISOLATED Then configure the interface: (config-if)#switchport mode private-vlan promiscuous (config-if)#switchport private-vlan mapping 10 add 30. Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!! 1. Isolated .Can communicate within the SAME community or with Promiscuous (config)#vlan 30 (config-vlan)#private-vlan community (config-if)#switchport mode private-vlan host (config-if)#switchport private-vlan host-association 10 20 <-Associate Community VLAN 20 with Promiscuous VLAN 10 DONT FORGET TO ASSOCIATE Secondary VLANs to the Primary. can communicate with EVERYONE (config)#vlan 10 (config-vlan)#private-vlan primary (config-vlan)#private-vlan association add 20.50 <-Map Promiscuous VLAN 10 to Community and Isolated VLANs 2.30. and associate it to the ISOLATED VLAN. so that they can all communicate with Promiscuous: (config-vlan)#private-vlan association add 20. Promiscuous . You should do VLAN XXX for HOSTS as ISOLATED.----------------. and 1 router that should communicate with BOTH HOSTS.____________________________________________________________________________________________________________________ PRIVATE VLANS ____________________________________________________________________________________________________________________ *REQUIRES VTP MODE TO BE SET TO TRANSPARENT.belongs to PRIMARY VLAN. and VLAN for the ROUTER as the PROMISCUOUS.can only communicate with Promiscuous (config)#vlan 40 (config-vlan)#private-vlan isolated (config-if)#switchport mode private-vlan host (config-if)#switchport private-vlan host-association 10 40 3.40 #show vlan private-vlan Primary Secondary Type Ports ------. If you are using the NATIVE VLAN to do this. you can set the priority. or use the command "root primary" that sets the priority to: If CURRENT ROOT PRIORITY > 24576 . STP and VTP can be tunnelled) (config-if)#l2protocol-tunnel [cdp | stp | vtp] #show l2protocol-tunnel summary *Take SPECIAL CARE about the MTU SIZE on Switches (might need to set to 1504 due to the ADDED 4 BYTES IN THE TUNNEL) (config)#system mtu 1504 Make sure if you need to define a TUNNEL PORT for QinQ!!! When is this necessary? When the ROUTER is TAGGING the traffic towards the switch (using the 802. INGRESS PORT adds 2 Byte Ether Type field 0x8100 + 2 Bytes for CoS and VLAN Egress tunnel port STRIPS THESE 4 BYTES (config-if)#switchport access vlan 100 (config-if)#switchport mode dot1q-tunnel <-CHECK THE EXPLANATION BELOW You can also configure L2 TUNNELING (CDP. make sure that the TRUNK port is also tagging the NATIVE VLAN: (config-if)#switchport mode dot1q-tunnel (config)#vlan dot1q tag native <-TO TAG THE NATIVE PORT ON 802.768a.-------.See the MAC address of the Switch #show version | i Base #show spanning-tree vlan 12 VLAN0012 Spanning tree enabled protocol ieee Root ID Priority 24588 <-ABOUT THE ROOT BRIDGE.8192 Address ec44.-----Gi3/0/19 Desg FWD 4 128.1q TRUNK WITH THE ROUTER ____________________________________________________________________________________________________________________ SPANNING TREE PROTOCOL (STP) ____________________________________________________________________________________________________________________ When setting the root.6d80 <-.____________________________________________________________________________________________________________________ Dot1q Tunneling: 802.sets the priority to 4096 The "root secondary" command always sets the priority to 28762 GREAT COMMAND: #show spanning-tree bridge <. along with L2 tunnel.--. QinQ Tunneling ____________________________________________________________________________________________________________________ When a TUNNEL port receives Customers Traffic.--------.com .Nbr Type <-ABOUT INTERFACES IN THIS VLAN ------------------.127 P2p <--.ABOUT THIS SWITCH (LOCAL Bridge) Address ec44.1q.768a. 24588 = 32768 + 12 (vlan 12) .COST IS 4 CAUSE THIS IS GigabitEthernet Port 16 cisqueros.ON ROOT BridgeID and RootID have the same MAC Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.6d80 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24588 (priority 24576 sys-id-ext 12) <--.blogspot. you have to establish the DOT1Q TUNNEL.---.1Q TRUNK).sets the priority to 24576 (priority 24576 sys-id-ext 12) If CURRENT ROOT PRIORITY =< 24576 . USE COST WHEN GOING AWAY FROM THE ROOT .cc00. and BackboneFast tries to find an alternate path to the root.-----------32769 aabb. SO I'm the ROOT!!! BEST PRACTICE: Change the COST on the interface level to change the PATH Change the PORT PRIORITY to influence ONLY the NEIGHBORING SWITCH !!!IMPORTANT: WHEN GOING TOWARDS THE STP ROOT .com .--------.----.cc00.476: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0044 GigabitEthernet1/0/15 moved to Forwarding (UplinkFast) !!!UplinkFast is most useful in wiring-closet switches at the access or edge of the network.COST TO ROOT IS 0.USE PORT-PRIORITY UPLINKFAST: FAST Convergence in case of DIRECT failure of the ROOT port (Natively included in RSTP) If a switch loses connectivity.0800 100 2 20 15 Et3/1 24976 aabb.Gi3/0/20 Desg FWD 4 128. detects indirect failures in the core of the backbone. (config)#spanning-tree backbonefast 17 cisqueros. it begins using the alternate paths as soon as the spanning tree selects a new root port.0600 200 2 20 15 Et2/2 24776 aabb.0900 0 2 20 15 <--.--.128 P2p (on FastEth is would be 19) Great command to check the ROOT: #show spanning-tree root Vlan ---------------VLAN0001 VLAN0100 VLAN0200 VLAN0300 VLAN0400 Root Hello Max Fwd Root ID Cost Time Age Dly Root Port -------------------.blogspot. the BPDU is a signal that the other switch might have lost its path to the root.--. It is not appropriate for backbone devices BACKBONEFAST: Complementary feature to UPLINKFAST.cc00.cc00. When a switch receives an inferior BPDU from the designated port of another switch.0700 100 2 20 15 Et2/2 24876 aabb.0600 200 2 20 15 Et2/2 24676 aabb.cc00. By enabling UPLINKFAST Globally you SPEED UP the choice of NEW ROOT PORT when a link or switch fails or when the spanning tree reconfigures itself: (config)#spanning-tree uplinkfast *Transitions to FWD STATE without going through LISTENING or LEARNING STATE: *Mar 1 08:46. cc00. One is to manually type “shut” and “no shut” command.MST REGION NAME SW2#show spanning-tree mst configuration Name [] Revision 1 Instances configured 3 Instance Vlans mapped -------. ____________________________________________________________________________________________________________________ BPDU GUARD ____________________________________________________________________________________________________________________ This feature is used to disable anything but a Workstation to be connected to a port we are configuring with PortFast.com . to this interface when portfast is enabled. 90 (config-mst)#name CCIE <--. If BPDU received go into "ERRDISABLE" state (disable the port) (config-if-range)#spanning-tree bpduguard enable There are to options to return to the normal state. bridges.-------------------. PORTFAST reduces significantly the overhead.--------. because TCN (Topology Change Notification) BPDUs will not be generated..0600 0 2 20 15 MST2 4098 aabb. do “show errdisable recovery” (config)#errdisable recovery cause interval 360 18 cisqueros. Connecting hubs..91-4094 1 12.--MST0 32768 aabb.--------------------------------------------------------------------0 1-11. switches. concentrators. It should be configured on the Interfaces where BPDU should NEVER be received.35-55.34 2 56.____________________________________________________________________________________________________________________ MULTIPLE SPANNING TREE (MSTP) ____________________________________________________________________________________________________________________ Supports up to 4096 instances of Spanning Tree (config)#spanning-tree mode mst (config)#spanning-tree mst configuration (config-mst)#revision 1 (config-mst)#instance 1 vlan 12.13-33. etc.90 ------------------------------------------------------------------------------- Check the ROOT: #show spanning-tree root Root Hello Max Fwd MST Instance Root ID Cost Time Age Dly ---------------.57-89.blogspot.0600 0 2 20 15 Root Port ------------ ____________________________________________________________________________________________________________________ PORTFAST ____________________________________________________________________________________________________________________ Quick transition.cc00.----.--. can cause temporary bridging loops. 34 (config-mst)#instance 2 vlan 56. BYPASS LISTENING & LEARNING (config-if-range)#spanning-tree portfast %Warning: portfast should only be enabled on ports connected to a single host.cc00.0600 0 2 20 15 MST1 1 aabb. Another option is to define an ERRDISABLE RECOVERY: (config)#errdisable recovery cause bpduguard <-MANY CAUSES CAN BE DEFINED HERE. use AGGRESSIVE mode! To automatically recover from err-disable state in x seconds (x=120 in this case) (config)#errdisable recovery cause udld (config)#errdisable recovery interval 120 To RESET all ports from the ERRSISABLE state: #udld reset #show errdisable recovery ErrDisable Reason ----------------arp-inspection bpduguard channel-misconfig dhcp-rate-limit dtp-flap gbic-invalid inline-power l2ptguard link-flap mac-limit loopback pagp-flap port-mode-failure psecure-violation security-violation sfp-config-mismatch small-frame storm-control udld vmps Timer interval: 120 seconds Timer Status -------------Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Enabled <--. To enable Unidirectional Link Detection on an Interface: (config-if)#udld port aggressive GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!! IT’S RECOMMENDED TO USE UDLD WITH LOOPGUARD!!! (For the port to enter the DISABLE state when BPDU are no longer received) Normally when unidirectional link occurs. the other side stops receiving BPDUs. Loopguard prevents this. and assumes that STP ROOT is no longer available.Unidirectional Link Detection ____________________________________________________________________________________________________________________ UDLD is used to detect the SEND part of the cable as DOWN. UDLD sends L2 pings between neighbors to check if it's responding.com . so . while the RECEIVE part is still active.UDLD CAUSE IS ON FOR ERRDISABLE Disabled 19 cisqueros.blogspot. This happens on a Fiber Optic cable quite often.____________________________________________________________________________________________________________________ UDLD . (config-if)#spanning-tree guard loop <-CONFIGURE ON UPLINK PORTS If it´s a TWISTED PAIR .it declares itself as a NEW STP ROOT. 1.1. Static: (config)#ip source binding 0000.1. or the "switchport nonegotiate" command .ACTIVE or PASSIVE .1.1 Total number of bindings: 3 Lease(sec) ---------infinite infinite infinite Type ------------static static static VLAN ---2 2 2 Interface -------------------Ethernet0/1 Ethernet0/2 Ethernet0/0 ____________________________________________________________________________________________________________________ ETHERCHANNEL ____________________________________________________________________________________________________________________ PAgP (Port Aggregation Protocol) .2 00:00:33:33:33:33 10. DESIRABLE or AUTO or NONEGOTIATE *in case the link is configured as ACCESS. because DHCP SNOOPING can insert EMPTY GIADDR FIELD!!! (config)#ip dhcp relay information trust-all First Enable Source Guard directly on the interface.During Detection transmits packets every second TIP: To make SW1 Priority higher to allow it control the BUNDLE CREATION: (config)#lacp system-priority 1 20 cisqueros.2 interface e0/1 #show ip source binding MacAddress IpAddress -----------------.Protocol Value: 0x0104 .1.3 00:00:11:11:11:11 10.DONT FORGET TO ENABLE IT FIRST!!! (config)#ip dhcp snooping vlan 2 When configuring the DHCP Snooping. or the DHCP responses will be IGNORED!!! (config-if)#ip dhcp snooping trust !!!DONT FORGET TO EITHER DISABLE INFORMATION OPTION (option 82).1.blogspot.1.Multicast MAC: 01-80-C2-00-00-02 .3ad .Cisco Prop. WILL VERIFY IP ADDRESS ONLY! (config-if)#ip verify source (config-if)#ip verify source port-security <--.Same multicast group MAC like CDP LACP (Link Aggregation Control Protocol) . make sure you set the DHCP TRUST on all the UPLINK TRUNKS.TO VERIFY MAC AND IP (config-if)#SWItchport PORT-security <--.com .2222. OR CONFIGURE DHCP SERVER TO REJECT TRANSIT DHCP MESSAGES.--------------00:00:22:22:22:22 10.MUST ENABLE (permits L3 checks on a pure L2 interface) Then add Dynamic or Static IP-to-MAC bindings.2222 vlan 2 10.802.1.____________________________________________________________________________________________________________________ SOURCE GUARD and DHCP SNOOPING ____________________________________________________________________________________________________________________ !!!! SOURCE GUARD WILL NOT WORK IF DHCP SNOOPING IS NOT ENABLED!!! (config)#ip dhcp snooping <--. Device is in Passive mode Channel group 1 Port Gi3/0/19 Gi3/0/20 Flags SA SA State bndl bndl LACP port Priority 32768 32768 Admin Key 0x1 0x1 Oper Key 0x1 0x1 Port Number 0x7F 0x80 Port State 0x3D 0x3D "ON" .Default Interface .Device is requesting Fast LACPDUs A .(Mode ON) You can configure MAX 16 PORTS.SHUT -> NO SHUT on PHYSICAL INTERFACES Summary: 24 Po24(SU) PAgP Gi1/0/21(P) Gi1/0/22(P) * "show interface trunk" Will show only Port Channel. and all L3 configuration under it Summary: 32 Po32(RU) Gi1/0/23(P) Gi1/0/24(P) L2 ETHERCHANNEL: LOGICAL INTERFACE CREATED AUTOMATICALLY.Doesn’t use LACP or PaGP.Device is in Active mode P . and the other HOT STANDBY (activate if one of the first 8 fail).Configure TRUNKING ENCAPSULATION under the PORT CHANNEL directly .blogspot.Check the DEFAULT PARAMETERS: 2#show lacp 1 internal Flags: S . by sending the BPDUs only over one of the physical links 21 cisqueros.com . Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured: (config-if)#lacp port-priority 1 <--. but "show interface XX switchport" will show that the INT IS TRUNK LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode): (config)#port-channel load-balance ? dst-ip Dst IP Addr dst-mac Dst Mac Addr src-dst-ip Src XOR Dst IP Addr src-dst-mac Src XOR Dst Mac Addr src-ip Src IP Addr src-mac Src Mac Addr #show etherchannel load-balance Ether Channel Load-Balancing Configuration: dst-mac Ether Channel Load-Balancing Addresses Used Per-Protocol: Non-IP: Destination MAC address IPv4: Destination MAC address IPv6: Destination MAC address Spanning Tree treats the Etherchannel Link as a SINGLE LINK. Best Practice (CONFIGURATION): .Channel Protocol and Group on physical interface (this creates Port Channel) . out of which: MAXIMUM 8 ACTIVE PORTS.LOWER IS BETTER!!! (default is 32768) L3 ETHERCHANNEL: Configure the Port-Channel interface statically.Device is requesting Slow LACPDUs F . BOTH sides MUST BE ON!!! #do show etherch protocol Channel-group listing: ---------------------Group: 13 ---------Protocol: . DEFAULT IS 15 PPS (packets per second) #show ip arp inspection interfaces Interface Trust State Rate (pps) --------------. 22 cisqueros.____________________________________________________________________________________________________________________ DAI (Dynamic ARP Inspection) ____________________________________________________________________________________________________________________ (config)#ip arp inspection vlan 2 <--.1.3333.1111 (config-arp-nacl)#permit ip host 20.-------------------Gi3/0/1 Untrusted 5 Gi3/0/2 Untrusted 15 Burst Interval -------------1 <--.2 mac host 0000.1111.1.1.3 mac host 0000.NO SYSTEM MESSAGE GENERATED Check the log for details: #show ip arp inspection log Total Log Buffer Size : 32 Syslog rate : 0 entries per 5 seconds.15 pps IS THE DEFAULT VALUE To monitor the DROPPED packets due to DAI: (config)#ip arp inspection log-buffer logs 0 interval 5 <--. and apply it to DAI: (config)#arp access-list ARP_ACL_20 (config-arp-nacl)#permit ip host 20.THE CHANGED ONE 1 <--. the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. therefore.1.blogspot.3333 And now APPLY: (config)#ip arp inspection filter ARP_ACL_20 vlan 2 #show ip arp inspection Source Mac Validation : Disabled Destination Mac Validation : Disabled IP Address Validation : Disabled Vlan ---2 Vlan ---2 Vlan ---2 Configuration ------------Enabled ACL Logging ----------Deny Forwarded --------0 Operation --------Active ACL Match --------ARP_ACL_20 Static ACL ---------No DHCP Logging -----------Deny Dropped ------0 Probe Logging ------------Off DHCP Drops ---------0 ACL Drops --------0 The switch CPU performs dynamic ARP inspection validation checks. (config-if)#ip arp inspection limit rate 5 <--.Inspect ARP within the VLAN 2 You can create an ARP Access List and map the IP to MAC.com .LOG 0 . 168.1.READ ONLY COMMUNITY STRING (config)#snmp-server community TST-RW rw <--. they are done within each particular COMMAND/TRAP...com .] 23 cisqueros.---------------GigabitEthernet3/0/1 Enabled Enabled #show mac address-table notification change MAC Notification Feature is Enabled on the switch Interval between Notification Traps : 1800 secs Number of MAC Addresses Added : 0 Number of MAC Addresses Removed : 0 Number of Notifications sent to NMS : 0 Maximum Number of entries configured in History Table : 150 Current History Table Length : 0 MAC Notification Traps are Enabled History Table contents ---------------------- And apply to the interface to GENERATE A TRAP when something happens: (config-if)#snmp trap mac-notification change added If you need to configure some deeper changes. have in mind the QUANTITY.SEND TRAP EVERY 30 MINUTES (1800 seconds) DO NOT FORGET to ENABLE the CAM notifications in Global Configure mode: (config)#mac address-table notification change And to make sure: #show mac address-table notification change interface Gi3/0/1 MAC Notification Feature is Enabled on the switch Interface MAC Added Trap MAC Removed Trap ---------------------.blogspot. or set timers. so control it with: (config)#mac address-table notification change history-size 150 <--.RE-WRITE COMMUNITY STRING Specify the TRAPS TYPE: (config)#snmp-server enable traps [mac-notification | bgp | pim | .100 traps version 2c cisco [mac-notification | bgp | pim…] <-SEND TRAPS When the traps contain MAC Address Add/Remove notifications..] <-FIRST ENABLE TRAPS OF A TYPE (config)#snmp-server host 192.1..100 traps version 2c cisco To define RO and RW COMMUNITY: (config)#snmp-server community TST-RO ro <--.168. Community "Public" to the NMS Server: (config)#snmp-server host 192.1 traps [Public | Private] If you need to define the VERSION and the COMMUNITY STRING: (config)#snmp-server host 192. so.LIMIT THE TABLE CAPACITY TO 150 (config)#mac address-table notification change interval 1800 <--. (config)#mac address-table notification [more options like INTERVAL.____________________________________________________________________________________________________________________ SNMP ____________________________________________________________________________________________________________________ Send the SNMP traps.1.168. "SERVICE" command IS FOR SYSTEM GENERAL SETTINGS Add/Remove TIMESTAMPS (config)#no service timestamps debug (config)#no service timestamps log Set the LOGGING messages to be saved in Local: (config)#logging facility local4 Specific (more GRANULAR) logging settings can be configured on the INTERFACE LEVEL: (config-if)#logging event ? bundle-status BUNDLE/UNBUNDLE messages link-status UPDOWN and CHANGE messages nfas-status NFAS D-channel status messages power-inline-status Inline power messages spanning-tree Spanning-tree Interface events status Spanning-tree state change messages subif-link-status Sub-interface UPDOWN and CHANGE messages trunk-status TRUNK status messages 24 cisqueros.FROM WARNING-4 (INCLUDING 4) TO MORE CRITICAL (ALERT-1.w Or Localy in a FILE: (config)#logging file flash:syslog 7 <--.____________________________________________________________________________________________________________________ MONITORING ____________________________________________________________________________________________________________________ RSPAN .7 is DEBUGGING.y.com . so LOG EVERYTHING 0-7 emergencies System is unusable (severity=0) alerts Immediate action needed (severity=1) critical Critical conditions (severity=2) errors Error conditions (severity=3) warnings Warning conditions (severity=4) notifications Normal but significant conditions (severity=5) informational Informational messages (severity=6) debugging Debugging messages (severity=7) Set SEVERITY level: (config)#logging trap 4 <--.z. CRITICAL-2.Dont forget to CREATE the VLAN specially for the RSPAN (config)#vlan 22 (config-vlan)#remote-span ____________________________________________________________________________________________________________________ LOGGING ____________________________________________________________________________________________________________________ Remote IP: (config)#logging x. ERROR-3) Add SEQUENCE numbers: (config)#service sequence-numbers <--.blogspot. with its own MAC address table.blogspot. 25 cisqueros. (config)#ip http server (config)#ip http path flash: <-.------------. To limit the Broadcast to 50%: (config-if)#storm-control broadcast level 50.____________________________________________________________________________________________________________________ STORM CONTROL ____________________________________________________________________________________________________________________ To LIMIT the type of traffic (BROADCAST or MULTICAST or UNICAST).com . Normally the protocol can be ROUTED or BRIDGED. and set it to ROUTE the IP traffic: (config)#bridge 1 protocol ieee (config)#bridge 1 route ip If.00 <-LIMIT THIS TYPE OF TRAFFIC (also valid for MULTICAST or UNICAST) (config-if)#storm-control action [shutdown | trap] <-DEFINE THE ACTION OR LIMIT the number of packets per second: (config-if)#storm-control unicast level pps 250 #sh storm-control unicast Interface Filter State Upper Lower --------. and you want it to be PING-able from the local router.----------Fa1/0/1 Forwarding 250 pps 250 pps Current ---------1 pps ____________________________________________________________________________________________________________________ HTTP Server (HTTP access) on a Switch ____________________________________________________________________________________________________________________ This is a simple feature. So the first step here is to define the BRIDGE MODE to be the IRB: (config)#bridge irb *BRIDGE GROUP is a VIRTUAL BRIDGE inside the Router. which we don´t really recommend in the production environment.16 (config-subif)#encapsulation dot1Q 16 <-FOR VLAN 16 (config-subif)#bridge-group 1 You need to define the BRIDGING PROTOCOL.define the PATH where files are #show ip http server status HTTP server status: Enabled HTTP server port: 80 HTTP server authentication method: enable HTTP server access class: 0 HTTP server base path: flash: ____________________________________________________________________________________________________________________ Router on a STICK and IP BRIDGING ____________________________________________________________________________________________________________________ Integrated Routing and Bridging enables a user to route a given protocol between routed interfaces and bridge groups or route a given protocol between the bridge groups. By using IRB (INTEGRATED ROUTING and BRIDGING) we overcome this. To configure a VLAN associated with a bridge group with a default native VLAN: (config)#interface FastEthernet0/0. for example. VLAN 16 ends on the other side in a SVI.----------. blogspot.com .IP Services 26 cisqueros. to tell others that it should be ACTIVE) and RESIGN Configuration is quite straight-forward.0.25.255.25.Group 1 VIRTUAL IP Address standby 1 timers 5 15 <.25.25.55 If you need to TRACK an interface.blogspot.0 standby 1 ip 172.0.255.22 172.25.25.Hot Standby Routing Protocol ____________________________________________________________________________________________________________________ HSRP is a Cisco Proprietary protocol.2 255.0c07. and it can be disabled: (config-if)#no ip proxy-arp ____________________________________________________________________________________________________________________ HSRP . Protocol 112 HSRPv2: Also UDP.Can also be done in milliseconds using "standby 1 timers msec 250 800" standby 1 priority 150 <.____________________________________________________________________________________________________________________ IP Services Tips and Tricks ____________________________________________________________________________________________________________________ IMPORTANT: HSRP: UDP to Multicast Address 224. the router responds with its own MAC address. There are 3 types of HSRP messages: HELLO.0. but there are many ways to tune it. and be sure that the active neighbor has Preempt configured: (config-if)#standby 1 track serial 0/1/0. COUP (used by a router with the highest priority. This is called the ARP Proxy.25.22 <.2 (all routers). Interface Fa0/0 Fa0/0 Grp Prio P State 1 100 Standby 2 200 P Active Active 172. Multicast Address 224.2 local Standby local 172.55 standby 2 timers 5 15 standby 2 authentication Cisco standby 2 name R5-Act <-Name of the HSRP Group 2 "07-ac" is the SIGNARURE part of Virtual MAC Address of the HSRP: #sh standby | i 07 Active virtual MAC address is 0000.25.105 TIP: When a CLIENT sends a request for an IP which is out of that segment.0c07. VRRP: Directly over IP.25.25.Default it 100 standby 1 preempt <-TAKE BACK THE ACTIVE ROLE standby 1 authentication Cisco standby 1 name R2-Act <-Name of the HSRP Group 1 standby 2 ip 172. be sure to define for how much you want to decrease the HSRP priority in order to fail over to the HSRP Peer.ac01 (v1 default) To check the current configuration.com .25.0. solves the conflict between the CGMP Leave Messages. including the HSRP Status and whether the preempt option is configured: #sh standby brief P indicates configured to preempt.25. in accordance with your needs: interface FastEthernet0/0 ip address 172.25. it's ON by default on Fast Ethernet.21 60 27 cisqueros.ac01 Local virtual MAC address is 0000.25. which is currently NOT ACTIVE.2 Virtual IP 172. 25.25.22 vrrp 1 timers learn vrrp 1 authentication cisco vrrp 2 description MAT2 vrrp 2 ip 172. You need to tell Master to ADVERTISE the Hello Timer value to the Backup.1 *13 15:04:38.255.1 *13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.2 255. but MASTER and BACKUP router.585: VRRP: Grp 2 Advertisement from 172.12.12.12.11 vrrp 2 timers advertise 10 vrrp 2 priority 200 end !!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default! 28 cisqueros.25.12. as shown below: #show vrrp brief Interface Fa0/0 Fa0/0 Grp Pri Time 1 200 3218 2 100 3609 Own Pre State Y Master Y Backup Master addr 172.12.001: VRRP: Grp 1 sending Advertisement checksum *13 15:04:41.12.25.12.25.2 Group addr 172. and tell the Backup to LEARN the Hello Timer from the Master: (config-if)#vrrp 1 timers advertise 10 (config-if)#vrrp 2 timers learn *Router is Master for VRRP Group 1 and Backup for VRRP Group 2 VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD".Virtual Routing Redundancy Protocol ____________________________________________________________________________________________________________________ The VRRP configuration is similar to the HSRP.585: VRRP: Grp 2 Advertisement from 172.1 *13 15:04:42.12.973: VRRP: Grp 2 sending Advertisement checksum *13 15:04:41.com .12. with a few slight differences.25. For example.12.11 TIMERS are a bit different to configure.255.001: VRRP: Grp 1 sending Advertisement checksum *13 15:04:39.25.blogspot. there are no ACTIVE and STANDBY.585: VRRP: Grp 2 Advertisement from 172. and the debug on the VRRP Pair router is as follows (before the authentication is configured on BOTH): #debug vrrp *13 15:04:37.25.22 172.____________________________________________________________________________________________________________________ VRRP .12.12.1 172.1 *13 15:04:39.25.001: VRRP: Grp 1 sending Advertisement checksum #u all All possible debugging has been turned off has incorrect EBE4 has incorrect EBE4 has incorrect has incorrect 87E5 EBE4 has incorrect EBE4 authentication type 1 expected 0 authentication type 1 expected 0 authentication type 1 expected 0 authentication type 1 expected 0 authentication type 1 expected 0 The configuration on the interface will look similar to the HSRP: interface FastEthernet0/0 ip address 172.25.001: VRRP: Grp 1 sending Advertisement checksum *13 15:04:38.1 *13 15:04:40.25.585: VRRP: Grp 2 Advertisement from 172.0 vrrp 1 description MAT1 vrrp 1 ip 172.25. (config-if)#glbp 1 timers ? <1-60> Hello interval in seconds msec Specify hello interval in milliseconds redirect Specify time-out values for failed forwarders Tracking is also different on GLBP.1. the WEIGHT will be decremented by 10. source MAC determines forwarder choice round-robin Load balance equally using each forwarder in turn weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router) <cr> As an additional GLBP feature. and VARIOUS MACs.TO TRACK IP ROUTING line-protocol Track interface line-protocol <.100 0007. with a global Track Object.TRACK IF THE INTERFACE IS DOWN (config)#track 1 interface fa0/0 line-protocol (config)#track 2 interface s0/1/0 line-protocol #show track Track 1 Interface FastEthernet0/1 line-protocol Line protocol is Up 1 change.it's more complex and gives more possibilities.0. as in . last change 00:02:10 Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (If any of the tracked interfaces go DOWN. which take AVG function if AVG dies.0101 0007. You can have UP TO 4 ROUTERS IN A GLBP GROUP!!! GLBP Group Members communicate using HELLOs 224.blogspot. last change 00:02:39 Track 2 Interface Serial0/1/0 line-protocol Line protocol is Up 1 change.b400.1. by default Hello Timer = 3 sec Basically there are 2 roles: AVG (Active Virtual Gateway) MASTER Router in charge of Assigning Virtual MAC Addresses to other Routers and it has to know ALL the MACs of the AVFs AVFs (Active Virtual Forwarders) the rest of the Routers. such as Load Balancing Feature.0.1.b400.2 local 10.2 Standby route local - You can tune GLBP as you like.com . which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing method: (config-if)#glbp 1 load-balancing ? host-dependent Load balance equally. but these values can be tuned): (config-if)#glbp 1 weighting track (config-if)#glbp 1 weighting track 1 2 <-MEMORIZE as it's a bit NON-INTUITIVE 29 cisqueros. which sets the time-out for assigning the Virtual MAC of AVF that has failed. UDP/3222.0102 Active router 10. #sh glbp br Interface Fa0/0 Fa0/0 Fa0/0 Grp 1 1 1 Fwd 1 2 Pri 100 7 7 State Standby Active Listen Address 10.it's configured in the Global Configuration mode. The advantage is that you can track 2 interfaces at once!!! (config)#track 1 interface fa0/0 ? ip IP parameters <.1. as in .102.Global Load Balancing Protocol ____________________________________________________________________________________________________________________ GLBP is different from HSRP and VRRP. there is a REDIRECT timer.1. It's got 1 VIRTUAL IP. where the AVG (defined below) is deciding the times when to announce which MAC of the destination router to the client.1.____________________________________________________________________________________________________________________ GLBP . 288: *Nov 14 16:03:09. you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW: #debug ip icmp ICMP packet debugging *Nov 14 16:03:08.340: *Nov 14 16:03:16. from from from from from from from from from from 10.187. Potential GW Routers periodically announce the IP address of their IRDP configured interface to a broadcast destination.117. PING will work ONLY if Proxy-ARP is enabled on the IP Interface: #sh ip inter fa0/0 | i ARP Proxy ARP is enabled <.117.1 10. 0.340: *Nov 14 16:03:19.ICMP Router Discovery Protocol ____________________________________________________________________________________________________________________ IRDP enables Routers to automatically discover the IP of their potential Default Gateway.187. 9.2 10.____________________________________________________________________________________________________________________ IRDP .117. 9. along with the IP Address. 9. 0.DEFINE THE ADVERTISING TIMERS 3 DEFINE THE ROUTER PREFERENCE Step 4: TEST by pinging the IP behind the routers that are supposedly advertising the GW.117.187.288: *Nov 14 16:03:16. 9.288: *Nov 14 16:03:23.2 10. IRDP Preference value is advertised with these messages.1 10.187.2 10.THIS ONE MATTERS Local Proxy ARP is disabled #show ip route Gateway Using Interval Priority 10.2 10.com .288: *Nov 14 16:03:23. 0.1 IRDP 4 200 Interface FastEthernet0/0 FastEthernet0/0 When you do a DEBUG of ICMP. 9.117. 9. 0.187. 0.187.117. 0.2 IRDP 4 600 10.ENABLE IRDP ON maxadvertinterval minadvertinterval holdtime 15 preference 600 <THE INTERFACE 5 <. It uses ICMP and Solicitation Messages. 0.187. Step 1: The configuration is pretty straight-forward. First you MUST turn the Routing off on the router that you want to discover its own GW: (config)#no ip routing Step 2: IRDP needs to be enabled on the Router: (config)#ip gdp ? eigrp Discover routers transmitting EIGRP router updates irdp Discover routers transmitting IRDP router updates <.340: is on ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: rdp rdp rdp rdp rdp rdp rdp rdp rdp rdp advert advert advert advert advert advert advert advert advert advert rcvd rcvd rcvd rcvd rcvd rcvd rcvd rcvd rcvd rcvd type type type type type type type type type type 9.187.1 10.117.117.blogspot.340: *Nov 14 16:03:12.288: *Nov 14 16:03:12. 0.117.117.340: *Nov 14 16:03:20.187.187.2 10.1 10.117.THIS ONE is the one we want here rip Discover routers transmitting RIP router updates Step 3: Here is what needs to be defined on the interface: (config-if)#ip (config-if)#ip (config-if)#ip (config-if)#ip (config-if)#ip irdp irdp irdp irdp irdp <.187. 9. 9.187.117. code code code code code code code code code code 0. 0.1 30 cisqueros. 9. and it enables the redirection of client web requests to one or more Web Cache Engines. First you need to enable the WCCP (protocol for web caching) globally on a router: (config)#ip wccp web-cache On the WAN interface enable checking if the packets need to be redirected to a web cache.____________________________________________________________________________________________________________________ DRP .the Router is listening to the HTTP requests going OUT of that interface. The only INTERFACE command to allow this for the users of that VLAN is " ip wccp webcache redirect [in | out]" If you set OUT . Enable the redirection of outgoing destination port 80 packets on the interface: (config-if)#ip wccp web-cache redirect out Define the ACL that only contains the Cache Engine IP: (config)#access-list 11 permit 10.15 Attach the configured ACL to the WCCP configuration: (config)#ip wccp web-cache group-list 11 31 cisqueros. It transparently REDIRECTS end-user service requests to CLOSEST RESPONSIVE SERVER.Cisco Distributed Route Processor ____________________________________________________________________________________________________________________ It's a UDP based application.blogspot.182. which improves Web Browsing on the slow links. which enables Cisco Distributed Director to QUERY ROUTES (DRP Agent).15 Step 3: Attach the ACL to the DRP: (config)#ip drp access-group 11 Step 4: Create the key-chain and set the DRP to use it for authentication: (config)#ip drp authentication key-chain DRP_CHAIN ____________________________________________________________________________________________________________________ WAAS and WCCP Protocol ____________________________________________________________________________________________________________________ WCCP is a Web Cache Communication Protocol.131.182. and it's most commonly enabled on the WAN interface.com . The configuration is straight-forward: Step 1: Enable the DRP Server Agent: (config)#ip drp server Step 2: Define the ACL to define who will be able to send queries to DRP (config)#access-list 11 permit 10.131. then in order to have an entire network to be synchronized (and absolutely no external NTP available).127. .000 16000. stratum 2.Network Time Protocol ____________________________________________________________________________________________________________________ First there is an "old school" method of setting time on your IOS Device.On the NTP MASTER (config-if)#ntp broadcast client <-ON NTP CLIENTS If you want to PEER two switches within the network.2 .7. x falseticker.3.600 UTC Fri Nov 15 2013) clock offset is 0.3 . which is fine if you're one of those :) #clock set 16:50:00 15 NOVEMBER 2013 *%SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013.2.1. set the most awesome switch to be a NTP Server: (config)#ntp master ? <1-15> Stratum number <. peer dispersion is 0.peer.1 Don’t forget to configure the NTP BROADCAST on the Interfaces of the NTP Master/Client Switches: (config-if)#ntp broadcast <. actual freq is 250.000 0.INIT. # selected.0000 Hz.outlyer.2 Make sure that it "worked": #sh ntp associations address ref clock st when poll reach delay offset disp ~150.02 msec.0000 msec.1. * sys.99A45AAB (16:56:51.2.____________________________________________________________________________________________________________________ NTP .STRATUM Number. ~ configured 32 cisqueros. configured from console by console.1. + candidate. 16 64 0 0.1.000 0.1 nominal freq is 250. ~150.INIT.02 msec Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch: (config)#ntp server 131. Now if you set this time really well.000 15937. precision is 2**18 reference time is D630D0D3.blogspot.00 msec root dispersion is 0. all DOWNFLOW routers shall have SERVER + Number of HOPS #show ntp status Clock is synchronized. reference is 127.13. root delay is 0. so that they synchronize the time together: (config)#ntp peer 150. and the Switch is new generation and you really trust it.com . 