Sunday 6 December 2009

PPP EAP authentication

EAP is a client-server authentication. Credentials must be specified explicitly on the client side: unlike CHAP, the router hostname is not used as the default identity.

Client-side

ppp eap identity R5
ppp eap password CISCO


Server-side, using a locally stored username:

username R5 password 0 CISCO
ppp authentication eap
ppp eap local

PPP over Frame Relay

PPP over Frame Relay (PPPoFR) can be used when:

- authentication between routers is needed
- the same IP address must be used on multiple DLCIs and static mapping is not permitted

int s0/0
encap frame-relay
frame-relay interface-dlci XXX ppp virtual-template1
frame-relay interface-dlci YYY ppp virtual-template1

int virtual-template1
ip add 10.0.0.1 255.255.255.0
ppp authentication chap

Sunday 29 November 2009

3550 QOS : WRR

On 3550 : Weighted Round Robin is done per packet
On 6000/6500 : Weighted Round Robin is done by bandwidth

wrr-queue bandwidth 10 20 30 40

On gigabit ports:

Each of the 4 queues can be assigned a different buffer size, and WRED or RED with 2 thresholds per queue:

WRED:
wrr-queue random-detect max-threshold 1 50 100

RED:
wrr-queue threshold 1 50 100


Queue Size:
wrr-queue queue-limit Q_size1 Q_size2 Q_size3 Q_size4

On non-gigabit ports:

Only FIFO, with a reserved number of packets per queue (max 170):

mls qos min-reserve level buffer_size
wrr-queue min-reserve level queue

3560 QOS

Different tasks that could be asked:

1 Map ingress DSCP values to different queues and WTD thresholds:

There are 2 input queues, each with 2 WTD thresholds.

The following example maps DSCP 00 and 01 to queue 1, threshold 2, and sets the thresholds to 75 (threshold 1) and 50 (threshold 2) for queue 1, and to 30 (threshold 1) and 75 (threshold 2) for queue 2.

mls qos srr-queue input dscp-map queue 1 threshold 2 00 01
mls qos srr-queue input threshold 1 75 50
mls qos srr-queue input threshold 2 30 75


2 Configure the ingress bandwidth association to queues

Here 20% is dedicated to the expedite (priority) queue 2; the remaining bandwidth is shared between queue 1 (35%) and queue 2 (45%).

mls qos srr-queue input bandwidth 35 45
mls qos srr-queue input priority 2 bandwidth 20

3 Modify the default buffers

The buffer is the number of packets each queue can hold before dropping.

The input buffers are modified globally with:
mls qos srr-queue input buffer 60 40

Output buffers are modified per queue-set. Queue-set 1 is applied by default to all interfaces, with equal sharing. To apply a different queue-set to an interface:

mls qos queue-set output 2 buffers 40 20 20 20
int fa0/14
queue-set 2

4 Configure bandwidth shaping and sharing on an interface

Shaped queues limit the bandwidth, whereas shared queues only limit it during congestion.
The shape weight is an inverse ratio: 1/weight.
The share weight is a ratio: weight_queue1/total_weight.
A shape weight of 0 means the queue is treated as shared. The bandwidth left over by the shaped queues goes to the shared queues.
A queue in shape mode is not taken into account in the shared ratio.

Example: queue 1 is a shaped queue with 12.5 percent of the bandwidth; the remaining bandwidth is shared equally among q2, q3 and q4.

srr-queue bandwidth shape 8 0 0 0
srr-queue bandwidth share 25 25 25 25
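As an added worked example (not part of the original notes), the following Python function applies the shape/share rules above and computes each queue's share of the port bandwidth. The weights are those of the example; the function names are my own, and the model assumes the shaped queues never exceed the port rate.

```python
from fractions import Fraction


def srr_allocation(shape, share):
    """Return each queue's fraction of the port bandwidth under SRR.

    shape / share are the weights given to 'srr-queue bandwidth shape' and
    'srr-queue bandwidth share', in queue order.  Rules modelled:
      * shape weight w > 0 : the queue is shaped to 1/w of the port
      * shape weight 0     : the queue is shared
      * shared queues split what the shaped queues leave, in proportion to
        share_weight / (sum of share weights of the shared queues only)
    """
    if len(shape) != len(share):
        raise ValueError("shape and share must describe the same queues")
    alloc = [Fraction(0)] * len(shape)

    # Shaped queues first: weight w caps the queue at 1/w of the port rate.
    for i, w in enumerate(shape):
        if w:
            alloc[i] = Fraction(1, w)
    shaped_total = sum(alloc, Fraction(0))
    if shaped_total > 1:
        raise ValueError("shaped queues already exceed the port bandwidth")

    # Shared queues divide the remainder by their own share weights only;
    # the share weights of shaped queues are ignored.
    shared = [i for i, w in enumerate(shape) if not w]
    total_share = sum(share[i] for i in shared)
    remaining = 1 - shaped_total
    for i in shared:
        if total_share:
            alloc[i] = remaining * Fraction(share[i], total_share)
    return alloc


def as_percent(alloc):
    """Render the fractions as percentages rounded to 2 decimals."""
    return [round(float(a) * 100, 2) for a in alloc]


if __name__ == "__main__":
    # Example from the notes: queue 1 shaped to 1/8, queues 2-4 shared equally.
    print(as_percent(srr_allocation([8, 0, 0, 0], [25, 25, 25, 25])))
    # -> [12.5, 29.17, 29.17, 29.17]
    # Variant: no shaping at all, unequal share weights.
    print(as_percent(srr_allocation([0, 0, 0, 0], [10, 20, 30, 40])))
    # -> [10.0, 20.0, 30.0, 40.0]
```

Note that the 25 configured on queue 1 plays no role in the result: once a queue is shaped, only the shape weight matters for it, and only the three remaining share weights are summed for the others.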

Monday 12 October 2009

Private-VLAN

Different VLAN types:

- Promiscuous/primary: a port/VLAN that can communicate with all the other private VLANs associated with it.
- Community: a port/VLAN that can communicate with the other members of the same community and with the associated primary.
- Isolated: a port/VLAN that can communicate with the associated primary only.

A primary VLAN can contain one isolated VLAN and multiple community VLANs.

Configuration

- Create the different VLANs
vlan 10
private-vlan primary
vlan 20
private-vlan community
vlan 30
private-vlan isolated

- Associate the secondary VLANs with the primary VLAN
vlan 10
private-vlan association 20,30

Configure the interfaces

In the following example:
- ports 21 & 22 can communicate with each other and with port 1
- ports 31 & 32 cannot communicate with each other but can with port 1
- port 1 can communicate with ports 21, 22, 31 and 32

int f0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 add 20 30

int range f0/21-22
switchport mode private-vlan host
switchport private-vlan host-association 10 20

int range f0/31-32
switchport mode private-vlan host
switchport private-vlan host-association 10 30
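The reachability rules stated above, as an added example that is not part of the original notes: a small Python model that decides whether two ports of the configuration can exchange traffic. The port list, VLAN types and association table are constructed from the configuration shown; the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                        # "promiscuous" or "host"
    primary: int                     # primary VLAN (mapping or host association)
    secondary: Optional[int] = None  # secondary VLAN, host ports only


# Constructed from the configuration above: VLAN 10 is primary, VLAN 20 is a
# community VLAN and VLAN 30 is an isolated VLAN, both associated with 10.
SECONDARY_TYPE = {20: "community", 30: "isolated"}
ASSOCIATION = {10: {20, 30}}


def can_talk(a, b, secondary_type=SECONDARY_TYPE, association=ASSOCIATION):
    """Decide whether two ports can exchange traffic inside a private VLAN."""
    if a.primary != b.primary:
        return False                          # different private-VLAN domains
    if a.mode == b.mode == "promiscuous":
        return True                           # promiscuous ports see each other
    if "promiscuous" in (a.mode, b.mode):
        host = b if a.mode == "promiscuous" else a
        # A host port reaches the promiscuous port only if its secondary
        # VLAN is associated with (mapped on) the primary.
        return host.secondary in association.get(host.primary, set())
    # Two host ports: same secondary VLAN, and that VLAN must be a community.
    if a.secondary != b.secondary:
        return False
    return secondary_type.get(a.secondary) == "community"


def reachability(ports):
    """Return the sorted list of port pairs that can communicate."""
    pairs = []
    for i, a in enumerate(ports):
        for b in ports[i + 1:]:
            if can_talk(a, b):
                pairs.append((a.name, b.name))
    return sorted(pairs)


# Ports from the configuration above.
PORTS = [
    PvlanPort("f0/1", "promiscuous", 10),
    PvlanPort("f0/21", "host", 10, 20),
    PvlanPort("f0/22", "host", 10, 20),
    PvlanPort("f0/31", "host", 10, 30),
    PvlanPort("f0/32", "host", 10, 30),
]

if __name__ == "__main__":
    for pair in reachability(PORTS):
        print(" <-> ".join(pair))
```

Running it lists exactly the pairs the text predicts: port 1 with every host port, and 21 with 22; the two isolated ports 31 and 32 never appear together.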

Friday 9 October 2009

Difference between BPDUGuard & BPDU Filtering

These functions can be enabled globally for all PortFast ports:

span portfast bpdufilter default
span portfast bpduguard default

Or per interface.

The main differences are:
- BPDU Guard shuts down the port if a BPDU is received on a PortFast port
- BPDU Filter blocks inbound and outbound BPDUs, but removes the PortFast state from the port if a BPDU is received.

Thursday 8 October 2009

Mac address Notification

The purpose is to notify an NMS of MAC address changes:

Enable the trap:
snmp-server enable traps mac-notification


Enable MAC notification globally:
mac address-table notification change


Enable change notifications on the port:
snmp trap mac-notification change [added | removed]


Limit the traps:
mac address-table notification interval seconds
mac address-table notification history-size messages


Verify:
show mac address-table notification change

Automatic IPv6 Tunnel

IPv6-IPv4 Compatible

Address format: ::A.B.C.D/96

IPv4 tunnel source: the IPv4 source interface
IPv4 tunnel destination: derived from the IPv4-compatible IPv6 destination address
IPv6 tunnel interface address: automatically generated from the IPv4 tunnel source

Configuration

int tunnel 0
tunnel source int lo 0
tunnel mode ipv6ip auto-tunnel


6To4

Address format: 2002:ipv4-border-router::/48

IPv4 tunnel source: the IPv4 source interface
IPv4 tunnel destination: derived from the 6to4 destination address
IPv6 tunnel interface address: 2002:ipv4-border-router::/48

Configuration

int tunnel 0
tunnel source int lo 0
tunnel mode ipv6ip 6to4

ipv6 address 2002:ipv4-source-address::1/64
ipv6 route 2002::/16 Tunnel0


ISATAP

Address format: ipv6-global-address:0000:5EFE:ipv4-border-router/128

IPv4 tunnel source: the IPv4 source interface
IPv4 tunnel destination: derived from the IPv4 address embedded in the ISATAP destination address
IPv6 tunnel interface address: generated from the configured IPv6 prefix + the IPv4 source address

Configuration

int tunnel 0
tunnel source int lo 0
tunnel mode ipv6ip isatap

ipv6 address 2001:x:y::/64 eui-64
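The three address formats above and the way the router deduces the IPv4 tunnel destination from them, as an added Python example (not part of the original notes). The sample addresses 192.0.2.1 and 2001:db8:1:2::/64 are constructed documentation values; the function names are my own, and only the 0000:5EFE ISATAP marker from the notes is recognised.

```python
import ipaddress


def ipv4_compatible(v4):
    """::A.B.C.D : the IPv4 address is the low 32 bits of the IPv6 address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def sixtofour_prefix(v4):
    """2002:XXXX:XXXX::/48 where XXXX:XXXX is the border router's IPv4 address."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def isatap_address(prefix, v4):
    """prefix::0000:5EFE:A.B.C.D : the IPv4 address sits in the interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_destination(v6):
    """Recover the IPv4 tunnel destination a router deduces from an address.

    Returns (tunnel type, IPv4 address).  The order of the tests matters: a
    6to4 address never has its top 96 bits zero, and an ISATAP address is
    recognised by the 0000:5EFE marker in bits 32-63.
    """
    n = int(ipaddress.IPv6Address(v6))
    if n >> 32 == 0:
        return "ipv4-compatible", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 112 == 0x2002:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if (n >> 32) & 0xFFFFFFFF == 0x00005EFE:
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    raise ValueError("not an automatic-tunnel address")


if __name__ == "__main__":
    # Constructed sample: border router 192.0.2.1, ISATAP prefix 2001:db8:1:2::/64
    print(ipv4_compatible("192.0.2.1"))                       # ::c000:201
    print(sixtofour_prefix("192.0.2.1"))                      # 2002:c000:201::/48
    print(isatap_address("2001:db8:1:2::/64", "192.0.2.1"))   # 2001:db8:1:2:0:5efe:c000:201
    for addr in ("::192.0.2.1", "2002:c000:201::1",
                 "2001:db8:1:2:0:5efe:c000:201"):
        print(addr, "->", tunnel_destination(addr))
```

The last loop is the operational point of automatic tunnels: no per-peer tunnel destination is configured, the IPv4 endpoint is whatever is embedded in the IPv6 destination, so any IPv6 address of the right shape is accepted as a peer.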

Tuesday 29 September 2009

Protocol Overhead

Ethernet : 38 bytes
Ethernet + 802.1q : 42 bytes

IPv4 : 20 bytes
IPv6 : 40 bytes

TCP : 20 bytes
TCP timestamps: +12 bytes

UDP : 8 bytes

MPLS: 4 bytes

Monday 28 September 2009

Priority Queueing

In priority queueing, packets are assigned to one of the 4 available queues according to protocol type, ACL or incoming interface. The queues are served in a strict priority fashion: when a packet has to be sent, queue 1 is always served first, until it is empty or its limit is reached. This can lead to bandwidth starvation (only queue 1 is served).

Configuration

Assign the Priority-list to an interface
interface fa1/0
priority-group list-num


Assign packet to a queue
priority-list list-num protocol protocol high|medium|normal|low list|tcp|udp list-or-proto-num
OR
priority-list list-num interface int-typ int-num high|medium|normal|low


Configure queue length
priority-list list-num limit high-limit medium-limit normal-limit low-limit


Custom Queuing

It allows sharing bandwidth across up to 16 different queues according to protocol, ACL or incoming interface. The sharing is done by a maximum packet count per queue or an average byte count per queue.

Configuration :

Apply on interface
interface fa0/1
custom-queue-list list-num

Define queue size
custom-queue-list list-num queue queue-num limit packet-limit
OR
custom-queue-list list-num queue queue-num byte-count byte-limit

Assign packet to queues
queue-list list-number protocol protocol-name queue-number list|tcp|udp keyword-value
OR
queue-list list-number interface int-type int-num queue-number
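To make the difference between the two schedulers concrete, here is an added Python simulation (not part of the original notes) that runs the same constructed traffic through a strict-priority scheduler and a byte-count round robin. The custom-queueing model is simplified on purpose: the packet that crosses the byte count is still sent and the overshoot is not carried over to the next round, which is an assumption of this example rather than a statement about IOS.

```python
from collections import deque


def priority_queueing(queues):
    """Strict priority: after every packet, restart from the highest queue.

    queues[0] is the high queue, queues[-1] the low queue; each is a list of
    packet sizes in bytes.  Returns the transmission order as (queue, size).
    """
    pending = [deque(q) for q in queues]
    order = []
    while any(pending):
        for idx, q in enumerate(pending):
            if q:
                order.append((idx, q.popleft()))
                break   # back to queue 0: lower queues starve while it is busy
    return order


def custom_queueing(queues, byte_counts):
    """Round robin: each visit sends packets until byte_count bytes have gone.

    Simplified model (assumption of this example): the packet that crosses the
    byte count is still sent and the overshoot is not carried to the next round.
    """
    pending = [deque(q) for q in queues]
    order = []
    while any(pending):
        for idx, q in enumerate(pending):
            sent = 0
            while q and sent < byte_counts[idx]:
                size = q.popleft()
                sent += size
                order.append((idx, size))
    return order


def first_service(order, queue):
    """Position in the transmission order at which `queue` first gets a packet out."""
    return next((pos for pos, (idx, _) in enumerate(order) if idx == queue), None)


def bytes_per_queue(order, n_queues):
    """Total bytes transmitted per queue."""
    totals = [0] * n_queues
    for idx, size in order:
        totals[idx] += size
    return totals


# Constructed sample: a busy high queue of 1500-byte packets and a low queue
# of 500-byte packets, all present at the same time.
HIGH = [1500, 1500, 1500]
LOW = [500, 500, 500]

if __name__ == "__main__":
    pq = priority_queueing([HIGH, LOW])
    cq = custom_queueing([HIGH, LOW], [1500, 1500])
    print("PQ order:", pq, "low queue first served at", first_service(pq, 1))
    print("CQ order:", cq, "low queue first served at", first_service(cq, 1))
```

With priority queueing the low queue sends nothing until the high queue is drained (position 3); with custom queueing and equal byte counts it gets a turn after the first 1500-byte packet (position 1), which is the bandwidth-sharing behaviour the text describes.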

Monday 21 September 2009

Integrated Routing & Bridging

IRB allows bridging between two router interfaces, creating a virtual interface (BVI) and routing via this BVI between the bridged interfaces and the other router interfaces.

In this lab you want to bridge between 2 VLANs:

interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.16
encapsulation dot1Q 16
bridge-group 1
!
interface Ethernet0/0.36
encapsulation dot1Q 36
bridge-group 1


You now need to enable a spanning tree protocol on the bridge group:

bridge 1 protocol ieee

It is now possible to ping machines between VLAN 36 and VLAN 16 (same broadcast domain).

Now, to route between VLANs 16/36 and the other router interfaces, you need to create a virtual interface with an IP address:

interface BVI1
ip address 136.1.136.6 255.255.255.0

bridge 1 route ip

From VLAN 16/36 you can now ping BVI1 and the networks behind it.

Saturday 19 September 2009

Policy Based Routing

The purpose is to define a specific route, different from the one in the routing table, for a type of traffic.
For example, 2 routers are interconnected by 2 different links for backup purposes, but you want to use the backup link for FTP traffic so as not to overload the primary line.

1 Define the traffic to be matched

access-list 198 permit tcp any any eq ftp
class-map match-all PBR
match access-group 198

2 Define the new route for the matched traffics

route-map PBR permit 10
match ip address 198
set ip next-hop X.X.X.X


3 Apply on the incoming interface

int fa0/0
ip policy route-map PBR



Remark: if you want the PBR rule to apply to traffic originated by the router itself, add the following command:

ip local policy route-map PBR


Verification: you can check the matched traffic with the sh route-map command:

route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): 198
Set clauses:
ip next-hop 132.1.23.3
Policy routing matches: 35 packets, 3990 bytes
route-map PBR, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 20 packets, 1740 bytes

Friday 18 September 2009

PIM NBMA Mode

In the following example, a server is multicasting over an NBMA network. There is only one member of the group, on R1. PIM sparse mode is configured on the Ethernet and serial lines. R2 is the manually configured RP for every group.


R1
ip multicast-routing
ip pim rp-address 150.1.2.2

interface Serial1/0
ip address 132.1.0.1 255.255.255.0
ip pim sparse-mode

interface fa0/0
ip address 132.1.17.7 255.255.255.0
ip pim sparse-mode
ip igmp join-group 228.28.28.28

R2
ip multicast-routing
ip pim rp-address 150.1.2.2

interface Serial1/0
ip address 132.1.0.2 255.255.255.0
ip pim sparse-mode

interface fa0/0
ip address 132.1.6.6 255.255.255.0
ip pim sparse-mode

int lo0
ip address 150.1.2.2 255.255.255.255
ip pim sparse-mode

R3
ip multicast-routing
ip pim rp-address 150.1.2.2

interface Serial1/0
ip address 132.1.0.3 255.255.255.0
ip pim sparse-mode

interface fa0/0
ip address 132.1.18.8 255.255.255.0
ip pim sparse-mode


The result of debug mpacket on R3 and R1, when a ping is done from the R2 Ethernet interface, shows that the packet is received by both R1 and R3:

Rack1R3#*Mar 1 02:26:59.307: IP(0): s=132.1.6.6 (Serial1/0) d=228.28.28.28 id=298, ttl=253, prot=1, len=104(100), mroute olist null

Rack1R1#*Mar 1 02:27:57.951: IP(0): s=132.1.6.6 (Serial1/0) d=228.28.28.28 (FastEthernet0/0) id=298, ttl=253, prot=1, len=100(100), mforward


The R2 mroute shows that the OIL is s1/0, so the multicast packet is replicated on every DLCI attached to s1/0:

(132.1.6.6, 228.28.28.28), 00:03:13/00:01:48, flags: T
Incoming interface: FastEthernet0/0, RPF nbr 132.1.26.6
Outgoing interface list:
Serial1/0, Forward/Sparse, 00:03:13/00:03:22


To avoid this, enable PIM NBMA mode on the R2 s1/0 interface:

interface s1/0
ip pim nbma-mode


Now, the result of debug mpacket on R3 and R1, when a ping is done from the R2 Ethernet interface, shows that the packet is received only on R1, as R3 has no members:

Rack1R3#

Rack1R1#*Mar 1 02:27:57.951: IP(0): s=132.1.6.6 (Serial1/0) d=228.28.28.28 (FastEthernet0/0) id=298, ttl=253, prot=1, len=100(100), mforward


And the R2 mroute now shows the output interface s1/0 together with the IP of the PIM neighbor in the OIL, so the multicast packet is only sent to this neighbor:

(132.1.6.6, 228.28.28.28), 00:00:16/00:03:17, flags: T
Incoming interface: FastEthernet0/0, RPF nbr 132.1.26.6
Outgoing interface list:
Serial1/0, 132.1.0.1, Forward/Sparse, 00:00:15/00:03:14



Remark: when debugging with debug ip mpacket, it is important to disable mroute-cache on every interface, otherwise only the first packet will be seen.

Friday 4 September 2009

Frame-Relay Interface Types

Physical
PVC establishment:
  • LMI automatically applies all DLCIs to the interface, or
  • frame-relay interface-dlci applies the specified DLCI to the interface
Layer 2/Layer 3 mapping:
  • Static mapping needed, or
  • Inverse ARP enabled on the DLCI
Point-To-Point
PVC establishment:
  • frame-relay interface-dlci applies the specified DLCI to the interface
Layer 2/Layer 3 mapping:
  • No mapping needed (everything for the subnet is sent through the point-to-point interface)
  • Inverse ARP is not needed and is disabled by default
Point-To-MultiPoint
PVC establishment:
  • LMI automatically applies all DLCIs to the interface, or
  • frame-relay interface-dlci applies the specified DLCI to the interface
Layer 2/Layer 3 mapping:
  • Static mapping needed, or
  • Inverse ARP enabled on the DLCI

Dot1x

The purpose is to do a minimal dot1x authentication on Ethernet ports.

1: Define the RADIUS server

ip radius source-interface Loopback0
!
radius-server host 25.2.2.1
radius-server key CISCO


2: Globally activate dot1x

dot1x system-auth-control

3: Define the AAA model for dot1x only

Don't forget the login default none; otherwise, it will ask for a password on console and telnet login.

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius


4: Activate dot1x on ports

interface FastEthernet1/4
switchport mode access
dot1x port-control auto


5: Verification

show dot1x
show dot1x interface

PPP CHAP authentication

CHAP authentication is unidirectional. A router always answers a challenge, even if ppp authentication chap is not configured. So for a one-way authentication, R5 authenticating R4:

On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
ip address 132.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap

On R4
interface Serial1/1
ip address 132.1.45.4 255.255.255.0
encapsulation ppp
ppp chap hostname ROUTER4
ppp chap password CISCO


Two-way authentication:

On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
ip address 132.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap host
ppp chap hostname ROUTER5

On R4
username ROUTER5 password 0 CISCO
interface Serial1/1
ip address 132.1.45.4 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER4

Layer 3 Etherchannel

Purpose: EtherChannel on a "no switchport" interface.

The physical interfaces must already be in "no switchport" mode before issuing the "channel-group" command, in order to create a Layer 3 EtherChannel.

The IP address is configured on the port-channel interface.

Etherchannel : Pagp or Lacp

PAgP or LACP are used to automatically negotiate an EtherChannel bundle:

PAgP (Cisco protocol):
auto: passive negotiation, the other side needs to be desirable
desirable: active negotiation, the other side needs to be desirable or auto.

LACP (802.3ad):
passive: passive negotiation, the other side needs to be active
active: active negotiation, the other side needs to be active or passive.

The main difference between the two is that PAgP only works in a Cisco environment, whereas LACP works in a mixed environment.

To manually force the EtherChannel, both sides have to be in "on" mode.

Verification

Rack1SW2#sh etherchannel 1 sum
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Fa1/7(P) Fa1/8(P) Fa1/9(P)

OR

Rack1SW2#sh etherchannel 1 port
Ports in the group:
-------------------
Port: Fa1/7
------------

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 2
Age of the port in the current state: 00d:03h:17m:20s
Port: Fa1/8
------------

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 1
Age of the port in the current state: 00d:03h:17m:20s

Tuesday 1 September 2009

IP Accounting

IP Accounting is an IP service that counts the packets entering or leaving an interface.
Let's see the different ways of doing it:

Account for every packet:
ip accounting

Account for packets with an IP precedence set:
ip accounting precedence input
ip accounting precedence output


Account only for output packets:
ip accounting output-packets

Account only for packets blocked by an access-list applied on the interface:
ip accounting access-violations

Verification
show ip accounting
show interface s1/0 precedence

Traffic Policing : Rate-Limit or MQC Policing

Example: limiting ICMP traffic to 128 kbps with a permitted burst of 1/4 of the rate (4000 bytes, i.e. a quarter of a second at 128 kbps)

Legacy traffic policing using the rate-limit command:

access-list 110 permit icmp any any

interface e0/0
rate-limit output access-group 110 128000 4000 4000 conform-action transmit exceed-action drop


128000 bps: rate limit
4000 bytes: normal burst that can be sent at line rate (bucket size per time slot)
4000 bytes: excess burst that can be sent at line rate

Bc = Be, so there is no excess burst

Verification

show interface rate-limit


Traffic policing using MQC

CEF must be enabled.

class-map match-all CAR
match protocol icmp

policy-map CAR
class CAR
police cir 128000 bc 4000

interface e0/0
service-policy out CAR


128000 : rate limit
4000 : normal rate that could be sent at clock rate
Be : 0

Verification

show policy-map interface


Differences

- Legacy CAR: the configured Bc should include Be (Bc = excess_bits + Be)
- MQC CAR uses a default Bc of 2xBe if not configured
- MQC CAR: the configured Bc does not include Be (Bc = excess_bits)
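The token-bucket arithmetic behind both the rate-limit and the police examples, as an added Python model (not part of the original notes). It uses the page's figures, 128 kbps with a 4000-byte normal burst, on a constructed burst of packets; the class and function names are my own, and the refill-into-excess-bucket behaviour is the textbook single-rate model, not a claim about a particular IOS release.

```python
class TokenBucketPolicer:
    """Single-rate policer with a conform bucket (Bc) and an excess bucket (Be).

    Tokens (bytes) refill at cir/8 bytes per second, capped at Bc; what
    overflows Bc spills into the excess bucket, capped at Be.  With Be = 0
    the policer is two-colour (conform / exceed), as in 'police cir 128000 bc 4000'.
    """

    def __init__(self, cir_bps, bc_bytes, be_bytes=0):
        self.rate = cir_bps / 8.0         # bytes per second
        self.bc = bc_bytes
        self.be = be_bytes
        self.tokens_c = float(bc_bytes)   # buckets start full
        self.tokens_e = float(be_bytes)
        self.last = 0.0

    def police(self, arrival_s, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of `size` bytes."""
        if arrival_s < self.last:
            raise ValueError("packets must arrive in time order")
        refill = (arrival_s - self.last) * self.rate
        self.last = arrival_s
        self.tokens_c += refill
        if self.tokens_c > self.bc:
            # Overflow of the conform bucket feeds the excess bucket, up to Be.
            self.tokens_e = min(self.be, self.tokens_e + self.tokens_c - self.bc)
            self.tokens_c = self.bc
        if size <= self.tokens_c:
            self.tokens_c -= size
            return "conform"
        if self.be and size <= self.tokens_e:
            self.tokens_e -= size
            return "exceed"
        # No excess bucket: anything non-conforming is 'exceed' (two-colour).
        return "exceed" if not self.be else "violate"


def run_policer(cir_bps, bc_bytes, be_bytes, packets):
    """Police a list of (arrival time in s, size in bytes); return the actions."""
    policer = TokenBucketPolicer(cir_bps, bc_bytes, be_bytes)
    return [policer.police(t, size) for t, size in packets]


# Constructed sample: 128 kbps with a 4000-byte normal burst, as in the notes.
# 128000 bps = 16000 bytes/s, so an empty bucket refills completely in 0.25 s.
PACKETS = [(0.00, 1500), (0.00, 1500), (0.00, 1000), (0.00, 100), (0.25, 1500)]

if __name__ == "__main__":
    print(run_policer(128000, 4000, 0, PACKETS))
    # -> ['conform', 'conform', 'conform', 'exceed', 'conform']
```

The fourth packet is dropped even though it is only 100 bytes: the first three consumed exactly the 4000-byte burst, and at 128 kbps nothing is replenished until time passes. A quarter of a second later the bucket is full again and the 1500-byte packet conforms.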

Monday 31 August 2009

Manual IPv6 Tunnels

IPv6 tunnels are used to interconnect 2 or more IPv6 networks through an IPv4 network.

A sample configuration is :

interface Tunnel 0
no ip address
ipv6 address 2001:CC1E:1:4545::5/64
ipv6 rip RIPng enable
tunnel source Loopback0
tunnel destination 150.1.4.4
tunnel mode ipv6ip | gre
end


Tunnel source and destination must be IPv4 addresses.

The different modes are:

GRE: default mode (protocol 47), used to encapsulate multiple layer 3 protocols
IPV6IP: less overhead than GRE (protocol 41), encapsulates only IPv6

Tuesday 25 August 2009

OSPF Fast Hello

Normal OSPF timers are configured by defining the hello-interval and the dead-interval. As the minimum hello interval is 1 second, detecting a dead neighbor within 1 second means detecting it at the first lost hello.

ip ospf hello-interval 1-65535s
ip ospf dead-interval 1-65535s



Fast hello permits a hello-interval below 1 second. The following command means a hello of 333 ms and a dead-interval of 1 second:

ip ospf dead-interval minimal hello-multiplier 3

Split Horizon on Frame-Relay

Split horizon must be taken into account for DV protocols:

By default, split horizon is enabled on all Cisco router interfaces.

The exception is Frame-Relay interfaces, and particularly multipoint Frame-Relay interfaces (e.g. on the hub router). It behaves differently for RIP and EIGRP:

RIP: by default split horizon is disabled on FR interfaces

EIGRP: split horizon must be manually disabled on FR interfaces

int s0/1
no ip split-horizon eigrp 100

Thursday 20 August 2009

OSPF Network Types

A review of the different OSPF network types and their behaviour:

NBMA: default for Frame-Relay physical and point-to-multipoint subinterfaces
Broadcast: default for Ethernet
Point-to-Point: default for point-to-point subinterfaces


Remark: when using point-to-multipoint, the next hop is the adjacent router and not the originating router as in NBMA or broadcast networks.

Tips:
Point-to-x: no DR/BDR
Non-broadcast: manual neighbor

Friday 14 August 2009

Frame-Relay Legacy Traffic Shaping

Some reminders:

Guaranteed rate = minimum rate guaranteed by the Telco. Configured with minCIR (bps); by default it is 1/2 CIR.
CIR = rate provided by the Telco when there is no congestion. Configured with CIR (bps); by default it is 2x minCIR.
Access rate = maximum rate of the link. The part above CIR is configured with Be (bits): Be = (Access Rate - CIR) * Tc. By default Tc is 125 ms, or 1/8 of a second.

Example:
32 kbps guaranteed
64 kbps of CIR
192 kbps of access rate

map-class frame-relay cisco
frame-relay cir 64000
frame-relay mincir 32000
frame-relay adaptive-shaping becn
frame-relay bc 8000
frame-relay be 16000
interface Serial0/0
frame-relay traffic-shaping
frame-relay class cisco

Verification commands:

show traffic-shaping
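The shaping arithmetic above, carried through on the page's figures as an added Python example (not part of the original notes). It applies the standard FRTS relations Bc = CIR * Tc and Be = (Access Rate - CIR) * Tc with the default Tc of 125 ms, which reproduces the configured bc 8000 and be 16000, and checks an existing map-class the way a reviewer would; the function names are my own.

```python
def frts_parameters(access_rate_bps, cir_bps, tc_s=0.125, mincir_bps=None):
    """Derive the Frame Relay traffic-shaping values from the Telco figures.

    Standard FRTS arithmetic: Bc = CIR * Tc and Be = (AR - CIR) * Tc, with a
    default interval Tc of 125 ms (1/8 s); minCIR defaults to CIR/2 as the
    notes state.  Bc and Be are in bits, the rates in bits per second.
    """
    if not 0 < cir_bps <= access_rate_bps:
        raise ValueError("CIR must be positive and not exceed the access rate")
    if mincir_bps is None:
        mincir_bps = cir_bps // 2
    bc = int(cir_bps * tc_s)
    be = int((access_rate_bps - cir_bps) * tc_s)
    return {
        "cir": cir_bps,
        "mincir": mincir_bps,
        "bc": bc,
        "be": be,
        "tc_ms": int(round(tc_s * 1000)),
        # Bc + Be is the most that may leave in one interval: AR * Tc
        "max_bits_per_tc": bc + be,
    }


def check_map_class(cir_bps, bc_bits, be_bits, access_rate_bps):
    """Check a configured map-class against the physical access rate.

    The router derives Tc from Bc / CIR; sending Bc + Be in that interval must
    not require more than the access rate, otherwise the Be setting is fiction.
    """
    tc_s = bc_bits / cir_bps
    peak_bps = (bc_bits + be_bits) / tc_s
    return {
        "tc_ms": int(round(tc_s * 1000)),
        "peak_bps": int(round(peak_bps)),
        "fits_access_rate": peak_bps <= access_rate_bps,
    }


if __name__ == "__main__":
    # Figures from the notes: 192 kbps access rate, 64 kbps CIR, 32 kbps guaranteed
    print(frts_parameters(192000, 64000))
    # -> {'cir': 64000, 'mincir': 32000, 'bc': 8000, 'be': 16000, 'tc_ms': 125, 'max_bits_per_tc': 24000}
    print(check_map_class(64000, 8000, 16000, 192000))
    # -> {'tc_ms': 125, 'peak_bps': 192000, 'fits_access_rate': True}
```

Running check_map_class against a map-class whose be is larger than (AR - CIR) * Tc reports fits_access_rate False: the shaper would then allow bursts the physical line cannot carry, which is the kind of misconfiguration show traffic-shaping will not flag for you.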

Frame-Relay DE setting

The purpose of the exercise is to set the DE bit of a Frame-Relay frame depending on its length. There are 2 solutions, depending on the constraints:

1) If it is for all DLCIs of a given interface, you can use a service-policy:

class-map match-all DE1024
match packet length min 1024
!
policy-map DE1024
class DE1024
set fr-de
!
interface Serial0/0
service-policy output DE1024


2) If it is for a specific DLCI, you can use the de-list command:

frame-relay de-list 1 protocol ip gt 1024
!
interface Serial0/0
frame-relay de-group 1 501


To check, connect to the router on the other side:

R2#sh frame-relay pvc 105

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

DLCI = 105, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial0/0.2

input pkts 25 output pkts 25 in bytes 13600
out bytes 13600 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 7 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:49:33, last time pvc status changed 00:35:02

Non-Cisco SFP

Maybe you have tried in vain to put a non-Cisco (Finisar, ...) SFP into a Catalyst.
Two magical commands to accept it:

service unsupported-transceiver
no errdisable detect cause gbic-invalid


That's all.

Thursday 2 July 2009

v4 Lab Blueprint

1.00 Implement Layer 2 Technologies
1.10 Implement Spanning Tree Protocol (STP)
    (a) 802.1d
    (b) 802.1w
    (c) 802.1s
    (d) Loop guard
    (e) Root guard
    (f) Bridge protocol data unit (BPDU) guard
    (g) Storm control
    (h) Unicast flooding
    (i) Port roles, failure propagation, and loop guard operation
1.20 Implement VLAN and VLAN Trunking Protocol (VTP)
1.30 Implement trunk and trunk protocols, EtherChannel, and load-balance
1.40 Implement Ethernet technologies
    (a) Speed and duplex
    (b) Ethernet, Fast Ethernet, and Gigabit Ethernet
    (c) PPP over Ethernet (PPPoE)
1.50 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control
1.60 Implement Frame Relay
    (a) Local Management Interface (LMI)
    (b) Traffic shaping
    (c) Full mesh
    (d) Hub and spoke
    (e) Discard eligible (DE)
1.70 Implement High-Level Data Link Control (HDLC) and PPP
2.00 Implement IPv4
2.10 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)
2.20 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)
2.30 Implement IPv4 RIP version 2 (RIPv2)
2.40 Implement IPv4 Open Shortest Path First (OSPF)
    (a) Standard OSPF areas
    (b) Stub area
    (c) Totally stubby area
    (d) Not-so-stubby-area (NSSA)
    (e) Totally NSSA
    (f) Link-state advertisement (LSA) types
    (g) Adjacency on a point-to-point and on a multi-access network
    (h) OSPF graceful restart
2.50 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)
    (a) Best path
    (b) Loop-free paths
    (c) EIGRP operations when alternate loop-free paths are available, and when they are not available
    (d) EIGRP queries
    (e) Manual summarization and autosummarization
    (f) EIGRP stubs
2.60 Implement IPv4 Border Gateway Protocol (BGP)
    (a) Next hop
    (b) Peering
    (c) Internal Border Gateway Protocol (IBGP) and External Border Gateway Protocol (EBGP)
2.70 Implement policy routing
2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)
2.90 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features
3.00 Implement IPv6
3.10 Implement IP version 6 (IPv6) addressing and different addressing types
3.20 Implement IPv6 neighbor discovery
3.30 Implement basic IPv6 functionality protocols
3.40 Implement tunneling techniques
3.50 Implement OSPF version 3 (OSPFv3)
3.60 Implement EIGRP version 6 (EIGRPv6)
3.70 Implement filtering and route redistribution
4.00 Implement MPLS Layer 3 VPNs
4.10 Implement Multiprotocol Label Switching (MPLS)
4.20 Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers
4.30 Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)
5.00 Implement IP Multicast
5.10 Implement Protocol Independent Multicast (PIM) sparse mode
5.20 Implement Multicast Source Discovery Protocol (MSDP)
5.30 Implement interdomain multicast routing
5.40 Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)
5.50 Implement multicast tools, features, and source-specific multicast
5.60 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)
6.00 Implement Network Security
6.01 Implement access lists
6.02 Implement Zone Based Firewall
6.03 Implement Unicast Reverse Path Forwarding (uRPF)
6.04 Implement IP Source Guard
6.05 Implement authentication, authorization, and accounting (AAA) (configuring the AAA server is not required, only the client-side (IOS) is configured)
6.06 Implement Control Plane Policing (CoPP)
6.07 Implement Cisco IOS Firewall
6.08 Implement Cisco IOS Intrusion Prevention System (IPS)
6.09 Implement Secure Shell (SSH)
6.10 Implement 802.1x
6.11 Implement NAT
6.12 Implement routing protocol authentication
6.13 Implement device access control
6.14 Implement security features
7.00 Implement Network Services
7.10 Implement Hot Standby Router Protocol (HSRP)
7.20 Implement Gateway Load Balancing Protocol (GLBP)
7.30 Implement Virtual Router Redundancy Protocol (VRRP)
7.40 Implement Network Time Protocol (NTP)
7.50 Implement DHCP
7.60 Implement Web Cache Communication Protocol (WCCP)
8.00 Implement Quality of Service (QoS)
8.10 Implement Modular QoS CLI (MQC)
    (a) Network-Based Application Recognition (NBAR)
    (b) Class-based weighted fair queuing (CBWFQ), modified deficit round robin (MDRR), and low latency queuing (LLQ)
    (c) Classification
    (d) Policing
    (e) Shaping
    (f) Marking
    (g) Weighted random early detection (WRED) and random early detection (RED)
    (h) Compression
8.20 Implement Layer 2 QoS: weighted round robin (WRR), shaped round robin (SRR), and policies
8.30 Implement link fragmentation and interleaving (LFI) for Frame Relay
8.40 Implement generic traffic shaping
8.50 Implement Resource Reservation Protocol (RSVP)
8.60 Implement Cisco AutoQoS
9.00 Troubleshoot a Network
9.10 Troubleshoot complex Layer 2 network issues
9.20 Troubleshoot complex Layer 3 network issues
9.30 Troubleshoot a network in response to application problems
9.40 Troubleshoot network services
9.50 Troubleshoot network security
10.00 Optimize the Network
10.01 Implement syslog and local logging
10.02 Implement IP Service Level Agreement (SLA)
10.03 Implement NetFlow
10.04 Implement SPAN, RSPAN, and router IP traffic export (RITE)
10.05 Implement Simple Network Management Protocol (SNMP)
10.06 Implement Cisco IOS Embedded Event Manager (EEM)
10.07 Implement Remote Monitoring (RMON)
10.08 Implement FTP
10.09 Implement TFTP
10.10 Implement TFTP server on router
10.11 Implement Secure Copy Protocol (SCP)
10.12 Implement HTTP and HTTPS
10.13 Implement Telnet

Tuesday 19 May 2009

Cisco NAC

Currently working on a Cisco NAC project for a customer.

Technical Architecture
- 802.1x on all LAN switches
- 802.1x for Wi-Fi SSIDs on a WLSE architecture
- Authentication and posture validation for SSL VPN users on a Cisco ASA cluster
- A cluster of Cisco ACS 5.0 connected to an Active Directory
- Inter-VLAN filtering is done by a cluster of Fortigate boxes

Saturday 4 April 2009

CCIE R&S v3 written passed.

Just before the holidays, written passed. Now 18 months to pass the lab!