IPexpert, Inc.
The Blueprint
Rev. 1700
IPexperts CCIE R&S Written VoD Series
STP
Spanning Tree Protocol (802.1d)
STP Example (diagram: switches S1, S2, S3)
Operations of STP
Bridge ID = (Priority+SystemID).MAC
spanning-tree extend system-id cannot be disabled
Tie breakers:
1. Lowest sender Bridge ID. If the same on multiple ports, it means that they connect to the same switch
2. Lowest sender Bridge Port ID (Priority.Port_Nr)
STP Timers
STP timers are set by the Root Bridge for the entire domain (sent in Hellos):
- Hello timer: how often BPDUs are sent (2 seconds by default)
- Forward Delay: how long the Listening and Learning phases last (15 seconds by default)
- MaxAge: a hold-time for BPDUs (20 seconds by default); how long to keep ports in the Blocking state when BPDUs are not received
Each switch port keeps a copy of the last superior BPDU received
STP Reconvergence
(diagram: STP reconvergence topology with switches S2, S3, S4 and hosts PC1, PC2; port roles D, RP and B shown)
STP Configuration
Root Bridge
spanning-tree vlan vlan_nr root primary
STP Cost
spanning-tree cost cost
Port Priority
spanning-tree port-priority priority
Configuration Verification
show spanning-tree [detail|root] - Displays STP information
- Displays STP information for a specified VLAN
STP Optimizations
Built-in to RSTP:
- PortFast
- UplinkFast
- BackboneFast
PortFast
PortFast Configuration
Per-interface
spanning-tree portfast [trunk]
Configuration Verification
show spanning-tree interface portfast - Shows if PortFast is enabled on an interface
show spanning-tree summary - Displays the summary of port states of the STP section
UplinkFast
Should be used on access-layer switches with redundant uplinks
UplinkFast example
UplinkFast Configuration
Global Command
spanning-tree uplinkfast
Configuration Verification
show spanning-tree detail - Displays detailed information about STP
BackboneFast
BackboneFast Example (diagram: S1 is the Root; S2 and S3 exchange an RLQ Request and RLQ Response; port roles D, RP and B shown on F0/1, F0/2 and F0/3)
BackboneFast Configuration
Global Command
spanning-tree backbonefast
Configuration Verification
show spanning-tree backbonefast - Displays STP BackboneFast status
show spanning-tree summary - Displays the summary of port states of the STP section
RSTP (802.1w)
Rapid convergence
RSTP Convergence
Proposal-Agreement mechanism
(diagram: Proposal-Agreement topology with switches S1, S2, S3, S4 and ports F0/0, F0/1, F0/2, F0/3)
RSTP Configuration
RSTP Mode
spanning-tree mode rapid-pvst
Configuration Verification
show spanning-tree
MSTP (802.1s)
(diagram: switches S1, S2, S3 connected by Link #1 and Link #2; MST #1 carries VLANs 1-400, MST #2 carries VLANs 401-800)
MSTP Region
MSTP Configuration
Enable MSTP
spanning-tree mode mst
Configuration Verification
show spanning-tree mst configuration - Displays the MSTP region configuration
- Displays MSTP information for a specified region
Loop Guard
Loop Guard (diagram: Root, S1, S2, S3 with designated (D), root (RP) and blocking (B) ports; BPDU flow shown)
Per-interface
spanning-tree guard loop
Configuration Verification
show spanning-tree detail - Displays detailed information about STP
UDLD
UDLD Operations
UDLD Summary:
- Detects unidirectional links
- Per-port granularity (LoopGuard offers per-VLAN function)
- Enabled on all redundant links
- Can auto-recover using the errdisable feature
- Does NOT protect against STP failures caused by problems in software
UDLD Configuration
Copper interfaces
udld port [aggressive]
Configuration Verification
show udld
show spanning-tree detail - Displays detailed information about STP
BPDU Guard
Per-interface
spanning-tree bpduguard enable
Re-enabling a port
shut
no shut
Auto-Recovery
errdisable recovery cause bpduguard
Configuration Verification
show spanning-tree detail - Displays detailed information about STP
Root Guard
Root Guard (diagram: Root, S1, S2, S3 and PC2; designated (D) and root (RP) ports shown)
Per-interface
spanning-tree guard root
Configuration Verification
show spanning-tree interface detail - Displays detailed information about STP
Storm Control
Per-interface
storm-control {broadcast|multicast|unicast} level | bps | pps
Configuration Verification
show storm-control [interface]
Unicast Flooding
(diagram: PC1, R1, S1, S2, R2, PC2 with a TRUNK between the switches; ARP timeout = 4 hours, CAM timeout = 5 minutes)
Per-interface
switchport block unicast
Configuration Verification
show interface switchport
VLANs
to enable inter-VLAN
(diagram: VLAN 10 is 10.1.1.0/24 and VLAN 20; hosts H1, H2, H3, H4 resolve each other with ARP)
(diagram: VLAN 10; GW1 10.1.1.10/24 - PRI, 10.2.2.10/24 - SEC; GW2 10.2.2.20/24 - PRI; H2 10.2.2.2/24; Static Routes: 10.1.1.0/24 -> Connected, 0.0.0.0/0 -> 10.1.1.10)
Switching Logic
VLAN Configuration
Access Port
switchport mode access
switchport access vlan vlan_nr
VLAN database
vlan vlan_nr
Configuration Verification
show vlan [brief]
show mac-address-table
VTP
VTP Operations
VTP Pruning
(diagram: VTP pruning; H1 in VLAN 10 sends a broadcast packet across switches S2, S3, S4, S5 toward H2 in VLAN 10)
VTP Configuration
VTP Mode
vtp mode client|server|transparent
VTP Pruning
vtp pruning
Configuration Verification
show vtp status - Displays general information about VTP
Trunking
ISL
802.1Q
ISL
Cisco proprietary
802.1Q
Open Standard
DTP
Trunking Configuration
Switchport Mode
switchport mode [access|trunk|dynamic auto|dynamic desirable]
Native VLAN
switchport trunk native vlan vlan_nr
Disable DTP
switchport trunk nonegotiate
Allowed VLANs
switchport trunk allowed vlan vlan1,vlan2
Configuration Verification
show int trunk
show dtp
show interface trunk

Port        Mode         Encapsulation  Status    Native vlan
Gi0/1       desirable    802.1q         trunking  1
Gi0/2       desirable    802.1q         trunking  1
EtherChannel
PAgP
Cisco proprietary
LACP
Open Standard
EtherChannel Load-Balancing
(diagram: MAC-based load balancing between S1 and S2 with hosts H1, H2, H3, H4; IP-based load balancing between S1 and S2 with routers R1, R2 and hosts H2, H3, H4)
EtherChannel Configuration
EtherChannel
channel-group nr mode [desirable|auto|active|passive|on]
Load-Balancing
port-channel load-balance [src-mac|dst-mac|src-dst-mac|src-ip|dst-ip|src-dst-ip]
int port-channel 2
ip add 10.1.1.1 255.255.255.0
Configuration Verification
show etherchannel [summary] - Displays EtherChannel information; with summary, displays one-line EtherChannel information for a channel
- Displays the Load-Balancing scheme
show lacp - Displays LACP information
Ethernet, FastEthernet
FastEthernet 802.3u
- Runs at 100Mbps
- 100BASE-TX is the most common standard
GigabitEthernet
- 802.3z for optical cabling
- 802.3ab for copper
- Runs at 1000Mbps
- Cisco devices only support full-duplex (no CSMA/CD)
- Must be negotiated
Speed
speed [10|100|1000|auto]
Duplex
duplex [half|full|auto]
Configuration Verification
show interface status
show interfaces capabilities - Displays interface capabilities
PPPoE
Client-Server architecture
PPPoE Mechanics
Discovery Phase:
- A PPPoE Active Discovery Initiation (PADI) packet is sent
- The server replies with a PPPoE Active Discovery Offer (PADO)
- The client sends a PPPoE Active Discovery Request (PADR)
- The server agrees by sending a PPPoE Active Discovery Session-confirmation message (PADS)
PPPoE Configuration
Dialer Interface
interface dialer nr
Cloning
pppoe-client dial-pool-number nr
Configuration Verification
show pppoe session
SPAN, RSPAN
This feature is used to copy all traffic transmitted/received on a specific port or VLAN to a single port on the same switch
SPAN Example (diagram: PC and Network Analyzer attached to ports F0/2 and F0/10)
RSPAN Example (diagram: switches S1, S2, S3 connected by the RSPAN VLAN; PC and Network Analyzer attached)
SPAN
monitor session session_nr source interface|vlan [both|rx|tx]
monitor session session_nr destination interface [ingress vlan]
RSPAN
monitor session session_nr source interface|vlan [both|rx|tx] [remote vlan]
monitor session session_nr destination interface [ingress vlan] [remote vlan]
vlan vlan_nr
remote-span
VLAN Filtering
monitor session session_nr filter vlan vlans
SPAN
Switch 1
vlan 999
remote-span
monitor session 12 source vlan 10 rx
monitor session 12 destination remote vlan 999
Switch 2
vlan 999
remote-span
monitor session 12 source remote vlan 999
monitor session 12 destination interface f0/2
Configuration Verification
show monitor session session_nr - Displays information about the specified SPAN or RSPAN session
Frame Relay
L2 WAN technology
Split Horizon
Multicast issues
Both routers & Frame Relay switches can set the DE bit
Encapsulation
encapsulation frame-relay
frame-relay map [cisco|ietf]
LMI
frame-relay lmi-type ansi|cisco|q933a
Point-to-Point subinterfaces
frame-relay interface-dlci DLCI_nr
Multipoint subinterfaces
frame-relay map ip IP_addr DLCI_nr [broadcast]
Inverse ARP
[no] frame-relay inverse-arp [IP_addr DLCI_nr]
Configuration Verification
show frame-relay map
debug frame-relay packet
HDLC
PPP
PPP LCP
PPP Phases
PPP Configuration
Clocking
clock rate
Encapsulation
encapsulation ppp
PPP Authentication
ppp authentication pap|chap
LQM
ppp quality percentage
Router XXX
hostname XXX
username YYY password SAMEONE
int serial 0
encapsulation ppp
ppp authentication pap/chap
Router YYY
hostname YYY
username XXX password SAMEONE
int serial 0
encapsulation ppp
ppp authentication pap/chap
Configuration Verification
show interfaces
show ppp multilink
- Displays PPP packets during the negotiation
IPv4 Basics
An IPv4 address uniquely identifies a device on an IP network. It is a 32-bit structure divided into four octets, written in decimal form.
An IP network is a distinguished group of networking devices.
Tunneling
Tunneling is the transmission of data intended for use only within a private, usually corporate, network through a public network such as the Internet.
Tunneling equals encapsulation.
GRE
GRE (Generic Routing Encapsulation) is a tunneling
protocol
Commonly used to transport multicast packets
GRE cont.
GRE tunnels are connectionless & stateless
GRE Configuration
Tunnel Interface
interface tunnel nr
Keepalives
keepalive interval retries
Tunnel Mode
tunnel mode gre
Configuration Verification
show interface tunnel
IP Routing
IP Routing Step 1
IP Routing Step 2
Step 4 Encapsulation:
Encapsulate the packet into the interface's underlying L2 header.
Layer 3 to Layer 2 resolution may be required for multiaccess interfaces such as Ethernet or Frame Relay multipoint.
Point-to-point interfaces don't require resolution.
Step 5 Serialization:
Serialize the packet onto the physical link.
RIP
RIP version 1:
- Classful
- Does not support VLSM
- No authentication
- Uses broadcasts
RIP cont.
RIP version 2:
- Supports VLSM
- Authentication
- Packets sent as multicast to 224.0.0.9
RIP Operations
RIP Timers
Split Horizon
RIP Configuration
Enabling RIP
network ip_address
RIP version
version 1|2
Passive Interface
passive-interface if_name
Interface-Level Summary
ip summary-address rip
Unicast Updates
neighbor ip_address
passive-interface if_name
Default Route
default-information originate
Split Horizon
[no] ip split-horizon
RIP Timers
timers basic
Offset List
offset-list
Source Validation
no validate-update-source
Triggered Updates
ip rip triggered
int serial 0/0
 ip add 172.16.100.1 255.255.255.0
 ip split-horizon
 ip rip triggered
router rip
 version 2
 no auto-summary
 network 172.16.100.0
 timers basic 10 60 60 80
Configuration Verification
show ip rip database
show ip protocols
OSPF Operations
OSPF Router ID
OSPF Messages
OSPF Neighbors
DR Election Criteria:
1. Highest OSPF Priority
2. Highest OSPF Router ID
OSPF Point-to-point
- Hellos are sent as multicast to 224.0.0.5
- Neighboring routers automatically become adjacent
- NO DR/BDR Election
- Faster Convergence
Loopback
Used on loopbacks and looped-back interfaces
Interfaces are advertised as host routes (/32)
Recap:
- DR and BDR election is performed on broadcast and non-broadcast networks only
- Unicast updates are sent on non-broadcast and point-to-multipoint non-broadcast networks
- Next-hop modifications are only performed on point-to-multipoint and point-to-multipoint non-broadcast networks
OSPF Areas
OSPF inter-area routing uses some of the Distance-Vector logic (advertised metric)
OSPF Cost
If there are two prefixes with the same length, type and cost, load balancing will occur
Relies on CEF
OSPF Configuration
OSPF Process
router ospf proc_nr
Enable OSPF
network IP_address wildcard area area_nr
ip ospf area area_nr [secondaries none]
Router ID
router-id router_id
Area Types
area stub [no-summary]
area nssa [no-summary] [no-redistribution] [default-information-originate] [nssa-only]
Default Route
default-information originate [always]
Virtual Link
area area_nr virtual-link router_id
NSF
nsf cisco
int s0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf hello-interval 15
 ip ospf dead-interval 60
int f0/1
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 1
 ip ospf cost 50
int loopback 0
 ip address 172.16.1.1 255.255.255.0
 ip ospf network point-to-point
Configuration Verification
show ip ospf neighbors
show ip ospf - Displays general information about OSPF routing processes
- Displays OSPF-related interface information
show ip protocols
EIGRP Terminology
EIGRP Operations
EIGRP packets are transported using Reliable
When a Hello is received for the first time and all the parameters match, an adjacency forms and an Update packet is sent back
connected, which advertises only the EIGRP-enabled interfaces (covered by the network command)
EIGRP Configuration
Auto-Summarization
[no] auto-summary
Unicast Hellos
neighbor ip_address
Default Network
ip default-network ip_address
EIGRP Configuration
Split Horizon
no ip split-horizon eigrp AS_nr
K-Values
metric weights tos k1 k2 k3 k4 k5
Traffic Engineering
delay value
Bandwidth Limitation
ip bandwidth-percent eigrp AS_nr value
Configuration Verification
show ip eigrp neighbors - Displays neighbors discovered by EIGRP
- Displays information about EIGRP-configured interfaces only
Configuration Verification
show ip eigrp topology all-links - Displays ALL IP entries in the EIGRP topology table
show ip protocols - Displays parameters and state of ACTIVE routing processes
BGP Peerings
BGP Operations
BGP Synchronization
Legacy feature
BGP Confederations
BGP Configuration
Enable BGP
router bgp AS_nr
Configure Peerings
neighbor ip_address remote-as AS_nr
Update Source
neighbor ip_address update-source if_name
Synchronization
[no] synchronization
TTL Modifications
neighbor ip_address ebgp-multihop [ttl] ttl
neighbor ip_address disable-connected-check
Next-Hop Modifications
neighbor ip_address next-hop-self
Network Advertisement
network ip_address mask mask
Missing MED
bgp bestpath med missing-as-worst
Route Reflection
neighbor ip_address route-reflector-client
Confederation Peers
bgp confederation peers as1 as2 ...
Real AS Number
bgp confederation identifier
Soft Reconfiguration
neighbor ip_address soft-reconfiguration inbound
clear ip bgp soft [in|out]
Configuration Verification
show ip bgp summary
show ip bgp
show ip bgp community
show ip bgp neighbors
show ip protocols
Policy Routing
Match Options
match ip address ACL_nr
match length length
Set Options
set ip next-hop ip_address
set ip default next-hop ip_address
set interface if_name
set default interface if_name
set ip precedence value
set ip tos value
Policy-Based Routing
ip policy route-map name
Case Study
Configuration Verification
show ip policy
show route-map
debug ip policy
PfR
PfR Components
PfR Process
PfR Configuration
OER Master
oer master
border ip_address [key-chain] kchain
interface if_name internal|external
OER Border
oer border
master ip_address [key-chain] kchain
local if_name
Automatic Learning
oer master
learn
delay
throughput
periodic-interval time_interval
monitor-period time_interval
prefixes number
Active Monitoring
oer master
mode monitor active
active-probe echo|udp-conn|tcp-conn
The Policy
oer-map map_name seq
match ip address prefix-list prefix-list-name
set delay {relative percent|threshold maximum}
set loss {relative average|threshold maximum}
oer master
policy-rules map_name
Link Utilization
oer master
border ip_address
interface if_name internal|external
max-xmit-utilization percentage value
NetFlow
Logging
oer master|border
logging
route-map RED_RMAP
match tag 2000
router ospf 1
redistribute static route-map RED_RMAP
Configuration Verification
show oer master - Displays status of monitored prefixes
Summarization
Summarization Example
Summarization cont.
To disable Auto Summarization use the no auto-summary command (works for RIP & EIGRP)
Summarization cont.
Summarization cont.
BGP Auto Summarization to classful boundaries (auto-summary) applies only to connected, static, and redistributed routes
Route Filtering
Prefix Lists
RIPv2:
Passive interface (passive-interface)
Distribute-lists (distribute-list in|out). A standard ACL can only specify the routes we want to filter; an extended ACL can also specify the source of the routing update
Offset lists (offset-list). Used to manipulate the metric
Administrative Distance (distance). Setting AD to 255 prevents a route from being placed in the RIB
EIGRP:
Passive interface (passive-interface). In EIGRP it prevents forming an adjacency (no Hellos are sent)
Distribute-lists (distribute-list in|out). A standard ACL can only specify the routes we want to filter; an extended ACL can also specify the source of the routing update. Route-maps can be used to match a route metric or a tag
Administrative Distance (distance). Setting AD to 255 prevents a route from being placed in the RIB
OSPF:
Stub Areas
LSA Type 3 Filtering (area filter-list prefix [in|out])
Summarization (area range not-advertise)
Distribute-lists (distribute-list in). Work only inbound, preventing LSA information from being put into the RIB
Administrative Distance (distance). Does not affect LSAs in the database. The LSA Originator is the source of an update
Regexp examples:
a* - Any consecutive occurrence of the letter "a", which includes none. For example, a, aa, aaa
ab?a - Matches "aa" or "aba"
[0-9]+ - Matches one digit or more
BGP:
Prefix Lists (neighbor prefix-list [in|out])
Distribute-lists (neighbor distribute-list in|out). An extended ACL can match the network mask: the source portion of the ACL defines the prefix, and the destination portion, along with the destination mask, determines the prefix length
Filter Lists (neighbor filter-list [in|out]). To define an AS Path ACL use the ip as-path access-list statement
Route-maps (neighbor route-map [in|out]). User-defined communities can be created using the ip community-list command
Redistribution
To define
router rip
redistribute ospf 1 subnets
Redistribution cont.
Route-Maps
Redistribution Problems
Case Study
Question 7 Topology
Question 15 Topology
IPv6 Basics
IPv6 addresses are 128 bits long and are represented in hex
If no abbreviation is used, an IPv6 address is composed of eight colon-separated fields, each containing four hexadecimal digits. For example:
2001:0000:0000:0000:0DB8:0800:200C:417B
Since IPv6 addresses are long and somewhat cumbersome to work with, there are two methods of abbreviating them
IPv6 Interface ID
RFC 3513 states that for all unicast addresses, except those that start with binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format
The process of constructing an EUI-64 address consists of two steps:
1. The Ethernet MAC address is divided into two equal parts, 24 bits each, and the fixed hex value FFFE is put between them
2. The Universal/Local (U/L) bit, which is the seventh bit of the first octet in the MAC address, is inverted
For interface types other than Ethernet (e.g. Serial, ATM, FR), the first MAC from the pool of MAC addresses in the router is used
IPv6 Address
ipv6 address ip_addr/prefix-length [eui-64]
Configuration Verification
show ipv6 interface [brief]
IPv6 ND Functions
There are nine functions of IPv6 Neighbor Discovery:
1. Router Discovery. A host receiving a Router Advertisement builds a list of Default Routers
2. Prefix Discovery. Allows hosts to learn about their directly connected networks
3. Parameter Discovery. Includes the MTU and Hop Count values that hosts should use on that specific link
4. Stateless Address Autoconfiguration. IPv6 hosts can automatically configure themselves with an IPv6 address: the prefix learned from the Router Advertisement message becomes the network part, whereas the Interface ID is derived using the modified EUI-64 format
IPv6 ND Configuration
Configuration Verification
show ipv6 neighbors
ICMPv6 Rate-Limiting
ipv6 icmp error-interval msec [bucketsize]
Configuration Verification
show cdp neighbors [detail] - Protocol information
GRE Tunnels
Manual Tunnels
Automatic 6to4 Tunnels
ISATAP Tunnels
Configuration:
R1
ipv6 unicast-routing
int loopback0
 ip add 1.1.1.1 255...
int tun 12
 ipv6 add 2001:12::1/64
 tunnel source loop 0
 tunnel dest 2.2.2.2
 tunnel mode gre ipv6
R2
ipv6 unicast-routing
int loopback0
 ip add 2.2.2.2 255...
int tun 12
 ipv6 add 2001:12::2/64
 tunnel source loop 0
 tunnel dest 1.1.1.1
 tunnel mode gre ipv6
Configuration for R1:
ipv6 unicast-routing
int f0/0
ip address 1.1.1.1 255.255.255.0
int tun 12
ipv6 address 2002:0101:0101:0::1/64
tunnel source f0/0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tunnel 12
ISATAP characteristics:
Tunnel interfaces can use normal /64 prefixes; there is no need for 2002 at the beginning
The Interface ID is derived using another modified EUI-64 format: the first 32 bits are always the same and equal to 0000:5efe
The remaining 32 bits are taken from the tunnel source command
For example, if the tunnel source points to 1.1.1.1, the Interface ID will be equal to 0000:5efe:0101:0101
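The address derivations from the IPv6 Interface ID slide (modified EUI-64), the 6to4 configuration for R1 (2002: plus the IPv4 address) and the ISATAP rule above, carried out in code. This is an added example, not IPexpert's material; the sample MAC address is constructed, and 1.1.1.1 is the tunnel-source value the slides themselves use.

```python
"""Derive IPv6 interface IDs and prefixes the way the slides describe.

Added example, not IPexpert's material.  It implements the modified
EUI-64 steps, the ISATAP interface ID (0000:5efe + tunnel source) and the
6to4 prefix (2002: + IPv4 address).  The sample MAC address is
constructed; 1.1.1.1 is the slides' own tunnel-source example.
"""
import ipaddress
import re


def _format_iid(raw: bytes) -> str:
    """Render 8 bytes as four colon-separated hex groups, e.g. 0000:5efe:0101:0101."""
    assert len(raw) == 8
    return ":".join(raw[i:i + 2].hex() for i in range(0, 8, 2))


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface ID from a 48-bit MAC (any usual notation).

    Step 1: split the MAC into two 24-bit halves and insert FFFE between them.
    Step 2: invert the Universal/Local bit, bit 7 of the first octet (0x02).
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    eui64[0] ^= 0x02  # flip the U/L bit
    return _format_iid(bytes(eui64))


def isatap_interface_id(tunnel_source: str) -> str:
    """ISATAP interface ID: fixed 0000:5efe followed by the 32-bit tunnel source."""
    return _format_iid(b"\x00\x00\x5e\xfe" + ipaddress.IPv4Address(tunnel_source).packed)


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 /48 prefix: 2002 followed by the IPv4 address, e.g. 2002:0101:0101::/48."""
    raw = b"\x20\x02" + ipaddress.IPv4Address(ipv4).packed + bytes(10)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(raw)}/48")


def build_address(prefix: str, interface_id: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are 64 bits, so the prefix must be a /64")
    iid = bytes.fromhex(interface_id.replace(":", ""))
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


if __name__ == "__main__":
    mac = "0011.9369.0ab1"  # constructed sample MAC in Cisco notation
    print("EUI-64 IID  :", eui64_interface_id(mac))
    print("link-local  :", build_address("fe80::/64", eui64_interface_id(mac)))
    print("ISATAP IID  :", isatap_interface_id("1.1.1.1"))
    print("6to4 prefix :", sixto4_prefix("1.1.1.1"))
```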
int loopback 0
ip address 1.1.1.1 255.255.255.0
Configuration Verification
show interfaces tunnel
OSPFv3
OSPFv3 cont.
OSPFv3 cont.
OSPFv3 cont.
OSPFv3 Configuration
General Syntax
ipv6 ospf ...
Enabling OSPFv3
ipv6 ospf nr area area_nr [instance inst_id]
Configuration Verification
show ipv6 ospf neighbors
EIGRPv6
EIGRPv6 cont.
Configuration Verification
show ipv6 eigrp neighbors
Case Study
Verify:
R4#sh ipv route eigrp
IPv6 Routing Table - Default - 9 entries
-- Output Omitted --
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
EX 2222:1:1::1/128 [170/2560002816]
   via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX 2222:1:2::1/128 [170/2560002816]
   via FE80::211:93FF:FE69:AB1, FastEthernet0/0
Verify:
R4#sh ipv route eigrp
IPv6 Routing Table - Default - 10 entries
MPLS Basics
MPLS is a high-performance switching WAN technology
MPLS Terminology
Customer Edge (CE) device is client-managed equipment
LDP Example
LDP Details
LDP is a session-based protocol that uses UDP & TCP
LFIB
Only the best label is used in the traffic forwarding
process
The decision about which label is considered to be best
is made by the underlying IGP protocol
Outgoing Label or VC  Prefix or Tunnel Id  Bytes Label Switched  Outgoing interface  Next Hop
25                    10.1.1.0/24          0                     Gi0/1.24            172.16.24.4
(Push operation)
(Swap operation)
(Pop operation)
CEF
Cisco Express Forwarding (CEF) is an advanced switching technology. It consists of two key components:
1. Forwarding Information Base (FIB)
2. Adjacency Table
The FIB contains all IP routes from the RIB, their Next-Hops, outgoing interfaces and a reference to the Adjacency Table. This information is stored in a special memory structure that allows for optimized lookups for very efficient, high-speed packet
Outgoing Label or VC  Prefix or Tunnel Id  Bytes Label Switched  Outgoing interface  Next Hop
No Label              10.1.1.0/24          1812                  Fa0/1               172.16.67.7
MPLS Configuration
Enable CEF
ip cef
Enable LDP
mpls label protocol ldp
Configuration Verification
show mpls ldp discovery
show ip cef
VRF Basics
Virtual Routing and Forwarding (VRF) is just a separate (virtual) routing table on a device
VRFs are used with MPLS
VRF Lite, also known as Multi-VRF CE, is a feature that does not use MPLS at all
VRF-Lite
There are a couple of methods that can be used to segment traffic at Layer 3:
Separate physical devices
Access-lists
Route-Filtering
Policy Routing
NAT
The aforementioned solutions do not scale well (cost, administrative burden)
VRF Lite can be used to overcome those limitations
VRF-Lite cont.
VRF-Lite cont.
VRF-Lite cont.
VRF-Lite cont.
Each VRF consists of:
A separate routing table
A separate CEF FIB and Adjacency table
A set of interfaces using this particular virtual routing table only
Packets entering a VRF-assigned interface can only follow routes and other interfaces listed in that specific VRF
Multiple technologies can be used to extend VRFs (e.g. Frame Relay, VLANs, MPLS, IPSec), since they are only locally significant
VRF configuration should be consistent end to end
VRF-Lite Configuration
VRF Instance
ip vrf vrf_name
Assigning an Interface
ip vrf forwarding vrf_name
Static Route
ip route vrf vrf_name IP_addr mask NH [global]
ip route vrf VRF_100 192.0.2.0 255.255.255.0 10.1.1.1
EIGRP
autonomous-system AS_NR
router eigrp 100
 address-family ipv4 vrf VRF_100
  autonomous-system 100
BGP
neighbor IP_addr activate
router bgp 65000
no sync
no auto
address-family ipv4 vrf VRF_100
neighbor 192.0.2.1 remote-as 65100
neighbor 192.0.2.1 activate
OSPF
router ospf proc_nr vrf vrf_name
Configuration Verification
show ip vrf [interfaces]
show ip ospf proc_nr
Case Study
Interface  VRF            Protocol
Lo1        VRF_CUSTOMERS  up
Gi0/0      VRF_CUSTOMERS  up
Lo2        VRF_INTERNAL   up
Gi0/1      VRF_INTERNAL   up
MPLS VPNs
Since the same client may use different RDs for its different sites, Route Distinguishers cannot be used to determine which VPN a prefix belongs to. Route Distinguishers must still be unique among the customers, though
Standard Configuration
OSPF Example:
router ospf 1
network 192.168.1.1 0.0.0.0 area 0
network 172.16.12.1 0.0.0.0 area 0
VRFs
ip vrf vrf_name
rd rd_value
route-target import|export|both rt_value
interface if_name
ip vrf forwarding vrf_name
ip vrf CUST-1
rd 1:1
route-target import 1:10
route-target export 1:10
BGP
neighbor IP_addr remote-as as_nr
neighbor IP_addr update-source if_name
MP-BGP (VPNv4)
address-family vpnv4
neighbor IP_addr activate
neighbor IP_addr send-community
Configuration Verification
show mpls ldp bindings
- Displays the MP-BGP VPNv4 information
show ip route vrf [*] - Displays the RIB for a particular VRF
show ip cef [vrf] - Displays CEF FIB entries
Case Study
Bytes Label Switched: 41404
R5#
MPLS les: Fa0/0: rx: Len 122 Stack {18 0 253} {20 0 254} - ipv4 data
MPLS les: Fa0/1: tx: Len 118 Stack {20 0 252} - ipv4 data
IP Multicast Introduction
How would you deliver 1Mbps video stream to five PCs?
Multicast Groups
There are two types of multicast groups:
1. Special Usage
2. Transient
Special Usage groups can be further subdivided into the following ranges:
Permanent ranges:
224.0.0.0/24 (TTL set to 1). E.g. OSPF 224.0.0.5 and 224.0.0.6
224.0.1.0/24 (can be forwarded). E.g. Auto-RP
Non-permanent ranges:
232.0.0.0/8 (Source-Specific Multicast)
233.0.0.0/8 (GLOP range)
239.0.0.0/8 (Private range)
11101010.01000000.00000100.00001001
IGMP
Internet Group Management Protocol (IGMP) works between a router and a multicast client
IGMP is used to inform local multicast routers that a host wants to receive multicast traffic for a specific group (or that it no longer wants to receive it)
Routers send periodic Host Membership Query messages to see if there are any hosts interested in multicast traffic
IGMP cont.
If there are multicast clients, they will respond with a Host
Membership Report message, also known as IGMP Join
Host Membership Reports are sent to the destination IP
address corresponding to the group a host wants to join
IGMP Version
ip igmp version 1|2|3
CGMP
ip cgmp
IGMP Snooping
ip igmp snooping
[no] ip igmp snooping vlan vlan_nr
Configuration Verification
show ip igmp groups
Source Tree
Shared Tree
RPF Example
Pruning Example
SPT
(10.1.1.1/32, 225.1.1.1), 00:01:30/00:02:01, flags T
Incoming interface: Serial0/1, RPF nbr 10.3.3.3,
Outgoing interface list: Null
SPT Switchover
Each PIM-SM router can build the SPT between itself and the source of multicast traffic
This is used to reduce the latency and the load on the RP itself
Before a PIM Join can be generated to build this tree, a router needs to learn the multicast source IP address
PIM Configuration
Multicast Routing
ip multicast-routing
SPT Threshold
ip pim spt-threshold value
Configuration Verification
show ip pim interface
show ip mroute
Rendezvous Point
All PIM Sparse Mode devices need to know the RP address
Rendezvous Point information can be provided in three ways:
1. Statically (ip pim rp-address)
2. Using Auto-RP (Cisco-proprietary)
3. Using BSR (standards-based)
The static method does not scale well
Auto-RP
Auto-RP uses two types of devices: candidate RPs (cRPs) and a Mapping Agent
A Candidate RP sends RP-Announce messages to the reserved multicast address 224.0.1.39 (UDP port 496) to propose itself as an RP for a particular group/range
The Mapping Agent learns all cRP information (it listens to 224.0.1.39) and decides which device becomes the RP for a particular group/range (if there is more than one cRP for a group/range, the device with the highest IP is elected)
The Mapping Agent embeds this information inside an RP-Discovery message which is then sent to 224.0.1.40 over UDP port 496. All cRPs listen to 224.0.1.40 to receive this message
Auto-RP Example
Auto-RP Problem
If Auto-RP uses multicast to learn the RP address, how are Auto-RP messages actually forwarded?
Auto-RP uses PIM Sparse Mode, which means that there should be an RP configured for 224.0.1.39/40. We have three options to fix this problem:
1. Static RP configuration for 224.0.1.39/40
2. PIM Sparse-Dense Mode
3. Auto-RP Listener feature
Auto-RP Listener enables forwarding Auto-RP packets (only 224.0.1.39/40) as Dense Mode traffic, even if router interfaces are configured for Sparse Mode. Use the ip pim autorp listener command to configure this feature
BSR Example
Auto-RP Candidate RP
ip pim send-rp-announce if_name [group-list]
BSR Candidate RP
ip pim rp-candidate if_name [group-list]
Configuration Verification
show ip pim rp
MSDP
MSDP Example
Anycast RP
MSDP Configuration
MSDP Peering
ip msdp peer IP_address
Configuration Verification
show ip msdp peer
Multicast Scoping
Bidirectional PIM
SSM
ip pim ssm default|range access-list
ip igmp version 3
Bidirectional PIM
ip pim bidir-enable
Configuration Verification
show ip igmp groups [detail] - Displays IGMP groups learned from multicast receivers
- Displays the contents of the multicast routing table
IPv6 Multicast
Embedded RP
Embedded RP Address
IPv6 SSM
IPv6 PIM
[no] ipv6 pim
MLD
ipv6 mld ...
Configuration Verification
show ipv6 pim interface
show ipv6 pim neighbors
show ipv6 pim range-list
show ipv6 pim bsr - Displays BSR-related information
Configuration Verification
show ipv6 mld interface - Displays MLD-related information about an interface
- Displays connected multicast groups learned through MLD
Access Lists
Not only a traffic-filtering tool
Named ACL
ip access-list standard|extended name
IPv6 ACL
ipv6 access-list name
ipv6 traffic-filter name in|out
Extended ACL
Configuration Verification
show access-list
show ip access-list
1. HTTP
2. IMAP
3. Instant Messenger
4. Peer to Peer
5. SMTP
6. SUN RPC
Classify traffic
class-map type inspect
Create policy
policy-map type inspect
Create zones
zone security
interface F0/0
zone-member security INSIDE
Configuration Verification
show policy-map type inspect
show zone-pair security
Case Study
Traffic classification
access-list 100 permit tcp host 10.1.1.1 any eq 22
access-list 100 permit tcp host 10.1.1.1 any eq 80
access-list 150 permit icmp any any echo
access-list 151 permit icmp any any echo-reply
Policy creation
uRPF
uRPF Configuration
Loose Mode
ip verify unicast source reachable-via any
Strict Mode
ip verify unicast source reachable-via rx
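A model of the uRPF decision in both modes, added here as an example and not IPexpert's or Cisco's code: the FIB, interface names and packet samples are constructed. It does the longest-prefix lookup on the source address that CEF would do and then applies the strict (reachable-via rx) or loose (reachable-via any) rule; the sample FIB deliberately has no default route, since default-route handling is beyond what the slides show.

```python
"""Unicast RPF check in loose and strict mode, as on the slides above.

Added example, not IPexpert's or Cisco's code.  The FIB, interface
names and packet samples are constructed; this only models the decision
IOS makes in CEF, it does not talk to a router.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    out_iface: str  # "Null0" marks a discard route


class Fib:
    def __init__(self, entries):
        self.entries = [FibEntry(ipaddress.IPv4Network(p), i) for p, i in entries]

    def lookup(self, addr: str) -> Optional[FibEntry]:
        """Longest-prefix match, the same lookup CEF does on the source address."""
        ip = ipaddress.IPv4Address(addr)
        matches = [e for e in self.entries if ip in e.prefix]
        return max(matches, key=lambda e: e.prefix.prefixlen, default=None)


def urpf_passes(fib: Fib, src: str, ingress: str, mode: str) -> bool:
    """Return True if a packet from src arriving on ingress passes uRPF.

    strict ("reachable-via rx"): the best route to the source must point
    back out the interface the packet arrived on.
    loose ("reachable-via any"): a route to the source merely has to
    exist; a Null0 (discard) route does not count as reachable.
    """
    entry = fib.lookup(src)
    if entry is None or entry.out_iface == "Null0":
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return entry.out_iface == ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed FIB for a dual-homed edge router (no default route).
SAMPLE_FIB = Fib([
    ("10.0.0.0/8", "Null0"),        # discard route for unused private space
    ("192.0.2.0/24", "Gi0/1"),      # customer LAN
    ("198.51.100.0/24", "Gi0/2"),   # second upstream (asymmetric path)
    ("203.0.113.0/24", "Gi0/0"),    # primary upstream
])

# Constructed (source, ingress interface) samples.
SAMPLE_PACKETS = [
    ("192.0.2.10", "Gi0/1"),      # legitimate customer traffic
    ("192.0.2.10", "Gi0/0"),      # customer prefix arriving from upstream: spoofed
    ("10.1.1.1", "Gi0/0"),        # source covered only by the Null0 route
    ("198.51.100.7", "Gi0/0"),    # reachable, but via a different link
    ("192.168.5.5", "Gi0/0"),     # no route at all
]


def classify(packets, mode: str):
    """Apply uRPF to (src, ingress) pairs and return the list that would be dropped."""
    return [(s, i) for s, i in packets if not urpf_passes(SAMPLE_FIB, s, i, mode)]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"{mode:6} drops:", classify(SAMPLE_PACKETS, mode))
```

Strict mode also drops the asymmetric 198.51.100.7 packet, which is why the slides pair it with single-homed edges and loose mode with multihomed ones.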
Configuration Verification
show ip interface if | in verify - Shows if uRPF is enabled on this interface
- Displays CEF information for a specified interface
IP Source Guard
IP address filtering
ip verify source
Manual bindings
ip source binding
Configuration Verification
show ip verify source [interface] - Displays IP Source Guard configuration
show ip source binding - Shows ONLY dynamic bindings (DHCP Snooping bindings)
AAA
Security framework
AAA cont.
AAA Configuration
Authentication methods:
line
local
enable
group radius/tacacs+
none
AAA Servers
radius-server, tacacs-server
Authorization methods:
if-authenticated
line
local
group radius/tacacs+
none
aaa new-model
aaa authentication login AUTH group tacacs+ local
aaa authorization exec AUTHOR group tacacs+
aaa accounting exec ACC start-stop group tacacs+
Configuration Verification
show aaa servers
show tacacs
CoPP Policing
CoPP Configuration
MQC
class-map
policy-map
Enabling CoPP
control-plane
service-policy input|output policy_name
Routing Protocols
Management traffic
Normal traffic
access-list 102 permit
access-list 102 permit
access-list 102 permit
access-list 102 permit
Undesirable traffic
Classification
policy-map COPP_POL
 class ROUTING_CLASS
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class MGMT_CLASS
  police 100000 5000 5000 conform-action transmit exceed-action drop
 class NORMAL_CLASS
  police rate 1000 pps burst 100
 class BAD_CLASS
  drop
control-plane
 service-policy input COPP_POL
Configuration Verification
show policy-map
CBAC
Stateful monitoring
Connection Table
CBAC features
Application-level inspection
CBAC Configuration
Apply CBAC
ip inspect name name in|out
General Tuning
ip inspect tcp synwait-time
ip inspect tcp idle-time
ip inspect udp idle-time
ip inspect dns-timeout
Anti-DoS configuration
ip inspect max-incomplete high|low
ip inspect one-minute high|low
ip inspect tcp max-incomplete host
int F0/1
ip access-group OUTSIDE_IN in
ip inspect CBAC out
Configuration Verification
show ip inspect config - Displays the CBAC configuration
show ip inspect sessions - Displays the sessions inspected by CBAC
Retire/Enable signatures
ip ips signature-category
category cat_name
retired true|false
Configuration Verification
show ip ips [config|signature]
SSH
SSH Mechanics
SSH Configuration
Configuration Verification
show ip ssh
show ssh
802.1x
802.1x components
802.1x mechanics
802.1x Configuration
Configuration Verification
show dot1x [interface][details] - Displays 802.1x statistics and status
NAT
Confusing terminology
NAT local/global
Static NAT - one-to-one mapping. A fixed translation slot is pre-created, allowing traffic to be initiated from the post-NAT side
PAT - a form of Dynamic NAT; however, only a single IP address is used, in conjunction with source port numbers
NAT Configuration
int serial0
ip nat outside
int f0/1
ip nat inside
Configuration Verification
show ip nat translations
Text password
ip rip authentication password
Create a key-chain
key-chain kchain
key key_nr
key-string key_string
accept-lifetime
send-lifetime
Configuration Verification
debug ip rip
show key-chain
Example #1
Example #2
line vty 0 4
access-class 101 out
Example #3
line vty 1
transport input ssh
Configuration Verification
show line
interface FastEthernet0/1
description Printer
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 0022.1ab1.7013
Configuration Verification
show port-security [interface]
Enable it globally
ip dhcp snooping
ip dhcp snooping
ip dhcp snooping vlan 120
int f0/1
ip dhcp snooping trust
Configuration Verification
show ip dhcp snooping - Displays DHCP Snooping configuration
show ip dhcp snooping binding - Displays DHCP Snooping binding database
Manual bindings
arp access-list ARP_ACL_name
permit|deny ip [host] IP_addr [host] MAC_addr
int f0/1
ip arp inspection trust
ip arp inspection vlan 120
Configuration Verification
show ip arp inspection [interfaces|vlan] - Displays configuration and state of DAI
Master/Backup (VRRP)
Higher priority device becomes the primary unit
HSRP/VRRP
HSRP - Cisco proprietary
VRRP - Industry Standard
Object Tracking
MD5 Authentication
No inherent Load-Balancing functionality
HSRP/VRRP Configuration
HSRP VIP
standby group_nr ip
HSRP Priority
standby group_nr priority
HSRP Tracking
standby group_nr track
track_obj|interface_name [decrement]
HSRP Preemption
standby group_nr preempt
VRRP
vrrp
standby 2 ip 10.1.1.200
standby 2 track serial 0
standby 2 preempt
standby 2 priority 95
standby 1 ip 10.1.1.100
standby 1 track Serial0
standby 1 preempt
standby 1 priority 95
standby 2 ip 10.1.1.200
standby 2 track serial 0
standby 2 preempt
Configuration Verification
show standby [brief]
show vrrp [brief]
GLBP
Another FHRP
GLBP Configuration
Virtual IP Address
glbp group_nr ip
Load-Balancing Method
glbp group_nr load-balancing
Track Object
track obj_nr interface line-protocol|ip routing
Configuration Verification
show glbp [brief]
NTP
NTP Associations
NTP Authentication
NTP Configuration
NTP Server
ntp master stratum
NTP Client
ntp server IP_address [key key_nr]
ntp peer IP_address [key key_nr]
Source Interface
ntp source if_name
Authentication
ntp authentication-key key_nr md5 password
ntp trusted-key key_nr
ntp authenticate
NTP Server
ntp master 2
ntp source loopback 1
ntp authentication-key 1 md5 ipexpert
NTP Client
R1
ntp master
ntp peer 10.1.1.2
R2
Configuration Verification
show ntp status
DHCP
Client-Server architecture
DHCP Structure
DHCP Operations :
1. (C) DHCP Discover
2. (S) DHCP Offer
3. (C) DHCP Request
4. (S) DHCP ACK or DHCP NAK
DHCP Configuration
DHCP Lease
lease days hours minutes
Configuration Verification
show ip dhcp pool
show ip dhcp database
WCCP
WCCP Redirection
WCCP versions
WCCP Configuration
WCCP Version 2
ip wccp version 2
ip wccp web-cache group-address IP_addr [redirect-list ACL_nr] [group-list ACL_nr]
ip wccp web-cache group-listen
int f0/0
ip wccp web-cache redirect in
ip wccp web-cache group-listen
Configuration Verification
show ip wccp
Introduction to QoS
Quality of Service (QoS) is a technique used to provide
better service to selected network traffic
Network traffic can be characterized by three parameters :
1. Delay (latency) - how long it takes for a packet to get to a particular destination
2. Jitter - delay variation
3. Packet loss - the amount of dropped packets
MQC Framework
MQC (Modular QoS CLI) is a framework used to configure
QoS
Replaces most of the legacy QoS commands
Using Modular Quality of Service CLI is a three-step
process :
1. Classifying the traffic (class-map)
2. Defining a QoS tool/action (policy-map)
3. Enabling QoS (service-policy)
NBAR
NBAR (Network-Based Application Recognition) classifies
packets based on their payload, up to the application
layer
An example may be classifying HTTP traffic based on
URL or MIME Type
NBAR can be also used to discover the protocols that are
running in the network
Marking Methods
Marking can be performed in Layer 2 or Layer 3
IP Precedence
Classification
class-map match-any|match-all class_name
match access-group
match fr-dlci
match source-address-mac
match destination-address-mac
match cos
match dscp
match precedence
match any
NBAR
match protocol protocol_name
Marking
policy-map policy_name
set cos
set dscp
set precedence
set fr-de
set qos-group
Configuration Verification
show class-map
show policy-map
Congestion Management (Queuing)
Queuing
Queuing identifies how traffic from multiple streams is
sent out of an interface that is currently experiencing
congestion
No congestion means that no queuing is required
CBWFQ
Class-Based Weighted Fair Queuing (CBWFQ) is used to
configure minimum bandwidth for a class
During congestion, a particular class receives at least
Class-Configured_BW/Interface_BW share
CBWFQ cont.
Bandwidth reservation is limited to 75% of the interface
bandwidth by default (max-reserved-bandwidth)
There are three ways to allocate bandwidth in CBWFQ :
1. bandwidth - absolute value, in kbps
2. bandwidth percent - allocates a percentage of the interface-level bandwidth (bandwidth)
3. bandwidth remaining percent - reserves a percentage of the bandwidth that is left (after the priority, bandwidth and bandwidth percent commands)
The first two options cannot be mixed within the same policy-map
CBWFQ Example
We assume interface-level bandwidth configured to
200Kbps
CBWFQ calculations are as follows :
Option #1 bandwidth 100 reserves 100Kbps
Option #2 bandwidth percent 60 reserves
60%*200Kbps = 120Kbps
Now if another class is added and configured with
bandwidth remaining percent 40, it will receive the
following allocation :
For #1 40%*(75%*200-100)Kbps = 20Kbps
For #2 40%*(75%*200-120)Kbps = 12Kbps
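An added Python example (not from the IPexpert slides) that reproduces the CBWFQ arithmetic above for all three allocation commands, including the 75% max-reserved-bandwidth ceiling and the rule that bandwidth and bandwidth percent cannot be mixed; the class names are constructed.

```python
# Added example: CBWFQ bandwidth allocation arithmetic (not IPexpert code).
# Units are kbps throughout, matching the slide's 'bandwidth 200' example.

MAX_RESERVED_PCT = 75  # IOS default max-reserved-bandwidth


def allocate_cbwfq(interface_bw_kbps, classes, max_reserved_pct=MAX_RESERVED_PCT):
    """Return {class_name: guaranteed_kbps} for a CBWFQ policy-map.

    classes is a list of (name, command, value) tuples, where command is
      'priority'                    -> LLQ, absolute kbps (policed)
      'bandwidth'                   -> absolute kbps
      'bandwidth percent'           -> percent of the interface bandwidth
      'bandwidth remaining percent' -> percent of what the reservable pool
                                       still has after the commands above
    """
    commands = {cmd for _, cmd, _ in classes}
    # IOS rejects a policy-map that mixes absolute and percent reservations.
    if {"bandwidth", "bandwidth percent"} <= commands:
        raise ValueError("'bandwidth' and 'bandwidth percent' cannot be mixed")

    pool = interface_bw_kbps * max_reserved_pct / 100   # 75% of 200 = 150 kbps
    guaranteed = {}
    fixed = 0.0
    # Pass 1: priority, bandwidth and bandwidth percent come straight off the pool.
    for name, cmd, value in classes:
        if cmd in ("priority", "bandwidth"):
            guaranteed[name] = float(value)
        elif cmd == "bandwidth percent":
            guaranteed[name] = interface_bw_kbps * value / 100
        else:
            continue
        fixed += guaranteed[name]
    if fixed > pool:
        raise ValueError(f"{fixed:g} kbps requested, only {pool:g} kbps reservable")

    # Pass 2: 'remaining percent' classes split whatever the pool has left.
    leftover = pool - fixed
    for name, cmd, value in classes:
        if cmd == "bandwidth remaining percent":
            guaranteed[name] = leftover * value / 100
        elif cmd not in ("priority", "bandwidth", "bandwidth percent"):
            raise ValueError(f"unknown command {cmd!r}")
    return guaranteed


# The slide's two options, each followed by a class with
# 'bandwidth remaining percent 40' (class names are constructed).
OPTION_1 = [("BULK", "bandwidth", 100), ("REST", "bandwidth remaining percent", 40)]
OPTION_2 = [("BULK", "bandwidth percent", 60), ("REST", "bandwidth remaining percent", 40)]

if __name__ == "__main__":
    for label, policy in (("Option #1", OPTION_1), ("Option #2", OPTION_2)):
        print(label, allocate_cbwfq(200, policy))   # BULK 100/120, REST 20/12
```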
LLQ
Low Latency Queuing (LLQ) is essentially CBWFQ
extended by the priority queue
LLQ class will be always serviced before any other class,
up to its configured bandwidth (LLQ queue is policed)
MDRR
Modified Deficit Round Robin (MDRR) uses seven normal
queues and one priority queue (PQ)
MDRR keeps track of extra bytes sent for each queue and
adjusts how many bytes can be sent in subsequent
rounds
There are two modes of MDRR priority queue :
1. Strict Priority PQ is always emptied first
2. Alternate Priority PQ will be served between
normal queues. For example, if 0 is the PQ,
queues will be served as follows : 0, 1, 0, 2, 0, 3 ...
Each MDRR queue uses two variables Quantum Value
(number of bytes that can be sent per round) and Deficit
Counter (number of extra bytes that were sent)
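An added Python example (not from the IPexpert slides) that simulates the MDRR scheduler described above: each queue has a Quantum Value and a Deficit Counter, the priority queue runs in strict or alternate mode, and alternate mode produces the 0, 1, 0, 2, 0, 3 service pattern; queue names and packet sizes are constructed.

```python
# Added example: MDRR queue service simulation (not IPexpert code).
from collections import deque


class MdrrQueue:
    """One MDRR queue: a quantum (bytes allowed per round) and a deficit counter."""

    def __init__(self, name, quantum, packet_sizes=()):
        self.name = name
        self.quantum = quantum
        self.deficit = 0                    # credit left; negative = bytes overrun
        self.packets = deque(packet_sizes)  # packet lengths in bytes (constructed)

    def serve_turn(self):
        """Serve the queue for one round and return the bytes sent."""
        if not self.packets:
            self.deficit = 0                # an idle queue does not bank credit
            return 0
        self.deficit += self.quantum
        sent = 0
        # A packet is started while credit is positive; finishing it may drive
        # the counter negative, which shrinks the allowance in the next round.
        while self.packets and self.deficit > 0:
            size = self.packets.popleft()
            self.deficit -= size
            sent += size
        if not self.packets:
            self.deficit = 0
        return sent

    def drain(self):
        """Strict-priority service: send everything queued, ignoring the quantum."""
        sent = sum(self.packets)
        self.packets.clear()
        self.deficit = 0
        return sent


def run_mdrr(normal_queues, pq, mode="alternate", rounds=1):
    """Return the per-turn service log [(queue_name, bytes_sent), ...]."""
    if mode not in ("strict", "alternate"):
        raise ValueError("mode must be 'strict' or 'alternate'")
    log = []
    for _ in range(rounds):
        for q in normal_queues:
            # The PQ is visited before every normal queue: emptied completely in
            # strict mode, given one quantum's worth of service in alternate mode.
            log.append((pq.name, pq.drain() if mode == "strict" else pq.serve_turn()))
            log.append((q.name, q.serve_turn()))
    return log


def demo(mode="alternate"):
    """Queue 0 is the PQ (twelve 200-byte packets); queues 1-3 hold six 1000-byte
    packets each; every queue has a 1500-byte quantum."""
    pq = MdrrQueue("Q0", quantum=1500, packet_sizes=[200] * 12)
    normals = [MdrrQueue(f"Q{i}", quantum=1500, packet_sizes=[1000] * 6) for i in (1, 2, 3)]
    return run_mdrr(normals, pq, mode=mode, rounds=2)


if __name__ == "__main__":
    for turn in demo():
        print(turn)   # Q0, Q1, Q0, Q2, Q0, Q3, ... ; Q1 sends 2000 then 1000 bytes
```

With a 1500-byte quantum and 1000-byte packets, Q1 overruns to 2000 bytes in round one (deficit -500) and is held to 1000 bytes in round two, which is the deficit adjustment the slide describes.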
MDRR Example
Queuing Configuration
// LLQ queue
class WEB_CLASS
 bandwidth remaining percent 50   // CBWFQ queue
class BE_CLASS
 bandwidth remaining percent 10   // CBWFQ queue
int f0/0
 bandwidth 200
 service-policy output QOS_POL
Configuration Verification
show class-map
show policy-map
Policing
Policing is a traffic regulation mechanism. It allows marking or dropping the packets that don't conform to a configured rate
There are three types of Policing :
Single Rate, Two-Color
Single Rate, Three-Color
Two Rate, Three-Color
CAR
Committed Access Rate (CAR) is another method of rate-limiting traffic
CAR relies on Single Rate, Two-Color token bucket (Bc in
size), but it works differently than standard policing
Policing Configuration
CAR
rate-limit {input | output} access-group ACL_nr
bps burst-normal burst-max
conform-action action
exceed-action action
int f0/1
rate-limit input access-group 100 8000 1500 3000
conform-action set-prec-transmit 0
exceed-action drop
Configuration Verification
show class-map
show policy-map interface
Shaping
Traffic shaping is used to control the speed of the
outgoing traffic
Shaper does not mark or drop excess traffic; it buffers it
Four main characteristics of shaping are :
1. Shaping queue
2. Size of the Token Bucket is Bc + Be
3. Bc tokens are refilled every Tc (Bc = CIR * Tc)
4. One token corresponds to one bit
Shaping Example
Shaping Configuration
GTS (ACL)
traffic-shape group ACL_nr bps
[burst-size [excess-burst-size]]
Adaptive Shaping
traffic-shape adaptive bps
Example
access-list 120 permit tcp any any eq 80
int f0/0
traffic-shape group 120 64000 640 640
FRTS Configuration
FRTS
interface if_name
encapsulation frame-relay
frame-relay traffic-shaping
Map Class
map-class frame-relay map_name
map-class frame-relay PVC120_CLASS
frame-relay cir 256000
frame-relay bc 2560
frame-relay be 0
service-policy output LLQ_POL
Adaptive Shaping
map-class frame-relay map_name
frame-relay cir bps
frame-relay adaptive-shaping [becn|foresight]
frame-relay mincir bps
MQC Shaping
policy-map policy_name
class class_name
shape average bps [bc] [be]
int s0/1.2
service-policy output SHAPE_QUEUE_POL
Configuration Verification
show traffic-shape
Congestion Avoidance
WRED
RED is not supported on IOS
Minimum threshold   Maximum threshold   Mark probability
20                  40                  1/10
22                  40                  1/10
24                  40                  1/10
26                  40                  1/10
28                  40                  1/10
31                  40                  1/10
33                  40                  1/10
35                  40                  1/10
WRED Configuration
WRED
random-detect [dscp-based]
WRED Profile
random-detect precedence|dscp value
min-threshold min
max-threshold max
mark-prob-denominator value
Configuration Verification
show queue - Displays contents of packets inside a particular queue
Compression
Compression increases available bandwidth
Compression Configuration
Payload Compression
compress stac|predictor
int s0/1
compress stac
Header Compression
ip tcp|rtp header-compression [passive]
Configuration Verification
show compress - Displays compression statistics
show ip tcp|rtp header-compression - Displays TCP/RTP header compression statistics
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface
Bandwidth : 20Gbps
Priority queue : 20% = 20%*20Gbps = 4Gbps
Weights : 40 for queue #1 and 10 for queue #2
Relative share :
Queue #1 : 40/(10+40) = 0.8
Queue #2 : 10/(10+40) = 0.2
Overall Reservation :
Queue #1 : (20-4)*0.8Gbps = 12.8Gbps
Queue #2 : 4Gbps + (20-4)*0.2Gbps = 7.2Gbps
If there was no PQ :
Queue #1 : 20*0.8Gbps = 16Gbps
Queue #2 : 20*0.2Gbps = 4Gbps
Egress Queueing
Outbound queues are located after internal ring
Overall Result :
Queue #1 : 1/10*100Mbps = 10Mbps
Queue #2 : 1/20*100Mbps = 5Mbps
Queue #3 : 1/2 *100Mbps = 50Mbps
Queue #4 : Shared Mode
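An added Python example (not from the IPexpert slides) that generalizes the two SRR calculations above: the ingress split with a priority queue that both keeps its guaranteed percentage and still takes its weighted share of the rest, and the egress shaped weights where a non-zero weight w caps a queue at 1/w of the link; it works for any number of queues and weights.

```python
# Added example: 3560 SRR ingress/egress bandwidth arithmetic (not IPexpert code).


def srr_ingress_allocation(total_gbps, weights, pq_queue=None, pq_percent=0):
    """Ingress queueing as the slide computes it: the priority queue (pq_queue)
    is guaranteed pq_percent of the bandwidth outright; what is left is divided
    among all queues by their SRR weights, the PQ included.

    weights: {queue_number: weight}. Returns {queue_number: gbps}.
    """
    if pq_queue is not None and pq_queue not in weights:
        raise ValueError("priority queue must be one of the weighted queues")
    if not 0 <= pq_percent <= 100:
        raise ValueError("pq_percent must be between 0 and 100")
    reserved = total_gbps * pq_percent / 100 if pq_queue is not None else 0
    shared = total_gbps - reserved
    weight_sum = sum(weights.values())
    # Relative share of each queue: w / sum(w), e.g. 40/(40+10) = 0.8
    alloc = {q: shared * w / weight_sum for q, w in weights.items()}
    if pq_queue is not None:
        alloc[pq_queue] += reserved
    return alloc


def srr_egress_shaped(link_mbps, shape_weights):
    """'srr-queue bandwidth shape w1 w2 w3 w4': a non-zero weight w caps that
    queue at 1/w of the link; a zero weight leaves the queue in shared mode."""
    return {i + 1: (link_mbps / w if w else "shared")
            for i, w in enumerate(shape_weights)}


if __name__ == "__main__":
    # Slide values: 20 Gbps, PQ = queue #2 at 20%, weights 40 and 10.
    print(srr_ingress_allocation(20, {1: 40, 2: 10}, pq_queue=2, pq_percent=20))  # 12.8 / 7.2
    print(srr_ingress_allocation(20, {1: 40, 2: 10}))                              # 16 / 4 (no PQ)
    print(srr_egress_shaped(100, [10, 20, 2, 0]))   # 10, 5, 50 Mbps, queue 4 shared
```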
Enable QoS
mls qos
Ingress Queueing
mls qos srr-queue input bandwidth w1 w2
mls qos srr-queue input priority-queue nr
bandwidth value
mls qos srr-queue input cos-map q_nr <values>
mls qos srr-queue input dscp-map q_nr <values>
Egress Queuing
srr-queue bandwidth shape w1 w2 w3 w4
srr-queue bandwidth share w1 w2 w3 w4
priority-queue out
srr-queue bandwidth limit
Configuration Verification
show mls qos
LFI
Large packets take a long time to serialize on low-bandwidth WAN links; this may affect small Voice packets that are delay- and jitter-sensitive
LFI cont.
LFI Example
LFI Configuration
MQC-Compatible LFI
frame-relay fragment end-to-end
Configuration Verification
show frame-relay fragment
RSVP Configuration
RSVP
ip rsvp bandwidth total_bw single_flow_bw
Configuration Verification
show ip rsvp interface - Displays RSVP-related interface information
AutoQoS Enterprise
AutoQoS Configuration
AutoQoS Enterprise
auto discovery qos [trust]
auto qos
Configuration Verification
show auto qos
Troubleshooting Introduction
Troubleshooting means diagnosing a problem and
resolving it
Common approaches to troubleshooting include :
Top-Down
Bottom-Up
Divide & Conquer
Troubleshooting Auto-Negotiation
Both sides should have Auto-Negotiation enabled or both
sides should be configured manually
Any other combination may cause Auto-Negotiation to fail
Verify how the speed & duplex settings were actually
derived :
- show interfaces status
Port      Name               Status
Fa0/1                        connected
Troubleshooting VTP
VTP information is always forwarded on trunk links using
VLAN 1
VTP Parameters that have to match are :
VTP domain name
VTP password
VTP version
Since VTP domain name is sent inside a DTP packet,
DTP will never negotiate a trunk between two different
VTP domains
Not only a VTP Server with higher revision number can
erase the entire VLAN configuration within a VTP domain,
but also a VTP Client
Troubleshooting EtherChannel
The following parameters must match in order to form an
EtherChannel :
Speed & duplex
STP values
VLAN, Native VLAN
Trunking mode
Interface Type
When using manual configuration, don't wait too long before configuring the other side
Make sure that Load-Balancing method chosen fits into
the current topology
Troubleshooting STP
STP loops are formed when a port that should block starts
forwarding traffic
Unidirectional links are often a culprit
Duplex mismatch can resemble a unidirectional link
scenario
Never use PortFast on interfaces connected to :
Switches
Hubs
Bridging routers
debug spanning-tree events - Displays spanning-tree topology event debug messages
Troubleshooting RIP
Lack of routes installed in the RIB may be generally
caused by three things :
1. Router receives an update but does not install it
2. Route sender is not even advertising a route
3. Routing update got lost somewhere in the path
between the sender and receiver
Start by verifying the device's configuration :
- show run router rip, show ip protocols
- debug ip rip
RIP: ignored v2 packet from 10.1.1.1 (not enabled on FastEthernet0/0)
RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)
Troubleshooting EIGRP
Unidirectional links may prevent a neighborship from
being established
Common causes :
Layer 2 problems
Hardware issues
Filtering
Troubleshoot adjacencies :
- show ip eigrp neighbors
H   Address    Interface  Hold  Uptime    SRTT  RTO   Q    Seq
                          (sec)           (ms)        Cnt  Num
1   10.1.1.2   Et0/0      11    00:00:20  0     5000  5    0
Output params :
H - order in which the neighbors were learned
SRTT - how long it takes for an ACK to come back (0 means ACK was never received)
RTO - how long to wait for an ACK before retransmitting
Q Cnt - number of unicast packets queued
Troubleshooting OSPF
Basic OSPF verification :
- show ip ospf neighbor
- show ip ospf interface [brief]
More advanced troubleshooting :
- debug ip ospf adjacency
- debug condition interface
OSPF adjacency events debugging is on
OSPF: Rcv hello from 10.1.10.1 area 0 from FastEthernet0/0 10.1.1.1
OSPF: Mismatched hello parameters from 10.1.1.1
Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.128
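An added Python example (not from the IPexpert slides) that turns the debug ip rip lines from the RIP section and the debug ip ospf adjacency lines above into a triage list: which neighbor is being ignored and why, and which hello parameter (Dead, Hello or Mask) actually differs between the received (R) and configured (C) values; the sample lines are constructed from those quoted on this page.

```python
# Added example: triage of RIP/OSPF adjacency debug output (not IPexpert code).
import re

RIP_IGNORED = re.compile(r"RIP: ignored v2 packet from (?P<peer>[\d.]+) \((?P<reason>[^)]*)\)")
OSPF_MISMATCH = re.compile(r"OSPF: Mismatched hello parameters from (?P<peer>[\d.]+)")
# "Dead R 40 C 40," : stop each value at whitespace or the comma separator.
OSPF_PARAM = re.compile(r"(?P<name>Dead|Hello|Mask) R (?P<recv>[^\s,]+) C (?P<cfg>[^\s,]+)")


def triage_debug(lines):
    """Walk debug output and return one finding per problem:
    ('rip', peer, reason) or ('ospf', peer, {param: (received, configured)}).
    The OSPF parameter line normally follows the mismatch line, as in the
    quoted output; a parameter list on the mismatch line itself also works."""
    findings = []
    pending_peer = None
    for line in lines:
        m = RIP_IGNORED.search(line)
        if m:
            findings.append(("rip", m["peer"], m["reason"]))
            continue
        m = OSPF_MISMATCH.search(line)
        if m:
            pending_peer = m["peer"]
        params = {p["name"]: (p["recv"], p["cfg"]) for p in OSPF_PARAM.finditer(line)}
        if pending_peer is not None and params:
            # Keep only the parameters whose received value differs from ours.
            diffs = {name: rc for name, rc in params.items() if rc[0] != rc[1]}
            findings.append(("ospf", pending_peer, diffs))
            pending_peer = None
    return findings


# Constructed sample, assembled from the debug lines quoted on this page.
SAMPLE = [
    "RIP: ignored v2 packet from 10.1.1.1 (not enabled on FastEthernet0/0)",
    "RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)",
    "OSPF: Rcv hello from 10.1.10.1 area 0 from FastEthernet0/0 10.1.1.1",
    "OSPF: Mismatched hello parameters from 10.1.1.1",
    "Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.128",
]

if __name__ == "__main__":
    for finding in triage_debug(SAMPLE):
        print(finding)   # the OSPF finding names only Mask as mismatched
```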
Troubleshooting BGP
For direct peering, if Layer 1 and Layer 2 are configured correctly, verify the neighbors :
- show ip bgp summary
BGP table version is 1, main routing table version 1
Troubleshooting Redistribution
Verify which routes have been added to/removed from the
RIB and what was the reason for it :
- debug ip routing
*Jan 11 13:21:24.181:
10.1.1.0, flushing 1
*Jan 11 13:21:24.185:
*Jan 11 13:21:24.185:
bgp metric [20/20]
*Jan 11 13:21:24.191:
debug ip tcp transactions - Displays information on significant TCP transactions
debug ip routing - Displays information on routing table and route cache updates
Match: any
Increment  Adapt   Packets  Bytes   Packets  Bytes    Shaping
(bytes)    Active                   Delayed  Delayed  Active
1000       -       1200     654120  248      135185   yes
Egress :
- show mls qos if_name queuing
- Displays information about only the active policy maps attached to an interface
Troubleshooting FHRPs
Virtual IP 10.1.1.100
HSRP debugging is on
Vlan5 Hello out 10.1.1.1 Active pri 100 ip 10.1.1.100
Vlan5 Hello in 10.1.1.2 Standby pri 100 ip 10.1.1.100
Troubleshooting NTP
Troubleshooting DHCP
Common issues :
DHCP Pool is exhausted
DHCP Server cannot reach Relay Agent
Option 82 is enabled and makes troubles
URPF used to drop packet with src IP 0.0.0.0 &
dst IP 255.255.255.255
DHCP is turned off (no service dhcp)
Troubleshooting WCCP
Verify :
- show ip wccp
Troubleshoot :
- debug ip wccp events
- debug ip wccp packets
R1#
WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000001
WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.2 w/ rcv_id 00000001
WCCP-EVNT:S00: Redirect_Assignment packet from 10.1.1.2 fails source check
WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 10.1.1.2
WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.2 w/rcv_id 00000001
WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
debug ntp authentication - Displays debugging information on NTP authentication
debug dhcp - Displays debugging information about the DHCP Client activities
Troubleshooting CBAC
Common issues :
Inspection is not enabled for a protocol
Inspection is enabled on wrong interface
Inspection is enabled in wrong direction
Router-generated traffic is not inspected
Verify :
- show ip inspect session detail
Established Sessions
Session 817298C4 (10.1.1.2:11005)=>(20.1.1.1:23) tcp SIS_OPEN
Created 00:00:06, Last heard 00:00:03
Bytes sent (initiator:responder) [391:123911]
In SID 20.1.1.1[23:23]=>10.1.1.2[11005:11005] on ACL 100 (108 matches)
Half-open Sessions
Session 81729A34 (10.1.1.2:11006)=>(20.1.1.1:80) http SIS_OPENING
Created 00:00:03, Last heard 00:00:01
Bytes sent (initiator:responder) [0:0]
Troubleshooting AAA
Common issues :
- AAA server is not configured/misconfigured
- Key mismatch (NAS <-> AAA)
- Connectivity problems (NAS <-> AAA)
- Misconfigured AAA database
Troubleshoot AAA :
- debug aaa authentication
- debug aaa authorization
- debug aaa accounting
Troubleshoot RADIUS/TACACS+ :
- debug radius
- debug tacacs
debug radius
debug tacacs - Displays information associated with TACACS+
Logging Destinations
1. Console (logging console)
2. Internal Buffer (logging buffered)
3. VTY lines (logging monitor + terminal monitor)
4. SNMP Server (snmp-server enable traps syslog + logging history)
5. Syslog Server (logging trap)
Syslog Configuration
Turning Logging on
[no] logging on
Time Stamps
service timestamps log
Logging facility
logging facility
Logging Synchronous
logging synchronous
Configuration Verification
show logging
IP SLA
IP SLA Responder :
a) Allows for unidirectional (one-way) measurements
b) Improves accuracy: the responder adds two timestamps, so the probe processing time on the responder can be neglected
[Figure: IP SLA Responder, timestamps T0 and T1, 30 ms]
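The timestamp arithmetic behind the two responder bullets, as an added Python example that is not part of the IPexpert deck: the sender's own pair of timestamps gives the raw round trip, the responder's pair gives the time the probe sat inside the responder, and the one-way figures only mean something when both clocks are synchronised. The T1..T4 names and all millisecond values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ProbeTimestamps:
    """Timestamps in milliseconds for one probe (names are this example's own).
    t1/t4 are stamped by the sender; t2/t3 are added by the IP SLA Responder
    and stay None when the target is an ordinary echo target."""
    t1_sent: float                         # sender transmits the probe
    t4_received: float                     # sender receives the reply
    t2_received: Optional[float] = None    # responder receives the probe
    t3_sent: Optional[float] = None        # responder transmits the reply

def responder_processing_ms(ts: ProbeTimestamps) -> float:
    """Time the probe spent inside the responder (T3 - T2); 0 without a responder."""
    if ts.t2_received is None or ts.t3_sent is None:
        return 0.0
    if ts.t3_sent < ts.t2_received:
        raise ValueError("responder timestamps out of order")
    return ts.t3_sent - ts.t2_received

def rtt_ms(ts: ProbeTimestamps) -> float:
    """Round-trip time seen by the sender, minus the responder's processing
    delay when the responder timestamps are present."""
    if ts.t4_received < ts.t1_sent:
        raise ValueError("sender timestamps out of order")
    return (ts.t4_received - ts.t1_sent) - responder_processing_ms(ts)

def one_way_ms(ts: ProbeTimestamps) -> Tuple[float, float]:
    """(forward, reverse) one-way delay. Needs responder timestamps, and is
    only meaningful when sender and responder clocks are synchronised (NTP)."""
    if ts.t2_received is None or ts.t3_sent is None:
        raise ValueError("one-way measurement needs IP SLA Responder timestamps")
    return (ts.t2_received - ts.t1_sent, ts.t4_received - ts.t3_sent)

# Constructed sample: the reply is back 30 ms after the probe left, and the
# responder held the packet for 2.5 ms between receiving it and replying.
WITH_RESPONDER = ProbeTimestamps(t1_sent=0.0, t4_received=30.0,
                                 t2_received=14.0, t3_sent=16.5)
PLAIN_ECHO = ProbeTimestamps(t1_sent=0.0, t4_received=30.0)

if __name__ == "__main__":
    print("RTT with responder :", rtt_ms(WITH_RESPONDER))      # 27.5
    print("RTT plain echo     :", rtt_ms(PLAIN_ECHO))          # 30.0
    print("one-way fwd/rev    :", one_way_ms(WITH_RESPONDER))  # (14.0, 13.5)
```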
IP SLA Configuration
IP SLA Responder
ip sla responder
ip sla 2
udp-echo dest-ipaddr 10.1.1.2 1234
frequency 3
ip sla schedule 2 life 43200 start-time now
ip sla responder
Configuration Verification
show ip sla configuration
Responder
show ip sla configuration
NetFlow
Flow Sampling
NetFlow Configuration
Enabling NetFlow
ip flow ingress/egress
Flow Exporter
ip flow-export
Flow Aggregation
ip flow-aggregation
int f0/1
ip flow ingress
ip flow-export version 5
ip flow-export destination 10.1.1.1 9000
ip flow-capture icmp
Configuration Verification
show ip flow interface
show ip cache verbose flow - Displays the detailed summary of NetFlow statistics and flows
RITE Configuration
Configuration Verification
show ip traffic-export
SNMP
Application-layer protocol used for management, monitoring and administration
SNMP Framework :
1. Network Management Station (NMS)
2. SNMP Agent
3. Management Information Base (MIB)
SNMP Operations :
1. Polling (GET, SET)
2. Notifications (TRAPS, INFORMS)
SNMP Polling
SNMP SET
SNMP Notifications
SNMP Versions
SNMP Configuration
SNMP Polling
snmp-server community [ro|rw]
SNMP Notifications
snmp-server enable traps
snmp-server host [traps|informs]
Configuration Verification
show snmp
EEM
EEM Components :
1. Event Detector (monitored component)
2. EEM Policy (defines actions)
3. Event Manager Server (an interface between Event Detector and EEM Policy)
EEM Configuration
Create an applet
event manager applet
_syslog_msg
Example applet #1
Example applet #2
Configuration Verification
show event manager - Displays the debugging output of the EEM process
show event manager policy registered - Displays already registered EEM policies
RMON
RMON Groups (1-9)
RMON Configuration
Create an event
rmon event nr [log|trap community]
Create an alarm
rmon
Configuration Verification
show rmon alarm
FTP
FTP Modes
Active Mode :
- FTP client specifies its port using a PORT command
- FTP server initiates the data connection from TCP port 20 to the port specified inside the PORT command
Passive Mode :
- FTP client sends a PASV command
- Server responds with an ephemeral port number and the FTP client initiates the data connection
- TCP port 20 is not used
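Both modes worked through in Python, as an added example that is not part of the IPexpert deck: it decodes the PORT command and the 227 PASV reply into the address and port of the data connection and derives which side opens it and from which port, which is exactly what a stateful inspector such as the CBAC covered earlier has to work out before it permits the data connection. The sample command lines and addresses are constructed.

```python
import re
from typing import Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and by the 227 PASV reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode_hostport(text: str) -> Tuple[str, int]:
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = nums[4] * 256 + nums[5]       # FTP spells the port as two bytes
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port

def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client's 'PORT h1,h2,h3,h4,p1,p2' names where it listens."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return _decode_hostport(line)

def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server's '227 Entering Passive Mode (h1,...,p2)' reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    return _decode_hostport(line)

def data_connection(mode: str, client_ip: str, server_ip: str, line: str
                    ) -> Tuple[str, str, Optional[int], str, int]:
    """(initiator, src_ip, src_port, dst_ip, dst_port) of the data connection a
    stateful inspector such as CBAC has to permit; src_port None means any
    ephemeral port. The advertised address must be the control-connection peer
    itself, otherwise the request is refused rather than opened."""
    if mode == "active":
        ip, port = parse_port_command(line)
        if ip != client_ip:
            raise ValueError("PORT address is not the control-connection client")
        return ("server", server_ip, 20, ip, port)   # server connects from port 20
    if mode == "passive":
        ip, port = parse_pasv_reply(line)
        if ip != server_ip:
            raise ValueError("PASV address is not the control-connection server")
        return ("client", client_ip, None, ip, port) # port 20 is never used
    raise ValueError("mode must be 'active' or 'passive'")
```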
FTP Configuration
ip ftp username ipexpert
ip ftp password cciers
ip ftp passive
ip ftp source-interface l0
Configuration Verification
show exception
Displays information on significant TCP transactions
TFTP
TFTP works over UDP port 69. The actual data transfer, however, uses an ephemeral port
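An added Python model of the client side of that exchange (not code from the IPexpert deck): the read request is the only packet sent to port 69, the server's first DATA block reveals the ephemeral port it chose (its transfer ID, TID), and every later packet is matched against that TID, with a packet from any other port answered by error 5 and otherwise ignored. Packet layouts follow RFC 1350; the addresses and ports used in the test are constructed.

```python
import struct
from typing import Optional, Tuple

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5   # TFTP opcodes (RFC 1350)
TFTP_PORT = 69
BLOCK_SIZE = 512                     # a shorter DATA block ends the transfer
Packet = Tuple[str, int, bytes]      # (dst_ip, dst_port, bytes to send)

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"
def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload
def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)
def build_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"

class TftpRead:
    """Client side of one read transfer. Only the RRQ is sent to UDP/69; the
    server answers from an ephemeral port (its transfer ID, TID) and every
    later packet is exchanged with that TID. A packet from another port gets
    error 5 and leaves the transfer state untouched."""
    def __init__(self, server_ip: str):
        self.server_ip = server_ip
        self.server_tid: Optional[int] = None
        self.expected_block = 1
        self.data = b""
        self.done = False

    def start(self, filename: str) -> Packet:
        return (self.server_ip, TFTP_PORT, build_rrq(filename))

    def on_packet(self, src_ip: str, src_port: int, pkt: bytes) -> Optional[Packet]:
        if src_ip != self.server_ip or len(pkt) < 4:
            return None
        opcode, block = struct.unpack("!HH", pkt[:4])
        if self.server_tid is None:
            if opcode != DATA or block != 1:
                return None                   # nothing to learn a TID from yet
            self.server_tid = src_port        # the server's ephemeral port, not 69
        elif src_port != self.server_tid:
            return (src_ip, src_port, build_error(5, "Unknown transfer ID"))
        if opcode != DATA or block != self.expected_block:
            return None                       # duplicate or out-of-order block
        payload = pkt[4:]
        self.data += payload
        self.expected_block += 1
        self.done = len(payload) < BLOCK_SIZE
        return (self.server_ip, self.server_tid, build_ack(block))
```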
TFTP Mechanics
TFTP Configuration
For the TFTP client use the copy command with the tftp keyword
TFTP Client
int loopback 1
ip add 10.1.1.1 255.255.255.0
ip tftp source-interface loopback 1
copy tftp://192.0.2.1/image2 flash
Configuration Verification
debug tftp
SCP
AAA authentication and authorization must be configured
SCP Configuration
For the SCP client use the copy command with the scp keyword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username ipexpert priv 15 password cciers
hostname Europe
ip domain-name ipexpert.com
crypto key generate rsa
ip scp server enable
SCP Client
Configuration Verification
debug ip scp
authentication
HTTP
HTTP Operations
HTTPS
HTTP + SSL/TLS
HTTP Configuration
HTTP Authentication
ip http authentication [local|aaa]
HTTPS Configuration
HTTP Server
ip http server
ip http port 8080
ip http access-class 2
ip http authentication local
HTTPS Server
ip http secure-server
ip http secure-port 8443
Configuration Verification
show ip http server [status] - Displays details about the current configuration of the HTTP server
show ip http server secure status - Displays the secure server configuration
Telnet
Client-Server architecture
Telnet Configuration
line vty 0 4
password ipexpert
login
Telnet authentication with local username-based database
line vty 0 4
login local
Configuration Verification
show users
terminal
show tcp [brief]
Exam Overview
The exam is 2 hours long and consists of multiple-choice questions and simulations (approx. 100 in total)
The Blueprint :
www.cisco.com/go/ccie
Exam Policy
Reference Books
Preparation Timeline
Everyone is different
Strategy
Good Luck!