16 64 0 0.0000 Hz. 255.923 UTC Fri Dec 6 2013 Latest operation return code: OK Number of successes: 10 Number of failures: 0 Operation time to live: 52 sec And on the RESPONDER: #sh ip sla monit responder IP SLA Monitor Responder is: Enabled Number of control message received: 17 Recent sources: 10.you can know if your STATIC route is UP: #sh track 10 Track 10 IP route 10.12.IN SECONDS (config-sla-monitor-udp)#hours-of-statistics-kept 1 <-HOW MUCH TIME THE STATISCICS ARE KEPT (config-sla-monitor-udp)#request-data-size 1500 <. and based on that .122. in order to make sure that the path is good enough to send the sensitive VoIP traffic.1 [14:24:51.12.1 [14:25:06.187.1 [14:24:56.187.1.241 UTC Fri 10.122. last change 00:04:04 First-hop interface is Serial0/1/0 Tracked by: STATIC-IP-ROUTING 0 IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol.0 255.237 UTC Fri 10. Two sides need to be configured. configure NTP if you're not certain the devices are synced.187.Monitor the Network Performance ____________________________________________________________________________________________________________________ Probably the most typical usage of IP SLA is to measure the UDP Jitter and Echo. meaning . IP SLA can be configured without configuring a specific PROBE.122.0 255.255.241 UTC Fri 10."tune" the routing table.187. CAREFULL with the times.2 track 10 Check the status of the TRACK 10 object.122.1.0.com . and depending on the result . and attach it to the STATIC ROUTE: (config)#track 10 ip route 10. you have 2 options: OPTION 1: Use a simple TRACK object to track a certain route. where the RESPONDER is configured to respond with a TIME STAMP information.PACKET SIZE And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only): (config)#ip sla monitor schedule 10 start-time now life 100 Check the statistics: #sh ip sla monit statistics Round trip time (RTT) Index 10 Latest RTT: 2 ms <.____________________________________________________________________________________________________________________ IP SLA .122.1 [14:25:11. CLIENT and SERVER (RESPONDER).0 255.0.1 [14:25:01.255.blogspot.0 10.237 UTC Fri Number of errors: 0 Dec Dec Dec Dec Dec 6 6 6 6 6 2013] 2013] 2013] 2013] 2013] If you are using IP SLA for ROUTING.THIS IS WHAT YOU WANT TO KNOW.255.1. like OSPF: 33 cisqueros. so the source can calculate the performance values.0.0.2 dest-port 500 (config-sla-monitor-udp)#frequency 5 <.122. just configure sending a generated packet to the RESPONDER.187.you want to TRACK a certain route using ICMP (ping). To configure the RESPONDER with the IP and PORT of the RESPONDER: (config)#ip sla monitor responder Make sure you configure the CLIENT device in accordance with these defined parameters: (config)#ip sla monitor 10 (config-sla-monitor)#type udpEcho dest-ipaddr 10.12.0 reachability (config)#ip route 1.0 reachability Reachability is Up (connected) 3 changes.237 UTC Fri 10.187. the ROUND TRIP TIME (RTT) Latest operation start time: *14:47:06. 2.1.2.1 131.21 <.PUBLIC (config-subif)#ip nat outside #sh ip nat translations Pro Inside global Inside local --.#sh track 10 Track 10 IP route 10.2 source-ipaddr 10.0 reachability Reachability is Up (OSPF) <. ____________________________________________________________________________________________________________________ STATIC NAT ____________________________________________________________________________________________________________________ You can do STATIC NAT and just "go out" of the router with a different IP address: (config)#ip nat inside source static 10.1.Private IP of the host in your Network Inside Global .2.131.1.THIS IS NOT WHAT WE WANTED TO ACHIEVE HERE 3 changes.Public IP of the remote host If you want to do static NAT for a SUBNET: (config)#ip nat inside source static network 10. last change 00:03:59 First-hop interface is FastEthernet0/0 Tracked by: STATIC-IP-ROUTING 0 OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) to monitor end-to-end response STEP 1: DEFINE THE IP SLA OBJECT (config)#ip sla monitor 10 (config-sla-monitor)#$type echo protocol ipIcmpEcho 10. like in the option 1.12.2.blogspot.3 to the outside world *Extendable is used if you need 1 LOCAL IP to be mapped to Various Public IPs Be sure to DEFINE the NAT INTERFACES: (config)#int lo0 <.12.15 is RTR NUMBER.1 (config-sla-monitor-echo)#frequency 5 STEP 2: DONT FORGET TO LAUNCH THE IP SLA: (config)#ip sla monitor schedule 10 start-time now life forever STEP 3: DEFINE THE TRACK Object using the defined IP SLA: (config)#track 15 rtr 10 reachability <.3 10.12. last change 00:00:18 Latest operation return code: OK Latest RTT (millisecs) 36 Tracked by: STATIC-IP-ROUTING 0 STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE.0 200.0 255.PRIVATE (config-if)#ip nat inside IP (Global) IP (config-if)#int s0/1/0.1.2.2.1 Outside local --- Outside global --- Inside Local .2.2.2. 10 is the IP SLA we're attaching Make sure the TRACK is UP before you attach it to the route: #sh track 15 Track 15 Response Time Reporter 10 reachability Reachability is Up 2 changes.0 /24 34 cisqueros.How the local network sees IP of the remote host Outside Global .Public IP that the outside network sees your hosts as Outside Local .12.12.2.1.3 [extendable] *Traffic sourced from 10.255.1.255.com .12.1 sent to ALL destinations will seem from 131. d=131.1.3->10.1:2 15.2.1.2.1 (SOURCE ACL)->inside global 131.2.2.2.1.10. and define the pool type "type rotary": (config)#ip nat pool TASK1 10.1 [67] NAT: s=10.1 [65] NAT*: s=15.2.1.10.3:2 10.2.2.1.0.12.10.0 0.3.1.3.1.1.1. do not attach the ACL directly to the "ip nat" configuration line.2.878: 16:25:54. which are the ones that will be NAT-ed (Inside Local) (config)#access-list 1 permit 10.2.822: 16:25:54.2:2 15.12. d=131.2.2.1.12.3.10.1 [68] If you need the HOST portion matched.2.938: 16:25:54.2.12.____________________________________________________________________________________________________________________ DYNAMIC NAT ____________________________________________________________________________________________________________________ Step 1: Define the POOL of the Inside Global IPs (Public).2. ____________________________________________________________________________________________________________________ Load Balancing using NAT ____________________________________________________________________________________________________________________ Step 1: Create a POOL of all the INSIDE LOCAL IPs.1->131. d=15.10.255 Step 3: Implement the NAT from-ACL-to-POOL IPs (config)#ip nat inside source list 1 pool INSIDE_GLOBAL Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do.2.1.994: 16:25:55.1 [65] NAT: s=10.10.10.12.0.2.2.1 [68] NAT*: s=15.10.BE SURE TO PING SOMETHING BEFORE YOU CHECK THE TRANSLATIONS: Pro Inside global Inside local Outside local Outside global icmp 131.1 200.1.2.1.1->131.050: NAT*: s=15.1.822: 16:25:54.1.3 10. and the POOL or LOCAL IPs: (config)#ip nat inside destination list 1 pool ? WORD Pool name for local addresses 35 cisqueros.1->131.1 [66] NAT: s=10.1.12.3->10.2.2. define it in the EXTENDED ACL.12.12.3->10.1 [64] NAT: s=10.3->10.1.10. d=15.1.12.2.2.10.1:2 --.878: 16:25:54. d=131. the one we´re NAT-ing into): (config)#access-list 1 permit 200.10.2.2.12.1.2 ----- DEBUG IP NAT: *Oct 29 16:25:54.766: NAT: s=10.blogspot.12.2.1.com .1.1. d=15.2.5 prefix-length 24 type rotary Step 2: Define an ACL with the Inside Global IP (Public ones.2.2.131.8 prefix-length 24 Step 2: Define the ACCESS-LIST of the PRIVATE IPs. which your Private IPs will be NAT-ed into: (config)#ip nat pool INSIDE_GLOBAL 131.1->131.1.3 (NAT POOL) *Oct *Oct *Oct *Oct *Oct *Oct *Oct *Oct *Oct 29 29 29 29 29 29 29 29 29 16:25:54.2.1->131.2.1 10.1 [64] Meaning: source=10.2. and the Troubleshooting is not as much fun as you might expect) #sh ip nat translations <. and match it in Route Map.3 131. d=131.938: 16:25:54.2.2.2 Step 3: Do the inside NAT with the ACL 1 as the DESTINATION list.994: 16:25:54.1.2. d=15.1.3->10.2.12.1 [67] NAT*: s=15.10.1. add the "type match-host" argument to the NAT POOL definition: (config)#ip nat pool LAB4 200. d=131.1.1 [66] NAT*: s=15.12.1.1.1. d=15.1.12.3.5 prefix-length 24 type match-host If you need the SOURCE&DESTINATION matched.2.2.1.3.12. 1:23 tcp 200.1.1.1. go and return path towards the NAT-ed IP.3 instead. d=131.3:23 Outside local 131.21 overload ____________________________________________________________________________________________________________________ PAR .735: *Nov 6 15:54:48. but there is a trick.12.1:25096 131.1.131.1->15.1.. 80 .703: we telnet *Nov 6 15:54:48.2.1.14. exactly like in case of Static/Dynamic NAT: (config)#int lo0 (config-if)#ip nat inside (config-if)# (config-if)#int s0/1/0.1.1.1->15.10.14.791: *Nov 6 15:57:12.2)!!! Step 5: Make sure that the IP NAT Translations are correct.1 80 (131.123.4 s=131.1.959: NAT*: s=131.1.14.5 of R1 to be REDIRECTED to the IP 15. 200.2.1.2: Step 2.3->131.14.12.14.1.14.4.3 s=15.2. described in Steps 2.1.123. You can configure this by defining the static NAT: (config)#ip nat inside source static tcp 15.14.2. IT’S A BIT BACKWORDS!!! #telnet 131. Open So when you try to telnet R1s IP using the port 80.12.3 [23053] <.2.2.1 is the IP configured on the s0/0. d=131.blogspot.10.3->131.10. d=131.1.14.1->15.14. Step 1: Create an ACL with all the Inside Local addresses: (config)#access-list 1 permit 10.5 side you see the following debug: *Nov 6 15:54:48.10.1->15.12.1..10.14.3->131.14.7 Step 2: There are 2 ways to configure PAT.10.1.3 [23054] [23055] [31748] [23056] [31749] [23057] [23058] 36 cisqueros.123. d=131.0 0.2.1.14.767: *Nov 6 15:56:48.12.2.1:25096 131.2.2. d=131.14.2.14. d=131.3 s=131.14. d=131.1.1 and 2.123.1:20186 131.2.10.10.10.1. d=131.com .4.123.1.3 s=15.123.1.4 s=131.1.123.5 80 *MAKE SURE YOU UNDERSTAND THIS COMMAND.14.1.2:23 10.3 *Nov 6 15:54:48.123.21 *The system adds "overload" argument: (config)#do sh run | i nat inside ip nat inside ip nat inside source list 1 interface Serial0/1/0.10.4.When you need to implement traffic redirections using NAT ____________________________________________________________________________________________________________________ You can define the traffic redirection using Static Entries.2 15. d=131.14.707: 15.14.4.1.1.1.5 interface of R1) Trying 131.123. and that the sources VARY: #sh ip nat translations Pro Inside global Inside local tcp 200.1. For example you want all the http traffic DESTINED FOR s0/0.2.NATed and FWD-ed to to NAT*: NAT*: NAT*: NAT*: NAT*: NAT*: NAT*: s=131.1.12.1.1.123.21 (config-subif)#ip nat outside Be sure that the routing is in place (both.10.2:23 tcp 200.739: *Nov 6 15:55:48.2: Configure the NAT to point to the Interface you need the traffic to go out from: (config)#ip nat inside source list 1 interface s0/1/0.10.3 80 int s0/0.4 [31747] <.0.1.14.10.2.4.2.1->15.2:23 10.123.1:20389 ____________________________________________________________________________________________________________________ PAT (NAT Overload) ____________________________________________________________________________________________________________________ Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to ONE SINGLE Inside Global IP.2:23 10.2 prefix-length 24 (config)#ip nat inside source list 1 pool TASK2 overload Step 2.1:20186 131. from the router on the s0/0.4: Router from where NAT*: s=15.0.Step 4: Define the NAT inside and outside interfaces.1.1.3 s=131.739: *Nov 6 15:55:48.14.14.14.1.2.123.1: Create the Inside Global IP Pool of any addresses from the Link towards the other Router and Configure the NAT Overload with the defined pool: (config)#ip nat pool OVERLOAD 15.1:20389 Outside global 131.4.10.1->15.763: *Nov 6 15:56:48. 117.117.13. In order to do this.1 is pinging the IP 10.9->10.32. IP Stateful NAT Redundancy mode configuration commands: as-queuing exit mapping-id no protocol Disable asymmetric process for this redundancy group Exit from IP Stateful NAT Redundancy config mode Configure mapping-id for this redundancy group Negate or set default values of a command Select transport protocol for this redundancy group 37 cisqueros.4) does have the route back to 152. d=232.185.168.____________________________________________________________________________________________________________________ Static NAT redundancy with HSRP ____________________________________________________________________________________________________________________ This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the routers that form the HSRP group).117.606: 11:34:04.4. After you've named the HSRP group.610: 11:34:04. This translation is assigned an ID.32.606: 11:34:02.185.1 s=10.168.185.4 s=10.606: 11:34:02.1->152.32. and assign a unique identifier to each router within the group: (config)#ip nat stateful id 1 Step 2: In order to configure the Stateful Failover. which is called "mappingid" and it MUST BE THE SAME ON THE ENTIRE GROUP.185.NAT inside interface Step 3: Static NAT redundancy with HSRP.9.1 will be NAT-ed into 152.168. When the DEBUG is done on the router.13.185.13.610: 11:34:04.13.1->152.168.32.32.9. d=232.185.117.13.610: NAT*: NAT*: NAT*: NAT*: NAT*: NAT*: NAT*: NAT*: NAT*: s=10. Within the Stateful NAT group configuration.1->152.32. it's necessary to NAME each of the HSRP groups: Step 1: Name the already configured HSRP group: (config-if)#standby name HSRP-1 <. configure the Redundancy NAT: (config)#ip nat inside source static 10. d=152.168.117.13.4.168.117. d=152.1->152.185.1 gives the following display: *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov 7 7 7 7 7 7 7 7 7 11:34:02.168.32.4.185.117.32.9 redundancy HSRP-1 This means that the traffic originated from the IP 10.32.9->10.4.9->10. d=152.185.13.32.com/en/US/docs/ios/12_4/12_4_mainline/snatsca. d=232.32.117.117.168.32.32. you need to have the HSRP previously configured.1 [226] [226] [227] [228] [228] [229] [229] [230] [230] ____________________________________________________________________________________________________________________ Scalability for Stateful NAT (SNAT) ____________________________________________________________________________________________________________________ Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged.185.html Step 1: You need to create the SNAT group.606: 11:34:04.13.185.32.32. (config-ipnat-snat-red)#mapping-id 1 Step 4: Consider adding features such Asymmetric queuing.117.9.4 s=232. Reference: http://www.32.13. the PING done from 10.168.1 152.blogspot.168.9.9.13.1->152.cisco. The final router (232.4 s=232.606: 11:34:04.9 Tests: In this example the router 10.168.117.HSRP Group Name is HSRP-1 Step 2: Configure NAT on the relevant interfaces (config-if)#ip nat inside <.1 s=10. assign the HSRP redundancy name to the router: (config-ipnat-snat)#redundancy HSRP-1 Step 3: The Active HSRP Router sends the NAT Translation to the Standby Routers.com .32. d=232.606: 11:34:04.13.185.117.117.13.4 s=232.32. d=152.32.185.9. d=232.32.185. or define a specific protocol for the redundancy group.168.9->10.1 s=10.117.4.4 s=232. 1->172. d=10.085: 14:47:12. and do a debug.4 [273] NAT*: s=10.1.1 [274] NAT*: s=15.4 [272] NAT*: s=10.2.117.1->15.1. This will translate the incoming traffic with the source 2.2.25.1.25.1 [272] NAT*: s=15.25. d=172.1->172.185.4.185.2: (config)#ip nat outside source static 2. and just attach the configured mapping-id: (config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1 Step 6: Check the translations #sh ip snat distributed Stateful NAT Connected Peers No entries will appear until you perform a PING.25.blogspot.185.1. as described in my previous posts.10.10.10.2.185.One normal interface.1.10. d=10.1.Step 5: Configure the Dynamic NAT.1.081: 14:47:12.117.1.10. d=172.4 [275] NAT*: s=10.1->172.25.2 into the LOCAL traffic with the source 200.One Loopback interface for ip nat inside Step 2: Define the Policy Map MATCHING the Source and Destination IP ACL.085: 14:47:12. INSIDE and OUTSIDE NAT.1 [275] ____________________________________________________________________________________________________________________ NAT Translations with the Outside Source ____________________________________________________________________________________________________________________ Just the other way around from the standard NAT.089: 14:47:12.4.117.185. d=172.2. Fa0/0 for example for ip nat outside and PBR (ip policy-route map NAT_MAP) & "no ip redirect" .185.185.1.1.117.4 [271] NAT*: s=10.117.081: 14:47:12.2 ____________________________________________________________________________________________________________________ NAT on a Stick ____________________________________________________________________________________________________________________ When a NAT router has the same interface for both. d=10.1 [273] NAT*: s=15.10.4.1->172.4.1.1. d=10.25.185.185.085: 14:47:12.1->172.2. do the "ip nat outside" and define the interface from where the traffic will be coming with "ip nat outside".089: 14:47:12.185.185.185.4.4 [274] NAT*: s=10.1->15.1.1.10.117.117.2.185.117.10.089: 14:47:12.185.25.185.2.089: SNAT (Add_node): Allocated database distributed-id 1 SNAT (Add_node): Init RTree for distributed-id 1 SNAT (Add_node): Allocate Node for nat-id 19. you'll see: *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov 7 7 7 7 7 7 7 7 7 7 7 7 7 14:47:12.185. and SETTING the Loopback interface (config)#route-map NAT_MAP (config-rmap)#match ip add ACL_1 (config-rmap)#set interface lo0 Step 3: Define "inside" AND "outside" static NAT 38 cisqueros.117.25.081: 14:47:12.117.081: 14:47:12.185.1->15. d=10.1 [271] NAT*: s=15.1->15.10.25. and when you do. d=172.185.com . d=172.2.085: 14:47:12.1.25.081: 14:47:12.2 200. the trick is to use: Step 1: Define the following: .1->15.185.185.10. Router-id 1 NAT: s=15. 255. because quite a few are likely to occur.0 <.185. STEP 1: Define the KRONE Policy Map.253 <.____________________________________________________________________________________________________________________ DHCP Server ____________________________________________________________________________________________________________________ Using the DHCP Pool configured on an IOS device is somewhat obsolete.The Command Scheduler (KRON) Policy for System Startup feature enables support for the Command Scheduler upon system startup. preparations for a CCIE exam) .37 (dhcp-config)#hardware-address 0014.185.ef46 Infinite Type Manual ____________________________________________________________________________________________________________________ CNS (Cisco Networking Services) ____________________________________________________________________________________________________________________ KRON .254 Step 4: Disable the DSCP Logging of the Conflicts.25.blogspot.185.185.184.255.If you're using WINS.2526.201 <.200 172. and enter the KRON configuration mode: (config)#kron policy-list cns-weekly STEP 2: Define the CLI command you want executed: (config-kron-policy)#cli ? LINE Exec level cli to be executed.25. and your log file can fill in the memory: (config)#no ip dhcp conflict logging Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it.185.117.ef46 Check if your manual entry was configured: #sh ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Hardware address/ User name 10.Primary and Secondary IPs (config-dhcp)#lease 3 5 <.0 255.The duration of the DHCP Lease (3 days 5 hours) (config-dhcp)#update arp <-Router updates ARP table based on DHCP Database Contents (config-dhcp)#default-router 172.Network Range (config-dhcp)#netbios-note-type h-node <.254 <-GW to be ALLOCATED TO THE HOSTS Step 3: Configure the IP Exclusions (IPs) you do not want to lease.create another DHCP pool.185.25.185. E Example: (config-kron-policy)#cli coy startup-config tftp//r4-config 39 cisqueros.you should know how to configure a full DHCP on a Cisco Router: Step 1: Enable a DHCP Server on a Device (Don’t forget this step!!!): (config)#service dhcp Step 2: Configure global DHCP options: (config)#ip dhcp pool Cisco (config-dhcp)#network 172.25. So .25.252 172. and assign the hosts IP and the MAC address (THIS HOST WILL INHERIT THE CONFIG FROM THE DEFAULT POOL): (dhcp-config)#host 10.117.25.WINS Server IP (config-dhcp)#dns-server 172.2526.com .25.184.37 0014. but in cases of smaller companies where this solution is inevitable (or in a case such as mine. set the HYBRID TYPE (config-dhcp)#netbios-name-server 172. in the Global Config mode: (config)#ip dhcp excluded-address 172. For starters you need to define the Tunnel interface: (config)#interface tunnel 0 Define the IP Address of the Tunnel Interface.1 <-YOU CAN USE IP ADDRESS OR AN INTERFACE AS A SOURCE (config-if)#tunnel destination 131.1. and make sure you have enough redundancy so that the Loopbacks are always PING-able ____________________________________________________________________________________________________________________ Various IOS Tricks ____________________________________________________________________________________________________________________ Define a name of a remote host: (config)#ip host REMOTE_HOST 10.121 (config-if)#tunnel source 131. and it's the basic one and the most simple to implement.STEP 3: Define when the KRON is being executed: (config)#kron occurrence week in 7:1:30 recurring (config-kron-occurrence)# policy-list cns-weekly STEP 4: Check the KRON status: #show kron schedule Kron Occurrence Schedule week inactive.12.2 *you'll get a message that the interface went UP **Check if you need to tune the routing protocols metrics on the Tunnel interfaces.blogspot. will run again in 7 days 01:25:17 ____________________________________________________________________________________________________________________ GRE Tunnels ____________________________________________________________________________________________________________________ Cisco Documentation: Interface and Hardware Component Configuration Guide->Implementing Tunnels GRE is the Generic Encapsulation Tunnel.12.134.1 Configure a "Busy-message" (response when the hos/service is not available) (config)#Busy-message REMOTE_HOST @NOT AVAILABLE@ To hide a hostname IP when doing a Telnet: (config)#service hide-telnet-addresses To use the decompressed IOS in the DRAM. BEST PRACTICE is to configure the tunnel using the Loopback Interfaces.1.187.12. because by default the Tunnel Interface will have a higher metric.1. if you want to prefer those.com . and assign it the SOURCE and DESTINATION IP (These must be mutually PINGable): (config-if)#ip address 10. and not the compressed one in the flash (config)#warm-reboot To make a prompt dissapear: (config)#prompt New_prompt (config)#no service prompt config 40 cisqueros. To prevent the stupid message "Password required but none set" (don't do this!!!): (config)#line vty 0 4 (config-vty)#no login (config-vty)#privilege level 15 <- TO GO TO PRIVILEGE MODE DIRECTLY To avoid sending a packet for each keystroke typed: (config)#service nagle To "tune" CDP: (config)#cdp timer 10 If you want to keep your configuration change logs in the NVRAM: (config)#archive (config-archive)#log config <- TO LOG ALL THE CONFIGURATION CHANGES *"config" is the only option you will have here (config-archive-log-config)#logging enable (config-archive-log-config)#logging size SIZE <- in KB (config-archive-log-config)#hidekeys (config-archive-log-config)#notify syslog <- TO DISPLAY THE CONFIG CHANGE To test: #show archive config differences 41 cisqueros.blogspot.com IP Routing 42 cisqueros.blogspot.com ____________________________________________________________________________________________________________________ PBR - Policy Based Routing ____________________________________________________________________________________________________________________ The most important thing here is to know how to DEBUG the Policy Map: #debug ip policy To match the SOURCE IP use the standard ACL: (config)#access-list 2 permit host 100.1.1.1 To match the FLOW use the EXTENDED ACL: (config)#ip access-list extended FLOW1 (config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2 <-TO MATCH THE FLOW (config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL (PORT) ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table: (config)#ip local policy route-map ROUTE_MAP This will not work for traffic transiting this router. For that you need to apply it on the interface ____________________________________________________________________________________________________________________ ODR - ON-DEMAND ROUTING ____________________________________________________________________________________________________________________ On-Demand Routing is not a routing protocol. It uses Cisco Discovery Protocol (CDP) to propagate the IP prefix. ODR is a perfect solution for hub and spoke topology when the spoke routers act as stub routers by connecting to. ODR is a feature that provides IP routing for stub sites, with minimum overhead. Configuration is quite simple: Step 1: Enable ODR globally on a HUB router: (config)#router odr <-HUB router begins installing stub network routes in the IP forwarding table *don’t configure ANY routing protocol on a STUB Step 2: Adjust CDP timers, as ODR uses CDP as a transport protocol (Ensure CDP versions match) (config)#cdp timer seconds ____________________________________________________________________________________________________________________ RIP ____________________________________________________________________________________________________________________ RIP Protocol uses the Multicast Address 224.0.0.9 to send Hellos/updates via port UDP-520. "no summary" - disables the CLASSFULL NATURE of RIP, allows classless routing, so when you check the RIP database: #show ip rip database 1.0.0.0/8 auto-summary *** <--- the AUTO SUMMARIES are not ADVERTISED 1.0.0.0/8 directly connected, Loopback0 10.0.0.0/8 auto-summary *** 10.1.1.0/24 directly connected, Serial1/0.123 Network Layer Reachability Information (NLRI) - Means pure reachability contained by ROUTING UPDATES When you need to send the RIP Updates using the UNICAST instead of Multicast packets, the “neighbor” command is used. Be sure to check the SPLIT HORIZON in the case of HUB-and-SPOKE configuration. If you need to DISABLE it for routing, BE SURE TO CONFIGURE FRAME-RELAY IP-DLCI mappings manually! * BY DEFAULT SPLIT HORIZON is DISABLED ON PHYSICAL, AND ENABLED ON MULTIPOINT INT. #show ip inter s1/0.123 | i Split Split horizon is enabled To avoid the SPLIT HORIZON and ADDITIONAL IP-DLCI mappings, you can use PPP and VIRTUAL TEMPLATES 43 cisqueros.blogspot.com 1 (invalid authentication) IT WILL TAKE A LOOONG TIME FOR RIP TO UPDATE THE DATABASE!!! So do the: #clear ip route * First step is to build a KEY-CHAIN key chain RIP_12 key 1 <--. and applied to the physical interface using the command: (config-if)#ip rip authentication mode md5 (config-if)#ip rip authentication key-chain CISQUEROS_CHAIN If configured on one side only.blogspot.1. because this way the router updates are sent as UNICAST.. MD5 key-string cisco .1. not MULTICAST.Numbers MUST MATCH!!! IMPORTANT: The passwords and the key numbers MUST be the same on all the routers for MD5. RIP Version 2 supports clear text and MD5 Authentication. The key-chain needs to be defined. Don't forget to define the "passive-interface default" to stop the MULTICAST updates. next due in 20 seconds Invalid after 180 seconds.. in milliseconds <cr> (config-router)#timers basic 60 360 360 480 To AVOID COLLISIONS you can INSERT A DELAY every time updates are sent by adding the last attribute to the TIMER SETTING: (config-router)#timers basic 60 360 360 480 ? <1-4294967295> Sleep time. the DEBUG IP RIP EVENTS will show: *Aug 18 08:57:04. hold down 180. that neighbor will RECEIVE the RIP updates using UNICAST. In case the Key numbers are different: .com .____________________________________________________________________________________________________________________ RIP: Authentication ____________________________________________________________________________________________________________________ TIP: If you configure a "neighbor" command.TEXT Authentication KEY NUMBERS DONT HAVE TO MATCH.Router with the LOWER key number will IGNORE (reject) the received all routes received from the other router ____________________________________________________________________________________________________________________ RIP: Timers ____________________________________________________________________________________________________________________ *To see the default values: #show ip protocol .391: RIP: ignored v2 packet from 10.Router with the HIGHER key number will receive ALL the routes . in milliseconds 44 cisqueros. flushed after 240 (config-router)#timers basic ? <1-4294967295> Interval between updates for RIP (config-router)#timers basic 60 ? <1-4294967295> Invalid (config-router)#timers basic 60 360 ? <0-4294967295> Holddown (config-router)#timers basic 60 360 360 ? <1-4294967295> Flush (config-router)#timers basic 60 360 360 480 ? <1-4294967295> Sleep time. Sending updates every 30 seconds. Don’t forget to advertise the network into RIP protocol: (config)#ip default-network 4.9.9) in Version 2 of RIP. Good practice on SLOW ROUTERS. with the destination address 224. and define the interface towards the defined neighbor as PASSIVE. Needs to be disabled when you are playing with LOOPBACKS Change the unprocessed RIP queue depth. To achieve this you need to manually define the neighbor using the "neighbor" command.255.0.set METRIC to 16. when FAST router is neighbors with the SLOW one: (config-router)#output-delay 10 <-BY DEFAULT THERE IS NO INTER-PACKET DELAY.0. There is also a way to force Broadcast Updates (ip 255. and also prevents routing info from being lost (config-router)#input-queue 75 <-DEFAULT IS 50 Define the DELAY when sending the UPDATES. both UNICAST and MULTICAST Updates will be sent).0.0. to prevent the Multicast Updates that are sent by default (If the interface is not defined as passive. so if you want it to be UNREACHABLE .blogspot.0. RIP offset list is used to INCREASE the Hop Count.Other RIP Specific Configuration parameters: SUPRESS flash updates when the periodic update comes in less than configured time: (config-router)#flash-update-threshold Validate the Update Source: (config-router)#validate-update-source *Enabled by default. Define the ACL (10 in this example).255 instead of default multicast destination 224.255. This is done in the Global Configuration mode.0. and set the Hop Count to be increased by a value. makes sure source IP of RIP advertising router matches connection IP.com . this timer is in range 8-50ms ____________________________________________________________________________________________________________________ RIP: Updates Control ____________________________________________________________________________________________________________________ By default Version 1 uses Broadcast to send its updates. in this example 13: (config-router)#offset-list 10 out 13 Fa0/0 Offset Lists work only with RIP and EIGRP 45 cisqueros.0. If you need to send the Updates only when something changes in the topology.0 ____________________________________________________________________________________________________________________ RIP: OFFSET LISTS ____________________________________________________________________________________________________________________ In the RIP Protocol the METRIC IS ACTUALLY the HOP COUNT. there is an INTERFACE command "ip rip triggered": (config-if)#ip rip triggered There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). Version 2 uses Multicast. and it´s achieved using the Interface Command: (config-if)#ip rip v2-broadcast Another RIP-specific feature is injecting the default route using the "ip default-network" command.0.0 (config-router)#network 4. If you need to define the EXACT SOURCES (RIP Neighbors) you want to receive the RIP Updates from . The same principle applies to most of the Routing Protocols. you can force the route updates by turning off the Source IP Validation: (config-router)#no validate-update-source This way the RIP routes will be exchanged.blogspot.0/0 le 32 *NOTE that THERE IS A DEFAULT DENY ALL IN THE END.use "gateway" word on a distribute-list.0.1. & denying everything else (remember this structure of selecting ALL in the Prefix List: deny 0.0. apply them via Distribute List in the Router Configuration Mode: (config-router)#distribute-list UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0 ____________________________________________________________________________________________________________________ RIP: Route Summarizing ____________________________________________________________________________________________________________________ Done on the interface level: (config-if)#ip summary-address rip 150.0. This will work for RIP and EIGRP only.____________________________________________________________________________________________________________________ RIP: Update Source Control ____________________________________________________________________________________________________________________ RIP Validates the source for the Update packets. like in the case the routes are sourced by a Loopback.0/0 le 32): (config)#ip prefix-list TEST_MAT_2 seq 5 permit 192. another to filter UPDATES you want.0 #show ip rip database 150.1. so they need to be from the same subnet as the interconnection is.1. Once you’ve got your Prefix Lists configured. #clear ip route * Step 1: Define the IP Prefix List.the RIP routes will not be reachable.0.0/24 (config)#ip prefix-list TEST_MAT_2 seq 10 deny 0. but if the L3 Reachability is not established between the routers . In this example we´re allowing only the prefix 192.1. meaning – filter the routes learned via RIP: (config-router)#distribute-list prefix TEST_MAT_2 in Step 3: Clear the routing table and check if the filtering has been applied correctly by reviewing the Routing Table #clear ip route * 46 cisqueros. Start by defining 2 PREFIX LISTS. The main trick is to wait for the timer to END before checking if the filter worked. so the Second Entry was added ONLY FOR LOGGING Step 2: Apply the filtering using the Distribution List within the Router Protocol configuration. one for WHERE you want updates from. If they are not.0 255. or even better CLEAR THE ROUTING TABLE.0. in the INBOUND direction.1.252.0/24.1.0/22 int-summary <-MANUAL SUMMARY ____________________________________________________________________________________________________________________ RIP: Route Filtering using Prefix Lists ____________________________________________________________________________________________________________________ PREFIX LISTS are used to implement the Route Filtering in RIP.com .0.255. and are applied via the DISTRIBUTION LISTS. and Subnet Mask 8 So.10.1.0.0. for example.0/3 ge 24 le 24 47 cisqueros.0/24 (hit count: 37. all subnets that DO NOT belong to RFC 1918 class A: ip prefix-list FILTER_A seq 5 permit 0. refcount: 3 seq 5 permit 192.Also make sure how your Prefix List is doing: #sh ip prefix-list detail Prefix-list with the last deletion/insertion: TEST_MAT_2 ip prefix-list TEST_MAT_2: count: 2. check the following examples: Class A would be: permit 0.CLASS A has a first bit 0.0/1 le 8 ge 8 <. sequences: 5 .blogspot.0.0/2 ge 16 le 16 Class C would be: permit 192.com .0.0/1 ge 8 le 8 Class B would be: permit 128.0/0 le 32 (hit count: 595. refcount: 1) seq 10 deny 0.0.0.1.0. refcount: 1) <-CHECK HOW MANY HITS PER ENTRY *The HITS are actually from the ROUTING PROTOCOL UPDATE PACKETS If you want to use PREFIX LISTS to filter. range entries: 1.0.0.0. which Router considers to be a kind of Broadcast.blogspot. ON BOTH SIDES of the pvc!!! What this does is tell the routers “Hey if you have any broadcast messages.just use the PREFIX-LIST. and match it in the route-map "match ip address prefix-list ROUTE_EXISTS" TIP: When you have the L2 tunnel directly attached to an OSPF interface.0. configure Point-to-Multipoint on a HUB.Really simple.0. Type 1: NON-BROADCAST .com . like – do something if a certain route exists in a routing table . we don’t want them to be DR Type 3: POINT-TO-POINT .As BROADCAST is meant to be FASTER timers are 10/40 seconds by default . 224. . better configure ignoring of MTU: (config-if)#ip ospf mtu-ignore TIP: To IGNORE stuff in the ospf. like LSA6 (MOSPF). go ahead and send them down this DLCI as a unicast” So basically it is a way to send broadcast messages on a non-broadcast medium. under the routing process: (config-router)#ignore lsa mospf WHEN you need to advertise Loopbacks with the CORRECT MASKS.____________________________________________________________________________________________________________________ OSPF ____________________________________________________________________________________________________________________ OSPF Multicasts: 224.5 send Hello packets to all OSPF routers on a network segment.6 Send info to the DR TIP: When using BROADCAST and NON-BROADCAST in order to PEER you MUST ADJUST THE TIMERS!!! TIP: When you need to do a CONDITION. so HUB is elected as the DR. Type 2: BROADCAST .Include the "broadcast" when mapping DLCI to IP.Timers 10/40 seconds TIP: When doing a HUB-AND-SPOKE. POINT-TO-XXX (P2P or P2MP) does not do the DR/BDR election . otherwise it will be sent with /32 (/32 Might be required for Multicast or MPLS. as all neighbor types match. be sure to do "ip ospf network point-to-point".0. so be careful with this!) ____________________________________________________________________________________________________________________ OSPF over Frame-Relay. Here it will not affect us. as the Hellos won't be able to traverse the HUB.two important things: . and SPOKEs neither DR nor BDR . Also set the SPOKEs OSPF Priority to 0. and ADJUST THE TIMERS!!! 48 cisqueros. Don't include "broadcast" between the SPOKEs. focus on Network Types ____________________________________________________________________________________________________________________ TIP: Revise DR->"neighbor" command->TIMERS Don't forget that in Frame-Relay "broadcast" is defined ONLY DIRECTLY HUB AND A SPOKE.Set the OSPF Priority to 0 on all the SPOKEs.Non-broadcast network type in OSPF uses “slow” timers meaning 30 second hello and 120 second dead-time.use "neighbor" command on HUB to use UNICAST for OSPF OSPF uses Multicast. Due to the non-broadcast nature of Frame-Relay it can be assumed that this is the DEFULT OSPF network type over FR.0. Slow timers (120/30 seconds).1.3 10.23. you can do the following specific OSPF command: (config-if)#ip ospf 1 area 0 secondaries none ____________________________________________________________________________________________________________________ OSPF: Timers ____________________________________________________________________________________________________________________ Standard commands for setting the OSPF timers are "ip ospf hello-timer" and "ip ospf dead-timer" on the interface level. like P2MP. and the interface Subnet will be "injected" into the OSPF Area. the router keeps LSA. Type 5: POINT-TO-MULTIPOINT NON-BROADCAST Cisco Proprietary. "broadcast" is mandatory on FR Mappings!!! HUB will just advertise the learned routes from ONE SPOKE to the other.3 0 FULL/ 1. (config-if)#ip ospf network point-to-multipoint non-broadcast ____________________________________________________________________________________________________________________ OSPF: Configuration on INTERFACE LEVEL ____________________________________________________________________________________________________________________ The routes can be advertised using the "network" command. you need to use the following (minimal means less then 1 second): (config-if)#ip ospf dead-interval minimal hello-multiplier 4 *VALUE MUST MATCH BETWEEN THE NEIGHBORING INTERFACES When ACK hasnt been received for the LSA.3.12.multipoint Sub-interface.multipoint or Physical Interface. you should define "router ospf 1" process in the Global Configuration mode before the interface (it's not necessary for the OSPF PEERING. and default is to wait 5 secs to re-send.Type 4: POINT-TO-MULTIPOINT No DR. Being defined as a P2P network . 