Hitchhiker's Guide To The CCIE V011 Jan2014
cisqueros.blogspot.com
About
This is nothing more than a script of simple guidelines I made during my CCIE preparations, 2012-2014. Bear in mind that I created this script throughout the entire preparation period, so some topics might be pretty basic, as my level was CCNP, while some others require the reader to have an almost-CCIE level. I will keep updating the script, and you will always be able to find the latest version on my blog, and on the CertCollection blog: http://certcollection.org/

If you find my notes useful I'm more than glad I could help. You can use it, share it, whatever, as long as you don't try to sell it or publish it as your own.

If for any reason you'd like to get in touch with me, regardless of whether it's just to give me feedback about the script or to propose any kind of collaboration, you're more than welcome to contact me via my blog or via my LinkedIn profile: http://cisqueros.blogspot.com.es/ http://es.linkedin.com/in/matejajovanovic
Table of Contents
About............................................................................................................................................................................. 3 LAN Switching ................................................................................................................................................................. 10 Tips and Tricks ............................................................................................................................................................. 11 VLAN Filters for NON-IP Traffic ................................................................................................................................... 11 MEMORY OPTIMIZATION - SDM (Switch Database Management) ............................................................................ 12 INTERFACE Statuses .................................................................................................................................................... 13 CAM TABLE .................................................................................................................................................................. 13 VTP - VLAN Trunking Protocol ..................................................................................................................................... 13 VMPS - VLAN Membership Policy Server .................................................................................................................... 14 TRUNKS and DTP (Dynamic Trunking Protocol) .......................................................................................................... 14 PRIVATE VLANS ........................................................................................................................................................... 15 Dot1q Tunneling: 802.1q, QinQ Tunneling ................................................................................................................. 
16 SPANNING TREE PROTOCOL (STP) .............................................................................................................................. 16 MULTIPLE SPANNING TREE (MSTP) ............................................................................................................................ 18 PORTFAST .................................................................................................................................................................... 18 BPDU GUARD .............................................................................................................................................................. 18 UDLD - Unidirectional Link Detection ......................................................................................................................... 19 SOURCE GUARD and DHCP SNOOPING....................................................................................................................... 20 ETHERCHANNEL .......................................................................................................................................................... 20 DAI (Dynamic ARP Inspection) .................................................................................................................................... 22 SNMP........................................................................................................................................................................... 23 MONITORING .............................................................................................................................................................. 24 LOGGING ..................................................................................................................................................................... 
24 STORM CONTROL ........................................................................................................................................................ 25 HTTP Server (HTTP access) on a Switch ...................................................................................................................... 25 Router on a STICK and IP BRIDGING ........................................................................................................................... 25 IP Services ....................................................................................................................................................................... 26 IP Services Tips and Tricks ........................................................................................................................................... 27 HSRP - Hot Standby Routing Protocol ......................................................................................................................... 27 VRRP - Virtual Routing Redundancy Protocol ............................................................................................................. 28 GLBP - Global Load Balancing Protocol ....................................................................................................................... 29 IRDP - ICMP Router Discovery Protocol ...................................................................................................................... 30 DRP - Cisco Distributed Route Processor .................................................................................................................... 31 WAAS and WCCP Protocol .......................................................................................................................................... 31 4 cisqueros.blogspot.com
NTP - Network Time Protocol ..................................................................................................................................... 32 IP SLA - Monitor the Network Performance ............................................................................................................... 33 STATIC NAT.................................................................................................................................................................. 34 DYNAMIC NAT ............................................................................................................................................................. 35 Load Balancing using NAT ........................................................................................................................................... 35 PAT (NAT Overload) .................................................................................................................................................... 36 PAR - When you need to implement traffic redirections using NAT .......................................................................... 36 Static NAT redundancy with HSRP .............................................................................................................................. 37 Scalability for Stateful NAT (SNAT) ............................................................................................................................. 37 NAT Translations with the Outside Source ................................................................................................................. 38 NAT on a Stick ............................................................................................................................................................. 38 DHCP Server ................................................................................................................................................................ 
39 CNS (Cisco Networking Services) ................................................................................................................................ 39 GRE Tunnels ................................................................................................................................................................ 40 Various IOS Tricks........................................................................................................................................................ 40 IP Routing ........................................................................................................................................................................ 42 PBR - Policy Based Routing ......................................................................................................................................... 43 ODR - ON-DEMAND ROUTING .................................................................................................................................... 43 RIP ............................................................................................................................................................................... 43 RIP: Authentication ..................................................................................................................................................... 44 RIP: Timers .................................................................................................................................................................. 44 RIP: Updates Control ................................................................................................................................................... 45 RIP: OFFSET LISTS ........................................................................................................................................................ 
45 RIP: Update Source Control ........................................................................................................................................ 46 RIP: Route Summarizing .............................................................................................................................................. 46 RIP: Route Filtering using Prefix Lists .......................................................................................................................... 46 OSPF ............................................................................................................................................................................ 48 OSPF over Frame-Relay, focus on Network Types ...................................................................................................... 48 OSPF: Configuration on INTERFACE LEVEL .................................................................................................................. 49 OSPF: Timers ............................................................................................................................................................... 49 OSPF: Authentication .................................................................................................................................................. 50 OSPF: Route Redistribution......................................................................................................................................... 50 OSPF Route Summarization ........................................................................................................................................ 51 OSPF Virtual Link ......................................................................................................................................................... 
51 OSPF Cost .................................................................................................................................................................... 52 Redirecting Traffic (FORCING A PATH) ........................................................................................................................ 52 5 cisqueros.blogspot.com
OSPF and the GRE Tunnels .......................................................................................................................................... 53 OSPF LSA Types and AREA TYPES ................................................................................................................................ 53 OSPF STUBS ................................................................................................................................................................. 55 OSPF Route Filtering ................................................................................................................................................... 56 OSPF Non-Broadcast Networks................................................................................................................................... 57 OSPF NBMA (Non Broadcast Multiple Access) Networks ........................................................................................... 58 OSPF BROADCAST vs. POINT-TO-POINT vs. POINT-TO-MULTIPOINT Networks ......................................................... 58 DNS Lookup in OSPF .................................................................................................................................................... 59 ISPF .............................................................................................................................................................................. 59 Forward Address Suppression .................................................................................................................................... 59 OSPF Sham Link ........................................................................................................................................................... 60 OSPF in MPLS .............................................................................................................................................................. 
61 EIGRP ........................................................................................................................................................................... 62 EIGRP "show neighbors" command ............................................................................................................................ 62 EIGRP Metric - K Values .............................................................................................................................................. 63 EIGRP Route Summarization and Leak Maps .............................................................................................................. 64 EIGRP Default Gateway ............................................................................................................................................... 64 VARIANCE Command .................................................................................................................................................. 65 EIGRP Authentication .................................................................................................................................................. 65 EIGRP: Maximum Hops ............................................................................................................................................... 65 EIGRP Administrative Distance ................................................................................................................................... 66 EIGRP Updates BW Percent ........................................................................................................................................ 66 EIGRP Redistribute Routes into EIGRP ........................................................................................................................ 66 EIGRP offset-list [metric adjustments] ........................................................................................................................ 
66 EIGRP Stub................................................................................................................................................................... 66 MP-EIGRP .................................................................................................................................................................... 67 EIGRP Route Filtering .................................................................................................................................................. 67 BGP TIPs and Best Practices ........................................................................................................................................ 68 BGP Version................................................................................................................................................................. 70 BGP Peer-Group .......................................................................................................................................................... 70 BGP Peer-Session and Peer-Policy Templates ............................................................................................................ 71 BGP Authentication..................................................................................................................................................... 71 BGP Route Reflectors .................................................................................................................................................. 72 BGP BACKDOOR Route ................................................................................................................................................ 73 BGP CONDITIONAL Advertisements - Advertise Maps ............................................................................................... 
73 BGP Route Dampening ................................................................................................................................................ 74 6 cisqueros.blogspot.com
BGP Route Summarization .......................................................................................................................................... 75 BGP INJECT and EXIST map ......................................................................................................................................... 75 BGP Community Attribute .......................................................................................................................................... 75 BGP & Load Balancing ................................................................................................................................................. 76 1. AS-Path (The less ASs in the path - the Better) ....................................................................................................... 77 2. Weight (the Higher - the Better) ............................................................................................................................. 78 3. MED (Multi Exit Discriminator) ............................................................................................................................... 79 4. LOCAL PREFERENCE................................................................................................................................................. 79 BGP Filters: Distribution and Prefix lists ..................................................................................................................... 80 BGP: Regular Expressions............................................................................................................................................ 80 BGP Confederations .................................................................................................................................................... 81 MP-BGP (Multi-Protocol BGP)..................................................................................................................................... 
82 Route Redistribution TIPs ....................................................................................................................................... 83 QoS .................................................................................................................................................................................. 84 QoS TIPS ...................................................................................................................................................................... 85 QoS on Access Ports ................................................................................................................................................ 85 DSCP and COS MAPPING ......................................................................................................................................... 87 Map COS to DSCP on a device ................................................................................................................................. 88 QoS POLICING - INDIVIDUAL and AGGREGATE POLICER......................................................................................... 88 PRIORITY QUEUING (priority-list) & CUSTOM QUEUING (queue-list) .................................................................... 88 WFQ - By default works with IP PRESEDENCE ........................................................................................................ 89 RSVP - Resource Reservation Protocol ................................................................................................................... 90 IPv6 QoS .................................................................................................................................................................. 90 Match MAC ADDRESS ............................................................................................................................................. 
90 QoS Frame-Relay SHAPING ..................................................................................................................................... 91 QoS Frame-Relay PIPQ (PER-INTERFACE PRIORITY QUEUING) ............................................................................... 93 QoS Frame-Relay PAYLOAD and HEADER COMPRESSION ...................................................................................... 94 QoS CBWFQ - configured using MQC...................................................................................................................... 94 QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command ..................................................... 94 Define the QoS Schedule (TIME-RANGE command) ............................................................................................... 95 QoS CAR (Committed Access Rate) - "rate-limit" Interface Command .................................................................. 95 NBAR (match protocol XXX) - if you need to match the port without the ACL ...................................................... 95 DUAL RATE - DUAL BUCKET..................................................................................................................................... 96 WRED - Weighted Random Early Detection and CB-WRED .................................................................................... 96 WAN ................................................................................................................................................................................ 97 Frame-Relay TIPS ........................................................................................................................................................ 98 7 cisqueros.blogspot.com
FRAME RELAY QoS ...................................................................................................................................................... 98 PHYSICAL INTERFACE CONFIGURATION: .................................................................................................................... 99 POINT-TO-POINT SUB-INTERFACE: ............................................................................................................................. 99 POINT-TO-MULTIPOINT SUB-INTERFACE: ................................................................................................................. 100 VIRTUAL TEMPLATE .................................................................................................................................................. 100 FRAME RELAY AUTHENTICATION.............................................................................................................................. 101 FRAME RELAY End-to-End KEEPALIVE ....................................................................................................................... 102 FRAME-RELAY MULTILINKING ................................................................................................................................... 103 FRAME-RELAY AUTO-INSTALL ................................................................................................................................... 104 IP Multicast ................................................................................................................................................................... 105 Multicast TIPS............................................................................................................................................................ 106 Multicast - IGMP ....................................................................................................................................................... 
106 Configure PIM Multicast ........................................................................................................................................... 107 PIM Dense Mode, PIM-DM - For the applications EVERYONE wants ....................................................................... 109 STATIC RENDEZVOUZ POINT (RP) Configuration ...................................................................................................... 110 DESIGNATED ROUTER (DR) Configuration ................................................................................................................ 110 IP MULTICAST: AUTOMATIC RENDEZVOUZ POINT (Auto-RP) Configuration............................................................ 111 IP MULTICAST: BSR (Bootstrap Router) Configuration ............................................................................................. 112 IP MULTICAST: MSDP (Multicast Source Discovery Protocol) Configuration ........................................................... 113 Multiprotocol BGP (MP-BGP) & IP Multicast ............................................................................................................ 113 IP MULTICAST: Configuring SSM (Source Specific Multicast) ................................................................................... 114 IP MULTICAST: Bidirectional PIM (Bidir-PIM) ........................................................................................................... 115 IP MULTICAST: Helper Map....................................................................................................................................... 116 MULTICAST Helper Map & Helper-address .............................................................................................................. 117 Security ......................................................................................................................................................................... 
Security TIPS ..... 119
Router Security - Best Practices ..... 119
KNOWN ATTACKS and how to prevent ..... 120
BANNER and MENU Configuration ..... 121
Configure SSH Access ..... 121
ADVANCED Access Lists (ACL) Configuration ..... 122
DYNAMIC ACL (aka Lock and key ACL) ..... 123
REFLEXIVE ACL - For Session Filtering ..... 123
TCP INTERCEPT - To prevent TCP SYN DoS attacks ..... 124
CBAC - Context Based Access Control Firewall ..... 124
PAM - Port to Application Mapping ..... 125
uRPF - Unicast Reverse Path Forwarding ..... 126
Zone Based Firewall ..... 127
CONTROL Plane Policy (CPPr) ..... 128
IOS IPS (Intrusion Prevention System) ..... 129
AAA Authentication ..... 130
MPLS ..... 131
MPLS Configuration ..... 132
MPLS LFIB and Labels (Label Spacing) ..... 133
MPLS Session Protection ..... 134
MPLS VRFs, RD (Route Distinguisher) and RT (Route Target) ..... 135
L2VPN - AToM (Any Transport over MPLS) ..... 136
IPv6 ..... 137
IPv6 TIPS ..... 138
IPv6 Basics ..... 138
Convert MAC to Link Local IPv6 Address ..... 140
IPv6 Routing ..... 141
OSPFv3 ..... 142
EIGRP IPv6 ..... 143
IPv6 Tunnels ..... 144
IPv6 Multicast Routing ..... 145
LAN Switching
____________________________________________________________________________________________________________________
TIP: When there is a CISCO Phone attached to an access port, configure "switchport voice vlan X" on that access port.
____________________________________________________________________________________________________________________
STEP 2: After the MAC ACL is created, we need to apply it to a Layer 2 interface. This can be done in one of 2 ways:
1. Directly, using the "mac access-group MACL in" command
2. Using the VLAN Maps
VLAN Maps are the only way to control filtering within a VLAN. You can define the DROP or FWD action:
(config)#vlan access-map VLANACM 10 <-10 IS THE SEQ NUMBER
(config-access-map)#action drop
(config-access-map)#match mac address DENY_BPDU <-MATCH THE DEFINED MAC ACL
!!!IMPORTANT: ORDER IS IRRELEVANT HERE!!! First we're saying DROP, and then matching what to drop.
(config)#vlan access-map VLANACM 20
(config-access-map)#action forward <-TO PERMIT ALL OTHER TRAFFIC
STEP 3: At the end you need to APPLY the VLAN Access-Map to the VLAN (MEMORIZE THIS STUFF):
(config)#vlan filter VLANACM vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs
____________________________________________________________________________________________________________________
(config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]
(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6 <-USE THIS MODE WHEN YOU HAVE BOTH IPv4 AND IPv6
  ipe                 IPe bias
  routing             Unicast bias <-SWITCH YOU USE AS A ROUTER, ONLY IPv4
  vlan                VLAN bias <-ONLY L2 SWITCH
It can happen that you need to use IPv6 on a switch and the command "ipv6 unicast-routing" is not accepted. If the switch seems not to support the command, in reality you only need to change the buffer allocation first (apply a different SDM template). The problem is that you have to SAVE and RELOAD, so be sure you do it before the LAB if you know you'll be using both IPv4 and IPv6. Make sure you really need to reconfigure by checking the current SDM settings with "show sdm prefer":
(config)#sdm prefer dual-ipv4-and-ipv6 routing
____________________________________________________________________________________________________________________
INTERFACE Statuses
____________________________________________________________________________________________________________________
INTERFACE "no shut" BUT NOT CONNECTED TO ANYTHING:
GigabitEthernet3/0/1 unassigned YES unset down down
INTERFACE "shutdown":
GigabitEthernet3/0/17 unassigned YES unset administratively down down
____________________________________________________________________________________________________________________
CAM TABLE
____________________________________________________________________________________________________________________
You can set up the MAC Aging Time, and Security (enable only the known and secure MAC addresses):
(config)#mac address-table aging-time 600 <--- if not active for 10 minutes REMOVE from the CAM table
(config)#mac-address-table secure 48BIT_MAC_ADDRESS Gi3/0/15
____________________________________________________________________________________________________________________
To restrict FLOOD TRAFFIC on TRUNK interfaces, use VTP PRUNING. 4 types of VTP Advertisements are exchanged between the switches:
1. Summary Advertisements - every time the VTP database changes (every 300 ms)
2. Subset Advertisements - sent right after the SUMMARY, includes what exactly changed
3. Advertisement Requests from clients - a client requests info to update its VTP database, the server responds
4. VTP Membership announcements - when PRUNING is enabled, they tell the neighbor WHAT VLANs they want (if a VLAN is not announced with this message, it is not carried on the trunk)
You can adjust the VLANs that are being pruned on the interface, so for example to PRUNE ALL BUT VLAN 8:
(config-if)#switchport trunk pruning vlan 2-7,9-1001
OR
(config-if)#switchport trunk pruning vlan remove 8
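As an added example (my own code, not from these notes or from Cisco), here is a small Python helper that expands and re-serializes IOS VLAN lists such as "2-7,9-1001" and emulates what the add/remove/except keywords of "switchport trunk pruning vlan" do to the pruning-eligible list. It assumes the IOS defaults: VLANs 2-1001 are pruning-eligible, and VLAN 1 plus VLANs 1002-4094 are never pruned.

```python
def parse_vlan_list(text):
    """Expand an IOS VLAN list such as "2-7,9-1001" into a sorted list of VLAN ids."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("invalid VLAN range: %r" % part)
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def format_vlan_list(vlans):
    """Collapse VLAN ids back into the "a-b,c" notation IOS prints and accepts."""
    ids = sorted(set(vlans))
    if not ids:
        return "none"
    ranges = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v != prev + 1:
            ranges.append((start, prev))
            start = v
        prev = v
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges)


# IOS default: VLANs 2-1001 are pruning-eligible; VLAN 1 and 1002-4094 are never pruned (assumption stated above).
DEFAULT_PRUNING_ELIGIBLE = "2-1001"


def apply_pruning_change(current, keyword, vlans):
    """Emulate "switchport trunk pruning vlan {add|remove|except|<list>}" on the eligible list.

    keyword is "add", "remove", "except" or "set" (the bare <list> form).
    """
    cur = set(parse_vlan_list(current))
    new = set(parse_vlan_list(vlans))
    if keyword == "add":
        result = cur | new
    elif keyword == "remove":
        result = cur - new
    elif keyword == "except":
        result = set(parse_vlan_list(DEFAULT_PRUNING_ELIGIBLE)) - new
    elif keyword == "set":
        result = new
    else:
        raise ValueError("unknown keyword %r" % keyword)
    # Pruning can never apply to VLAN 1 or to the extended/reserved range.
    result &= set(range(2, 1002))
    return format_vlan_list(result)
```

Both forms shown above give the same eligible list: apply_pruning_change("2-1001", "remove", "8") and apply_pruning_change("2-1001", "set", "2-7,9-1001") return "2-7,9-1001".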
____________________________________________________________________________________________________________________
Define how many times you want Client to contact the Server, like if you want to retry 5 times:
(config)#vmps retry 5
(config)#vmps reconfirm 30 <--- RETRY IN 30 MINUTES IF 5 ATTEMPTS FAIL
____________________________________________________________________________________________________________________
Dynamic Desirable - Actively attempts to convert to TRUNK, but it's NOT in PERMANENT TRUNK mode:
(config-if)#switchport mode dynamic desirable
Dynamic Auto - Negotiate TRUNK ONLY if Negotiation Packet received from a Neighbour
(config-if)#switchport mode dynamic auto
Nonegotiate - Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk:
(config-if)#switchport mode nonegotiate
____________________________________________________________________________________________________________________
PRIVATE VLANS
____________________________________________________________________________________________________________________
*REQUIRES VTP MODE TO BE SET TO TRANSPARENT, which disables VTP!!!
(config)#vtp mode transparent
This topic belongs to L2 SECURITY rather than L2 SWITCHING. A Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!
1. Promiscuous - belongs to the PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40 <-DONT FORGET TO ASSOCIATE EVEN WITH ISOLATED
DONT FORGET TO ASSOCIATE Secondary VLANs to the Primary, so that they can all communicate with Promiscuous:
(config-vlan)#private-vlan association add 20,30,40
#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Et0/2
10      30        community         Et0/0
10      40        isolated          Et0/0
GREAT Example of PRIVATE VLANs is 2 HOSTS on a SWITCH that should NOT communicate to each other, and 1 router that should communicate with BOTH HOSTS. You should do VLAN XXX for HOSTS as ISOLATED, and VLAN for the ROUTER as the PROMISCUOUS, and associate it to the ISOLATED VLAN.
____________________________________________________________________________________________________________________
You can also configure L2 TUNNELING (CDP, STP and VTP can be tunnelled)
(config-if)#l2protocol-tunnel [cdp | stp | vtp]
*Take SPECIAL CARE about the MTU SIZE on Switches (might need to set to 1504 due to the ADDED 4 BYTES IN THE TUNNEL)
(config)#system mtu 1504
Check whether you need to define a TUNNEL PORT for QinQ!!! When is this necessary? When the ROUTER is TAGGING the traffic towards the switch (using an 802.1Q TRUNK), you have to establish the DOT1Q TUNNEL along with the L2 tunnel. If you are using the NATIVE VLAN to do this, make sure that the TRUNK port is also tagging the NATIVE VLAN:
(config-if)#switchport mode dot1q-tunnel
(config)#vlan dot1q tag native <-TO TAG THE NATIVE VLAN ON THE 802.1q TRUNK WITH THE ROUTER
____________________________________________________________________________________________________________________
GREAT COMMAND:
#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base
#show spanning-tree vlan 12

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588                <-ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)   <--- ABOUT THIS SWITCH (LOCAL Bridge)
             Address     ec44.768a.6d80       <-- ON THE ROOT, Bridge ID and Root ID have the same MAC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type       <-ABOUT INTERFACES IN THIS VLAN
------------------- ---- --- --------- -------- ----------
Gi3/0/19            Desg FWD 4         128.127  P2p        <--- COST IS 4 BECAUSE THIS IS A GigabitEthernet PORT
Gi3/0/20            Desg FWD 4         128.128  P2p
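Added example, not part of the original notes: a Python snippet that splits a bridge priority into the configurable base and the sys-id-ext (24588 is base 24576 plus VLAN 12), parses the relevant lines of the "show spanning-tree vlan" output above (re-typed here as constructed sample text without the annotations), checks that the sys-id-ext matches the VLAN, and applies the root election rule (lowest priority, then lowest MAC) to a constructed list of bridges. Goes one step beyond the output: it also shows how a tie on priority is broken.

```python
import re

# Constructed copy of the 'show spanning-tree vlan 12' output from these notes, annotations removed.
SAMPLE_SHOW = """VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)
             Address     ec44.768a.6d80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
"""


def split_bridge_priority(priority):
    """Split a bridge priority into the configurable base (multiple of 4096) and the sys-id-ext (VLAN id)."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must fit in 16 bits")
    return priority & 0xF000, priority & 0x0FFF


def bridge_priority(base, vlan):
    """What "spanning-tree vlan N priority BASE" produces: the base plus the VLAN id as sys-id-ext."""
    if base % 4096 or not 0 <= base <= 61440:
        raise ValueError("base priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("invalid VLAN id")
    return base + vlan


def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(bridges):
    """Root election: the lowest bridge id wins, i.e. lowest priority, then lowest MAC address."""
    return min(bridges, key=lambda b: (b["priority"], mac_to_int(b["mac"])))


def parse_show_spanning_tree(text):
    """Pull the root and local bridge ids out of 'show spanning-tree vlan N' and sanity-check them."""
    vlan_m = re.search(r"^VLAN0*(\d+)", text, re.M)
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", text)
    local = re.search(r"Bridge ID\s+Priority\s+(\d+)\s+\(priority\s+(\d+)\s+sys-id-ext\s+(\d+)\)"
                      r"\s+Address\s+([0-9a-f.]+)", text)
    if not (vlan_m and root and local):
        raise ValueError("unrecognised show spanning-tree output")
    vlan = int(vlan_m.group(1))
    root_prio, root_mac = int(root.group(1)), root.group(2)
    local_prio, base, ext, local_mac = (int(local.group(1)), int(local.group(2)),
                                        int(local.group(3)), local.group(4))
    # The sys-id-ext printed by IOS must be the VLAN id, and base + ext must give the priority.
    if (base, ext) != split_bridge_priority(local_prio) or ext != vlan:
        raise ValueError("priority %d does not decompose to VLAN %d" % (local_prio, vlan))
    return {
        "vlan": vlan,
        "root": {"priority": root_prio, "mac": root_mac},
        "local": {"priority": local_prio, "mac": local_mac, "base": base},
        "is_root": (root_prio, root_mac) == (local_prio, local_mac),
    }
```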
BEST PRACTICE:
Change the COST on the interface level to change the PATH.
Change the PORT PRIORITY to influence ONLY the NEIGHBORING SWITCH.
!!!IMPORTANT: WHEN GOING TOWARDS THE STP ROOT - USE COST; WHEN GOING AWAY FROM THE ROOT - USE PORT-PRIORITY
UPLINKFAST: FAST Convergence in case of DIRECT failure of the ROOT port (Natively included in RSTP)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UPLINKFAST Globally you SPEED UP the choice of NEW ROOT PORT when a link or switch fails or when the spanning tree reconfigures itself:
(config)#spanning-tree uplinkfast
!!!UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices
BACKBONEFAST: Complementary feature to UPLINKFAST, detects indirect failures in the core of the backbone.
When a switch receives an inferior BPDU from the designated port of another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
(config)#spanning-tree backbonefast
____________________________________________________________________________________________________________________
SW2#show spanning-tree mst configuration
Name      []
Revision  1     Instances configured 3
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-11,13-33,35-55,57-89,91-4094
1         12,34
2         56,90
-------------------------------------------------------------------------------
____________________________________________________________________________________________________________________
PORTFAST
____________________________________________________________________________________________________________________
Quick transition, BYPASS LISTENING & LEARNING:
(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.
PORTFAST reduces the overhead significantly, because TCN (Topology Change Notification) BPDUs will not be generated.
____________________________________________________________________________________________________________________
BPDU GUARD
____________________________________________________________________________________________________________________
This feature is used to prevent anything but a workstation from being connected to a port we are configuring with PortFast. It should be configured on the interfaces where a BPDU should NEVER be received. If a BPDU is received, the port goes into the "ERRDISABLE" state (the port is disabled):
(config-if-range)#spanning-tree bpduguard enable
There are two options to return to the normal state. One is to manually type the shut and no shut commands. The other is to define an ERRDISABLE RECOVERY:
(config)#errdisable recovery cause bpduguard <-MANY CAUSES CAN BE DEFINED HERE, do "show errdisable recovery"
(config)#errdisable recovery interval 360
____________________________________________________________________________________________________________________
GLOBAL COMMAND "udld enable" ONLY APPLIES TO FIBER OPTIC INTERFACES!!!
IT'S RECOMMENDED TO USE UDLD WITH LOOPGUARD!!! (For the port to enter the DISABLED state when BPDUs are no longer received.) Normally when a unidirectional link occurs, the other side stops receiving BPDUs and assumes that the STP ROOT is no longer available, so it declares itself the NEW STP ROOT. Loopguard prevents this.
(config-if)#spanning-tree guard loop <-CONFIGURE ON UPLINK PORTS
If it's a TWISTED PAIR - use AGGRESSIVE mode! To automatically recover from the err-disable state in x seconds (x=120 in this case):
(config)#errdisable recovery cause udld
(config)#errdisable recovery interval 120
____________________________________________________________________________________________________________________
When configuring the DHCP Snooping, make sure you set the DHCP TRUST on all the UPLINK TRUNKS, or the DHCP responses will be IGNORED!!!
(config-if)#ip dhcp snooping trust
!!!DON'T FORGET TO EITHER DISABLE THE INFORMATION OPTION (option 82), OR CONFIGURE THE DHCP SERVER TO REJECT TRANSIT DHCP MESSAGES, because DHCP SNOOPING can insert an EMPTY GIADDR FIELD!!!
(config)#ip dhcp relay information trust-all
First enable Source Guard directly on the interface (on its own it VERIFIES THE IP ADDRESS ONLY!):
(config-if)#ip verify source
(config-if)#ip verify source port-security <--- TO VERIFY MAC AND IP
(config-if)#switchport port-security <--- MUST ENABLE (permits L3 checks on a pure L2 interface)
#show ip source binding
MacAddress          IpAddress        VLAN
------------------  ---------------  ----
00:00:22:22:22:22   10.1.1.2         2
00:00:33:33:33:33   10.1.1.3         2
00:00:11:11:11:11   10.1.1.1         2
Total number of bindings: 3
____________________________________________________________________________________________________________________
ETHERCHANNEL
____________________________________________________________________________________________________________________
TIP: To make SW1 Priority higher to allow it control the BUNDLE CREATION:
(config)#lacp system-priority 1
Check the DEFAULT PARAMETERS:
#show lacp 1 internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi3/0/19  SA      bndl      32768         0x1       0x1     0x7F        0x3D
Gi3/0/20  SA      bndl      32768         0x1       0x1     0x80        0x3D
You can configure MAX 16 PORTS, out of which: MAXIMUM 8 ACTIVE PORTS, and the others HOT STANDBY (activated if one of the first 8 fails). Which ones belong to the ACTIVE group depends on the LACP PRIORITY that can be configured:
(config-if)#lacp port-priority 1 <--- LOWER IS BETTER!!! (default is 32768)
L3 ETHERCHANNEL: Configure the Port-Channel interface statically, and all L3 configuration under it
Summary: 32 Po32(RU) Gi1/0/23(P) Gi1/0/24(P)
* "show interface trunk" will show only the Port-Channel, but "show interface XX switchport" will show that the physical INT IS a TRUNK
LOAD BALANCE the Etherchannel (CONFIGURED in the Global Config mode):
(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4:   Destination MAC address
IPv6:   Destination MAC address
Spanning Tree treats the EtherChannel as a SINGLE LINK, by sending the BPDUs only over one of the physical links.
____________________________________________________________________________________________________________________
You can create an ARP Access List and map the IP to MAC, and apply it to DAI:
(config)#arp access-list ARP_ACL_20
(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)
#show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi3/0/1          Untrusted                5                 1  <--- THE CHANGED ONE
 Gi3/0/2          Untrusted               15                 1  <--- 15 pps IS THE DEFAULT VALUE
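Added example (my own code, not the switch's implementation and not from these notes): a Python model of what DAI and IP Source Guard check on an untrusted port. It uses a constructed binding table shaped like the "show ip source binding" output from the previous section, the two ARP ACL entries from this section as static mappings, and a per-interface rate limit with the 1-second burst interval that err-disables the port once the limit is exceeded, as the rate-limit text above describes. Interface names, packet fields and timestamps are constructed for the example.

```python
from collections import defaultdict

# Constructed binding table in the shape "show ip source binding" prints after DHCP snooping
# has learned the leases: (mac, ip, vlan).
BINDINGS = {
    ("00:00:11:11:11:11", "10.1.1.1", 2),
    ("00:00:22:22:22:22", "10.1.1.2", 2),
    ("00:00:33:33:33:33", "10.1.1.3", 2),
}

# Static IP-to-MAC mappings, the equivalent of the ARP access-list above applied with
# "ip arp inspection filter", for hosts that do not get their address from DHCP.
ARP_ACL = {"20.1.1.2": "0000.1111.1111", "20.1.1.3": "0000.3333.3333"}

DEFAULT_RATE_PPS = 15   # "ip arp inspection limit rate" default, burst interval of 1 second


def norm_mac(mac):
    """Accept 0000.1111.1111 or 00:00:11:11:11:11 and return the bare 12-digit hex form."""
    return mac.replace(".", "").replace(":", "").lower()


def arp_body_is_valid(sender_mac, sender_ip, vlan, bindings=BINDINGS, arp_acl=ARP_ACL):
    """DAI body check: the sender IP/MAC pair must match a static ARP ACL entry or a snooping binding."""
    mac = norm_mac(sender_mac)
    if sender_ip in arp_acl:                      # static entries are consulted before the DHCP bindings
        return norm_mac(arp_acl[sender_ip]) == mac
    return any(norm_mac(b_mac) == mac and b_ip == sender_ip and b_vlan == vlan
               for b_mac, b_ip, b_vlan in bindings)


class DaiInspector:
    """Per-interface ARP inspection with the CPU rate limit that protects the switch from ARP floods."""

    def __init__(self, trusted=(), rate_limits=None):
        self.trusted = set(trusted)               # uplinks / DHCP server ports: not inspected, not rate-limited
        self.rate_limits = dict(rate_limits or {})
        self.errdisabled = set()
        self.counts = defaultdict(int)            # (interface, second) -> ARP packets seen in that burst interval

    def inspect(self, pkt):
        """Return 'forward', 'drop' (failed validation or port already down) or 'errdisable' (limit exceeded)."""
        iface = pkt["interface"]
        if iface in self.trusted:
            return "forward"
        if iface in self.errdisabled:
            return "drop"
        bucket = (iface, int(pkt["time"]))
        self.counts[bucket] += 1
        if self.counts[bucket] > self.rate_limits.get(iface, DEFAULT_RATE_PPS):
            self.errdisabled.add(iface)           # stays down until errdisable recovery or shut/no shut
            return "errdisable"
        ok = arp_body_is_valid(pkt["sender_mac"], pkt["sender_ip"], pkt["vlan"])
        return "forward" if ok else "drop"


def run_constructed_sample():
    """Feed a few constructed ARP packets through the inspector and return the verdicts."""
    dai = DaiInspector(trusted={"Gi3/0/24"}, rate_limits={"Gi3/0/1": 5})
    legit = dict(interface="Gi3/0/2", vlan=2, sender_mac="00:00:22:22:22:22", sender_ip="10.1.1.2", time=0.1)
    spoof = dict(legit, sender_mac="00:00:99:99:99:99")      # another MAC claiming 10.1.1.2
    flood = [dict(legit, interface="Gi3/0/1", time=1.0 + i / 100) for i in range(6)]  # 6 ARPs in one second
    return {
        "legit": dai.inspect(legit),
        "spoof": dai.inspect(spoof),
        "flood": [dai.inspect(p) for p in flood],
        "after_errdisable": dai.inspect(dict(legit, interface="Gi3/0/1", time=5.0)),
        "trusted_uplink": dai.inspect(dict(spoof, interface="Gi3/0/24")),
    }
```

The last verdict is the point of the "trust" keyword: a trusted port is simply not inspected, which is why the uplinks carrying legitimate DHCP and ARP traffic must be trusted and every access port must not be.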
____________________________________________________________________________________________________________________
SNMP
____________________________________________________________________________________________________________________
Send the SNMP traps, Community "Public", to the NMS Server:
(config)#snmp-server host 192.168.1.1 traps [Public | Private]
When the traps contain MAC Address Add/Remove notifications, have in mind the QUANTITY, so control it with:
(config)#mac address-table notification change history-size 150 <--- LIMIT THE TABLE CAPACITY TO 150
(config)#mac address-table notification change interval 1800 <--- SEND TRAP EVERY 30 MINUTES (1800 seconds)
If you need to configure some deeper changes, or set timers, they are done within each particular COMMAND/TRAP, so:
(config)#mac address-table notification [more options like INTERVAL...]
____________________________________________________________________________________________________________________
MONITORING
____________________________________________________________________________________________________________________
RSPAN - Don't forget to CREATE the VLAN specially for the RSPAN:
(config)#vlan 22
(config-vlan)#remote-span
____________________________________________________________________________________________________________________
LOGGING
____________________________________________________________________________________________________________________
Remote IP:
(config)#logging x.y.z.w
Or Locally in a FILE:
(config)#logging file flash:syslog 7 <--- 7 is DEBUGGING, so LOG EVERYTHING 0-7
  emergencies    System is unusable                  (severity=0)
  alerts         Immediate action needed             (severity=1)
  critical       Critical conditions                 (severity=2)
  errors         Error conditions                    (severity=3)
  warnings       Warning conditions                  (severity=4)
  notifications  Normal but significant conditions   (severity=5)
  informational  Informational messages              (severity=6)
  debugging      Debugging messages                  (severity=7)
Add/Remove TIMESTAMPS
(config)#no service timestamps debug
(config)#no service timestamps log
Specific (more GRANULAR) logging settings can be configured on the INTERFACE LEVEL:
(config-if)#logging event ?
  bundle-status        BUNDLE/UNBUNDLE messages
  link-status          UPDOWN and CHANGE messages
  nfas-status          NFAS D-channel status messages
  power-inline-status  Inline power messages
  spanning-tree        Spanning-tree Interface events
  status               Spanning-tree state change messages
  subif-link-status    Sub-interface UPDOWN and CHANGE messages
  trunk-status         TRUNK status messages
____________________________________________________________________________________________________________________
STORM CONTROL
____________________________________________________________________________________________________________________
To LIMIT a type of traffic (BROADCAST or MULTICAST or UNICAST). To limit the Broadcast to 50%:
(config-if)#storm-control broadcast level 50.00 <-LIMIT THIS TYPE OF TRAFFIC (also valid for MULTICAST or UNICAST)
(config-if)#storm-control action [shutdown | trap] <-DEFINE THE ACTION
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
*BRIDGE GROUP is a VIRTUAL BRIDGE inside the Router, with its own MAC address table. To configure a VLAN associated with a bridge group with a default native VLAN:
(config)#interface FastEthernet0/0.16
(config-subif)#encapsulation dot1Q 16 <-FOR VLAN 16
(config-subif)#bridge-group 1
You need to define the BRIDGING PROTOCOL, and set it to ROUTE the IP traffic:
(config)#bridge 1 protocol ieee
(config)#bridge 1 route ip
If, for example, VLAN 16 ends on the other side in a SVI, and you want it to be PING-able from the local router.
IP Services
____________________________________________________________________________________________________________________
IMPORTANT:
HSRP: UDP to Multicast Address 224.0.0.2 (all routers)
VRRP: Directly over IP, Protocol 112
HSRPv2: Also UDP, solves the conflict with the CGMP Leave Messages, Multicast Address 224.0.0.105
TIP: When a CLIENT sends an ARP request for an IP which is outside its own segment, the router responds with its own MAC address. This is called Proxy ARP; it's ON by default on Fast Ethernet interfaces, and it can be disabled:
(config-if)#no ip proxy-arp
____________________________________________________________________________________________________________________
To check the current configuration, including the HSRP Status and whether the preempt option is configured:
#sh standby brief
If you need to TRACK an interface, be sure to define for how much you want to decrease the HSRP priority in order to fail over to the HSRP Peer, and be sure that the active neighbor has Preempt configured:
(config-if)#standby 1 track serial 0/1/0.21 60
____________________________________________________________________________________________________________________
TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup, and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Master for VRRP Group 1 and Backup for VRRP Group 2
VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug on the VRRP Pair router is as follows (before the authentication is configured on BOTH):
#debug vrrp
*13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
#u all
All possible debugging has been turned off
!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default!
____________________________________________________________________________________________________________________
AVG (Active Virtual Gateway) - the MASTER Router, in charge of assigning Virtual MAC Addresses to the other Routers; it has to know ALL the MACs of the AVFs.
AVFs (Active Virtual Forwarders) - the rest of the Routers, which take over the AVG function if the AVG dies.
#sh glbp br
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Standby  10.1.1.100      10.1.1.2        local
Fa0/0       1    1   7   Active   0007.b400.0101  local           -
Fa0/0       1    2   7   Listen   0007.b400.0102  10.1.1.2        -
You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can choose the Load Balancing method:
(config-if)#glbp 1 load-balancing ?
  host-dependent  Load balance equally, source MAC determines forwarder choice
  round-robin     Load balance equally using each forwarder in turn
  weighted        Load balance in proportion to forwarder weighting (GLBP places a WEIGHT on each router)
  <cr>
As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC of AVF that has failed.
(config-if)#glbp 1 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify time-out values for failed forwarders
Tracking is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object. The advantage is that you can track 2 interfaces at once!!!
(config)#track 1 interface fa0/0 ?
  ip             IP parameters                  <- TO TRACK IP ROUTING
  line-protocol  Track interface line-protocol  <- TRACK IF THE INTERFACE IS DOWN
(config)#track 1 interface fa0/0 line-protocol
(config)#track 2 interface s0/1/0 line-protocol
#show track
Track 1
  Interface FastEthernet0/1 line-protocol
  Line protocol is Up
    1 change, last change 00:02:39
Track 2
  Interface Serial0/1/0 line-protocol
  Line protocol is Up
    1 change, last change 00:02:10
Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (if any of the tracked interfaces goes DOWN, the WEIGHT will be decremented by 10, but these values can be tuned):
(config-if)#glbp 1 weighting track 1
(config-if)#glbp 1 weighting track 2
____________________________________________________________________________________________________________________
Step 4: TEST by pinging the IP behind the routers that are supposedly advertising the GW. PING will work ONLY if Proxy-ARP is enabled on the IP Interface:
#sh ip inter fa0/0 | i ARP
  Proxy ARP is enabled <- THIS ONE MATTERS
  Local Proxy ARP is disabled
#show ip route
Gateway          Using   Interval  Priority
10.187.117.2     IRDP    4         600
10.187.117.1     IRDP    4         200
When you do a DEBUG of ICMP, you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW:
#debug ip icmp
ICMP packet debugging is on
*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
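Added example, not from the notes: an RFC 1256 Router Advertisement (the "type 9, code 0" message seen in the debug above) builder and parser in Python, with the ICMP checksum, plus the host-side selection rule (highest preference among the routers on the local subnet, which is how the Priority 600 gateway wins in the "show ip route" output). The addresses and preferences reuse the values from this section; the lifetime value and the off-link "rogue" address used for the check are constructed.

```python
import struct
import ipaddress

ICMP_ROUTER_ADVERT = 9          # ICMP type 9, code 0: Router Advertisement (RFC 1256)
PREF_NEVER_USE = -0x80000000    # preference 0x80000000 means "never use this router as a default"


def inet_checksum(data):
    """RFC 1071 one's-complement checksum as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advert(routers, lifetime=1800):
    """Build an ICMP Router Advertisement; routers is a list of (address, preference) tuples."""
    # Type, Code, Checksum (0 while computing), Num Addrs, Addr Entry Size (2 words), Lifetime.
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0, len(routers), 2, lifetime)
    body = b"".join(struct.pack("!Ii", int(ipaddress.IPv4Address(a)), pref) for a, pref in routers)
    msg = header + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_router_advert(msg):
    """Validate and decode an ICMP Router Advertisement; raises ValueError on anything malformed."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(msg) != 0:               # checksum over the whole message must come out as zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, num, entry_size, lifetime = struct.unpack("!BBHBBH", msg[:8])
    if icmp_type != ICMP_ROUTER_ADVERT or code != 0:
        raise ValueError("not a router advertisement (type %d, code %d)" % (icmp_type, code))
    if entry_size != 2:
        raise ValueError("unsupported address entry size %d" % entry_size)
    if len(msg) < 8 + 8 * num:
        raise ValueError("advertisement shorter than Num Addrs claims")
    routers = []
    for i in range(num):
        addr, pref = struct.unpack_from("!Ii", msg, 8 + 8 * i)
        routers.append((str(ipaddress.IPv4Address(addr)), pref))
    return {"lifetime": lifetime, "routers": routers}


def is_valid_advert(msg):
    try:
        parse_router_advert(msg)
        return True
    except (ValueError, struct.error):
        return False


def choose_gateway(adverts, local_net):
    """Host-side rule: ignore off-link and never-use entries, then take the highest preference."""
    net = ipaddress.ip_network(local_net)
    candidates = [(pref, addr) for adv in adverts for addr, pref in adv["routers"]
                  if pref != PREF_NEVER_USE and ipaddress.ip_address(addr) in net]
    return max(candidates)[1] if candidates else None
```

The off-link check in choose_gateway is the part worth keeping when you monitor these messages: an advertisement for an address that is not on the receiving subnet can never be a usable default gateway, so it is a sign of misconfiguration at best.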
____________________________________________________________________________________________________________________
Step 2: Define the ACL that controls who will be able to send queries to DRP:
(config)#access-list 11 permit 10.182.131.15
Step 4: Create the key-chain and set the DRP to use it for authentication:
(config)#ip drp authentication key-chain DRP_CHAIN
____________________________________________________________________________________________________________________
On the WAN interface enable checking if the packets need to be redirected to a web cache. Enable the redirection of outgoing destination port 80 packets on the interface:
(config-if)#ip wccp web-cache redirect out
Define the ACL that only contains the Cache Engine IP:
(config)#access-list 11 permit 10.182.131.15
____________________________________________________________________________________________________________________
Now if you set this time really well, and the Switch is new generation and you really trust it, then in order to have the entire network synchronized (and absolutely no external NTP available), set the most awesome switch to be an NTP Server:
(config)#ntp master ?
  <1-15>  Stratum number <- STRATUM Number, all DOWNSTREAM routers shall have the SERVER's stratum + Number of HOPS
#show ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:
(config)#ntp server 131.1.13.1
Don't forget to configure the NTP BROADCAST on the Interfaces of the NTP Master/Client Switches:
(config-if)#ntp broadcast <- On the NTP MASTER
(config-if)#ntp broadcast client <-ON NTP CLIENTS
If you want to PEER two switches within the network, so that they synchronize the time together:
(config)#ntp peer 150.1.2.2
____________________________________________________________________________________________________________________
Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500
(config-sla-monitor-udp)#frequency 5 <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1 <- HOW LONG THE STATISTICS ARE KEPT
(config-sla-monitor-udp)#request-data-size 1500 <- PACKET SIZE
And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only):
(config)#ip sla monitor schedule 10 start-time now life 100
Number of errors: 0
If you are using IP SLA for ROUTING, meaning - you want to TRACK a certain route using ICMP (ping), and depending on the result - "tune" the routing table, you have 2 options:
OPTION 1: Use a simple TRACK object to track a certain route, and attach it to the STATIC ROUTE:
(config)#track 10 ip route 10.1.12.0 255.255.255.0 reachability
(config)#ip route 1.0.0.0 255.0.0.0 10.1.12.2 track 10
Check the status of the TRACK 10 object, and based on that - you can know if your STATIC route is UP:
#sh track 10
Track 10
  IP route 10.1.12.0 255.255.255.0 reachability
  Reachability is Up (connected)
    3 changes, last change 00:04:04
  First-hop interface is Serial0/1/0
  Tracked by:
    STATIC-IP-ROUTING 0
IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol, like OSPF:
#sh track 10
Track 10
  IP route 10.1.12.0 255.255.255.0 reachability
  Reachability is Up (OSPF) <- THIS IS NOT WHAT WE WANTED TO ACHIEVE HERE
    3 changes, last change 00:03:59
  First-hop interface is FastEthernet0/0
  Tracked by:
    STATIC-IP-ROUTING 0
OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) to monitor end-to-end response
STEP 1: DEFINE THE IP SLA OBJECT
(config)#ip sla monitor 10
(config-sla-monitor)#type echo protocol ipIcmpEcho 10.1.12.2 source-ipaddr 10.1.12.1
(config-sla-monitor-echo)#frequency 5
STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE, like in option 1.
____________________________________________________________________________________________________________________
STATIC NAT
____________________________________________________________________________________________________________________
You can do STATIC NAT and just "go out" of the router with a different IP address:
(config)#ip nat inside source static 10.2.2.1 131.1.12.3 [extendable]
*Traffic sourced from 10.2.2.1 sent to ALL destinations will seem to come from 131.1.12.3 to the outside world
*Extendable is used if you need 1 LOCAL IP to be mapped to Various Public IPs
(config)#int s0/1/0.21 <- PUBLIC
(config-subif)#ip nat outside
#sh ip nat translations
Pro Inside global      Inside local
--- 131.1.12.3         10.2.2.1
Inside Local - Private IP of the host in your Network
Inside Global - Public IP that the outside network sees your hosts as
Outside Local - How the local network sees the IP of the remote host
Outside Global - Public IP of the remote host
If you want to do static NAT for a SUBNET:
(config)#ip nat inside source static network 10.2.2.0 200.2.2.0 /24
____________________________________________________________________________________________________________________
DYNAMIC NAT
____________________________________________________________________________________________________________________
Step 1: Define the POOL of the Inside Global IPs (Public), which your Private IPs will be NAT-ed into:
(config)#ip nat pool INSIDE_GLOBAL 131.1.12.3 131.1.12.8 prefix-length 24
Step 2: Define the ACCESS-LIST of the PRIVATE IPs, which are the ones that will be NAT-ed (Inside Local)
(config)#access-list 1 permit 10.2.2.0 0.0.0.255
Do not forget to specify the INSIDE and the OUTSIDE Interface (I often do, and the Troubleshooting is not as much fun as you might expect)
#sh ip nat translations <- BE SURE TO PING SOMETHING BEFORE YOU CHECK THE TRANSLATIONS:
Pro  Inside global      Inside local       Outside local      Outside global
icmp 131.1.12.3:2       10.2.2.2:2         15.10.1.1:2        15.10.1.1:2
---  131.1.12.3         10.2.2.2           ---                ---
DEBUG IP NAT:
*Oct 29 16:25:54.766: NAT: s=10.2.2.1->131.1.12.3, d=15.10.1.1 [64]
If you need the HOST portion matched, add the "type match-host" argument to the NAT POOL definition:
(config)#ip nat pool LAB4 200.2.2.1 200.2.2.5 prefix-length 24 type match-host
If you need the SOURCE&DESTINATION matched, define it in the EXTENDED ACL, and match it in a Route Map; do not attach the ACL directly to the "ip nat" configuration line.
____________________________________________________________________________________________________________________
Step 2: Define an ACL with the Inside Global IP (Public ones, the one were NAT-ing into):
(config)#access-list 1 permit 200.2.2.2
Step 3: Do the inside NAT with the ACL 1 as the DESTINATION list, and the POOL or LOCAL IPs:
(config)#ip nat inside destination list 1 pool ?
  WORD  Pool name for local addresses
Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
(config)#int lo0
(config-if)#ip nat inside
(config-if)#int s0/1/0.21
(config-subif)#ip nat outside
Be sure that the routing is in place (both the go and the return path towards the NAT-ed IP, 200.2.2.2)!!!
Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:
#sh ip nat translations
Pro Inside global      Inside local       Outside local          Outside global
tcp 200.2.2.2:23       10.2.2.1:23        131.1.12.1:20186       131.1.12.1:20186
tcp 200.2.2.2:23       10.2.2.2:23        131.1.12.1:25096       131.1.12.1:25096
tcp 200.2.2.2:23       10.2.2.3:23        131.1.12.1:20389       131.1.12.1:20389
____________________________________________________________________________________________________________________
Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:
Step 2.1: Create the Inside Global IP Pool of any addresses from the Link towards the other Router, and configure the NAT Overload with the defined pool:
(config)#ip nat pool OVERLOAD 15.10.1.2 15.10.1.2 prefix-length 24
(config)#ip nat inside source list 1 pool OVERLOAD overload
Step 2.2: Configure the NAT to point to the Interface you need the traffic to go out from:
(config)#ip nat inside source list 1 interface s0/1/0.21
____________________________________________________________________________________________________________________
So when you try to telnet R1s IP using the port 80, from the router on the s0/0.5 side you see the following debug:
*Nov  6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053] <- 131.1.14.4: Router from where we telnet
*Nov  6 15:54:48.707: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31747] <- NATed and FWD-ed to 15.10.123.3
*Nov  6 15:54:48.735: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23054]
*Nov  6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23055]
*Nov  6 15:55:48.739: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31748]
*Nov  6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23056]
*Nov  6 15:56:48.763: NAT*: s=15.10.123.3->131.1.14.1, d=131.1.14.4 [31749]
*Nov  6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23057]
*Nov  6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23058]
____________________________________________________________________________________________________________________
Step 3: Static NAT redundancy with HSRP. After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1
This means that the traffic originated from the IP 10.185.117.1 will be NAT-ed into 152.168.13.9.
Tests: In this example the router 10.185.117.1 is pinging the IP 10.185.117.4. The final router (232.32.32.4) does have the route back to 152.168.13.9. When the DEBUG is done on the router, the PING done from 10.185.117.1 gives the following display:
*Nov  7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]
*Nov  7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]
*Nov  7 11:34:02.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [227]
*Nov  7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [228]
*Nov  7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [228]
*Nov  7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [229]
*Nov  7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [229]
*Nov  7 11:34:04.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [230]
*Nov  7 11:34:04.610: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [230]
____________________________________________________________________________________________________________________
Step 2: In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the Stateful NAT group configuration, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1
Step 3: The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID, which is called "mappingid" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1
Step 4: Consider adding features such as Asymmetric queuing, or define a specific protocol for the redundancy group.
(config-ipnat-snat-red)#?
IP Stateful NAT Redundancy mode configuration commands:
  as-queuing  Disable asymmetric process for this redundancy group
  exit        Exit from IP Stateful NAT Redundancy config mode
  mapping-id  Configure mapping-id for this redundancy group
  no          Negate or set default values of a command
  protocol    Select transport protocol for this redundancy group
Step 5: Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1
No entries will appear until you perform a PING, and when you do, and do a debug, you'll see:
*Nov  7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov  7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov  7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov  7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov  7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
*Nov  7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]
*Nov  7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]
*Nov  7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]
*Nov  7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]
*Nov  7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]
*Nov  7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]
*Nov  7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]
*Nov  7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]
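As an added example (not part of these notes), a small Python parser for the "debug ip nat" lines shown in the static NAT, HSRP and Stateful NAT sections above: the field carrying "->" is the one the router rewrote, which gives the packet direction, so the (inside local, inside global) bindings can be collected and compared against the static mappings you intended to configure. The sample lines are constructed from the addresses in those sections; the expected-mapping dictionary is an assumption standing in for your "ip nat inside source static" lines.

```python
import re

# Constructed sample in the shape of the "debug ip nat" lines shown above
# (addresses taken from the notes; the SNAT bookkeeping line is there to
# show that non-translation lines are skipped).
SAMPLE_DEBUG = """\
*Nov  7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]
*Nov  7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]
*Nov  7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov  7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov  7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
*Nov  6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->15.10.123.3 [23053]
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
    r"NAT(?P<fast>\*)?: "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? "
    r"\[(?P<ip_id>\d+)\]$"
)


def parse_nat_line(line):
    """Parse one 'debug ip nat' line into a dict, or None if it is not a
    translation record (SNAT bookkeeping, other debugs).

    A rewritten source address means an inside->outside packet; a rewritten
    destination means the return (or outside-initiated) packet. "NAT*" marks
    the fast-switched path, plain "NAT:" the first, process-switched packet
    of a flow.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "fast_path": m["fast"] is not None,
        "ip_id": int(m["ip_id"]),
    }
    if m["s_new"] and not m["d_new"]:
        rec.update(direction="inside->outside",
                   inside_local=m["s"], inside_global=m["s_new"],
                   outside=m["d"])
    elif m["d_new"] and not m["s_new"]:
        rec.update(direction="outside->inside",
                   inside_local=m["d_new"], inside_global=m["d"],
                   outside=m["s"])
    else:
        # Both or neither address rewritten: not one of the single-field
        # translations these notes show, so report it without interpreting.
        rec.update(direction="other", raw=m.group(0))
    return rec


def bindings(debug_text):
    """Set of (inside local, inside global) pairs observed in the debug."""
    pairs = set()
    for line in debug_text.splitlines():
        rec = parse_nat_line(line)
        if rec and rec["direction"] != "other":
            pairs.add((rec["inside_local"], rec["inside_global"]))
    return pairs


def unexpected_bindings(debug_text, static_map):
    """Observed translations that contradict the intended static mappings.

    static_map is {inside_local: inside_global}, mirroring the
    'ip nat inside source static <local> <global>' lines you configured
    (an assumed input here). Returns the sorted (local, global) pairs whose
    local address is in the map but was translated to a different global.
    """
    return sorted(
        (local, glob) for local, glob in bindings(debug_text)
        if local in static_map and static_map[local] != glob
    )
```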
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
NAT on a Stick
____________________________________________________________________________________________________________________
When a NAT router uses the same interface for both INSIDE and OUTSIDE NAT, the trick is the following:
Step 1: Define:
- One normal interface, Fa0/0 for example, for "ip nat outside" and PBR ("ip policy route-map NAT_MAP") & "no ip redirects"
- One Loopback interface for "ip nat inside"
Step 2: Define the Route Map MATCHING the Source and Destination IP ACL, and SETTING the Loopback interface:
(config)#route-map NAT_MAP
(config-rmap)#match ip address ACL_1
(config-rmap)#set interface lo0
____________________________________________________________________________________________________________________
DHCP Server
____________________________________________________________________________________________________________________
Using the DHCP Pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DHCP on a Cisco Router:
Step 1: Enable the DHCP Server on the Device (Don't forget this step!!!):
(config)#service dhcp
Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address 172.25.185.252 172.25.185.254
Step 4: Disable the DHCP Logging of the Conflicts, because quite a few are likely to occur, and your log file can fill up the memory:
(config)#no ip dhcp conflict logging
Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it. So - create another DHCP pool, and assign the host's IP and MAC address (THIS HOST WILL INHERIT THE CONFIG FROM THE DEFAULT POOL):
(dhcp-config)#host 10.184.117.37
(dhcp-config)#hardware-address 0014.2526.ef46
____________________________________________________________________________________________________________________
KRON - The Command Scheduler (KRON) Policy for System Startup feature enables support for the Command Scheduler upon system startup.
STEP 1: Define the KRON Policy List, and enter the KRON configuration mode:
(config)#kron policy-list cns-weekly
(config-kron-policy)#cli ?
  LINE  Exec level cli to be executed
Example:
(config-kron-policy)#cli copy startup-config tftp://r4-config
____________________________________________________________________________________________________________________
GRE Tunnels
____________________________________________________________________________________________________________________
Cisco Documentation: Interface and Hardware Component Configuration Guide -> Implementing Tunnels
GRE (Generic Routing Encapsulation) is the basic tunnel type and the simplest to implement. For starters you need to define the Tunnel interface:
(config)#interface tunnel 0
Define the IP Address of the Tunnel Interface, and assign it the SOURCE and DESTINATION IP (These must be mutually PINGable):
(config-if)#ip address 10.187.134.121
(config-if)#tunnel source 131.1.12.1 <- YOU CAN USE AN IP ADDRESS OR AN INTERFACE AS THE SOURCE
(config-if)#tunnel destination 131.1.12.2
*you'll get a message that the interface went UP
**Check if you need to tune the routing protocol metrics on the Tunnel interfaces, if you want to prefer those, because by default the Tunnel Interface will have a higher metric.
BEST PRACTICE is to configure the tunnel using the Loopback Interfaces, and make sure you have enough redundancy so that the Loopbacks are always PING-able
____________________________________________________________________________________________________________________
To use the decompressed IOS in the DRAM, and not the compressed one in the flash
(config)#warm-reboot
To prevent the stupid message "Password required but none set" (don't do this!!!):
(config)#line vty 0 4
(config-line)#no login
(config-line)#privilege level 15 <- TO GO TO PRIVILEGE MODE DIRECTLY
To "tune" CDP:
(config)#cdp timer 10
To test:
#show archive config differences
IP Routing
____________________________________________________________________________________________________________________
This will not work for traffic transiting this router. For that you need to apply it on the interface.
____________________________________________________________________________________________________________________
*don't configure ANY routing protocol on a STUB
Step 2: Adjust CDP timers, as ODR uses CDP as a transport protocol (Ensure CDP versions match)
(config)#cdp timer seconds
____________________________________________________________________________________________________________________
RIP
____________________________________________________________________________________________________________________
RIP uses the Multicast Address 224.0.0.9 to send Hellos/updates via UDP port 520. "no auto-summary" - disables the CLASSFUL NATURE of RIP, allows classless routing, so when you check the RIP database:
#show ip rip database
1.0.0.0/8    auto-summary    *** <--- the AUTO SUMMARIES are not ADVERTISED
1.0.0.0/8    directly connected, Loopback0
10.0.0.0/8   auto-summary    ***
10.1.1.0/24  directly connected, Serial1/0.123
Network Layer Reachability Information (NLRI) - means pure reachability information carried in ROUTING UPDATES.
When you need to send the RIP Updates as UNICAST instead of Multicast packets, the "neighbor" command is used.
Be sure to check the SPLIT HORIZON in the case of a HUB-and-SPOKE configuration. If you need to DISABLE it for routing, BE SURE TO CONFIGURE the FRAME-RELAY IP-DLCI mappings manually!
* BY DEFAULT SPLIT HORIZON is DISABLED ON PHYSICAL, AND ENABLED ON MULTIPOINT INT.
#show ip inter s1/0.123 | i Split
  Split horizon is enabled
To avoid the SPLIT HORIZON and ADDITIONAL IP-DLCI mappings, you can use PPP and VIRTUAL TEMPLATES
____________________________________________________________________________________________________________________
RIP: Authentication
____________________________________________________________________________________________________________________
TIP: If you configure a "neighbor" command, that neighbor will RECEIVE the RIP updates as UNICAST, not MULTICAST. Don't forget to define the "passive-interface default" to stop the MULTICAST updates.
RIP Version 2 supports clear text and MD5 Authentication. The key-chain needs to be defined, and applied to the physical interface using the commands:
(config-if)#ip rip authentication mode md5
(config-if)#ip rip authentication key-chain CISQUEROS_CHAIN
If configured on one side only, the DEBUG IP RIP EVENTS will show:
*Aug 18 08:57:04.391: RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)
IT WILL TAKE A LOOONG TIME FOR RIP TO UPDATE THE DATABASE!!! So do the:
#clear ip route *
IMPORTANT: The passwords and the key numbers MUST be the same on all the routers for MD5. In case the Key numbers are different:
- Router with the HIGHER key number will receive ALL the routes
- Router with the LOWER key number will IGNORE (reject) all the routes received from the other router
____________________________________________________________________________________________________________________
RIP: Timers
____________________________________________________________________________________________________________________
*To see the default values:
#show ip protocol
...
  Sending updates every 30 seconds, next due in 20 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
(config-router)#timers basic ?
  <1-4294967295>  Interval between updates for RIP
(config-router)#timers basic 60 ?
  <1-4294967295>  Invalid
(config-router)#timers basic 60 360 ?
  <0-4294967295>  Holddown
(config-router)#timers basic 60 360 360 ?
  <1-4294967295>  Flush
(config-router)#timers basic 60 360 360 480 ?
  <1-4294967295>  Sleep time, in milliseconds
  <cr>
(config-router)#timers basic 60 360 360 480
To AVOID COLLISIONS you can INSERT A DELAY every time updates are sent by adding the last attribute to the TIMER SETTING:
(config-router)#timers basic 60 360 360 480 ? <1-4294967295> Sleep time, in milliseconds
Other RIP Specific Configuration parameters:
SUPPRESS flash updates when the periodic update comes in less than the configured time:
(config-router)#flash-update-threshold
Change the unprocessed RIP queue depth. Good practice on SLOW ROUTERS, and also prevents routing info from being lost
(config-router)#input-queue 75 <-DEFAULT IS 50
Define the DELAY when sending the UPDATES, when FAST router is neighbors with the SLOW one:
(config-router)#output-delay 10 <- BY DEFAULT THERE IS NO INTER-PACKET DELAY; this timer is in the range 8-50 ms
____________________________________________________________________________________________________________________
There is a way to "force" the routing updates to only one of the neighbors (UNICAST UPDATES). To achieve this you need to manually define the neighbor using the "neighbor" command, and define the interface towards the defined neighbor as PASSIVE, to prevent the Multicast Updates that are sent by default (If the interface is not defined as passive, both UNICAST and MULTICAST Updates will be sent). There is also a way to force Broadcast Updates (IP 255.255.255.255 instead of the default multicast destination 224.0.0.9) in Version 2 of RIP, and it's achieved using the Interface Command:
(config-if)#ip rip v2-broadcast
Another RIP-specific feature is injecting the default route using the "ip default-network" command. This is done in the Global Configuration mode. Dont forget to advertise the network into RIP protocol:
(config)#ip default-network 4.0.0.0
(config-router)#network 4.0.0.0
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
This way the RIP routes will be exchanged, but if the L3 Reachability is not established between the routers - the RIP routes will not be reachable.
If you need to define the EXACT SOURCES (RIP Neighbors) you want to receive the RIP Updates from - use the "gateway" keyword on a distribute-list. This works for RIP and EIGRP only. Start by defining 2 PREFIX LISTS, one for WHERE you want updates from, another to filter WHICH UPDATES you want. Once you've got your Prefix Lists configured, apply them via a Distribute List in the Router Configuration Mode:
(config-router)#distribute-list UPDATE_PREFIXES gateway PREFIX_UPDATE_SOURCES in Fa0/0
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
Step 1: Define the IP Prefix List. In this example we're allowing only the prefix 192.1.1.0/24, & denying everything else (remember this structure for selecting ALL in the Prefix List: deny 0.0.0.0/0 le 32):
(config)#ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24
(config)#ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32
*NOTE that THERE IS A DEFAULT DENY ALL AT THE END, so the Second Entry was added ONLY FOR LOGGING
Step 2: Apply the filtering using the Distribution List within the Router Protocol configuration, in the INBOUND direction, meaning filter the routes learned via RIP:
(config-router)#distribute-list prefix TEST_MAT_2 in
Step 3: Clear the routing table and check if the filtering has been applied correctly by reviewing the Routing Table
#clear ip route *
Prefix-list with the last deletion/insertion: TEST_MAT_2
ip prefix-list TEST_MAT_2:
   count: 2, range entries: 1, sequences: 5 - 10, refcount: 3
   seq 5 permit 192.1.1.0/24 (hit count: 37, refcount: 1)
   seq 10 deny 0.0.0.0/0 le 32 (hit count: 595, refcount: 1) <- CHECK HOW MANY HITS PER ENTRY
*The HITS are actually from the ROUTING PROTOCOL UPDATE PACKETS
If you want to use PREFIX LISTS to filter, for example, all subnets that DO NOT belong to RFC 1918 class A:
ip prefix-list FILTER_A seq 5 permit 0.0.0.0/1 ge 8 le 8 <- CLASS A has the first bit 0, and a Subnet Mask of /8
Class A would be: permit 0.0.0.0/1 ge 8 le 8
Class B would be: permit 128.0.0.0/2 ge 16 le 16
Class C would be: permit 192.0.0.0/3 ge 24 le 24
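An added example (not from these notes) that works through the prefix-list matching rules used in the TEST_MAT_2 and classful entries above: a candidate route matches an entry when it falls inside the entry's prefix and its mask length lies in the ge/le window, the first match wins, and an implicit deny sits at the end, with per-entry hit counters like "show ip prefix-list detail". The configuration text is constructed; TEST_MAT_2 is the list from the notes, and CLASSFUL is a name chosen here for the three classful entries.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed prefix-list configuration (TEST_MAT_2 from the notes, CLASSFUL
# is a name chosen here for the Class A/B/C entries listed above).
CONFIG = """\
ip prefix-list TEST_MAT_2 seq 5 permit 192.1.1.0/24
ip prefix-list TEST_MAT_2 seq 10 deny 0.0.0.0/0 le 32
ip prefix-list CLASSFUL seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list CLASSFUL seq 10 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list CLASSFUL seq 15 permit 192.0.0.0/3 ge 24 le 24
"""

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?P<opts>(?: (?:ge|le) \d+)*)$"
)


@dataclass
class PrefixEntry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None
    hits: int = 0

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        """IOS semantics: the candidate must lie inside the entry's prefix and
        its mask length must fall in the window [ge, le]. With neither keyword
        the length must equal the entry's own length; 'ge' alone extends the
        window up to /32, 'le' alone starts it at the entry's own length."""
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= net.prefixlen <= hi and net.subnet_of(self.prefix)


def parse_prefix_lists(text: str) -> Dict[str, List[PrefixEntry]]:
    """Build {list name: entries ordered by sequence number} from config lines."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = PrefixEntry(int(m["seq"]), m["action"],
                            ipaddress.ip_network(m["prefix"], strict=True))
        # ge/le may appear in either order on the CLI
        for kw, val in re.findall(r"(ge|le) (\d+)", m["opts"]):
            setattr(entry, kw, int(val))
        lists.setdefault(m["name"], []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins and gets its hit counter bumped; the
    implicit deny at the end is reported with seq None."""
    net = ipaddress.ip_network(route, strict=True)
    for entry in entries:
        if entry.matches(net):
            entry.hits += 1
            return entry.action, entry.seq
    return "deny", None


def hit_counts(entries: List[PrefixEntry]) -> Dict[int, int]:
    """{seq: hits}, the per-entry counters 'show ip prefix-list detail' shows."""
    return {e.seq: e.hits for e in entries}
```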
____________________________________________________________________________________________________________________
OSPF
____________________________________________________________________________________________________________________
OSPF Multicasts: 224.0.0.5 sends Hello packets to all OSPF routers on a network segment, 224.0.0.6 sends info to the DR
TIP: When using BROADCAST and NON-BROADCAST in order to PEER you MUST ADJUST THE TIMERS!!!
TIP: When you need to do a CONDITION, like do something if a certain route exists in a routing table - just use the PREFIX-LIST, and match it in the route-map: "match ip address prefix-list ROUTE_EXISTS"
TIP: When you have the L2 tunnel directly attached to an OSPF interface, better configure ignoring of MTU:
(config-if)#ip ospf mtu-ignore
TIP: To IGNORE stuff in the ospf, like LSA6 (MOSPF), under the routing process:
(config-router)#ignore lsa mospf
WHEN you need to advertise Loopbacks with the CORRECT MASKS, be sure to do "ip ospf network point-to-point", otherwise they will be sent with /32 (/32 might be required for Multicast or MPLS, so be careful with this!)
____________________________________________________________________________________________________________________
TIP: When doing a HUB-AND-SPOKE, configure Point-to-Multipoint on a HUB, and ADJUST THE TIMERS!!!
Type 4: POINT-TO-MULTIPOINT
No DR, no "neighbor" commands. Slow timers (120/30 seconds). "broadcast" is mandatory on FR Mappings!!! The HUB will just advertise the routes learned from ONE SPOKE to the other, as if it were the DR. !!!HUB must have a .multipoint Sub-interface, while on SPOKES you can use a .multipoint or the Physical Interface.
Type 5: POINT-TO-MULTIPOINT NON-BROADCAST
Cisco Proprietary, like P2MP, with NO BROADCASTS ALLOWED! Timers are still slow, 30 and 120 Seconds. Next hop is ALWAYS the router you are directly connected to.
(config-if)#ip ospf network point-to-multipoint non-broadcast
____________________________________________________________________________________________________________________
Even so, you should define the "router ospf 1" process in the Global Configuration mode before the interface (it's not necessary for the OSPF PEERING, but it avoids restarting the OSPF process later because of a Router ID change). Being defined as a P2P network - DR and BDR election will not take place. The state of all the OSPF Neighbors will be "FULL/-", as presented below:
#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:30    10.1.23.3       GigabitEthernet0/0
1.1.1.1           0   FULL/  -        00:00:34    10.1.12.1       Serial1/0
This way the interface is configured to automatically belong to the Area 0, and the interface Subnet will be "injected" into the OSPF Area. If there is SECONDARY IP configured on the interface - it will also be advertised. If however you do NOT want to advertise the Secondary IP, you can do the following specific OSPF command:
(config-if)#ip ospf 1 area 0 secondaries none
____________________________________________________________________________________________________________________
OSPF: Timers
____________________________________________________________________________________________________________________
Standard commands for setting the OSPF timers are "ip ospf hello-interval" and "ip ospf dead-interval" on the interface level. If you need values smaller than 1 second for hello, you need to use the following ("minimal" means less than 1 second):
(config-if)#ip ospf dead-interval minimal hello-multiplier 4
*VALUE MUST MATCH BETWEEN THE NEIGHBORING INTERFACES When ACK hasnt been received for the LSA, the router keeps LSA, and default is to wait 5 secs to re-send. To change:
(config-if)#ip ospf retransmit-interval 10
  retransmit-interval  Time between retransmitting lost link state advertisements
____________________________________________________________________________________________________________________
OSPF: Authentication
____________________________________________________________________________________________________________________
You can enable the OSPF Authentication:
1. Globally on the Router, in the "router ospf" configuration, so it's enabled on all the Interfaces of the area:
(config-router)#area 0 authentication <- Plain Text Authentication
(config-router)#area 0 authentication message-digest <- MD5 Authentication
Check what type of OSPF Authentication has been configured and what Key/Password is applied:
#show ip ospf interface s1/0.12 | b authentic
  Simple password authentication enabled
When you need to CHANGE the PASSWORD without the service interruption, configure the 2nd KEY, and remove the 1st:
(config-if)#ip ospf message-digest-key 2 MD5 SECOND_KEY
*Authentication always uses the YOUNGEST KEY (the one that was configured last)
____________________________________________________________________________________________________________________
- Be sure to include the word "subnets", otherwise it's going to redistribute the classful networks ONLY!
- By default the routes are redistributed into OSPF with Metric 20, Metric-type 2 (E2). AD is still 110.
You can define the MAXIMUM NUMBER of prefixes to be redistributed into OSPF, and the % at which to give the first warning message. Here MAX 10 prefixes can be redistributed, and at 70% of that a Warning Message is displayed:
(config-router)#redistribute maximum-prefix 10 70 warning-only
____________________________________________________________________________________________________________________
On the ASBR, summarize the External (redistributed into OSPF) Routes using the "summary-address" command:
(config-router)#summary-address 4.4.0.0 255.255.252.0
If you want to prevent the route Null0 in the routing table, just exclude the discard-route:
(config-router)#no discard-route [internal | external] <- INTERNAL on ABR, EXTERNAL on ASBR
____________________________________________________________________________________________________________________
Can multiple Virtual Links be formed? YES!!! So for example if we have the following scenario:
Cisqueros_R1 - Area 0 - Cisqueros_R2 - Area 1 - Cisqueros_R3 - Area 2 - Cisqueros_R4 - Area 3 - Cisqueros_R5
We would need to create 2 virtual links:
- AREA 1 VIRTUAL LINK between Cisqueros_R2 and Cisqueros_R3 so that Area 2 would have communication with Area 0
- AREA 2 VIRTUAL LINK between Cisqueros_R3 and Cisqueros_R4 so that Area 3 could communicate with Area 1, and therefore with Area 0
Cisqueros_R2:
(config-router)#area 1 virtual-link 3.3.3.3
Cisqueros_R3:
(config-router)#area 1 virtual-link 2.2.2.2 (config-router)#area 2 virtual-link 4.4.4.4
Cisqueros_R4:
(config-router)#area 2 virtual-link 3.3.3.3
Let's check the OSPF Neighbors again on the Cisqueros_R3 router:
#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -           -        10.1.23.2       OSPF_VL1
4.4.4.4           0   FULL/  -           -        10.1.34.4       OSPF_VL0
2.2.2.2           0   FULL/  -        00:00:34    10.1.23.2       Serial1/0.32
4.4.4.4           0   FULL/  -        00:00:33    10.1.34.4       Serial1/0.34
Have in mind that routers Cisqueros_R3 and Cisqueros_R4 are now VIRTUALLY connected to Area 0, so if you enable the authentication on the Cisqueros_R1 interface towards Cisqueros_R2, you also must enable it on Cisqueros_R3 and Cisqueros_R4 FOR AREA 0!!! If you need AUTHENTICATION for the Virtual Link, append it to the virtual-link command:
(config-router)#area 1 virtual-link 2.2.2.2 authentication [md5 | WORD]
____________________________________________________________________________________________________________________
OSPF Cost
____________________________________________________________________________________________________________________
NLRI - Network Layer Reachability Information
OSPF routes are mainly classified based on their metric, where the Metric and Cost are calculated based only on the Link Bandwidth: Cost = 100/(BW[Mbps]). There are two things you could play with here:
1. Set the REFERENCE BW (because with the formula above the Max cost value is 1, and we don't want the same values for a 100M and a 10G link). Don't forget to clear the OSPF process in order for the changes to take effect:
(config-router)#auto-cost reference-bandwidth 10000 <--- it's in Mbps
#clear ip ospf process
Metric is 84, which is the cost of the Serial interface between routers 1 and 2, plus the Cost of the Loopback0 interface on Router 1. The default cost of the Loopback interface is 1, so it actually increased by 20-1 = 19
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
Step 2. Define the SOURCE and the DESTINATION of the tunnel, MAKE SURE THESE ARE REACHABLE
(config-if)#tunnel source 100.10.34.3
(config-if)#tunnel destination 100.10.34.4
If we are using OSPF then the Tunnel subnet needs to be advertised with the "network" command on both ends of tunnel:
(config-router)#network 172.25.185.0 0.0.0.255 area 0
*The IP Address of the Tunnel MUST be advertised into Area 0 on BOTH ENDS OF THE TUNNEL!!!
You will see that the OSPF Neighbor will be formed on the Tunnel 1 interface.
#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:38    172.25.185.3    Tunnel1
3.3.3.3           0   FULL/  -        00:00:38    100.10.34.3     Serial1/0.43
5.5.5.5           1   FULL/DR         00:00:38    100.10.45.5     GigabitEthernet5/12
____________________________________________________________________________________________________________________
LSA 1 - Router LSA, One per Router (Generated by Each Router)
LSA 2 - Network LSA, One per Network (Generated by DR)
LSA 3 - Summary LSA, One per Area (generated by ABR when LSAs 1 and 2 are injected into another Area). LSA3 = Subnet + Mask + Cost to reach the Network
LSA 4 - Summary External LSA, One per Autonomous System (Generated by ASBR)
LSA 5 - External LSA, Injected into OSPF from another routing process (non-OSPF), Generated by ASBR
LSA 6 - Group Membership LSA, used for Multicast OSPF (MOSPF). It's not supported by Cisco
Cisco routers do not support LSA Type 6 Multicast OSPF (MOSPF), and they generate syslog messages if they receive such packets. If the router is receiving many MOSPF packets, you might want to configure the router to ignore the packets and thus prevent a large number of syslog messages. To disable SYSLOG generation (IGNORE LSA Type-6):
(config-router)#ignore lsa mospf
LSA 7 - NSSA External, Generated by ASBR inside the NSSA instead of LSA 5 (details explained below, NSSA Section)
Check the OSPF DATABASE and all the LSAs currently in it:
#show ip ospf database
            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)                        <- LSA1
Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         79          0x80000003 0x000E94 2
3.3.3.3         3.3.3.3         78          0x80000007 0x006F2C 4
4.4.4.4         4.4.4.4         52          0x80000004 0x007781 3

                Net Link States (Area 0)                           <- LSA2
Link ID         ADV Router      Age         Seq#       Checksum
10.1.23.3       3.3.3.3         78          0x80000001 0x00658F

                Summary Net Link States (Area 0)                   <- LSA3
Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.0         2.2.2.2         124         0x80000002 0x00B33C
2.2.2.0         2.2.2.2         124         0x80000002 0x000D20
10.1.12.0       2.2.2.2         124         0x80000002 0x00BA22
10.1.45.0       4.4.4.4         43          0x80000001 0x00F5F4
44.4.4.0        4.4.4.4         43          0x80000001 0x008077

                Router Link States (Area 1)                        <- LSA1
Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         89          0x80000007 0x00AC78

                Router Link States (Area 2)                        <- LSA1
Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         90          0x80000006 0x00AE77
____________________________________________________________________________________________________________________
OSPF STUBS
____________________________________________________________________________________________________________________
STUB Area - blocks OSPF external routes (LSA 4 and LSA 5), i.e. everything that originates from an ASBR; the ABR injects a default route into the area instead. Totally Stubby Area - a STUB area that additionally blocks LSA 3 (the Summary LSAs originated by the ABR). The ABR generates a DEFAULT ROUTE and advertises it
into the Totally Stubby area. The "no-summary" keyword is ONLY necessary on the ABR, because the ABR is the only router that actually originates the LSA 3 (every router in the area still needs "area X stub").
NSSA Area - like a STUB (blocks LSA 4 and 5), but REDISTRIBUTION into the area is allowed, using LSA 7. The ASBR inside the NSSA generates LSA
type 7 instead of LSA 5, because LSA 5 is not allowed in an NSSA. Inside the NSSA these routes show as N1/N2 in the routing table; the ABR translates LSA 7 into LSA 5 on the way out of the NSSA into the regular OSPF areas, where they show as E1/E2:
(config-router)#do sh ip route | i E1|E2|N
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
O N2    11.1.0.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2    11.1.1.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2    11.1.2.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
O N2    11.1.3.0 [110/20] via 10.1.12.1, 00:01:27, Serial1/0.21
When you need the ABR to also inject the DEFAULT ROUTE into the NSSA, use on the ABR:
(config-router)#area X nssa default-information-originate
*The default route will be injected as an N2 route (LSA 7), as LSA 5 is not allowed in the NSSA
**When it's a "Totally Stubby NSSA" (area X nssa no-summary) there is no need for this, because "no-summary" always generates a default route (as an LSA 3 inter-area default)!
NSSA Totally Stubby Area (the "Not-So-Totally-Stubby Area") - an NSSA without LSA 3; the ABR also originates the default route by default
IMPORTANT: Stubby areas DO NOT SUPPORT VIRTUAL LINKS!!! The only way around this is a GRE tunnel. No LSA 5 (E1 and E2) is advertised by the ABR into a stub area; instead the ABR injects a DEFAULT ROUTE (cost 1 by default) into the stub area, so that the external routes stay reachable. A STUB area cannot contain an ASBR (redistribution is not allowed in a stub area; if you need it, the area has to be an NSSA). The backbone area cannot be a STUB. To configure an area as a stub, configure on ALL ROUTERS in the area:
(config-router)#area X stub
When you apply the STUB configuration on only one router in an area, its neighbors go down (the stub flag in the Hello options must match on both sides). Then apply it on the others, and observe the ADJACENCY DEBUG:
319: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1001 opt 0x50 flag 0x7 len 32 mtu 1500 state INIT
319: OSPF: 2 Way Communication to 2.2.2.2 on Serial1/0.12, state 2WAY
319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Prepare dbase exchange
319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1000 opt 0x50 flag 0x7 len 32
319: OSPF: NBR Negotiation Done. We are the SLAVE
319: OSPF: Serial1/0.12 Nbr 2.2.2.2: Summary list built, size 12
319: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1001 opt 0x50 flag 0x2 len 272
515: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0.12 seq 0x1002 opt 0x50 flag 0x1 len 272
515: OSPF: Exchange Done with 2.2.2.2 on Serial1/0.12
515: OSPF: Send LS REQ to 2.2.2.2 length 120 LSA count 10
515: OSPF: Send DBD to 2.2.2.2 on Serial1/0.12 seq 0x1002 opt 0x50 flag 0x0 len 32
735: OSPF: Rcv LS UPD from 2.2.2.2 on Serial1/0.12 length 328 LSA count 10
735: OSPF: Synchronized with 2.2.2.2 on Serial1/0.12, state FULL
735: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial1/0.12 from LOADING to FULL, Loading Done
735: OSPF: Rcv LS REQ from 2.2.2.2 on Serial1/0.12 length 60 LSA count 3
*Oct 5 11:04:08.235: OSPF: Build router LSA for area 1, router ID 1.1.1.1, seq 0x80000005, process 1
#u all   <- undebug all
All possible debugging has been turned off
If you need to change the cost of the DEFAULT ROUTE Injected by default by ABR into the STUB Area:
(config-router)#area X default-cost 10 <- Change COST from 1 (default) to 10
____________________________________________________________________________________________________________________
1. DISTRIBUTE LIST - filters routes from the ROUTING TABLE, but the LSAs stay in the OSPF database. You can use an IN or an OUT filter, but have in
mind that distribute-list OUT only has an effect on the ASBR, where it filters the redistributed routes (LSA 5 and 7) before they enter the database!!! The easiest way to keep OSPF routes out of the routing table is the distribute-list IN. A DISTRIBUTE-LIST IN only affects the local router!!! Meaning: the LSAs are still flooded to the other routers; the subnets are only kept out of the local IP ROUTING TABLE. The advantage is that it's rather easy to implement, and it can filter a route derived from any type of LSA:
(config-router)#distribute-list prefix MY_PREFIX_LIST in   <- OUT would only work on the ASBR, TO FILTER LSA5 & LSA7
The big CON is that even though the route is not installed in the routing table, it stays in the database and is propagated further to the other OSPF neighbors. The route will therefore appear in the routing tables of the downstream routers, but it will not be reachable, because the filtering router along the path does not have it in its routing table and drops the traffic. The second way is reserved ONLY for the external routes, and it's the "not-advertise" keyword of the "summary-address" command:
(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- NEEDS TO BE APPLIED ON ASBR
2. FILTER LIST - filters only LSA 3, so it's applied on the ABR, and it filters from the OSPF database (the LSA 3 is never generated or flooded). The filter-list can be applied IN (into
the area) or OUT (out of the area). This ONLY works for LSA 3 (Summary), and therefore needs to be configured on the ABR only. Let's say that we want to filter the network 172.25.185.0/24 from Area 2. Then on the ABR we define a prefix-list that DENIES that network and PERMITS everything else:
(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32
Then apply the prefix-list as a filter-list within a OSPF configuration process for Area 2:
(config-router)#area 2 filter-list prefix JEDANES in
This will prevent the network from being advertised (as an LSA 3) into Area 2. Note that IN/OUT refers to the LSA 3s being advertised into or out of Area 2.
3. NOT-ADVERTISE - suppresses the summary that would be generated for a range of prefixes, so it filters from both the routing table and the OSPF database of the other routers. It exists on both
the "area X range" command (ABR: suppresses the LSA 3 that would be built from the intra-area LSA 1 and LSA 2 prefixes of area X) and the "summary-address" command (ASBR: suppresses the LSA 5/7 for redistributed prefixes). So if you need to filter prefixes that sit in LSA 1 and 2, use "area X range ... not-advertise", and ONLY ON THE ABR!
(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise
4. Tune the ADMINISTRATIVE DISTANCE - set the AD of the routes advertised by a given router to 255, so that they are never installed (UNREACHABLE):
(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 3.3.3.3 is the Router-ID of the advertising router (in OSPF the source is the originator, not the next hop); 10 is an ACL matching the prefixes and it's OPTIONAL
5. DATABASE-FILTER - if you want to prevent ANY LSAs from being flooded to a neighbor (can be applied per neighbor or per interface):
(config-subif)#ip ospf database-filter all out <- PER INTERFACE
(config-router)#neighbor x.x.x.x database-filter all out <- PER NEIGHBOR
6. MATCH IP ROUTE-SOURCE in the Route-map - In OSPF it's not the NEXT HOP but the ORIGINATOR Router-ID of the PREFIX
(config-route-map)#match ip route-source 4 <- ACL 4 includes the Router-ID
Be sure which type of LSA you need to filter by checking in which part of the database the route sits:
#show ip ospf database [router | network | summary | asbr-summary | external | nssa-external]
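As an added example (Python written for these notes, not from the original and not Cisco code), here is a small parser for the summary "show ip ospf database" listing: it tags every entry with its LSA type and area, so you can see in which part of the database a prefix sits and therefore which of the filtering tools above applies. The sample text is the database listing from these notes re-typed by hand, with the LSA 5 entry for 6.0.0.0 added from the external-LSA example further down; the FILTER_TOOL mapping is my summary of the rules above.

```python
import re
from collections import Counter

# Constructed sample: the "show ip ospf database" output from these notes,
# re-typed as text (the Type-5 entry is added from the LSA 5 example in the
# same notes) so the parser can run offline.
SAMPLE_DB = """\
            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         79          0x80000003 0x000E94 2
3.3.3.3         3.3.3.3         78          0x80000007 0x006F2C 4
4.4.4.4         4.4.4.4         52          0x80000004 0x007781 3

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.23.3       3.3.3.3         78          0x80000001 0x00658F

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.0         2.2.2.2         124         0x80000002 0x00B33C
2.2.2.0         2.2.2.2         124         0x80000002 0x000D20
10.1.12.0       2.2.2.2         124         0x80000002 0x00BA22
10.1.45.0       4.4.4.4         43          0x80000001 0x00F5F4
44.4.4.0        4.4.4.4         43          0x80000001 0x008077

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         89          0x80000007 0x00AC78 1

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
6.0.0.0         3.3.3.3         557         0x80000003 0x001286 0
"""

# Section headings of the IOS output, mapped to the LSA type they hold.
SECTION_TYPES = {
    "Router Link States": 1,
    "Net Link States": 2,
    "Summary Net Link States": 3,
    "Summary ASB Link States": 4,
    "Type-5 AS External Link States": 5,
    "Type-7 AS External Link States": 7,
}

# Which filtering tool from the notes applies to each LSA type, and where.
FILTER_TOOL = {
    1: "area X range ... not-advertise on the ABR (suppresses the LSA 3 built from it)",
    2: "area X range ... not-advertise on the ABR (suppresses the LSA 3 built from it)",
    3: "area X filter-list prefix ... in|out on the ABR",
    4: "not filterable by prefix; it only describes reachability of the ASBR",
    5: "summary-address ... not-advertise or distribute-list ... out on the ASBR",
    7: "summary-address ... not-advertise or distribute-list ... out on the ASBR",
}

HEADER_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9\- ]+?Link States)(?:\s+\(Area (?P<area>\S+)\))?\s*$")
ROW_RE = re.compile(
    r"^(?P<link_id>\d+\.\d+\.\d+\.\d+)\s+(?P<adv>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\d+)"
    r"\s+(?P<seq>0x[0-9A-Fa-f]+)\s+(?P<cksum>0x[0-9A-Fa-f]+)"
)


def parse_ospf_database(text):
    """Turn the summary LSDB listing into a list of LSA records."""
    records = []
    lsa_type = area = None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            lsa_type = SECTION_TYPES.get(head.group("name").strip())
            area = head.group("area")          # None for AS-scoped (type 5) LSAs
            continue
        row = ROW_RE.match(line)
        if row and lsa_type is not None:
            records.append({
                "type": lsa_type, "area": area,
                "link_id": row.group("link_id"), "adv_router": row.group("adv"),
                "age": int(row.group("age")), "seq": int(row.group("seq"), 16),
            })
    return records


def where_is(records, link_id):
    """(lsa_type, area) pairs in which a given Link ID appears."""
    hits = {(r["type"], r["area"]) for r in records if r["link_id"] == link_id}
    return sorted(hits, key=lambda t: (t[0], t[1] or ""))


def count_by_type(records):
    return dict(Counter(r["type"] for r in records))


def filter_advice(records, link_id):
    """Which tool blocks this Link ID, based on where it actually sits."""
    return [(t, a, FILTER_TOOL[t]) for t, a in where_is(records, link_id)]


if __name__ == "__main__":
    db = parse_ospf_database(SAMPLE_DB)
    print(count_by_type(db))
    for lid in ("10.1.45.0", "3.3.3.3", "6.0.0.0"):
        print(lid, filter_advice(db, lid))
```

Feed it the real output of "show ip ospf database" and look up the prefix before choosing between distribute-list, filter-list, area range and summary-address; a prefix that appears only as LSA 3 on this router cannot be stopped with an ASBR tool, and vice versa.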
*If you need to reach the route without passing through the router that cannot reach it, define a route-map with the next hop pointing towards an alternative path, and apply it as the local policy in global configuration mode (this only affects traffic generated by the router itself; for transit traffic apply "ip policy route-map" on the ingress interface):
(config)#ip local policy route-map ROUTE_MAP
7. Filter OSPF per Interface - If you wish to prevent LSAs to be sent via particular Interface:
(config-if)#ip ospf database-filter all out
* ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface
8. Filter OSPF per NEIGHBOR - Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the
"neighbor" command in order to configure the OSPF database filtering:
(config-router)#neighbor 5.5.5.5 database-filter all out
____________________________________________________________________________________________________________________
On the Multipoint Frame-Relay network the default OSPF type is NON-BROADCAST. This means that the OSPF Neighbors will not be formed like on the standard Broadcast Network Segment.
#show ip ospf inter s1/0
Serial1/0 is up, line protocol is up
  Internet Address 10.1.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  ...
So in order to establish the OSPF neighbors on such a segment, we can use the "neighbor" command, which makes OSPF send its Hellos to that router as UNICAST instead of MULTICAST:
(config-router)#neighbor 172.128.185.66
No need to keep "broadcast" on frame relay configuration if you use "neighbor" command, as only UNICAST is then used, so also do this:
(config-if)#frame-relay map ip 10.1.1.4 104 broadcast -> frame-relay map ip 10.1.1.4 104 (REMOVE "broadcast")
*In HUB-AND-SPOKE the spokes have no Layer 2 reachability to each other, so a "neighbor" statement between spokes makes no sense; configure the neighbor statements on the HUB. Also be sure to set the OSPF priority of the SPOKES to 0, so that they don't participate in the DR/BDR election and the hub (the only router that can reach everybody) becomes the DR:
(config-if)#ip ospf priority 0
The HUB Router will be elected as DR on every Link and exchange OSPF Database with each of the Spokes:
#show ip ospf neighbor   <--- R1 IS THE HUB
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/DROTHER    00:01:51    10.1.1.2        Serial1/0
3.3.3.3           0   FULL/DROTHER    00:01:51    10.1.1.3        Serial1/0
4.4.4.4           0   FULL/DROTHER    00:01:56    10.1.1.4        Serial1/0
*In this kind of OSPF Topology - it's not necessary to have the Frame-Relay interface configured with the "broadcast" keyword, because we are manually defining the OSPF Neighbor and turning the Links into UNICASTS. ____________________________________________________________________________________________________________________
!!!BE SURE TO MATCH THE HELLO AND DEAD TIMERS ON BOTH SIDES OF THE LINK: each router discards Hellos whose intervals differ from its own, so with mismatched timers the adjacency never forms at all!!!
#sh ip ospf int s0/1/0.14 | i Hello|Network
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
Also you need to match AREA ID and Area STUB FLAG and they must be of the SAME TYPE (Normal, BB, Stub or NSSA) ____________________________________________________________________________________________________________________
In HUB AND SPOKE topology you want to AVOID the SPOKE being elected as the DR, so set the OSPF priority to 0:
(config-if)#ip ospf priority 0 <- ON ALL THE SPOKE Routers
A router with a router priority set to zero is ineligible to become the DR or BDR, which is why it's better to set the priority on the spokes to 0 up front: the DR election is not pre-emptive, so if a spoke has already become the DR, raising the hub's priority does not help and we would have to clear the OSPF process. Then check on the HUB router, and make sure all SPOKEs appear as DROTHER:
#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/DROTHER    00:00:32    10.1.1.2        Serial1/0
3.3.3.3           0   FULL/DROTHER    00:00:38    10.1.1.3        Serial1/0
4.4.4.4           0   FULL/DROTHER    00:00:33    10.1.1.4        Serial1/0
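As an added example, the following Python model of the DR/BDR election (a simplified RFC 2328 section 9.4, written for these notes, not Cisco code) shows why the spokes get priority 0 and why a late priority change needs "clear ip ospf process": the election is not pre-emptive, an incumbent DR keeps the role. The router IDs, priorities and the hub-and-spoke scenario are assumed values (the hub gets priority 100 here to make the point visible).

```python
def _rid_key(rid):
    """Router IDs compare numerically octet by octet, as OSPF does."""
    return tuple(int(o) for o in rid.split("."))


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """Simplified RFC 2328 section 9.4 election.

    routers: {router_id: priority} for every router seen on the segment.
    current_dr/current_bdr: roles already held on the segment, if any.
    Returns (dr, bdr); either may be None.
    """
    eligible = {rid: pri for rid, pri in routers.items() if pri > 0}   # priority 0 = never DR/BDR
    if not eligible:
        return (None, None)

    def best(candidates):
        # highest priority wins, ties broken by the highest router ID
        return max(candidates, key=lambda rid: (eligible[rid], _rid_key(rid)))

    # The DR is not pre-empted: an incumbent keeps the role for as long as it
    # is present; if it disappears the BDR is promoted; only when neither
    # exists does the "best" router win.
    if current_dr in eligible:
        dr = current_dr
    elif current_bdr in eligible:
        dr = current_bdr
    else:
        dr = best(eligible)

    rest = [rid for rid in eligible if rid != dr]
    if not rest:
        return (dr, None)
    bdr = current_bdr if current_bdr in rest else best(rest)
    return (dr, bdr)


# Constructed hub-and-spoke segment like the one in the notes: R1 is the hub
# (assumed priority 100), R2-R4 are the spokes.
HUB = "1.1.1.1"
HUB_PRIORITY = 100
SPOKES = ("2.2.2.2", "3.3.3.3", "4.4.4.4")


def hub_and_spoke(spoke_priority):
    """Everybody comes up at once, every spoke with the given priority."""
    routers = {HUB: HUB_PRIORITY}
    routers.update({s: spoke_priority for s in SPOKES})
    return elect_dr_bdr(routers)


def spoke_boots_first(spoke_priority):
    """A spoke comes up alone and runs the election, then the hub joins."""
    alone = elect_dr_bdr({SPOKES[-1]: spoke_priority})
    routers = {HUB: HUB_PRIORITY}
    routers.update({s: spoke_priority for s in SPOKES})
    return elect_dr_bdr(routers, current_dr=alone[0], current_bdr=alone[1])


if __name__ == "__main__":
    print("spokes priority 0:", hub_and_spoke(0))            # ('1.1.1.1', None)
    print("spokes priority 1, all at once:", hub_and_spoke(1))
    print("spokes priority 1, spoke first:", spoke_boots_first(1))
```

With the spokes at priority 1 and R4 booting first, R4 stays DR even though the hub has priority 100; the hub only becomes BDR, and on a hub-and-spoke Frame Relay segment that is a broken topology until the process is cleared. With priority 0 on the spokes the outcome does not depend on boot order.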
____________________________________________________________________________________________________________________
ISPF
____________________________________________________________________________________________________________________ Incremental SPF is more efficient than the full SPF algorithm, thereby allowing OSPF to converge faster on a new routing topology in reaction to a network event. ____________________________________________________________________________________________________________________
Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:
#sh ip ospf database external 6.0.0.0
            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  LS age: 557
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 6.0.0.0 (External Network Number )
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000003
  Checksum: 0x1286
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 200.1.36.6
        External Route Tag: 0
If you add "no-summary" to this command, LSA3s are filtered, and the default route is advertised instead. You can use the similar approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA, but advertise only the default route on the ABR. In this example the Area 1 is NSSA:
(config-router)#area 1 nssa default-information-originate no-summary
Area 1 (NSSA area) will learn the default route as an LSA 7 (N2):
#sh ip route
...
Gateway of last resort is 205.1.36.3 to network 0.0.0.0

O*N2  0.0.0.0/0 [110/1] via 205.1.36.3, 00:05:21, Serial1/0.63
      1.0.0.0/32 is subnetted, 1 subnets
The default route is injected into the area regardless of whether you use "nssa default-information-originate" or "nssa no-summary" on the ABR. The difference is the route type: "no-summary" produces an inter-area (LSA 3) default, shown as O*IA, while "default-information-originate" produces the LSA 7 default shown above as O*N2.
NSSA NO-SUMMARY:
Gateway of last resort is 10.1.34.3 to network 0.0.0.0
In an MPLS VPN with a backdoor link between the CEs, the backdoor path is always preferred: the routes learned over the backdoor are INTERNAL (intra-area) OSPF routes (O), while the routes that come through the MPLS cloud via MP-BGP are re-originated by the PE as inter-area (O IA) or external (E1/E2) routes, and nothing beats an intra-area route, regardless of the COST or the AD. The way to solve this is the SHAM LINK, designed specifically for this scenario: an intra-area link is created between the PE routers across the MPLS backbone, so that the prefixes learned through the cloud also appear as INTERNAL OSPF routes on the CE routers, and we can then influence the preferred path using the OSPF COST on the interfaces.
STEP 1: Create /32 Loopback interfaces on the PE routers, and put them into the appropriate VRF (the two addresses must differ; they are the sham-link endpoints):
PE1:
(config)#interface Loopback1
(config-if)#ip vrf forwarding CA
(config-if)#ip address 192.168.1.1 255.255.255.255
PE2:
(config)#interface Loopback1
(config-if)#ip vrf forwarding CA
(config-if)#ip address 192.168.1.2 255.255.255.255
STEP 2: Advertise these /32s via the BGP VRF address family on the PEs, so that they are reachable across the MPLS cloud (they must be known through BGP only, NOT through the VRF OSPF process, or the sham link will not come up):
(config-router)#address-family ipv4 vrf CA
(config-router-af)#redistribute ospf 15 vrf CA
(config-router-af)#network 192.168.1.1 mask 255.255.255.255
STEP 3: Create the OSPF SHAM-LINK between the PE routers, with the Loopback1 /32 addresses as SOURCE and DESTINATION (these should already be reachable via BGP). Make sure that a new OSPF adjacency appears between the PEs:
(config)#router ospf 15 vrf CA
(config-router)#area 0 sham-link 192.168.1.1 192.168.1.2 cost 1
*Dec 20 11:59:28.206: %OSPF-5-ADJCHG: Process 15, Nbr 10.1.45.4 on OSPF_SL2 from LOADING to FULL, Loading Done
TIP: Filter these loopbacks from the CUSTOMER's network, so that the sham link (which is a tunnel) isn't routed through the customer's
routers.
STEP 4: The LAST step is to tune the OSPF COST on the backdoor link between the CEs, so that it becomes LESS PREFERRED:
(config-if)#ip ospf cost 500
____________________________________________________________________________________________________________________
OSPF in MPLS
____________________________________________________________________________________________________________________
TIP: Be sure to set the domain-id so that it matches on all PEs of the VPN (by default the domain-id is derived from the OSPF process number, so different process numbers on the PEs would make the routes appear as external instead of inter-area on the other side):
(config)#router ospf 1 vrf VRF_XXX
(config-router)#domain-id 55.55.55.55
____________________________________________________________________________________________________________________
EIGRP
____________________________________________________________________________________________________________________
EIGRP uses IP protocol 88 (no TCP or UDP port); HELLOs are multicast to 224.0.0.10
TIP: When you need to FILTER EIGRP in an extended ACL, match it with "permit eigrp any any"
TIP: "default-information [in|out]" in EIGRP does NOT generate the default route; it only allows an already existing default route to be sent to the neighbor or accepted from it.
The EIGRP timers are configured on the interface towards the EIGRP neighbor. Set the Hello interval and the HOLD time (the equivalent of OSPF's dead timer; unlike OS
PF the timers do not have to match between neighbors, because the hold time is carried in the Hello) for EIGRP process 100:
(config-if)#ip hello-interval eigrp 100 30
(config-if)#ip hold-time eigrp 100 120
____________________________________________________________________________________________________________________
Columns of "show ip eigrp neighbors":
H - the order in which the neighbors were formed, starting from 0
Address - the neighbor's IP
Interface - the interface on which we see the neighbor
Hold - how long we have left before we declare the neighbor down (if no Hello is received)
Uptime - how long since we first learned about the neighbor
SRTT - Smooth Round Trip Time: the time for an EIGRP packet to reach the neighbor and for the ACK to come back
RTO - Retransmission Time-Out: how long before an unacknowledged packet is re-transmitted
Q Cnt - number of packets waiting in the EIGRP transmit queue
Seq Num - sequence number of the last EIGRP packet received from the neighbor
____________________________________________________________________________________________________________________
Metric = [K1*BW + (K2*BW)/(256-Load) + K3*Delay] * [K5/(K4+Reliability)]   (the last factor only applies when K5 is not 0)
where BW = 10,000,000 / (lowest bandwidth on the path, in kbit/s), Delay = (sum of all delays on the path, in usec) / 10, and the result is scaled by 256. With the default K values this simplifies to:
Metric = (10,000,000/LowestPathBW + SumOfDelays/10) * 256
By default K2 = K4 = K5 = 0, so the metric depends on the bandwidth and the delay only. To check the parameters on the interface:
#show interfaces e0/0 | i BW
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec
If you need the EIGRP metric to depend on other values, the command is (ToS should be left 0):
(config-router)#metric weights tos k1 k2 k3 k4 k5
BE CAREFUL when you change this, BECAUSE THE K VALUES MUST MATCH BETWEEN EIGRP NEIGHBORS!!! The following MUST match for 2 routers to become EIGRP adjacent:
- K values
- AS number
- the same L2 data link (the interfaces must be on the same subnet)
- authentication
____________________________________________________________________________________________________________________
The summary route pointing to Null0 is created automatically. Don't worry: EIGRP adds this "discard route" for loop avoidance. Check that it worked:
#show ip route | i summ
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
D        3.0.0.0/8 is a summary, 00:02:52, Null0
If you need finer control, the solution available since 12.3(13) is the LEAK MAP (similar to the suppress-maps in BGP, but it cannot be used under a SUB-interface). If the leak-map references a non-existing route-map, the summary route is advertised and the more specific routes are suppressed. If the route-map exists but references a non-existing ACCESS LIST, both the summary route and the more specific routes are advertised. If the access list also exists, it defines the routes that are advertised IN ADDITION to the summary route! To configure the leak map just attach a route-map to the EIGRP summary command:
(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP
SUB-INTERFACE LEAK MAPS: Since leak maps are not available on sub-interfaces, the workaround is a VIRTUAL TEMPLATE interface. Configure the route summarization and the leak map under it:
(config)#interface Virtual-template 13
(config-if)#ip summary-address eigrp 100 2.2.4.0 255.255.252.0 leak-map ROUTE_MAP
Then assign the virtual template under the SUB-interface (the sub-interface needs to be of MULTIPOINT type, or this will not work):
(config-subif)#no ip address
(config-subif)#frame-relay interface-dlci 103 ppp Virtual-template 13
____________________________________________________________________________________________________________________
Option 1: Configure a static default route and redistribute it into EIGRP
Option 2: Summarize the routes into a default route using the summarization method described above (add a leak map if you wish to
inject other routes besides the default route):
(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 [leak-map ROUTE_MAP]
____________________________________________________________________________________________________________________
VARIANCE Command
____________________________________________________________________________________________________________________
Variance is an EIGRP feature that enables UNEQUAL-cost load balancing. The only condition that needs to be met is that all the paths are in the topology table and MEET THE FEASIBILITY CONDITION (the reported/advertised distance from the neighbor must be lower than the local feasible distance, i.e. the metric of the best path). It's configured in EIGRP configuration mode:
(config-router)#variance 2
This means that it will install the routes with a metric up to 2 times the metric of the best route. If you need more GRANULAR control, or a more precise variance, get the METRICS from the EIGRP TOPOLOGY table:
#show ip ei 400 topology 10.1.56.0/24 | i metric
  Composite metric is (2195456/281600), route is Internal
  Vector metric:
  Composite metric is (319545/281600), route is Internal
  Vector metric:
There are 2 routes, one with metric 2195456 and the other with metric 319545 (the feasible distance), and both meet the feasibility condition (the reported distance 281600 is lower than 319545). To get the VARIANCE you need, divide them and round UP to the next whole number:
2195456/319545 = 6.87 => Variance will be 7!
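As an added example (Python written for these notes, not Cisco code), the classic composite metric, the feasibility condition and the variance calculation from the two passages above, carried through on a constructed topology: three candidate paths to 10.1.56.0/24 via assumed neighbors R5, R6 and R7, with assumed link bandwidths and delays. It also shows the caveat: a path whose reported distance is not below the feasible distance is never installed, no matter how large the variance.

```python
from math import ceil

# Classic EIGRP K values (K1=K3=1, the rest 0): metric from bandwidth and delay only.
DEFAULT_K = (1, 0, 1, 0, 0)


def composite_metric(links, k=DEFAULT_K, load=1, reliability=255):
    """Classic 32-bit EIGRP composite metric over a list of hops.

    links: [(bandwidth_kbit, delay_usec), ...] for every hop to the destination.
    load/reliability are assumed constants; they only matter when K2/K4/K5 are set.
    """
    if not links:
        return 0
    k1, k2, k3, k4, k5 = k
    bw_term = 10_000_000 // min(bw for bw, _ in links)   # scaled inverse of the slowest link
    delay_term = sum(d for _, d in links) // 10          # delays in tens of microseconds
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5 != 0:
        metric = metric * k5 // (k4 + reliability)
    return metric * 256


def topology(paths):
    """paths: {neighbor: [hops...]} from this router to the destination.

    Returns ({neighbor: (metric, reported_distance, feasible)}, feasible_distance).
    The reported distance is what the neighbor itself sees: the same path minus
    our own first hop. A path is feasible when RD < FD (the feasibility condition).
    """
    table = {n: (composite_metric(h), composite_metric(h[1:])) for n, h in paths.items()}
    fd = min(m for m, _ in table.values())
    return {n: (m, rd, rd < fd) for n, (m, rd) in table.items()}, fd


def variance_needed(paths, neighbor):
    """Smallest 'variance N' that installs the path via neighbor; None if infeasible."""
    table, fd = topology(paths)
    metric, _, feasible = table[neighbor]
    return ceil(metric / fd) if feasible else None


def load_shared(paths, variance):
    """Neighbors that end up in the routing table for a given variance."""
    table, fd = topology(paths)
    return sorted(n for n, (m, _, ok) in table.items() if ok and m <= fd * variance)


# Constructed topology for 10.1.56.0/24 (assumed neighbors and link parameters):
#  via R5: T1 serial (1544 kbit, 20000 us), then the destination's 10 Mbit Ethernet
#  via R6: FastEthernet (100000 kbit, 100 us), then the same 10 Mbit Ethernet
#  via R7: FastEthernet, then the T1, then the Ethernet (a longer path through R5)
PATHS = {
    "R5": [(1544, 20000), (10000, 1000)],
    "R6": [(100000, 100), (10000, 1000)],
    "R7": [(100000, 100), (1544, 20000), (10000, 1000)],
}

if __name__ == "__main__":
    table, fd = topology(PATHS)
    for n, (m, rd, ok) in table.items():
        print(f"{n}: metric {m} RD {rd} feasible={ok}")
    print("FD:", fd, "variance for R5:", variance_needed(PATHS, "R5"),
          "for R7:", variance_needed(PATHS, "R7"))
    print("variance 8 installs:", load_shared(PATHS, 8))
```

The 10 Mbit Ethernet hop alone gives 281600, the reported distance seen in the topology output above, and the T1 plus Ethernet path gives 2195456, the first composite metric above. Here the best path (via R6) is 284160, so R5 needs variance 8, while R7 reports a distance above the FD and is never used.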
____________________________________________________________________________________________________________________
EIGRP Authentication
____________________________________________________________________________________________________________________
Like in OSPF, the configuration is done in interface configuration mode. Unlike OSPF, classic EIGRP supports only MD5 authentication (named-mode EIGRP adds HMAC-SHA-256). Both commands are required: the authentication mode and the key chain; there is no default mode, so without "ip authentication mode" the key chain has no effect. The key chain itself is defined globally with "key chain EIGRP_CHAIN". This is an example on a Frame Relay P2P sub-interface:
(config)#interface Serial4/1.25 point-to-point
(config-if)#ip authentication mode eigrp 100 md5
(config-if)#ip authentication key-chain eigrp 100 EIGRP_CHAIN
____________________________________________________________________________________________________________________
To change the maximum number of hops to, for example, 110 (it's 100 by default):
(config-router)#metric maximum-hops 110
#show eigrp protocols | i hop
  Maximum hopcount 110
____________________________________________________________________________________________________________________
Administrative distances: 170 - external EIGRP routes, 90 - internal EIGRP routes, 5 - EIGRP summary routes (the Null0 discard route)
You can lower the AD of the EIGRP external routes if you need them to be preferred over, for example, OSPF, whose AD is 110 for all its routes, externals included:
(config-router)#distance eigrp 90 100   <- internal 90, external 100
____________________________________________________________________________________________________________________
EIGRP Stub
____________________________________________________________________________________________________________________
First a heads up: it's a bit complicated because there are just too many details... subjective impression! The command itself is rather straightforward:
(config-router)#eigrp stub [connected | summary | static | receive-only | redistributed]
You can ALSO use LEAK-MAPS here, like in summarization, to let some subnets out (matched in the route-map). A stub setting never changes what the stub router itself installs; it only restricts what it advertises to its neighbors (and the neighbors, which learn the stub flag from the Hello, stop sending it queries). When the EIGRP process is configured as a stub using "stub connected":
(config-router)#eigrp stub connected
this router keeps all its routes (the summary, if configured, and its static and redistributed routes, because the stub setting doesn't affect the router where it's configured). The EIGRP neighbor(s) will NOT see the summary, static or redistributed routes, ONLY the specific connected routes, BECAUSE ONLY connected routes are advertised. If instead we use "stub summary":
(config-router)#eigrp stub summary
the router keeps the same EIGRP routes in its routing table, and the EIGRP neighbor(s) ONLY see the summary. Now with "stub static" or "stub redistributed":
(config-router)#eigrp stub [static | redistributed]
this router keeps behaving exactly the same, while the EIGRP neighbors ONLY receive the static or the redistributed routes. With "stub receive-only":
(config-router)#eigrp stub receive-only
this router keeps behaving exactly the same, while the EIGRP neighbors stop receiving ANY routes from it. And finally the "eigrp stub" command can be configured without any keywords:
(config-router)#eigrp stub
which is the same as "eigrp stub connected summary": the EIGRP neighbors receive the connected and the summary routes.
____________________________________________________________________________________________________________________
MP-EIGRP
____________________________________________________________________________________________________________________
When configuring an ADDRESS FAMILY within the EIGRP process (e.g. for a VRF), the most important thing to have in mind is to DEFINE THE AS NUMBER AGAIN WITHIN THE AF CONFIGURATION, or the peering will not be established.
(config)#router eigrp 100
(config-router)#no auto-summary
!
(config-router)#address-family ipv4 vrf CA
(config-router-af)#network 4.4.4.4 0.0.0.0
(config-router-af)#network 10.1.45.4 0.0.0.0
(config-router-af)#no auto-summary
(config-router-af)#autonomous-system 200
____________________________________________________________________________________________________________________
PREFIX-LIST ALLOW_ALL, which you can tighten to filter specific incoming PREFIXES:
(config)#ip prefix-list ALLOW_ALL permit 0.0.0.0/0 le 32
Apply it together with a second prefix-list as the GATEWAY filter: the "gateway" prefix-list matches the address of the neighbor that advertises the route, so prefixes are accepted only from the neighbors permitted by NOT_R4 (a prefix-list matching the neighbor addresses, defined separately):
(config-router)#distribute-list prefix ALLOW_ALL gateway NOT_R4 in
____________________________________________________________________________________________________________________
Synchronization is an old loop-prevention mechanism that is no longer used, so there is no need to have it enabled; in newer IOS versions it's disabled by default. It was originally created to prevent BLACK-HOLING traffic through non-BGP routers in the transit path. Basically the SYNC logic is: do not consider an iBGP route in the BGP table BEST (and do not advertise it to eBGP peers) unless the EXACT PREFIX was learned via the IGP and is currently in the routing table.
(config-router)#no synchronization
When adding a new NEIGHBOR, you need to specify their AS Number using the "remote-as":
(config-router)#neighbor 10.1.1.2 remote-as 100
Once you've got the neighbors configured using the "neighbor" command, you should be able to identify the outputs:
(config-router)#do show ip bgp summary | b Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.11.1.1      4   100       9       9        5    0    0 00:05:23        1
100.11.1.3      4   100       9       9        5    0    0 00:05:12        1
100.11.1.4      4   100       8       8        5    0    0 00:04:57        1
(config-router)#do show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i1.0.0.0          10.1.1.1                 0    100      0 i
*> 2.0.0.0          0.0.0.0                  0         32768 i
*>i4.0.0.0          10.1.1.4                 0    100      0 i
* - the entry in the table is valid
> - it's the BEST entry for that prefix
i - learned via iBGP
Network - prefix entry (the mask is assumed when omitted)
Next Hop - next-hop IP (0.0.0.0 means a locally originated prefix)
Metric - the MED attribute
LocPrf - Local Preference, HIGHER IS BETTER, default is 100; it can be changed with "bgp default local-preference"
Weight - Cisco-specific, the No.1 attribute in path determination; locally originated prefixes get 32768, prefixes learned from a neighbor get 0
Path - iBGP-learned prefixes from the local AS show just "i"; otherwise all the BGP AS numbers you need to traverse to get to the prefix (an AS-path segment holds at most 255 AS numbers), followed by the origin code
(config-router)#do show ip bgp   <- CASE OF ONLY eBGP ROUTES
BGP table version is 5, local router ID is 192.168.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  1.0.0.0          10.1.1.1                               0 300 100 i
*                   10.1.1.1                               0 200 100 i
*>                  10.1.1.1                 0             0 100 i
*  2.0.0.0          10.1.1.2                               0 100 200 i
*                   10.1.1.2                               0 300 200 i
*>                  10.1.1.2                 0             0 200 i
*> 3.0.0.0          10.1.1.3                 0             0 300 i
*> 4.0.0.0          0.0.0.0                  0         32768 i
Notice that the PATH is no longer marked "i" for iBGP, but shows the entire AS-PATH (the list of BGP autonomous systems the update passed through to reach us). Also Local Preference is no longer shown as 100 (the default for iBGP-learned routes), because LOCAL_PREF is not carried across eBGP. MED is 0 or BLANK: the MED is set by the originating AS, but when the SAME prefix arrives through another AS the MED value is not propagated (it's a non-transitive attribute), so the column is empty. If you are peering eBGP using the LOOPBACKS, don't forget to use the "ebgp-multihop" command!!!
From Cisco Docs: By design, a BGP routing process expects eBGP peers to be directly connected, for example, over a WAN connection.
However, there are many real-world scenarios where this rule would prevent routing from occurring. Peering sessions for multihop neighbors are configured with the neighbor ebgp-multihop command:
(config-router)#neighbor 2.2.2.2 ebgp-multihop 2
ALTERNATIVE TO MULTIHOP: If loopback interfaces are used to peer single-hop eBGP neighbors (directly connected routers), you can use "neighbor disable-connected-check" instead of ebgp-multihop; it keeps the TTL at 1 and only disables the check that the peer address sits on a directly connected subnet:
(config-router)#neighbor 10.1.12.1 disable-connected-check <- DISABLES THE CONNECTED-SUBNET VERIFICATION
By default "bgp fast-external-fallover" is enabled: the eBGP session is torn down, and its prefixes are withdrawn from the BGP table, immediately when the directly connected interface goes down. If you want the session to survive a short link flap and only drop when the hold timer expires, disable it:
(config-router)#no bgp fast-external-fallover
When you want to strip the PRIVATE AS numbers (64512-65534) from the AS path of the prefixes you advertise to a neighbor:
(config-router)#neighbor 10.1.45.5 remove-private-as
SECURITY in BGP can also be provided by the TTL check (GTSM, RFC 5082), but it's considered LIGHT security: it only stops spoofed packets from far away, not an attacker on the path within the allowed hop count, so combine it with "neighbor ... password" (MD5) authentication. Both peers send their BGP packets with TTL 255, and the receiver only accepts packets whose TTL is at least 255 minus the configured hop count. Let's say the peer is at most 2 hops away (so only TTL 253 or higher is accepted):
(config-router)#neighbor 10.1.45.5 ttl-security hops 2
Also the MAXIMUM AS-PATH LENGTH can be defined, so that updates whose AS path contains more than 20 AS numbers are discarded (a cheap defence against abnormally long, prepended paths):
(config-router)#bgp maxas-limit 20
There is another BGP TUNING, for when you want a prefix advertised to an AS to come back to you from that same AS: (AS 100)-->(AS 200)-->(AS 100). The edge router of AS 100 will reject the update received from AS 200 because it sees its own AS number in the AS-PATH (eBGP LOOP PREVENTION). If you need to override this on your network (e.g. two sites of AS 100 connected through AS 200), the "allowas-in" command disables that check. On the EDGE router of AS 100 towards AS 200 do:
(config-router)#neighbor 100.1.1.100 allowas-in <- WILL ALLOW THE PREFIXES WITH OUR OWN AS IN THE PATH
*This switches off loop detection on that session; limit the number of occurrences with "allowas-in <n>" and filter what you accept from that neighbor.
___________________________________________________________________________________________________________________
BGP Version
____________________________________________________________________________________________________________________ Cisco IOS 12.0 supports BGP versions 2, 3 and 4, but the NEWER IOS versions support ONLY BGP version 4. To change it (on the IOS versions where it's allowed), for example in order to peer with a different vendor's router:
(config-router)#neighbor x.x.x.x version 4
____________________________________________________________________________________________________________________
BGP Peer-Group
____________________________________________________________________________________________________________________ It's a simple concept, just a group of neighbors we want to configure with the same group of parameters. It's defined in 3 steps: Step 1. Define/Configure the Peer Group
(config-router)#neighbor CISQUEROS peer-group
Step 2. Add the individual neighbors into the configured peer group *Be sure to configure the interface used as the UPDATE-SOURCE, using the "neighbor x.x.x.x update-source lo0"
(config-router)#neighbor 2.2.2.2 peer-group CISQUEROS
(config-router)#neighbor 3.3.3.3 peer-group CISQUEROS
Be sure to configure ROUTER-ID Manually using "bgp router-id" command, or you will get this message:
*Nov 23 13:48:02.535: %BGP-4-NORTRID: BGP could not pick a router-id. Please configure manually.
*May 5 10:13:21.395: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down Member added to peergroup
*May 5 10:13:22.283: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up
Both neighbors remain UP! If you CANNOT bring the BGP neighbors UP, use the PHYSICAL IPs. Then both neighbors will appear. Once you've got the peering, you can remove the neighbor added using the physical IP.
Step 3. Apply the set of parameters to the peer group, and the parameters will apply to each of the peers. For example, let's configure the password:
(config-router)#neighbor CISQUEROS password cisco
____________________________________________________________________________________________________________________
Step 3: If you have more groups of neighbors that share some settings (for example the ones defined in the template IBGP) but differ in others, create another template per group and inherit the first template:
(config-router)#template peer-session GROUP_1
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100
(config-router)#template peer-session GROUP_2
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200
Step 4: Apply the LAST defined template to the RELEVANT NEIGHBORS; they inherit the settings of the initial templates as well:
(config-router)#neighbor 1.1.1.1 inherit peer-session GROUP_1
(config-router)#neighbor 2.2.2.2 inherit peer-session GROUP_1
(config-router)#neighbor 3.3.3.3 inherit peer-session GROUP_2
Peer-Policy templates have a similar purpose. The difference is the commands allowed inside (session-level settings vs. policy/filtering settings), and a Peer-Session template CANNOT INHERIT a Peer-Policy template. Also, a neighbor cannot be a peer-group member and use templates at the same time. Here is an example of a peer-policy template:
(config)#router bgp 200
(config-router)#template peer-policy FORCE_SELF_AS_NEXT_HOP
(config-router-ptmp)#next-hop-self
(config-router-ptmp)#exit-peer-policy
____________________________________________________________________________________________________________________
BGP Authentication
____________________________________________________________________________________________________________________ It's configured on PER-NEIGHBOR, or as described in the Previous Post - on the PER-PEER-GROUP basis.
(config-router)#neighbor CISQUEROS password cisco
From Jeff Doyle, ROUTING TCP/IP Vol. 2 (the routing bible in my opinion, even though I hope it gets updated soon, it's been 12 years!): "The IOS uses MD5 authentication when a BGP neighbor password is configured. MD5 is a one-way message digest or secure hash function produced by RSA Data Security, Inc. It also is occasionally referred to as a cryptographic checksum, because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (in this case, a BGP message) and a password. This "fingerprint" is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver's hash value should match the sender's value transmitted with the message. The hash value is impossible to decipher (without a huge amount of computing power) without knowing the password so that an unauthorized router cannot, either maliciously or by accident, peer with a router running neighbor authentication."
Caveat for the practitioner: this is the RFC 2385 TCP MD5 Signature Option. The digest is computed over the TCP segment with the shared key simply appended (a keyed hash, not an HMAC), the key is a static shared secret, and the session itself still runs in cleartext. It protects the session against off-path spoofing, resets and tampering, not against anyone who obtains the key. Use a different key per neighbor, rotate them, and where the platform supports it prefer TCP-AO (RFC 5925).
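How the signature described in the quote is actually computed and checked, as an added example that is not from the book, the notes or IOS. It follows RFC 2385: MD5 over the TCP pseudo-header, the fixed TCP header with checksum zero and options left out, the data, and finally the key. The addresses, ports and the BGP KEEPALIVE payload are constructed; the key is "cisco" from the configuration line above.

```python
# Added example: RFC 2385 TCP MD5 signature option, sign and verify.
# Constructed sample segment; not the notes' or IOS' own code.
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

TCP_PROTO = 6
MD5_OPTION_KIND = 19    # TCP option kind for the MD5 signature
MD5_OPTION_LEN = 18     # kind(1) + length(1) + 16-byte digest
TCP_OPTIONS_LEN = 20    # the option plus two NOPs to pad to a 32-bit boundary
NOP = b"\x01"


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    payload: bytes
    flags: int = 0x18   # PSH|ACK
    window: int = 16384

    def fixed_header(self) -> bytes:
        """The 20-byte header with options left out and the checksum forced to 0."""
        data_offset = (20 + TCP_OPTIONS_LEN) // 4
        return struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, self.ack,
                           data_offset << 4, self.flags, self.window, 0, 0)

    def pseudo_header(self) -> bytes:
        """Source, destination, zero byte, protocol, TCP length (header + options + data)."""
        tcp_len = 20 + TCP_OPTIONS_LEN + len(self.payload)
        return (ipaddress.IPv4Address(self.src_ip).packed
                + ipaddress.IPv4Address(self.dst_ip).packed
                + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_md5_digest(seg: TcpSegment, key: bytes) -> bytes:
    """RFC 2385: MD5(pseudo-header || fixed TCP header || data || key).
    The key is just appended, which is why this is a keyed hash, not an HMAC."""
    h = hashlib.md5()
    for part in (seg.pseudo_header(), seg.fixed_header(), seg.payload, key):
        h.update(part)
    return h.digest()


def sign(seg: TcpSegment, key: bytes) -> bytes:
    """Sender: the TCP options field carrying the signature."""
    return (struct.pack("!BB", MD5_OPTION_KIND, MD5_OPTION_LEN)
            + tcp_md5_digest(seg, key) + NOP * 2)


def verify(seg: TcpSegment, key: bytes, options: bytes) -> bool:
    """Receiver: recompute with the locally configured key, compare in constant time.
    A failing segment is silently dropped, so a peer without the key never completes
    the handshake and a spoofed or altered segment is ignored."""
    if (len(options) < MD5_OPTION_LEN or options[0] != MD5_OPTION_KIND
            or options[1] != MD5_OPTION_LEN):
        return False
    return hmac.compare_digest(options[2:MD5_OPTION_LEN], tcp_md5_digest(seg, key))


# constructed sample: a BGP KEEPALIVE (16 x 0xff marker, length 19, type 4)
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SAMPLE = TcpSegment("10.1.12.1", "10.1.12.2", 179, 41234, 0x1000, 0x2000, KEEPALIVE)
KEY = b"cisco"

if __name__ == "__main__":
    opts = sign(SAMPLE, KEY)
    print(opts.hex(), verify(SAMPLE, KEY, opts), verify(SAMPLE, b"wrong", opts))
```

Because the TCP header, addresses and payload are inside the hash, changing any byte of the segment, or replaying it on a different connection, invalidates the digest; changing the key on one side only (the usual "password mismatch" outage) has the same effect.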
____________________________________________________________________________________________________________________
Route Reflector SERVERS: allowed to learn iBGP routes from their CLIENTS and advertise (reflect) them to other iBGP peers. Towards NON-CLIENT iBGP peers and eBGP peers the RR behaves as a normal BGP speaker; it sends all the BGP updates it would normally send.
Route Reflector CLUSTER - one or more RR servers and their clients. With MULTIPLE clusters, at least one RR in each cluster must be peered with at least one RR in every other cluster (in practice the RRs are fully meshed).
There are 3 implemented LOOP PREVENTION mechanisms:
1. CLUSTER_LIST - every RR prepends its Cluster ID to this path attribute (PA) when it reflects a route, so an RR rejects a route whose CLUSTER_LIST already contains its own Cluster ID. It's similar to the AS_PATH attribute, but instead of ASs it carries a list of CLUSTER IDs.
2. ORIGINATOR_ID - attribute created by the first RR that reflects the route, set to the Router ID of the iBGP peer that injected the route into the AS. A router rejects a route whose ORIGINATOR_ID is its own Router ID, and the RR will not advertise the prefix back to the originator.
3. Only the BEST route is reflected.
The configuration is rather simple and consists of 2 steps:
Step 1: Define the CLUSTER ID on the RR servers (this is NOT MANDATORY: it defaults to the RR's Router ID; set it explicitly, and identically, on redundant RRs that should form one cluster)
(config-router)#bgp cluster-id 3
Step 2: There is a difference between the RR SERVER and RR CLIENT (under the BGP configuration). On RR SERVER configure ALL the clients:
(config-router)#neighbor 172.25.185.22 route-reflector-client
(config-router)#neighbor 172.25.186.59 route-reflector-client
Also make sure that the routes you expect to learn from RR clients look like this:
#sh ip bgp 2.0.0.0/8
BGP routing table entry for 2.0.0.0/8, version 23
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     4
  Local, (Received from a RR-client)
#sh ip bgp 6.6.6.6
BGP routing table entry for 6.0.0.0/8, version 7
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Local
    10.1.46.6 (metric 2) from 10.1.13.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Originator: 6.6.6.6, Cluster list: 1.1.1.1, 4.4.4.4 <- CLUSTER LIST
DON'T forget to remove the iBGP sessions between the CLIENTS, because... well, that's the point of implementing RRs, to decrease the number of iBGP peerings. The Route Reflector "reflects" the routes received from one iBGP peer to the others. In a normal configuration (without route reflectors) the iBGP neighbors must be FULLY MESHED because of the iBGP SPLIT HORIZON rule (a prefix learned from an iBGP peer is NEVER announced to another iBGP peer). Have in mind that a single RR is a single point of failure in the network, so BEST PRACTICE is to have MULTIPLE RR SERVERS and make sure the RR SERVERS are FULLY MESHED with each other.
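The ORIGINATOR_ID and CLUSTER_LIST mechanics described above, as an added example that is not code from the notes. It reflects one update through the constructed topology that matches the show output above (client 6.6.6.6 -> RR 4.4.4.4 -> RR 1.1.1.1 -> client 3.3.3.3) and then runs the loop checks on the result. Router IDs and cluster IDs are the ones in that output; the cluster ID defaults to the router ID as in IOS.

```python
# Added example: route-reflector loop prevention (ORIGINATOR_ID, CLUSTER_LIST).
# Topology is constructed to reproduce the "Cluster list: 1.1.1.1, 4.4.4.4" output.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Update:
    prefix: str
    originator_id: Optional[str] = None                     # set once by the first RR
    cluster_list: List[str] = field(default_factory=list)   # newest cluster first


@dataclass
class Router:
    router_id: str
    cluster_id: Optional[str] = None                  # "bgp cluster-id"; None = router-id
    clients: Set[str] = field(default_factory=set)    # route-reflector-client peers

    def effective_cluster_id(self) -> str:
        return self.cluster_id or self.router_id

    def accept_ibgp(self, upd: Update) -> Tuple[bool, str]:
        """Inbound loop checks on a reflected update."""
        if upd.originator_id == self.router_id:
            return False, "ORIGINATOR_ID is our own router-id"
        if self.effective_cluster_id() in upd.cluster_list:
            return False, "our cluster-id already appears in CLUSTER_LIST"
        return True, "ok"

    def reflect(self, upd: Update, from_peer: str, to_peer: str) -> Optional[Update]:
        """What this RR sends to `to_peer` for the best path learned from `from_peer`.
        None means nothing is sent: plain iBGP split horizon still applies between
        two non-clients, and a route is never reflected back to its sender."""
        if from_peer == to_peer:
            return None
        if from_peer not in self.clients and to_peer not in self.clients:
            return None
        return Update(upd.prefix,
                      originator_id=upd.originator_id or from_peer,
                      cluster_list=[self.effective_cluster_id()] + upd.cluster_list)


def walk_example() -> Update:
    """Client 6.6.6.6 -> RR 4.4.4.4 -> RR 1.1.1.1 (non-client peer) -> client 3.3.3.3."""
    rr4 = Router("4.4.4.4", clients={"6.6.6.6"})
    rr1 = Router("1.1.1.1", clients={"3.3.3.3"})
    learned = Update("6.0.0.0/8")                       # as received from 6.6.6.6
    hop1 = rr4.reflect(learned, "6.6.6.6", "1.1.1.1")   # client -> non-client: reflected
    hop2 = rr1.reflect(hop1, "4.4.4.4", "3.3.3.3")      # non-client -> client: reflected
    return hop2


if __name__ == "__main__":
    u = walk_example()
    print(u)                                            # Originator 6.6.6.6, Cluster list 1.1.1.1, 4.4.4.4
    print(Router("4.4.4.4", clients={"6.6.6.6"}).accept_ibgp(u))   # rejected: own cluster-id
    print(Router("6.6.6.6").accept_ibgp(u))                        # rejected: own originator
```

Note what happens when two RRs that are meant to be redundant get different cluster IDs: each accepts the other's reflected copy of the same route, so the clients end up with two paths and the RRs keep a copy of each other's reflections. Giving them the same "bgp cluster-id" makes the CLUSTER_LIST check discard those duplicates.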
____________________________________________________________________________________________________________________
Note that you will not SEE this route in the routing table while a route to the same prefix with a LOWER (better) Administrative Distance exists; it only gets installed if that route goes away. In the BGP table it carries the "r" (RIB-failure) symbol, meaning BGP was not able to install it in the routing table. By default such a route is still advertised to the BGP peers; "bgp suppress-inactive" under the BGP process stops that.
#sh ip bgp | i 150.1.2
r> 150.1.2.0/24      10.1.13.1      0    100      200 ?
____________________________________________________________________________________________________________________
And ONLY if the condition prefix is NOT in the BGP table do we want to advertise 2.0.0.0.
Step 1: Define the route-maps through ACLs (one for the prefixes to advertise, one for the condition); shown here is the ADVERTISE route-map:
(config)#access-list 1 permit 1.0.0.0
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1
Step 2: Configure the advertise map and the condition under the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE ?
  exist-map      advertise prefix only if prefix is in the condition exists
  non-exist-map  advertise prefix only if prefix in the condition does not exist   <- CHECK THESE OPTIONS
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE non-exist-map CHECK
Intuitively, the advertise-map (ADVERTISE) is the route-map that defines the routes that will be advertised, and they are only advertised when the condition defined in the second route-map (CHECK, the non-exist-map) is NOT satisfied, meaning - when the prefixes matched by CHECK are NOT present in the BGP table. With exist-map it's the other way round: advertise only while the condition prefixes ARE present.
____________________________________________________________________________________________________________________
TIP: Don't forget to define the "set dampening ..." within the route-map configuration, or you will get the following message when checking the parameters:
#sh ip bgp dampening parameters
% dampening reconfiguration in progress for IPv4 Unicast
When you check the BGP prefixes using the "show ip bgp", besides the arguments that appeared so far (*, >, r) there is another "Tag" that can appear, and it's a letter "d", which stands for DAMPENING.
#show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,   <- CHECK THIS LINE
              r RIB-failure, S Stale
From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across an internetwork. A route is considered to be flapping when its availability alternates repeatedly" If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening
If you want to use this feature, make sure you understand the concept of PENALTIES being "awarded" to a route every time it FLAPS, and make sure you're familiar with the PARAMETERS of BGP DAMPENING:
#sh ip bgp dampening parameters
 dampening 15 750 2000 60 (DEFAULT)
  Half-life time      : 15 mins     Decay Time           : 2320 secs
  Max suppress time   : 60 mins     Max suppress penalty : 12000
  Suppress penalty    : 2000        Reuse penalty        : 750
1. HALF-LIFE (default 15 minutes, range 1-45 minutes): the accumulated penalty decays every 5 seconds; once a half-life has expired the accumulated penalty has been reduced by half.
2. REUSE (default 750, range 1-20000): the route becomes REUSABLE (is re-advertised) when its penalty drops BELOW this value.
3. SUPPRESS (default 2000, range 1-20000): the route is SUPPRESSED when its penalty REACHES this value.
4. MAX-SUPPRESS-TIME (default 4 times the half-life, i.e. 60 minutes, range 1-255 minutes): the maximum time a route can STAY SUPPRESSED. It also sets the penalty ceiling shown as "Max suppress penalty" above: reuse x 2^(max-suppress-time / half-life) = 750 x 2^4 = 12000 with the defaults. If you tune the values so that this ceiling 
ends up below the suppress limit, the route can never be suppressed at all.
If you need to configure the BGP DAMPENING for a certain routes, use the ROUTE-MAP:
(config)#route-map DAMPEN_1
(config-route-map)#match ip address 15 <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL
(config-route-map)#set dampening 15 700 2000 60 <- SET DESIRED DAMPENING PARAMETERS
*Parameters can be defined directly under the BGP process ("bgp dampening 15 700 2000 60"), or within the route-map like here; the route-map is then attached with "bgp dampening route-map DAMPEN_1".
This configuration can get quite complicated, so you might need to MATCH THE AS-PATH, for this you need to be quite comfortable with META CHARACTERS, so for example match prefixes originated in AS 300:
(config)#ip as-path access-list 15 permit ^300$
And then MATCH it in the route-map and SET the dampening parameters:
(config)#route-map DAMPEN_2
(config-route-map)#match as-path 15
(config-route-map)#set dampening 15 700 2000 60
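The penalty arithmetic behind "bgp dampening 15 750 2000 60", as an added example that is not code from the notes or from IOS. It adds 1000 per flap (IOS's penalty for a withdrawal), decays with the half-life, caps at the "Max suppress penalty" ceiling, and reports when the route gets suppressed and when it becomes reusable again. IOS decays the penalty in 5-second steps; this model uses the continuous half-life formula, so its numbers differ from the router's by a few seconds. The flap times are constructed.

```python
# Added example: BGP route dampening penalty model (defaults 15 750 2000 60).
# Continuous decay instead of IOS' 5-second steps; flap timings are constructed.
import math


def max_suppress_penalty(reuse: int, max_suppress_min: int, half_life_min: int) -> float:
    """'Max suppress penalty' from show ip bgp dampening parameters:
    reuse * 2^(max-suppress-time / half-life); 750 * 2^(60/15) = 12000 by default."""
    return reuse * 2 ** (max_suppress_min / half_life_min)


def can_ever_suppress(reuse: int, suppress: int, max_suppress_min: int, half_life_min: int) -> bool:
    """Misconfiguration check: if the ceiling is below the suppress limit,
    no amount of flapping will ever suppress the route."""
    return max_suppress_penalty(reuse, max_suppress_min, half_life_min) >= suppress


def decay(penalty: float, elapsed_s: float, half_life_min: int) -> float:
    """Exponential decay: the penalty halves every half-life."""
    return penalty * 0.5 ** (elapsed_s / (half_life_min * 60))


class DampenedRoute:
    """Penalty bookkeeping for one prefix, times in seconds."""

    FLAP_PENALTY = 1000  # IOS: 1000 per withdrawal, 500 per attribute change

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        self.half_life, self.reuse, self.suppress = half_life, reuse, suppress
        self.ceiling = max_suppress_penalty(reuse, max_suppress, half_life)
        self.penalty, self.last_t, self.suppressed = 0.0, 0.0, False

    def _advance(self, t: float) -> None:
        self.penalty = decay(self.penalty, t - self.last_t, self.half_life)
        self.last_t = t
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False         # reuse limit crossed: route re-advertised

    def flap(self, t: float) -> float:
        """Record a flap at time t; returns the new penalty."""
        self._advance(t)
        self.penalty = min(self.penalty + self.FLAP_PENALTY, self.ceiling)
        if self.penalty >= self.suppress:
            self.suppressed = True          # suppress limit reached: 'd' in show ip bgp
        return self.penalty

    def is_suppressed_at(self, t: float) -> bool:
        self._advance(t)
        return self.suppressed

    def seconds_until_reuse(self) -> float:
        if not self.suppressed:
            return 0.0
        return self.half_life * 60 * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    r = DampenedRoute()
    for t in (0, 10, 20):                   # three withdrawals within 20 seconds
        print(t, round(r.flap(t)), r.suppressed)
    print("reusable in ~%d s" % r.seconds_until_reuse())
```

Two flaps 10 seconds apart stay just under 2000, the third pushes the route over the suppress limit, and with a 15-minute half-life it then takes about 30 minutes for the penalty to fall below 750. The ceiling is what bounds that wait: a route that flapped continuously sits at 12000 and needs the full max-suppress-time (four half-lives) to recover.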
____________________________________________________________________________________________________________________
*If you need to UNSUPPRESS some of the prefixes hidden by the summary route, the "unsuppress-map" is applied PER NEIGHBOR. Another way to get the summary into BGP is to create a STATIC ROUTE to Null0 and advertise it using the "network" command. ATOMIC_AGGREGATE is an attribute assigned AUTOMATICALLY to the aggregate route when the "as-set" argument is NOT used in the "aggregate-address" command (AS-SET keeps, as an unordered set, the AS numbers the component routes were originated from, so AS-PATH loop detection still works for them). Additional arguments (route-maps) are a bit complicated, so you need to know exactly what each one is for:
Suppress-map - suppresses the component prefixes PERMITTED by the route-map/ACL (prefixes DENIED by it are still advertised next to the aggregate). The reverse (UNSUPPRESS with the
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
*IMPORTANT: Do not forget to actually SEND the community to the neighbor, or your configuration will not work!!!
(config-router)#neighbor x.x.x.x send-community
You can of course apply the BGP community attributes in the INBOUND or OUTBOUND direction with a route-map; "set community" REPLACES the existing value unless you add the "additive" keyword. Besides the well-known community values, you can also assign arbitrary community numbers and use them later as BGP TAGS.
Extended community attributes are used to configure, filter and identify routes for virtual routing and forwarding (VRF) instances and Multi-protocol Label Switching (MPLS) Virtual Private Networks (VPNs). COST is an example of an EXTENDED COMMUNITY attribute. It allows you to customize the local route preference and in that way influence the best-path selection. It's configured under the route-map:
(config-route-map)#set extcommunity cost ?
  <0-255>       Community ID
  igp           Compare following IGP cost comparison
  pre-bestpath  Compare before all other steps in bestpath calculation   <-CHECK THIS OUT!!!
____________________________________________________________________________________________________________________
You can increase the MAXIMUM PATHS number and install 2 (or more) eBGP paths in the routing table. The paths must tie on all the best-path attributes down to the IGP metric (same weight, local preference, AS-PATH length, origin and MED, and by default they must come from the SAME neighboring AS):
(config-router)#maximum-paths 2
And make sure the routing table has been updated (happens immediately):
#sh ip route bgp
B    10.1.23.0/24 [20/0] via 10.1.13.3, 00:00:04
                  [20/0] via 10.1.12.2, 00:00:04
UNEQUAL COST BALANCING: when you wish to load balance in proportion to each exit link's bandwidth. This feature is used together with BGP MULTIPATH: the border router advertises the bandwidth of its external link to the iBGP peers as an EXTENDED COMMUNITY (so "send-community extended" is needed towards those peers). The configuration is somewhat weird:
Step 1: Enable DMZLINK-BW (under the address family) ON THE BORDER AND THE INTERNAL ROUTERS:
(config-router)#bgp dmzlink-bw
Step 2: On the border router, configure BGP to include the bandwidth of the external interface in the extended community, per eBGP neighbor:
(config-router)#neighbor 10.1.1.2 dmzlink-bw
BE SURE the neighbor is a SINGLE-HOP eBGP PEER, or you will get the message:
%BGP: Propagation of DMZ-Link-Bandwidth is supported only for single-hop EBGP peers
____________________________________________________________________________________________________________________
You can do pretty granular control here using the AS-PATH ACCESS LISTS. You do need basic knowledge of the regex META characters for this. For example, to match only the prefixes ORIGINATED by the directly connected AS 65505 (the AS-PATH contains exactly that one AS):
(config)#ip as-path access-list 10 permit ^65505$ <-you can go wild with the filters
*to match every prefix that merely PASSES THROUGH AS 65505 (anywhere in the path) use _65505_ instead. The AS-PATH ACL can also be applied to a neighbor as a FILTER-LIST:
(config-router)#neighbor 172.25.185.45 filter-list 10 in
After this you just match this condition in the route-map in order to set some parameter later:
(config-route-map)#match as-path 10
____________________________________________________________________________________________________________________
And apply the route-map to a neighbor in the INBOUND direction (prefixes coming IN, meaning - are announced by that neighbor):
router bgp 65535
 neighbor 172.21.12.2 remote-as 64500
 neighbor 172.21.12.2 route-map SET_WEIGHT in
Or you can simply apply the WEIGHT attribute to the neighbor directly:
router bgp 65535
 neighbor 172.21.12.2 remote-as 64500
 neighbor 172.21.12.2 weight 500
____________________________________________________________________________________________________________________
*BE CAREFUL with the second command, the TAB key will not work and the "?" will not show you the "as-path" option
By default a MISSING MED is treated as the BEST one, because most IOS versions assume the value 0 for it. To change this, so that a missing MED is treated as the WORST (infinite) value:
(config-router)#bgp bestpath med missing-as-worst <- Treat the undefined MED as the WORST
____________________________________________________________________________________________________________________
4. LOCAL PREFERENCE
____________________________________________________________________________________________________________________ It's used to PREFER AN EXIT POINT out of the LOCAL BGP AS; it's exchanged between iBGP peers only and never sent to eBGP peers. Bigger is Better, DEFAULT: 100. There are 2 ways to configure the LOCAL PREFERENCE
The same effect is achieved by defining a ROUTE-MAP that sets the Local Preference and applying it OUTBOUND towards the iBGP neighbor:
(config-router)#nei 10.1.34.4 route-map LOCPREF_PREFIXESRM out
*configuration similar to the one explained below, within Way 2.
Step 2: Define a ROUTE-MAP to match the PREFIX (prefix-list LOCPREF_PREFIXES) and SET THE LOCAL PREFERENCE (in this case 500):
(config)#route-map LOCPREF_PREFIXESRM permit 10
(config-route-map)#match ip address prefix-list LOCPREF_PREFIXES
(config-route-map)#set local-preference 500
Step 4: Soft-clear the BGP sessions INBOUND (re-applies the inbound policy without tearing the sessions down) and check the BGP table:
#clear ip bgp * in
#sh ip bgp | i 1.0.0.0
   Network          Next Hop
*>i1.0.0.0          10.1.14.1
BE CAREFUL WITH THE NEXT HOP!!! Routes learned from eBGP keep the external next hop when they are passed to iBGP peers, so if the iBGP neighbor cannot reach the IP in the Next Hop column, do this:
(config-router)#neighbor 10.1.34.4 next-hop-self <-POINT TO ME TO REACH ALL THE PREFIXES I KNOW AND YOU DON'T
The alternative is a ROUTE-MAP applied to the neighbor that alters the next hop ("set ip next-hop"). ____________________________________________________________________________________________________________________
DISTRIBUTE LIST: You need to define the ACL and apply it in the form of a distribute list (remember the implicit deny at the end of the ACL, so permit the rest):
(config)#access-list 1 deny 172.12.25.0 0.0.0.255
(config)#access-list 1 permit any
(config-router)#neighbor 5.5.5.5 distribute-list 1 in
PREFIX LIST: You define the PREFIX list, and apply the same prefix list to the BGP neighbor
(config-router)#neighbor 5.5.5.5 prefix-list PREF_LIST in
____________________________________________________________________________________________________________________
^[0-9]+$ - all the prefixes from DIRECTLY CONNECTED ASs (meaning - they have only 1 AS in the AS-PATH)
BEFORE CREATING THE AS-PATH ACL: if you want to STOP using the recursive regex algorithm, in order to be able to evaluate more complex regular expressions deterministically:
(config-router)#bgp regexp deterministic
Now you can actually DISPLAY the prefixes that match your condition in the AS-PATH before defining the AS-PATH ACL:
#show ip bgp regexp REGULAR_EXPRESSION
*There is a TRICK here; you need to add a MEMORY location (a capture group) where you temporarily place the result, so instead of the expression ^300$ you would have to type:
#show ip bgp regexp (^300$)(_\1)*$
You can also display what a filter list would pass before applying it to the neighbor:
#show ip bgp filter-list 1
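A way to test AS-PATH regular expressions offline before committing an "ip as-path access-list", as an added example that is not code from the notes. IOS's "_" metacharacter (matches a space, comma, brace, parenthesis, or the start or end of the path) has no Python equivalent, so the helper below translates it; the BGP table is a constructed sample in the format of the Path column of "show ip bgp", without the origin code. The filter covers the expressions used in this chapter (^65505$, _65505_, ^[0-9]+$, ^$, _300$) and anything else in the same syntax.

```python
# Added example: evaluate IOS-style AS_PATH regexps against a constructed BGP table.
import re
from typing import List, Tuple

# "_" in an IOS as-path regexp: space, comma, {, }, (, ), or the start/end of the path
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_as_path_regex(expr: str) -> "re.Pattern":
    """Translate an IOS as-path regexp into a Python one."""
    return re.compile(expr.replace("_", UNDERSCORE))


def match_as_path(expr: str, as_path: str) -> bool:
    """True if the AS_PATH string (e.g. "100 65505 200", "" for local) matches.
    Like IOS, this is a search, so the expression must be anchored to be exact."""
    return ios_as_path_regex(expr).search(as_path) is not None


def filter_table(expr: str, table: List[Tuple[str, str]]) -> List[str]:
    """'show ip bgp regexp EXPR' equivalent: prefixes whose AS_PATH matches."""
    return [prefix for prefix, path in table if match_as_path(expr, path)]


# constructed sample table: (prefix, AS_PATH as displayed by show ip bgp)
BGP_TABLE = [
    ("1.0.0.0/8", ""),                # locally originated: empty AS_PATH
    ("2.0.0.0/8", "300"),
    ("3.0.0.0/8", "300 65505"),
    ("4.0.0.0/8", "65505"),
    ("5.0.0.0/8", "100 65505 200"),
    ("6.0.0.0/8", "3300"),            # must NOT match _300$ or ^300_
]

if __name__ == "__main__":
    for expr in ("^65505$", "_65505_", "^[0-9]+$", "^$", "_300$", "^300_"):
        print(f"{expr:10s} -> {filter_table(expr, BGP_TABLE)}")
```

The "3300" entry is the reason "_" exists: ".*300$" would happily match it, "_300$" does not.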
____________________________________________________________________________________________________________________
BGP Confederations
____________________________________________________________________________________________________________________ The BGP Confederation Identifier is used to present a GROUP OF SMALL (sub-)ASs as a SINGLE AS to the outside world. It's used to reduce the iBGP mesh. On ALL the routers within ALL the sub-ASs issue the command:
(config-router)#bgp confederation identifier 250
Once the identifier is configured, on every router that peers with another sub-AS list the sub-ASs it peers with (this command is not needed on routers without confederation-eBGP peers):
(config-router)#bgp confederation peers 65505 65409 65111 <-DEFINE THE OTHER SUB-ASs WITHIN THE CONFEDERATION, BUT NOT THE LOCAL ONE
A router OUTSIDE the confederation creates the NEIGHBOR using the CONFEDERATION IDENTIFIER AS THE REMOTE AS:
(config-router)#neighbor 10.1.45.4 remote-as 250
Check the BGP table on that outside router and make sure all the prefixes appear sourced by the VIRTUAL AS 250 (the sub-AS numbers are stripped at the confederation border):
(config-router)#do sh ip bgp
BGP table version is 14, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network      Next Hop     Metric LocPrf Weight Path
*> 1.0.0.0      10.1.45.4         0             0 250 i
*> 2.0.0.0      10.1.45.4         0             0 250 i
*> 3.0.0.0      10.1.45.4         0             0 250 i
*> 4.0.0.0      10.1.45.4         0             0 250 i
*> 5.0.0.0      0.0.0.0           0         32768 i
____________________________________________________________________________________________________________________
Make sure you're checking for the neighbors under the VPNv4 UNICAST address family:
#sh bgp vpnv4 unicast all summary
BGP router identifier 4.4.4.4, local AS number 65001
BGP table version is 1, main routing table version 1
Neighbor    V    AS     MsgRcvd  MsgSent  TblVer  State/PfxRcd
3.3.3.3     4    65001  19       19       1       0
When you have various VRFs on the router, and you're configuring the BGP peering with the CLIENT router within the VRF assigned to that client, note 2 things:
1. A separate IPv4 VRF address family exists under BGP. The BGP PEERING with the CLIENT is configured under that specific AF:
router bgp 65001
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 65001
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CLIENT_VRF    <-AUTOMATICALLY CREATED AF UNDER BGP
  neighbor 10.1.45.5 remote-as 65015   <-ADD PEERING WITH THE CLIENT
  neighbor 10.1.45.5 activate          <-COMMAND ADDED AUTOMATICALLY STARTING FROM 12.4
  no synchronization
 exit-address-family
2. On the CLIENT side you will NOT LEARN the BGP routes announced by the other CEs of the same client when they use the same AS number, due to the LOOP PREVENTION mechanism implemented in BGP (an update that carries our own AS in the AS-PATH is rejected). To change this behavior, on the client's CE do:
(config-router)#neighbor 10.1.45.4 allowas-in ?
  <1-10>  Number of occurrences of AS number   (I RECOMMEND NOT TO EXAGGERATE, SO - ONLY 1!)
Another way would be to OVERRIDE the AS number on the PE. This way the PE replaces the CE's AS number in the AS-PATH with its own AS before advertising to that CE:
(config-router-af)#neighbor 10.1.13.1 as-override
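The AS-PATH loop check that "allowas-in" relaxes and "as-override" works around, as an added example that is not code from the notes or from IOS. It serves both the (AS 100)-->(AS 200)-->(AS 100) case from the BGP tuning section and the CE/PE case above: the constructed scenario is CE-A (AS 65015) -> PE1 (AS 65001) -> PE2 -> CE-B (also AS 65015), and the AS numbers are the ones in the configuration above.

```python
# Added example: eBGP AS_PATH loop detection, allowas-in and as-override.
# AS numbers and paths are constructed; not the notes' own code.
from typing import List, Tuple


def loop_check(as_path: List[int], local_as: int, allowas_in: int = 0) -> Tuple[bool, str]:
    """Default eBGP inbound rule: an UPDATE whose AS_PATH already contains our own AS
    is a routing loop and is dropped. 'allowas-in N' accepts it while our AS appears
    at most N times; every extra occurrence you allow is loop detection you give up."""
    seen = as_path.count(local_as)
    if seen > allowas_in:
        return False, f"AS {local_as} appears {seen}x in AS_PATH (allowed {allowas_in})"
    return True, "ok"


def as_override(as_path: List[int], ce_as: int, pe_as: int) -> List[int]:
    """PE-side 'as-override': before sending to a CE, rewrite every occurrence of the
    CE's AS with the PE's own AS, so the CE's default loop check never fires."""
    return [pe_as if asn == ce_as else asn for asn in as_path]


def send_ebgp(as_path: List[int], local_as: int) -> List[int]:
    """Egress to an eBGP peer: prepend the local AS (AS 200 above does exactly this,
    it performs no loop check of its own on the way out)."""
    return [local_as] + as_path


def mpls_vpn_example(allowas_in: int = 0, override: bool = False) -> Tuple[bool, List[int]]:
    """CE-A (AS 65015) -> PE (AS 65001) -> CE-B (AS 65015): does CE-B accept the route,
    and what AS_PATH did it see?"""
    ce_as, pe_as = 65015, 65001
    path = send_ebgp([], ce_as)                      # CE-A originates: [65015]
    if override:
        path = as_override(path, ce_as, pe_as)       # PE rewrites 65015 -> 65001
    path = send_ebgp(path, pe_as)                    # PE prepends its own AS towards CE-B
    accepted, _ = loop_check(path, ce_as, allowas_in)
    return accepted, path


if __name__ == "__main__":
    print(mpls_vpn_example())                        # (False, [65001, 65015])
    print(mpls_vpn_example(allowas_in=1))            # (True, [65001, 65015])
    print(mpls_vpn_example(override=True))           # (True, [65001, 65001])
```

The difference between the two fixes is where the trust sits: with allowas-in the CE decides to tolerate its own AS (and a real loop with one extra occurrence would now be accepted too), with as-override the PE hides it and the CE keeps its default check intact.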
____________________________________________________________________________________________________________________
RIP: the metric is HOP COUNT, so if you want the next router NOT to use a route, set its metric to 16 (infinity):
(config-route-map)#set metric 16
!!!NOTE that RIP will not advertise a route if it didn't make it into the ROUTING TABLE
OSPF: you might need to TUNE THE ADMINISTRATIVE DISTANCE:
(config-router)#distance 150 3.3.3.3 0.0.0.0 10 <- 150 is the new AD for routes from the router with RID 3.3.3.3; 10 is an OPTIONAL ACL selecting the prefixes
The DISCARD ROUTE is a route to Null0 injected automatically when we SUMMARIZE in OSPF, for LOOP PREVENTION. To remove it:
(config-router)#no discard-route [internal | external] <- INTERNAL for ABR summaries, EXTERNAL for ASBR summaries
HAVE IN MIND that the SOURCE IP and the SOURCE PROTOCOL of a route can be matched within route-maps. "match ip route-source" matches the advertising router; in OSPF that is not the NEXT HOP but the Router-ID of the router that ORIGINATED the PREFIX:
(config-route-map)#match ip route-source 4 <- ACL 4 matches the Router-ID
Also the SOURCE PROTOCOL can be matched, when we want to keep certain protocols' prefixes out of the routing table:
(config-route-map)#match source-protocol ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  eigrp      Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis       ISO IS-IS
  mobile     Mobile routes
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes
  <cr>
EIGRP: the COMPOSITE METRIC is matched as a range, given as a MIDDLE value and a DEVIATION. For metrics between 22222 and 44444: METRIC = (22222 + 44444)/2 = 33333, DEVIATION = (44444 - 22222)/2 = 11111. So when you're MATCHING THE EIGRP METRIC within the route-map:
(config-route-map)#match metric 33333 +- 11111
QoS
____________________________________________________________________________________________________________________
QoS TIPS
____________________________________________________________________________________________________________________
TIP: When you need to MAXIMIZE EFFICIENCY on a Serial link, use COMPRESS PREDICTOR or COMPRESS STACKER (STACKER is more CPU consuming but needs less MEMORY, PREDICTOR the other way around). It's configured on the interface:
(config-if)#compress predictor | stacker
TIP: Shape AVERAGE - the normal mode, a token bucket at the configured rate. Shape ADAPTIVE - the rate is lowered when a congestion notification is received, like a BECN on Frame Relay:
(config-pmap-c)#shape ?
  adaptive    Enable Traffic Shaping adaptation to BECN
  average     configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]], send out Bc only per interval
  fecn-adapt  Enable Traffic Shaping reflection of FECN as BECN
If legacy shaping is needed on a Frame Relay link, enable it DIRECTLY ON THE INTERFACE AND configure the rest of the required parameters within the map-class:
(config-if)#frame-relay traffic-shaping
____________________________________________________________________________________________________________________
If you want to check how the traffic is reaching the router from the configured switch interface, create a class-map on the ROUTER matching the DSCP or CoS values you are interested in, put it in a policy-map (QoS_test) and apply it INBOUND:
(config)#class-map cos2
(config-cmap)#match cos 2
And apply the policy to the interface directly connected to the switch that marks the traffic:
(config-if)#service-policy input QoS_test
To check:
#show policy-map interface Fa0/1.100
 FastEthernet0/1.100
  Service-policy input: QOS_IN
    Class-map: COS1 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps   <--- LOAD INTERVAL is 5 minutes by default, can be changed ON THE INTERFACE
      Match: cos 1
    Class-map: COS2 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0 bps
      Match: cos 2
    Class-map: COS4 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 4
    Class-map: COS5 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 5
And now:
#show policy-map interface FastEthernet0/1
 Service-policy input: MATCHES
   Class-map: DSCP10 (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps   <--- TA-DAAAAA
     Match: ip dscp af11 (10)
Make sure you have "mls qos trust cos" OR "mls qos cos override" configured on the switch port, otherwise the switch resets the marking on ingress!
#show mls qos interface GigabitEthernet 3/0/2
GigabitEthernet3/0/2
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
If you want all the traffic going out of a port to be marked with a particular IP precedence (or DSCP) value, use "class-default":
(config)#policy-map SET-ALL-5
(config-pmap)#class class-default
(config-pmap-c)#set ip precedence 5
____________________________________________________________________________________________________________________
This map re-marks DSCP 1 to DSCP 60; all the other DSCP values are left unchanged.
Step 3: Check that "mls qos trust dscp" has been applied to the port, it's a must (the mutation map only acts on ports that trust DSCP). Apply the mutation map to the physical interface:
(config-if)#mls qos dscp-mutation MUTATION_NAME
Note that for this to work, DSCP REWRITE has to be enabled globally on the switch (*IT IS ENABLED BY DEFAULT):
(config)#mls qos rewrite ip dscp <--- DISABLE IT WITH "no ..." IF YOU NEED "mls qos" ENABLED BUT DON'T WANT THE SWITCH TO RE-MARK TRAFFIC (E.G. TO 0 ON UNTRUSTED PORTS)
Check if it "worked":
#show mls qos map dscp-mutation
Dscp-dscp mutation map (D1D2 = VALUE OF DSCP):
MUTATION_NAME:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 60 02 03 04 05 06 07 08 09   <--- HERE, D1:D2=0:1 (DSCP 1) MUTATES TO 60
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
INDIVIDUAL POLICER: basic, one policer per CLASS that matches a DSCP value. AGGREGATE POLICER: one policer shared by several classes, defined globally with "mls qos aggregate-policer" and referenced from the policy-map:
(config)#mls qos aggregate-policer AGGREG 500000 25000 exceed-action drop
(config)#policy-map CISQUEROS
(config-pmap)#class DSCP10 <--- REPEAT FOR ALL THE CLASSES THAT SHOULD SHARE THE AGGREGATE POLICER
(config-pmap-c)#police aggregate AGGREG
____________________________________________________________________________________________________________________
A QUEUE LIST (custom queueing) defines !!!17 QUEUES!!! (the system queue 0 plus user queues 1-16). All user queues have the SAME WEIGHT by default and are serviced ROUND ROBIN. Queue 0 is the System (priority) queue, emptied before the others (IP routing UPDATES do NOT go here!!! only L2 keepalives and neighbor discovery):
(config)#queue-list 1 protocol http 4
(config)#queue-list 1 protocol ip 3 tcp telnet
(config)#queue-list 1 protocol ip 6 udp tftp
(config)#queue-list 1 default 5
#show queueing custom
Current custom queue configuration:
List   Queue  Args
1      5      default
1      4      protocol http
1      3      protocol ip tcp port telnet
1      6      protocol ip udp port tftp
Also the BANDWIDTH can be allocated to each of the queues using the "byte-count" parameter (the number of bytes taken from the queue in each round):
(config)#queue-list 1 queue 1 byte-count 1500
____________________________________________________________________________________________________________________
Reserved queues   0   0
Link queues       8   8
Priority queues   1   1
____________________________________________________________________________________________________________________
The RECEIVER receives the PATH MESSAGE and forms the RESERVATION MESSAGE (RSVP Reservation Request), which is propagated upstream along exactly the same route the Path message took. Each ROUTER on the PATH either ACCEPTS or REJECTS the RSVP Reservation Request, based on its RESOURCES. The SENDER receives the RESERVATION MESSAGE and is ready to start the transmission. First, on the interfaces along the path (SOURCE and DESTINATION side) reserve the BW:
(config-if)#ip rsvp bandwidth 400 180 <--- 400 = TOTAL RESERVABLE BW (kbps) ON THE INTERFACE, 180 = MAX BW FOR A SINGLE RESERVATION (FLOW)
The reservation styles:
ff   Single Reservation (fixed filter)
se   Shared Reservation, Limited Scope (shared explicit)
wf   Shared Reservation, Unlimited Scope (wildcard filter)
(config)#ip rsvp reservation-host 10.1.112.2 10.1.112.1 tcp 0 0 ff rate 10 5 <-RECEIVER WITH SINGLE RESERVATION
DEBUG RSVP:
*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Refresh RESV, req=659606AC, refresh interval=30000mSec [cleanup timer is not awake]
*Aug 22 15:54:23.323: RSVP 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Sending Resv message to 10.1.112.1
*Aug 22 15:54:33.595: RSVP (on FastEthernet0/0) 10.1.112.1_0->10.1.112.2_0[0.0.0.0]: Received Path message from 10.1.112.1
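The Path/Resv exchange with per-hop admission control, as an added example that is not code from the notes or from IOS. Each hop carries the two values of "ip rsvp bandwidth <total> <single-flow>"; the Path message records the route from sender to receiver, the Resv message walks it back and every hop admits the flow only if it fits in both limits. A rejection undoes the reservations already made downstream (what a ResvErr achieves on the router, where the soft state would otherwise time out). The router names, bandwidths and flow rates are constructed; the router list is assumed to be in sender-to-receiver order.

```python
# Added example: RSVP admission control along a constructed path.
# Units are kbps as in "ip rsvp bandwidth 400 180".
from typing import List, Optional, Tuple


class RsvpRouter:
    """One hop with 'ip rsvp bandwidth <total> <single-flow>'."""

    def __init__(self, name: str, total_kbps: int, single_flow_kbps: int):
        self.name, self.total, self.single = name, total_kbps, single_flow_kbps
        self.reserved = 0

    def admit(self, rate_kbps: int) -> bool:
        """Admission control performed when the Resv message arrives at this hop."""
        if rate_kbps > self.single or self.reserved + rate_kbps > self.total:
            return False
        self.reserved += rate_kbps
        return True

    def release(self, rate_kbps: int) -> None:
        self.reserved -= rate_kbps


def rsvp_session(routers: List[RsvpRouter], rate_kbps: int) -> Tuple[bool, List[str], Optional[str]]:
    """Path: sender -> receiver, records the route. Resv: receiver -> sender along
    that route, each hop admits or rejects. Returns (reserved?, recorded route,
    name of the rejecting hop or None)."""
    recorded_route = [r.name for r in routers]            # carried in the Path message
    for i in range(len(routers) - 1, -1, -1):              # Resv walks the route backwards
        hop = routers[i]
        if not hop.admit(rate_kbps):
            for downstream in routers[i + 1:]:             # ResvErr: undo partial reservation
                downstream.release(rate_kbps)
            return False, recorded_route, hop.name
    return True, recorded_route, None


if __name__ == "__main__":
    path = [RsvpRouter("R1", 400, 180), RsvpRouter("R2", 400, 180)]
    print(rsvp_session(path, 180))     # (True, ['R1', 'R2'], None)
    print(rsvp_session(path, 180))     # (True, ['R1', 'R2'], None): 360 of 400 used
    print(rsvp_session(path, 180))     # (False, ['R1', 'R2'], 'R2'): would exceed 400
    print(rsvp_session(path, 200))     # (False, ['R1', 'R2'], 'R2'): above single-flow limit
```

The second limit is the one people forget: with "ip rsvp bandwidth 400 180" a 200 kbps flow is refused even on an idle interface.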
____________________________________________________________________________________________________________________
IPv6 QoS
____________________________________________________________________________________________________________________ "match ip precedence" ONLY matches IPv4, not IPv6. If you want IPv4 AND IPv6 to be matched, use "match precedence" (the same goes for "match ip dscp" vs. "match dscp"). ___________________________________________________________________________________________________________________
Be careful, because if you match the SOURCE MAC ("match source-address mac") you won't be able to apply the service-policy OUTBOUND!!! Therefore, create a MAC ACL matching the address and match the ACCESS-GROUP instead.
____________________________________________________________________________________________________________________
Shaping is used only to "spread" the queue; it adds delay and jitter, but it doesn't cause drops unless the entire queue is full. For LEGACY FRTS to be implemented, frame-relay traffic shaping must be enabled first on the interface:
(config-if)#frame-relay traffic-shaping
#show traffic-shape   <--- SHOW THE FR TRAFFIC SHAPING
Interface   Se0/1/0
       Access Target    Byte   Sustain   Excess    Adapt
VC     List   Rate      Limit  bits/int  bits/int  Active
103           56000     875    7000      0         -
104           56000     875    7000      0         -
102           56000     875    7000      0         -
AR, or AIR - Access Rate: max number of bits that can be sent by the router (actual interface speed)
CIR - Average Speed, Target Rate
Mincir - TELCO DEFINED CIR (Contracted Rate, Guaranteed by the Provider; the DE bit is set in the frames above this rate)
Bc - Committed Burst, by default CIR/8 because the default Tc is 125ms (Bc = CIR x Tc)
!!!Magic Formula is Bc = CIR x 1.5s because the RTT is on average ~1.5 seconds over big networks
Be - Number of NON-COMMITTED bits accepted by the Frame-Relay switch. If Be is not configured in Class-Based FRTS - it's equal to Bc
For granular QoS Frame Relay control - use the MAP CLASS:
(config)#map-class frame-relay FRTS
(config-map-class)#frame-relay ?
  adaptive-shaping   Adaptive traffic rate adjustment, Default = none
  bc                 Committed burst size (Bc), Default = 7000 bits
  be                 Excess burst size (Be), Default = 0 bits
  cir                Committed Information Rate (CIR), Default = 56000 bps
  congestion         Congestion management parameters
  custom-queue-list  VC custom queueing
  end-to-end         Configure frame-relay end-to-end VC parameters
  fair-queue         VC fair queueing
  fecn-adapt         Enable Traffic Shaping reflection of FECN as BECN
  fragment           fragmentation - Requires Frame Relay traffic-shaping to be configured at the interface level
  holdq              Hold queue size for VC
  idle-timer         Idle timeout for a SVC, Default = 120 sec
  interface-queue    PVC interface queue parameters
  ip                 Assign a priority queue for RTP streams
  mincir             Minimum acceptable CIR, Default = CIR/2 bps
  priority-group     VC priority queueing
  tc                 Policing Measurement Interval (Tc)
  traffic-rate       VC traffic rate
  voice              voice options
2. Legacy Frame-Relay Traffic Shaping (for FR it's the MOST USED method)
Normally you do something like this:
map-class frame-relay FRTS
 frame-relay cir 64000                <-- AVERAGE BW
 frame-relay mincir 32000             <-- MINIMUM GUARANTEED BW
 frame-relay adaptive-shaping becn    <-- Turn on ADAPTIVE shaping, with BECN marking indicating congestion
 frame-relay bc 8000                  <-- CIR*1/8
 frame-relay be 16000                 <-- Depends on the requirements
Now, STILL in Frame-Relay the ONLY WAY TO APPLY IS THROUGH THE MAP-CLASS:
(config)#map-class frame-relay FRTS
(config-mc)#service-policy out FRTS
(config-if)#frame-relay interface-dlci 102
(config-fr-dlci)#class FRTS
#show policy-map interface s0/1/0
 Serial0/1/0: DLCI 201
  Service-policy output: TASK2
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
           64000/64000      1000   8000      0         125       1000        <--- SHAPING ATTRIBUTES
        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        BECN   0         0         0         0         0         no
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
HEADER COMPRESSION:
(config-subif)#frame-relay ip tcp header-compression ?
  passive  Compress for destinations sending compressed headers   <--- COMPRESS ONLY IF THE RECEIVED TRAFFIC IS COMPRESSED
  <cr>
You can also configure RTP Header Compression, not only TCP:
(config-if)#frame-relay map ip 162.1.0.3 403 broadcast rtp header-compression
____________________________________________________________________________________________________________________
- Only 75% of the BW can be defined (can be changed with the "max-reserved bandwidth" command)
- To define the Fair Queuing:
(config-pmap-c)#fair-queue [1024] <-1024 is the number of Dynamic Conversation Queues
____________________________________________________________________________________________________________________
QoS LLQ (Low Latency Queuing) - "priority" and "priority percent" command
____________________________________________________________________________________________________________________
LLQ introduces STRICT PRIORITY to CBWFQ. Unlike PRIORITY-QUEUING it uses ONLY 1 priority QUEUE and does NOT starve the other classes.
"priority 256" ensures that all traffic UP TO 256kbps is SERVED FIRST. The LLQ scheduler only kicks in WHEN THERE IS CONGESTION (when the Tx ring is FULL), so in non-congested situations this class CAN USE MORE BW!!!
"priority" - Guarantees the BW; during congestion the traffic exceeding it is DROPPED. It can also be defined as a percentage using the command "priority percent X".
You can define the BURST in bytes, because for VoIP traffic for example it's much better to burst in small packets:
(config-pmap-c)#priority 128000 6400 <-Bc is 6400 BYTES
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
(3750 is the BURST, and IT'S IN BYTES not bits!!! Consult the proctor about this!)
#show interface Fa0/0 rate-limit <-- Check the PARAMETERS
____________________________________________________________________________________________________________________
NBAR (match protocol XXX) - if you need to match the port without the ACL
____________________________________________________________________________________________________________________
The QoS policy can also be applied in order to filter the traffic of some protocol. For example, if you want to filter on the URL of the HTTP request, first define the class map where you match the protocol HTTP and the URL:
(config)#class-map match-all FILTER_HTTP
(config-cmap)#match protocol http url *.mp3|*.avi   <-- THIS WILL FILTER ALL THE MP3 AND AVI FILES VIA HTTP
CEF must be enabled to run NBAR!!!
(config)#ip cef
The first time it will take some time to MATCH the PROTOCOL as NBAR is DOWNLOADING the PDLMs (Signature Files) into memory, but after that it goes faster.
IMPORTANT: If the Bc isn't specified - it will use CIR/32 or 1500 Bytes (whichever is HIGHER!!!) with Tc = 250 ms
SINGLE RATE - SINGLE BUCKET: Be is DISABLED (if it's configured, the system will ignore it)
BURST: Minimal Amount:
(config-pmap-c)#police 10000000 bc ?
  <1000-512000000>  Burst bytes   <--- so 1000 is the MINIMAL BURST
  conform-action    action when rate is less than conform burst
  pir               Peak Information Rate
  <cr>
(config-pmap-c)#police 10000000 bc 1000 conform-action transmit exceed-actio$
Conform burst size increased to 5000   <--- SETS IT TO THE MINIMUM DEPENDING ON THE BW
____________________________________________________________________________________________________________________
(config-pmap-c)#random-detect precedence 4 24 40 10
Mark probability denominator means one in how many packets are dropped. So, by the time there are 40 packets in the queue ONE IN EVERY 10 PACKETS will be dropped if the mark probability denominator has a value of 10. *To configure RED, rather than WRED, use the same parameters for each precedence
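The drop curve behind that random-detect line, as an added Python example (not from the original notes): min threshold 24, max threshold 40, mark probability denominator 10, and the IOS default averaging exponent of 9. The second precedence profile and the queue-depth samples are constructed.

```python
"""WRED drop decision for 'random-detect precedence 4 24 40 10'.

Added example, not from the original notes.  The three numbers are the
min threshold (24), max threshold (40) and mark probability denominator
(10) from the command above; the EWMA weight is the IOS default exponent 9.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_th: int   # below this average depth nothing is dropped
    max_th: int   # at this average depth 1 in 'denom' packets is dropped
    denom: int    # mark probability denominator


# constructed table: precedence 4 as in the command above, precedence 0 is an
# example value; plain RED would give every precedence the same tuple
WRED_TABLE = {4: WredProfile(24, 40, 10), 0: WredProfile(16, 40, 10)}
RED_TABLE = {prec: WredProfile(24, 40, 10) for prec in range(8)}


def drop_probability(avg_depth: float, p: WredProfile) -> float:
    """Probability of dropping the next packet at a given average queue depth."""
    if avg_depth < p.min_th:
        return 0.0
    if avg_depth > p.max_th:
        return 1.0            # above the max threshold: tail drop everything
    ramp = (avg_depth - p.min_th) / (p.max_th - p.min_th)
    return ramp / p.denom     # linear from 0 at min_th to 1/denom at max_th


def ewma_depth(prev_avg: float, current_depth: int, weight_exp: int = 9) -> float:
    """Average queue depth: avg = old * (1 - 2^-n) + current * 2^-n."""
    w = 2.0 ** -weight_exp
    return prev_avg * (1.0 - w) + current_depth * w


def should_drop(precedence: int, avg_depth: float, table, rng) -> bool:
    """Look up the profile for the precedence; unprofiled precedences are never RED-dropped here."""
    prof = table.get(precedence)
    if prof is None:
        return False
    return rng.random() < drop_probability(avg_depth, prof)


def run_queue(arrivals, table, seed=7):
    """Feed constructed (precedence, instantaneous depth) samples through the
    averaging and the drop decision; return the number of drops per precedence."""
    rng = random.Random(seed)
    avg = 0.0
    drops = {}
    for prec, depth in arrivals:
        avg = ewma_depth(avg, depth)
        if should_drop(prec, avg, table, rng):
            drops[prec] = drops.get(prec, 0) + 1
    return drops
```

Because the average is smoothed with a 1/512 weight, a short burst barely moves it: the first samples of a sustained overload are still admitted before the average crosses the thresholds.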
WAN
____________________________________________________________________________________________________________________
Frame-Relay TIPS
____________________________________________________________________________________________________________________
TIP: Make sure KEEPALIVEs are ENABLED on a Frame-Relay interface!!!
The MODE of operation of the EEK (End-to-End Keepalive) requests can be configured within the map-class:
(config)#map-class frame-relay KEEPALIVE
(config-map-class)#frame-relay end-to-end keepalive mode ?
  bidirectional  Set bidirectional mode
  passive-reply  Set passive-reply mode
  reply          Set unidirectional reply mode
  request        Set unidirectional request mode
TIP: When you want to configure one interface to be another's BACKUP, just do this command on the primary interface:
(config-subif)#backup interface Serial 0/1/1
*Jan 12 18:23:49.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to down
(config-subif)#backup delay 0 300   <-CONFIGURE A 5 MINUTE PREEMPT DELAY
____________________________________________________________________________________________________________________
To configure traffic SHAPING on a Frame Relay interface, you can use the MQC, CBTS or, simplest, the Legacy MAP-CLASS:
(config)#map-class frame-relay R4_504
 frame-relay cir 512000
 frame-relay bc 25600
 frame-relay be 76800                                        <-SPECIAL ATTENTION WHEN CONFIGURING Be!!!
 frame-relay mincir 384000
 frame-relay adaptive-shaping interface-congestion
*Be is a BURST sent when enough CREDIT has been accumulated. This still means that Bc and Be together cannot exceed the PHYSICAL INTERFACE RATE (AIR) => (Bc+Be) x Tc <= AIR
(config)#map-class frame-relay R3_513
 frame-relay cir 128000
 frame-relay bc 6400
 frame-relay be 0                                            <-YOU HAVE TO SET IT TO 0 IF NO BURST IS ALLOWED
 frame-relay mincir 96000
 frame-relay adaptive-shaping [interface-congestion | becn]  <-BE SURE WHAT YOU'RE ASKED TO DO HERE
*BECN is a CONGESTION NOTIFICATION telling the senders to slow down their SENDING RATE, so if you set BECN here this router will engage the SHAPING feature upon receiving the BECN flag in a frame.
Then apply it on the INTERFACE, or directly to the DLCI:
(config-if)#frame interface-dlci 513
(config-fr-dlci)#class R3_513
(config-if)#frame-relay interface-dlci 504
(config-fr-dlci)#class R4_504
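A runnable model of the map-class arithmetic above (Tc = Bc/CIR, the Bc+Be ceiling against the access rate, and BECN-driven adaptive shaping down to mincir), added here as an example and not part of the original notes. The AIR values, the 25% step-down and the CIR/16 step-up are assumptions of the model, not the exact IOS algorithm.

```python
"""Frame Relay traffic-shaping arithmetic as a runnable model.

Added example, not from the original notes.  It checks a legacy map-class
the way the notes describe it (Tc = Bc / CIR; Bc + Be must fit into what
the access rate AIR can carry in one Tc) and runs a token-bucket shaper
with BECN-driven adaptive shaping down to mincir.  The 25% step-down and
CIR/16 step-up are assumptions of this model, not the exact IOS timings.
"""
from dataclasses import dataclass


@dataclass
class FrMapClass:
    cir: int      # committed information rate, bps
    bc: int       # committed burst per Tc, bits
    be: int       # excess burst, bits (0 = no burst allowed)
    mincir: int   # provider-guaranteed floor for adaptive shaping, bps
    air: int      # physical access rate of the interface, bps (assumed)

    @property
    def tc_ms(self) -> float:
        """Measurement interval Tc = Bc / CIR (the default Bc = CIR/8 gives 125 ms)."""
        return self.bc * 1000 / self.cir

    def validate(self) -> list:
        """Return human-readable problems; an empty list means the class is sane."""
        problems = []
        if not 0 < self.mincir <= self.cir:
            problems.append("mincir must be between 0 and CIR")
        if self.cir > self.air:
            problems.append("CIR exceeds the physical access rate (AIR)")
        # what the wire can carry in one Tc is the hard ceiling for Bc + Be
        per_tc_capacity = self.air * self.bc / self.cir
        if self.bc + self.be > per_tc_capacity:
            problems.append(
                f"Bc+Be ({self.bc + self.be} bits) exceeds what AIR carries in one Tc "
                f"({per_tc_capacity:.0f} bits)")
        return problems


class Shaper:
    """Token bucket for one DLCI.  Bc tokens are refilled every Tc; the Be
    credit only accumulates from Bc left unused in earlier intervals."""

    def __init__(self, mc: FrMapClass):
        self.mc = mc
        self.rate = mc.cir              # current shaped rate, adapts on BECN
        self.tokens = mc.bc             # bits still allowed in this Tc
        self.credit = 0                 # saved-up excess credit, capped at Be

    def new_interval(self, becn_seen: bool) -> None:
        """Start the next Tc: adapt the rate first, then refill the bucket."""
        if becn_seen:                   # congestion upstream: back off toward mincir
            self.rate = max(self.mc.mincir, int(self.rate * 0.75))
        else:                           # no BECN: creep back up toward CIR
            self.rate = min(self.mc.cir, self.rate + self.mc.cir // 16)
        self.credit = min(self.mc.be, self.credit + self.tokens)
        self.tokens = self.rate * self.mc.bc // self.mc.cir   # rate x Tc, in bits

    def send(self, bits: int) -> int:
        """Return how many bits may leave now; the remainder stays queued (shaping never drops)."""
        allowed = min(bits, self.tokens + self.credit)
        from_bc = min(allowed, self.tokens)
        self.tokens -= from_bc
        self.credit -= allowed - from_bc
        return allowed


if __name__ == "__main__":
    # the two map-classes from the notes, on an assumed 2048 kbps access line
    r4 = FrMapClass(cir=512000, bc=25600, be=76800, mincir=384000, air=2048000)
    print("R4_504 Tc =", r4.tc_ms, "ms, problems:", r4.validate())
    r3 = FrMapClass(cir=128000, bc=6400, be=0, mincir=96000, air=2048000)
    s = Shaper(r3)
    print("first Tc sends", s.send(10000), "of 10000 bits")
    s.new_interval(becn_seen=True)
    print("after BECN the rate is", s.rate, "and the next Tc sends", s.send(10000))
```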
____________________________________________________________________________________________________________________
On SPOKE Routers:
interface Serial1/0
 ip address 10.1.100.2 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 10.1.100.4 201   <--- NO NEED FOR "broadcast" TO OTHER HUBS, it creates extra traffic
 frame-relay map ip 10.1.100.3 201
 frame-relay map ip 10.1.100.2 201
 frame-relay map ip 10.1.100.1 201 broadcast
 no frame-relay inverse-arp
!!! Don't forget to check THE CONTROLLER on the interface, and see if we are DTE or DCE
#show controllers s1/0
If we are DCE - the CLOCK RATE NEEDS TO BE SET or the VC will not transition into UP/UP.
LMI - Keepalives in Frame Relay, you can see them:
#show frame-relay lmi | i Status
  Invalid Status Message 0             Num Status Enq. Sent 108
  Invalid Lock Shift 0                 Num Status msgs Rcvd 108
____________________________________________________________________________________________________________________
POINT-TO-POINT SUB-INTERFACE:
____________________________________________________________________________________________________________________
- No need to disable Inverse ARP, as it's a P2P link so it's disabled by default
- Only define an INTERFACE DLCI, because it's a direct connection
interface Serial1/0.21 point-to-point
 ip address 10.1.12.2 255.255.255.0
 frame-relay interface-dlci 201

#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
          status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast
          status defined, active
Serial1/0.14 (up): point-to-point dlci, dlci 104(0x68,0x1880), broadcast
          status defined, active
____________________________________________________________________________________________________________________
POINT-TO-MULTIPOINT SUB-INTERFACE:
____________________________________________________________________________________________________________________
- Configure the DLCI-to-IP mapping, without broadcast
____________________________________________________________________________________________________________________
(config-if)#frame-relay interface-dlci 102 ppp Vir
(config-if)#frame-relay interface-dlci 102 ppp Virtual-Template ?
  <1-200>  Virtual-Template interface number
And only assign the IP Address (L3) to the Virtual Template interface:
interface Virtual-Template1 ip address 10.1.100.1 255.255.255.0
Now on the Routing Table the INJECTED HOST ROUTES can be found:
#show ip route
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.100.0/24 is directly connected, Virtual-Access1
L       10.1.100.1/32 is directly connected, Virtual-Access1
C       10.1.100.2/32 is directly connected, Virtual-Access1
____________________________________________________________________________________________________________________
On the other side of the P2P link, configure USERNAME as CHAP HOSTNAME:
(config)#username R1 password 0 cisco12
____________________________________________________________________________________________________________________
(config-map-class)#frame-relay end-to-end keepalive mode ?
  bidirectional  Set bidirectional mode            <--- BOTH SIDES REPLY AND REQUEST
  passive-reply  Set passive-reply mode
  reply          Set unidirectional reply mode     <--- THE OTHER SIDE REQUESTS, THIS SIDE REPLIES
  request        Set unidirectional request mode   <--- THIS SIDE REQUESTS, THE OTHER SIDE REPLIES
Once the MAP CLASS has been defined, apply under DLCI on the SUB-INF:
(config-map-class)#int s1/0.21
(config-subif)#frame-relay interface-dlci 201
(config-fr-dlci)#class FREEK   <--- APPLY THE DEFINED MAP CLASS
*Aug 17 13:47:13.179: %FR_EEK-5-FAILED: Interface Serial1/0.21 - DLCI 201

End-to-end Keepalive Statistics for Interface Serial1/0 (Frame Relay DTE)
  DLCI = 102, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK DOWN)
  SEND SIDE STATISTICS
    Send Sequence Number: 7,          Receive Sequence Number: 4
    Configured Event Window: 3,       Configured Error Threshold: 2
    Total Observed Events: 9,         Total Observed Errors: 3
    Monitored Events: 3,              Monitored Errors: 3
    Successive Successes: 0,          End-to-end VC Status: DOWN
  RECEIVE SIDE STATISTICS
    Send Sequence Number: 3,          Receive Sequence Number: 2
    Configured Event Window: 3,       Configured Error Threshold: 2
    Total Observed Events: 8,         Total Observed Errors: 3
    Monitored Events: 3,              Monitored Errors: 3
    Successive Successes: 0,          End-to-end VC Status: DOWN
    Failures Since Started: 1,        Last Failure: 00:00:16
Once the FREEK has been applied to BOTH SIDES, the VC goes "UP" (both SEND and RECEIVE side). DEBUG FREEK:
#debug frame-relay end-to-end keepalive events
Frame-relay EEK events debugging is on
*Aug 17 13:51:42.775: EEK SUCCESS (reply, Serial1/0.12 DLCI 102)
*Aug 17 13:51:44.063: EEK SUCCESS (request, Serial1/0.12 DLCI 102)
____________________________________________________________________________________________________________________
FRAME-RELAY MULTILINKING
____________________________________________________________________________________________________________________
If you need 2 LINKS to appear as ONE FRAME RELAY LINK => use PPP MULTILINK. This might seem a bit illogical in the beginning, but once you've been through it a few times you get the philosophy of it. This feature is also used when you need to implement features not supported natively on Frame Relay, such as Authentication or fragmentation schemes.
Start by creating a MULTILINK INTERFACE, and define it as PPP Multilink:
(config)#interface multilink 12
(config-if)#ppp multilink
Define the MAX and MIN number of links within the MULTILINK, if you want:
(config-if)#ppp multilink links maximum 2
(config-if)#ppp multilink links minimum 1
Now, create a VIRTUAL-TEMPLATE interface and assign the created MULTILINK GROUP to it:
(config)#interface virtual-template 12
(config-if)#ppp multilink group 12
Lastly create the MULTIPOINT sub-interface, and connect it to the VIRTUAL TEMPLATE:
(config)#inter serial 1/0.12 multipoint   <--- ON ALL THE INTERFACES WE WANT "MULTILINKED"
(config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 12
*If you want AUTHENTICATION, be sure to configure it under the VIRTUAL TEMPLATE interface:
(config)#int Virtual-Template23
(config-if)#ppp authentication chap
NO FRAME RELAY SWITCH: If there is NO FRAME RELAY SWITCH, THERE IS NO LMI, so KEEPALIVE needs to be DISABLED!!!
- DLCI should be identical on both sides
- clock rate HAS TO BE SET ON THE DCE SIDE
____________________________________________________________________________________________________________________
FRAME-RELAY AUTO-INSTALL
____________________________________________________________________________________________________________________
A router is a BOOTP server by default, unless the feature has been turned off. So if you need a FR interface to get its IP address from a remote server, use "ip helper-address" and POINT IT TO THE BROADCAST address:
(config-if)#ip helper-address 172.28.185.255
IP Multicast
____________________________________________________________________________________________________________________
Multicast TIPS
____________________________________________________________________________________________________________________
TIP: On Frame-Relay, besides "pim sparse-mode" configure "ip pim nbma-mode". This way there will not be a pseudo broadcast to detect PIM neighbors and multicast sources. Each node will be treated as a P2P connection, and it's done ONLY on the interfaces that should RECEIVE from ONE and SEND to ANOTHER PIM Neighbor on the SAME INTERFACE.
TIP: Use the interface commands "ip multicast boundary ACL" and "ip pim neighbor-filter ACL" to filter out IGMP Groups and PIM Neighbors.
TIP: To LIMIT the OUTBOUND Multicast RATE on the interface, in this example to 1Mbps, use the command:
(config-if)#ip multicast rate-limit out 1000
REMINDER:
SHARED TREE - The traffic goes to the RP first
SOURCE BASED TREE - The traffic is sent directly to the Multicast clients
If you need to define the BW limit to switch to the SOURCE BASED TREE:
(config)#ip pim spt-threshold 128
____________________________________________________________________________________________________________________
Multicast - IGMP
____________________________________________________________________________________________________________________
Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address. The sending host inserts the multicast group address into the IP destination address field. Any host, regardless of whether it is a member of a group, can send to a group. However, only the members of a group receive the message.
IOS supports the following protocols to implement IP multicast routing:
1. IGMP - used between hosts on a LAN and routers on that LAN to track the multicast groups of which hosts are members.
2. PIM (Protocol Independent Multicast) - used between routers so that they can track which multicast packets to forward to each other and to their directly connected LANs.
3. DVMRP (Distance Vector Multicast Routing Protocol) - used on the MBONE (the multicast backbone of the Internet). The software supports PIM-to-DVMRP interaction.
4. CGMP (Cisco Group Management Protocol) - performs tasks similar to IGMP
PIM DENSE mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network. In dense mode, a router assumes that all other routers want to forward multicast packets for a group. If a router receives a multicast packet and has no directly connected members or PIM neighbors present, a prune message is sent back to the source. *Dense mode is not often used and its use is not recommended.
PIM SPARSE mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network segments with active receivers that have EXPLICITLY requested the data will receive the traffic. Sparse mode interfaces are added to the multicast routing table only when periodic Join messages are received from downstream routers, or when a directly connected member is on the interface. If a group has no known RP and the interface is configured to be sparse-dense mode, the interface is treated as if it were in dense mode, and data is flooded over the interface.
____________________________________________________________________________________________________________________
DENSE MODE - Sends to ALL unless a Prune Message is received from the DOWNSTREAM ROUTER
SPARSE MODE - Sends ONLY if the downstream router JOINS the Multicast Group using the IGMP Protocol
IGMP operates between the client computer and a local multicast router. Switches featuring IGMP snooping derive useful information by observing these IGMP transactions. Protocol Independent Multicast (PIM) is then used between the local and remote multicast routers, to direct multicast traffic from the multicast server to many multicast clients. Once you decide which Multicast mode you will be configuring, the configuration is rather simple.
STEP 1: Enable Multicast Routing on the Device:
(config)#ip multicast-routing
STEP 2: Configure the PIM MODE on the Interface (or a range), in this case we're doing PIM DENSE MODE:
(config-if-range)#ip pim dense-mode
STEP 3: Check the MULTICAST ROUTING Table NOTE that when PIM is enabled, IGMP is ALSO ENABLED!!!
#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 00:17:16/00:02:23, RP 0.0.0.0, flags: DCL   <-AUTOMATICALLY GENERATED WHEN PIM IS ENABLED
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet0/0, Forward/Dense, 00:17:16/00:00:00
STEP 4: IMPORTANT: Neither of the following 2 commands is needed if the APPLICATION supports IGMP!!! If you want the host to JOIN a specific MULTICAST GROUP, you can do it with 2 similar commands:
(config-if)#ip igmp join-group 224.1.1.1<-RESPONDS TO PING, EXPIRE TIMER WILL SHOW "STOPPED"
(ICMP: This device will respond to pings to 224.1.1.1, THROUGH THE RPF-FREE PATH) OR
(config-if)#ip igmp static-group 224.1.1.1<-STATIC MEMBERSHIP,IT WILL CAUSE UPSTREAM ROUTERS TO MAINTAIN MROUTE TABLE
*static-group cannot respond to PINGs, it doesn't cause the devices to process multicast packets themselves. Instead they just FORWARD the packets out the interface. ALSO "static-group" command will cause the device to FAST-SWITCH the group, not like with "join-group" command where the groups are PROCESS SWITCHED.
#sh ip igmp membership | b Uptime
Channel/Group          Reporter        Uptime    Exp.    Flags   Interface
*,224.1.1.1            0.0.0.0         00:01:23  stop    2SA     Fa0/0
*,224.0.1.39           136.1.245.5     1d17h     02:53   2A      Se0/1/0
*,224.0.1.40           136.1.245.2     2d03h     02:43   2LA     Se0/1/0
If you want to send some QUERY messages before the Router stops forwarding Multicast Traffic:
(config-if)#ip igmp last-member-query-count 2        <-SEND 2 QUERY MESSAGES
(config-if)#ip igmp last-member-query-interval 500   <-SEND QUERIES EVERY 500ms
Another interesting setting within the mroute table is the NUMBER OF STATE CHANGES (it can be configured on the interface, or in global config mode):
(config-if)#ip igmp limit 3
Have in mind that PIM-SM actually builds 2 TREES: the UNIDIRECTIONAL SPT (Shortest Path Tree) from the SOURCE to the RP and the UNIDIRECTIONAL SHARED TREE from the RP to the RECEIVERS. Remember that the SOURCE BASED TREE is the DEFAULT type, and it's rooted at the SOURCE of the Multicast Stream, while the SHARED TREE is where all the packets are sent to the RP first, and then redistributed to the receivers.
____________________________________________________________________________________________________________________
PRUNING
PIM-DM keeps a timer on a PRUNED INTERFACE, and when the timer expires multicast traffic flows again, until a new PRUNE message is received from a DOWNSTREAM router. You can change how often the CONTROL PACKET is sent down its PRUNED INTERFACE:
(config-if)#ip pim state-refresh origination-interval 60
____________________________________________________________________________________________________________________
*If the override keyword is not specified and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static group-to-RP mappings.
*Dec 14 19:45:20.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
#sh ip pim rp map
PIM Group-to-RP Mappings
Acl: 1, Static
    RP: 1.1.1.2 (?)
Group(s): 224.0.0.0/4, Static   <-WHEN ACL IS NOT SPECIFIED; BEST PRACTICE: CONFIGURE AN ACL WITH THE GROUPS TO DENY
    RP: 1.1.1.3 (?)
If two RPs have an OVERLAPPING SCOPE of Groups - the HIGHER SOURCE IP WINS
____________________________________________________________________________________________________________________
The criteria for determining the DR on the subnet are similar to OSPF:
- Choose the router with the HIGHEST DR PRIORITY (default is 1)
- If the priorities are the same - choose the router with the highest IP address
To change the DR priority, go to the interface configuration:
(config-if)#ip pim dr-priority 100
To FILTER and not become NEIGHBOR with certain IPs, use the "ip pim neighbor-filter 1", where 1 is an ACL.
(config-if)#ip pim neighbor-filter 1
____________________________________________________________________________________________________________________
*If the interfaces have been configured in SPARSE-DENSE mode, there is no need to manually configure the listener. You can configure 2 Routers as the RP and have them ANNOUNCE themselves as the RPs, and aside from them you would have the MAPPING AGENT who will COLLECT the announcements and DECIDE THE REAL RP. Auto-RP Configuration requires you to define the CANDIDATE RP and the MAPPING AGENT before you get into the configuration.
STEP 1: Configure the CANDIDATE-RP, so that the RP can announce itself as the RP to the other routers. The destination for these announcements is by default 239.0.1.39. SCOPE CAN BE USED TO LIMIT THE RANGE THE RP IS ANNOUNCED.
(config)#ip pim send-rp-announce Loopback0 scope 2 group-list 1
*SCOPE defines the TTL, and 1 is the ACL for the Multicast Groups you want the RP to announce
STEP 2: ALL routers receive the announcements; ONLY MAPPING AGENT will process them. Configure the MAPPING AGENT, that will PROCESS the RP announce messages and decide RP to Group mapping. If there are more than one RPs, the one with HIGHEST SOURCE IP wins and gets announced.
(config)# ip pim send-rp-discovery lo1 scope 31
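The DR election and the Auto-RP mapping-agent rules above, as an added Python example (not from the original notes): highest dr-priority then highest IP for the DR, highest source IP for an overlapping RP scope. The neighbor addresses and announcements are constructed, and the longest-prefix lookup in rp_for_group is an assumption of the model.

```python
"""PIM DR election and Auto-RP mapping-agent RP selection.

Added example, not from the original notes.  Implements the two selection
rules the notes give: DR = highest dr-priority, then highest IP address;
Auto-RP = for a given group range the candidate RP with the highest source
IP wins.  The longest-prefix lookup in rp_for_group is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class PimNeighbor:
    address: str
    dr_priority: int = 1        # IOS default; changed with 'ip pim dr-priority'


def elect_dr(neighbors):
    """Highest DR priority wins; equal priorities -> highest IP address."""
    return max(neighbors, key=lambda n: (n.dr_priority, IPv4Address(n.address)))


@dataclass(frozen=True)
class RpAnnounce:
    rp: str          # candidate RP address, the source of the RP-Announce
    groups: str      # group range carried in the announce, e.g. '224.0.0.0/4'


def mapping_agent_select(announces):
    """Mapping agent: per announced range keep the RP with the highest source IP."""
    best = {}
    for ann in announces:
        rng = IPv4Network(ann.groups)
        cur = best.get(rng)
        if cur is None or IPv4Address(ann.rp) > IPv4Address(cur.rp):
            best[rng] = ann
    return {str(rng): ann.rp for rng, ann in best.items()}


def rp_for_group(group, mappings):
    """Most specific matching range wins (assumption); None if no RP covers the group."""
    g = IPv4Address(group)
    covering = [IPv4Network(r) for r in mappings if g in IPv4Network(r)]
    if not covering:
        return None
    return mappings[str(max(covering, key=lambda r: r.prefixlen))]


if __name__ == "__main__":
    # constructed topology: three PIM neighbors on one subnet, two RPs announcing the same range
    lan = [PimNeighbor("10.1.1.1", 100), PimNeighbor("10.1.1.2"), PimNeighbor("10.1.1.3")]
    print("DR:", elect_dr(lan).address)               # 10.1.1.1, priority beats address
    anns = [RpAnnounce("1.1.1.2", "224.0.0.0/4"), RpAnnounce("1.1.1.3", "224.0.0.0/4")]
    print("mappings:", mapping_agent_select(anns))   # {'224.0.0.0/4': '1.1.1.3'}
```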
The other routers within the domain will learn the RP IP address with the Mapping Agent as the Source:
#sh ip pim rp mapp | i RP|source
  RP 1.1.1.4 (?), v2v1
    Info source: 1.1.1.5 (?), elected via Auto-RP
If you want to LIMIT (FILTER) WHERE the RP announcements are forwarded, define the MULTICAST BOUNDARY on the interface towards that HOST, and add the known Auto-RP Multicast IP 224.0.1.40 to ACL 1:
(config)#access-list 1 deny host 224.0.1.40
(config-if)#ip multicast boundary 1
*NOTE that the DEAD TIMER is 3 minutes, so you have to be patient here
When you're filtering the MULTICAST GROUPS you're announcing to the other hosts, use ANNOUNCE-FILTER:
(config)#ip pim rp-announce-filter group-list 6 <-6 IS THE ACL OF ANNOUNCE DESTINATIONS
FILTERING of the RP Announcements can be done using the RP-LIST, BUT WATCH OUT, THESE HAVE THE OPPOSITE LOGIC:
(config)# ip pim rp-announce-filter rp-list 4 [group-list 5]<-ACL 4 PERMITS the RPs that will NOT be advertised!!!
*GROUP-LIST is ACL with MULTICAST GROUPS for which you DONT want this RP to be advertised
You can set the ROUTER to SWITCH to the SPT (shortest path tree) ONLY if the group reaches a certain BW; in this case we're analysing the Multicast groups in ACL 1 to see if they reach 20kbps:
(config)#ip pim spt-threshold 20 group-list 1
If you want to FILTER THE INCOMING groups, define the ACL and apply it DIRECTLY on the incoming interface:
(config)#access-list 52 permit host 225.25.25.25   <-MULTICAST SOURCES WE WANT TO PERMIT
(config)#access-list 52 permit host 226.26.26.26
(config-if)#ip igmp access-group 52   <-YOU WILL NOT HAVE AN IN|OUT OPTION HERE, logically
____________________________________________________________________________________________________________________
STEP 3: Configure PIM Version 2 candidates to be the RP to the BSR, also defining the priority if needed:
(config)#ip pim RP-candidate lo0 priority 100 <-LOWER PRIORITY IS BETTER, default is 0
Once the CANDIDATE RPs know the BSR address - they send UNICAST messages to BSR identifying themselves as candidates. To check the RP election, the command is the same like in Auto-RP:
#sh ip pim rp mapp | b Group
Group(s) 224.0.0.0/4
  RP 1.1.1.3 (?), v2
    Info source: 1.1.1.4 (?), via bootstrap, priority 0, holdtime 150    <-INFO SOURCE IS ALWAYS RP
         Uptime: 00:14:16, expires: 00:02:18
  RP 1.1.1.4 (?), v2
    Info source: 1.1.1.4 (?), via bootstrap, priority 50, holdtime 150   <-INFO SOURCE IS ALWAYS RP
         Uptime: 00:14:09, expires: 00:02:18
FILTERING WITH TTL is another option not to forget when working on MULTICAST. There is an interface command that sets the TTL THRESHOLD for MULTICAST packets, so like the SCOPE feature in Auto-RP you can use it to control remote Multicast packets. In this example, routers more than 3 hops away (255-252) will not reach the local router.
(config-if)#ip multicast ttl-threshold 252
The same filter can be used OUTBOUND, using the SAME command, so if you want to make sure that no multicast packet with TTL<13 goes out the interface, use:
(config-if)#ip multicast ttl-threshold 13
*This command is under "PIM>Using MSDP to Interconnect Multiple PIM-SM Domains" in Cisco Docs (MSDP is a mechanism to connect multiple PIM-SM domains. The purpose of MSDP is to discover multicast sources in other PIM domains.)
____________________________________________________________________________________________________________________
Anycast-IP
In anycast RP, two or more RPs are configured with the SAME IP ADDRESS on their loopback interfaces. The anycast RP loopback address should be configured with a 32-bit mask, making it a host address. IP routing will automatically select the topologically closest RP. IMPORTANT: In anycast RP, all the RPs are configured to be MSDP peers of each other.
____________________________________________________________________________________________________________________
Now within the BGP process you can define the Address Families (AF) Configuration Commands apart, among them you can define the "address-family ipv4 UNICAST" and "address-family ipv4 MULTICAST":
(config-router)#address-family ipv4 unicast
(config-router-af)#neighbor 100.1.34.4 activate
(config-router-af)#network 1.1.1.1 mask 255.255.255.255   <-CAN BE KNOWN VIA ANOTHER PROTOCOL
(config-router-af)#no auto-summary                        <-ALSO NEEDED WITHIN THE AF
____________________________________________________________________________________________________________________
Default SSM Scope is 232.0.0.0/8. The router CLOSEST to the RECEIVING HOSTS should have SSM enabled. Configuration is quite simple, define the ACL, and enable the SSM for that range in the Global Configuration mode:
(config)#access-list 1 permit 230.0.0.0 0.255.255.255
(config)#ip pim ssm [range ACL | default] <-DEFAULT COVERS STANDARD SSM RANGE 239.0.0.0/8
Then in the Global Configuration mode set the DEFAULT mode to SSM:
(config)#ip pim ssm default <-SETS USAGE OF SSM DEDICATED RANGE 232.0.0.0/8 ON
Once the interface IGMP version is set, you can configure a SOURCE SPECIFIC Multicast join:
(config-if)#ip igmp join-group 232.6.6.6 source 10.1.56.6
Now Verify in the Multicast Routing Table of the UPSTREAM ROUTER (interface towards this router must be IGMPv3):
#sh ip mroute | s 232.6.6.6
(10.1.56.6, 232.6.6.6), 00:00:27/00:02:32, flags: sTI
  Incoming interface: Serial1/0.24, RPF nbr 10.1.24.4
  Outgoing interface list:
    Ethernet0/0, Forward/Sparse, 00:00:27/00:02:32
There is another option IGMPv3 allows you, and it's called "explicit-tracking" (IGMPv3 Interface command). It causes the router to TRACK ALL REPORTERS and not only the last one, and it enables LEAVING (S,G) as soon as the last host leaves that (S,G) without sending a query:
(config-if)#ip igmp explicit-tracking
*Make sure you see the "T" flag in the MROUTE table:
#sh ip mroute | i 232.6.6.6
(10.1.56.6, 232.6.6.6), 00:09:16/00:02:25, flags: sTI <-T means TRACKED
____________________________________________________________________________________________________________________
STEP 2: Statically configure the RP, also on ALL the routers (INCLUDING THE RP ITSELF):
(config)#ip pim rp-address 1.1.1.3 bidir
To make sure that the router 1.1.1.3 is REALLY the DF on the interface:
#sh ip pim inter s1/0.32 df 1.1.1.3
Designated Forwarder election for Serial1/0.32, 10.1.23.3, RP 1.1.1.3
  State                          DF
  Offer count is                 0
  Current DF ip address          10.1.23.3
  DF winner up time              00:04:19
  Last winner metric preference  0
  Last winner metric             0
  Next winner will be sent in    45360 ms
Once a host joins a Multicast Group, for example 234.1.2.3, in a network configured as BIDIR-PIM:
#sh ip mroute bidirectional | s 224.1.2.3
(*, 224.1.2.3), 00:00:41/00:02:48, RP 1.1.1.3, flags: B <-BIDIRECTIONAL FLAG
  Bidir-Upstream: Serial1/0.53, RPF nbr 10.1.35.3
  Outgoing interface list:
    Ethernet0/0, Forward/Sparse, 00:00:41/00:02:48
    Serial1/0.53, Bidir-Upstream/Sparse, 00:00:41/00:00:00
____________________________________________________________________________________________________________________
STEP 1: Create an extended IP access list to control which UDP broadcast packets are translated. In this example RIP is used, and the BROADCAST RIP packets coming from source 10.1.12.1 are matched:
(config)#access-list 101 permit udp host 10.1.12.1 eq rip host 255.255.255.255 eq rip
(config)#ip forward-protocol udp rip <-SPECIFY HOW BROADCAST MESSAGES ARE FORWARDED
STEP 2: Define the HELPER MAP to convert the INCOMING BROADCAST traffic on the interface INTO MULTICAST traffic sent to group 224.1.1.1 with TTL 3 (only 3 hops allowed):
(config-if)#ip multicast helper-map broadcast 224.1.1.1 101 ttl 3
STEP 3: On the LAST HOP router towards another BROADCAST network segment identify the RIP traffic using the ACL:
(config)#access-list 102 permit udp host 10.1.12.1 any eq rip
(config)#ip forward-protocol udp
STEP 4: Use the HELPER MAP on the LAST HOP INTERFACE towards the MULTICAST segment (the interface from which the MULTICAST traffic arrives) to CONVERT MULTICAST BACK TO BROADCAST (10.1.45.255 is the RIP packets' final destination):
(config-subif)#ip multicast helper-map 224.1.1.1 10.1.45.255 102
In this particular case we would also have to TUNE RIP a little, so that it does not validate the UPDATE SOURCE:
(config-router)#no validate-update-source
____________________________________________________________________________________________________________________
Example:
(config-if)#ip multicast helper-map broadcast 239.39.39.39 101
(config)#access-list 101 permit udp any any eq 3999
STEP 2: On the CLIENT, convert the traffic BACK TO BROADCAST for the client to receive it as the application was designed.
(config-if)#ip multicast helper-map MULTICAST_GROUP 192.168.1.255 101
This feature is also used in a MULTICAST STUB. When the next router cannot (or we don't want it to) become a PIM neighbor, configure the IGMP Helper Address in order to still receive the Multicast from that router:
(config-if)#ip igmp helper-address 10.1.15.66
Security
____________________________________________________________________________________________________________________
Security TIPS
____________________________________________________________________________________________________________________
TIP - ICMP: When you want to prevent the router from responding with "Host Unreachable" messages (U.U.U), on the interface:
(config-if)#no ip unreachables
(config-if)#no ip mask-reply <-DONT REVEAL NETWORK MASK
TIP - TELNET: When you need to control access to TELNET only, apply the ACL directly to the VTY:
(config)#line vty 0 4
(config-line)#access-class 1 in <-1 IS THE LIST OF CLIENTS ALLOWED TO TELNET
TIP - SNMP: You can allow only some of the HOSTS to access the router's SNMP agent:
(config)#snmp-server community mYcOMMUNITY RO 22
(config)#access-list 22 permit host 11.187.123.11
EAP - Extensible Authentication Protocol allows the device to forward authentication requests to the server, bypassing the local security.
TIP: When creating a USER with only one function, or a MENU, implement the AUTOCOMMAND feature:
(config)#username TEST_USER autocommand menu NOC <-NOC IS A MENU NAME
TIP: When you want to DISABLE the DOMAIN LOOKUP, but only on the CONSOLE port, there is a TRICK:
(config)#line con 0
(config-line)#transport preferred none
TIP: Don't forget the POLICE RATE command within the Policy-Map when you need to police by PPS:
(config-pmap-c)#police rate 100 pps
TIP: When you want to DISABLE SOURCE ROUTING, just do the global command:
(config)#no ip source-route
____________________________________________________________________________________________________________________
Make users wait for 1 minute if they fail to log in 3 times within a minute, and LOG it:
(config)#login block-for 60 attempts 3 within 60 <-ALLOW 3 ATTEMPTS WITHIN 1 MINUTE
(config)#security authentication failure rate 3 log <-LOG FAILED ATTEMPTS
*TIP: If your password contains "?", you need to press "ESC+Q" or CTRL+V before you enter the "?" sign.
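As an added example (not from these notes or from IOS), a Python model of how the two commands above behave together: a sliding window of failed attempts that triggers a quiet period during which even a correct password is refused. The timestamps, usernames, source address and log wording are constructed for illustration.

```python
# Added example (not IOS code): a model of 'login block-for 60 attempts 3
# within 60' plus the failure-rate log message. Timestamps, usernames, the
# source address and the log text are constructed; the log imitates IOS, it
# does not copy it.


class LoginGuard:
    def __init__(self, block_for=60, attempts=3, within=60):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.failures = []     # timestamps of recent failed logins
        self.quiet_until = 0   # end of the current quiet period, if any
        self.log = []

    def attempt(self, now, user, src, password_ok):
        """Return 'blocked', 'failed' or 'ok' for one login attempt at time now."""
        if now < self.quiet_until:
            return "blocked"          # quiet mode: the login is refused outright
        if password_ok:
            return "ok"
        # Keep only failures inside the sliding 'within' window, then add this one.
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        self.log.append(f"LOGIN_FAILED: user {user} from {src} at t={now}")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            self.log.append(f"QUIET_MODE: logins blocked for {self.block_for}s at t={now}")
        return "failed"


def demo():
    """Constructed sequence: three wrong passwords 10 seconds apart, then a
    correct one during the quiet period and another one after it ends."""
    g = LoginGuard()
    results = [g.attempt(t, "admin", "198.51.100.5", False) for t in (0, 10, 20)]
    results.append(g.attempt(30, "admin", "198.51.100.5", True))   # quiet: refused
    results.append(g.attempt(81, "admin", "198.51.100.5", True))   # quiet period over
    return results, len(g.log)


if __name__ == "__main__":
    print(demo())
```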
No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router configuration and clearing the password. If you want to do this, make sure the Conf.Register is 0x2102:
#sh ver | i register
Configuration register 0x2102 (Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate default)
More about Configuration Register Values: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml Then apply the command. *This command is HIDDEN, so the "?" will not display it! You will also be WARNED by IOS:
(config)#no service password-recovery
WARNING: Executing this command will disable password recovery mechanism. Do not execute this command without another plan for password recovery. Are you sure you want to continue? [yes/no]:
Don't forget to configure both - the CONSOLE Port (line con 0) and the AUXILIARY Port as a backup solution (line aux 0). You should automatically DISCONNECT these sessions (CON & AUX) after some time of inactivity:
(config-line)#session-timeout 5 <-DISCONNECT IF NO INPUT FOR 5 MINUTES
(config-line)#exec-timeout 5 0 <-TERMINATE CONSOLE CONNECTION IF NO INPUT FOR 5 MINUTES
If you have more than one administrator, and you want to limit them to certain commands, use "privilege exec" and define the Privilege Level 9 commands:
(config)#privilege exec level 9 show interfaces <-BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"
(config)#privilege exec level 9 ping
(config)#privilege exec level 9 traceroute
Be sure to apply the usage of the local user database on the CONSOLE PORT:
(config)#line con 0
(config-line)#login local
____________________________________________________________________________________________________________________
SMURF ATTACK: Large number of ICMPs sent to the router subnet's BROADCAST address to provoke DoS. You can create an ACL that denies x.x.x.255, or use the INTERFACE command (enabled by default in new IOS):
(config-subif)#no ip directed-broadcast
Trin00 ATTACK: SYN DoS attack that uses UDP FLOODS, uses TCP 1524,27665 and UDP 27444,31335
Trinityv3 ATTACK: Includes UDP Fragment, SYN, RST, ACK. It uses IRC, mainly TCP/6667 with a client TCP/33270
ICMP echo messages are used for many ATTACKS, so they should be disabled at the entrance to your network:
(config)#access-list 102 deny icmp any any mask-request
(config)#access-list 102 deny icmp any any redirect
(config)#access-list 102 deny icmp any any echo
TRACEROUTE uses the PORT range 33400-34400, so think if you want to disable those as well.
____________________________________________________________________________________________________________________
You also have the option of creating DYNAMIC ENTRIES in a banner, letting the VARIABLES be expanded in the response shown to the user. Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T>Banner Configuration
Step 5: Define the GLOBAL commands, for example to clean the screen when the MENU starts:
(config)#menu MYMENU clear-screen
____________________________________________________________________________________________________________________
Step 2: Decide the key pair size (in bits; by default it is 512 bits) and generate the RSA key. This ENABLES SSHv2:
(config)#crypto key generate rsa usage-keys
Then configure the VTY port for the user database to use (TACACS or LOCAL), and to use SSH:
(config)#line vty 0 4
(config-line)#login local <-WONT BE AVAILABLE AFTER SSH IS ENABLED
(config-line)#transport input ssh
*When testing the access via SSH don't forget to use "-l" to define the username:
#ssh -l mat 10.1.12.2
You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH), that can later be applied to ALL VTY ports:
(config)#aaa new-model
(config)#aaa authentication login AAA_AUTH local
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005
____________________________________________________________________________________________________________________
TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: deny any any doesn't affect the locally generated traffic on the router
It's enough to configure an extended ACL and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options that we never knew about. One of the awesome features is playing with the ESTABLISHED attribute, which means: allow back the return traffic of TCP sessions that the hosts have already established. In this example we're allowing back in the TELNET and HTTP traffic to HOST 10.187.12.1:
(config-ext-nacl)#permit tcp any range 80 23 host 10.187.12.1 established
TIME-BASED ACL
STEP 1: Define the time range using the "time-range TIMERANGE" command in the global configuration mode. Be sure the clock is correct using "show clock", and if not, set it using "clock set" or with an NTP server.
STEP 2: Attach the time-range to the ACL:
(config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE
____________________________________________________________________________________________________________________
STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL:
(config)#access-list 100 dynamic DYN_ACL permit ip any any
STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:
(config-line)#autocommand access-enable host
*"access-enable" is an EXEC command; it doesn't appear when "?" is pressed
**AUTOCOMMAND links the DYNAMIC ACL to TELNET AUTHENTICATION
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005
You can also apply the "autocommand" directly to the USERNAME, if you want to apply the DYNAMIC ACL to one user:
(config)#username TELNET password CISCO
(config)#username TELNET autocommand access-enable
____________________________________________________________________________________________________________________
STEP 2: And on the INBOUND ACL, within the extended ACL configuration:
(config)#ip access-list extended IN_ACL
(config-ext-nacl)#permit ospf any any <-YOU HAVE TO ALLOW THESE MANUALLY BECAUSE THE PACKETS ORIGINATED BY THE ROUTER ITSELF WILL NOT BE REFLECTED
(config-ext-nacl)#permit tcp any any eq bgp
(config-ext-nacl)#permit tcp any eq bgp any
(config-ext-nacl)#evaluate REFLECT_ACL
*You should consider permitting ICMP time-exceeded and port-unreachable packets, for when you're pinging stuff outside your network
STEP 3: Then apply the first one outbound, and the second one inbound, on the same interface:
(config-subif)#ip access-group OUT_ACL out
(config-subif)#ip access-group IN_ACL in
After 5 minutes of inactivity the entries expire. This can be modified using the command "ip reflexive-list timeout X":
(config)#ip reflexive-list timeout 120 <-TIME REFLEXIVE ACL EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds)
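As an added example (not from these notes or from IOS), a Python model of the OUT_ACL/IN_ACL pair above: outbound transit TCP/UDP creates a mirrored entry that expires after the timeout, while OSPF and BGP need their static permits because the router's own packets are never reflected. Addresses, ports and timestamps are constructed.

```python
# Added example (not IOS code): a model of the reflexive ACL pair above.
# Outbound transit TCP/UDP creates a mirror ("reflected") entry; inbound
# traffic is permitted only by the static entries or by a matching, unexpired
# mirror entry. All addresses, ports and times are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp", "icmp", "ospf"
    src: str
    sport: int
    dst: str
    dport: int
    router_local: bool = False   # True for packets the router itself generates


class ReflexiveFilter:
    """Model of 'permit tcp/udp any any reflect REFLECT_ACL' outbound and of
    IN_ACL as shown above: ospf, bgp, evaluate REFLECT_ACL, implicit deny."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.reflect = {}     # mirror key -> expiry timestamp

    def _expire(self, now):
        self.reflect = {k: t for k, t in self.reflect.items() if t > now}

    def outbound(self, pkt, now):
        self._expire(now)
        if pkt.proto in ("tcp", "udp") and not pkt.router_local:
            # Mirror entry: swap addresses and ports so the reply matches it.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.reflect[key] = now + self.timeout
        return "permit"   # OUT_ACL permits everything in this model

    def inbound(self, pkt, now):
        self._expire(now)
        # Static entries: router-originated protocols are never reflected,
        # so OSPF and BGP (tcp/179) must be permitted explicitly.
        if pkt.proto == "ospf":
            return "permit"
        if pkt.proto == "tcp" and 179 in (pkt.sport, pkt.dport):
            return "permit"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.reflect:
            self.reflect[key] = now + self.timeout   # activity resets the timer
            return "permit"
        return "deny"


def demo():
    """Constructed traffic: one web session from inside, one unsolicited probe,
    an OSPF hello, a BGP reply to a router-originated session, and a late reply."""
    f = ReflexiveFilter(timeout=300)
    f.outbound(Pkt("tcp", "10.1.1.5", 40001, "203.0.113.9", 80), now=0)
    results = {
        "reply_in_time": f.inbound(Pkt("tcp", "203.0.113.9", 80, "10.1.1.5", 40001), now=100),
        "probe": f.inbound(Pkt("tcp", "203.0.113.9", 4444, "10.1.1.5", 22), now=100),
        "ospf": f.inbound(Pkt("ospf", "10.1.1.2", 0, "224.0.0.5", 0), now=100),
    }
    f.outbound(Pkt("tcp", "10.1.1.1", 30000, "10.1.1.2", 179, router_local=True), now=100)
    results["bgp_reply"] = f.inbound(Pkt("tcp", "10.1.1.2", 179, "10.1.1.1", 30000), now=110)
    # The web reply refreshed its entry at t=100, so it expires at t=400.
    results["reply_late"] = f.inbound(Pkt("tcp", "203.0.113.9", 80, "10.1.1.5", 40001), now=401)
    return results


if __name__ == "__main__":
    print(demo())
```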
____________________________________________________________________________________________________________________
TCP INTERCEPT takes care that the 3-WAY TCP Handshake is correctly performed. It observes the SYN sent from the OUTSIDE towards the inside Web Server (for example); the server replies with "SYN ACK", and that's where TCP INTERCEPT does its job, waiting for the CLIENT to send the ACK and establish the TCP Session. If the ACK is NOT received, the Router TIMES OUT the session and sends a RESET to the Server. (In a TCP SYN attack thousands of TCP sessions are started with the servers, exhausting Server resources.) There are 2 modes of TCP INTERCEPT:
INTERCEPT MODE - router actively intercepts the TCP session
WATCH MODE - router only MONITORS the TCP session and sends the RST (session reset) to the Server if the ACK is not received
(config)#ip tcp intercept list 101 <-SERVERS YOU'RE PROTECTING
(config)#ip tcp intercept watch-timeout 15 <-IF ACK NOT RECEIVED IN 15 SECONDS, SEND RST
(config)#ip tcp intercept mode watch
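As an added example (not from these notes or from IOS), a Python model of WATCH mode: half-open handshakes towards the protected servers are timed, and the router records a reset to the server when the client's ACK does not arrive within the watch-timeout. The server address, the 15-second timer and the packet sequence are constructed.

```python
# Added example (not IOS code): a model of TCP Intercept in WATCH mode over a
# constructed set of handshakes. Server addresses, the 15-second watch-timeout
# and the segment sequence are assumptions for illustration.


class TcpInterceptWatch:
    """Watches handshakes towards the protected servers (the 'list 101' hosts).
    If the client's final ACK is not seen within watch_timeout seconds of its
    SYN, a reset is sent to the server so it can free the half-open session."""

    def __init__(self, protected, watch_timeout=15):
        self.protected = set(protected)
        self.watch_timeout = watch_timeout
        self.pending = {}     # (client, cport, server, sport) -> deadline
        self.resets = []      # (server, client) pairs the router has reset

    def packet(self, flags, src, sport, dst, dport, now):
        """Feed one segment; flags is 'SYN', 'SYN-ACK' or 'ACK'."""
        self.expire(now)
        if flags == "SYN" and dst in self.protected:
            self.pending[(src, sport, dst, dport)] = now + self.watch_timeout
        elif flags == "ACK":
            # The final handshake ACK from the client completes the session.
            self.pending.pop((src, sport, dst, dport), None)
        # A SYN-ACK from the server is only observed in watch mode: no action.

    def expire(self, now):
        """Reset every half-open session whose watch timer has run out."""
        for key, deadline in list(self.pending.items()):
            if now >= deadline:
                client, _, server, _ = key
                self.resets.append((server, client))
                del self.pending[key]
        return list(self.resets)


def demo():
    """Constructed traffic: one legitimate handshake, three half-open
    connections against the protected web server, and one SYN to an
    unprotected host. Returns (half-open count, resets sent)."""
    ti = TcpInterceptWatch(protected={"10.1.100.10"}, watch_timeout=15)
    # Legitimate client completes the handshake within one second.
    ti.packet("SYN", "192.0.2.10", 50000, "10.1.100.10", 80, now=0)
    ti.packet("SYN-ACK", "10.1.100.10", 80, "192.0.2.10", 50000, now=0)
    ti.packet("ACK", "192.0.2.10", 50000, "10.1.100.10", 80, now=1)
    # Three SYNs whose ACK never arrives.
    for i, src in enumerate(("203.0.113.1", "203.0.113.2", "203.0.113.3")):
        ti.packet("SYN", src, 40000 + i, "10.1.100.10", 80, now=2)
        ti.packet("SYN-ACK", "10.1.100.10", 80, src, 40000 + i, now=2)
    # A SYN to a host outside the protected list is not watched at all.
    ti.packet("SYN", "203.0.113.4", 40010, "10.1.100.99", 80, now=2)
    half_open_before = len(ti.pending)
    resets = ti.expire(now=17)        # 15 seconds after the unanswered SYNs
    return half_open_before, resets


if __name__ == "__main__":
    print(demo())
```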
____________________________________________________________________________________________________________________
The basic (GENERIC) CBAC is quite simple to configure. Define the INSPECTION RULES, and apply them on the interface:
(config)#ip inspect name INP_POL1 tcp
(config)#ip inspect name INP_POL1 udp
(config)#ip inspect name INP_POL1 icmp
APPLY the Inspection Rules to the interface, towards the OUTSIDE network:
(config-if)#ip inspect INP_POL1 out
To allow the initiated traffic BACK IN, define the ACL with what you want to permit and apply it:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any
(config-if)#ip access-group 100 in
CBAC can be configured to inspect various traffic types. These are the global CBAC parameters that can be tuned:
(config)#ip inspect ?
  WAAS            Firewall and Cisco WAE interoperability configuration
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>
Also some specific HTTP types of traffic can be inspected, such as JAVA:
(config)#ip inspect name FW_INSPECT http ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  java-list    Specify a standard access-list to apply the Java blocking. If specified, MUST appear directly after option "http"
  timeout      Specify the inactivity timeout time
  urlfilter    Specify URL filtering for HTTP traffic
  <cr>
____________________________________________________________________________________________________________________
Check if it "worked":
#sh ip port-map http
Default mapping:  http    tcp port 80    system defined
Default mapping:  http    tcp port 8000  user defined
Default mapping:  http    tcp port 8080  user defined
Now if you want to inspect the NEW http, define the INSPECT operation and apply it just like in CBAC:
(config)#ip inspect name INS_WEB http
(config-if)#ip inspect INS_WEB out
____________________________________________________________________________________________________________________
TIP: When you see IP SPOOFING - it's a "trigger" to use the uRPF
Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book.html
The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. Configure the receiving interface, which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination. For example, verify that the SOURCE IP is reachable via that exact interface:
(config-subif)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received <-EXACT INTERFACE
#sh ip int s1/0.21 | b verify
  IP verify source reachable-via RX
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate
!!!If the check fails, i.e. this is NOT the best interface to reach the IP from which the incoming packet was sourced, the packet is DROPPED. This feature can also be configured using multiple extended ACLs, where you would DENY traffic with your LAN IPs as source coming from the PROVIDER's network.
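As an added example (not from these notes or from Cisco), a Python model of the strict (rx) and loose (any) check above over a constructed FIB, including the case where only the default route matches the source; the prefixes, interfaces, sample packets and the allow-default behaviour are assumptions made for illustration.

```python
# Added example (not Cisco code): a model of the strict ("rx") and loose ("any")
# Unicast RPF decision against a small constructed FIB. The prefixes, interfaces
# and packets below are made up for illustration.
import ipaddress

# Constructed FIB: prefix -> egress interface the router would use to reach it.
FIB = {
    "10.187.0.0/16": "Serial1/0.21",   # our own LAN, reached via the inside link
    "10.1.24.0/24": "Serial1/0.24",
    "0.0.0.0/0": "Serial1/0.12",       # default route towards the provider
}


def fib_lookup(src, fib=FIB):
    """Longest-prefix match. Returns (prefixlen, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best


def urpf_check(src, ingress, mode="rx", allow_default=False, fib=FIB):
    """True if the packet passes the uRPF check, False if it is dropped.

    mode "rx":  source must be reachable via the interface the packet arrived on.
    mode "any": source must be reachable via some interface.
    allow_default: whether a match on the default route counts as reachable
    (assumed here to model the IOS 'allow-default' keyword: without it a source
    that matches only the default route is not verifiable and is dropped).
    """
    match = fib_lookup(src, fib)
    if match is None:
        return False
    prefixlen, iface = match
    if prefixlen == 0 and not allow_default:
        return False
    if mode == "any":
        return True
    return iface == ingress


def filter_packets(packets, mode="rx", allow_default=False):
    """Run the check over (src, ingress) pairs; return the dropped sources."""
    return [src for src, ingress in packets
            if not urpf_check(src, ingress, mode, allow_default)]


# Constructed packets: a spoofed LAN source arriving from the provider link,
# the same source arriving where it belongs, and an Internet host that only
# matches the default route.
PACKETS = [
    ("10.187.12.1", "Serial1/0.12"),   # spoofed: our LAN address from outside
    ("10.187.12.1", "Serial1/0.21"),   # genuine: arrives on the inside link
    ("198.51.100.7", "Serial1/0.12"),  # Internet host, matches only the default
]

if __name__ == "__main__":
    print("strict drops:", filter_packets(PACKETS, "rx"))
    print("strict + allow-default drops:", filter_packets(PACKETS, "rx", True))
    print("loose drops:", filter_packets(PACKETS, "any", True))
```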
____________________________________________________________________________________________________________________
STEP 2: Create an inspect-type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name <-A PARAMETER MAP CAN BE DEFINED to tune the inspection
  <cr>
(config-pmap-c)#inspect
STEP 3: Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ
(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE
A PARAMETER MAP can be created to tune drop logging, alarm handling, max/min session numbers and much more, for example:
(config)#parameter-map type inspect eng-network-profile
(config-profile)#tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION
____________________________________________________________________________________________________________________
Per-Protocol filtering is also possible, so you can set selective QUEUE LIMITS for BGP, OSPF, HTTP, SNMP...
2. Control-plane TRANSIT - For transit IP packets not handled by CEF
3. Control-plane cef-exception - For the NON TCP/UDP Traffic
When you are asked to limit the packets going to the Router's CPU to protect from Flood Attacks - this is the answer. It's very simple actually. Define the Policy Map like in MQC for QoS, and instead of the interface,
You can also MATCH the CLOSED PORTS within the class-map, or match the FRAGMENTED PACKETS within the ACL. Within the POLICY-MAP, the actions are to POLICE based on the number of PACKETS PER SECOND and allow BURST PACKETS, or based on BW, or just PASS or DROP the traffic within the matched Class-Map
(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop
OR
(config-pmap-c)#police rate 100 pps burst 20 packets
____________________________________________________________________________________________________________________
Then apply the defined bridge group 1 to the interface you want:
(config-if)#bridge-group 1
First you need to specify the location in which the router loads the SDF (Signature Definition File), because in the IOS there are NO DEFAULT SIGNATURES:
(config)# ip ips sdf location disk2:attack-drop.sdf
If you're configuring the IP IPS on a new router, first CREATE the IPS, name it, and define it, in this case to send the events as SYSLOG messages:
(config)#ip ips name MYIPS
(config)#ip ips notify log
*THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES. To check the signatures:
#sh ip ips signatures
Cisco SDF release version S0.0
Trend SDF release version V0.0
En  - possible values are Y, Y*, N, or N*
      Y: signature is enabled
      N: enabled=false in the signature definition file
      *: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
      Y: signature is compiled
      Ni: signature not compiled due to invalid or missing parameters
      Nr: signature not compiled because it is retired
      Nf: signature compile failed
      No: signature is obsoleted
      Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval GST=global-summary-threshold
SI=summary-interval SM=summary-mode SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
...
You might need to generate the SDF using the .txt file downloaded from the cisco.com to your flash:
#more flash:downloaded_key.txt <-COPY THE CONTENT TO LATER PASTE INTO THE KEY
____________________________________________________________________________________________________________________
AAA Authentication
____________________________________________________________________________________________________________________
Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn.html This is pretty straightforward, because on the CCIE R&S exam you won't have to configure an actual ACS server. For starters be sure that "aaa new-model" is configured. Turn the TACACS+ authentication ON, and set the LOCAL DB as backup:
(config)#aaa authentication login MYTACACS group tacacs+ local enable
*MYTACACS is the authentication policy. If you put "default" instead of specifying the policy, there is no need to assign the policy to the VTY line later; it's the default policy on the device, wherever you try to authenticate from. In case you have a default policy, you need to ALSO define a NO_AUTH policy to apply where you don't want TACACS, like the AUX and CONSOLE ports maybe.
MPLS
____________________________________________________________________________________________________________________
MPLS Configuration
____________________________________________________________________________________________________________________
This post assumes that you already know how the protocol works. If you don't - go read that first, what are you waiting for... don't you know how important MPLS is.
MPLS Neighbor Discovery uses Hello messages, 224.0.0.2, Port UDP-646
LSR - Label Switching Router
LDP - Label Distribution Protocol
To configure MPLS you first need to enable it globally on a router and on all the relevant interfaces. You also have to define the actual PROTOCOL for LABEL DISTRIBUTION (LDP or TDP; TDP was the DEFAULT in IOS versions prior to 12.4, but it's no longer in use):
(config)#mpls ip
(config)#mpls label protocol ldp <-ALL THE INTERFACES WILL INHERIT IT
(config)#int fa0/1
(config-if)#mpls ip <-TURN IT ON ON THE INTERFACE
You will get this message:
*Dec 17 18:11:50.430: %LDP-5-NBRCHG: LDP Neighbor 11.1.1.1:0 (1) is UP
As the ALTERNATIVE you can use the Auto configuration, so under the ROUTING PROTOCOL (OSPF in this example):
(config)#router ospf 1
(config-router)#mpls ldp autoconfig area 0
As in most other protocols, the LDP Router-ID needs to be assigned. The "mpls ldp router-id" command allows you to establish the IP address of an interface as the LDP router ID (L-ID), in this example the Loopback 0 IP. Be sure that all the routers have reachability to the L-ID:
(config)#mpls ldp router-id lo0 [force]
When you issue the mpls ldp router-id command without the force keyword, the router selects the IP address of the specified interface (provided that the interface is operational) the next time it is necessary to select an LDP router ID, which is typically the next time the interface is shut down or the address is configured. IMPORTANT: the VPNv4 Peering ID MUST be /32, so make sure you're learning the Lo0 with the /32 mask, so set it:
(config-if)#ip address 150.1.5.5 255.255.255.255
If, however, you wish to force the Router-ID to be the PHYSICAL INTERFACE of the router:
(config-if)#mpls ldp discovery transport-address interface
#sh mpls interfaces
Interface              Tunnel   BGP   Static
FastEthernet0/1        No       No    No
Serial0/1/0.34         No       No    No
Serial0/1/0.35         No       No    No
#sh mpls ldp neighbor | i Peer
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0
When you want to see other LDP PARAMETERS (can be useful if you're looking to see what can be optimized):
#sh mpls ldp param
Protocol version: 1
Session hold time: 90 sec; keep alive interval: 30 sec
Discovery hello: holdtime: 45 sec; interval: 15 sec
Discovery targeted hello: holdtime: 90 sec; interval: 10 sec
Downstream on Demand max hop count: 255
Downstream on Demand Path Vector Limit: 255
LDP for targeted sessions
LDP initial/maximum backoff: 15/120 sec
LDP loop detection: off
To FILTER for which IPs exactly you're generating the labels, define the ACL and apply it in the global config mode:
(config)#access-list 41 permit 150.1.0.0 0.0.255.255
(config)#no mpls ldp advertise-labels <-FIRST DISABLE FOR ALL
(config)#mpls ldp advertise-labels for 41 ?
  to  Access-list specifying controls on LDP peers <-OPTIONAL, TO CONTROL WHERE YOU'RE SENDING WHICH LABELS
  <cr>
____________________________________________________________________________________________________________________
FIB (FORWARDING Information Base) - CEF table, gets built based on the RIB (Routing Information Base):
#show ip cef
LIB - LABEL INFORMATION BASE:
#sh mpls ldp bindings 177.7.7.0 24
  lib entry: 177.7.7.0/24, rev 35
        local binding:  label: 113
        remote binding: lsr: 2.2.2.2:0, label: 213
IN THE CCIE LAB, FIRST CHECK IF THE LABEL RANGE IS CHANGED, BECAUSE ROUTERS NEED TO BE RELOADED!!! The LABEL SPACE is Platform Dependent, and the LABEL planning is done in the DESIGN phase of the Project. You can SET the RANGE of labels you want to be used on that router:
(config)#mpls label range 100 199
% Label range changes will take effect at the next reload.
#sh mpls label range
Downstream Generic label region: Min/Max label: 17/199 [Configured range for next reload: Min/Max label: 100/199]
#sh mpls ldp bin local
  tib entry: 1.1.1.0/24, rev 14
        local binding:  tag: 103
  tib entry: 2.2.2.0/24, rev 16
        local binding:  tag: 104
  tib entry: 3.3.3.0/24, rev 18
        local binding:  tag: 105
...
LFIB is the MOST IMPORTANT table in the MPLS Architecture. You can literally follow exactly what's happening on the router regarding the MPLS Labels and the IPs:
#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes Label  Outgoing    Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
17     Untagged    7.7.7.0/24        0            Se0/1/0.35  point2point
18     18          6.6.6.6/32        0            Se0/1/0.35  point2point
27     28          1.1.1.0/24        0            Fa0/1       10.1.23.2
28     Pop Label   2.2.2.0/24        0            Fa0/1       10.1.23.2
29     Pop Label   4.4.4.0/24        0            Se0/1/0.34  point2point
30     Pop Label   5.5.5.0/24        0            Se0/1/0.35  point2point
32     Pop Label   10.1.12.0/24      0            Fa0/1       10.1.23.2
33     Pop Label   10.1.45.0/24      0            Se0/1/0.34  point2point
       Pop Label   10.1.45.0/24      0            Se0/1/0.35  point2point
34     Pop Label   10.1.56.0/24      0            Se0/1/0.35  point2point
35     34          10.1.67.0/24      0            Se0/1/0.35  point2point
36     38          11.1.1.0/24       0            Fa0/1       10.1.23.2
37     Pop Label   55.5.5.0/24       0            Se0/1/0.35  point2point
"Untagged" as Outgoing Label - Remove ALL the labels and forward as IP traffic
"Pop Label" as Outgoing Label - Remove the TOP label, and forward the packet to the defined interface
NOTHING in the Local Label column - Refers to the label above; this means that Load Balancing is occurring
Numerical Value in both Local & Outgoing Labels - SWAP the Local with the Outgoing Label
IMPORTANT: FIB (ip cef) and LFIB information MUST be IN ACCORDANCE!!!
EXPLICIT NULL should be configured for all the DIRECTLY CONNECTED prefixes for which you want the previous router to replace the label with the "EXPLICIT NULL" label. The next router will perform PHP (Penultimate Hop Popping) by default, because Implicit Null is signalled by default for all the directly connected subnets.
(config)#mpls ldp explicit-null
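As an added example (not from these notes or from IOS), a Python model of the four LFIB actions listed above, driven by a subset of rows from the forwarding table shown earlier; the label stacks fed into it are constructed.

```python
# Added example (not IOS code): a model of the LFIB actions described above,
# run over a subset of the rows from the 'sh mpls forwarding-table' output.
# 'Untagged' = strip all labels and forward as IP, 'Pop Label' = remove only
# the top label, a number = swap, blank local column = extra path for the
# entry above (load balancing). The packets fed in are constructed.

# (local, outgoing, prefix, interface) copied from the table above; None in
# the local column marks a second path for the preceding local label.
LFIB_ROWS = [
    (17, "Untagged", "7.7.7.0/24", "Se0/1/0.35"),
    (18, "18", "6.6.6.6/32", "Se0/1/0.35"),
    (27, "28", "1.1.1.0/24", "Fa0/1"),
    (28, "Pop Label", "2.2.2.0/24", "Fa0/1"),
    (33, "Pop Label", "10.1.45.0/24", "Se0/1/0.34"),
    (None, "Pop Label", "10.1.45.0/24", "Se0/1/0.35"),
    (35, "34", "10.1.67.0/24", "Se0/1/0.35"),
]


def build_lfib(rows):
    """local label -> list of (outgoing, prefix, interface) paths."""
    lfib, last = {}, None
    for local, outgoing, prefix, iface in rows:
        if local is None:
            local = last   # blank local column: another path for the label above
        lfib.setdefault(local, []).append((outgoing, prefix, iface))
        last = local
    return lfib


def forward(lfib, label_stack, path_index=0):
    """Apply the LFIB action for the top label; label_stack is top-first.
    Returns (new_stack, interface, prefix), or None if the label is unknown.
    path_index selects among load-balanced paths for the same local label."""
    if not label_stack or label_stack[0] not in lfib:
        return None
    paths = lfib[label_stack[0]]
    outgoing, prefix, iface = paths[path_index % len(paths)]
    if outgoing == "Untagged":
        return [], iface, prefix                  # all labels gone: plain IP
    if outgoing == "Pop Label":
        return label_stack[1:], iface, prefix     # PHP: only the top label removed
    return [int(outgoing)] + label_stack[1:], iface, prefix   # swap


LFIB = build_lfib(LFIB_ROWS)

if __name__ == "__main__":
    # A VPN packet keeps its inner label 1000 under a swap or a pop, but loses
    # it on an 'Untagged' entry.
    for stack in ([27, 1000], [28, 1000], [17, 1000], [33], [99]):
        print(stack, "->", forward(LFIB, stack))
```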
If you need to HIDE the MPLS LABELS from the Customer, there is a command that STOPS the TTL propagation, and therefore hides the MPLS structure (the LSRs) from the customer:
(config)#no mpls ip propagate-ttl forwarded
(config)#no mpls ip propagate-ttl local
____________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________
STEP 2: RD and RT Within the VRF you will need a Route Distinguisher (RD), used to make the VRF prefix unique within the cloud, and the Route Target (RT) that you will later IMPORT/EXPORT to define the end-to-end communication of the VRF:
(config-vrf)#rd 1:10 <-VRF IS NOT ACTIVE UNTIL RD IS DEFINED
(config-vrf)#route-target [import|export|both] 1:100
*RD does NOT indicate to which VRF the prefix belongs!!! Route-Target is used for that.
RD is a 64-bit value used to transform the user's IPv4 address into a UNIQUE 96-bit address called VPNv4. THESE ADDRESSES ARE EXCHANGED ONLY BETWEEN PEs, NEVER BETWEEN CEs!!! The PE takes the update it receives from the CE and sticks the RD to it, making the 96-bit VPNv4 address. The "route-target import|export" command defines the RT, which is a BGP Extended Community that indicates which routes should be exported/imported between MP-BGP and the VRF. That is why, when you configure the VPNv4 AF under MP-BGP, you automatically get the following command under the BGP process (IF NOT, ADD IT MANUALLY):
(config-router-af)#neighbor 3.3.3.3 send-community extended
"route-target export" - Specifies the RT attached to every route exported from the Local VRF to MP-BGP.
"route-target import" - RT to be used as an IMPORT FILTER, so only the routes matching the filter are imported into the VRF
STEP 3: VRF INTERFACES. If you check the configured VRF at this point:
#sh ip vrf det
VRF CB; default RD 1:20; default VPNID <not set>
  No interfaces <-NO INTERFACES!!!
  VRF Table ID = 212
  Export VPN route-target communities
    RT:1:100
  Import VPN route-target communities
    RT:1:100
VRFs have a philosophy similar to VLANs: just as you assign interfaces to a VLAN, you need to assign the interfaces to the VRF. NOTE that the IP address of the interface will automatically be removed:
(config-if)#ip vrf forwarding CA % Interface Serial0/1/1 IP address 10.1.13.3 removed due to enabling VRF CA (config-if)#ip add 10.1.13.3 255.255.255.0 *YOU WILL BE ABLE TO PING THE NEIGHBOR ON THIS INTERFACE ONLY UNDER THE VRF: #ping vrf CA 10.1.13.1
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
MP-BGP: When you create RD and RT, and you have the BGP configured, notice that the new address family appears within the BGP process:
address-family ipv4 vrf CB
*When the ROUTE-TARGET is not imported and exported where needed between the MP-BGP neighbors, the routes will NOT be advertised via BGP.
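To make the RD/RT distinction above concrete, here is an added example (my own Python, not IOS code or anything from these notes) that encodes a Type-0 RD, builds the 96-bit VPNv4 address from it, encodes the RT as the extended community that "send-community extended" carries, and applies the import filter. The values 1:10, 1:20 and 1:100 come from the notes; the prefix 10.1.13.0/24 is a constructed sample based on the VRF interface example.

```python
# Added example (not from the original notes): RD, 96-bit VPNv4 address and
# RT extended community encoding. 1:10, 1:20, 1:100 are the notes' values;
# 10.1.13.0/24 is a constructed sample prefix.
import ipaddress
import struct
from typing import Optional


def encode_rd(rd: str) -> bytes:
    """Type-0 RD 'ASN:nn': 2-byte type 0, 2-byte ASN, 4-byte assigned number (8 bytes = 64 bits)."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def vpnv4_nlri(rd: str, prefix: str) -> bytes:
    """96-bit VPNv4 address: the 64-bit RD prepended to the 32-bit IPv4 network address.
    This is what the PE builds from the CE's update before handing it to MP-BGP."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return encode_rd(rd) + net.network_address.packed


def vpnv4_address(rd: str, prefix: str) -> str:
    """Human-readable form, as 'show bgp vpnv4 unicast' prints it: RD:prefix/len."""
    return f"{rd}:{prefix}"


def encode_rt(rt: str) -> bytes:
    """Route Target 'ASN:nn' as a transitive two-octet-AS-specific extended
    community: type 0x00, sub-type 0x02, 2-byte ASN, 4-byte number."""
    asn, num = (int(x) for x in rt.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


def decode_rt(ext_community: bytes) -> Optional[str]:
    """Return 'ASN:nn' if the 8-byte extended community is a two-octet-AS Route
    Target, else None (other community types play no role in VRF import)."""
    if len(ext_community) != 8:
        return None
    etype, subtype, asn, num = struct.unpack("!BBHI", ext_community)
    if etype != 0x00 or subtype != 0x02:
        return None
    return f"{asn}:{num}"


def import_allowed(route_rts: list, vrf_import_rts: list) -> bool:
    """A VPNv4 route is installed in a VRF when at least one RT it carries
    matches the VRF's 'route-target import' list: that list is the import filter."""
    return any(rt in vrf_import_rts for rt in route_rts)


if __name__ == "__main__":
    # Same customer prefix in two VRFs: the RD makes the VPNv4 addresses distinct...
    print(vpnv4_address("1:10", "10.1.13.0/24"), vpnv4_nlri("1:10", "10.1.13.0/24").hex())
    print(vpnv4_address("1:20", "10.1.13.0/24"), vpnv4_nlri("1:20", "10.1.13.0/24").hex())
    # ...while the RT (not the RD) decides which VRF imports the route.
    rts = [decode_rt(encode_rt("1:100"))]
    print(import_allowed(rts, ["1:100"]), import_allowed(rts, ["1:200"]))
```

Running the block prints two different 12-byte (96-bit) hex strings for the same 10.1.13.0/24, which is exactly why overlapping customer address space survives inside one MP-BGP table, and then True/False for the import decision, which depends only on the RT.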
____________________________________________________________________________________________________________________
Used to interconnect VLANs of the remote MPLS CE routers. Configured on the PE interface towards the CE. Create a SUB-INTERFACE under the interface pointing to your VLAN, and define the Dot1Q encapsulation on it:
(config)#interface FastEthernet0/1.4
(config-subif)#encapsulation dot1Q 4
(config-subif)#no cdp enable
(config-subif)#xconnect 150.1.6.6 2 encapsulation mpls <- DESTINATION PE IP ADDRESS, and 2 is the VIRTUAL CIRCUIT IDENTIFIER (VCI)
(config-if-xconn)#remote circuit id 2
If there is no MPLS IN THE ENTIRE PATH - you need to create a TUNNEL to traverse the NON-MPLS part
#show mpls l2transport vc detail
Local interface: Fa0/1.4 up, line protocol up, Eth VLAN 4 up
  Destination address: 150.1.6.6, VC ID: 2, VC status: down
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:04:55, last status change time: 00:04:48
  Signaling protocol: LDP, peer 150.1.6.6:0 up
    MPLS VC labels: local 32, remote 31
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0
IPv6
____________________________________________________________________________________________________________________
IPv6 TIPS
____________________________________________________________________________________________________________________
TIP: When doing IPv6 over Frame-Relay, ALWAYS configure, and MAP, the Link-Local address as well!!!
TIP: To filter IPv6 traffic have in mind 2 things:
1. When you try to configure the IPv6 ACL, it will not give you the NAME options, but it can be done:
(config)#ipv6 access-list ACL_IPV6
2. Apply the filter DIRECTLY ON THE INTERFACE using the IPv6 Traffic Filter:
(config-if)#ipv6 traffic-filter ACL_IPV6 in
____________________________________________________________________________________________________________________
IPv6 Basics
____________________________________________________________________________________________________________________
Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor Discovery, Router Discovery
Unique Local Unicast: FC00::/7 (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - always use /64 addresses for all the INTERFACES (the MAC can be converted into EUI-64 format to get the interface address). The router can assign the HOST portion of the network AUTOMATICALLY using the MAC of the first LAN interface:
(config-if)#ipv6 add 2:2:2:2::/64 eui-64
When you need to do this MANUALLY, find the MAC address of the highest interface, for example Fa0/0, and modify it.
#sh int fa0/0 | i bia
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)
So the MAC is 001e.be5d.27f0. Add "FFFE" in the middle, and you get the HOST PORTION: 001e:beff:fe5d:27f0
ARP has been replaced with ICMPv6 Neighbor Discovery (ND). Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping.
TIP: before enabling IPv6 on a router and configuring the interfaces, make sure there is IPv4 connectivity.
IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing
The LINK-LOCAL address is generated from the interface's MAC address when you do "ipv6 enable". Assign the UNICAST IPv6 address:
(config-if)#no switchport <--- DON'T FORGET on 3560 OR 3750
(config-if)#ipv6 add 12:1:1::3/64
#show ipv6 inter lo0
Loopback0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  Global unicast address(es):
    2:2:2:2:21E:BEFF:FE5D:27F0, subnet is 2:2:2:2::/64 [EUI]
By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:
#debug ipv6 nd
When you configure the "ipv6 enable" on the interface, the Link Local address is assigned:
*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!The interface comes UP because no one complained about the address.
Check if the interface got the correct IPv6 address:
#sh ipv6 int br
FastEthernet0/0    [up/up]
    FE80::21E:BEFF:FE5D:27F0
FastEthernet0/1    [administratively down/down]
Serial0/1/0        [up/down]
Serial0/1/1        [administratively down/down]
Serial0/2/0        [administratively down/down]
When you SHUT the local interface, the Link Local address is deleted:
*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0
*Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA
And we are finally reaching my favorite change in the IPv6, the NEIGHBOR DISCOVERY and DISPLAY:
#show ipv6 neighbors
IPv6 Address                    Age Link-layer Addr State Interface
12:1:1:12::1                      0 0013.6085.aeea  STALE Fa0/0   <- UNICAST
FE80::1                           0 0013.6085.aeea  STALE Fa0/0   <- LINK-LOCAL
123::21E:BEFF:FE5D:27F0         166 001e.be5d.27f0  STALE Fa0/0
FE80::3                           0 0013.6085.e3c6  REACH Fa0/0
You can configure the IPv6 Neighbor statically, using the Global Configuration command:
(config)#ipv6 neighbor 123::21E:BEFF:FE5D:27F0 Fa0/0 001e.be5d.27f0
The neighbors can have one of the following states:
- REACH
- STALE
You can tune the TIMERS for STATE TRANSITIONING. To check the current values do:
#sh ipv6 int fa0/0 | i time
  ND reachable time is 30000 milliseconds <- when not responding for 30 secs, the neighbor transitions to STALE
  ND advertised reachable time is 0 milliseconds
If you want to CHANGE this value (time it takes the neighbor to go to STALE from REACHABLE):
(config-if)#ipv6 nd reachable-time 50000
There is also an AUTOMATIC IPv6 address assigning, called STATELESS AUTOCONFIG. The SERVER that assigns the IPv6 addresses should have the "ipv6 unicast-routing" configured. The router assigns the addresses, and even if that router goes down - the IPs will remain active for 30 days if their interfaces don't go down. To activate this:
(config-if)#ipv6 address autoconfig
____________________________________________________________________________________________________________________
The first two 0s of the MAC are replaced with HEX 2; to complete the MAC's 48 bits up to the 64 we need:
- the "1e.be" part is COPIED and PASTED: 2|1E:BE|FF:FE|5D:27F0
- FFFE is added after this, in the MIDDLE of the MAC address
- the rest of the MAC follows
So: 2 + 4 HEX of MAC + FFFE + 6 HEX of MAC.
Now check the complete IPv6 configuration of the interface:
#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured
  Joined group address(es):
    FF02::1 <- 0 after F means the address is PERMANENT (if it were 1, it would be temporary)
    FF02::2 <- Subnet routers MULTICAST
    FF02::1:FF5D:27F0 <- Solicited-Node Multicast Address
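The EUI-64 derivation described above (the "find the MAC and modify it" walkthrough and the 2 + 4 HEX + FFFE + 6 HEX rule) is easy to get wrong by hand, so here is an added example in Python (my own code, not from these notes or from IOS) that performs it for the notes' MAC 001e.be5d.27f0, reproduces the link-local and global addresses from the show output, computes the solicited-node multicast group the interface joins, and reverses the mapping from an address back to the MAC. The function names are my own.

```python
# Added example (not from the original notes): Modified EUI-64 interface ID,
# link-local / global address derivation, solicited-node multicast group and
# the reverse mapping. MAC 001e.be5d.27f0 and prefix 2:2:2:2::/64 are the
# sample values used in the notes.
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    """Accept Cisco (001e.be5d.27f0), colon or dash notation; return 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit Modified EUI-64: insert FFFE in the middle and flip
    the U/L bit (bit 1 of the first byte), which turns 00:1e... into 02:1e..."""
    raw = _mac_bytes(mac)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """'ipv6 address <prefix>/64 eui-64': the /64 network bits + EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 enable' derives from the interface MAC (FE80::/64 + EUI-64)."""
    return eui64_address("FE80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address;
    ND Neighbor Solicitations for that address are sent to this group."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def mac_from_eui64(addr: str) -> str:
    """Reverse the derivation (handy when correlating ND entries with a MAC
    inventory). Returns Cisco dotted notation, or '' if the interface ID is
    not EUI-64 shaped (no FFFE in the middle)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return ""
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    mac = "001e.be5d.27f0"
    print("link-local      :", link_local(mac))
    print("global (2:2:2:2):", eui64_address("2:2:2:2::/64", mac))
    print("solicited-node  :", solicited_node(str(link_local(mac))))
    print("MAC recovered   :", mac_from_eui64(str(link_local(mac))))
```

The reverse function is the reason EUI-64 addressing is worth noticing from a security standpoint: a globally routable EUI-64 address exposes the interface MAC (and so the vendor OUI) to anyone who sees the address, which is why hosts prefer randomized interface IDs; on routers and loopbacks, as in these notes, that trade-off is usually acceptable.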
____________________________________________________________________________________________________________________
IPv6 Routing
____________________________________________________________________________________________________________________
STATIC ROUTING is similar to IPv4 static routing, but have in mind that you need to point to the IPv6 address of the IPv6 neighbor. The link-local IPv6 address can also be used. In IPv6 REDISTRIBUTION the LOCAL CONNECTED routes are NOT included, even if they are part of the local advertisement.
Step 1: First check the neighbor's IP by displaying the IPv6 neighbors:
#sh ipv6 nei
IPv6 Address                    Age Link-layer Addr State Interface
12:1:1:12::1                      1 0013.6085.aeea  STALE Fa0/0
FE80::1                           1 0013.6085.aeea  STALE Fa0/0
Step 2: And then add the route pointing to the appropriate address:
(config)#ipv6 route 1:1:1:1::/64 12:1:1:12::1
If you want to use the LINK LOCAL address, you also need to specify the INTERFACE:
(config)#ipv6 route 1:1:1:1::/64 fa0/0 FE80::1
Step 4: OPTIONAL: Configure a HOST entry for the hosts you ping frequently, because IPv6 addresses are a bit unwieldy. If you name the host R2_lo1, you can later ping it using "ping R2_lo1":
(config)#ipv6 host R2_lo1 ?
  <0-65535>   Default telnet port number <- CAN BE USEFUL
  X:X:X:X::X  IPv6 address
(config)#ipv6 host R2_lo1 1:1:1:1:213:60FF:FE85:AEEA
____________________________________________________________________________________________________________________
OSPFv3
____________________________________________________________________________________________________________________
Don't forget to define the router-id, because if there are no IPv4 addresses on the router it cannot pick one! So FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later. In OSPFv3 over Frame-Relay DON'T FORGET to create frame relay mappings for the link-local (FE80::/10) addresses. This being said, you might as well create the Link Local addresses on the FR interfaces manually:
(config-if)#ipv6 address FE80::2 link-local
LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:
OSPFv3                              OSPFv2
0x2001  Router LSA                  1  Router LSA
0x2002  Network LSA                 2  Network LSA
0x2003  Inter-area Prefix LSA       3  Summary (Network) LSA
0x2004  Inter-area Router LSA       4  Summary (ASBR) LSA
0x4005  AS-External LSA             5  AS-External LSA
0x2006  Group Membership LSA        6  Group Membership LSA
0x2007  Type-7 LSA                  7  NSSA External LSA
0x0008  Link LSA                    -  (new in OSPFv3)
0x2009  Intra-area Prefix LSA       -  (new in OSPFv3)
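The hex LS Type values in the table are not arbitrary: the 16-bit field packs a U bit, two flooding-scope bits and a 13-bit function code, which is why the Router LSA is 0x2001 (area scope, code 1), the AS-External LSA is 0x4005 (AS scope, code 5) and the Link LSA is 0x0008 (link-local scope, code 8). The following added example (my own Python, not from these notes) decodes and encodes that field and applies the stub-area rule from the note below the table; the function names are mine.

```python
# Added example (not from the original notes): decoding the OSPFv3 LS Type
# field. Bit 15 = U (how to handle an unknown type), bits 14-13 = S2 S1
# flooding scope, bits 12-0 = function code (equal to the OSPFv2 type for 1-7).
SCOPES = {0b00: "link-local", 0b01: "area", 0b10: "AS", 0b11: "reserved"}

FUNCTION_CODES = {
    1: "Router LSA",
    2: "Network LSA",
    3: "Inter-area Prefix LSA",
    4: "Inter-area Router LSA",
    5: "AS-External LSA",
    6: "Group Membership LSA",
    7: "Type-7 (NSSA) LSA",
    8: "Link LSA",
    9: "Intra-area Prefix LSA",
}


def decode_ls_type(ls_type: int) -> dict:
    """Split an OSPFv3 LS Type into U bit, flooding scope and function code."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    code = ls_type & 0x1FFF
    return {
        "u_bit": (ls_type >> 15) & 1,
        "scope": SCOPES[(ls_type >> 13) & 0b11],
        "function_code": code,
        "name": FUNCTION_CODES.get(code, "unknown"),
    }


def encode_ls_type(scope: str, function_code: int, u_bit: int = 0) -> int:
    """Inverse: build the LS Type from a scope name and a function code."""
    scope_bits = {v: k for k, v in SCOPES.items()}[scope]
    return (u_bit << 15) | (scope_bits << 13) | (function_code & 0x1FFF)


def flooded_into_stub_area(ls_type: int) -> bool:
    """Stub areas ('area X stub' above) receive no AS-scope LSAs (0x4005) and no
    Inter-area Router LSAs (0x2004, which only exist to reach ASBRs); the ABR
    hands them a default route instead. Everything else is flooded normally."""
    info = decode_ls_type(ls_type)
    return info["scope"] != "AS" and info["function_code"] != 4


if __name__ == "__main__":
    for t in (0x2001, 0x2004, 0x4005, 0x0008, 0x2009):
        d = decode_ls_type(t)
        print(f"0x{t:04X} {d['name']:<24} scope={d['scope']:<10} stub={flooded_into_stub_area(t)}")
```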
*If you want an area not to receive LSA4 and LSA5, configure it as stub:
(config-rtr)#area 12 stub <- ADDS A DEFAULT ROUTE TO THE ISOLATED ROUTER (the router that only has the stub area)
Default route added:
OI ::/0 [110/2] via FE80::2, FastEthernet0/0 <- INSTEAD OF ALL THE EXTERNAL ROUTES
If you want the router to maintain INTRA AREA routes only, configure the area with "stub no-summary".
If you do not want to propagate EXTERNAL routes, configure the area as NSSA (routes redistributed into an NSSA area will appear marked with "ON2"). You can add "default-information originate" to inject the default route into the NSSA area.
To change the METRIC/COST you can do two things. Either change the DEFAULT COST under the OSPF process:
(config-rtr)#auto-cost reference-bandwidth 10000
____________________________________________________________________________________________________________________
EIGRP IPv6
____________________________________________________________________________________________________________________
The difference with OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100
it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id 1.1.1.1
(config-rtr)#no shut <- ON SOME IOS VERSIONS NOT NEEDED, BUT DO IT JUST IN CASE...
*Dec 1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency
BE SURE TO DEFINE THE METRIC WHEN REDISTRIBUTING INTO EIGRP, or it will not work!!!
(config-rtr)#redistribute ospf 1 metric 1 1 1 1 1
To change the timers on the interface the command is a bit BACKWARDS, as in "ipv6 hello-interval eigrp ...":
(config-if)#ipv6 hello-interval eigrp 100 10 <- HELLO
(config-if)#ipv6 hold-time eigrp 100 40 <- DEAD
The command for checking the current timers is also unintuitive, cause you need to add "details" to the end:
#sh ipv6 eigrp interfaces detail | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60, Hold-time is 180
BE CAREFUL WITH FRAME RELAY, because EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces:
(config-subif)#no ipv6 split-horizon eigrp 100
Like in EIGRPv4, in EIGRPv6 the EIGRP packets use UP TO 50% of the link's BW. To change that (to 25% in this example):
(config-subif)#ipv6 bandwidth-percent eigrp 100 25
Another similarity to EIGRPv4, you can use "summary-address" to inject the default route:
(config-if)#ipv6 summary-address eigrp 100 ::0/0
%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured
%DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured
Some ADDITIONAL features: Make sure the incoming prefixes are in less than 50 hops (TTL <= 50)
(config-rtr)#metric maximum-hops 50
"Tune" the Active Time (time before declaring a router STUCK IN ACTIVE - SIA)
(config-rtr)#timers active-time ?
  <1-65535>  active state time limit in minutes
  disabled   disable time limit for active state
____________________________________________________________________________________________________________________
IPv6 Tunnels
____________________________________________________________________________________________________________________
When you configure them MANUALLY (this means that you define both the source and the destination of the tunnel) the tunnel mode can be IPv6IP or GRE, depending on what you are asked to do:
(config)#interface tunnel 0
(config-if)#tunnel mode ipv6ip <- DEFAULT IS GRE
The difference between IPv6IP and GRE will be in the TUNNEL PROTOCOL, so in GRE:
#sh int tunnel 3 | i transport Tunnel protocol/transport GRE/IP
While in IPv6IP:
#sh int tunnel 3 | i transport Tunnel protocol/transport IPv6/IP
GRE is Protocol 47, and IPV6IP is Protocol 41. You can check this by PINGING one side from the other, and debugging "ip packet detail" on the other side:
6to4 Tunnels: AUTOMATICALLY established, allowing IPv6 connectivity through IPv4. They require SPECIAL ADDRESSING: an IPv6 prefix of 2002 followed by the TRANSLATED IPv4 address. So, we need these steps:
Step 1: Translate the IPv4 address into IPv6 hex. For example 10.1.1.1:
  10 -> 0A
   1 -> 01
   1 -> 01
   1 -> 01
Step 2: Identify the tunnel source. IMPORTANT: the tunnel is AUTOMATIC, so DON'T CONFIGURE THE DESTINATION. Using 2002, which is the 6to4 marker, you get 2002:A01:101::/128, so:
(config-if)#ipv6 add 2002:A01:101::/128
ISATAP Tunnel: It's an IETF transition mechanism that allows IPv6 networks to connect over IPv4 networks. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits of the interface identifier are constructed using the IPv4 tunnel source address. ISATAP also has its own IPv6 address format, which is formed like this:
NETWORK PORTION: can be any IPv6 prefix
HOST PORTION: starts with 0000:5EFE, and the rest of the host portion is the TRANSLATED IPv4 address of the TUNNEL SOURCE
Step 1: Define the tunnel SOURCE address:
(config-if)#tunnel source 10.44.44.44
Step 2: Sending of IPv6 router advertisements is disabled by default on tunnel interfaces. This command re-enables the sending of IPv6 router advertisements to allow client auto-configuration:
(config-if)# no ipv6 nd ra suppress
Step 3: ISATAP The only difference from standard IPv6IP configuration is that the IPv6 address needs to be eui-64 generated, and that the MODE needs to be defined as ISATAP:
(config-if)#ipv6 address 46:1:46::/64 eui-64 <- EUI-64 CONVERTS THE IPv4 SOURCE INTO THE INTERFACE ID AUTOMATICALLY
(config-if)#tunnel mode ipv6ip isatap
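Both automatic tunnel types above (6to4 and ISATAP) work by embedding the IPv4 tunnel source in the IPv6 address, so the far end can recover the IPv4 destination from the IPv6 packet alone and no tunnel destination needs to be configured. The following added example (my own Python, not IOS code or anything from these notes) does that arithmetic in both directions for the notes' sample values, 10.1.1.1 for 6to4 and 46:1:46::/64 with source 10.44.44.44 for ISATAP; it uses the 0000:5EFE interface-ID form shown in the notes and all function names are mine.

```python
# Added example (not from the original notes): 6to4 and ISATAP address
# derivation and the reverse extraction of the embedded IPv4 tunnel source.
# 10.1.1.1, 46:1:46::/64 and 10.44.44.44 are the notes' sample values.
import ipaddress


def ipv4_to_hextets(ipv4: str) -> str:
    """10.1.1.1 -> 'A01:101': the two 16-bit halves of the IPv4 address in hex."""
    p = ipaddress.IPv4Address(ipv4).packed
    return f"{int.from_bytes(p[:2], 'big'):X}:{int.from_bytes(p[2:], 'big'):X}"


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:<IPv4 in hex>::/48, the 6to4 prefix a site derives from its tunnel source."""
    return ipaddress.IPv6Network(f"2002:{ipv4_to_hextets(ipv4)}::/48")


def sixto4_tunnel_address(ipv4: str) -> ipaddress.IPv6Address:
    """The notes assign the first address of that /48 (with /128) to the tunnel."""
    return sixto4_prefix(ipv4).network_address


def ipv4_from_6to4(addr: str) -> str:
    """What the tunnel endpoint does for every packet: read the IPv4 destination
    from bits 16-47 of a 2002::/16 address. Raises if the address is not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a.packed[:2] != b"\x20\x02":
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def isatap_address(prefix: str, tunnel_source: str) -> ipaddress.IPv6Address:
    """'ipv6 address <prefix>/64 eui-64' on an ISATAP tunnel: the /64 network
    bits, then 0000:5EFE, then the 32-bit IPv4 tunnel source (RFC 5214 sets the
    U/L bit, giving 0200:5EFE, when the IPv4 address is globally unique; the
    notes' private 10.x source uses the 0000:5EFE form)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addressing needs a /64")
    iid = b"\x00\x00\x5e\xfe" + ipaddress.IPv4Address(tunnel_source).packed
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def ipv4_from_isatap(addr: str) -> str:
    """Reverse: recover the IPv4 tunnel source from an ISATAP address, or '' if
    the interface ID does not carry the 5EFE marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[:4] not in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return ""
    return str(ipaddress.IPv4Address(iid[4:]))


if __name__ == "__main__":
    print("6to4 prefix  :", sixto4_prefix("10.1.1.1"))
    print("6to4 tunnel  :", sixto4_tunnel_address("10.1.1.1"))
    print("6to4 -> IPv4 :", ipv4_from_6to4("2002:A01:101::"))
    print("ISATAP addr  :", isatap_address("46:1:46::/64", "10.44.44.44"))
    print("ISATAP->IPv4 :", ipv4_from_isatap("46:1:46::5EFE:A2C:2C2C"))
```

Because the IPv4 destination is taken from the IPv6 address itself, an automatic tunnel endpoint will encapsulate towards whatever IPv4 address the packet names; that is the property that makes filtering protocol 41 and 6to4/ISATAP prefixes at the network edge worthwhile when these tunnels are not intentionally in use.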
____________________________________________________________________________________________________________________
The big challenge in any Multicast configuration is the verification. This can be done by debugging the ICMP packets that are used for MLD, and then pinging the MULTICAST IPv6 source from the other side:
#debug ipv6 icmp