Saturday 29 May 2010

IPExpert V2 Lab8

Task 3.2 RIP Triggered update

It can only be used on point-to-point interfaces and must be configured on both sides.

Task 3.2 Redistribution

It seems that with EIGRP the command distance <distance> <neighbor> only affects internal routes,
whereas in OSPF it affects all routes.


Task 3.2 MPLS Tag of default-route

The command mpls ip default-route allows a label to be bound to a default route if the neighbor has advertised one in its routing table and advertised a label for it.



Task 6.2 Bidir

The task was to use exclusively a shared tree.
My solution was to set an spt-threshold of infinity, but in that case the path from the source to the RP is still a source tree.
An exclusively shared tree is the feature of bidir PIM.

Just add:
On all routers
ip pim bidir-enable
On R8
ip pim rp-candidate lo1 bidir


Task 7.4 NTP

When filtering who the NTP server can serve, don't forget 127.127.7.1, which is used by the master to sync with itself.

Task 9.2 Finding TCP/UDP port

A good command to know is: sh ip nbar port-map


Task 9.3 FRTS

Access rate (or burst rate) is Be+Bc every Tc.
Ex: CIR = 64k and access rate = 96k with Tc = 20 ms
Bc = 1280, Be = 640
I got it wrong by calculating Be independently of Bc (setting Be to 1920, which gives an access rate of 160 kbps).
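The Bc/Be arithmetic of this task, as an added Python example (not from the workbook or the post); it also reproduces the wrong calculation described above. Function names are my own.

```python
def frts_params(cir_bps, access_rate_bps, tc_s):
    """Return (Bc, Be) in bits for one Frame Relay shaping interval Tc.

    Bc is the committed burst: what CIR allows to be sent per Tc.
    Be is the excess burst: the extra bits up to the access rate per Tc,
    so it is derived from the gap between access rate and CIR,
    not from the access rate alone.
    """
    if access_rate_bps < cir_bps or tc_s <= 0:
        raise ValueError("access rate must be >= CIR and Tc must be positive")
    bc = round(cir_bps * tc_s)
    be = round((access_rate_bps - cir_bps) * tc_s)
    return bc, be


def effective_rate_bps(bc, be, tc_s):
    """Rate the shaper actually allows when bursting: (Bc + Be) per Tc."""
    return round((bc + be) / tc_s)


# Numbers from the task: CIR 64 kbps, access rate 96 kbps, Tc 20 ms.
CIR, ACCESS, TC = 64_000, 96_000, 0.020
BC, BE = frts_params(CIR, ACCESS, TC)              # (1280, 640)

# The mistake described above: computing Be straight from the access rate.
BE_WRONG = round(ACCESS * TC)                      # 1920
WRONG_RATE = effective_rate_bps(BC, BE_WRONG, TC)  # 160000, not 96000
```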



Monday 24 May 2010

IPExpert V2 Lab7

Task 2.2 Frame-relay Wan

Don't know why, but instead of using a multipoint FR interface to create the hub & spoke, I used 2 point-to-point subinterfaces bridged on the hub. The way the task was formulated misled me.

Task 3.1 RIP

Read too quickly: use RIP v2 instead of v1.

Task 5.5 Redistribution

The solution guide redistributed all connected routes. In my solution, redistributing between protocols is enough. On R8 I activated OSPF in passive mode where there is no peer.

Task 9.2 Xml Logging

Forgot to enable it only for errors:

logging monitor errors xml

Task 9.3 Optimize TCP connections to send multiple characters in one frame

service nagle
(Basic System Management on the DocCD)

Thursday 20 May 2010

IPExpert V2 Lab10

2.1 Spanning-tree etherchannel guard

Spanning-tree etherchannel guard is activated automatically and errdisables ports when an etherchannel misconfiguration is detected. To only display a message without errdisabling:

no spanning-tree etherchannel guard misconfig


2.4 Telnet to switch

Forgot the default gateway!

2.6 Frame-relay multilink

Quite simple:

int mfr XX

int s0/0
encap frame-relay mfr XX


Some timers can be set with the frame-relay multilink command under the physical interface:
Hello: 10s
Ack: 4s
Retry: 2


5.0 EIGRP


The purpose was to make a route much better via one router by setting a high delay on the interface and on redistribution on one of the routers.

The reported distance was so high that it was impossible to load-balance with variance.

Solution 1: change the delay on the other router (with delay X on the interface and during redistribution)
Solution 2: don't take the delay parameter into account (metric weights 0 1 0 0 0 0)

13.1 QOS

I configured a priority queue, but the wording 'configure a strict queue unless there is more than 1Mbps' describes an LLQ rather than a priority queue.

13.2 General traffic shaping

Must be configured directly on the physical interface with:
traffic-shape rate ...
traffic-shape fecn-adapt

GTS applies to all VCs on the physical interface, whereas FRTS
I used FRTS (map-class applied with the frame-relay class command)

IPExpert V2 Lab6

3.2 Ospf Stub & virtual-link

-The WB says only a default route should exist on R1, received from R2. Stub no-summary is not enough as Lo1 of R2 is in the same area. We could filter with a distribute-list in OSPF.

-The WB says the virtual-link should be secured. This means 2 points of attachment in area 0 and authentication.

3.4 GRE recursive routing


A GRE tunnel runs between the two EIGRP AS 100 domains. The problem is that once the tunnel is up, the tunnel destination is learned through the tunnel itself. Need to change the distance of the internal route so that it is preferred over the tunnel route.

7.3 IPv6 connectivity

Without redistribution, the EIGRP/OSPF domains should be reachable.
EIGRP side: summary route
OSPF side: area range (putting Lo1 of R7 in area 1 is necessary)

Saturday 15 May 2010

IPExpert V2 Lab5

Done on paper

1.1 VTP domain with a special character

Use Ctrl-V

1.2 Backup interface

2 links between 2 switches; the workbook said that one link should be used until it fails. My solution was letting spanning-tree do the job. The solution uses a backup interface:

int fa0/13
switchport backup int fa0/14

2.1 Force DE for packets < 512

My solution
class-map DE
match packet length min 512
policy-map DE
class DE
set fr-de
int s2/0
service-policy out DE

Proctor solution
frame-relay de-list 1 protocol ip gt 512
int s2/0
frame-relay de-group 1 502

3.3 EIGRP on a Frame-Relay multipoint interface

Don't forget to disable split horizon on the multipoint interface.

3.5 EIGRP <-> OSPF mutual redistribution

External EIGRP routes (AD 170), when redistributed into OSPF, are preferred through OSPF (AD 110). To change this, in the OSPF process of the redistributing routers, modify the AD of the routes learned from the other router doing redistribution to > 170, and filter out routes learned from OSPF.

Ex
distance 172 172.16.6.6 0.0.0.0 10
access-list 10 deny <ospf routes>

-> All routes learnt from 172.16.6.6 except OSPF routes will have an AD of 171, making the EIGRP routes better.

4.2 BGP aggregate without summary-only

Use a suppress-map
OR
Use community no-advertise

Friday 14 May 2010

IPExpert V2 Lab4

2.1 Modify Frame-Relay full status update without modifying keepalive

By default, keepalive every 10s and a full status every 6 keepalives.

frame-relay lmi-n391dte 18 allows a full update every 18 keepalives (180s)

4.0 BGP AS number manipulation

neighbor x.x.x.x local-as YY no-prepend replace-as
Allows replacing the real AS number with YY.
Using a private AS for YY together with the command
neighbor x.x.x.x remove-private-as at the neighbor allows removing or replacing the AS information.

5.3 Activate BGP multicast

On this task, the proctor activates BGP multicast, even if all the networks are redistributed into the IGP???


7.3 redistributing EIGRPv6 to OSPFv3

In IPv4 the process to check whether a route is redistributed is (ex. OSPF to EIGRP):
-Does the route appear in sh ip route ospf?
-Is OSPF activated on the connected interface?

In IPv6 only the first check is done:

For EIGRPv6: the keyword include-connected allows redistributing the attached networks where EIGRPv6 is activated
For OSPFv3: need to manually redistribute connected

8.4 IP Precedence mask

To match multiple precedences with CAR, you can use an IP precedence mask. Each precedence is a bit, beginning at bit 0.
Ex: to match IP precedence 1 and 7, in binary: 10000010 -> in hex 82
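The precedence-to-mask mapping, as an added Python example (not from the post): it builds the mask, decodes it back, and checks whether a packet's TOS byte would hit a rule using that mask. Function names are my own.

```python
def precedence_mask(precedences):
    """Build the CAR precedence mask: bit n set means precedence n matches."""
    mask = 0
    for p in precedences:
        if not 0 <= p <= 7:
            raise ValueError(f"IP precedence must be 0..7, got {p}")
        mask |= 1 << p
    return mask


def mask_to_precedences(mask):
    """Inverse: list the precedence values a mask selects, lowest first."""
    return [p for p in range(8) if mask & (1 << p)]


def precedence_of(tos_byte):
    """IP precedence is the top 3 bits of the IPv4 TOS byte."""
    return (tos_byte & 0xFF) >> 5


def car_matches(tos_byte, mask):
    """Does a packet with this TOS byte hit a rate-limit rule using the mask?"""
    return bool(mask & (1 << precedence_of(tos_byte)))


MASK_1_AND_7 = precedence_mask([1, 7])    # 0b10000010 == 0x82
```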

9.2 Lock User

2 methods:
Quiet time (lock all users for a period):
login block-for 60 attempts 3 within 60

Or via AAA
aaa local authentication attempts max-fail 3
aaa authentication login vty local
line vty 0 15
login authentication vty


Sunday 9 May 2010

IPExpert V2 Lab3

2.1 Set MTU

Two ways to set the MTU: the interface MTU (on the physical interface) and the protocol MTU (ex. ip mtu)

3.2 Ospf authentication

ip ospf authentication-key ipexpert -> used for cleartext password
ip ospf message-digest-key 1 md5 ipexpert -> used for MD5 password

Verify with show ip ospf int

3.5 RIP

3 routers on a broadcast medium; find a way to learn only from one.
My solution:

Passive interface on the BB2 router.
Summary and split horizon disabled on the middle router and neighbor command between BB2 & Cat4

Proctor solution
Disable split horizon on Cat4.
Put a default distance of 255 on the R8 RIP process except for Cat4

-> With the proctor solution routes are learnt from Cat4 (metric = 2) but the next hop is still BB2


4.1 BGP

Forgot the peering between Cat2 & Cat3 in the same AS; not explicitly said but mandatory inside an AS!!

6.2 Logging

The only purpose of the list of messages sent to syslog was to define the trap error level.

7.1 IPv6

On Catalyst, when IPv6 is used you should configure an SDM template to support it:

sdm prefer dual-ipv4-and-ipv6 default
sdm prefer dual default

As for IPv4, it may be necessary to configure ipv6 ospf mtu-ignore if the OSPF adjacency is stuck in EXSTART (it disables auto-detection of the peer's MTU).

8.4 DSCP Rewrite

My solution: MQC based
Proctor solution: a dscp-mutation map that rewrites all DSCP values to AF32, applied to the interface with

mls qos dscp-mutation ResetAF32

9.3 Zone Based firewall

No time to finish.

Friday 7 May 2010

Route Filtering with distribute-list

3 ways to filter routes for redistribution:

- Standard ACL
access-list 1 permit 10.0.0.0 0.0.15.255

Matches 10.0.0.0/20 but also 10.0.0.0/21, /22, etc.: any longer mask, because only the network address is compared.

To also match the mask, use an extended ACL.

- Extended ACL
access-list 101 permit ip 10.0.0.0 0.0.0.0 255.255.240.0 0.0.0.0

Matches only 10.0.0.0/20 (the source part checks the network, the destination part checks the mask).

- Prefix-list
ip prefix-list TEST permit 10.0.0.0/20

Matches only 10.0.0.0/20, but also allows limiting a range of valid masks:
ip prefix-list TEST permit 10.0.0.0/20 le 24
Matches 10.0.0.0/24 and also 10.0.4.0/22 (any prefix inside 10.0.0.0/20 with a length from 20 to 24).

ip prefix-list TEST permit 10.0.0.0/20 ge 24
Matches 10.0.0.0/24 but also 10.0.0.0/25 ... (length from 24 to 32).
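The three matching semantics above, implemented as an added Python example (not from the post) so the /20 versus /21 cases can be checked; it generalises the ge/le rule to any entry and length range. Function names are my own.

```python
import ipaddress


def _wc_equal(value, ref, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are don't-care."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (value & care) == (int(ipaddress.ip_address(ref)) & care)


def std_acl_matches(route, net, wildcard):
    """Standard ACL in a distribute-list: only the network address is tested,
    so any prefix length whose network falls in the wildcard range matches."""
    rn = ipaddress.ip_network(route, strict=False)
    return _wc_equal(int(rn.network_address), net, wildcard)


def ext_acl_matches(route, net, net_wc, mask, mask_wc):
    """Extended ACL in a distribute-list: the 'source' part tests the network
    address and the 'destination' part tests the subnet mask."""
    rn = ipaddress.ip_network(route, strict=False)
    return (_wc_equal(int(rn.network_address), net, net_wc)
            and _wc_equal(int(rn.netmask), mask, mask_wc))


def prefix_list_matches(route, entry, ge=None, le=None):
    """Prefix-list entry: exact match unless ge/le widen the allowed lengths.
    With only le, lengths run from the entry length to le; with only ge,
    from ge to 32; the route must always sit inside the entry prefix."""
    rn = ipaddress.ip_network(route, strict=False)
    en = ipaddress.ip_network(entry, strict=False)
    if ge is None and le is None:
        return rn == en
    low = en.prefixlen if ge is None else ge
    high = 32 if le is None else le
    return rn.subnet_of(en) and low <= rn.prefixlen <= high
```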

Thursday 6 May 2010

IPExpert V2 Lab2

6.0 redistribution

In the case of mutual redistribution between 3 processes (R5 & R6), keep in mind to tag the redistributed routes in the transit area (OSPF) with the originating tag.

Redistribution cycle: RIP -> OSPF -> EIGRP -> RIP

Ex: redistribute RIP into OSPF with tag 25; redistribute OSPF with tag 58, and OSPF routes coming from RIP with tag 25, into EIGRP. When redistributing back into the originating RIP, filter tag 25, redistribute 58 with tag 58 and EIGRP with tag 20.


7.6 BGP MED

In order to make the R5 route preferred, MED must be compared; as R5 sets a MED and R6 does not, R6 is preferred.

bgp bestpath med missing-as-worst
sets the MED to the largest value when it is not set.
Easier to do.

8.2 NTP Authentication


Authentication allows authenticating the clock source, not the recipient, and it is done at the request of the recipient.

Case 1: Server Y, Client N: sync but not authenticated
Case 2: Server N, Client Y: no sync
Case 3: Server Y, Client Y:

Server Side
ntp authentication-key 1 md5 060F1F24545E0C0B11 7
ntp authenticate
ntp master

Client side
ntp authentication-key 1 md5 060F1F24545E0C0B11 7
ntp authenticate
ntp server 10.10.10.4 key 1
ntp trusted-key 1


10.2 Qos

In order to drop traffic matched by NBAR, use a policy-map with the drop action:

policy-map DROP
class P2P
drop

Monday 3 May 2010

IPExpert V2 Lab1

Review :

1.0 Etherchannel load balancing
Load balance according to where frames are headed: this means where the frame goes, so it's the destination-MAC load-balancing type.

1.4 PPPoE
PPPoE is under Aggregation & DSL on the Doc CD.
Virtual-template and bba-group on the server side
Dialer with ppp encapsulation on the client side

2.1 Frame-Relay
Don't forget a local frame-relay map on the physical or multipoint interface to ping ourselves.
The broadcast keyword is not necessary for the spoke on the frame-relay map.

3.1 RIP
When there are more passive than active interfaces it's easier to do:
passive-interface default
no passive-interface f0/0

To add a delay between RIP updates:

router rip
output-delay 25

7.3 Snmp Trap configuration
Even after the snmp-server host x.x.x.x configuration, don't forget to enable traps:
snmp-server enable traps

10.1 DHCP Server Secure ARP
To have the ARP table secured by the DHCP entries (DHCP pool subcommand):

update arp


11.3 RSVP

Activate RSVP on the interface:
ip rsvp bandwidth

ip rsvp sender-host and ip rsvp reservation-host are used to simulate a PATH message between 2 routers and verify that the reservation is done along the path.


12.3 EEM
event manager applet denytcl
event cli pattern "tclsh" sync yes
action 1.0 syslog msg "Attempted tclsh command by user at $_event_pub_time"
action 2.0 set _exit_status 0

Saturday 1 May 2010

PPPoE

PPPoE with static IP

Server Configuration

bba-group pppoe PPPOE
virtual-template 1

int f0/0
pppoe enable group PPPOE

int virtual-template 1
ip add 150.50.17.1 255.255.255.0

Client Configuration

int dialer 1
mtu 1492
ip add 150.50.17.2 255.255.255.0
encap ppp
dialer pool 1

int f0/0
pppoe enable
pppoe-client dial-pool-number 1