30 and 120 Seconds. but there is also another way. !!!HUB must have . no "neighbor" commands. as presented below: #show ip ospf neighbor Neighbor ID Pri State 3. with NO BROADCASTS ALLOWED! Timers are still slow.DR and BDR election will not take place. Next hop is ALWAYS the router you are directly connected to. like if it were the DR. If there is SECONDARY IP configured on the interface .com .1. To change: (config-if)#ip ospf retransmit-interval 10 retransmit-interval Time between retransmitting lost link state advertisements 49 cisqueros. You can do an entire OSPF configuration on the Interface Level: (config-if)#ip ospf network point-to-point (config-if)#ip ospf 1 area 0 This will automatically CREATE the OSPF process on the router: #sh run | s router ospf router ospf 1 log-adjacency-changes Even so.1 Interface GigabitEthernet0/0 Serial1/0 - This way the interface is configured to automatically belong to the Area 0.blogspot.1.3. while on SPOKES you can do . If however you do NOT want to advertise the Secondary IP.1.it will also be advertised. but to avoid restarting the OSPF process later cause of Router ID change). If you need smaller values then 1 second for hello. The state of all the OSPF Neighbors will be "FULL/-".1 0 FULL/ Dead Time 00:00:30 00:00:34 Address 10. Globally on the Router. configure the 2nd KEY.blogspot.____________________________________________________________________________________________________________________ OSPF: Authentication ____________________________________________________________________________________________________________________ You can enable the OSPF Authentication: 1. Here MAX 10 prefixes can be redistributed. so it's enabled on all the Interfaces: (config-router)#area 0 authentication <. and on 70% of that Warning Message is displayed: (config-router)#redistribute maximum-prefix 10 70 warning-only 50 cisqueros. You can define the MAXIMAL NUMBER of prefixes to be redistributed into OSPF. Directly on the Interface (config-if)#ip ospf authentication message-digest <-MD5 Authentication OSPF supports two types of Authentication: 1.By default the routes are being redistributed into OSPF with the Metric 20.Plain Text Authentication (config-router)#area 0 message-digest <.MD5 Authentication 2.Be sure to include the word "subnets". and the % when to give the first warning message. AD is still 110. and remove the 1st: (config-if)#ip ospf message-digest-key 2 MD5 SECOND_KEY *Authentication always uses the YOUNGEST KEY (the one that was configured last) ____________________________________________________________________________________________________________________ OSPF: Route Redistribution ____________________________________________________________________________________________________________________ (config-router)#redistribute eigrp 1 subnets .12 | b authentic Simple password authentication enabled When you need to CHANGE the PASSWORD without the service interruption. Plain Text (64-bit Password) (config-if)#ip ospf authentication-key ^&*(^*&&% 2. Metric-type 2 (E2). MD5 (ID + 128-bit Password): (config-if)#ip ospf message-digest-key 1 MD5 ^&*^&^* To DISABLE the authentication on an interface: (config-if)#ip ospf authentication null Check what type of OSPF Authentication has been configured and what Key/Password is applied: #show ip ospf interface s1/0. otherwise it's going to redistribute the classfull ONLY! . in the "router ospf" configuration.com . 4.Cisqueros_R5 We would need to create 2 virtual links: .4.2 0 FULL/ 4.252.2 10.AREA 1 VIRTUAL LINK between Cisqueros_R2 and Cisqueros_R3 so that Area 2 would have the communication with the Area 0 .4 0 FULL/ 2.252.4 10.4.1.a new OSPF neighbor will be added as a Virtual-Link neighbor: #show ip ospf neighbor Neighbor ID Pri State 4.2.0.4.34.2 0 FULL/ 4.2 10.2.1.3 Cisqueros_R3: (config-router)#area 1 virtual-link 2.23.4.0 advertise cost 10 ASBR for the External (redistributed into OSPF) Routes.Area 1 .Area 3 .4 10.0 If you want to prevent the route Null0 in the routing table.0 255.AREA 2 VIRTUAL LINK between Cisqueros_R3 and Cisqueros_R4 so that Area 3 could communicate with Area 1.4.Cisqueros_R3 . Routing process auto-injects DISCARD ROUTE (Null0) to avoid loops.2 10.3.Cisqueros_R4 . EXTERNAL on ASBR ____________________________________________________________________________________________________________________ OSPF Virtual Link ____________________________________________________________________________________________________________________ Configure between two routers out of which none is in the Area 0 (Backbone Area).4.3 Let's check the OSPF Neighbors again on Cisqueros_R3 router: #show ip ospf neighbor Neighbor ID Pri State 2.Area 0 .34.Cisqueros_R2 .INTERNAL on ABR.2.34 - Can multiple Virtual Links be formed? YES!!! So for example if we have the following scenario: Cisqueros_R1 .34.4 Cisqueros_R4: (config-router)#area 2 virtual-link 3.2.4. and therefore with Area 0 Cisqueros_R2: (config-router)#area 1 virtual-link 3. using the "AREA X RANGE" command (config-router)#area 2 range 4.3.0 255.255. Once it's configured .3.1. just exclude the discard-route: (config-router)#no discard-route [internal | external] <.2.blogspot.4.4.34 - 51 cisqueros.1.23. ABR for the Internal Routes.2 (config-router)#area 2 virtual-link 4.1.2 0 FULL/ 4.4 0 FULL/ Dead Time 00:00:34 00:00:33 Address 10.2.com .4 Interface OSPF_VL0 <--.23.4 Interface OSPF_VL1 OSPF_VL0 Serial1/0.4. using the "summary-address" command (config-router)#summary-address 4.Area 2 .32 Serial1/0.0.1.4.255.34.3.1.2.____________________________________________________________________________________________________________________ OSPF Route Summarization ____________________________________________________________________________________________________________________ This is to be done under the ROUTING PROCESS configuration.4 0 FULL/ Dead Time 00:00:05 00:00:30 00:00:34 Address 10.4 0 FULL/ 2.2.32 Serial1/0.VIRTUAL LINK NEIGHBOR Serial1/0. 2 authentication [md5 | WORD] ____________________________________________________________________________________________________________________ OSPF Cost ____________________________________________________________________________________________________________________ NLRI . you also must enable it on Cisqueros_R3 and Cisqueros_R4 FOR AREA 0!!! If you need AUTHENTICATION for the Virtual Link.0.1.Check the Virtual Link Details: #show ip ospf virtual-links Have in mind that routers Cisqueros_R3 and Cisqueros_R4 are now VIRTUALLY connected to Area 0.1.1.0/8 Known via "ospf 1". type intra area Last update from 10.1. which is the cost of the Serial interface between routers 1 and 2. and the Cost of the Loopback0 interface on Router 1. so it actually increased for 20-1 = 19 ____________________________________________________________________________________________________________________ Redirecting Traffic (FORCING A PATH) ____________________________________________________________________________________________________________________ http://www. Don’t forget to clear the OSPF process in order for the changes to take effect: (config-router)#auto-cost reference-bandwidth 10000 <--.Network Layer Reachability Information OSPF routes are mainly classified based on their metric. Cost: 20 Then check the metric on the OSPF Neighbor: #show ip route 1. This way the other routers DONT PREFER this router as a TRANSIT HOP: (config-router)#max-metric router-lsa <-Configured "ON-STARTUP" or on graceful shutdown (no argument) 52 cisqueros. distance 110. so if you enable the authentication on the Cisqueros_R1 interface towards Cisqueros_R2. Set the REFERENCE BW (because with the formula above the Max cost value is 1.1.html "max-metric" command is used for the router to originate LSAs with a max metric of 0xffff (INFINITY).com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/12-4t/iro-stub-router. metric 84.1 on Serial1/0. via Serial1/0. Default cost of the Loopback interface is 1.1.1.0.0 Routing entry for 1.0.blogspot. from 1.cisco. Router ID 1. 00:02:31 ago.21 Route metric is 84.it's in Mbps #clear ip ospf process 2.2.21.0. 00:02:31 ago Routing Descriptor Blocks: * 10. traffic share count is 1 Metric is 84. where the Metric and Cost are calculated based only on the Link Bandwidth. and we don’t want the same values for 100M and 10G link). configure in the continuation: (config-router)#area 1 virtual-link 2.com .12.12.1. Cost = 100/(BW[Mbps]) There are two things you could play with here: 1.1. Network Type POINT_TO_POINT. Directly change the COST in the Interface Configuration (config-if)#ip ospf cost 20 #show ip ospf inter Lo0 | i Cost Process ID 1.2. 0 Step 2.5 1 FULL/DR Dead Time 00:00:38 00:00:38 00:00:38 Address 172. GRE is a pretty simple concept. One per Autonomous System (Generated by ASBR) LSA 5 . Each LSA has a LSID (Link State ID. One per Network (Generated by DR) LSA 3 .4 If we are using OSPF then the Tunnel subnet needs to be advertised with the "network" command on both ends of tunnel: (config-router)#network 172.3 255.External LSA.Summary External LSA.5 Interface Tunnel1 Serial1/0.34.3.25. and they generate syslog messages if they receive such packets.10. Generated by ASBR LSA 6 . used for Multicast OSPF (MOSPF).3 100. where you basically create a TUNNEL between 2 points. do on BOTH ENDS of the tunnel: Step 1. you might want to configure the router to ignore the packets and thus prevent a large number of syslog messages. Generated by ASBR inside the NSSA instead of LSA 5 (details explained below.3.185.0. LSA is the OSPF Link State Advertisement.5.185.3 (config-if)#tunnel destination 100.10. and we do not want to use the Virtual Links.255 area 0 *The IP Address of the Tunnel MUST be advertised into Area 0 on BOTH ENDS OF TUNNEL!!! You will see that the OSPF Neighbor will be formed on the Tunnel 1 interface.25.0.3 0 FULL/ 5. Create a Tunnel Interface and assign the IP Address (config)#int tunnel 1 (config-if)#ip add 172.185.0 0. One per Area (generated by ABR when LSAs 1 and 2 are injected into another Area). LSA3 = Subnet + Mask + Cost to reach the Network LSA 4 .Grout Membership LSA. To configure it.3.Network LSA.com . Define the SOURCE and the DESTINATION of the tunnel. MAKE SURE THESE ARE REACHABLE (config-if)#tunnel source 100.Summary LSA.NSSA External.34.10. because you will not understand Stubs before you understand all the LSAs and who exactly CREATES and ADVERTISES each type. Injected into OSPF from another routing process (non-ospf).25.5.3.255.blogspot.255.Router LSA.43 GigabitEthernet5/12 ____________________________________________________________________________________________________________________ OSPF LSA Types and AREA TYPES ____________________________________________________________________________________________________________________ First let’s make sure we're comfortable with the LSA types.10.34. One per Router (Generated by Each Router) LSA 2 .45. and extend the Area 0 to the other end of the tunnel. like Router-ID for the LSAs) LSA 1 . If the router is receiving many MOSPF packets. #show ip ospf neighbor Neighbor ID Pri State 3.3 0 FULL/ 3. To disable SYSLOG generation (IGNORE LSA Type-6): (config-router)#ignore lsa mospf LSA 7 . NSSA Section) 53 cisqueros.____________________________________________________________________________________________________________________ OSPF and the GRE Tunnels ____________________________________________________________________________________________________________________ In this example there is a need to establish the connectivity between some OSPF Areas that are not connected to the Area 0. It’s not supported by Cisco Cisco routers do not support LSA Type 6 Multicast OSPF (MOSPF).3 100. 1. SN R.12.3.2 124 0x80000002 0x000D20 10.2 79 0x80000003 0x000E94 3.0 4.2.2.3 90 0x80000006 0x00AE77 Link count 2 4 3 Link count 0 Link count 0 To LIMIT the LSAs that can be STORED IN THE LOCAL DATABASE: (config-router)#max-lsa 900 ? <1-100> Threshold value (%) at which to generate a warning msg ignore-count maximum number of times adjacencies can be suppressed ignore-time time during which all adjacencies are suppressed reset-time time after which ignore-count is reset to zero warning-only Only give warning message when limit is exceeded <cr> 54 cisqueros.4 4.LSA1 Link ID ADV Router Age Seq# Checksum 3.3 3.3) (Process ID 1) Router Link States (Area 0) <.3 89 0x80000007 0x00AC78 Router Link States (Area 2) <.LSA3 Link ID ADV Router Age Seq# Checksum 1.2.3. N.4 43 0x80000001 0x008077 Router Link States (Area 1) <.3.0 2.1.45. SN Check the OSPF DATABASE and all the LSAs currently in it: #show ip ospf database OSPF Router with ID (3.3.3 3.3 78 0x80000007 0x006F2C 4.2 2.3.4.2.4.3.2.LSA2 Link ID ADV Router Age Seq# Checksum 10.4.4.23.0 2.4.blogspot.4.3.4.4 52 0x80000004 0x007781 Net Link States (Area 0) <.3.com .4.2 124 0x80000002 0x00B33C 2.3.1.3.2.3 78 0x80000001 0x00658F Summary Net Link States (Area 0) <.3.2.2.LSA 8-11 .2.2 124 0x80000002 0x00BA22 10.3.3.3 3.2.0 4.0 2.4.LSA1 Link ID ADV Router Age Seq# Checksum 3.3.4.3.1.3) (Process ID 1) Area 0: SPF algorithm executed 4 times Summary OSPF SPF statistic SPF calculation time Delta T Intra D-Intra Summ D-Summ Ext D-Ext Total 00:22:26 0 0 0 0 0 0 0 00:22:16 0 0 0 0 0 0 0 00:21:47 0 0 0 0 0 0 0 00:20:01 0 0 0 0 0 0 0 Reason R R R.Not implemented by Cisco Check the LSA Statistics using the command: (config-router)#do show ip ospf stat OSPF Router with ID (3.3.LSA1 Link ID ADV Router Age Seq# Checksum 2.2.1.3.4 43 0x80000001 0x00F5F4 44.2.3.3 3. ASBR Generates the LSA type 7 instead of LSA 5 because the LSA 5 is not supported by NSSA.1.21 10.12 Nbr 2.12 seq 0x1001 opt0x50 flag 0x7 319: OSPF: 2 Way Communication to 2.2.1.2.2.1. Backbone Area cannot be a STUB.2 on Serial1/0.235: OSPF: Build router LSA for area 1.2. because "no-summary" ALLWAYS generates default route! NOT-SO-Totally-Stubby Area .2.2.1.21 10. To configure an area as a Stub.21 When you need the ABR to also inject the DEFAULT ROUTE. #u all All possible debugging has been turned off len 32 len 32 len 272 len 272 len 32 FULL. The "no-summary" attribute is ONLY necessary on ABR.2.2 on Serial1/0. with no LSA3 (Summary LSAs originated by the ABR).2 on Serial1/0. the Neighbor goes down.____________________________________________________________________________________________________________________ OSPF STUBS ____________________________________________________________________________________________________________________ STUB Area . use on the ABR: (config-router)#area X nssa default-information-originate *Default Route will be injected as N2 route. Serial1/0.1.2.1.2 on Serial1/0. Nbr 2. 00:01:27.com .12.all the LSAs are generated by the ASBR. 00:01:27.2.OSPF NSSA external E1 .2.2 on Serial1/0.1. router ID 1.1.1.2 on Serial1/0.OSPF external type 2 10.2 on Serial1/0.1. and observe the ADJACENCY DEBUG: 319: OSPF: Rcv DBD from 2.2.12 from LOADING to 735: OSPF: Rcv LS REQ from 2.Change COST from 1 (default) to 10 55 cisqueros. process 1 mtu 1500 state INIT mtu 1500 state EXCHANGE If you need to change the cost of the DEFAULT ROUTE Injected by default by ABR into the STUB Area: (config-router)#area X default-cost 10 <.1. Then apply it on the others.2. Then the ABR transforms it into the LSA 5 on the ingress from NSSA to the regular OSPF Area (shown as "N1 or N2" in the routing table): (config-router)#do sh ip route N1 .1.2.2: Summary list built.OSPF external type O N2 11.1. Loading Done seq0x80000005.2.12.12 seq 0x1002 opt 0x50 flag 0x0 735: OSPF: Rcv LS UPD from 2.1. configure on ALL ROUTERS in an Area: (config-router)#area X stub When you apply STUB configuration on 1 router within an AREA.0 [110/20] via | i E1|E2|N type 1. You cannot use a Virtual Link here. E2 .2 on Serial1/0. as in NSSA the LSA5 is not allowed **When it’s a "Totally Stubby NSSA" no need for this. to reach external routes.blogspot.2 on Serial1/0. ABR Injects the DEFAULT ROUTE (with Cost 1) to Stub Area.12.2.2. We are the SLAVE 319: OSPF: Serial1/0. but GRE Tunnel is an option. so .2. size 12 319: OSPF: Send DBD to 2.2.0 [110/20] via O N2 11. N2 . 00:01:27.12 seq 0x1000 opt 0x50 flag 0x7 319: OSPF: NBR Negotiation Done.0 [110/20] via O N2 11. state 2WAY 319: OSPF: Serial1/0.0.12.2.2: Prepare dbase exchange 319: OSPF: Send DBD to 2.21 10.2 on Serial1/0.Blocks OSPF External Routes (LSA4 and LSA5).2.12.1.12 515: OSPF: Send LS REQ to 2.3. STUB Area cannot contain an ASBR. 00:01:27. Totally-Stubby Area is a STUB Area.2.Like a STUB (blocks LSA4&5) where the REDISTRIBUTION is allowed from the NSSA area. Serial1/0.2.2.12 length 60 LSA count 3 *Oct 5 11:04:08.12 Nbr 2. because if it does – it’s considered a NSSA.2 length 120 LSA count 10 515: OSPF: Send DBD to 2.2. state FULL 735: %OSPF-5-ADJCHG: Process 1.12.0 [110/20] via O N2 11.12 seq 0x1002 opt0x50 flag 0x1 515: OSPF: Exchange Done with 2.2.2 on Serial1/0. Serial1/0. Serial1/0.OSPF NSSA external type 2 1.NSSA without LSA3.1. ALSO originates the default route by default IMPORTANT: Stubby Areas DO NOT SUPPORT VIRTUAL LINKS!!! The only way to solve this is the Tunnel No LSA 5 (E1 and E2) advertised on ABRs. using the LSA7. ABR generates a DEFAULT ROUTE and advertises it into the Totally Stubby area.2.12 length 328 LSA count 10 735: OSPF: Synchronized with 2.2. NSSA Area .2. because the ABR is the only router that actually originates the LSA 3.2.12 seq 0x1001 opt 0x50 flag 0x2 515: OSPF: Rcv DBD from 2. MATCH IP ROUTE-SOURCE in the Route-map .NEEDS TO BE APPLIED ON ASBR 2. but also ONLY ON ABR! (config-router)#area 1 range 172.182. Filter-list can be applied: IN . you can use the "not-advertise" command. Let’s say that we want to filter the network 172.the Update will be distributed to the other routers.10 is an ACL. but have in mind that the “distribute-list OUT” even though works on both. The second way is reserved ONLY for the External Routes.0 255. Then on the ABR we define the prefix list that DENIES that network.0.ACL 4 includes the Router-ID Also the SOURCE PROTOCOL can be matched: (config-route-map)#match source-protocol ? bgp Border Gateway Protocol (BGP) connected Connected eigrp isis mobile ospf rip static <cr> Enhanced Interior Gateway Routing Protocol (EIGRP) ISO IS-IS Mobile routes Open Shortest Path First (OSPF) Routing Information Protocol (RIP) Static routes 56 cisqueros. NOT-ADVERTISE .____________________________________________________________________________________________________________________ OSPF Route Filtering ____________________________________________________________________________________________________________________ 1. routing table and OSPF database.0 10 <. FILTER LIST .0 255.0. It can be used with both.255. and it will be further propagated to the other OSPF Neighbors. This ONLY works for LSA-3 (Summary).255. 3. Tune the ADVERTISED DISTANCE . but filters from OSPF Database.In OSPF it's not the NEXT HOP but the ORIGINATOR Router-ID of the PREFIX (config-route-map)#match ip route-source 4 <.3.29.0/0 le 32 Then apply the prefix-list as a filter-list within a OSPF configuration process for Area 2: (config-router)#area 2 filter-list prefix JEDANES in This will prevent the network from being redistributed into Area 2. as one of the routers along the path does not have it in its Routing Table.blogspot. "area X range" (ABR) and "summary-address" (ASBR) commands.25. it's OPTIONAL 5.into the area.25. You can use IN or OUT filter.only on ABR.If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT): (config-subif)#ip ospf database-filter all out <. If you need to filter LSAs 1 and 2. apply on ABR (filters both. but they stay in the OSPF Database.out of the area.PER NEIGHBOR 6. DISTRIBUTE-LIST only affects the local router!!! Meaning . Note that IN/OUT means that the network is being advertised into or outfrom the AREA 2.0 not-advertise 4.0/24 (config)#ip prefix-list JEDANES seq 20 permit 0. and it can filter any type of LSA: (config-router)#distribute-list prefix MY_PREFIX_LIST in <-OUT would only work on ASBR TO FILTER LSA5 & LSA7 The big CON is that even though the Route is not added to the Routing Table . and ALLOWS everything else (config)#ip prefix-list JEDANES seq 10 deny 172. OUT . but it will not be reachable.255.it will stay in the database.3. DISTRIBUTE LIST . so that they are UNREACHABLE (config-router)#distance 255 3.x.Filters only LSA3.185. and therefore needs to be configured on the ABR only. the subnets will only be filtered out the local IP ROUTING TABLE The advantage is that it's rather easy to implement.Filters all LSAs from the Routing Table. and it's the "not-advertised" applied to the "summary-address" command: (config-router)#summary-address 172.0 not-advertise <--. The route will therefore appear in the Routing Table.0/24 from the Area 2. but ONLY on ASBR for LSA5 and 7!!! The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list.0. DATABASE-FILTER .ONLY filter LSA Types 1 and 2.189.PER INTERFACE (config-router)#neighbor x.255. so .3 0.185.x database-filter all out <.Set the AD of the advertised routes to 255.0.x.25. routing table and OSPF Database).com . so this command makes no sense.13.1.1.41 1 4 IP Address/Mask 1. we can for example use the "network" command in order to transform the OSPF link from MULTICAST to UNICAST: (config-router)#neighbor 172.14 1 2 Se0/1/0.12.1.5.4 104 broadcast -> frame-relay map ip 10.13 1 3 Se0/1/0.4 104 (REMOVE "broadcast") *In HUB-AND-SPOKE the Spokes do not have the Layer 2 reachability. Filter OSPF per Interface .1/24 10.1/24. so also do this: (config-if)#frame-relay map ip 10.blogspot.1. as only UNICAST is then used. Router ID 1.1. This means that the OSPF Neighbors will not be formed like on the standard Broadcast Network Segment.Be sure which type of LSA you need to filter by making sure in which part of database the route is: #show ip ospf database [router | network | summary | internal | external] *If you need to reach the route without passing through the router that cannot reach it .Even though OSPF doesn't require that we manually configure the Neighbors.1. #show ip ospf inter s1/0 Serial1/0 is up. do the following command and check the column "State": #sh ip ospf interface brief Interface PID Area Lo0 1 0 Se0/1/0.1..1.1. so that they don’t participate the DR/BDR Election (config-if)#ip ospf priority 0 The HUB Router will be elected as DR on every Link and exchange OSPF Database with each of the Spokes: 57 cisqueros.185.com .If you wish to prevent LSAs to be sent via particular Interface: (config-if)#ip ospf database-filter all out * ALL and OUT are the only options.1/8 10.5.1.1/24 10.1.1. Network Type NON_BROADCAST. Instead just be sure to set their (HUBS) OSPF priority to 0. Cost: 64 Topology-MTID Cost Disabled Shutdown Topology Name 0 64 no no Base . Filter OSPF per NEIGHBOR . we do need to use the "neighbor" command in order to configure the OSPF database filtering: (config-router)#neighbor 5.1.1/24 Cost 1 64 64 64 State P2P P2P P2P DR Nbrs F/C 0/0 1/1 1/1 1/1 On the Multipoint Frame-Relay network the default OSPF type is NON-BROADCAST.66 No need to keep "broadcast" on frame relay configuration if you use "neighbor" command. So in order to establish the OSPF Neighbors. which means you cannot apply a specific filter on the OSPF interface 8.1.define the route-map with the next hop pointing towards an alternative path.14.128. and apply it in the Global Configuration mode: (config-router)#ip local policy route-map ROUTE_MAP 7. Area 0 Process ID 1. line protocol is up Internet Address 10.5 database-filter all out *Network MUST be configured as POINT-TO-POINT (on the Interface Configuration) (config-if)#ip ospf network point-to-point ____________________________________________________________________________________________________________________ OSPF Non-Broadcast Networks ____________________________________________________________________________________________________________________ To check the NEIGHBOR NETWORK TYPE.. 1. First you need to define the interface as a OSPF non-broadcast: (config)#interface Serial0/1/0.1. otherwise the Routers will establish the peering.blogspot.4. the "neighbor" command should be used to establish OSPF peering. and make sure all SPOKEs appear as DROTHERs: #sh ip ospf nei Neighbor ID Pri 2.2.com .4 Pri 0 0 0 State FULL/DROTHER FULL/DROTHER FULL/DROTHER Dead Time 00:01:51 00:01:51 00:01:56 Address 10.2.1. BB. Wait 40.1. POINT-TO-POINT vs.4 Interface Serial1/0 Serial1/0 Serial1/0 *In this kind of OSPF Topology . but they will not exchange the routes!!! #sh ip ospf int s0/1/0.3 4.1.1. the following command needs to be applied: (config-if)#ip ospf network broadcast In HUB AND SPOKE topology you want to AVOID the SPOKE being elected as the DR.1.ON ALL THE SPOKE Routers A router with a router priority set to zero is ineligible to become the DR or BDR.3 10.1. which is why it´s better to set the Priority on Spokes to 0.1.3 0 4.3 10.2 3. so set the OSPF priority to 0: (config-if)#ip ospf priority 0 <.3. Router ID 1.2 10.PRIORITY 0 if you want the other side to not be the DR !!!BE SURE TO ADJUST THE TIMERS ON BOTH SIDE INTERFACES. because we are manually defining the OSPF Neighbor and turning the Links into UNICASTS. ____________________________________________________________________________________________________________________ OSPF NBMA (Non Broadcast Multiple Access) Networks ____________________________________________________________________________________________________________________ Once the interface is defined as NON-BROADCAST.it's not necessary to have the Frame-Relay interface configured with the "broadcast" keyword.1.4.R1 IS THE HUB Neighbor ID 2.1.12.1.1. Then check on the HUB router.3.2 10.14 | i Hello|Network Process ID 1. (config-router)#neighbor 10.#show ip ospf neighbor <--.1. Stub or NSSA) ____________________________________________________________________________________________________________________ OSPF BROADCAST vs.3.4.2 [priority 0] <.4 Interface Serial1/0 Serial1/0 Serial1/0 And in case it needs to be Point-to-Point: (config-if)#ip ospf network point-to-point 58 cisqueros. Hello 10.4. Network Type POINT_TO_POINT. Cost: 64 Timer intervals configured.1.4 0 State FULL/DROTHER FULL/DROTHER FULL/DROTHER Dead Time 00:00:32 00:00:38 00:00:33 Address 10.3.14 point-to-point (config-if)# ip ospf network non-broadcast Then under the OSPF process define the neighbor. POINT-TO-MULTIPOINT Networks ____________________________________________________________________________________________________________________ If you wish to convert the previous network into the Broadcast Network.1. otherwise we have to clear the OSPF process.2. Dead 40. Retransmit 5 Hello due in 00:00:05 Also you need to match AREA ID and Area STUB FLAG and they must be of the SAME TYPE (Normal.2.2 0 3. 0. and you want CONTROL the remap process of the LSA7 to LSA5.1. but use 0.36.3.0 as the forwarding address instead of the one specified in the LSA7: (config-router)#area 1 nssa translate type7 suppress-fa ? default-information-originate Originate Type 7 default into NSSA area no-redistribution No redistribution into this NSSA area no-summary Do not send summary LSA into NSSA <cr> Before the command has been applied the external (LSA5) subnet within the area 0 is seen as: #sh ip ospf database external 6.The main difference here is the NEXT HOP: BROADCAST: Next Hop is the router that ORIGINATED the Route POINT-TO-POINT: Next Hop is the router that ADVERTISED the Route POINT-TO-MULTIPOINT: Next Hop is also the router that ADVERTISED the Route.0.5.0.blogspot.3 LS Seq Number: 80000003 Checksum: 0x1286 Length: 36 Network Mask: /8 Metric Type: 2 (Larger than any link state path) MTID: 0 Metric: 20 Forward Address: 200.com .3.0.1) (Process ID 1) Type-5 AS External Link States LS age: 557 Options: (No TOS-capability.5 ____________________________________________________________________________________________________________________ ISPF ____________________________________________________________________________________________________________________ Incremental SPF is more efficient than the full SPF algorithm. ____________________________________________________________________________________________________________________ Forward Address Suppression ____________________________________________________________________________________________________________________ The aim is to SUPRESS the address of the router that originated the Prefix. When the area is NSSA.0 OSPF Router with ID (1.1.6 External Route Tag: 0 59 cisqueros. ____________________________________________________________________________________________________________________ DNS Lookup in OSPF ____________________________________________________________________________________________________________________ Enable OSPF to lookup the names: (config)#ip ospf name-lookup And define the NAME-IP correlation: (config)#ip host R5 5.0.0 (External Network Number ) Advertising Router: 3.0. but NLRI is achieved because it fixes the Spoke-to-Spoke reachability from L3 perspective. DC) LS Type: AS External Link Link State ID: 6. thereby allowing OSPF to converge faster on a new routing topology in reaction to a network event.5.1. The difference is the route type: NSSA NO-SUMMARY Gateway of last resort is 10. we have: #sh ip ospf database external 6. 00:04:22.. 1 subnets ____________________________________________________________________________________________________________________ OSPF Sham Link ____________________________________________________________________________________________________________________ In an MPLS VPN configuration.0.3 LS Seq Number: 80000004 Checksum: 0x3952 Length: 36 Network Mask: /8 Metric Type: 2 (Larger than any link state path) MTID: 0 Metric: 20 Forward Address: 0.0/0 [110/1] via 10. You can use the similar approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA.1) (Process ID 1) Type-5 AS External Link States Routing Bit Set on this LSA in topology Base with MTID 0 LS age: 41 Options: (No TOS-capability.0 O*N2 0.THE FORWARD ADDRESS HAD CHANGED External Route Tag: 0 If you add "no-summary" to this command.1.35.1.0.0.63 1.0 <.3.0/32 is subnetted.53 1. Gateway of last resort is 205.0.0 O*IA 0.3 to network 0. Serial1/0.34.0.0.0.0.1.0.36.0.0 OSPF Router with ID (1. In this example the Area 1 is NSSA: (config-router)#area 1 nssa default-information-originate no-summary Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2): #sh ip route .0.While after the command has been implemented. 60 cisqueros.0. when there are 2 ways for the CE routers to communicate: 1 over the PEs and the MPLS link 2 over the OSPF link *It is assumed that Customer CEs and the PEs have the OSPF implemented between them.0 (External Network Number ) Advertising Router: 3.43 NSSA DEFAULT-INFORMATION-ORIGINATE Gateway of last resort is 10.0.0 O*N2 0..1.0.34.1.0.3.0.3. Serial1/0. and the default route is advertised instead.36.0/0 [110/65] via 10.0. DC) LS Type: AS External Link Link State ID: 6. Serial1/0. 00:00:22.1.0.3 to network 0. LSA3s are filtered.1.3.0. 00:05:21.35.1.0.3 to network 0.0.0/32 is subnetted.0/0 [110/1] via 205.blogspot.0.com . 1 subnets The Default Route will be injected into that area regardless of whether you´re using the "nssa default-information-originate" or the "nssa no-summary" command in the OSPF Area.3. but advertise only the default route on the ABR. 206: %OSPF-5-ADJCHG: Process 15.168.168.1.1.1.1 mask 255.255.com . that have been designed specifically for such a scenario.45. and add them into the appropriate VRF: PE1: (config)#interface Loopback1 (config-if)#ip vrf forwarding CA (config-if)#ip address 192. Regardless of the COST and the AD of E1/E2 and O IA (Inter-Area) Routes will never be preferred. so that they are reachable: (config)#address-family ipv4 vrf CA (config-router)#redistribute ospf 15 vrf CA (config-router)#network 192.1.255.168.4 on OSPF_SL2 from LOADING to FULL. Loading Done TIP: Filter these Loopbacks from the CUSTOMERS network.1.2 cost 1 *Dec 20 11:59:28.168.55 *this way the LSA Type 3 will be translated properly 61 cisqueros.1 255. Namely the LINK is created between the PE routers.255.blogspot. STEP 4: The LAST step is now to tune the OSPF COST on the link between the CEs.The OSPF will always be preferred.1. The way to solve this is using the SHAM links.255 STEP 3: Create OSPF SHAM-LINK between the PR Routers.255.55.255 PE2: (config)#interface Loopback1 (config-if)#ip vrf forwarding CA (config-if)#ip address 192. so that it would be LESS PREFERRED: (config-if)#ip ospf cost 500 ____________________________________________________________________________________________________________________ OSPF in MPLS ____________________________________________________________________________________________________________________ TIP: Be sure the set the domain-id to match (default domain is based on the OSPF Process Number): (config)#ip ospf 1 vrf VRF_XXX (config-router)#domain-id 55.255. so that the Tunnel which is the Sham Link isn’t routed through the Customers routers. Nbr 10.255 STEP 2: Advertise these networks via the BGP process in the PEs. simply because nothing beats the INTERNAL (Intra Area) OSPF route (O). STEP 1: Create /32 Loopback Interfaces to the PE routers. and that we can just influence the preferred path using the OSPF COST on the Interface.168.255. with the Loopback1 /32 addresses as SOURCE and DESTINATION (these should already be reachable via BGP). Make sure that new OSPF adjacency appears between the PEs: (config)#router ospf 15 vrf CA (config-router)#area 0 sham-link 192.55.1 192.1 255. so that ALL the OSPF Prefixes appear as INTERNAL OSPF routes on the CE routers. 12 Hold Uptime SRTT (sec) (ms) 115 00:10:04 26 Q Seq Cnt Num 200 0 32 RTO How to interpret this output: H . The EIGRP timers are configured on the interface towards the EIGRP neighbor. starting from 0 Address .From where we see the Neighbor Holdtime . if it already exists. you can do "permit eigrp any any" within the extended ACL TIP: "default-information [ in|out ]" in EIGRP does NOT generate the Default Route.time required for EIGRP packet to reach the neighbor and receive the ACK RTO .1.Neighbors IP Interface .The order in which neighbors were formed. Set the Hello timer and the HOLD Time (which is actually the Dead Timer) for the EIGRP 100 process: (config-if)#ip hello-interval eigrp 100 30 (config-if)#ip hold-time eigrp 100 120 Check the configured Timers using the command: #show ip eigrp interfaces detail EIGRP-IPv4 Interfaces for AS(200) Xmit Queue Mean Pacing Time Multicast Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Et0/0 1 0/0 12 0/2 80 Hello-interval is 30.____________________________________________________________________________________________________________________ EIGRP ____________________________________________________________________________________________________________________ EIGRP uses the IP Protocol 88 (doesn't use specific TCP or UDP port).How long we have left before we declare the neighbor down (if no Hello is received) Uptime .10 TIP: When you need to FILTER EIGRP.Multicast to 224.Retransmission Time-Out .blogspot. HELLOs .0.0.com .2 Se1/0.TIMERS VALUES Split-horizon is enabled Next xmit serial <none> Un/reliable mcasts: 0/2 Un/reliable ucasts: 1/6 Mcast exceptions: 2 CR packets: 0 ACKs suppressed: 1 Retransmissions sent: 0 Out-of-sequence rcvd: 0 Topology-ids on interface . Hold-time is 120 <--.How long since we first found out about the neighbor SRTT .0 Authentication mode is not set Pending Routes 0 ____________________________________________________________________________________________________________________ EIGRP "show neighbors" command ____________________________________________________________________________________________________________________ #show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface 0 10.how long before the packet is re-transmitted Q Count .Number of packets in the EIGRP queue SeqNum .12.Sequence Number of the last received EIGRP packet 62 cisqueros. it only allows it to be sent to the neighbor or received.Smooth Round Trip Time . Bandwidth K2 .If you want to disable the logging of neighbor changes: (config-router)#no eigrp log-neighbor-changes OR log-neighbor-warnings Once it's enabled/disabled.blogspot.com . define the TIMES for WARNINGS only: (config-router)#eigrp log-neighbor-warnings X (X is seconds) ____________________________________________________________________________________________________________________ EIGRP Metric . BW 10000 Kbit. so the Metric depends on the Bandwidth and Delay only.000/LowestPathBW + Sum of all DELAYS/10)*256 By default K2 = K4 = K5 = 0.K Values ____________________________________________________________________________________________________________________ 5 K-Values are used to calculate the EIGRP Metric.Delay K4 . DLY 1000 usec If you need the EIGRP Metric to depend on some other values the command is (ToS should be left 0): (config-router)#metric weight tos k1 k2 k3 k4 k5 BE CAREFULL when you change this BECAUSE K VALUES NEED TO MATCH BETWEEN THE EIGRP NEIGHBORS!!! The following MUST match in order for 2 routers to become EIGRP adjacent: K values AS numbers They must share same L2 data link Authentication 63 cisqueros. To check the parameters on the interface: #SHOW Interfaces e0/0 | i BW MTU 1500 bytes. It´s pretty important to know at least which one is which of the K values: K1 .Reliability K5 .Reliability Metric = (K1*BW + (K2*BW)/(256-Load) + K3*Delay) * 256 Little better explained: Metric = (10.000.Load K3 . The summary route is advertised.12. and it references a non-existing Route Map .0 255.2. If the Route Map however exists. If the Leak Map is configured.IS-IS. Null0 If you wish to have greater granular control the solution presented since 12.0.1 (Serial1/0) is resync: summary configured The interface towards Null0 Interface is created automatically.1. but itp cannot be used under the SUB-Interface).0 leak-map ROUTE_MAP SUB-INTERFACE LEAK MAPS: Since the LEAK Maps are not available on the SUB-interface. L1 . there is a workaround.0 0. su .0.0.IS-IS level-2 D 3.both the summary route and the more specific routes are advertised.____________________________________________________________________________________________________________________ EIGRP Route Summarization and Leak Maps ____________________________________________________________________________________________________________________ The EIGRP route Summarization is done exactly the same like RIP Summarization. more specific routes are suppressed.255. We would then configure the Route Summarization and a Leak Map under it: (config-if)#interface Virtual-template 13 (config-if)#ip summary-address eigrp 100 2.0 [leak-map ROUTE_MAP] 64 cisqueros.252. If the Access List also exists .it lets us define the routes that will be advertised IN ADDITION to the Summarized Route! To configure the Leak Map just attach a route-map to the "eigrp summary" command: (config-if)#ip summary-address eigrp 100 2. So don’t worry.0. It can also be done on ANY of the routers within the same EIGRP process.4.the LEAK MAP (It’s something like the SUPRESS Maps in the BGP.blogspot. Instead we need to: Option 1: Configure the static route and redistribute it into the EIGRP Option 2: Summarize the routes into a Default Route using the previously described summarization method (leak map is added if we wish to inject another routes besides the default route) (config-if)#ip summary-address eigrp 100 0.0.0. It's done on the Interface using the command: (config-if)#ip summary-address eigrp 100 3. and it’s done using the VIRTUAL TEMPLATE Interface.0.4.0 And don’t be afraid when you see the following message: *Apr 27 12:53:32.0.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.com .0/8 is a summary.252.0 leak-map ROUTE_MAP And then under the SUB-Interface assign the Virtual Template (SUB-INTERFACE needs to be of a MULTIPOINT TYPE. L2 .0 255. or this will not work) (config-subif)#no ip add (config-subif)#frame-relay interface-dlci 103 ppp Virtual-template 13 ____________________________________________________________________________________________________________________ EIGRP Default Gateway ____________________________________________________________________________________________________________________ The command we all know from OSPF and BGP "default-information originate [always]" will not work in EIGRP. Check if "it worked": #show ip route | i summ i . because EIGRP adds this "discard route" for Loop Avoidance.255.IS-IS level-1. which makes sense because both protocols have the Distance Vector nature.0 255. unlike the Link State protocols. and references a non-existing ACCESS LIST .0.3(13) is .0. 00:02:52.2.IS-IS summary. com . This is an example of Frame relay P2P Interface and EIGRP authentication: (config)#interface Serial4/1.1. for example. minimum MTU 1500 bytes Loading 1/255. route is Internal Vector metric: There are 2 routes. via Serial1/0. metric 2297856.28. from 131. If you need more GRANULAR control.0/24 | i metric Composite metric is (2195456/281600).12 Route metric is 2297856.____________________________________________________________________________________________________________________ VARIANCE Command ____________________________________________________________________________________________________________________ Variance is an EIGRP feature that enables UNEQUAL load balancing.12. The only condition that needs to be met is that all the Paths need to be in the routing table and MEAT THE FEASIBILITY CONDITION! (Routes ADVERTISED Distance must be lower than the local routes FAESIBLE Distance). route is Internal Vector metric: Composite metric is (319545/281600). It’s configured in the EIGRP configuration mode: (config-router)#variance 2 This means that it will include the routes with the metric value up to 2 times greater than the Best Route metric.56. 110 (Its 100 by Default): (config-router)#metric maximum-hops 110 #show eigrp protocols | i hop Maximum hopcount 110 65 cisqueros.EIGRP supports only MD5 authentication.the configuration is done in the Interface Configuration mode. traffic share count is 1 Total delay is 25000 microseconds.blogspot. type internal Redistributing via eigrp 100 Last update from 131. 00:13:47 ago.1.25 point-to-point (config-if)#ip authentication mode eigrp 100 md5 (config-if)#ip authentication key-chain eigrp 100 EIGRP_CHAIN ____________________________________________________________________________________________________________________ EIGRP: Maximum Hops ____________________________________________________________________________________________________________________ Another attribute that can be useful for controlling the routes is the "maximum-hops". even though it's the default mode on most devices.12 HOPS TO THIS ROUTE!!! To change the Maximum number of Hops to. get the METRIC from the EIGRP TOPOLOGY: #show ip ei 400 topology 10.12. Hops 12 <-. distance 90. To see each routes hop count: #show ip route 172.0 Known via "eigrp 100".12. Unlike OSPF . To get the VARIANCE you need.2 on Serial1/0.2.87 => Variance will be 7! ____________________________________________________________________________________________________________________ EIGRP Authentication ____________________________________________________________________________________________________________________ Like in OSPF .1.185. You need to set the mode to MD5. divide them and circle up to the BIGGER value: 2195456/319545 = 6. and the other with metric 319545.1. 00:13:47 ago Routing Descriptor Blocks: * 131. or more precise variance. and both meet the Feasibility Condition. 1 with metric 2195456. minimum bandwidth is 1544 Kbit Reliability 255/255.12.2. com .Internal EIGRP Routes 5 . When the EIGRP process is configured as STUB on a router using the "stub connected" command: (config-router)#eigrp stub connected 66 cisqueros. but this can be changed with the following command on the interface level: (config-if)#ip bandwidth-percent eigrp 200 30 ____________________________________________________________________________________________________________________ EIGRP Redistribute Routes into EIGRP ____________________________________________________________________________________________________________________ *YOU NEED TO DEFINE THE METRIC. to allow some subnets out (matched in route-map). that has AD 110 for External routes: (config-router)#distance eigrp 90 100 ____________________________________________________________________________________________________________________ EIGRP Updates BW Percent ____________________________________________________________________________________________________________________ The default configuration for EIGRP is to use up to 50 percent of the available bandwidth. Subjective impression! The command is rather straight forward: (config-router)#eigrp stub [connected | summary | static | receive-only | redistributed] You can ALSO use LEAK-MAPS here. INCREASE the metric for 50 on routes learned on s1/1 ____________________________________________________________________________________________________________________ EIGRP Stub ____________________________________________________________________________________________________________________ First a heads up . for example.it's a bit complicated because there are just too many details.. like in the SUMMARIZATION. either a DEFAULT one: (config-router)#default-metric 1500 20000 255 1 1500 Or when configuring the redistribution: (config-router)#redistribute static metric 150 20000 255 1 1500 ____________________________________________________________________________________________________________________ EIGRP offset-list [metric adjustments] ____________________________________________________________________________________________________________________ Offset List is used to INCREASE or DECREASE an EIGRP or RIP metric for the OFFSET value you define: (config-router)#offset-list 3 in 50 s1/1 <-Match ACL 3.EIGRP Summary Routes You can make EIGRP External routes smaller if you need them to not be less preferred then.External EIGRP Routes 90 . OSPF..blogspot.____________________________________________________________________________________________________________________ EIGRP Administrative Distance ____________________________________________________________________________________________________________________ By default EIGRP has the following Administrative Distance values: 170 . 1.4 0.That Router will ONLY see the Summary (if configured). but there is also an advanced option .0.1.0.10.4. Static or Redistributed Routes.0/0 le 32 – Allow updates from everyone else PREFIX-LIST ALLOW_ALL .blogspot.0 (config-router-af)# network 10.10.45. The EIGRP Neighbor(s) will NOT see the Summary.0.0. the most important thing to have in mind is to DEFINE THE AS NUMBER AGAIN WITHIN THE AF CONFIGURATION.0 (config-router-af)# no auto-summary (config-router-af)#autonomous-system 200 ____________________________________________________________________________________________________________________ EIGRP Route Filtering ____________________________________________________________________________________________________________________ EIGRP uses the DISTRIBUTE LIST to filter the prefixes. while the EIGRP Neighbors stop receiving ANY routes from the Router And finally the "eigrp stub" command can be configured without any attributes.4: (config)#ip prefix-list NOT_R4 deny 10.0.0.0.4. (config)#router eigrp 100 (config-router)#no auto-summary ! (config-router)#address-family ipv4 vrf CA (config-router-af)#network 4.1.0. So if you configure 2 PREFIX LISTS: PREFIX-LIST NOT_R4 to filter OUT the updates ORIGINATED by 10. so just: (config-router)#eigrp stub in which case the EIGRP neighbors ONLY receive the Summary Route ____________________________________________________________________________________________________________________ MP-EIGRP ____________________________________________________________________________________________________________________ When configuring the ADDRESS FAMILY within the EIGRP process. while the EIGRP Neighbors ONLY receive the Static OR Redistributed routes With the "stub receive-only": (config-router)#eigrp stub receive-only This router keeps behaving exactly the same.which you can play with to filter some incoming PREFIXES: (config)#ip prefix-list ALLOW_ALL permit 0.4/32 – Deny updates from this neighbor (config)#ip prefix-list NOT_R4 permit 0. The EIGRP Neighbor(s) will ONLY see the Summary Now with the "stub static" or "stub redistributed": (config-router)#eigrp stub stub [static | redistributed] This router keeps behaving exactly the same.it also filters the PREFIX GATEWAYS (Originator IPs). or the peering will not be established.com .0/0 le 32 Apply the 1st PREFIX-LIST as the GATEWAY to the second PREFIX-LIST route filter: (config-router)#distribute-list prefix ALLOW_ALL gateway NOT_R4 in 67 cisqueros. ONLY the specific routes BECAUSE ONLY Connected Routes are advertised If however we use the "stub summary" command to configure the STUB: (config-router)#eigrp stub stub summary The router will keep the same EIGRP routes in the routing table. and also Static and Redistributed routes (because the STUB doesn't affect the Router where it's configured).4 0. 223: 12:34:55.0.1.1.223: 12:34:55.1. Basically the SYNC Logic is: Do not consider an iBGP route in the BGP table BEST unless the EXACT PREFIX was learned via IGP and is currently in the routing table.incomplete Network Next Hop Metric LocPrf Weight Path *>i1.Local Preference.1.0.223: 12:34:55.2.11.0.2 remote-as 100 Debug looks like this: *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov *Nov 23 23 23 23 23 23 23 23 23 23 23 12:34:55.2 active OPEN has MULTISESSION capability.1. ? .it's locally originated prefix) Metric .0.1. local router ID is 192. LOCAL will have 32768.223: 12:34:55.EGP.0. It can be changed by "bgp default local-preference" Weight .1.1.0 0 32768 i *>i4.1 4 100 9 9 5 0 100.1. d damped.1.1.No.____________________________________________________________________________________________________________________ BGP TIPs and Best Practices ____________________________________________________________________________________________________________________ Two first things that are considered the "BGP configuration best practice" are to disable the SYNCHRONIZATION and disable the Auto Summarization.0. In the newer versions of IOS it's disabled by default.223: 12:34:55.11.223: 12:34:55.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6 BGP: 10. HIGHER IS BETTER.0 10.iBGP will have "i".2 active OPEN has CAPABILITY code: 131.1.0.it's an old loop prevention mechanism that is no longer used. length 4 BGP: 10.1. > best. * valid.0.223: BGP: 10.1.1. length 1 BGP: 10.com . Why? Auto-summary .4 4 100 8 8 5 0 (config-router)#do show ip bgp BGP table version is 5.2 Up Once you've got the neighbors configured using the "neighbor" command.blogspot. and default is 100.1.1.0.1. without grouping BGP: 10.0 10. and eBGP will have all BGP AS Numbers you need to traverse to get to the prefix (max 255) 68 cisqueros. mask is assumed Next Hop . * .1. Originated by NEIGHBOR will have 0 Path .2 Status codes: s suppressed.3 4 100 9 9 5 0 100. r RIB-failure.2 active OPEN has CAPABILITY code: 65. 4-byte remote AS 100 BGP: 10.223: 12:34:55.internal.learned via iBGP Network .2 active went from OpenConfirm to Established BGP: ses global 10. h history.223: 12:34:55. It was originally created to prevent the BLACK HOLE Advertising.1.1. so there is no need to have it enabled.1.0 .2 (0xAF0217D0:1) Up %BGP-5-ADJCHANGE: neighbor 10.MED Attribute LocPrf .1. e .2 neighbor does not have IPv4 MDT topology activated BGP: 10.1.223: 12:34:55.1.IGP.1.11. you should be able to identify the outputs: (config-router)#do show ip bgp summary | b Neighbor Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ 100.1. S Stale Origin codes: i .0 0.2 active OPEN has 4-byte ASN CAP for: 100 BGP: nbr global 10.223: 12:34:55.1.to enable the CLASSLESS BGP behavior (config-router)#no auto-summary Synchronization .0.The entry in the table is valid > .2 active went from OpenSent to OpenConfirm BGP: 10.1.It's the BEST entry for that prefix i . you need to specify their AS Number using the "remote-as": (config-router)#neighbor 10.1 0 100 0 i *> 2. (config-router)#no synchronization When adding a new NEIGHBOR.1 Attribute for Path Determination.2 active rcvd OPEN w/ remote AS 100.1.168.Next Hop IP (if it's 0.prefix entry.1.4 0 100 0 i Up/Down State/PfxRcd 0 00:05:23 1 0 00:05:12 1 0 00:04:57 1 i . 1.0 10.1.1. but it's considered a LIGHT security.4. then the MED value is removed.1.1.1.internal.0 10.0. but it shows an entire AS-PATH now (list of all the BGP Autonomous Systems the route needs to pass in order to reach the route) Also Local Preference is no longer marked as 100 (default for iBGP) MED is 0 or BLANC.OTHER AS : LOCAL AS : LOCALLY ORIGINATED 69 cisqueros.2.3 0 0 300 i *> 4.0. you can configure the "neighbor disable-connected-check" command before you can establish the eBGP peering session: (config-router)#neighbor 10. Peering sessions for multihop neighbors are configured with the neighbor ebgp-multihop command: (config-router)#neighbor 2.2 0 300 200 i *> 10.0.5 remove-private-as SECURITY in BGP can be also provided by TTL check.com .IGP.1.incomplete Network Next Hop Metric LocPrf Weight Path * 1.1.0.1.1 0 200 100 i *> 10.45. for example.1.1.0.1.1 0 300 100 i * 10. over a WAN connection. If you are peering eBGP using the LOOPBACKS.0 0 32768 i Notice that the PATH is no longer marked as "i" for iBGP.0. there are many real-world scenarios where this rule would prevent routing from occurring.1 disable-connected-check <-DISABLES CONNECTION VERIFICATION When you want to DISABLE prefixes removed from the BGP table when the neighbor goes down: (config-router)#fast-external-failover When you want to advertise the prefixes and HIDE THE LOCAL AS number: (config-router)#neighbor 10.blogspot.1.0.45.1 0 0 100 i * 2. d damped. r RIB-failure.0 10.0.EGP. MED is set to 0 when the advertised by the originating AS. e . However.2 ebgp-multihop 2 ALTERNATIVE TO MULTIHOP: If loopback interfaces are used to connect single-hop eBGP peers.4 Status codes: s suppressed.5 ttl-security hops 2 Also the MAXIMUM AS NUMBER can be defined. let’s say we want to define max 2 hops: (config-router)#neighbor 10. ? . i .2 0 0 200 i *> 3.0.2 0 100 200 i * 10.12.1. so that routes that go through more than 10 ASs are rejected: (config-router)#bgp maxas-limit 20 To CHANGE the ADMINISTRATIVE DISTANCE (AD): (config-router)#distance bgp 150 200 1 <.168.0. h history.(config-router)#do show ip bgp <-CASE OF ONLY Ebgp ROUTES BGP table version is 5. S Stale Origin codes: i . don't forget to use the "ebgp-multihop" command!!! From Cisco Docs: By design. but when the SAME prefix is advertised by another AS.2.1. > best. a BGP routing process expects eBGP peers to be directly connected.0 0. It's done by DEFINING THE MAXIMAL TTL on the received routes.1. local router ID is 192.1. * valid. when you want to ADVERTISE the prefix to the AS.2 peer-group CISQUEROS (config-router)#NEIghbor 3. Once you've got the peering . and the parameters will apply to each of the Peers.2. or you will get this message: *Nov 23 13:48:02.23.x. using the "neighbor x. Please configure manually.0 support BGP versions 2. Add the individual neighbors into the configured peer group *Be sure to configure the interface used as the UPDATE-SOURCE.0. It's defined in 3 steps: Step 1.3 IPv4 Unicast topology base removed from session Member added to peergroup *May 5 10:13:21.WILL ALLOW THE PREFIXES WITH OUR OWN AS ___________________________________________________________________________________________________________________ BGP Version ____________________________________________________________________________________________________________________ Cisco IOS 12.ATTACH AN ACL TO CHOOSE THE PREFIXES TO APPLY THE AD There is another BGP TUNING.3.3.100 allowas-in <.283: %BGP-5-ADJCHANGE: neighbor 3. For example.0 [ACL] <.3.3. If you need to correct this on your network.3 Up Both neighbors remain UP! If you CANNOT bring the BGP neighbors UP.com .0.x update-source lo0" (config-router)#neighbor 2.395: %BGP-5-ADJCHANGE: neighbor 3. use the PHYSICAL IPs.1.395: %BGP_SESSION-5-ADJCHANGE: neighbor 3. different vendor routers: (config-router)#neighbor version 4 ____________________________________________________________________________________________________________________ BGP Peer-Group ____________________________________________________________________________________________________________________ It's a simple concept. lets configure the Password: (config-router)#neighbor CISQUEROS password cisco 70 cisqueros.3.blogspot.3. just a group of neighbors we want to configure with the same group of parameters. Step 3.3 PEER-group CISQUEROS Be sure to configure ROUTER-ID Manually using "bgp router-id" command.OR to change the AD of the PREFIXES originated by the PARTICULAR NEIGHBOR: (config-router)#distance 150 10. there is a "allow-as" command which stops this loop prevention. but the NEWER IOS versions support ONLY BGP Version 4.3. Then both Neighbors will appear.3.1.535: %BGP-4-NORTRID: BGP could not pick a router-id. Define/Configure the Peer Group (config-router)#neighbor CISQUEROS peer-group Step 2.3 Down Member added to peergroup *May 5 10:13:22. Expect the following message: *May 5 10:13:21. Apply the set of parameters to the Peer Group. In order to change that (on the IOS models where it's allowed).3 0. On the EDGE router of AS 100 towards the AS 200 do: (config-router)#neighbor 100. learn from the SAME AS: (AS 100)-->(AS 200)-->(AS 100) On the EGRESS of AS200 the route will not be advertised to AS100 due to the LOOP PREVENTION mechanism. 3 and 4. for example. in order to peer with.2.you can remove the neighbor added using the Physical IP.x.1. even though I hope it gets updated soon.blogspot.3 inherit peer-session GROUP_2 Peer-Policy has the similar purpose. or as described in the Previous Post . Step 1: Define the peer-session and give it a name: (config-router)#template peer-session MYBGP Step 2: Assign the attributes to the peer-session: (config-router-stmp)#version 4 (config-router-stmp)#update-source lo0 (config-router-stmp)#password Cisqueros Step 3: If you have more groups of neighbors.on the PER-PEER-GROUP basis.3.” 71 cisqueros. and Peer-Session CANNOT INHERIT Peer-Policy template. and inherit the first template: (config-router)#template peer-session GROUP_1 (config-router-stmp)#inherit peer-session MYBGP (config-router-stmp)#remote-as 100 (config-router)#template peer-session GROUP_2 (config-router-stmp)#inherit peer-session MYBGP (config-router-stmp)#remote-as 200 Step 4: Apply the LAST defined Template to RELEVANT NEIGHBORS. the receiver's hash value should match the sender's value transmitted with the message.____________________________________________________________________________________________________________________ BGP Peer-Session and Peer-Policy Templates ____________________________________________________________________________________________________________________ Another way to make the BGP configuration easier by avoiding configuring the same command set on every router. Then create another template.1. (config-router)#neighbor CISQUEROS password cisco From Jeff Doyle ROUTING TCP/IP Vol2 (Routing Bible in my opinion.2 inherit peer-session GROUP_1 (config-router)#neighbor 3. calculates its own hash value.2. The hash value is impossible to decipher (without a huge amount of computing power) without knowing the password so that an unauthorized router cannot. If nothing in the message has changed.2. knowing the same password. because it works in somewhat the same way as an arithmetic checksum. and they all have some common settings (for example the ones defined in the template IBGP). It also is occasionally referred to as a cryptographic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (in this case.com . and some different ones. either maliciously or by accident. Inc. MD5 is a one-way message digest or secure hash function produced by RSA Data Security. a BGP message) and a password. This "fingerprint" is transmitted along with the message. The receiver.3.1 inherit peer-session GROUP_1 (config-router)#neighbor 2. which inherited the settings of the initial Templates: (config-router)#neighbor 1.1. it's been 12 years !): “The IOS uses MD5 authentication when a BGP neighbor password is configured. The difference is the commands inside. peer with a router running neighbor authentication. Here is an example of a peer policy template: (config)#router bgp 200 (config-router)#template peer-policy FORCE_SELF_AS_NEXT_HOP (config-router-ptmp)#next-hop-self (config-router-ptmp)#exit-peer-policy ____________________________________________________________________________________________________________________ BGP Authentication ____________________________________________________________________________________________________________________ It's configured on PER-NEIGHBOR. valid.4 <. so . localpref 100.1.6 (metric 2) from 10. metric 0. Have in mind that the RR is a single point of failure in the Network.1) Origin IGP.BEST PRACTICE is to have MULTIPLE RR SERVERS.0.6.59 route-reflector-client Step 3: Check the status of each Client on the RR SERVER ROUTER: #show ip bgp neighbors 172. best Originator: 6. table default) Advertised to update-groups: 4 Local.4.25. so the RR rejects the prefixes where their own Cluster ID appears. There are 3 implemented LOOP PREVENTION Mechanisms: 1. version 23 Paths: (1 available. that's the point of implementing the RRs.0.com .0. Only advertise BEST routes The configuration is rather simple. because.One or more RR Servers and their clients. table default) Not advertised to any peer Local 10. version 7 Paths: (1 available.4.6. internal. Route Reflectors let all the routers learn all the iBGP routes.0/8.13. Cluster list: 1.22 | i Reflector Route-Reflector Client Also make sure that the routes you expect to learn from RR Clients look like this: #sh ip bgp 2. 72 cisqueros.1.22 route-reflector-client (config-router)#neighbor 172.25.6 BGP routing table entry for 6. It's similar to AS_PATH attribute.0.1.185.Route Reflectors REMOVE THE NEED FOR FULL-MESH iBGP peering. RR Servers act as normal BGP peers with the NON-RR-CLIENT peers and the eBGP peers. ORIGINATOR_ID . With MULTIPLE Clusters ..25. well.The Cluster ID is automatically included into the BGP PA (path attribute) when generated.1. to decrease the number of BGP peering The Route Reflector will "reflect" the routes received from one iBGP peer to the others.. (Received from a RR-client) #sh ip bgp 6. 4.6. In the normal configuration (without root reflectors) the iBGP neighbors must be FULLY MESHED due to the SPLIT HORIZON rule (a prefix learned from iBGP peer will NEVER be announced to another iBGP peer). and advertise them to other iBGP peers. Route Reflector SERVERS: Allowed to learn the iBGP routes from their CLIENTS. 3.1 (1. On RR SERVER configure ALL the clients: (config-router)#neighbor 172. and make sure that RR SERVERS HAVE A FULL MESH.0/8. 2. and prevent loops.at least one of the RRs must be peered with at least one RR in Each Cluster.185.1.6.0. and it contains of 2 steps: Step 1: Define the CLUSTER ID on ALL the routers (this is NOT MANDATORY) (config-router)#bgp cluster-id 3 Step 2: There is a difference between the RR SERVER and RR CLIENT (under the BGP configuration).CLUSTER LIST DON’T forget to remove the iBGP sessions between CLIENTS.186. RR will not advertise the prefix back to the originator.blogspot.6. best #1.____________________________________________________________________________________________________________________ BGP Route Reflectors ____________________________________________________________________________________________________________________ *Configuring Multi-protocol BGP (MP-BGP) Support for CLNS on Cisco Docs Like the BGP Confederations . It's the Router ID of the first iBGP peer to advertise the route into the AS.0. best #1.Attribute created by the RR. but instead of AS it has a list of CLUSTED IDs.1. CLUSTER_LIST .1.0/8 BGP routing table entry for 2. they send all the BGP Updates Route Reflector CLUSTER .46. Also.blogspot.you need a way to tune it. For example we want to CHECK if the 2. but it will note add it to the routing table unless the same prefix doesn’t appear in the routing table at all. but add a "backdoor" argument at the end. one for the CHECK condition.0 (config)#route-map CHECK permit 10 (config-rmap)#match ip address 2 And ONLY if it's NOT in the routing table. not from you like in the normal "network" command application.0. The trick is to change the behavior of the BGP advertisements depending on the routes that are being learned. meaning .2.1. (config-router)#network 150. and alters the order of preference in the routing table. Step 1: Configure 2 Route Maps.Advertise Maps ____________________________________________________________________________________________________________________ This is a simple feature.13.0. and another for PREFIXES you will advertise if CHECK passes .1 0 100 200 ? ____________________________________________________________________________________________________________________ BGP CONDITIONAL Advertisements .1.if the prefixes are NOT in the table.255.not eligible to be added to the routing table #sh ip bgp | i 150.1.2 advertise-map exist-map advertise prefix only if prefix non-exist-map advertise prefix only if prefix (config-router)#neighbor 10.1. 73 cisqueros. in the BGP table it will have the "r" symbol.0.0.0 is learned: (config)#access-list 2 permit 2.0 (config)#route-map ADVERTISE permit 10 (config-rmap)#match ip address 1 Step 2: Configure the advertise map and the condition in the BGP routing process: (config)#router bgp 65545 (config-router)#neighbor 10.0 (config)#access-list 1 permit 1.CHECK THESE OPTIONS in the condition does not exist ADVERTISE non-exist-map CHECK Intuitively we can see that the ADV_ROUTE_MAP is the route map that defines the routes that will be broadcast.1. because not many routing protocols "beat" the eBGPs Administrative Distance (20). It's quite easy to configure .0 backdoor Note that you will not SEE this route in the routing table unless the route with the bigger AD is down.255.com .12.0.2 r> 150.0 mask 255.2. in this case if the conditions defined in the route-map CONDITION_ROUTE_MAP is NOT satisfied.2 advertise-map ADVERTISE ? is in the condition exists <. we want to advertise 2.12. *BE CAREFUL!!! The BACKDOOR argument is applied to the network advertised TO YOU. but you really need to know the BGP philosophy and maybe even have some basic experience in programming.0/24 10.0.0. The "backdoor" argument sets the routes AD to 200 (like it were an iBGP instead of eBGP route).1.____________________________________________________________________________________________________________________ BGP BACKDOOR Route ____________________________________________________________________________________________________________________ When you need to prefer LESS the eBGP route .you configure a regular network using a "network" command. meaning . This will advertise the route into the BGP process.0. h history. When the half-time expires. d damped. r) there is another "Tag" that can appear. i . and range 1-45 minutes.make sure you understand the concept of PENALTIES being "rewarded" to a route every time it FLAPS. S Stale From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across an internetwork. #show ip bgp BGP table version is 5. and make sure you're familiar with the PARAMETERS of BGP DAMPENING: #sh ip bgp dampening parameters dampening 15 750 2000 60 (DEFAULT) Half-life time : 15 mins Max suppress penalty: 12000 Suppress penalty : 2000 Decay Time : 2320 secs Max suppress time: 60 mins Reuse penalty : 750 1. or within the Route-Map like here Then apply it within the BGP configuration process: (config-router)#bgp dampening route-map DAMPEN_1 This configuration can get quite complicated.com . 2.. A route is considered to be flapping when its availability alternates repeatedly" If you're configuring it without any parameter tuning. * valid. Default HALF-TIME is 15 minutes. and it's a letter "d". the accumulated penalty is decreased every 5 seconds. HALF-TIME (default 15 minutes): When the penalty is assigned to a route. so you might need to MATCH THE AS-PATH.SET DESIRED DAMPENING PARAMETERS *Parameters can be defined directly under the BGP process." within the route-map configuration or you will be getting the following message when checking the parameters: #sh ip bgp dampening parameters % dampening reconfiguration in progress for IPv4 Unicast When you check the BGP prefixes using the "show ip bgp".2 Status codes: s suppressed.2. MAX-SUPRESS-TIME: Max time that the route can STAY SUPRESSED. By default it's 750. use the ROUTE-MAP: (config-router)#route-map DAMPEN_1 (config-route-map)#match ip add 15 <. and the range is 1 to 20000 3.CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL (config-route-map)#set dampening 15 700 2000 60 <. Default is 2000.168. and the range is 1-20000 4. which stands for DAMPENING. >.blogspot. besides the arguments that appeared so far (*. for this you need to be quite comfortable with META CHARACTERS.CHECK THIS LINE r RIB-failure. Default is 4 times Half-Time value (60 minutes). local router ID is 192.internal <. so for example match prefixes originated in AS 300: (config)#ip as-path access-list 15 permit ^300$ And then MATCH it in the route-map and SET the dampening parameters: (config-router)#route-map DAMPEN_2 (config-route-map)#match as-path 15 (config-route-map)#set dampening 15 700 2000 60 74 cisqueros. there is an enable command under the BGP process: (config-router)#bgp dampening If you want to use this feature ..____________________________________________________________________________________________________________________ BGP Route Dampening ____________________________________________________________________________________________________________________ Cisco Docs: Advanced BGP Features TIP: Don't forget to define the "set dampening . > best. SUPRESS: The route is SUPRESSED when the penalties REACH THIS VALUE. REUSE (default 750): The route can be REUSABLE if the penalties for flapping route go BELOW THIS VALUE. accumulated penalties are reduced by half. range is 1-255 If you need to configure the BGP DAMPENING for a certain routes. (config-router)#aggregate-address 2. none No community attribute <cr> *IMPORTANT: Do not forget to actually SEND the community to the neighbor. AGGREGATE is ONLY created if at least one of the specific prefixes exists in BGP table.x.x send-community 75 cisqueros. ATOMIC-AGGREGATE is an attribute that is assigned AUTOMATICALLY to the aggregate route if the "as-set" argument is NOT used in the "aggregate-address" command (AS-SET reveals the AS number that some routes were originated from) Additional arguments (route-maps) are a bit complicated.2.blogspot.0.0 ? advertise-map Set condition to advertise attribute <. no-export Do not export to next AS (well-known community) <-Do not advertise to eBGP peers. the command is applied PER NEIGHBOR Another way to achieve the same effect is to create STATIC ROUTE to Null0.x. For example. The reverse (UNSUPRESS with the REVERSE logic) can be configured on the NEIGHBOR basis: (config-router)#neighbor x.x.x.suppress the prefix defined in the ACL (it ADVERTISES prefixes DENIED by the ACL).ASSIGN THE ROUTE-MAP as-confed-set Generate AS confed set path information as-set Generate AS set path information attribute-map Set attributes of aggregate <. so you need to know exactly what which one is for: Suppress-map . and they are used for a more granular control of the advertised routes. and advertise using "network" command.0 255. then inject the specific prefixes (INJECT) into the routers BGP table: (config-router)#bgp inject-map INJECT exist-map EXIST ____________________________________________________________________________________________________________________ BGP Community Attribute ___________________________________________________________________________________________________________________ *Under SERVICE PROVIDER in the Cisco Docs Community attribute is one of those non-standard BGP attributes that you really need to know well if you wish to use.255.x unsupress-map UNSUPP ____________________________________________________________________________________________________________________ BGP INJECT and EXIST map ___________________________________________________________________________________________________________________ This is not so common.ONLY THE SUMMARY.com . The down side is that it's a bit tacky. For example if you want to make sure that a certain prefix is learned (EXIST) from a certain router (match route-source). or your configuration will not work!!! (config-router)#neighbor x.____________________________________________________________________________________________________________________ BGP Route Summarization ____________________________________________________________________________________________________________________ BGP Routes can be summarized in the BGP process configuration using the "aggregate-address" command. SUPRESSES OTHER PREFIXES suppress-map Conditionally filter more specific routes from updates <cr> *If you need to UN-SUPRESS some prefixes from the Summary route. The big advantage is that from time to time you will just swoop in and solve a big architecture problem your colleague Network Engineers are having.SET ATTRIBUTES such as COST/METRIC using ROUTE-MAP route-map Set parameters of aggregate summary-only Filter more specific routes from updates <.0. these are the communities you can set within the route-map configuration: (config-route-map)#set community ? <1-4294967295> community number aa:nn community number in aa:nn format additive Add to the existing community internet Internet (well-known community) <-ADVERTISE these networks to ALL neighbors local-AS Do not send outside local AS (well-known community) <-ONLY advertise within the AS no-advertise Do not advertise to any peer (well-known community) <-Do not advertise to any peer. 0/24 10.0/24 [20/0] via 10.1.1.You can of course apply the BGP community attributes on the INBOUND and OUTBOUND direction.2.1.2 *> 10.13.12.FOR MPLS soo Site-of-Origin extended community ____________________________________________________________________________________________________________________ BGP & Load Balancing ____________________________________________________________________________________________________________________ If you see the same route from 2 different sources: #sh ip bgp | b Network Network Next Hop * 10. Besides these well-known community values.1.12. 00:00:04 76 cisqueros. and identify routes for virtual routing and forwarding (VRF) instances and Multi-protocol Label Switching (MPLS) Virtual Private Networks (VPNs) COST is an example of an EXTENDED COMMUNITY Attribute. Extended community attributes are used to configure. 00:00:04 [20/0] via 10.23.3. where you automatically override the existing value. It allows you to customize the local route preference.1.23.1.1.23.0/24 [20/0] via 10.13.13. It's configured under the route-map: (config-route-map)#set extcommunity cost ? <0-255> Community ID igp Compare following IGP cost comparison pre-bestpath Compare before all other steps in bestpath calculation <-CHECK THIS OUT!!! So if you need to influence the path ABSOLUTELY: (config-route-map)#set extcommunity cost PRE-bestpath 100 ? <-COST ID) IS USED AS A TIE BREAKER <0-4294967295> Cost Value (No-preference Cost = 2147483647) <-LOWER VALUE IS BETTER There are 3 EXTENDED COMMUNITY attributes: (config-route-map)#set extcommunity ? cost Cost extended community rt Route Target extended community <. 00:00:01 You can increase the MAXIMUM PATH number.3.blogspot.1. filter. and add 2 (or more) different paths to the routing table: (config-router)#maximum-paths 2 Check if the parameter "took": #sh ip protocols | i Maxim Maximum path: 1 And make sure the routing table has been updated (happens intermediately) #sh ip route bgp B 10. and in that way influence the best path selection. you can also assign a random community number and use them later as BGP TAGS.com .3 Metric LocPrf Weight Path 0 0 300 i 0 0 300 i And in the routing table only one of them appears: #sh ip route bgp B 10. blogspot.1.1.1.WITHIN ROUTE-MAP CONFIG When you want to NOT-PREPEND the LOCAL AS to the advertised prefixes: (config-router)#neighbor 10.1.the Better) ____________________________________________________________________________________________________________________ Used to influence another AS by adding or PREPENDING the AS's to the prefix using the Route Map: (config-route-map)#set as-path prepend 111 <.com .25.2 send-community extended ____________________________________________________________________________________________________________________ 1.1.1.UNIQUAL COST BALANCING When you wish to Load Balance based on each the Link BW. or you will get a message: %BGP: Propagation of DMZ-Link-Bandwidth is supported only for single-hop EBGP peers Step 3: Send the COMMUNITY (config-router)#neighbor 10.185.2 local-as 100 no-prepend When you want to REPLACE the PREPENDED AS to the advertised prefixes: (config-router)#nei 10. The configuration is somewhat weird: Step 1: Enable DMZLINK-BW (config-router)#bgp dmzlink-bw <ON BORDER AND INTERNAL ROUTERS Step 2: Configure BGP to include the BW value to external interface on extended community.1. so basically if you need to match all the prefixes that pass through the AS 65505 you do this: (config)#ip as-path access-list 10 permit ^65505$ <-you can go wild with the filters *in this case we are filtering the prefixes originated and advertised directly by AS 65505 The AS-PATH ACL can also be applied to a neighbor as a FILTER-LIST (config-router)#neighbor 172.2 local-as 100 no-prepend replace-as *"replace-as" Instructs NOT TO PREPEND the REAL AS You can do a pretty granular control here using the AS-PATCH Access Lists.2 dmzlink-bw BE SURE the neighbor is a SINGLE HOP eBGP PEER. per neighbor: (config-router)#neighbor 10.1. AS-Path (The less ASs in the path . This feature is used together with BGP MULTIPATH to advertise the exit links BW as EXTENDED COMMUNITY to iBGP peers. You do need a basic knowledge of META Language for this.45 filter-list 10 in 77 cisqueros. or _ or whatever) .12.blogspot.com .Logical OR .REMINDER of the META Characters: ^ $ | _ ? * + (x) [x] .2 remote-as 64500 neighbor 172.ZERO OR MODE instances of the PRECEDING character . Weight (the Higher .END of Line .ZERO instances of the PRECEDING character .Wildcard where any position can match the position in AS-Path . You can use the MATCH condition. set weight 500 And apply the route-map to a neighbor in the INBOUND direction (prefixes coming IN. First you need to set up the route-map.2 weight 500 78 cisqueros.12. route-map SET_WEIGHT permit 10 match .. meaning .are announced by that neighbor): router bgp 65535 neighbor 172.21..Any Character After this you just match this condition in the route-map in order to set some parameter later: (config-route-map)#match as-path 10 ____________________________________________________________________________________________________________________ 2.12.ANY DELIMETER (.21.12. In this case we will apply the weight to all the prefixes announced by a neighbor. .2 remote-as 64500 neighbor 172.21.21.START of Line .2 route-map SET_WEIGHT in Or you can simply apply the WEIGHT attribute to the neighbor directly: router bgp 65535 neighbor 172. but you don’t have to.ONE OR MORE instances of the PRECEDING character . Used ONLY LOCALY to influence the LOCAL AS by assigning the WEIGHT attribute to prefixes learned from a BGP Neighbor.the Better) ____________________________________________________________________________________________________________________ It's a CISCO Proprietary Attribute.Combine the enclosed String as a single entity . to IGNORE the AS-Path attribute.____________________________________________________________________________________________________________________ 3. unless RE-WRITTEN. WAY 2: SUPERSEEDS the 1st way Applied INBOUND to the LEARNED routes we want to PREFER.0. but in the real world most ISPs will DISCARD the MED attribute to try and enforce the HOT POTATO strategy. Step 1: Define a PREFIX LIST with the PREFIXES you want to assign the Local preference to: (config-router)#ip prefix-list LOCPREF_PREFIXES seq 5 permit 1.4 route-map LOCPREF_PREFIXESRM out *configuration similar to the one explained below. HIDDEN COMMAND on IOS!!! *BE CAREFULL with the second command.Optional and Non-Transitive.blogspot. If you wish to RE-ARRANGE the Attribute Comparison order. regardless of the AS-Path). This is the most similar Attribute to the OSPF Metric that there is in BGP. and for example wish to compare the MED value before the AS-Path (meaning prefer the lower MED. MED (Multi Exit Discriminator) ____________________________________________________________________________________________________________________ * Attribute. setting the Local Preference and applying it OUTBOUND: (config-router)#nei 10.0/8 Step 2: Define a ROUTE-MAP to match the PREFIX and SET THE LOCAL PREFERENCE (in this case 500): (config)#route-map LOCPREF_PREFIXESRM permit 10 (config-route-map)# match ip address prefix-list LOCPREF_PREFIXES (config-route-map)#set local-preference 500 79 cisqueros. you can use this command under the BGP configuration: (config-router)#bgp always-compare-med <-to compare MED value even if there is higher ranked attribute (config-router)#bgp bestpath as-path ignore <--. the TAB key will not work and the "?" will not show you the "as-path" option By default the MISSING MED value is considered the BEST one because on most IOS-s it picks up the value 0.1. If we configure this one.0.com . It OVERWRITES the Local Preference announced by the upstream BGP Neighbors. DEFAULT: 100. In the CCIE the MED can be used to also influence the ISP BGP Neighbors to prefer one or the other point of exit of your network. It makes no sense to compare MED values of the learned BGP routes from different ASs. because they are both used to influence the other AS by tuning the attributes of the Locally Originated and Advertised Prefixes. and apply it to the BGP Neighbor in the OUTBOUND direction MED is used only for the routes from one AS to another. within the Way2. There are 2 ways to configure the LOCAL PREFERENCE WAY 1: TRY AND INFLUENCE DOWNSTREAM BGP NEIGHBORS. You can simply set it (set metric X) within the route-map configuration. LOCAL PREFERENCE ____________________________________________________________________________________________________________________ It's used to PREFER AN EXIT POINT of a LOCAL BGP AS.34. The nature of this attribute is similar to the AS-Path. Bigger is Better. The Smaller the Better Router will compare the MED attribute for paths only from BGP peers that reside in the same autonomous system. To change this use: (config-router)#bgp bestpath med missing-as-worst <.Treat the non-defined MED as the WORST ____________________________________________________________________________________________________________________ 4. RFC 1771 . (config-router)#bgp default local-preference 500 The same effect is achieved by defining a ROUTE-MAP. all the routes we announce will have Local Preference 500. where if the route is not destined for the providers network it prefers sending the traffic out to another provider ASAP. 255 (config-router)#neighbor 5.0.com .5.START of Line . INBOUND!!! (config-router)#nei 10.1 Metric LocPrf Weight Path 0 500 0 100 i <. if you cannot reach the IP in the Next Hop.0. and check the BGP table: #clear ip bgp * in #sh ip bgp | i 1.ONE OR MORE instances of the PRECEDING character .0.LOC. and apply the same prefix list to the BGP neighbor (config-router)#neighbor 5.Step 3: Apply the ROUTE-MAP to the BGP process. .Any Character 80 cisqueros.PREF IS 500 BE CAREFULL WITH THE NEXT HOP!!! So.0 10.5 distribute-list 1 in PREFIX LIST: You define the PREFIX list.5.0.END of Line .5 prefix-list PREF_LIST in ____________________________________________________________________________________________________________________ BGP: Regular Expressions ____________________________________________________________________________________________________________________ !!!Additional and Legacy protocols>IOS Terminal Services Configuration Guide>APPENDIXES (within the Cisco Docs) REMINDER of the META Characters ^ $ | _ ? * + (x) [x] .25.Logical OR .14. and within it alter the next hop.12.1.ZERO instances of the PRECEDING character .5.5.4 route-map LOCPREF_PREFIXESRM in Step 4: Clear the BGP process INBOUND. ____________________________________________________________________________________________________________________ BGP Filters: Distribution and Prefix lists ____________________________________________________________________________________________________________________ The main difference between applying the DISTRIBUTE list and the PREFIX list to the BGP neighbor is: DISTRIBUTE LIST: You need to define the ACL.0 0.0 Network Next Hop *>i1. do this: (config-router)#neighbor 10.1.0.34.ZERO OR MODE instances of the PRECEDING character .0.Combine the enclosed String as a single entity . and apply it in the form of a Distribution List: (config)#access-list 1 deny 172.4 next-hop-self <-POINT TO ME TO REACH ALL THE PREFIXES I KNOW AND YOU DONT The alternative to this is to add a ROUTE-MAP pointing to the neighbor.Wildcard where any position can match the position in AS-Path .34.1.ANY DELIMETER .blogspot. h history.5 Status codes: s suppressed. It's used to reduce iBGP mesh.0.* . use the CONFEDERATION IDENTIFIER AS THE AS: (config-router)#neighbor 10.45.Prefixes that traversed the AS 65505 ^$ .Locally Originated Prefixes (START and END of the line) .ANY prefix (zero or more instances of ANY character) ^[0-9]+$ .1.0 2.Prefixes that END with the AS 65505.0 4.4 10.5. meaning .0 3.internal.1.1.EGP.0. so instead of the expression ^300$ you would have to type #show ip bgp regexp (^300$)(_\1)*$ You can also display the Filter List before applying it to the neighbor: #show ip bgp filter-list 1 ____________________________________________________________________________________________________________________ BGP Confederations ____________________________________________________________________________________________________________________ BGP Confederation Identifier is used to configure a GROUP OF SMALL ASs as a SINGLE AS.5.0 Next Hop 10.0 Metric LocPrf Weight 0 0 0 0 0 0 32768 Path 250 i 250 i 250 i 250 i i 81 cisqueros.4 10.45.0.com .0.45.IGP.0.incomplete *> *> *> *> *> Network 1. local router ID is 5. BUT LOCAL If you want to create the NEIGHBOR with the confederation. you need to add a MEMORY location you want to temporarily place the results. e .45. S Stale Origin codes: i . > best.they were originated by that AS _65505_ . r RIB-failure.1.0. and make sure all the prefixes are sourced by the VIRTUAL AS 250: (config-router)#do sh ip bgp BGP table version is 14.All the prefixes from DIRECTLY CONNECTED ASs (meaning .0. d damped.4 0.45.4 remote-as 250 Check the BGP table.0.0 5.4 10.0.0.EXAMPLES (REMEMBER THESE!!!) _65505$ .blogspot.they have only 1 AS in the AS PAth) BEFORE CREATING THE AS-PATH ACL: If you want to STOP using the recursive algorithm in order to be able to control more complex regular expressions (config-router)#bgp regexp deterministic Now you can actually DISPLAY the prefixes that match your condition in the AS-PATH before defining the AS-PATH ACL #show ip bgp regexp REGULAR_EXPRESSION *There is a TRICK here. i .1.0. ? . * valid. you need to configure all the directly connected eBGP peers (this command is not needed if there are no eBGP sub confederation peers): (config-router)#bgp confederation peers 65505 65409 65111 <-DEFINE ALL ASs WITHIN CONFEDERATION.0. On ALL the routers within ALL ASs issue the command: (config-router)#bgp confederation identifier 250 Once the Identifier is configured. 3. local AS number 65001 BGP table version is 1.3 update-source Loopback0 ! address-family vpnv4 neighbor 3.45.3 activate Make sure you´re checking for the neighbors under the VPNv4 UNICAST Address Family: #sh bgp vpnv4 unicast all summary BGP router identifier 4.3 activate neighbor 3.3 remote-as 65001 neighbor 3.4.3. When you configure the BGP PEERING with the CLIENT. due to the LOOP PREVENTION mechanism implemented in BGP (routes that have the same AS in the AS-PATH will not be accepted in the routing table). commands entered under the router bgp command apply to the IPv4 address family. This will continue to be the case unless you enter the ¨"no bgp default ipv4-unicast" as the first command under the router bgp command: (config-router)#no bgp default ipv4-unicast *The PEERING will NOT be established. you should configure it under that specific AF: router bgp 65001 no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 3.com .blogspot.4.3.ONLY 1!) Another way would be to OVERRIDE the AS number on the PE.1.4.5 activate <-COMMAND ADDED AUTOMATICALLY STARTING FROM 12.1. unless you do the ACTIVATE command under the BGP process: (config-router)#address-family vpnv4 (config-router-af)#neighbor 3. To change this behavior.4 no synchronization exit-address-family 2.____________________________________________________________________________________________________________________ MP-BGP (Multi-Protocol BGP) ____________________________________________________________________________________________________________________ By default. This way the PE advertises BGP routes with its own AS number attached instead of the ORIGINATING AS: (config-router-af)#neighbor 10. note 2 things: 1.3. The separate IPv4 VRF process has been created under the BGP.1.3.3. and you´re configuring the BGP peering with the CLIENT router within the VRF assigned to that client. on clients CE do: (config-router)#neighbor 10.1.3.1 as-override 82 cisqueros.3 4 65001 19 19 1 InQ OutQ Up/Down 0 0 00:03:47 State/PfxRcd 0 When you have various VRFs on the router.13.4 allowas-in ? <1-10> Number of occurances of AS number (I RECOMMEND TO NOT EXAGERATE. SO .3.3.3 send-community extended exit-address-family ! address-family ipv4 vrf CLIENT_VRF <-AUTOMATICALLY CREATED AF UNDER THE BGP neighbor 10.45.5 remote-as 65015 <-ADD PEERING WITH THE CLIENT neighbor 10. On the CLIENT side you will NOT LEARN the BGP routes announced by other CEs of the same client.45.3.3. main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer 3.3. 22222)/2 = 11111 So when you're MATCHIN THE METRIC of the EIGRP within the Route Map: (config-route-map)#match metric 33333 +.0.____________________________________________________________________________________________________________________ Route Redistribution TIPs ____________________________________________________________________________________________________________________ RIP: Metric are HOPS.INTERNAL on ABR.0 10 <. so> METRIC = 22222 + 44444 /2 = 33333 DEVIATION = (44444 .ACL 4 includes the Router-ID Also the SOURCE PROTOCOL can be matched. for LOOP PREVENTION.10 is an ACL. EXTERNAL on ASBR HAVE IN MIND that SOURCE IP and SOURCE PROTOCOL can be matched within the Route-maps. MATCH IP ROUTE-SOURCE in the Route-map In OSPF it's not the NEXT HOP but the ORIGINATOR Router-ID of the PREFIX (config-route-map)#match ip route-source 4 <. like 22222 and 44444. when we wont to PREVENT certain protocol prefixes in the Route Table: (config-route-map)#match source-protocol ? bgp Border Gateway Protocol (BGP) connected Connected eigrp Enhanced Interior Gateway Routing Protocol (EIGRP) isis ISO IS-IS mobile Mobile routes ospf Open Shortest Path First (OSPF) rip Routing Information Protocol (RIP) static Static routes <cr> EIGRP: When you have a COMPOSITE METRIC. then the METRIC VALUE is the MIDDLE.blogspot.com . it's OPTIONAL.3.3 0. To remove it: (config-router)#no discard-route [internal | external] <.0. so if you want next router not to learn it set the HOPS to 16 (max): (config-rmap)#set metric 16 !!!NOTE that RIP will not advertise a route if it didn’t make the ROUTING TABLE OSPF: You might need to TUNE THE ADMINISTRATIVE DISTANCE: (config-router)#distance 150 3. and 150 is the new AD DISCARD ROUTE is a route injected automatically when we SUMMARIZE OSPF.11111 83 cisqueros.3. QoS 84 cisqueros.com .blogspot. like BECN (config-pmap-c)#shape ? adaptive average fecn-adapt Enable Traffic Shaping adaptation to BECN configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]].In the default conditions.com .. but better for MEMORY. send out Bc only per interval Enable Traffic Shaping reflection of FECN as BECN If normal shaping is needed on a Frame-Relay link.____________________________________________________________________________________________________________________ QoS TIPS ____________________________________________________________________________________________________________________ TIP: When you need to MAXIMIZE EFFICIENCY on a Serial Link. And apply it to an Interface directly connected to the Switch that marks the traffic: (config-if)#service-policy QoS_test in 85 cisqueros. just configure DIRECTLY ON THE INTERFACE AND configure the rest of the required parameters within the Map-Class: (config-if)#frame-relay traffic-shaping ____________________________________________________________________________________________________________________ QoS on Access Ports ____________________________________________________________________________________________________________________ When there is a CISCO Phone behind.when the notification was received.. use the COMPRESS PREDICTOR or COMPRESS STACKER (STACKER is more CPU consuming. use OVERRIDE to MARK ALL And to REMARK the DATA traffic (VLAN 3 IN THIS CASE) (config-if)#switchport priority extend CoS 1 If you want to check how the traffic is reaching the router from the configured switched interface.Cisco Phone VLAN If you want to trust the Phone CoS markings: (config-if)#mls qos trust device cisco-phone Mark all incoming traffic: (config-if)#mls qos cos 2 <-ONLY MARKS THE NON-MARKED TRAFFIC.. Shape ADAPTIVE .blogspot. and PREDICTOR the other way around) (config)#compress predictor | stacker TIP: Shape AVERAGE . make the class map on a ROUTER matching the DSCP or COS values you are interested in: (config)#class-map cos2 (config-cmap)#match CoS 2 . Then create a Policy Map that includes this Class: (config)#policy-map QoS_test (config-pmap)#Class cos2 ..data VLAN (config-if)#switchport mode access (config-if)#switchport voice vlan 5 <--. configure the port as ACCESS: (config-if)#switchport access vlan 3 <--. 0 bytes 5 minute offered rate 0 bps <--.100 Service-policy input: QOS_IN Class-map: COS1 (match-all) 0 packets. use the "class-default": (config)@policy-map SET-ALL-5 (config-pmap)#class class-default (config-pmap-c)#set ip presedence 5 And then apply it in the OUTBOUND direction on the interface: (config-if)#service-policy out SET-ALL-5 86 cisqueros. can be changed ON INTERFACE Match: cos 1 Class-map: COS2 (match-all) 5 packets. 590 bytes 5 minute offered rate 0 bps Match: cos 2 Class-map: COS4 (match-all) 0 packets. 0 bytes 5 minute offered rate 0 bps Match: cos 5 *Change LOAD INTERVAL: (config-if)#load-interval ? <30-600> Load interval delay in seconds <--.To check: #show policy-map interface Fa0/1. 0 bytes 30 second offered rate 0 bps <--.blogspot. 0 bytes 5 minute offered rate 0 bps Match: cos 4 Class-map: COS5 (match-all) 0 packets.DEFAULT IS 5 MINUTES.LOAD INTERVAL is 5 Minutes by default.com . as shown above (config-if)#load-interval 30 And now: #show policy-map interface FastEthernet0/1 Service-policy input: MATCHES Class-map: DSCP10 (match-all) 0 packets.100 FastEthernet0/1.TA-DAAAAA Match: ip dscp af11 (10) Make sure you have "mls qos trust cos" OR "mls qos cos override" configured! #show mls qos interface GigabitEthernet 3/0/2 GigabitEthernet3/0/2 trust state: trust cos trust mode: trust cos trust enabled flag: ena COS override: dis default COS: 2 DSCP Mutation Map: Default DSCP Mutation Map Trust device: none qos mode: port-based If you want all the traffic going out of a port to be marked with a particular DSCP value. blogspot.com . the DSCP REWRITE has to be enabled globally on a switch *IT IS ENABLED BY DEFAULT: (config)#mls qos rewrite ip dscp <--. THE D1:D2=0:1 MUTATES TO D1:D2=0:60 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 6 : 60 61 62 63 Dscp-dscp mutation map: Default DSCP Mutation Map: d1 : d2 0 1 2 3 4 5 6 7 8 9 --------------------------------------0 : 00 01 02 03 04 05 06 07 08 09 <--. it´s a must.HERE.DISABLE IF YOU NEED TO CONFIGURE QoS.____________________________________________________________________________________________________________________ DSCP and COS MAPPING ____________________________________________________________________________________________________________________ QoS MUTATION: If you need to RE-MARK all the packets with the particular value of DSCP/CoS Step 1: Check if the QoS has been globally enabled on the Switch: QoS_UP_SW1#show mls qos QoS is enabled QoS ip packet dscp rewrite is enabled Step 2: Define the DSCP Mutation Map: (config)#mls qos map dscp-mutation MUTATION_NAME 1 to 60 This map will re-mark all the DSCP value to 60. BUT DONT WANT TRAFFIC TO BE REMARKED TO 0 Check if it "worked": #show mls qos map dscp-mutation Dscp-dscp mutation map (D1D2 = VALUE OF DSCP): MUTATION_NAME: d1 : d2 0 1 2 3 4 5 6 7 8 9 --------------------------------------0 : 00 60 02 03 04 05 06 07 08 09 <--. but only of all the packets that have it set to 1 Step 3: Check if the "mls qos trust" command has been applied.BY DEFAULT IT STAYS 0:1 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 87 cisqueros. Apply the Mutation Map to the Physical Interface: (config-if)#mls qos dscp-mutation MUTATION_NAME Note that for this to work. ITS ALLWAYS AN OUTBOUND DIRECTION 88 cisqueros. and after a few seconds "mls qos" to be sure POLICING takes effect INDIVIDUAL POLICER: Basic.com .APPLY TO ALL CLASSES YOU WANT TO AGGREGATE THE POLICY ON (config-pmap-c)#police aggregate AGGREG ____________________________________________________________________________________________________________________ PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) ____________________________________________________________________________________________________________________ Uses 4 queues: 1. NORMAL 4. HIGH 2.for IP protocols (config)#priority-list 1 default LOW Then just apply it on an interface: (config-if)#priority-group 1 <--.MAP COS 7 to DSCP 7 #show mls qos maps cos-dscp Cos-dscp map: cos: 0 1 2 3 4 5 6 7 -------------------------------dscp: 0 8 16 24 32 40 48 7 ____________________________________________________________________________________________________________________ QoS POLICING .____________________________________________________________________________________________________________________ Map COS to DSCP on a device ____________________________________________________________________________________________________________________ #show mls qos maps cos-dscp Cos-dscp map: cos: 0 1 2 3 4 5 6 7 -------------------------------dscp: 0 8 16 24 32 40 48 56 (config)#mls qos map cos-dscp 0 8 16 24 32 40 48 7 <--. Priority-list works like an access-list.blogspot. it's processed from top to the bottom so define the MORE SPECIFFIC policies first: (config)#priority-list 1 protocol http ? high medium normal low (config)#priority-list 1 protocol ip normal udp tftp <--. LOW Define the PRIORITY LIST. per CLASS that matches a DSCP value AGGREGATE POLICER: "mls aggregate-policer": mls qos aggregate-policer AGGREG 500000 25000 exceed-action drop (config)#policy-map CISQUEROS (config-pmap)#class DSCP10 <--. MEDIUM 3.INDIVIDUAL and AGGREGATE POLICER ____________________________________________________________________________________________________________________ ! Be sure to do "no mls qos". blogspot.ALWAYS OUTBOUND!!! #show queueing custom Current custom queue configuration: List Queue Args 1 5 default 1 4 protocol http 1 3 protocol ip tcp port telnet 1 6 protocol ip udp port tftp Also the BANDWIDTH can be allocated to each of the queues using the "byte-count" parameter: (config)#queue-list 1 queue 1 byte-count 1500 ____________________________________________________________________________________________________________________ WFQ . and are serviced in ROUND ROBIN Queue 1 .MAX DYNAMIC QUEUE NUMBER IS 256 Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 1158 kilobits/sec Check the current FAIR QUEUE settings: #show queueing fair Current fair queue configuration: Interface Discard Dynamic threshold queues Serial0/1/0 64 256 Serial0/1/1 64 256 Reserved queues 0 0 Link queues 8 8 Priority queues 1 1 And apply the changes on the INTERFACE level: (config-if)#fair-queue 128 512 <-DISCARD THRESHOLD 128.DISCARD THRESHOLD is 64 Conversations 0/2/256 (active/max active/max total) <--. DEFAULT>20 QUEUE LIST defines !!!17 QUEUES!!! All queues have the SAME WEIGHT.System or Priority queue (IP Routing UPDATES do NOT go here!!! only L2 Keepalives & Neighbor Discovery) (config)#queue-list (config)#queue-list (config)#queue-list (config)#queue-list 1 1 1 1 protocol http 4 protocol ip 3 tcp telnet protocol ip 6 udp tftp default 5 Also applied on the interface: (config-if)#custom-queue-list 1 <--.If you also need to LIMIT THE QUEUE sizes PER CLASS : (config)#priority-list 1 queue-limit 80 60 40 20 <--.com . DYNAMIC QUEUES 256 (config-if)#hold-queue 1200 out <-HOLD QUEUE. MEDIUM>60 . Max number of queues a system can hold 89 cisqueros.By default works with IP PRESEDENCE ____________________________________________________________________________________________________________________ DEDICATES MORE BANDWIDTH TO THE HIGHER IP PRECEDENCE TRAFFIC!!! Check the Interface Capabilities and Thresholds on a Router: #show inter s0/1/0 | b Output Output queue: 0/1000/64/0 (size/max total/threshold/drops)<-HOLD-QUEUE LIMIT is 1000. NORMAL>40 .HIGH>80 . 2.1.1.0.1 tcp 0 0 ff rate 10 5 <-RECEIVER WITH SINGLE RESERVATION DEBUG RSVP: *Aug 22 15:54:23.0. When RSVP is enabled.0.1.112.2_0[0.112.2 10.1 lo0 10 5 ____________________________________________________________________________________________________________________ IPv6 QoS ____________________________________________________________________________________________________________________ "match ip precedence" ONLY matches the IPv4.1.2_0[0. AND 180 is SINGLE reservation To define the SENDER and the RECEIVER: (config)#ip rsvp sender-host 10. req=659606AC.2_0[0.2 1. Each ROUTER on the PATH either ACCEPTS or REJECTS the RSVP Reservation Request.IGNORE THE PORT ADDRESSES (config)#ip rsvp reservation-host 1.112.1.0]: Sending Resv message to 10.1 2.112.1.112. Unlimited Scope (config)#ip rsvp reservation-host 10.1_0->10.112.0]: Received Path message from 10.1_0->10.you wont be able to apply the service-policy OUTBOUND!!! Therefore .323: RSVP refresh interval=30000mSec *Aug 22 15:54:23.1 10.112.1.2 tcp 0 0 ? ff se wf Single Reservation Shared Reservation.112.112.323: RSVP *Aug 22 15:54:33.use "match precedence" ___________________________________________________________________________________________________________________ Match MAC ADDRESS ____________________________________________________________________________________________________________________ (config)#class-map SRV1 (config-cmap)#match sou (config-cmap)#match source-address ? mac MAC address Be careful.0. stored on the Router and forwarded down the PATH RECEIVER receives the PATH MESSAGE and forms the RESERVATION MESSAGE (RSVP Reservation Request). not IPv6 If you want IPv4 AND IPv6 to be matched .1.1.blogspot.1.400 RESERVATION. [cleanup timer is not awake] 10.112.1.create the ACL matching the MAC.1. router receives PATH message: | FROM | TO | PREV_HOP | BW | <--.1.2.com . These 0s mean .0]: Refresh RESV. based on its RESOURCES.PATH message.1 tcp 0 0 10 5 <-to GENERATE and SEND PATH MESSAGES.0. which is propagated up the exactly same route of the path message.____________________________________________________________________________________________________________________ RSVP .1 If you want the Router to be the RSVP PROXY: ip rsvp sender 10. because if you match the SOURCE MAC .595: RSVP (on FastEthernet0/0) 10.1.1. Limited Scope Shared Reservation.1.1.1.Resource Reservation Protocol ____________________________________________________________________________________________________________________ SENDER sends PATH MESSAGES through the network.2 10.1. SENDER receives the RESERVATION MESSAGE and it's ready to start the transmission First under the SOURCE and DESTINATION interface reserve the BW: (config-if)#ip rsvp bandwidth 400 180 <--.112.112.0.1 tcp 0 0 1. and match the ACCESS-GROUP 90 cisqueros.112.1_0->10. Committed Burst. MQC-Based Class Based Traffic Shaping Shaping is used only to "spread" the queue. Guaranteed by the Provider where the DE bit is set in the frames above this rate) Bc .Requires Frame Relay traffic-shaping to be configured at the interface level holdq Hold queue size for VC idle-timer Idle timeout for a SVC.Frame-Relay Traffic Shaping. it adds the delay and jitter.SHOW THE FR TRAFFIC SHAPING Interface Se0/1/0 Access Target Byte Sustain(Bc) Excess(Be) VC(DLCI)List Rate Limit bits/int bits/int 103 56000 875 7000 0 104 56000 875 7000 0 102 56000 875 7000 0 Interval(Tc) (ms) 125 125 125 Increment Adapt (bytes) 875 875 875 Active - AR. If Be is not configured in Class-Based FRTS . Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method) 3.Max number of bits that can be sent by a router (actual interface speed) CIR . but it doesn’t cause drops unless the entire queue is full.5s because RTT is by average ~ 1.blogspot. Default = none bc Committed burst size (Bc).use the MAP CLASS: (config)#MAP-class frame-relay FRTS (config-map-class)#frame-relay ? adaptive-shaping Adaptive traffic rate adjustment.com . MQC-Based Frame-Relay Traffic Shaping 4. by default it's CIR/8 because the default Tc is 125ms (Bc = CIR x Tc) !!!Magic Formula is Bc = CIR x 1. Default = 56000 bps congestion Congestion management parameters custom-queue-list VC custom queueing end-to-end Configure frame-relay end-to-end VC parameters fair-queue VC fair queueing fecn-adapt Enable Traffic Shaping reflection of FECN as BECN fragment fragmentation . Default = 0 bits cir Committed Information Rate (CIR).____________________________________________________________________________________________________________________ QoS Frame-Relay SHAPING ____________________________________________________________________________________________________________________ FRTS . Default = 7000 bits be Excess burst size (Be).it's equal to Bc For granular QoS Frame Relay control . Target Rate Mincir . Default = CIR/2 bps priority-group VC priority queueing tc Policing Measurement Interval (Tc) traffic-rate VC traffic rate voice voice options 91 cisqueros. Legacy Generic Traffic Shaping (GTS) 2.5 seconds over the big networks Be . For LEGACY FRTS to be implemented. or AIR . There are 4 general ways to implement the TRAFFIC SHAPING: 1.Average Speed. Default = 120 sec interface-queue PVC interface queue parameters ip Assign a priority queue for RTP streams mincir Minimum acceptable CIR. frame relay traffic shaping must be enabled first: (config-if)#frame-relay traffic-shaping #show traffic-shape <--.This is a TELCO DEFINED CIR (Contracted Rate.Number of NON-COMMITED bits accepted by Frame-relay switch. Bc = 8 kbps. MQC-Based Frame-Relay Traffic Shaping If you want to do the same effect using the MQC method.MINCIR (Minimum Guaranteed BW) !!!ONLY CLASS-DEFAULT IS ALLOWED OVER FR VCs!!! Now.com . 0 packets/sec Shaping adapts to BECN <--. last time pvc status changed 00:40:28 cir 64000 bc 8000 be 0 byte limit 1000 interval 125 <--. STILL in Frame-Relay the ONLY WAY TO APPLY IS THROUGH THE MAP-CLASS: (config)#map-class frame-relay FRTS (config-mc)#service-policy out FRTS (config-if)#frame-relay interface-dlci 102 (config-fr-dlci)#class FRTS 92 cisqueros.CIR*1/8 frame-relay be 16000 <-. PVC STATUS = ACTIVE.ONLY ALLOWED CLASS ON FR VC shape average 64000 8000 0 <-. 0 dequeued #show traffic-shape Interface Se0/1/0 Access Target VC List Rate 513 128000 504 512000 503 56000 502 56000 501 56000 Byte Limit 800 12800 875 875 875 Sustain bits/int 6400 25600 7000 7000 7000 Excess bits/int 0 76800 0 0 0 Interval (ms) 50 50 125 125 125 Increment (bytes) 800 3200 875 875 875 Adapt Active - 3.MINIMUM GUARANTEED BW frame-relay adaptive-shaping becn <-.2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method) Normally you do something like this: map-class frame-relay FRTS frame-relay cir 64000 <-.BECN SHAPING ENABLED pvc create time 2d19h.AVERAGE BW frame-relay mincir 32000 <-. if you need it to apply only to ONE DLCI: (config-if)#frame-relay interface-dlci 102 (config-fr-dlci)#class FRTS To check the configured shaping do: #show frame-relay pvc 201 PVC Statistics for interface Serial0/1/0 (Frame Relay DTE) DLCI = 201.Turn ADAPTIVE shaping with BECN marking enabled to indicate congestion frame-relay bc 8000 <-. INTERFACE = Serial0/1/0 input pkts 30 output pkts 31 in bytes 31120 out bytes 31154 dropped pkts 0 in pkts dropped 0 out pkts dropped 0 out bytes dropped 0 in FECN pkts 0 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 in DE pkts 0 out DE pkts 0 out bcast pkts 1 out bcast bytes 34 5 minute input rate 0 bits/sec. 0 drop.SHAPING ATTRIBUTES mincir 32000 byte increment 1000 Adaptive Shaping BECN pkts 0 bytes 0 pkts delayed 0 bytes delayed 0 shaping inactive traffic shaping drops 0 Queueing strategy: fifo Output queue 0/40. 0 packets/sec 5 minute output rate 0 bits/sec.blogspot. Be = 0 kbps shape adaptive 32000 <-.Depends on the requirements And then APPLY it under the INTERFACE: (config-if)#frame-relay class FRTS Or under the DLCI. the equivalent commands within the class map are: policy-map FRTS class class-default <-. DLCI USAGE = LOCAL.CIR = 64 kbps. blogspot. with one difference .the policy-map can be directly applied to the DLCI: (config-if)#frame interface-dlci 513 (config-fr-dlci)#service-policy output CBWFQ ____________________________________________________________________________________________________________________ QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ____________________________________________________________________________________________________________________ First enable the PIPQ globally on the Router: (config)#frame-relay interface-queue priority Then define the MAP-CLASSes: (config)#map-class frame-relay R2 (config-map-class)#frame-relay interface-queue priority ? high medium normal low And then apply the map classes to different PVCs: (config-fr-dlci)#frame-relay interface-dlci 102 (config-fr-dlci)#class R2 And define the QUEUE SIZES on the interface: (config-if)#frame-relay interface-queue <1-1024> High limit (config-if)#frame-relay interface-queue <1-1024> Medium limit (config-if)#frame-relay interface-queue <1-1024> Normal limit (config-if)#frame-relay interface-queue <1-1024> Lower limit priority ? priority 40 ? priority 40 80 ? priority 40 80 120 ? Now check the PRIORITY on the DLCI: #sh frame-relay pvc 102 | i pri priority low 93 cisqueros.#show policy-map interface s0/1/0 Serial0/1/0: DLCI 201 Service-policy output: TASK2 Class-map: class-default (match-any) 0 packets.SHAPING ATTRIBUTES Shaping Active no Frame-Relay FRAGMENTATION (define the largest packet size. end-to-end): (config-if)#frame-relay fragment 80 end-to-end 4. drop rate Match: any Traffic Shaping Target/Average Byte Sustain Rate Limit bits/int 64000/64000 1000 8000 Adapt Queue Active Depth BECN 0 Packets 0 Bytes 0 0 bps Excess bits/int 0 Packets Delayed 0 Interval (ms) 125 Bytes Delayed 0 Increment (bytes) 1000 <--. MQC-Based Class Based Traffic Shaping Like in the standard MQC configuration.com . 0 bytes 5 minute offered rate 0 bps. The LLQ scheduler only triggers WHEN THERE IS CONGESTION (When Tx ring is FULL).1.configured using MQC ____________________________________________________________________________________________________________________ .this class CAN USE MORE BW!!! "priority" . after this the packets are dropped.3 103 payload-compression packet-by-packet HEADER COMPRESSION: (config-subif)#frame-relay ip tcp header-compression ? passive Compress for destinations sending compressed headers <--.1. multiple FIFO queues . because for the VoIP traffic for example it's much better to burst in small packets: (config-pmap-c)#priority 128000 6400 <-Bc is 6400 BYTES 94 cisqueros. Unlike PRIORITY-QUEUING it uses ONLY 1 QUEUE and is NOT subject to starvation "priority 256" ensures that all traffic UP TO 256kbps is SERVED FIRST.blogspot. during congestion the exceeded traffic is DROPPED Can also be defined using the percentage using the command "priority percent X" You can define the BURST bits.COMPRESS IF THE RECEIVED TRAFFIS IS COMPRESSED <cr> You can also configure RTP Header Compression.3 403 broadcast rtp header-compression ____________________________________________________________________________________________________________________ QoS CBWFQ . so in the non-congestion situations .0. MULTIPOINT LINK: If the SUB-interface is MULTIPOINT: (config-subif)#frame map ip 10.Can be combined with WRED to prevent CONGESTION .WHEN THE SUB-INTERFACE IS POINT-TO-POINT PAYLOAD COMPRESSION.____________________________________________________________________________________________________________________ QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ____________________________________________________________________________________________________________________ (has to be configured on BOTH ENDS).Guarantees the BW.com .Only 75% of the BW can be defined (can be changed."priority" and "priority percent" command ____________________________________________________________________________________________________________________ LLQ Introduces STRICT PRIORITY to CBWFQ.Default queue limit is 64.To define the Fair Queuing: (config-pmap-c)#fair-queue [1024] <-1024 is the number of Dynamic Conversation Queues ____________________________________________________________________________________________________________________ QoS LLQ (Low Latency Queuing) . PAYLOAD COMPRESSION POINT-TO-POINT LINK: (config-subif)#frame-relay payload-compression ? FRF9 FRF9 encapsulation data-stream cisco proprietary encapsulation packet-by-packet cisco proprietary encapsulation <--. to change do: (config-pmap-c)#queue-limit 128 . "max-reserved bandwidth" command) .13.Guarantee a MINIMUM BANDWIDTH. not only TCP: (config-if)#frame-relay map ip 162. blogspot.____________________________________________________________________________________________________________________ Define the QoS Schedule (TIME-RANGE command) ____________________________________________________________________________________________________________________ Start by defining the time using the "time-range" command: (config)#time-range WEEKDAYS (config-time-range)#periodic weekdays 11:00 to 15:00 and ATTACH it to the ACL: (config)#access-list 100 permit tcp any any eq www time-range WEEKDAYS ____________________________________________________________________________________________________________________ QoS CAR (Committed Access Rate) ."rate-limit" Interface Command ____________________________________________________________________________________________________________________ It is another way of defining the CIR/Bc/Be and EXCEED.it will match the CIR/32 or 1500 Bytes (Whichever is HIGHER!!!) with Tc = 250 ms SINGLE RATE .SETS IT TO THE MINIMUM DEPENDING ON THE BW 95 cisqueros.SINGLE BUCKET: Be is DISABLED (If it´s configure the system will ignore it) BURST: Minimal Amount: (config-pmap-c)#police 10000000 bc ? <1000-512000000> Burst bytes <--.Check the PARAMETERS ____________________________________________________________________________________________________________________ NBAR (match protocol XXX) .so 1000 is the MINIMAL BURST conform-action action when rate is less than conform burst pir Peak Information Rate <cr> (config-pmap-c)#police 10000000 bc 1000 conform-action transmit exceed-actio$ Conform burst size increased to 5000 <--.if you need to match the port without the ACL ____________________________________________________________________________________________________________________ The QoS policy can also be applied in order to filter traffic of some protocol. CONFORM and VIOLATE Action directly on interface. but then it will go faster. first define the class map where you match the protocol HTTP and the URL: (config)#class-map match-all FILTER_HTTP: (config-cmap)#match protocol http url *. Instead of CLASS-MAP the ACL needs to be defined to match the traffic. For example if oyu want to filter URL of the HTTP request.com .avi <-. and ITS IN BYTES not bites!!! Consult the proctor about this!) #show interface Fa0/0 rate-limit <-.THIS WILL FILTER ALL THE MP3 AND AVI FILES VIA HTTP and then configure the DROP action within the policy: policy-map FILTER_HTTP_POLICY class FILTER_HTTP drop CEF must be enabled to run NBAR!!! (config)#ip cef First time it will take some time to MATCH the PROTOCOL as NBAR is DOWNLOADING PDLMs (Signature Files) into memory. IMPORTANT: If the Bc isn’t specified .mp3|*. in this case ACCESS-LIST 100 (config-if)#rate-limit output access-group 100 24000 3750 3750 (3750 is the BURST. discard traffic that exceeds the committed rate more aggressively and signal the customer to slow down to the committed rate. by the time there are 40 packets in the queue ONE IN EVERY 10 PACKETS will be dropped if the mark probability denominator has a value of 10.Be has a different meaning. use the same parameters for each precedence 96 cisqueros.DUAL BUCKET ____________________________________________________________________________________________________________________ DUAL RATE traffic contract: supply customer with two sending rates (CIR and PIR).PRECEDENCE VALUE 4 (number of packets) precedence 4 24 ? <.the HIGHEST value is chosen between 1500 Bytes and PIR/32 (PIR-Peak Information Rate) => Either define PIR and CIR. Bc: If Bc is not configured .Weighted Random Early Detection and CB-WRED ____________________________________________________________________________________________________________________ THRESHOLDS need to be defined (how many packets from the end of the queue are to be dropped) WRED drops SOME packets between MIN and MAX THRESHOLD (based on mark probability denominator) WRED drops ALL packets above the MAX (config-pmap-c)#random-detect <1-4096> minimum threshold (config-pmap-c)#random-detect <1-4096> maximum threshold (config-pmap-c)#random-detect <1-65535> mark probability <cr> precedence 4 ? <.blogspot. *To configure RED. It defines the MAXIMUM average sending rate for the customer. rather than WRED. So.com .the HIGHEST value is chosen between 1500 Bytes and CIR/32 Be: If Be is not configured . In case of congestion in the network.____________________________________________________________________________________________________________________ DUAL RATE . but only guarantee the smaller one.MINIMUM THRESHOLD (DROPPED packet number in the queue) (number of packets) precedence 4 24 40 ? <. Be = PIR x Te ____________________________________________________________________________________________________________________ WRED .MAXIMUM THRESHOLD is 40 denominator (config-pmap-c)#random-detect precedence 4 24 40 10 Mark probability denominator means one in how many packets are dropped. or Bc and Be !!!In DUAL RATE . Peak Information Rate (PIR) is the Additional parameter compared to SINGLE BUCKET Traffic Contract. blogspot.com .WAN 97 cisqueros. or directly to the DLCI: (config-if)#frame interface-dlci 513 (config-fr-dlci)#class R3_513 (config-if)#frame-relay interface-dlci 504 (config-fr-dlci)#class R4_504 98 cisqueros.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1.com . 850 bytes To configure the traffic SHAPING on Frame Relay interface. CBTS or simplest. There is an implemented feature called IP ACCOUNTING. changed state to down (config-subif)#backup delay 0 300 <-CONFIGURE A 5 MINUTE PREEMPT DELAY ____________________________________________________________________________________________________________________ FRAME RELAY QoS ____________________________________________________________________________________________________________________ QoS is different on Frame-relay links.Legacy MAP-CLASS: (config)#map-class frame-relay R4_504 frame-relay cir 512000 frame-relay bc 25600 frame-relay be 76800 <-SPECIAL ATTENTION WHEN CONFIGURING Be!!! *Be is a BURST when enough CREDIT has been acumulated. just do this command on the primary interface: (config-subif)#backup interface Serial 0/1/1 *Jan 12 18:23:49. (config-if)#ip accounting ? access-violations Account for IP packets violating access lists on this interface output-packets Account for IP packets output on this interface precedence Count packets by IP precedence on this interface (config-if)#ip accounting precedence input <-CHECK IP PRESEDENCE OF THE INCOMMING PACKETS Define the THRESHOLD (how many packets to monitor): (config)#ip accounting-threshold 5000 Check the accounted PRESEDENCE values: #sh inter s0/1/0 precedence Serial0/1/0 Input Precedence 0: 50 packets.blogspot. used to collect various data. so if you set BECN here this router will engage the SHAPING feature upon receiving the BECN flag in the frame And then apply it on the INTERFACE. First of all . This still means that the Bc and the Be together cannot exceed the PHYSICAL INTERFACE RATE (AIR) => (Bc+Be) x Tc <= AIR frame-relay mincir 384000 frame-relay adaptive-shaping interface-congestion (config)#map-class frame-relay R3_513 frame-relay cir 128000 frame-relay bc 6400 frame-relay be 0 <-YOU HAVE TO SET IT TO 0 IF NO BURST IT ALLOWED frame-relay mincir 96000 frame-relay adaptive-shaping [interface-congestion | becn] <-BE SURE WHAT YOU'RE ASKED TO DO HERE *BECN is a CONGESTION NOTIFICATION for the senders to slow down with SENDING RATE.about the QoS marking and how to collect this information. you can use the MQC. 5200 bytes Precedence 6: 16 packets.____________________________________________________________________________________________________________________ Frame-Relay TIPS ____________________________________________________________________________________________________________________ TIP: Make sure KEEPALIVEs are ENABLED on a Frame-Relay interface!!! The MODE of the operation of the EEK (End to End Keepalive) requests can be configured within the class-map: (config)#map-class frame-relay KEEPALIVE (config-map-class)#frame-relay end-to-end keepalive mode ? bidirectional Set bidirectional mode passive-reply Set passive-reply mode reply Set unidirectional reply mode request Set unidirectional request mode TIP: When you want to configure one interface to be another's BACKUP. 1.com .____________________________________________________________________________________________________________________ PHYSICAL INTERFACE CONFIGURATION: ____________________________________________________________________________________________________________________ .3 201 frame-relay map ip 10.255.2 255.1.0x1880).100.100.1.100.CLOCKRATE NEEDS TO BE SET or VC will not transition into UP/UP LMI .NO NEED TO ""Broadcast" TO OTHER HUBS.Disable Inverse ARP because IP/DLCI Mapping is configured manually .1.0x1870).255.255.0 encapsulation frame-relay frame-relay map ip 10.1.1 201 broadcast no frame-relay inverse-arp !!! Dont forget to check THE CONTROLLER on the interface.1.blogspot.4 201 <--.100. you can see them: #show frame-relay lmi | i Status Invalid Status Message 0 Num Status Enq.14 (up): point-to-point dlci.1 255.1.12 (up): point-to-point dlci. broadcast status defined.No need for Inverse ARP disabling.1. Sent 108 Invalid Lock Shift 0 Num Status msgs Rcvd 108 If you want to FORCE the DCE and provide the clocking: (config-if)#frame-relay intf-type dce Frame Relay Header .2 102 broadcast frame-relay map ip 10. as it's P2P Link so it's disabled by default . active 99 cisqueros.2 BYTES: | DLCI (6) | C/R (1) | EA(1) || DLCI(4) | FECN(1) | BECN(1) | DE(1) | EA(1) | | Byte 1 || Byte 2 | ____________________________________________________________________________________________________________________ POINT-TO-POINT SUB-INTERFACE: ____________________________________________________________________________________________________________________ . broadcast status defined.0 encapsulation frame-relay frame-relay map ip 10.1.Keepalives in Frame Relay.100.4 104 broadcast no frame-relay inverse-arp On SPOKE Routers: interface Serial1/0 ip address 10.12.100.100. and see if we are DTE or DCE #show controllers s1/0 If we are DCE .0 frame-relay interface-dlci 201 #show frame-relay map Serial1/0. creates extra traffic frame-relay map ip 10.21 point-to-point ip address 10. because it's a direct connection interface Serial1/0.0x1860).2 255.255.3 103 broadcast frame-relay map ip 10. active Serial1/0. dlci 104(0x68.100.100.Only define a INTERFACE DLCI. dlci 102(0x66.255.BROADCAST at the end of the MAPPING line On a HUB Router: interface Serial1/0 ip address 10. active Serial1/0.1. broadcast status defined.255. dlci 103(0x67.2 201 frame-relay map ip 10.13 (up): point-to-point dlci. 2 masks C 10.Configure the DLCI-to-IP mapping. Virtual-Access1 L 10.100.____________________________________________________________________________________________________________________ POINT-TO-MULTIPOINT SUB-INTERFACE: ____________________________________________________________________________________________________________________ . Virtual-Access1 C 10.0. 3 subnets.0/24 is directly connected.0/8 is variably subnetted.0.1.1 255. if you want to RE-USE the defined IP on a Loopback: (config-if)#ip unnumbered lo0 <-under the Virtual Template interface Now on the Routing Table the INJECTED HOST ROUTES can be found: #show ip route 10.2/32 is directly connected.100. Virtual-Access1 100 cisqueros.1/32 is directly connected.100.255. without broadcast ____________________________________________________________________________________________________________________ VIRTUAL TEMPLATE (CAN ONLY BE DONE ON MULTIPOINT OR PHYSICAL INTERFACE) ____________________________________________________________________________________________________________________ If MAPPING is not allowed: (config-if)#frame-relay interface-dlci 102 ? ppp Use RFC1973 Encapsulation to support PPP over FR switched Define a switched DLCI <cr> (config-if)#frame-relay interface-dlci 102 ppp ? Virtual-Template Virtual Template interface (config-if)#frame-relay interface-dlci 102 ppp Vir (config-if)#frame-relay interface-dlci 102 ppp Virtual-Template ? <1-200> Virtual-Template interface number (config-if)#frame-relay interface-dlci 102 ppp Virtual-Template 1 And only assign the IP Address (L3) to the Virtual Template interface: interface Virtual-Template1 ip address 10.255.0 OR.com .1.1.100.blogspot.1. 763: %LINK-3-UPDOWN: Interface Virtual-Access2.371: 11:42:23.447: 11:42:23.447: 11:42:23.371: 11:42:23.RESPONSE OUTBOUND CHAP: I SUCCESS id 1 len 4 For PAP the HOSTNAME is sent outbound (as a Challenge) using: (config-if)#ppp pap sent-username USERNAME password 0 Cisqueros 101 cisqueros.R2 is HOSTNAME of the OTHER SIDE!!! Create a VIRTUAL TEMPLATE and assign IP ADDRESSES to VIRTUAL TEMPLATE: (config-subif)#frame-relay interface-dlci 102 ppp Virtual-Template 1 *Aug 17 11:12:46. configure USERNAME as CHAP HOSTNAME: (config)#username R1 password 0 cisco12 And here is some PPP Authentication DEBUG: *Aug *Aug *Aug *Aug *Aug *Aug *Aug *Aug *Aug *Aug 17 17 17 17 17 17 17 17 17 17 11:42:23.447: 11:42:23.463: Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 PPP: Using default call direction PPP: Treating connection as a dedicated line PPP: Session handle[C400010C] Session id[266] CHAP: I CHALLENGE id 1 len 23 from "R1" <--.443: 11:42:23.371: 11:42:23.blogspot.443: 11:42:23.447: 11:42:23. changed state to up Then configure the authentication details: (config-if)#ppp chap hostname R1 (config-if)#ppp authentication chap ? <---DEFINE WHEN TO AUTHENTICATE WORD Use an authentication list with this name callback Authenticate remote on callback only callin Authenticate remote on incoming call only <---SEND CHALLENGE WHEN CALLED callout Authenticate remote on outgoing call only default Use the default authentication list eap Extensible Authentication Protocol (EAP) ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) ms-chap-v2 Microsoft CHAP Version 2 (MS-CHAP-V2) one-time Allow use of username*OTP for one-time passwords optional Allow peer to refuse to authenticate pap Password Authentication Protocol (PAP) <cr> On the other side of the P2P link.CHALLENGE INBOUND PPP: Sent CHAP SENDAUTH Request PPP: Received SENDAUTH Response PASS CHAP: Using hostname from interface CHAP CHAP: Using password from AAA CHAP: O RESPONSE id 1 len 23 from "R2" <--.____________________________________________________________________________________________________________________ FRAME RELAY AUTHENTICATION ____________________________________________________________________________________________________________________ CONFIGURED IN THE VIRTUAL TEMPLATE (refer to the description above) First in the Global Config mode define the credentials (username and password): (config)#username R2 password 0 cisco12 <--.com . Successive Successes: 0. for Interface Serial1/0 (Frame Relay DTE) VC STATUS = ACTIVE (EEK DOWN) Receive Sequence Number: 4 Configured Error Threshold: 2 Total Observed Errors: 3 Monitored Errors: 3 End-to-end VC Status: DOWN Receive Sequence Number: 2 Configured Error Threshold: 2 Total Observed Errors: 3 Monitored Errors: 3 End-to-end VC Status: DOWN Last Failure: 00:00:16 Once the FREEK has been applied to BOTH SIDES. Serial1/0.775: EEK SUCCESS (reply.blogspot. THIS SIDE REPLIES request Set unidirectional request mode <--. Failures Since Started: 1.DEPENDS IF ITS SEND OR RECEIVE SIDE 102 cisqueros. => FREEK (Frame Relay End-to-End Keepalive) is used to provide a local router status of the other end FREEK Maintains 2 interval keepalives: 1. the VC goes "UP" (both SEND and RECEIVE side). RECEIVE SIDE STATISTICS Send Sequence Number: 3. Total Observed Events: 9.____________________________________________________________________________________________________________________ FRAME RELAY End-to-End KEEPALIVE ____________________________________________________________________________________________________________________ Routers depend on LMI to maintain the ACTIVE CONNECTION. DLCI USAGE = LOCAL. Configured Event Window: 3. Configured Event Window: 3.com . Send side> Send keepalive and handle the responses 2. Total Observed Events: 8. DEBUG FREEK: #debug frame-relay end-to-end keepalive events Frame-relay EEK events debugging is on *Aug 17 13:51:42. SEND SIDE STATISTICS Send Sequence Number: 7.063: EEK SUCCESS (request. Receive side> Handle and reply the requests So it needs to be configured ON BOTH SIDES! It's configured within the MAP CLASS!!! (config)#map-class frame-relay FREEK (config-map-class)#frame-relay end-to-end keepalive ? error-threshold End-to-end keepalive error threshold event-window End-to-end keepalive event window mode End-to-end keepalive mode success-events End-to-end keepalive success events timer End-to-end keepalive timer (config-map-class)#frame-relay end-to-end keepalive mode ? bidirectional Set bidirectional mode <--. Serial1/0.DLCI 201 Before applying the FREEK to the other side of the link: #show frame-relay end-to-end keepalive End-to-end Keepalive Statistics DLCI = 102. but it’s not END-TO-END as intermediate switches may not support NNI LMIs. using: (config-map-class)#frame-relay end-to-end keepalive timer [send | receive] 3 <--. Monitored Events: 3.THIS SIDE REQUESTS. Monitored Events: 3.THE OTHER SIDE REQUESTS. Successive Successes: 0. OTHER SIDE REPLIES Once the MAP CLASS has been defined.21 .BOTH SIDES REPLY AND REQUEST passive-reply Set passive-reply mode reply Set unidirectional reply mode <--.APPLY THE DEFINED MAP CLASS *Aug 17 13:47:13. apply under DLCI on the SUB-INF: (config-map-class)#int s1/0.12 DLCI 102) FREEK TIMERS can also be tuned.21 (config-subif)#frame-relay interface-dlci 201 (config-fr-dlci)#class FREEK <--.179: %FR_EEK-5-FAILED: Interface Serial1/0.12 DLCI 102) *Aug 17 13:51:44. if you want: (config-if)#ppp multilink links maximum 2 (config-if)#ppp multilink links minimum 1 Create the MULTILINK GROUP: (config-if)#ppp multilink group 12 <--. 0 reordered 0/0 discarded fragments/bytes. and define it as PPP Multilink: (config)#interface multilink 12 (config-if)#ppp multilink Define the MAX number of links within the MULTILINK. so KEEPALIVE needs to be DISABLED!!! .ON ALL THE INTERFACES WE WANT "MULTILINKED" (config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 12 Check the Multilink: #show ppp multilink Multilink12 Bundle name: R2 Remote Endpoint Discriminator: [1] R2 Local Endpoint Discriminator: [1] R1 Bundle up for 00:01:10.12 multipoint <--.____________________________________________________________________________________________________________________ FRAME-RELAY MULTILINKING ____________________________________________________________________________________________________________________ If you need 2 LINKS to appear as ONE FRAME RELAY LINK => use PPP MULTILINK. but once you´ve been through it a few times . be sure to configure it under the VIRTUAL TEMPLATE interface: (config)#int Virtual-Template23 (config-if)#ppp authentication chap NO FRAME RELAY SWITCH: If there is NO FRAMERELAY SWITCH : THERE IS NO LMI. since 00:01:10 Vt12 (inactive) No inactive multilink interfaces *If you want AUTHENTICATION.com .blogspot. fragmentation schemes Start by creating a MULTILINK INTERFACE. load 1/255 Receive buffer limit 12000 bytes.you get the philosophy of it. This feature is also used when you need to implement the features not supported natively on Frame Relay. create a VIRTUAL-TEMPLATE interface and assign the created MULTILINK GROUP to it: (config)#interface virtual-template 12 (config-if)#ppp multilink group 12 Lastly create the MULTIPOINT sub-interface. such as Authentication. total bandwidth 100000. 1 inactive (max 2. 0x0 sent sequence Member links: 1 active. min not set) Vi4. and connect it to the VIRTUAL TEMPLATE (config)#inter serial 1/0.clock rate HAS TO BE SET ON DCE SIDE 103 cisqueros. 0 lost received 0x0 received sequence. frag timeout 1000 ms 0/0 fragments/bytes in reassembly list 0 lost fragments.DLCI should be identical on both sides . This might seem a bit illogical in the beginning.PPP MULTILINK GROUP Now. com . and POINT TO THE BROADCAST (config-if)#ip helper-address 172.185. unless the feature has been turned off.255 Make sure that the DIRECTED INTERFACE supports broadcast: (config-if)#ip directed-broadcast 104 cisqueros.____________________________________________________________________________________________________________________ FRAME-RELAY AUTO-INSTALL ____________________________________________________________________________________________________________________ A router is a BOOTP server by default.28. use the "ip helper-address".blogspot. So if you need a FR interface to get the IP address from a remote server. com .blogspot.IP Multicast 105 cisqueros. IGMP ____________________________________________________________________________________________________________________ Applications that take advantage of multicast include video conferencing. and news.a multicast group for ASM. PIM (Protocol Independent Multicast) . The sending host inserts the multicast group address into the IP destination address field. use the command: (config-if)#ip multicast rate-limit out 1000 REMINDER: SHARED TREE . IOS supports the following protocols to implement IP multicast routing: 1. corporate communications. CGMP (Cisco Group Management Protocol) perform tasks similar to IGMP Any Source Multicast (ASM) G group . distance learning and distribution of software.blogspot. Any host. only the members of a group receive the message.G) if he wants to receive IP MULTICAST TRAFFIC SENT BY SOURCE HOST S TO GROUP G.used between hosts on a LAN and routers on that LAN to track multicast groups of which hosts are members. IP multicast packets are delivered to all hosts in the network that have subscribed to the channel (S. the receiver HOST IS INDICATING THAT HE WANTS TO RECEIVE IP multicast traffic SENT BY ANY SOURCE to group G. 2. Each node will be treated as a P2P connection.used between routers so that they can track which multicast packets to forward to each other and to their directly connected LANs. and it´s done ONLY on the interfaces that should RECEIVE from ONE and SEND to ANOTHER PIM Neighbor on SAME INTERFACE TIP: Use interface commands “ip multicast boundary ACL” and “ip pim neighbor-filter ACL” to filter out IGMP Groups and PIM Neighbors TIP: To LIMIT the OUTBOUND Multicast RATE on the interface. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address. DVMRP (Distance Vector Multicast Routing Protocol) is used on the MBONE (the multicast backbone of the Internet). ASM group should only be used by a single application!!! Source Specific Multicast (SSM) A datagram delivery model that best supports one-to-many applications (targeted for AUDIO and VIDEO) IP multicast receiver host must use IGMP Version 3 (IGMPv3) to subscribe to channel (S. This way there will not be a pseudo broadcast to detect PIM neighbors.com . 4. However. can send to a group. G). stock quotes. besides the "pim sparse-mode" configure the "ip pim nbma-mode". and multicast sources. The software supports PIM-to-DVMRP interaction.The traffic goes to the RP first SOURCE BASED TREE .____________________________________________________________________________________________________________________ Multicast TIPS ____________________________________________________________________________________________________________________ TIP: On Frame-Relay. 3. 106 cisqueros.Directly send the traffic to the Multicast clients If you need to define the BW limit to switch to the SOURCE BASED TREE: (config)#ip pim spt-threshold 128 ____________________________________________________________________________________________________________________ Multicast . IGMP . in this example to 1Mbps. regardless of whether it is a member of a group. By joining this group. Bidir Capable. PIM can operate in dense mode or sparse mode.13 Multicast every 30s. In dense mode. a prune message is sent back to the source.975: %PIM-5-NBRCHG: neighbor 10.1 UP on interface FastEthernet0/0 (vrf default) #sh ip pim neighbor PIM Neighbor Table Mode: B .Sends ONLY if the downstream router JOINS the Multicast Group using IGMP Protocol IGMP operates between the client computer and a local multicast router.1 FastEthernet0/0 00:01:43/00:01:29 v2 1 / S NOTE that there is still no RENDEZVOUZ POINT (RP): #sh ip pim rp NO OUTPUT 107 cisqueros. PIM SPARSE mode (PIM-SM) uses a pull model to deliver multicast traffic.0. STEP 1: Enable the Multicast Routing on a Device: (config)#ip multicast-routing STEP 2: Configure the PIM MODE on the Interface (or a range). If a group has no known RP and the interface is configured to be sparse-dense mode. uses the Protocol number 103 DENSE MODE .100.1.100.0. DR .com . S . a router assumes that all other routers want to forward multicast packets for a group.State Refresh Capable Neighbor Interface Uptime/Expires Ver DR Address Prio/Mode 10. Sparse mode interfaces are added to the multicast routing table only when periodic Join messages are received from downstream routers. N . Protocol Independent Multicast (PIM) is then used between the local and remote multicast routers. Once you decide the Multicast mode you will be configuring.Sends to ALL unless the Prune Message received from the DOWNSTREAM ROUTER SPARSE MODE . and data is flooded over the interface.Default DR Priority. to direct multicast traffic from multicast server to many multicast clients. or when a directly connected member is on the interface. If a router receives a multicast packet and has no directly connected members or PIM neighbors present. it is IP routing protocol independent and can leverage whichever unicast routing protocols are used to populate the unicast routing table. the interface is treated as if it were in dense mode. DENSE MODE: (config-if-range)#ip pim dense-mode You will see the MULTICAST NEIGHBORS getting up: *Dec 9 14:37:26. the configuration is rather simple.PIM (Protocol Independent Multicast) PIM is not dependent on a specific unicast routing protocol. PIM DENSE mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network.blogspot. It uses the unicast routing table to perform the REVERSE PATH FORWARDING (RPF) check function instead of building up a completely independent multicast routing table. *Dense mode is not often used and its use is not recommended. in this case we´re doing the PIM. Switches featuring IGMP snooping derive useful information by observing these IGMP transactions. ____________________________________________________________________________________________________________________ Configure PIM Multicast ____________________________________________________________________________________________________________________ PIM (Protocol Independent Multicast) sends HELLOs to 224.Designated Router. Only network segments with active receivers that have EXPLICITLY requested the data will receive the traffic.1. Sparse. THAT IGMPv2 IS ON WHEN PIM IS ENABLED Current IGMP host version is 2 Current IGMP router version is 2 IGMP query interval is 60 seconds<-FREQUENCY OF QUERIES.2<-LOWEST SOURCE IP AS THE IGMP QUERIER IGMP querying router is 10. J . flags: DCL <-AUTOMATICALLY GENERATED WHEN PIM IS ENABLED Incoming interface: Null. z . not like with "join-group" command where the groups are PROCESS SWITCHED.224. line protocol is up Internet address is 10.SPT-bit set. 00:17:16/00:02:23. ALSO "static-group" command will cause the device to FAST-SWITCH the group. it will apply to ALL the interfaces). X . I . T . #sh ip igmp membership | b Uptime Channel/Group Reporter *.100.255.1.255 108 cisqueros.0. it doesn't cause the devices to process multicast packets themselves.0.40(1) STEP 4: IMPORTANT: Neither of the following 2 commands are not needed if the APPLICATION supports IGMP!!! If you want the host to JOIN a specific MULTICAST GROUP. s .com .MSDP created entry.1.2 Uptime 00:01:23 1d17h 2d03h Exp.0.1<-STATIC MEMBERSHIP.1 0.1.255.1 (this system) Multicast groups joined by this system (number of users): 224.0 Outgoing interface list: FastEthernet0/0.1. RP 0.1. A . M .0.245.0.1. stop 02:53 02:43 Flags 2SA 2A 2LA Interface Fa0/0 Se0/1/0 Se0/1/0 MULTICAST TIMERS AND STATE LIMITS To IMMEDIATELY STOP any kind of MULTICAST upon receiving a LEAVE message apply the "immediate leave" command (if you apply it in a Global Config mode.0. y . EXPIRE TIMER WILL SHOW "STOPPED" (ICMP: This device will respond to pings to 224. 0 leaves Multicast routing is enabled on interface Multicast TTL threshold is 0 Multicast designated router (DR) is 10.Pruned.0. B .MDT-data group sender.0.1. SET BY "ip igmp query-interval" IGMP querier timeout is 120 seconds<-"ip igmp query-timeout" IGMP max query response time is 10 seconds Last member query count is 2 Last member query response interval is 1000 ms Inbound IGMP access group is not set IGMP activity: 1 joins. Instead they just FORWARD the packets out the interface. IGMP is ALSO ENABLED!!! #sh ip mroute IP Multicast Routing Table Flags: D .0. L .1. THROUGH THE RPF-FREE PATH) OR (config-if)#ip igmp static-group 224.Hardware switched. C . 00:17:16/00:00:00 STEP 4: Check the IGMP on the interface: #show ip igmp interface fa0/0 FastEthernet0/0 is up.40 136.0.40). U .1.Local. RPF nbr 0.245.1.1. A .1.100.0.Sending to MDT-data group Outgoing interface flags: H .Received Source Specific Host Report.Dense. Z .Join SPT. Forward/Dense.SSM Group.Multicast Tunnel.Candidate for MSDP Advertisement.Joined MDT-data group.0/4): (config-if)#ip igmp immediate-leave group-list 1 (config)#access-list 1 permit 224.RP-bit set.0.224. S .Proxy Join Timer Running. P .STEP 3: Check the MULTICAST ROUTING Table NOTE that when PIM is enabled.5 *.0. State/Mode (*.1. 224. F .100. and define the ACL 1 to cover all the multicast IPs (224.0 *.39 136.1.Bidir Group.blogspot.1.URD.Assert winner Timers: Uptime/Expires Interface state: Interface.0.Register flag. you can do it with 2 similar commands: (config-if)#ip igmp join-group 224.1.1.Connected.IT WILL CAUSE UPSTREAM ROUTERS TO MAINTAIN MROUTE TABLE *static-group cannot respond to PINGs.0 15.0. Next-Hop or VCD.1/24 IGMP is enabled on interface <-THIS IS IMPORTANT. Y .1.224.1<-RESPONDS TO PING. R . 1.1.631: PIM(0): Received v2 hello on Serial0/1/1 from 10.3 *Dec 10 17:25:19.3.159: PIM(0): Neighbor (10.1.Multicast traffic runs again.13.3.4 *Dec 10 17:25:20. and when the timer expires . until the new PRUNE message is received from a DOWNSTREAM router.1.455: PIM(0): Send periodic v2 Hello on Serial0/1/0.1 *Dec 10 17:24:50.34.4) Hello GENID = 6520 *Dec 10 17:25:20.34. because it forwards the traffic assuming that there are users on all routers.139: PIM(0): Send periodic v2 Hello on Serial0/1/0.34 from 10.4) Hello GENID = 6520 *Dec 10 17:24:51.4 *Dec 10 17:24:50.For the applications EVERYONE wants ____________________________________________________________________________________________________________________ The DENSE mode would be a good choice if you're implementing the MULTICAST to support one of the applications that many users within your network will use.1.blogspot.107: PIM(0): Neighbor (10.34 from 10.34.4 Serial0/1/0.1.1.1 *Dec 10 17:25:19.1.159: PIM(0): Received v2 hello on Serial0/1/1 from 10. while the SHARED TREE is where all the packets are sent to RP first.199: PIM(0): Neighbor (10. and it's rooted at the SOURCE of the Multicast Stream.com . ____________________________________________________________________________________________________________________ PIM Dense Mode.34 Prio/Mode 00:14:14/00:01:17 v2 00:13:14/00:01:18 v2 1 / S 1 / S PRUNING PIM-DM keeps a timer on a PRUNED INTERFACE.13.13.13.1) Hello GENID = 4018201785 *Dec 10 17:24:50. or in the global config more) (config-if)#ip igmp limit 3 The other tune-able timers are: (config-if)#ip igmp quer? querier-timeout DEAD time of the querier query-interval INTERVAL between each 2 queries query-max-response-time .34 with GenID = 3542869676 *Dec 10 17:24:50.107: PIM(0): Received v2 hello on Serial0/1/0.395: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495 #sh ip pim neighbor | i v2 10.635: PIM(0): Neighbor (10.199: PIM(0): Received v2 hello on Serial0/1/0.13. and then redistributed to the receivers.131: PIM(0): Received v2 hello on Loopback0 from 3.131: PIM(0): Send periodic v2 Hello on Loopback0 with GenID = 3542761484 *Dec 10 17:24:51.34. You can change how often the CONTROL PACKET is sent down it's PRUNED INTERFACE (config-if)#ip pim state-refresh origination-interval 60 109 cisqueros.34.If you want to send some QUERY messages before the Router stops forwarding Multicast Traffic: (config-if)#ip igmp last-member-query-count 2 <-SEND 2 QUERY MESSAGES (config-if)#ip igmp last-member-query-interval 500 <-SEND QUERIES EVERY 500ms Another interesting setting within the mroute table is the NUMBER OF STATE CHANGES (could be configured on the interface.1 Serial0/1/1 10.1) Hello GENID = 4018201785 *Dec 10 17:25:20.1. The basic configuration consists of 2 steps: Enable the Multicast on the router and configure the Dense Mode on the interface: (config)#ip multicast-routing (config)#int lo0 (config-if)#ip pim dense-mode <-IGMPv2 IS ENABLED BY DEFAULT #debug ip pim hello <-AND OBSERVE WHAT HAPPENS *Dec 10 17:24:50.34 with GenID = 3542869676 *Dec 10 17:25:19. Remember that the SOURCE BASED TREE is the DEFAULT type.MAX time to wait between 2 queries Have in mind that PIM-SM actually builds 2 TREES: UNIDIRECTIONAL SPT (Shortest Path Tree) from SOURCE to the RP and the UNIDIRECTIONAL SHARED TREE from RP to RECEIVERS. PIM-DM .075: PIM(0): Send periodic v2 Hello on Serial0/1/1 with GenID = 3542792495 *Dec 10 17:24:51.1. ____________________________________________________________________________________________________________________ STATIC RENDEZVOUZ POINT (RP) Configuration ____________________________________________________________________________________________________________________ A rendezvous point (RP) is required in networks running Protocol Independent Multicast sparse mode (PIM-SM). In PIM-SM, traffic will be forwarded only to segments with active receivers that explicitly requested multicast data. STATIC RP CONFIGURATION NEEDS TO BE SAME ON ALL THE ROUTERS, including the RP!!! Specify the router to be the RP for a specific group: (config)#ip pim rp-address 192.168.0.0 [override] [access-list 1] *If the override keyword is not specified and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static group-to-RP mappings. *Dec 14 19:45:20.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up #sh ip pim rp map PIM Group-to-RP Mappings Acl: 1, Static RP: 1.1.1.2 (?) Group(s): 224.0.0.0/4, Static <-WHEN ACL IS NOT SPECIFIED, BEST PRACTICE: CONFIGURE ACL WITH GROUPS TO DENY RP: 1.1.1.3 (?) If two RPs have OVERLAPPING SCOPE of Groups - HIGHER SOURCE IP WINS ____________________________________________________________________________________________________________________ DESIGNATED ROUTER (DR) Configuration ____________________________________________________________________________________________________________________ IMPORTANT: Designated Router works ONLY with IGMPv1, and it determines the Router that sends the IGMP Queries. In IGMPv2 the Querier is elected directly by the protocol (router with the LOWEST IP address), so no DR is needed. To check who the DR is currently, check for the PIM neighbors: #SH ip pim nei | i DR 10.1.12.2 FastEthernet0/0 2d01h/00:01:28 v2 1 / DR S The criteria for determining the DR on the subnet is similar like in the OSPF: - Choose the router with the HIGHEST DR PRIORITY (default is 1) - If the priorities are the same - choose the router with the highest IP address To change the DR priority, go to the interface configuration: (config-if)#ip pim dr-priority 100 To FILTER and not become NEIGHBOR with certain IPs, use the "ip pim neighbor-filter 1", where 1 is an ACL. (config-if)#ip pim neighbor-filter 1 110 cisqueros.blogspot.com ____________________________________________________________________________________________________________________ IP MULTICAST: AUTOMATIC RENDEZVOUZ POINT (Auto-RP) Configuration ____________________________________________________________________________________________________________________ Auto-RP automates the distribution of group-to-rendezvous point (RP) mappings in a PIM network. IANA has assigned two group addresses, 224.0.1.39 and 224.0.1.40, for Auto-RP. NOTE that these will work ONLY IN A DENSE MODE, which is why SPARSE-DENSE mode is REQUIRED for Auto-RP to be configured. If you need SPARSE mode you will need to manually configure the Auto-RP listener: (config)#ip pim autorp listener *If the interfaces have been configured in the SPARSE-DENSE mode, no need to manually configure the listener. You can configure 2 Routers as the RP and have them ANNOUNCE themselves as the RPs, and aside you would have the MAPPING AGENT who will COLLECT the announcements and DECIDE THE REAL RP. Auto-RP Configuration requires you to define the CANDIDATE RP, and MAPPING AGENT before you get into the configuration. STEP 1: Configure CANDIDATE-RP, so that the RP can announce itself as the RP to the other routers. The destination for these announcements is by default 239.0.1.39. SCOPE CAN BE USED TO LIMIT THE RANGE THE RP IS ANNOUNCED. (config)#ip pim send-rp-announce Loopback0 scope 2 group-list 1 *SCOPE defines the TTL, and 1 is the ACL for Multicast Groups you want the RP to announce STEP 2: ALL routers receive the announcements; ONLY MAPPING AGENT will process them. Configure the MAPPING AGENT, that will PROCESS the RP announce messages and decide RP to Group mapping. If there are more than one RPs, the one with HIGHEST SOURCE IP wins and gets announced. (config)# ip pim send-rp-discovery lo1 scope 31 When you DEBUG the Auto-RP on the MAPPING AGENT: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: rp=1.1.1.4, repl = 0, *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:42:26.019: *Dec 14 11:45:02.551: *Dec 14 11:45:02.551: *Dec 14 11:45:02.551: rp=1.1.1.3, repl = 0, *Dec 14 11:45:02.551: Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.4, RP_cnt 1, ht 181 (0): pim_add_prm:: 238.0.0.0/255.0.0.0, ver =3, is_neg =0, bidir = 0, crp = 0 create_new = 1 Auto-RP(0): Added with prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1 Auto-RP(0): Build RP-Discovery packet Auto-RP(0): Build mapping (238.0.0.0/8, RP:1.1.1.4), PIMv2 v1, Auto-RP(0): Send RP-discovery packet of length 48 on Ethernet0/0 (1 RP entries) Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.53 (1 RP entries) Auto-RP(0): Send RP-discovery packet of length 48 on Serial1/0.45 (1 RP entries) Auto-RP(0): Send RP-discovery packet of length 48 on Loopback0(*) (1 RP entries) prm_rp->bidir_mode = 0 vs bidir = 0 (238.0.0.0/8, RP:1.1.1.3), PIMv2 v1 Auto-RP(0): Received RP-announce packet of length 48, from 1.1.1.3, RP_cnt 1, ht 181 (0): pim_add_prm:: 238.0.0.0/255.0.0.0, ver =3, is_neg =0, bidir = 0, crp = 0 Auto-RP(0): Update So if you have 2 CANDIDATE-RPs and check the MAPPING AGENT: #sh ip pim rp mapping | b Group Group(s) 238.0.0.0/8 RP 1.1.1.4 (?), v2v1 Info source: 1.1.1.4 (?), elected via Auto-RP <-ELECTED DUE TO THE HIGHER IP ADDRESS VALUE Uptime: 00:01:52, expires: 00:02:05 RP 1.1.1.3 (?), v2v1 Info source: 1.1.1.3 (?), via Auto-RP Uptime: 00:02:15, expires: 00:02:43 The other routers within the domain will learn the RP IP address with the Mapping Agent as the Source: #sh ip pim rp mapp | i RP|source RP 1.1.1.4 (?), v2v1 Info source: 1.1.1.5 (?), elected via Auto-RP 111 cisqueros.blogspot.com If you want to LIMIT (FILTER) WHERE the RP announcements are forwarded, define the MULTICAST BOUNDARY on the interface towards that HOST, and add the known Auto-RP Multicast IP 224.0.1.40 in ACL 1: (config)#access-list 1 deny host 224.0.1.40 (config-if)#ip multicast boundary 1 *NOTE that the DEAD TIMER is 3 minutes, so you have to be patient here When you're filtering the MULTICAST GROUPS you're announcing to the other hosts, use ANNOUNCE-FILTER: (config)#ip pim rp-announce-filter group-list 6 <-6 IS THE ACL OF ANNOUNCE DESTINATIONS FILTERING of the RP Announcements can be done using the RP-LIST, BUT WATCH OUT, THESE HAVE THE OPPOSITE LOGIC: (config)# ip pim rp-announce-filter rp-list 4 [group-list 5]<-ACL 4 PERMITS the RPs that will NOT be advertised!!! *GROUP-LIST is ACL with MULTICAST GROUPS for which you DONT want this RP to be advertised You can set the ROUTER to run the STP (shortest path tree) SWITCH ONLY if group reaches certain BW, in this case we're analysing Multicast groups in the ACL 1 if they reach 20kbps: (config)#ip pim spt-threshold 20 group-list 1 If you want to FILTER THE INCOMING groups, define the ACL and apply it DIRECTLY on the incoming interface: (config)#access-list 52 permit host 225.25.25.25 <-MULTICAST SOURCES WE WANT TO PERMIT (config)#access-list 52 permit host 226.26.26.26 (config-if)#ip igmp access-group 52 <-YOU WILL NOT HAVE IN|OUT OPTION HERE, as logical ____________________________________________________________________________________________________________________ IP MULTICAST: BSR (Bootstrap Router) Configuration ____________________________________________________________________________________________________________________ BSR has the same function as the Auto-RP, but the BSR is part of the PIM Version 2 specification. BSR interoperates with Auto-RP on Cisco routers. A BSR is elected among the candidate BSRs automatically; they use bootstrap messages to discover which BSR has the highest priority. This router then announces to all PIM routers in the PIM domain that it is the BSR. BSR ADVANTAGE: There is a PRIORITY COMMAND! Auto-RP doesn't have the option to set the Router with the Lower IP as the RP. STEP 1: Enable Multicast Routing and configure all the relevant interfaces in PIM SPARSE MODE STEP 2: Configures the router to announce its candidacy as a bootstrap router (BSR). Note that if you get the message "Warning: PIMv2 not configured", you need to configure "ip pim sparse-mode" on the interface: (config)#ip pim BSR-candidate lo0 STEP 3: Configure PIM Version 2 candidates to be the RP to the BSR, also defining the priority if needed: (config)#ip pim RP-candidate lo0 priority 100 <-LOWER PRIORITY IS BETTER, default is 0 Once the CANDIDATE RPs know the BSR address - they send UNICAST messages to BSR identifying themselves as candidates. To check the RP election, the command is the same like in Auto-RP: #sh ip pim rp mapp | b Group Group(s) 224.0.0.0/4 RP 1.1.1.3 (?), v2 Info source: 1.1.1.4 (?), via bootstrap, priority 0, holdtime 150 <-INFO SOURCE IS ALWAYS RP Uptime: 00:14:16, expires: 00:02:18 RP 1.1.1.4 (?), v2 Info source: 1.1.1.4 (?), via bootstrap, priority 50, holdtime 150 <-INFO SOURCE IS ALWAYS RP Uptime: 00:14:09, expires: 00:02:18 112 cisqueros.blogspot.com The anycast RP loopback address should be configured with a 32-bit mask. use: (config-if)#ip multicast ttl-threshold 13 *This command is under "PIM>Using MSDP to Interconnect Multiple PIM-SM Domains" in Cisco Docs (MSDP is a mechanism to connect multiple PIM-SM domains. MSDP peering is configured BETWEEN THE RPs (RPs run port 639 to synchronize the sources each one knows).4 activate (config-router-af)#network 1.1.255.1. so if you want to make sure that no multicast packet with TTL<13 goes out the interface.255 <-CAN BE KNOWN VIA OTHER PROTOCOL (config-router-af)#no auto-summary <-ALSO NEEDED WITHIN AF 113 cisqueros.255.1 mask 255. Resets: 0. MSDP peering connections need to be established between all MSDP peers: (config)#ip msdp peer 1. Anycast-IP In anycast RP.blogspot.5 (?).34. IMPORTANT: In anycast RP. all the RPs are configured to be MSDP peers of each other.1.1. two or more RPs are configured with the SAME IP ADDRESS on their loopback interfaces. IP routing will automatically select the topologically closest RP. When MULTICAST SOURCE is initiated . using the SAME command.) ____________________________________________________________________________________________________________________ IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ____________________________________________________________________________________________________________________ MSDP is the mechanism to connect multiple PIM-SM domains.1. all the RPs are configured to be MSDP peers of each other ____________________________________________________________________________________________________________________ Multiprotocol BGP (MP-BGP) & IP Multicast ____________________________________________________________________________________________________________________ First you would need to DISABLE the default BGP behavior.1.1. The purpose of MSDP is to discover multicast sources in other PIM domains. so like SCOPE feature in Auto-RP . (config-if)#ip multicast ttl-threshold 252 The same filter can be used OUTBOUND. In anycast RP.the first hop router encapsulates register messages and UNICASTSs it to the RP.you can use this to control the remote Multicast packets.FILTERING WITH TTL is another option not to forget when working on MULTICAST. among them you can define the "address-family ipv4 UNICAST" and "address-family ipv4 MULTICAST": (config-router)#address-family ipv4 unicast (config-router-af)#neighbor 100. There is an interface command that sets the TTL THRESHOLD for MULTICAST packets. SA (Source Active) messages identify the Source IP and the Group.com .2) *SA messages are used to advertise active sources in a domain. which is IPv4-Unicast: (config-router)#no bgp default ipv4-unicast Now within the BGP process you can define the Address Families (AF) Configuration Commands apart. AS ? Connection status: State: Up.1.1. Connection source: Loopback0 (1.5 connect-source lo0 #sh ip msdp peer MSDP Peer 1. In these example routers more than 3 hops away (255-252) will not reach local router. making it a host address. RP de-encapsulates and sends towards the last hop. 00:09:16/00:02:25. Forward/Sparse. The following two components together support the implementation of SSM: Protocol Independent Multicast source-specific mode (PIM-SSM) Internet Group Management Protocol Version 3 (IGMPv3).G) without sending a query: (config-if)#ip igmp explicit-tracking *Make sure you see the "T" flag in the MROUTE table: #sh ip mroute | i 232.255 (config)#ip pim ssm [range ACL | default] <-DEFAULT COVERS STANDARD SSM RANGE 239. and it enables LEAVING (S.6).0. and enable the SSM for that range in the Global Configuration mode: (config-router)#access-list 1 permit 230.0.com .6.blogspot. SSM best supports ONE-TO-MANY applications.0 0.56. you can configure a SOURCE SPEFICIS Multicast: (config-if)#ip igmp join-group 232. 232. flags: sTI <-T means TRACKED 114 cisqueros.0.____________________________________________________________________________________________________________________ IP MULTICAST: Configuring SSM (Source Specific Multicast) ____________________________________________________________________________________________________________________ Source Specific Multicast (SSM) is an extension of IP multicast where datagram traffic is forwarded to receivers from only those multicast sources that the receivers have explicitly joined. flags: sTI Incoming interface: Serial1/0.G) as soon as the last host leaves that (S.1. 00:00:27/00:02:32. 232.6.6 (10.0.24. It causes the router to TRACK ALL REPORTERS and not only the last one.0.6.56. that introduces the ability for hosts to signal group membership that allows filtering capabilities with respect to sources.6.6). 00:00:27/00:02:32 There is another option IGMPv3 allows you.0.255.6. only source-specific multicast distribution trees (not shared trees) are created.6 (10. Configuration is quite simple.0.0/8.1.1.0/8 ON Once the interface IGMP version is set. define the ACL.24. For multicast groups configured for SSM.6 source 10.1. and it's called "explicit-tracking" (IGMPv3 Interface command).255.4 Outgoing interface list: Ethernet0/0.6.0/8 DO NOT FORGET to set the IGMP version to IGMPv3 on the interfaces: (config-subif)#ip igmp version 3 Then in the Global Configuration mode set the DEFAULT mode to SSM: (config)#ip pim ssm default <-SETS USAGE OF SSM DEDICATED RANGE 232. The router CLOSEST to the RECEIVING HOSTS should have SSM enabled.6 Now Verify in the Multicast Routing Table of the UPSTREAM ROUTER (interface towards this router must be IGMPv3): #sh ip mroute | s 232.6. also known as BROADCAST applications. RPF nbr 10.6.6.6.56.6.6.0. Default SSM Scope is 232. 53.3 bidir To make sure that the router 1.G) entries from the route table. BIDIRECTIONAL PIM removes the RPF (Reverse Path Forwarding) rules. Bidir-Upstream/Sparse.35.2.3 State DF Offer count is 0 Current DF ip address 10.1. Traffic is ALWAYS sent to RP. RP 1. traffic is routed only along a bidirectional shared tree that is rooted at RP for the group.23.1. 00:00:41/00:02:48 Serial1/0. 10. The new concept was introduced as the LOOP PREVENTION within the BIDIR-PIM.____________________________________________________________________________________________________________________ IP MULTICAST: Bidirectional PIM (Bidir-PIM) ____________________________________________________________________________________________________________________ In bidirectional mode.1. Membership in a bidirectional group is signaled by way of explicit Join messages.1.1.3 Outgoing interface list: Ethernet0/0.32 df 1.1.3.1.1. and it REMOVES (S. and passed down the tree.G) state in 2 DIFFERENT DIRECTIONS for the same group address.1. 224. STEP 1: First the Bidirectional PIM needs to be enabled on ALL THE ROUTERS: (config)# ip pim bidir-enable STEP 2: Statically configure the RP.3. it's called DESIGNATED FORWARDER (DF). in a network configured as BIDIR-PIM: #sh ip mroute bidirectional | s 224.1.3.3 (*.1.1.2.1. RPF nbr 10.1. RP 1.3 DF winner up time 00:04:19 Last winner metric preference 0 Last winner metric 0 Next winner will be sent in 45360 ms Once a host joins a Multicast Group. flags: B <-BIDIRECTIONAL FLAG Bidir-Upstream: Serial1/0. DF winner is determined by IGP cost on a link by link basis.2.G) entries DESIGNATED FORWARDER (DF) is the Multicast Router that can forward (*.com . leaves ALL (*. so now traffic can go UPSTREAM if needed just to reach the RP. 00:00:41/00:00:00 115 cisqueros.3 is REALLY the DF on the interface: #sh ip pim inter s1/0. also on ALL the routers (INCLUDING THE RP ITSELF): (config)#ip pim rp-address 1.3).3 Designated Forwarder election for Serial1/0.53.1.23.blogspot. for example 234. Forward/Sparse. PIM-SM has been improved.32. 00:00:41/00:02:48.1. The first hop router is on the border between the broadcast-only network and IP multicast network.45. not to validate the UPDATE SOURCE: (config-router)#no validate-update-source 116 cisqueros.com .12.255 is the RIP packets final destination): (config-subif)#ip multicast helper-map 224. You can use this for ROUTING PROTOCOLS.1 10.1 eq rip host 255.1. for example RIP: (config-if)#ip rip v2-broadcast STEP 1: Create an extended IP access list to control which UDP broadcast packets are translated.1 101 ttl 3 STEP 3: On the LAST HOP router towards another BROADCAST network segment identify the RIP traffic using the ACL: (config)#access-list 102 permit udp host 10.1.12.1.45.255 102 STEP 5: On the INTERFACE towards the BROADCAST SEGMENT: (config-if)#ip directed-broadcast In this particular case we would also have to TUNE RIP a little bit.1.1.1.255 eq rip (config)#ip forward-protocol udp rip <-SPECIFY HOW BROADCAST MESSAGES ARE FORWARDED STEP 2: Define the HELPER MAP to convert the INCOMING BROADCAST traffic on the interface towards the incoming BROADCAST traffic INTO the MULTICAST traffic sourced by 224.1.255.1. but remember to change the updates to BROADCASTS. *NOTE that you MUST have Multicast configured between the two broadcast-only networks. in this example the RIP protocol is configured.1 with TTL 3 (only 3 hops allowed): (config-if)#ip multicast helper-map broadcast 224.1. even on the interfaces towards the BROADCASTONLY network segments.1 any eq rip (config)#ip forward-protocol udp STEP 4: Use the HELPER MAP on the LAST HOP INTERFACE towards the MULTICAST segment (to from where the MULTICAST traffic will be coming) to CONVERT MULTICAST BACK TO BROADCAST (10.1.____________________________________________________________________________________________________________________ IP MULTICAST: Helper Map ____________________________________________________________________________________________________________________ Perform this task to convert broadcast traffic to IP multicast traffic on the first hop router. and how the BROADCAST RIP packets going from source 10.1.255.1 are matched: (config)#access-list 101 permit udp host 10.blogspot.12. 1. so if you're using the broadcasts on port UDP/3999.66 *configure on the interface towards the receiver of Multicast 117 cisqueros.168. When the next router cannot (or we don't want it to) become a PIM neighbor.blogspot. Two major steps need to be taken here: *Helper-Map is configured on BOTH INCOMING INTERFACES!!! IMPORTANT: The traffic needs to be PROCESS SWITCHED in order for Helper Map to work. configure the IGMP Helper Address in order to still receive the Multicast from that router: (config-if)#ip igmp helper-address 10.____________________________________________________________________________________________________________________ MULTICAST Helper Map & Helper-address ____________________________________________________________________________________________________________________ Helper Map is used to convert the UDP BROADCAST to MULTICAST packets.255 101 *192. Another option would be to convert BROADCAST to UNICAST packets. on BOTH routers also configure: (config)#ip forward-protocol udp 3999 STEP 1: On the BROADCAST SOURCE convert the BROADCAST traffic to MULTICAST (config-if)#ip multicast helper-map broadcast MULTICAST_GROUP ACL_PERMITTING_THE_PORT Example: (config-if)#ip multicast helper-map broadcast 239.39. we need to use this feature.15. So when by default the application is sending the BROADCAST.39 101 (config)#access-list 101 permit udp any any eq 3999 STEP 2: On the CLIENT.TARGET INTERFACE MUST SUPPORT A DIRECTED BROADCAST This feature is also used in a MULTICAST STUB.1. (config-if)#ip multicast helper-map MULTICAST_GROUP 192.39. convert the traffic BACK TO BROADCAST for the client to receive it as the application was designed.1.com . using the "ip helper-address".168.255 is the IP of the final interface. but in the broadcast form (config-if)#ip directed-broadcast . blogspot.Security 118 cisqueros.com . 187. For example .Minimal Password Length: (config)#security passwords min-length 7 Permit users to have to wait for 1 minute if they attempt to log in for 3 times. TIP: When creating a USER with only one function. 119 cisqueros.1x GLOBALLY: (config)#dot1x system-auth-control #sh dot1x all | i auth <-CHECK IF IT WORKED Sysauthcontrol Enabled EAP .____________________________________________________________________________________________________________________ Security TIPS ____________________________________________________________________________________________________________________ TIP .blogspot.11 TIP: 802.TELNET: When you need to control only access to TELNET.123.Best Practices ____________________________________________________________________________________________________________________ First you should define some RULES for the password definitions.U). on the interface: (config-if)#no ip unreachables (config-if)#no ip mask-reply <-DONT REVEAL NETWORK MASK TIP . bypassing the local security. Don't forget to enable the 802.Extensible Authentication Protocol allows the device to forward authentication request to the server.ICMP: When you want to prevent the router response with "Host Unreachable" messages (U. or a MENU. apply directly to the VTY: (config)#line vty 0 4 (config-line)#access-class 1 in <-1 IS THE LIST OF CLIENTS ALLOWED TO TELNET TIP . but only on the CONSOLE port. implement the AUTOCOMMAND feature: (config)#username TEST_USER autocommand menu NOC <-NOC IS A MENU NAME TIP: When you want to DISABLE the DOMAIN LOOKUP. and LOG it: (config)#login block-for 60 attempts 3 within 60 <.ALLOW 3 ATTEMPTS WITHIN 1 MINUTE (config)#security authentication failure rate 3 log <. that used an MD5 hashing: (config)#enable secret level 15 0 Cisco07 *TIP: If your password contains "?". there is a TRICK: (config)#line con 0 (config-line)#transport preferred none TIP: Don't forget the POLICE RATE command within the Policy-Map when you need to polica by PPS: (config-pmap-c)#police rate 100 pps TIP: When you want to DISABLE SOURCE ROUTING.1x. you need to press "ESC+Q" or “CTRL+V” before you enter the "?" sign.SNMP: You can allow only some of the HOSTS to access the routers SNMP agent: (config)#snmp-server community mYcOMMUNITY RO 22 (config)#access-list 22 permit host 11.com . just do the global command: (config)#no ip source-route ____________________________________________________________________________________________________________________ Router Security .LOG FAILED ATTEMPTS To set up a PRIVILEGE mode password.U. make sure the Conf.shtml The apply the command. SYN.x. Boots into ROM if initial boot fails. or do the INTERFACE command (enabled by default in new IOS): (config-subif)#no ip directed-broadcast Trin00 ATTACK: SYN DoS attack that uses UDP FLOODS. You should automatically DISCONNECT these sessions (CON & AUX) after some time of inactivity: (config-line)#session-timeout 300 <-DISCONNECT IF NO INPUT FOR 5 MINUTES (config-line)#exit-timeout 300 <-TERMINATE CONSOLE CONNECTION IF NO INPUT FOR 5 MINUTES If you have more than one administrator.Register is 0x2102: #sh ver | i register Configuration register 0x2102 (Ignores break. 120 cisqueros. 9600 console baud rate default) More about Configuration Register Values: http://www.cisco. If you want to do this. and you want to limit them to a certain commands. uses TCP 1524.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f. It uses IRC. so the "?" will not display it! You will also be WARNED by IOS: (config)#no service password-recovery WARNING: Executing this command will disable password recovery mechanism. so they should be disabled on the entrance to your network: (config)#access-list 102 deny icmp any any mask-request (config)#access-list 102 deny icmp any any redirect (config)#access-list 102 deny icmp any any echo TRACEROUTE uses the PORT range 33400-34400. Do not execute this command without another plan for password recovery. You can create the ACL that denies the x. mainly TCP/6667 with a client TCP/33270 ICMP echo. use "privilege EXEC".BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN" (config)#privilege exec level 9 ping (config)#privilege exec level 9 traceroute Be sure to apply the usage of the local user database on the CONSOLE PORT: (config)#line con 0 (config-line)#login local To disable showing WHO IS CURRENTLU LOGGED INTO the device: (config)#no ip finger ____________________________________________________________________________________________________________________ KNOWN ATTACKS and how to prevent ____________________________________________________________________________________________________________________ SMURF ATTACK: Large number of ICMPs sent to the Router subnets BROADCAST to provoke DoS.blogspot.27665 and UDP 27444. Are you sure you want to continue? [yes/no]: Don´t forget to configure both . ACK. *This command is HIDDEN. are used for many ATTACKS.CONSOLE Port (line con 0) and AUXILIARY Port as a backup solution (line aux 0).com .31335 Trinityv3 ATTACK: Include UDP Fragment.x.255.To define the USERNAME and assign it a MD5 Hash Password: (config)#username cisqueros secret 0 Cisco07 (config)#do sh run | i username username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/ No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router configuration and clearing the password. so think if you want to disable those as well. and define the Privilege Level 9 commands: (config)#privilege exec level 9 show interfaces <. RST. The you need to make sure HOW you want to implement it. for example to clean the screen when the MENU starts: (config)#menu MYMENU clear-screen ____________________________________________________________________________________________________________________ Configure SSH Access ____________________________________________________________________________________________________________________ Cisco Documents:Security>AAA>Secure Shell Configuration Guide: http://www.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-cfg-secure-shell.com . have in mind that you can use the variables: $(hostname) $(line) $(domain) You also have an option of creating the DYNAMIC ENTRIES as a banner. Configuring a Router for SSH Version 2 Using RSA Key Pairs In the first configuration type. Release 12.cisco. as there are 2 options: 1.____________________________________________________________________________________________________________________ BANNER and MENU Configuration ____________________________________________________________________________________________________________________ If you need to define a BANNNER to display the user restrictions.blogspot. and let user use the VARIABLES as a response: Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name 2.4T>Banner Configuration Step 1: Define the MENU TITLE (config)#menu MYMENU title & This is the AXA menu Step 2: Define the TEXT ITEMS: (config)#meny (config)#meny (config)#meny (config)#meny MYMENU MYMENU MYMENU MYMENU text text text text 1 2 3 4 Display all interfaces with their IPs Display the configuration of Fa1/0/1 Logout Exit the Menu Step 3: Specify the UNDERLYING COMMAND of each item in the MENU: (config)#menu MYMENU command 1 sh ip int br (config)#menu MYMENU command 2 sh run int fa1/0/1 (config)#menu MYMENU command 9 sh menu-exit Step 4: Define the DEFAULT action: (config)#menu MYMENU default 9 Step 5: Define the GLOBAL commands. these are the steps to follow: Step 1: Be sure to have the Hostname and the IP Domain Name configured: (config)#ip domain name SNArchs 121 cisqueros.html First step would be to make sure that all the devices within your network SUPPORT the Secure Shell. blogspot.. In this example we're allowing back in the TELNET and HTTP traffic to HOST 10. which means . How many bits in the modulus [512]: Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys.1 established TIME-BASED ACL STEP 1: define the time range using the "time-range TIMERANGE" command in the global configuration mode. This ENABLES SSHv2: (config)#crypto key generate rsa usage-keys The name for the keys will be: ES-MAT-AES-SR04.allow back the traffic from the hosts TCP session has already been established with.com .123: %SSH-5-ENABLED: SSH 2.. "rotary 5" sets the port on that line to 3005 ____________________________________________________________________________________________________________________ ADVANCED Access Lists (ACL) Configuration ____________________________________________________________________________________________________________________ TIP: ACL is applied directly to the interface using the "ip access-group" command: (config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out] TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL: (config-ext-nacl)#permit ospf any any TIP: “deny any any” doesn't affect the locally generated traffic on the router It's enough to configure the extended ACL.SNArchs Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.1.187. by defaut its 512 bits) and generate the RSA key. and to use SSH: (config)#line vty 0 4 (config-line)#login local <-WONT BE AVAILABLE AFTER SSH IS ENABLED (config-line)#transport input ssh *When testing the access via SSH don’t forget to use the "-l" to define the username: #ssh -l mat 10. keys will be non-exportable.12.12.set it using the "clock set"..[OK] % Generating 512 bit RSA keys.Step 2: Decide the key pair (in bits. or with NTP server STEP 2: attach the time-range to the ACL: (Config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE 122 cisqueros.2 You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH).[OK] *Dec 5 12:58:48. Choosing a key modulus greater than 512 may take a few minutes. keys will be non-exportable. that can later be applied to ALL VTY ports: (config)#aaa new-model (config)#aaa authentication login AAA_AUTH local Now apply it to the VTY port: (config)#line vty 0 4 (config-line)#transport input ssh (config-line)#login authentication AAA_AUTH *"rotary" command under the VTY changes the telnet port to that line.187. Be sure the Clock is correct using the "show clock".12. just to realize that there is an entire world of ACL configuration options that we never knew about. One of the awesome features is playing with the ESTABLISHED attribute. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 512 % Generating 512 bit RSA keys. and hit a question mark when you want to define a PORT.1: (config-ext-nacl)#permit tcp any range 80 23 host 10..0 has been enabled Then configure the VTY port for the user database to use (TACACS or LOCAL). and if not . it can be modified using the command "ip reflexive-list timeout X": (config)#ip reflexive-list timeout 120 <-TIME REFLEXIVE ACL EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds) 123 cisqueros.. "rotary 5" sets the port on that line to 3005 You can also apply the "autocommand" sirectly to the USERNAME. meaning .OUTBOUND ACL. and the second one inbound on the same interface. but instead of the time we permit or deny ACLs actions based on Authentication.we are making sure that the returning traffic is opposite of what went out. if we want to apply the DYNAMIC ACL to one user: (config)#username TELNET password CISCO (config)#username TELNET autocommand access-enable ____________________________________________________________________________________________________________________ REFLEXIVE ACL . we're taking care of the outgoing traffic.blogspot. for when you're pinging stuff outside your network STEP 3: Then apply the first one outbound." STEP 1: Create and EXTENDED ACL. it doesn't appear when "?" is pressed **AUTOCOMMAND links the DYNAMIC ACL to TELNET AUTHENTICATION *"rotary" command under the VTY changes the telnet port to that line..com .For Session Filtering ____________________________________________________________________________________________________________________ Applied on the outbound interface of the router. which will create a Dynamic ACL called DYN_ACL: (config)#access-list 100 dynamic DYN_ACL permit ip any any STEP 3: Apply the ACL on the interface: (config-if)#ip access-group 100 in STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature: (config-line)#autocommand access-enable host *"access-enable" is an EXEC. (config-subif)#ip access-group OUT_ACL out (config-subif)#ip access-group IN_ACL in After 5 minutes of inactivity the entries expire. for the outbound within the extended ACL configure: (config)#ip access-list extended OUT_ACL (config-ext-nacl)#permit tcp host any any eq www reflect REFLECT_ACL (config-ext-nacl)#permit tcp host any any eq telnet reflect REFLECT_ACL (config-ext-nacl)#permit tcp host any any eq https reflect REFLECT_ACL STEP 2: And on the INBOUND ACL within the extended ACL configuration: (config)#ip access-list extended IN_ACL (config-ext-nacl)#permit ospf any any <-YOU HAVE TO ALLOW THESE MANUALLY CAUSE THE PACKETS ORIGINATED BY THE ROUTER ITSELF WILL NOT BE REFLECTED (config-ext-nacl)#permit tcp any any eq bgp (config-ext-nacl)#permit tcp any eq bgp any (config-ext-nacl)#evaluate REFLECT_ACL *You should consider permitting ICMP time-excedeed and port-unreachable packets.____________________________________________________________________________________________________________________ DYNAMIC ACL (aka Lock and key ACL) ____________________________________________________________________________________________________________________ Special Feature used for AUTHENTICATION of other devices. Like the time-range. and then we CHECK THE RETURNING TRAFFIC. but be sure to allow all the needed protocols before you apply it on the interface: (config)#access-list 100 permit eigrp any any (config)#access-list 100 permit icmp any any STEP 2: Create a DYNAMIC entry in the defined ACL. The ACL is defined using "access-list 102 dynamic. When configuring. you need 2 ACLs: STEP 1 . com . There are 2 modes of TCP INTERCEPT: INTERCEPT MODE . CBAC creates TEMPORARY OPENINGS in ACLs at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. server replies with the "SYN ACK".blogspot.cisco. towards the OUTSIDE network: (config-if)#ip inspect INP_POL1 out 124 cisqueros. The following application-layer protocols can all be configured for CBAC: CU-SeeMe (only the White Pine version) FTP H. SEND RST (config)#ip tcp intercept mode watch ____________________________________________________________________________________________________________________ CBAC .the Router decides to TIME OUT the session.router only MONITORS the TCP session and sends the RST (session reset) to the Server if ACK not received (config)#ip tcp intercept list 101 <-SERVERS YOU'RE PROTECTING (config)#ip tcp intercept watch-timeout 15 <-IF ACK NOT RECEIVED IN 15 SECONDS.html Without CBAC. and send RESET to the Server.323 (such as NetMeeting. and rsh) RealAudio RTSP (Real Time Streaming Protocol) RPC (Sun RPC. Most of the multimedia protocols as well as some other protocols (such as FTP. This allows support of protocols that involve multiple channels created as a result of negotiations in the control channel. and that's where the TCP INTERCEPT does it's job waiting for the CLIENT to send the ACK and establish the TCP Session.Context Based Access Control Firewall ____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall http://www.28. The openings ALLOW RETURNING TRAFFIC (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. the transport layer. ProShare) HTTP (Java blocking) Microsoft NetShow UNIX R-commands (such as rlogin. or at most. Define the INSPECTION RULES. CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. If the ACK is NOT received . However.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book. OR YOU JEAPARDIZE THE FLOWS TCP INTERCEPT takes care that the 3-WAY TCP Handshake is correctly performed.____________________________________________________________________________________________________________________ TCP INTERCEPT .To prevent TCP SYN DoS attacks ____________________________________________________________________________________________________________________ When you want to perform LOGGING of the SYN ATTACKS using the ACLs. not DCE RPC) SMTP (Simple Mail Transport Protocol) The basic (GENERIC) CBAC is quite simple to configure.100 eq www syn log-input (config-ext-nacl)# permit ip any any <-DONT FORGET TO ADD THIS. (in TCP SYN attack thousands of TCP sessions are started with the servers. So it observes the SYN done from the OUTSIDE towards the inside Web Server (for example). RPC.1. and SQL*Net) involve multiple channels. traffic filtering is limited to access list implementations that examine packets at the network layer. and apply them on the interface: (config)#ip inspect name INP_POL1 tcp (config)#ip inspect name INP_POL1 udp (config)#ip inspect name INP_POL1 icmp APPLY the Inspection Rules to the interface.router actively intercepts the TCP session WATCH MODE . you can automatically include into the log the MAC address of the Device that forwarded the packet into the segment by simply adding to the Extended ACL: (config-ext-nacl)# permit tcp any host 192. taking out Server resources). You can also configure CBAC to specifically inspect certain application-layer protocols. rexec. 1. These are the global CBAC parameters that can be tuned: (config)#ip inspect ? WAAS Firewall and Cisco WAE interoperability configuration alert-off Disable alert audit-trail Enable the logging of session information (addresses and bytes) dns-timeout Specify timeout for DNS hashtable-size Specify size of hashtable log Inspect packet logging max-incomplete Specify maximum number of incomplete connections before clamping name Specify an inspection rule one-minute Specify one-minute-sample watermarks for clamping tcp Config timeout values for tcp connections udp Config timeout values for udp flows <cr> Also some specific HTTP types of traffic can be inspected.Port to Application Mapping ____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Context-Based Access Control Firewall http://www.13. MUST appear directly after option "http" timeout Specify the inactivity timeout time urlfilter Specify URL filtering for HTTP traffic <cr> ____________________________________________________________________________________________________________________ PAM .To allow the initiated traffic BACK IN.com .12. If specified. but we can also add 8000 and 8080 to HTTP: (config)#ip port-map http port tcp 8080 (config)#ip port-map http port tcp 8000 Check if it "worked" #sh ip port-map http Default mapping: http Default mapping: http Default mapping: http tcp port 80 tcp port 8000 tcp port 8080 system defined user defined user defined Now if you want to inspect the NEW http.2:23) tcp SIS_OPEN CBAC can be configured to inspect various traffic types. define the INSPECT operation and apply it just like in CBAC: (config)#ip inspect name INS_WEB http (config-if)#ip inspect INS_WEB out 125 cisqueros.html PAM is a way to MAP a PORT (or a group of ports) to the already defined.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book.cisco. such as JAVA: (config)#ip inspect name FW_INSPECT http ? alert Turn on/off alert audit-trail Turn on/off audit trail java-list Specify a standard access-list to apply the Java blocking. For example http is already mapped to port TCP 80.3:52287)=>(10. define the ACL with what you want to permit and apply it: (config)#access-list 100 permit eigrp any any (config)#access-list 100 permit icmp any any (config-if)#ip access-group 100 in Check the established sessions: #sh ip inspect sessions Established Sessions Session AEA5F2E0 (10.blogspot.1. or a new application. verify if the SOURCE IP is reachable via that exact interface: (config-subif)#ip verify unicast source reachable-via ? any Source is reachable via any interface rx Source is reachable via interface on which packet was received <-EXACT INTERFACE #sh ip int s1/0.html The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.cisco. This feature can also be configured using the multiple extended ACLs.Unicast Reverse Path Forwarding ____________________________________________________________________________________________________________________ Designed for DoS attacks based on SPOOFING (forging the IP source) TIP: When you see IP SPOOFING . which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination.21 | b verify IP verify source reachable-via RX 0 verification drops 0 suppressed verification drops 0 verification drop-rate !!!If the check fails. 126 cisqueros.it's a "trigger" to use the uRPF Cisco Docs: Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding http://www.____________________________________________________________________________________________________________________ uRPF . where you would DENY the traffic with your LAN IPs as source to come from the PROVIDERs network.blogspot.com . Configure the receiving interface. and this is NOT the best interface to reach the IP from which the incoming packed was sourced the packed it DROPPED. For example.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book. ____________________________________________________________________________________________________________________ Zone Based Firewall ____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration. STEP 1: Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else: (config)#class-map type inspect match-any OUTSIDE (config-cmap)#match protocol http <-WITHIN HTTP YOU CAN ALSO MATCH URL, JUST ADDING "http url "blabla" " (config-pmap)#class type inspect OUTSIDE (config-pmap-c)#drop STEP 2: Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS: (config)#policy-map type inspect OUTSIDE_POLICY (config-pmap)#class OUTSIDE (config-pmap-c)#inspect ? WORD Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection <cr> (config-pmap-c)#inspect STEP 3: Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces: (config)#zone security DMZ (config-if)#zone-member security DMZ (config)#zone security OUTSIDE (config-if)#zone-member security OUTSIDE STEP 4: Set the POLICIES between each ZONE PAIR: (config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ (config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY #show policy-map type inspect zone-pair session policy exists on zp OUT-to-DMZ Zone-pair: OUT-to-DMZ Service-policy inspect : OUTSIDE_POLICY Class-map: INSIDE (match-any) Match: protocol tcp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol udp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol icmp 0 packets, 0 bytes 30 second rate 0 bps Inspect Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytes PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example: (config)#parameter-map type inspect eng-network-profile (config-profile)#tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION 127 cisqueros.blogspot.com ____________________________________________________________________________________________________________________ CONTROL Plane Policy (CPPr) ____________________________________________________________________________________________________________________ QoS: Policing and Shaping Configuration Guide>Control Plane Policing http://www.cisco.com/en/US/docs/ios-xml/ios/qos_plcshp/configuration/12-4t/qos-plcshp-ctrl-pln-plc.html CPPr works treating the RP (Route Processor) as the VIRTUAL INTERFACE attached to the Router. You need to take care which EXACT control plane VIRTUAL SUB-INTERFACE you want to apply the policy to. 1. Control-plane HOST - Control plane for TCP/UDP traffic destined for one of the Physical Interfaces. Here you can use the PORT-FILTERING and drop automatically packets destined to a certain port. Within the class-map do, for example: (config-cmap)#match port tcp 1996 Per-Protocol filtering is also possible, so you can set selective QUEUE LIMITS for BGP, OSPF, HTTP, SNMP... 2. Control-plane TRANSIT - For transit IP packets not handled by CEF 3. Control-plane cef-exception - For the NON TCP/UDP Traffic When you are asked to limit the packets going to Routers CPU to protect from Flood Attacks - this is the answer. It's very simple actually. Define the Policy Map like in MQC for QoS, and instead of the interface, APPLY IT DIRECTLY TO THE CONTROL PLANE CBAC and Zone Based FW are all DATA Plane policies. Another type of Security Policies is a Control Plane Policy. This is quite similar to Cisco's MQC used for the QoS traffic shaping and policing. You can also use the commands like from MQC to limit (POLICE) the Control Traffic. You can use STANDARD CLASS-MAPS like in MQC to match PROTOCOL or ACLs (access-group), but you can also use, for example, the LOGGING TYPE CLASS-MAPS: (config)#class-map type logging match-any LOGGING (config-cmap)#match packets ? dropped Packets dropped by control-plane protection features <-IN ORDER TO VIEW THE CONTROL PLANE error Error packets dropped by control-plane protection features permitted Packets permitted by control-plane protection features You can also MATCH the CLOSED PORTS within the class-map, or match the FRAGMENTED PACKETS within the ACL. Within the POLICY-MAP, the actions are to POLICE based on the number of PACKETS PER SECOND and allow BURST PACKETS, or based on BW, or just PASS or DROP the traffic within the matched Class-Map (config)#policy-map POLICE_50KBPS (config-pmap)#class CONTROL_BW (config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop OR (config-pmap-c)#police rate 100 pps burst 20 packets The trick is to APPLY the Policy Map to the CONTROL PLANE: (config)#control-plane (config-cp)#service-policy input POLICE_50KBPS *Jan 3 16:34:23.467: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane cef-exception path Don't forget to check if your changes have been applied: #sh control-plane features 128 cisqueros.blogspot.com ____________________________________________________________________________________________________________________ IOS IPS (Intrusion Prevention System) ____________________________________________________________________________________________________________________ Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Cisco IOS Intrusion Prevention System http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.html IPS is watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When packets in a session match a signature, Cisco IOS IPS can take any of the actions: - Send an alarm to a syslog server or a centralized management interface - Drop the packet - Reset the connection - Deny traffic from the source IP address of the attacker for a specified amount of time - Deny traffic on the connection for which the signature was seen for a specified amount of time SDEE is application-level communication protocol, used to exchange IPS messages between IPS clients and IPS servers. If you want to configure transparent Cisco IOS IPS, you must configure bridge group before loading IPS onto a device: (config)#bridge 1 protocol [dec | ibm | ieee | vlan-bridge] *1 IS A BRIDGE-GROUP NUMBER Then apply the defined bridge group 1 to the interface you want: (config-if)#bridge-group 1 First you need to specify the location in which the router loads the SDF (Signature Definition File), because in the IOS there are NO DEFAULT SIGNATURES: (config)# ip ips sdf location disk2:attack-drop.sdf If you're configuring the IP IPS on a new router, first CREATE the IPS, name it, and define it, in this case to send the events as SYSLOG messages: (config)#ip ips name MYIPS (config)#ip ips notify log *Be sure to have a SYSLOG SERVER defined: (config)#logging 10.187.145.12 (config)#logging ON Specify where the IPS configuration will be stored: (config)#ip ips config location flash:MYIPS Apply the configured IPS to the interface: (config-if)#ip ips MYIPS out *THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES. To check the signatures: #sh ip ips signatures Cisco SDF release version S0.0 Trend SDF release version V0.0 En - possible values are Y, Y*, N, or N* Y: signature is enabled N: enabled=false in the signature definition file *: retired=true in the signature definition file Cmp - possible values are Y, Ni, Nr, Nf, or No Y: signature is compiled Ni: signature not compiled due to invalid or missing parameters 129 cisqueros.blogspot.com (D)eny. there is no need to assign the policy to VTY line later. and set the Shared Secret: (config)#tacacs-server host 10. If you put "default" instead of specifying the policy.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn. like AUX and CONSOLE ports maybe. Turn the TACACS+ authentication ON.txt file downloaded from the cisco. from where ever you try to authenticate. (config-pubkey)#(ENTER THE COPIED CONTENT HERE.txt <-COPY THE CONTENT TO LATER PASTE INTO THE KEY Now create the key: (config)#crypto key pubkey-chain rsa (config-pubkey-chain)#named-key DOWNLOADED_KEY signature (config-pubkey-key)#key-string Enter a public key as a hexidecimal number .. it's a default policy on a device. Deny-(F)low Trait=alert-traits EC=event-count AI=alert-interval GST=global-summary-threshold SI=summary-interval SM=summary-mode SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release Signature Micro-Engine: atomic-ip (INACTIVE) Signature Micro-Engine: normalizer (INACTIVE) Signature Micro-Engine: service-http-v2 (INACTIVE) Signature Micro-Engine: service-http (INACTIVE) .cisco..html This is pretty straight forward.Nr: signature not compiled because it is retired Nf: signature compile failed No: signature is obsoleted Nd: signature is disallowed Action=(A)lert. Deny-(H)ost. Define the TACACS+ as a server...com ..10 key cisco Define the source interface from which you will authenticate: (config)#ip tacacs source-interface Loopback0 Apply the authentication settings to the VTY line: (config-line)#login authentication MYTACACS Test the access via TACACS: #test aaa group tacacs+ USERNAME PASSWORD legacy 130 cisqueros. and set LOCAL DB as backup: (config)#aaa authentication login MYTACACS group tacacs+ local enable *MYTACACS is the authentication policy. In case you have a default policy.1.1. (R)eset. and type "quit") ____________________________________________________________________________________________________________________ AAA Authentication ____________________________________________________________________________________________________________________ Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting http://www. because on CCIE R&S exam you wont have to configure an actual ACS server.blogspot. You might need to generate the SDF using the . For starters be sure that the " aaa new-model" is configured. you need to ALSO define a NO_AUTH policy to apply where you don’t want TACACS.com to your flash: #more flash:downloaded_key. blogspot.com .MPLS 131 cisqueros. 255.430: %LDP-5-NBRCHG: LDP Neighbor 11.0.5.1:0 (1) is UP As the ALTERNATIVE you can use the Auto configuration.3.4.255.3:0 Ident: 5.Label Switching Router LDP . in this example Loopback 0 IP.0.3. what are you waiting for. which is a DEFAULT setting to IOS versions prior to 12.com . If you don´t .1. however. You also have to define the actual PROTOCOL for the LABEL DISTRIBUTION (LDP or TDP. do: (config)#no mpls ldp igp autoconfig As in most other protocol LDP Router-ID needs to be assigned.2. 224.4:0. keep alive interval: 30 sec Discovery hello: holdtime: 45 sec. the router select selects the IP address of the specified interface (provided that the interface is operational) the next time it is necessary to select an LDP router ID.5. The "mpls ldp router-id" command allows you to establish the IP address of an interface as the LDP router ID (L-ID). interval: 15 sec Discovery targeted hello: holdtime: 90 sec.2:0.1.2.3. which is typically the next time the interface is shut down or the address is configured. MPLS Neighbor Discovery uses Hello messages.3.blogspot.3.3:0 When you want to see other LDP PARAMETERS (can be usefull if you're looking to see what can be optimized): #sh mpls ldp param Protocol version: 1 Session hold time: 90 sec.____________________________________________________________________________________________________________________ MPLS Configuration ____________________________________________________________________________________________________________________ This post will assume that you´ve already know how the protocol works.5:0.. Local LDP Ident 3.4. interval: 10 sec Downstream on Demand max hop count: 255 Downstream on Demand Path Vector Limit: 255 LDP for targeted sessions LDP initial/maximum backoff: 15/120 sec LDP loop detection: off 132 cisqueros. so make sure you're learning the Lo0 with the /32 mask. IMPORTANT: VPMv4 Peering If MUST be /32. Be sure that all the routers have to have the L-ID reachability: config)#mpls ldp router-id lo0 [force] When you issue the mpls ldp router-id command without the force keyword. dont you know how important MPLS is. you wish to force the Router-ID to be the PHYSICAL INTERFACE of the router: (config-if)#mpls ldp discovery transport-address interface #sh mpls interfaces Interface FastEthernet0/1 Serial0/1/0.Label Distribution Protocol To configure the MPLS you first need to enable it globally on a router and on all the relevant interfaces. Port UDP-646 LSR . so under the ROUTING PROTOCOL (OSPF in this example): (config)#router ospf 1 (config-router)#mpls ldp autoconfig area 0 *if you need to specifically disable MPLS on some interface..34 Serial0/1/0.2. Local LDP Ident 3.1.go read that first.255 If.3:0 Ident: 2. Local LDP Ident 3.4.5 255.35 #sh mpls Peer Peer Peer ldp LDP LDP LDP IP Yes (ldp) Yes (ldp) Yes (ldp) Tunnel No No No BGP No No No Static No No No Operational Yes Yes Yes neighbor | i Peer Ident: 4. but it's no longer in use): (config)#mpls ip (config)#mpls label protocol ldp <-ALL THE INTERFACES WILL INHERIT IT (config)#int fa0/1 (config-if)#mpls ip <-TURN IT ON ON THE INTERFACE You will get this message: *Dec 17 18:11:50.5. so set it: (config-if)#ip address 150.3. Authentication between two MPLS neighbors can be configured PER-NEIGHBOR. or GLOBALLY. 133 cisqueros.7. label: 213 LFIB .LABEL INFORMATION BASE #sh mpls ldp bindings 177.DISCOVERY process in MPLS: There are 2 Types of Discovery: 1.1. define the ACL and apply in the global config mode: (config)#access-list 41 permit 150.com . rev local binding: tag: tib entry: 3.7. rev local binding: tag: 14 103 16 104 18 105 .1 password cisco To FILTER for which IPs exactly you´re generating the labels.for the DIRECTLY CONNECTED LDP LSRs.0/24. and how they are formed. FIRST CHECK IF THE LABEL RANGE IS CHANGED BECAUSE ROUTERS NEED TO BE RELOADED!!! The LABEL SPACE is PlatformDependent.1.2:0.1.255. and the LABEL planning is done in the DESIGN phase of the Project..0.7.3. FIB (FORWARDING Information Base) .2. #sh mpls label range Downstream Generic label region: Min/Max label: 17/199 [Configured range for next reload: Min/Max label: 100/199] #sh mpls ldp bin local tib entry: 1.for the NON DIRECTLY CONNECTED LDP LSRs. rev 35 local binding: label: 113 remote binding: lsr: 2.7.0/24. TO CONTROL WHERE YOU´RE SENDING WHICH LABELS <cr> ____________________________________________________________________________________________________________________ MPLS LFIB and Labels (Label Spacing) ____________________________________________________________________________________________________________________ Maybe the MOST important thing in the LDP.CEF table.LABEL FORWARDING INFORMATION BASE #show mpls forwarding-table IN THE CCIE LAB.0/24.2.0 0.2. (config)#mpls ldp neighbor 11. the Hellos are sent of ALL interfaces LDP is enabled 2.blogspot.255 (config)#no mpls ldp advertise-labels <-FIRST DISABLE FOR ALL (config)#mpls ldp advertise-labels for 41 ? to Access-list specifying controls on LDP peers <-OPTIONAL.0 24 lib entry: 177.. rev local binding: tag: tib entry: 2. EXTENDED Discovery . and the overall MPLS LABEL CONTROL is understanding all the TABLES.2.0/24. BASIC Discovery .0. LSR sends TARGETED Hellos to a SPECIFIC IP. gets build based on RIB (Routing Information Base) #show ip cef LIB .1.1. You can SET the RANGE of labels you want to be used on that router: (config)#mpls label range 100 199 % Label range changes will take effect at the next reload.3. SWAP the Local with the Outgoing Label IMPORTANT: FIB (ip cef) and LFIB information MUST be IN ACCORDANCE!!! EXPLICIT NULL should be configured for all the DIRECTLY CONNECTED prefixes for which you want the previous router to replace the label with "EXPLICIT NULL" label.1.com .5.35 Next Hop point2point point2point 10.35 Fa0/1 Se0/1/0.LFIB is the MOST IMPORTANT table in the MPLS Architecture.6.23.0/24 30 Pop Label 5.0/24 35 34 10. You can literally follow exactly what's happening on the router regarding the MPLS Labels and the IPs: #sh mpls forwarding-table Local Outgoing Prefix Label Label or VC or Tunnel Id 17 Untagged 7.1.0/24 36 38 11.0/24 Bytes Label Switched 0 0 0 0 0 0 0 0 0 0 0 0 0 Outgoing interface Se0/1/0.2 point2point point2point 10.34 Se0/1/0. or configured on one router and configure the ACCEPTANCE Of TARGETED LDP HELLOs on the other router using the "mpls ldp discovery targeted-hello accept": (config)#mpls ldp session protection 134 cisqueros.1.34 Se0/1/0. and therefore stops the MPLS structure from the LSRs: (config)#no mpls ip propagate-ttl forwarded (config)#no mpls ip propagate-ttl local ____________________________________________________________________________________________________________________ MPLS Session Protection ____________________________________________________________________________________________________________________ When a link between two LSRs go down .45. and forward the packet to the defined interface NOTHING in the Local Label column .4.7.45. and if they come back LIB and LFIB need to be re-populated.blogspot. The configuration consists of building a REDUNDANT link that stays up.0/24 33 Pop Label 10.s and forward as the IP traffic "Pop Label" as Outgoing Label .2 point2point "Untagged" as Outgoing Label .35 Se0/1/0.1.0/24 32 Pop Label 10.2 10.2 point2point point2point point2point point2point 10.1. This is why it might be a good idea to PROTECT THE SESSION.0/24 18 18 6.6.1.1.67.23.0/24 29 Pop Label 4. there is a special command for that. (config)#mpls ldp explicit-null LDP Conditional Label Advertising If you want to advertise or stop advertising some prefixes.Remove the TOP label. First you need to define the ACL where you PERMIT the prefixes you WANT and DENY prefixes you DONT WANT to advertise (ACL_FROM). Next router will perform the PHP (Penultimate Hop Popping) by default because Implicit Null is marked by default for all the directly connected subnets.LDP session goes down.23.35 Fa0/1 Fa0/1 Se0/1/0.5.4.1.23.1.1.12. which is used to maintain the targeted LDP session UP until the primary link comes back up.56. there is command that STOPS the TTL propagation. This feature provides faster label distribution protocol convergence when a link recovers following an outage.Remove ALL the labe.35 Fa0/1 Se0/1/0.0/24 Pop Label 10.Refers to the label above.5.0/24 34 Pop Label 10. that needs to be configured on ALL the routers.1.0/24 37 Pop Label 55.35 Se0/1/0.1.6/32 27 28 1.7. this means that Load Balancing is occurring Local & Outgoing Labels Numerical Value . Then you need ANOTHER ACL where you will define the peers these labels will be advertised to (ACL_TO) (config)#mpls ldp advertise-labels for ACL_FROM to ACL_TO If you need to HIDE the MPLS LABELS from the Customer. To enable this use the Global Config command.2.35 Se0/1/0.2.5.0/24 28 Pop Label 2.1. 3 255. default VPNID <not set> No interfaces <-NO INTERFACES!!! VRF Table ID = 212 Export VPN route-target communities RT:1:100 Import VPN route-target communities RT:1:100 VRFs have more or less similar phylosophy like VLANs .blogspot.RT to be used as an IMPORT FILTER.3.____________________________________________________________________________________________________________________ MPLS VRFs. round-trip min/avg/max = 28/28/32 ms MP-BGP: When you create RD and RT.1.13. default RD 1:20. Simply put .3 send-community extended "route-target export" . That is why when you configure the VPNv4 AF under the MP-BGP. and sticks the RD to it.255.255. 135 cisqueros. "Route Target Import|Export" command defines the RT. used to make the VRF prefix unique within the cloud.13. "route-target import" . notice that the new address family appears within the BGP process: address-family ipv4 vrf CB *When the ROUTE-TARGET is not imported and exported where needed between the MP-BGP neighbors .0 *YOU WILL BE ABLE TO PING THE NEIGHBOR ON THIS INTERFACE ONLY UNDER THE VRF: #ping vrf CA 10. 100-byte ICMP Echos to 10.1.1.13.1.you need to assign the interfaces to the VLAN.13. To configure a VRF instance on a router with a name VRF_1 do (This name is LOCALLY SIGNIFICANT): (config)#ip vrf VRF_1 STEP 2: RD and RT Within the VRF you will need a Route Distinguisher (RD). STEP 1: VRF. and you have the BGP configured. RD (Route Distinguisher) and RT (Route Target) ____________________________________________________________________________________________________________________ VRF stands for Virtual Router Forwarding. NEVER BETWEEN CEs!!! PE takes the update it receives from CE.1 Sending 5. you automatically get the following command under the BGP process (IF NOT.the routes will NOT advertised via BGP. ADD IT MANUALLY) (config-router-af)#neighbor 3. NOTE that the IP address of the interface will automatically be removed: (config-if)#ip vrf forwarding CA % Interface Serial0/1/1 IP address 10. which is a BGP Extended Community that indicated which routes should be exported/imported from MP-BGP to VRF. and the Route Target (RT) that you will later IMPORT/EXPORT to define the end-to-end communication of the VRF: (config-vrf)#rd 1:10 <-VRF IS NOT ACTIVE UNTIL RD IS DEFINED (config-vrf)#route-target [import|export|both] 1:100 *RD does NOT indicate to which VRF the prefix belongs to!!! Route-Target is used for that.3.1. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). If you check the configured VRF at this point: #sh ip vrf det VRF CB. making the VPNv4 96-bit address.Specifies RT attached to every routed exported from the Local VRF to MP-BGP.represents another routing process within the same router.3 removed due to enabling VRF CA (config-if)#ip add 10. THESE ADDRESSES ARE EXCHANGED ONLY BETWEEN PEs. RD is a 64 bit value used to transform users IPv4 IP address into UNIQUE 96 bit address called VPNv4.com . so only the routes matching the filter are imported to VRF STEP 3: VRF INTERFACES. remote 0 MTU: local 1500. which is a connection between the two PE routers.6.4 encapsulation dot1Q 4 no cdp enable xconnect 150. send 0 packet drops: receive 0. Specify the tunneling method used to encapsulate data in the pseudo wire.1. line protocol up.com .blogspot.Create a SUB-INTERFACE under the interface pointing to your VLAN. Configured on the PE interface towards the CE. remote 1500 Remote interface description: Sequencing: receive disabled.____________________________________________________________________________________________________________________ L2VPN . VC status: down Output interface: none. send disabled VC statistics: packet totals: receive 0.6.6:0 up MPLS VC labels: local 32.you need to create a TUNNEL to traverse the NON-MPLS part #show mpls l2transport vc detail Local interface: Fa0/1. send 0 136 cisqueros. send 0 byte totals: receive 0.4 up. and 2 is a VIRTUAL CIRCUIT IDENTIFIER (VCI) remote circuit id 2 If there is no MPLS IN THE ENTIRE PATH . seq error 0.1.6. and define the Dot1Q encapsulation on it: (config)#interface FastEthernet0/1. last status change time: 00:04:48 Signaling protocol: LDP. VC ID: 2.1. imposed label stack {} Preferred path: not configured Default path: no route No adjacency Create time: 00:04:55.AToM (Any Transport over MPLS) ____________________________________________________________________________________________________________________ AToM encapsulates Layer 2 frames at the ingress PE and sends them to a corresponding PE at the other end of a pseudo wire. (config-if)# xconnect peer-router-id vcid encapsulation mpls Used to interconnect VLANs of the remote MPLS CE routers. AToM uses MPLS as the tunneling method.6 2 encapsulation mpls <-DESTINATION PE IP ADDRESS. The combination of the peer router ID and the VC ID must be unique on the router. Two circuits cannot use the same combination of the peer router ID and VC ID. The egress PE removes the encapsulation and sends out the Layer 2 frame. peer 150. remote 31 Group ID: local 0. Eth VLAN 4 up Destination address: 150.6. IPv6 137 cisqueros.com .blogspot. 27f0. find the MAC address of the highest interface. not routable via global BGP EUI-64 .be5d. it will not give you the NAME options. and modify it.27f0 (bia 001e. Router discovery FC00::/7 Unique Local.blogspot. but it can be done: (config)#ipv6 access-list ACL_IPV6 2.always use the /64 addresses for all the INTERFACES (MAC can be converted into EUI-64 format to get the interface address) Router can assign the HOST portion of the Network AUTOMATICALLY using the MAC of the first LAN interface: (config-if)#ipv add 2:2:2:2::/64 eui-64 When you need to MANUALY do this. so first enable IPv6 globally on the Router/Switch: (config)#ipv6 unicast-routing On a ROUTER you should enable IPv6 on an interface: (config-if)#ipv6 enable LINK-LOCAL address is generated based on the interfaces MAC Address by doing "ipv6 enable" Assign the UNICAST IPv6 address: (config-if)#no switchport <--. Inverse ARP has been removed. When you try to configure the IPv6 ACL. Neighbor discovery. Add "FFFE" in the middle. so for NBMA networks we need to provide a static L2-L3 mapping TIP: before enabling IPv6 on a router and configuring the interfaces male sure there is a IPv4 connectivity IPv6 is not enabled by default. for example Fa0/0.be5d. Apply the filter DIRECTLY ON THE INTERFACE using the IPv6 Traffic Filter: (config-if)#ipv6 traffic-filter ACL_IPV6 in ____________________________________________________________________________________________________________________ IPv6 Basics ____________________________________________________________________________________________________________________ Loopback: ::1/128 Multicast: FF00::/8 Link Local: FE80::/10 . and you get the HOST PORTION: 001e:beff:ee5d:27f0 ARP has been replaced with ICMPv6 Neighbor Discovery (ND).com . #sh int fa0/0 | i bia Hardware is Gt96k FE.be5d. and MAP the Link-Local address as well!!! TIP: To filter the IPv6 traffic have in mind 2 things: 1.DONT FORGET on 3560 OR 3750 (config-if)#ipv6 add 12:1:1::3/64 138 cisqueros. Unicast (equivalent to the IPv4 private addresses). ALWAYS configure.27f0) So MAC is 001e. address is 001e.used for stateless auto-configuration.____________________________________________________________________________________________________________________ IPv6 TIPS ____________________________________________________________________________________________________________________ TIP: When doing IPv6 over Frame-Relay. link-local address is FE80::21E:BEFF:FE5D:27F0 Global unicast address(es): 2:2:2:2:21E:BEFF:FE5D:27F0. To check the current values do: 139 cisqueros.Duplicate Address Detection confirms IP is UNIQUE! *Nov 21 08:21:03.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0 *Nov 21 08:19:12.aeea 001e.LINK-LOCAL Fa0/0 Fa0/0 You can configure the IPv6 Neighbor statically.6085.27f0 The neighbors can have one of the following statuses: .com .be5d. line protocol is up IPv6 is enabled.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA And we are finally reaching my favorite change in the IPv6. or you will get a message "% Invalid link-local address" By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism. subnet is 2:2:2:2::/64 [EUI] Assign a LINK-LOCAL IPv6 Address. the NEIGHBOR DISCOVERY and DISPLAY: #show ipv6 neighbors IPv6 Address 12:1:1:12::1 FE80::1 123::21E:BEFF:FE5D:27F0 FE80::3 Age 0 0 166 0 Link-layer Addr 0013.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0 !!!Interface comes UP because no one complained Check if the interface got the correct IPv6 Address: #sh ipv6 int br FastEthernet0/0 [up/up] FE80::21E:BEFF:FE5D:27F0 FastEthernet0/1 [administratively down/down] Serial0/1/0 [up/down] Serial0/1/1 [administratively down/down] Serial0/2/0 [administratively down/down] When you SHUT the local interface.UNICAST Fa0/0 <.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.27f0 0013.Neighbor Advertisement for routers Link Local address *Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0 !!!NA . !!!FE80::21E:BEFF:FE5D:27F0 Assigned.REACH .STALE You can tune the TIMERS for STATE TRANSITIONING. the Link Local address is assigned: *Nov 21 08:21:02.6085. the Link Local address is deleted: *Nov 21 08:19:12. DAD .aeea 0013.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0 !!!NS -Neighbor Solicitation *Nov 21 08:21:03. using the Global Configuration command: (config)#ipv6 neighbor 123::21E:BEFF:FE5D:27F0 Fa0/0 001e.be5d. To debug it do: #debug ipv6 nd When you configure the "ipv6 enable" on the interface. instead of ARP.e3c6 State STALE STALE STALE REACH Interface Fa0/0 <.6085.#show ipv6 inter lo0 Loopback0 is up. if you want to configure it STATICALLY: (config-if)#ipv6 address FE80::1 link-local *Be sure it starts with FE80.blogspot. the IPs will remain active for 30 days if their interfaces don't go down.27f0) IPv6: FE80::21E:BEFF:FE5D:27F0 FE80:: . Neighbor transitions to STALE ND advertised reachable time is 0 milliseconds If you want to CHANGE this value (time it takes the neighbor to go to STALE from REACHABLE): (config-if)#ipv6 nd reachable-time 50000 There is also an AUTOMATIC IPv6 address assigning.Solicited-Node-Multicast Address 140 cisqueros.be5d.27f0 (bia 001e. To activate this: (config-if)#ipv6 address autoconfig ____________________________________________________________________________________________________________________ Convert MAC to Link Local IPv6 Address ____________________________________________________________________________________________________________________ Check how the Link Local address has been generated using the interface MAC address #sh int fa0/0 | i Hard Hardware is Gt96k FE. line protocol is up IPv6 is enabled.com .For Link Local IPv6 Addresses First two 0s from MAC are replaced with a HEX 2. link-local address is FE80::21E:BEFF:FE5D:27F0 No global unicast address is configured Joined group address(es): FF02::1 <.blogspot.Subnet routers MULTICAST FF02::1:FF5D:27F0 <.0 after F means the IPv6 is PERMANENT (if it were 1 . called STATELESS AUTOCONFIG.be" part is COPIED and PAST 2|1E:BE|FF:FE|5D:27F0 FFFE is added after this. address is 001e.it would be temporal) FF02::2 <. to complete MACs 48 bits up to 64 we need Then the "1e.#sh ipv int fa0/0 | i time ND reachable time is 30000 milliseconds <. The router assigns the addresses. in the MIDDLE of the MAC address The rest of MAC follows So .be5d.When not responding for 30 Secs. The SERVER that assigns the IPv6 addresses should have the "ipv6 unicast-routing" configured.2 + 4HEXofMAC + FFEE + 6HEXofMAC Now check the complete IPv6 configuration of the interface: #SH ipv6 int fa0/0 FastEthernet0/0 is up. and even if that router goes down . com . even if they are part of local advertisement. but have in mind that you need to point to the IPv6 address of the IPv6 Neighbor. you also need to specify the INTERFACE: (config)#ipv6 route 1:1:1:1::/64 fa0/0 FE80::1 If you need to add the DEFAULT ROUTE only: (config)#ipv6 route 0::/64 fa0/0 FE80::2 Step 3: And check the Routing Table for Static Entries: #sh ipv6 route static | b 64 S 1:1:1:1::/64 [1/0] via 12:1:1:12::1 Or in the case of the Default Route: #sh ipv6 route | b S S ::/64 [1/0] via FE80::2. you can later ping is using "ping R2_lo1": (config)#ipv6 <0-65535> X:X:X:X::X (config)#ipv6 host R2_lo1 ? Default telnet port number <.____________________________________________________________________________________________________________________ IPv6 Routing ____________________________________________________________________________________________________________________ STATIC ROUTING is similar to the IPv6 Static Routing.aeea STALE Fa0/0 1 0013. Step 1: First check the neighbors IP displaying the IPv6 neighbors: #sh ipv6 nei IPv6 Address 12:1:1:12::1 FE80::1 Age Link-layer Addr State Interface 1 0013. because IPv6 addresses are a bit robust.blogspot. FastEthernet0/0 Step 4: OPTIONAL: Configure HOST for the hosts you ping frequently. In IPv6 REDISTRIBUTION the LOCAL CONNECTED routes are NOT included.CAN BE USEFULL IPv6 address host R2_lo1 1:1:1:1:213:60FF:FE85:AEEA 141 cisqueros.6085. If you name the host R2_lo1. Link Local IPv6 can also be used.aeea STALE Fa0/0 Step 2: And then add the route pointing to the appropriate address: (config)#ipv6 route 1:1:1:1::/64 12:1:1:12::1 If you want to use the LINK LOCAL address.6085. it cannot pick one! So . there are a few changes in OSPFv3: OSPFv3 0x2001 Router LSA 0x2002 Network LSA 0x2003 Inter-area Prefix LSA 0x2004 Inter-area Router LSA 0x4005 AS-External LSA 0x2006 Group Membership LSA 0x2007 Type-7 LSA 0x0008 Link LSA 0x2009 Intra-area Prefix LSA 6 3 4 1 2 OSPFv2 Router LSA Network LSA Network Summary LSA ASBR Summary LSA 5 AS-External LSA Group Membership LSA 7 NSSA External LSA *If you want an area not to receive LSA4 and LSA5. 142 cisqueros.blogspot. and THEN configure OSPF.INSTEAD OF ALL EXTERNAL ROUTES If you want the router to maintain IO INTRA AREA routes only.com . You can add "default-information-originate" to inject the default route into nssa area To change the METRIC/COST you can do two things. configure it as stub: (config-rtr)#area 12 stub <.FIRST define the RID.ADDS A DEFAULT ROUTE TO ISOLATED ROUTER (the router that only has stub area) Default Route added: OI ::/0 [110/2] via FE80::2. because if there are no IPv4 addresses on the router . you might as well create manually the Link Local addresses to the FR interfaces: (config-if)#ipv6 address FE80::2 link-local LSA Changes: Even though most LSA definitions stay the same. This being said. Either change the DEFAULT COST under OSPF process: (config-rtr)#auto-cost reference-bandwidth 10000 Or use the "ipv6 ospf cost" command under EACH INTERFACE.configure an area as NSSA (routes redistributed into NSSA area will appear marked with "ON2"). to avoid restarting the OSPF process later In OSPFv3 over Frame-Relay DONT FORGET TO create frame relay mappings for the link-local (FE80::/10) addresses. FastEthernet0/0 <.____________________________________________________________________________________________________________________ OSPFv3 ____________________________________________________________________________________________________________________ Don’t forget to define the router-id. configure it as NSSA "stub no-summary" If you want not to propagate EXTERNAL routes. *Dec 1 11:18:08. BUT DO IT JUST IN CASE."" ipv6 hello-interval eigrp. in this example MD5: (config-if)#ipv6 authentication mode eigrp 100 md5 Some ADDITIONAL features: Make sure the incoming prefixes are in less than 50 hops (TTL <= 50) (config-rtr)#metric maximum-hops 50 "Tune" the Active Time (time before declaring a router STUCK IN ACTIVE .1 (config-rtr)#no shut <-ON SOME IOS VERSIONS NOT NEEDED.14) is up: new adjacency BE SURE TO DEFINE THE METRIC WHEN REDISTRIBUTING INTO EIGRP. Hold-time is 180 BE CAREFULL WITH FRAME RELAY.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0. To change that (to 25% in this example): (config-subif)#ipv6 bandwidth-percent eigrp 100 25 Another similarity to EIGRPv4. or it will not work!!! (config-rtr)#no redistribute ospf 1 metric 1 1 1 1 1 To change the timers on the interface the command is a bit BACKWARDS.": (config-if)#ipv6 hello-time eigrp 100 10 <-HELLO (config-if)#ipv6 hold-time eigrp 100 40 <-DEAD The command for checking the current timers is also unintuitive.. because EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces: (config-subif)#no ipv6 split-horizon eigrp 100 Like in EIGRPv4.blogspot. Hold-time is 40 Hello-interval is 60. and do a NO SHUT: (config-rtr)#eigrp router-id 1. as in .____________________________________________________________________________________________________________________ EIGRP IPv6 ____________________________________________________________________________________________________________________ The difference with OSPF is that even if you configure it on the interface: (config-if)#ipv6 eigrp 100 it will not form an adjacency unless you DEFINE THE ROUTER-ID. on EIGRPv6 EIGRP Patckets use UP TO 50% of the Links BW.. cause you need to add "details" to the end: #sh ipv6 eigrp interfaces detail | i Hello Hello-interval is 10.. you can use "summary-address" to inject the default route: (config-if)#ipv6 summary-address eigrp 100 ::0/0 %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured EIGRPv6 Authentication: Also similar to EIGRPv4 Step 1: Define the Key Chain (config)#key chain MAT (config-keychain)#key 1 (config-keychain-key)#key-string Cisqueros Step 2: Apply the key chain to the interface: (config-if)#ipv6 authentication key-chain eigrp 100 MAT Step 3: Turn ON the authentication on the interface.1.1.SIA) (config-rtr)#timers active-time ? <1-65535> active state time limit in minutes disabled disable time limit for active state 143 cisqueros.com . 1 (Serial0/1/0.21). proto=41 IP: tableid=0.1. and IPV6IP is Protocol 41. IP: s=10.2 (Serial0/1/0.____________________________________________________________________________________________________________________ IPv6 Tunnels ____________________________________________________________________________________________________________________ When you configure them MANUALLY (this means that you define both. len 140.1. d=10. you get> 2002:A01:101::/128. len 96. d=10.1 (Serial0/1/0. so: (config-if)#ipv6 add 2002:A01:101::/128 Step 3: Configure the TUNNEL MODE as IPV6IP 6to4: (config-if)#tunnel mode ipv6ip 6to4 144 cisqueros.1.1.12.21).PROTOCOL 41: *Nov 29 18:23:52.1.126: RIB *Nov 29 18:23:52.110: RIB *Nov 29 18:23:53.2 (Serial0/1/0. d=10.2 (Tunnel0).622: RIB *Nov 29 18:25:30.1.1. routed via IP: s=10.1 (Serial0/1/0.1.1.126: proto=41 *Nov 29 18:23:52.21). s=10.21).21).1 (Serial0/1/0. d=10. s=10. d=10.506: proto=47 *Nov 29 18:25:30. len 140.2 (Serial0/1/0.blogspot.12. so in GRE: #sh int tunnel 3 | i transport Tunnel protocol/transport GRE/IP While in IPv6IP: #sh int tunnel 3 | i transport Tunnel protocol/transport IPv6/IP GRE is Protocol 47. d=10. we need these steps: Step 1: Translate IPv4 into IPv6 address.1. d=10.2 (Serial0/1/0.21). rcvd 3. s=10. routed via IP: s=10.12.2 (Serial0/1/0.12.574: *Nov 29 18:25:30.622: proto=47 IP: tableid=0.12.1 (Serial0/1/0.1 (Serial0/1/0.1. d=10.12. GRE .1 (Serial0/1/0.1.110: proto=41 IP: tableid=0.1.21).21).com . depends what you are asked to do: (config)#interface tunnel 0 (config-if)#tunnel mode ipv6ip <.12.1.12. sending.21). sending.1.12.12.12. So.12.1.1 (Serial0/1/0.1 (Serial0/1/0.1 (Serial0/1/0.PROTOCOL 47: *Nov 29 18:25:30.1: 10 0A 1 01 1 01 1 01 Step 2: Identify tunnel source.2 (Serial0/1/0. You can check this by PINGING one side from another.2 (Serial0/1/0. For example 10.21). 6to4 Tunnels: AUTOMATICALLY established.12.506: RIB *Nov 29 18:25:30.1.21). rcvd 3. IMPORTANT: Tunnel is AUTOMATIC.12.21).21).12.1.12.DEFAULT IS GRE The difference between IPv6IP and GRE will be in the TUNNEL PROTOCOL. len 136. len 120.1.21). allowing IPv6 connection through IPv4.12. rcvd 3. len 140. d=10. and debuging "ip packet details" on the other side: IPv6IP .21).2 (Tunnel0).2 (Serial0/1/0. proto=47 IP: tableid=0.12.12. routed via IP: s=10.12.126: *Nov 29 18:23:53. They require SPECIAL ADDRESSING: IPv6 of 2002 followed by TRANSLATED IPv4 address. IP: s=10. so DONT CONFIGURE THE DESTINATION So using the 2002 which is the 6to4 marker. rcvd 3.1.1. source and the destination of the tunnel) the Tunnel mode can be IPv6IP or GRE.1. routed via IP: s=10. s=10. d=10.21).21).21). IPv6 RP and BSR (Boot-Strap Router) BSR protocol for PIM-SM provides a mechanism to distribute group-to-RP mapping information throughout a domain. Holdtime 150 Uptime: 00:02:46.blogspot.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7. MLD uses ICMP for messages.enable IPv6 Multicast globally. Multicast QUERIER is a ROUTER that sends queries to discover the group members.Step 4: Make sure that the Tunnel Interface is going UP/UP *Nov 29 19:10:13. and that the MODE needs to be defined as ISATAP: (config-if)#ipv6 address 46:1:46::/64 eui-64 <. This can be done by debuging the ICMP packets that are used for the MLD. A few routers are configured as candidate bootstrap routers (C-BSRs) and a single BSR is selected for that domain. Assign the router BSR priority: (config)#ipv6 pim bsr candidate bsr 2001:CC1E:1:404:21A:E2FF:FEAB:FF29 priority 100 Configure a Router that will be Sending PIM RP Advertisements to the BSR: (config)#ipv6 pim bsr candidate rp 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0 #sh ipv pim bsr rp-cache PIMv2 BSR C-RP Cache BSR Candidate RP Cache Group(s) FF00::/8. and use one of its local IPv6 addresses. and then pinging the MULTICAST IPv6 source from the other side: #debug ipv6 icmp 145 cisqueros. Multicast HOST is the RECEIVER (including routers) that sends REPORTS to inform the querier. which is formed like this: NETWORK PORTION: can be any IPv6 address HOST PORTION: starts with 0000:5EFE. ISATAP also has its own IPv6 Address Format. The MLD protocol is used by IPv6 routers to discover the presence of multicast listeners.com . RP count 1 RP 2001:CC1E:1:505:21B:2AFF:FE0C:E0C0 SM Priority 192.EUI CONVERTS IPv4 TO IPv6 AUTOMATICALLY (config-if)#tunnel mode ipv6ip isatap ____________________________________________________________________________________________________________________ IPv6 Multicast Routing ____________________________________________________________________________________________________________________ To start implementing multicasting in the campus network. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits in the interface identifier are constructed using the IPv4 tunnel source address. To set a router to be a BSR candidate .If the RP is unreachable BSR will detect it and modify the mapping tables. users must first define who receives the multicast. expires: 00:01:43 The big challenge in any Multicast configuration is the verification. changed state to up ISATAP Tunnel: It's a IETF transition mechanism that allows IPv6 networks to connect over IPv4 Networks.44:44:44 Step 2: Sending of IPv6 router advertisements is disabled by default on tunnel interfaces. and the rest of host portion is TRANSLATED IPv4 of the TUNNEL SOURCE Step 1: Define the Tunnel SOURCE address (config-if)#tunnel source 10. make sure IPv6 is also enabled. This command re-enables the sending of IPv6 router advertisements to allow client auto-configuration: (config-if)# no ipv6 nd ra suppress Step 3: ISATAP The only difference from standard IPv6IP configuration is that the IPv6 address needs to be eui-64 generated.
Copyright © 2024 DOKUMEN.SITE Inc.