
Monday, 20 September 2010

IPEXPERT Vol3 Lab 10

Troubleshooting

Ticket 4 VRF leaking

The purpose was to interconnect 2 OSPF area 0 domains through another router that shouldn't be aware of those routes, without GRE.
The solution is VRF. I used one VRF on the middle routers, and put the interface interconnecting the domains and an OSPF process in the VRF. The routes then appear as intra-area whereas they were asked to be inter-area. The solution for that:

- 1 VRF per domain
- 1 OSPF process per domain, redistributing BGP
- VRF leaking between both VRFs with import/export route-target
- Redistribution of BGP<->OSPF in each VRF.


Configuration
Task 2.5

Use of the local-as community: used in a confederation, it permits advertising only inside the local AS, and not to eBGP peers nor to eBGP peers inside the confederation.

Task 5.1

AAA authentication.
Usually, the methods in an authentication list are tried in order: if the first fails, the second is used. "Fails" means no answer, not an authentication failure due to a missing user or a wrong password.
It seems that there is an exception with local. If local is put first, it is tried first; if the password is wrong, the process stops. But if the user doesn't exist in the local database, it goes on to the next method:

username ccie password ipexpert
aaa authentication login default local group radius

This will authenticate ccie locally, and use RADIUS for other users.
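The fall-through rule described above, modelled in Python as an added example (not IOS code and not from the workbook). The function names and the RADIUS user table are hypothetical; the "unknown local user falls through" behaviour is the one observed in this note.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected, processing stops
    ERROR = "error"  # method could not answer: next method in the list is tried


LOCAL_USERS = {"ccie": "ipexpert"}  # the "username" line from the note
# Constructed sample data: "ccie" also exists on RADIUS with another password.
RADIUS_USERS = {"alice": "s3cret", "ccie": "radius-only"}


def local(user, password):
    """Local database: an unknown user counts as 'no answer' (per the note)."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def radius(reachable=True):
    """Build a RADIUS method; an unreachable server gives no answer."""
    def method(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL
    return method


def authenticate(method_list, user, password):
    """Walk the method list; only ERROR moves on to the next method."""
    trail = []
    for name, method in method_list:
        result = method(user, password)
        trail.append((name, result.value))
        if result is not Result.ERROR:
            return result is Result.PASS, trail
    return False, trail  # every method failed to answer: access denied


# aaa authentication login default local group radius
DEFAULT_LIST = [("local", local), ("group radius", radius())]
RADIUS_DOWN = [("local", local), ("group radius", radius(reachable=False))]

if __name__ == "__main__":
    attempts = [("ccie", "ipexpert"), ("ccie", "radius-only"), ("alice", "s3cret")]
    for user, password in attempts:
        print(user, authenticate(DEFAULT_LIST, user, password))
    print("alice, RADIUS down", authenticate(RADIUS_DOWN, "alice", "s3cret"))
```

Note the second attempt: a local account shadows a RADIUS account of the same name, because a wrong local password is an answer and RADIUS is never consulted.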

Monday, 13 September 2010

IPExpert V3 Lab9

1.1 VTP pruning in transparent mode

The sh vtp status output shows transparent mode with VTP pruning enabled.
Pruning needs to be configured in server mode before switching to transparent. Be careful if extended VLANs are configured!

1.2 Load Balancing method over etherchannel

By default, source MAC.
The question was about making sure one host will not saturate one link. Load balancing on source and destination IP was the key (or on the MAC).

1.4 Layer 2 protection Task

The task asked to make part of the topology unknown to the CE routers. It should be implemented in 2 manners:
- 2 devices should interconnect on 1 VLAN that should not be propagated on the network -> QinQ
A new VLAN is attributed to encapsulate the forbidden network on trunk links.
- R4 should be connected to Cat4 on vlan X; there is a switch between R4 & Cat4, and the switch should not know vlan X. Easy with just access ports:

R4 vlanX ------- vlan Y Cat vlanY ------ vlanX Cat4

1.7 Load-Sharing

By default, equal-cost IP load balancing is done by CEF on a per-destination basis.
It can be configured per-packet:

int C
ip load-sharing per-packet

2.7 BGP redistribution as-path

When redistributing local, if you want them appear from an as

st origin egrp as-path

3.3 L2VPN AToM

The purpose was L2VPN over MPLS.
- Use xconnect with encapsulation mpls. The destination is the remote PE device and the circuit is identified by an identical ID on both sides.
- Needs LDP
- Could be done under subinterfaces.

4.0 Multicast VPN

Steps for multicast vpn :
- Configure the provider network with PIM
- If PIM-SSM is used, the MDT address-family should be activated between PEs to share the PE sources of the MDT tunnels.
- Configure multicast for each VRF: activate it, and choose a unique MDT group address for each multicast domain
- Activate PIM on the client-side interface of the PE
- Configure the multicast domain on the client side as usual.

The provider network is seen as a lan.

5.0 Parser view

- enable secret
- aaa new-model
- Go into enable view root
- Configure authentication login and authorization exec
- Configure the view
parser view XXX
commands exec include ping

6.3 VRF Aware NAT

Performing NAT between a VRF and the global outside table is pretty much the same as normal NAT, except:
- ip nat inside source ... should use the vrf keyword, specifying which VRF is inside
- A route leak should be configured from the VRF to the global routing table

ip route vrf VPNA 0.0.0.0 0.0.0.0 10.0.0.1 global

This indicates inside the VRF that, to go out, the next hop 10.0.0.1 in the global RIB is used.

Wednesday, 8 September 2010

IPExpert V2 Lab20

1.2 IRB

IP is the same on both vlan -> consider IRB.
Don't forget to activate both commands to bring the BVI up:

bridge 1 protocol ieee
bridge 1 route ip

3.4 Default-Route in NSSA

NSSA -> default route is Type7 with area 40 nssa default-originate
Totally NSSA -> default-metric is Type 3

In the first case the metric can be defined by adding a metric keyword after default-originate.
In the second, the metric used is the default-cost defined for stub/NSSA areas, default: 1.
It can be changed with

area 40 default-cost X


6.2 Redistribution

The task was to redistribute all loopbacks into the relevant protocols. As redistribution is not transitive, we have to redistribute the loopbacks into all the protocols used on a given router.

Don't forget: when a route-map is used on redistribute connected to redistribute only the loopbacks, it will prevent any connected interface activated for protocol A from being redistributed into protocol B. The route-map should be modified to also accept this interface.

7.3 BGP AS filtering

AS50 permits only directly connected clients of 102 to transit:
I understood that AS102 could use AS50 as transit, and other routes learned from 102 could be learned but not use AS50 as transit. Match all routes other than those coming from 102 and tag them as no-export.

The proctor's solution was to accept 102 or 102 + 1 AS and filter all others. Regexp to match 102 + ASes directly connected to 102:

^102(_[0-9]+)?$
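A way to check what this regexp lets through, as an added Python example (not part of the lab or the proctor's solution). The function names are hypothetical and the AS paths are constructed samples; "_" is translated to the delimiters it stands for in an IOS AS-path regexp.

```python
import re

# What "_" stands for in an IOS AS-path regular expression: a delimiter
# (space, comma, brace, parenthesis) or the start/end of the path.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def compile_aspath(pattern):
    """Translate an IOS AS-path regexp into a Python regex object."""
    return re.compile(pattern.replace("_", UNDERSCORE))


def evaluate(acl, as_path):
    """Ordered list of (action, pattern): first match wins, else implicit deny."""
    for action, pattern in acl:
        if compile_aspath(pattern).search(as_path):
            return action
    return "deny"


# The filter from the note, as a one-entry as-path access-list.
PROCTOR_ACL = [("permit", "^102(_[0-9]+)?$")]

# Constructed sample AS paths, as seen on AS50 for routes received from AS102.
SAMPLE_PATHS = [
    "102",          # originated by 102
    "102 300",      # direct client of 102
    "102 300 400",  # client of a client: two hops behind 102
    "1020",         # different AS that merely starts with the digits 102
    "200 102",      # 102 is not the neighbor AS
    "",             # locally originated route (empty path)
    "102 102",      # 102 prepending its own AS once
    "102 102 300",  # direct client of 102, but 102 prepends
    "102 300 300",  # direct client of 102 that prepends its own AS
]


def report(acl, paths):
    """Return {as_path: action} for every sample path."""
    return {path: evaluate(acl, path) for path in paths}


if __name__ == "__main__":
    for path, action in report(PROCTOR_ACL, SAMPLE_PATHS).items():
        print(f"{action:6} {path!r}")
```

The last two samples are the caveat: the expression counts AS hops rather than distinct ASes, so a direct client of 102 is denied as soon as either side uses AS-path prepending.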

8.4 PBR + Tunnel

The task asks for certain traffic between 2 BBs to transit transparently:

-Create a GRE between egress and ingress tunnel
-Match the traffic
-PBR it to tunnel interface

9.2 Modifying COS to DSCP value.

Default values are found on the DocCD

mls qos map cos-dscp ....

11.2 prevent access to telnet to R2 except from R6. No config R2

I configured ACL on neighbor routers.
The solution guide configured a VLAN ACL, which is wrong as R2 has 2 serials.
Anyway VACL is a good way to think of it in other cases.

Monday, 6 September 2010

IPExpert V2 Lab18

5.3 EIGRP Timer

The task was to make EIGRP warn about a neighbor being down in half the default time.
That means a hold-time of 7.5 s, but don't forget to change the hello time because the default 5 s can cause instability.

Important thing: in EIGRP, the hold-time can be different on each side, because what we configure on R1, for example, means "Hello, I'm R1; if you, neighbor, don't hear from me in X seconds, I'm dead".

In OSPF the timers should be the same, and changing hello will automatically change dead-time to x4.


6.1 OSPF Loopback

Bonehead error: forgot what the guidelines asked: "the prefix should appear in the RIB with its original mask". I dumbly advertised the loopback as a /32:
- change the ip ospf network type of lo0
- redistribute connected
- put lo0 on another area and summarize to the regular mask.

7.3 BGP Prefix length route filtering

The task was about filtering all prefixes having a /24 or longer prefix.
I did the "longer" part but let the /24 itself go through. As all routes were /24, I missed the point of finding a way to summarize to /23 to let them enter!!

8.1 Time to wait before timing out an outgoing telnet session

Play with syn timeout :

ip tcp synwait-time 5

8.2 default NTP stratum

It is 8, not 16. So 2 less than the default is 6. Stupid error.

10.2 Policing on subinterface

MQC policing on a subinterface is permitted. The other way, the one the design guide chose, is to apply it on the interface and match the subinterface VLAN.

A simple reminder: it's the queueing techniques that are not allowed on a subinterface (LLQ and CBWFQ). To make this work you need to apply shaping on the default class and nest an LLQ or CBWFQ policy-map in it.

11.3 Rate-limit Mcast

I configured it with mqc. Can also use ip multicast rate-limit

Sunday, 5 September 2010

IPExpert V2 Lab19

2.2 OSPF Max LSA

I only configured max-lsa 1000, which will by default stop the adjacency for a certain amount of time, whereas only a warning was asked for when 1000 is reached:

max-lsa 1000 warning-only 100

5.1 IPv6 Multicast

A simple static-RP IPv6 multicast task, BUT the group was joined on a non-IPv6 interface! IPv6 has to be enabled on the interface joining the mcast group even if no IP is configured

int f0/0.21
ipv6 enable
ipv6 mld join FF15::2

5.2 SSM Multicast

- As the joined group is set on the VLAN, we need to enable IGMP on the downstream router interface to process the join message. (Remember there is no RP to report the source.)
- Doesn't seem to work with IGMP v3lite; needs IGMP version 3

8.3 3560 Queue-set configuration

Wednesday, 1 September 2010

IPExpert V3 Lab8

Troubleshooting

Ticket 6

Classical EIGRP<->OSPF loop :

- Filter with tagging
This brings suboptimal routing that could be resolved by
- increasing the OSPF distance for the other 'mutual redistribution router' to something more than external EIGRP.



Ticket 9 L3 VPN

The Workbook comes with a problem I don't have because I corrected suboptimal routing :

A PE loopback is learned from OSPF on a partial-mesh NBMA network hub, which prevents label switching for it because the next-hop is the spoke and the LDP neighbor advertising the label is the hub router.
show ip cef shows no label for the PE loopback prefix.
Making the prefix learned by EIGRP is a workaround.
Another one, if we want it to work on NBMA: go with the point-to-multipoint OSPF network type. The hub will be the next-hop, so it will match the LDP neighbor address.


Ticket 10 RP

The BSR/RP is not learned. Still a problem of RPF. The PIM-enabled interface is not the RPF interface for the RP address. Change it by advertising the RP in EIGRP, or play with distance to make EIGRP preferred for the RP address.



Configuration
1.6 IPhones


The purpose was to configure both access vlan and voice vlan in one command.
This was a good time to use pre-defined cisco macro command listed with

sh parser macro

The one to use is cisco-phone:
sh parser macro name cisco-phone shows how to use it.
To apply it:
macro apply cisco-phone $access_vlan X $voice_vlan Y

1.7 Private vlan

Don't forget to map the secondary VLANs on the SVI and to set the routers on the VLAN as promiscuous:


vlan P
private-vlan primary
vlan I
private-vlan isolated
vlan C
private-vlan community
vlan P
private-vlan association C,I
int vlan P
private-vlan mapping C,I
int I
sw mode private-vlan host
sw private-vlan host-association P I
int C
sw mode private-vlan host
sw private-vlan host-association P C
Int R
sw mode private-vlan promiscuous
sw private-vlan mapping P add C,I

2.0 MPPPoFR

A reminder on all kinds of Multilink:

MLPPP with Multilink interface
int s0/0
encap ppp
ppp multilink group 1

int s0/1
encap ppp
ppp multilink group 1

Int Multilink 1
encap ppp
ppp multilink group 1
This is where IP and stuff goes.

MLPPP with Virtual-template

multilink virtual-template 1
int s0/0
encap ppp
ppp multilink

int s0/1
encap ppp
ppp multilink

int virtual-template 1
encap ppp
ppp multilink
This is where IP and stuff goes.

The difference with Multilink is that the virtual-template will be cloned into virtual-access interfaces and can create multiple bundles, all with the same IP!!! A kind of multipoint PPP.
Example: 2x2 serials arriving on a router; the 4 serials on the hub router call one VI interface, and the 3 routers will use one subnet between them.
PPP will install a /32 for each peer.

Multilink Frame Relay FRF.16

Permits using multiple physical links as one Frame Relay bundle
int mfr1
IP stuffs and frame-relay mapping goes there
int s0/0
encap frame mfr 1
int s0/1
encap frame mfr 1

MPPPoFR with virtual-interface
permits to use multiple DLCI on one interface

Like for PPP with virtual-interface but the VI is called with

frame-relay interface-dlci DLCIx ppp virtual-template 1
frame-relay interface-dlci DLCIy ppp virtual-template 1

Point-to-multipoint is still available as the IP of the VI will be replicated on each bundle.

int virtual-template 1
encap ppp
Where ip stuff goes

WRONG WAY :
MPPPoFR with multilink

Not very interesting as configuration is much the same as for Vi but only permits point-to-point :

frame-relay interface-dlci DLCIx ppp virtual-template 1
frame-relay interface-dlci DLCIy ppp virtual-template 1

int virtual-template 1
encap ppp
ppp multilink group X
Where ip stuff goes

Bandwidth information for the routing protocol goes on the physical interfaces if a Multilink interface is used, or on the virtual-template; the bundle will be the sum of the physical or the VI interfaces.

An IP on a virtual-link could prevent OSPF from forming an adjacency or exchanging routes; use unnumbered on the VI and the real IP on a loopback.

3.2 Interconnecting 2 EIGRP AS

Easy task but missed it : Gre tunnel

3.5 redistribution

- Mutual redistribution between OSPF and EIGRP: make one router better for output and the other for input. Play with the redistribution metric on both. Be careful: a router also learns routes by RIP, making it better than external EIGRP. Need to change the metric of external EIGRP to 109.

5.1 BGP Redistribution of ospf.

- Redistribute only our networks into BGP by filtering with an ACL on the RR. Be careful to also include external routes
- The border router will summarize to the external neighbor (preventing redistribution of the border's connected routes as well). Those summaries should be filtered back toward the inside.
- The border router will import external routes with the no-export community.
- To choose the preferred default route: set local-preference in order of preference and make the distance of BGP for the default preferred over other protocols.

7.0 NAT

The NAT task was OK, but I forgot to redistribute the pool into the IGP so that the return routes are known by the neighbors.


Monday, 30 August 2010

IPExpert V3 Lab7

Troubleshooting

Difficulties with an inter-as mpls peering, option C like, using bgp to exchange label for bgp routes.

Configuration

1.5 PPPOE with DHCP reservation

Multiple ways to assign IP in PPP/PPPOE:

Client: IPCP (ip add negot) -> Server: local pool (peer default ip address pool ) or dhcp pool (peer default ip address dhcp-pool )
Client: DHCP (ip add dhcp) -> Server: dhcp pool (nothing)

For manual bindings, use the full DHCP version: a host pool should exist and the client should be configured with a client-identifier
Client
ip address dhcp client f0/0

Server
ip dhcp pool R1
host 10.1.1.1 /24
client-identifier 01+mac-address of client F0/0

For IPCP you could force client to request mask
PPP ipcp mask request on client
ppp ipcp mask 255... on server

If Vrf is used the pool should be configured with vrf command

3.2 BGP loop because of RIP summarization

RIP summarizes a route. Later it's asked to redistribute RIP into BGP; this causes a loop with the summary. The summary has to be filtered in the redistribution to BGP.

4.4 AS Override

Took a while to find this command again; it permits the PE to override the originator AS with its own (in case every VPN site uses the same AS, loop prevention will prevent the routes from re-entering).
Another solution could be allowas-in on the CE.

5.3 MSDP Originator

The MSDP originator-id, in case of anycast, has to be set to the anycast address.
Took a while to discover that I should use another route for multicast between the two ASes, as the direct link was not allowed for multicast.

7.1 NTP multicast

On server side
int
ntp multicast group

On client side
int
ntp multicast client group

Tuesday, 24 August 2010

IPExpert V2 Lab17

1.1 Vty timeout

Bonehead error, timeout for vty is exec-timeout and not session-timeout used for physical

2.5 Fallback bridging

Not available on dynamips but permits to bridge between 2 vlan for non IP protocols :

bridge 1 proto vlan-bridge
int vlan X
bridge-group 1
int vlan Y
bridge-group 1

4.0 Cisco RIP timer

The task was about disabling the Cisco-defined RIP timer, which is holddown:
timers basic 30 180 0 180

4.3 Forbid RIP to accept routes from future gateway

I used a distribute-list or offset-list, other solution was a distance default of 255 except for the current neighbor.

6.3 OSPF

DR/BDR election timeout: configured by the dead-interval timer!
Make an OSPF neighbor preferred without using cost or bandwidth: AD of course:

distance 109 gateway acl

6.4 OSPF Misc

LSA expiration in DB : configured by pacing on lsa-group

No Null0 with summarization : no discard-route

7.0 BGP

An AS with 2 routers peered with iBGP, each has one eBGP peer, sync and IGP redistribution is forbidden.
Due to the sync rule, an iBGP-learnt route will not be installed if it's not learnt by an IGP. So an eBGP-learnt route from one router will not be learnt by the other through iBGP. The solution is using confederation, as sub-AS peering becomes eBGP-like peering.


7.5 BGP Community override

The task was to prevent prefix to be sent out of AS (no-export community) except for one router. Only way to do that is re-write the prefix on inbound for this router (internet community)

Sunday, 22 August 2010

IPExpert V3 Lab5

Troubleshooting
Ticket 1


Spent some time figuring out why the IPs of the frame relay were /32 -> The network type was point-to-multipoint nonbroadcast, so the /32 is learned from elsewhere. As it was forbidden to change the IGP, we see that the problem is multihop with the eBGP connection.

Ticket 4

The PG set the distance of BGP multicast to be preferred; this seems a bit useless as there is no RPF tie, because there is no PIM on the interface used for unicast.

Ticket 7

Sham link to make MPLS the preferred path:

- The OSPF domain-id should be set so that the routes are IA.
- The sham link is built between 2 loopbacks owned by the VRF and redistributed into the BGP VRF.
- The loopbacks could be filtered toward the OSPF VRF.

Configuration
1.3 PPP secured without CHAP

Only EAP
ppp authent eap
ppp eap identity (no default identity in EAP)
ppp eap password
ppp eap local (to use the local username database)

1.5 Catalyst Interface tracking

Permits to group multiple 'server interface' (downstream) with uplink interface (upstream) for redundancy purposes. When all upstream are down, downstreams are shut.
In this case the purpose was to err-disabled some links when uplinks are unavailable.

int Uplink
link state group 1 upstream

int ToServer
link state group 1 downstream

link state track 1

2.4 Redistribution

Tricky redistribution scenario. Follow these principles:
- Don't forget the 170 external AD of EIGRP, which prevents externals from being preferred
- RIP areas were stub. Playing with a distance >170 for external routes and 120 for RIP routes prevents a lot of problems
- Between EIGRP and OSPF, as there is mutual redistribution, filtering with tags is necessary. The proctor uses a tag of the advertising router.

3.5 OER/PFR

Setting up the OER/PfR network components is OK, the other phases less so:

Profile : choose the optimized traffic
Measure : monitor the traffic and give threshold
Control : choose the way to play on best route.

Everything is done on the master through an oer-map

oer-map TEST
match traffic-class .... (profile)
set delay threshold ... (measure)
set active-probe ...
set mode route control (control, bgp)
set mode route metric bgp local-pref ..

To review

Wednesday, 18 August 2010

IPExpert V2 Lab16

1.0 TCP header-compression

Bonehead error, used UDP compression and forgot to specify frame-relay before ip tcp header-compression.

Verify with show frame tcp header-compression

4.6 IPV6 Multicast RPF

Spent some time resolving an RPF issue. The BSR was refused because it was announced from an interface that was not the RPF interface (because PIM was disabled on the RPF interface).
Wanted to play with MP-BGP for IPv6 multicast, but the rules for RPF are different from IPv4:

- No IPv6 unicast BGP check by default
- The longest prefix is chosen across the unicast and multicast tables of all routing tables
- The best AD is chosen in case of a tie

So the BGP IPv6 multicast AF is not preferred as is the case in IPv4. Need to modify the AD of the IPv6 multicast AF and it works!

6.4 Inter AS MPLS

Did not remember the command to accept prefix with a route-target not attached to a VRF :

no bgp default route-target filter

7.2 RSVP signalling tag with DSCP 46

I used service-policy.
Simpler:

ip rsvp sig dscp 46

Thursday, 12 August 2010

IPExpert V2 Lab15

3.2 BGP No-export

Bonehead error: I set the community via a route-map on the aggregate address but forgot send-community on the neighbor.


6.2 MPLS Label Filtering

New way (don't forget to disable mpls ldp advertise-labels for the ACL to work, else everything will be authorized):

mpls ldp advertise-labels for ACL_num
no mpls ldp advertise-labels

Old style (defining oldstyle means only what is on acl is authorized)

mpls ldp advertise-labels for ACL_num
mpls ldp advertise-labels oldstyle

6.3 Broken LSP

Loopback 5 of router 5 is a /24 but OSPF advertises it as a /32 because it's a loopback.
The problem is that R5 has only the /24 in its routing table and will therefore advertise a label for the /24. Other routers will have a route to the /32 with no MPLS label toward R5, giving a broken LSP.

this could be verified with show mpls forward :
Local Outgoing Tag Prefix
Tag
20 Untagged 100.23.5.5/32

After loopback is set to point-to-point ospf network type
Local Outgoing Tag Prefix
Tag
20 Pop Tag 100.23.5.0/24

2nd Point,

On an NBMA network, the next-hop of a spoke network will be the spoke, but there will be no LDP relationship between spokes, so no labels for the spoke network. The idea is to force the hub to reset the next-hop to itself in order to match the peer that advertised the label. Or to add a route to the spoke network via the hub; the best route's next-hop will then match the label advertised by the hub.


7.6 As-override and Site Of Origin

The task was about customer of AS 100 always using AS18 in loop-free manner.
I only configured allow-as 1 on customer side.

Proctor use a Service Provider side solution :
AS-override, so that AS 18 in all routes is replaced by AS 100. As the customers are in AS 18, incoming routes from 100 will be accepted, creating a routing loop.

Using SoO prevents it in case of multihoming
Incoming route of a site is tagged on the PE
route-map SoO permit 10
set extcomm soo 100:18
neighbor x.x.x.x route-map SoO in

It will automatically prevent the same SoO to re-enter in the same site.

8.4 Identd

Even with the DocCD I didn't find this: it's about telnetting to 113 to know which ports my other connections to this router use.


Saturday, 7 August 2010

IPExpert V2 Lab14

3.2 PPP Authentication with MPPP

PAP or CHAP authentication should be done on the physical interface and not on the mu1 or virtual-template interface!! -> Wrong: even if the proctor applies it on the physical interface, it's OK to put it on the multilink interface or virtual-template.

4.4 OSPF Max-metric

The task was about making ospf wait for BGP to converge before advertising links for a maximum of 600 second of wait time.

The idea is to use the max-metric command to make the generated LSA the least preferred until BGP has converged:

max-metric router-lsa on-startup wait-for-bgp

5.1 BGP new configuration style

Was just about configuring the peers inside the IPv4 AF.

12.3 filtering Imported route into a VRF

I used a route-map on the neighbor in the VPNv4 family but it's not scalable as it will filter the prefix for all VRF (not a problem in this case because there's one but in real life ...)

Filtering with route-map could be done inside the vrf with

ip vrf ccie
import map ROUTE-MAP-NAME

IPExpert V2 Lab13

1.0 PVC Bandwidth

Was only about setting bandwidth information for routing protocol and no Traffic shaping

3.1 DCE Clocking


To see which side is DCE/FT
sh controller serial
The clock rate is set only on DCE side.
On dynamips both sides are DCE

6.2 BGp Aggregation

Bonehead mak error!

Monday, 2 August 2010

IPExpert V3 Lab4

2.1 Unicast RIP

Using neighbor was the right way, but to prevent multicast I used an access-list; a simpler way was to make the interface passive. The neighbor command overrides passive. The network statement is also needed.


2.3 EIGRP Weight

A bit of recall :

Metric order with the set metric command is: bandwidth delay reliability load mtu
K order for weight command is : TOS K1(bandwidth) K2(load) K3(delay) K4(reliability) K5(mtu)

5.2 QOS on subinterface

I used hierarchical policy-map to apply CBWFQ on a fast-ethernet sub-interface.

Other solution was to apply on physical and match the vlan of the subinterface :

class-map PIN
match dscp af31
match vlan 211

6.3 Activate ssh

ip domain-name ipexpert.com
crypto key generate rsa

line vty 0 4
transport input telnet ssh

6.4 Archive Backup

Permits backing up the running-config on a regular basis or whenever the running-config is saved, and keeps a revision history.

archive
maximum 10
path flash:backup
time-period 30
write-memory


show archive

Monday, 26 July 2010

IPExpert V3 Lab3

2.3 OSPF

- On area 2223, with R7-BB2-BB3 on a broadcast network: in a preceding task we prevented any layer 2 BB2-to-BB3 communication, so we must be sure that R7 is the DR
- On R6, attached to multiple areas, a virtual-link is needed to an area 0 router, even if other areas are connected to area 0.

3.1 BGP

This task is about distributing connected interface with minimal conf and appearing as IGP.
Network is a solution but doesn't use minimal conf :
redistribute connected with a route-map setting origin as igp

4.1 Inter-domain Multicast

Multiple PIM domains are interconnected via MSDP.
In order for interdomain multicast to work, I activated PIM sparse-mode along the path between the domains.
The proctor didn't do that; he advertised the multicast sources in a BGP multicast address family.

5.1 Filter PIM and BGP active-passive

I only used ACL to filter PIM and to force the way BGP is initiated between 2 routers. Other solution :
- ip pim neighbor-filter ACL
- router bgp XXX
neighbor x.x.x.x transport connection-mode passive

6.2 Netflow

Forgot the ip flow ingress on the interfaces.

Tuesday, 13 July 2010

IPExpert V3 Lab2

Task 1.3 : MST -3

Question was about minimal impact STP : means minimal instance.
But Vlan 1314 is only on one link that could be blocked if one instance because not connected to the root. Assuming Cat3 could assist Cat2 in root role, we'll use an instance with Cat3 as root for vlan 1314.

Task 2.4 : EIGRP

The goal was to summarize without Null route.
I used static with redistribute.
The proctor's solution used the summary-address command with a distance of 255, which prevents IOS from installing a Null0 route.

Sunday, 20 June 2010

IPExpert V2 Lab11

Task 2.1 VTP pruning

Forgot to activate pruning, missing the phrase 'ensure broadcast frames within any given vlan are not sent to switches that don't have access ports in that vlan'

Task 5.4 Eigrp Tuning

Forgotten task: prevent the SIA process after 300 seconds

timers active-time

Wrong task : drop routes from inactive neighbors after half the default value.

I configured a hold-time of 90, as the default for NBMA is 180 s.
The question was more about using NSF, which permits holding routes during a normal failure of an NSF-enabled neighbor (restart or maintenance). Default is 240 s. To configure it:
timers nsf route-hold 120
or
timers graceful-restart purge-time 120

Task 6.1 RIP

Forgotten task: RIP updates should be sent to the broadcast address:
ip rip v2-broadcast

Task 8.6/7 BGP

Advertising the same networks through 2 different ASes in AS 567, make one preferable. I manipulated AS_PATH. Other solutions were:
- Setting a local preference on eBGP input.
- Setting a weight on all routers of AS 567
- Setting a MED with the options of ignoring as-path and always comparing MED (because coming from different ASes)

Aggregate an address without routing loops:
- Filtering where the route is propagated (my solution)
- Setting as-set so that the route is automatically filtered where the more specific routes come from.

Task 9.2 MPLS VPN

As I used OSPF between PE and CE, and the CE was using a VRF, I needed to activate the vrf-lite capability on the CE OSPF process so that the routes coming from the PE are accepted. A PE router will set the DN bit or domain-tag so that another PE on the same segment does not reinject the route. So a PE will not accept an LSA with the DN bit or domain-tag set. As the CE has a VRF activated, it's considered a PE and will not accept any OSPF route from the PE. vrf-lite permits disabling this check on the CE.

Sunday, 13 June 2010

IPExpert V2 Lab9

Task 1.1 Tag native vlan

To override the fact that native vlan is not tagged in 802.1q, use the global command :

vlan dot1q tag native

To not use A trunk even if you need 2 vlan to be used on a link, use voice vlan.

Task 3.5 Default route without any routing protocol

I used DHCP between R9 and BB3 in order to send a gateway.
The protocol used odr.

Task 4.2

R2 will redistribute OSPF into BGP, but the redistributed routes need to be sent only to the eBGP neighbor.
I filtered locally generated routes toward the iBGP neighbor.

The proctor used another solution:
On redistribution into BGP it sets a community for the OSPF routes. This community is filtered toward the iBGP neighbor:

router bgp 245
redi ospf route-map FROMOSPF
neighbor 100.0.0.6 route-map TO6 out

route-map FROMOSPF
set community 100:100
route-map TO6 deny 10
match community 1
route-map TO6 permit 20
ip community-list 1 permit 100:100

Task 4.5 Specific BGP dampening

When setting specific dampening for a route, it should be set with the set dampening command under the route-map and the bgp dampening route-map command.

Task 5.2 SSM

The goal was to permit only one source to ping a group joined on R6 without any filtering.
The solution was on R6 to join a group with a specific sender and use SSM :

ip igmp join-group 236.6.6.6 source 100.0.0.2

As default SSM group is 232.0.0.0/8
the command ip pim ssm range 236.6.6.6 was needed in order to change the default SSM group.

Task 6.1 Dhcp option TFTP

I used TFTP option 150 whereas the proctor used 66.
66 is the RFC one and allows one TFTP server, whereas 150 permits more than one address.


Tuesday, 1 June 2010

IPExpert V3 Lab1

Task 2.2 CHAP Authentication with same hostname

By default CHAP refuses to authenticate when both sides have the same hostname

no ppp chap ignore-us is the magical command that authorizes that.

Task 2.5 MPLS

The missed task was to configure ldp authentication without "mpls ldp neighbor password" command.

Ways to configure LDP password :

Neighbor by neighbor
mpls ldp neighbor X.X.X.X password pass

For neighbor in an acl with multiple options :
mpls ldp password option X for ACL_NUM1 pass
mpls ldp password option Y for ACL_NUM2 pass

If not specifically defined try this password, else no password.
mpls ldp password fallback pass

Password could be required for all peer or peer in an acl
mpls ldp password required
mpls ldp password required for ACL_NUM


Task 3.5 RIP

The mask was different between 2 adjacent routers because the address was negotiated by IPCP. Needs the command "no validate-update-source".

Task 3.5 EIGRP load-sharing

When EIGRP load-balances over same-cost or different-cost multipath, the load balancing done by CEF can be configured (default is per-destination):

ip load-sharing per-packet
ip load-sharing per-destination

Saturday, 29 May 2010

IPExpert V2 Lab8

Task 3.2 RIP Triggered update

Can only be used on point-to-point interface and need to be configured on both sides.

Task 3.2 Redistribution

It seems that the command distance distance neighbor with EIGRP only affects internal routes,
whereas in OSPF it affects all routes.


Task 3.2 MPLS Tag of default-route

The command mpls ip default-route permits tagging a default route if the neighbor has advertised one in its routing table and advertised a label for it.



Task 6.2 Bidir

Task was to use exclusively shared tree
My solution was to put an spt-threshold of infinity but in this case the source to SPT is a source-tree.
Exclusively shared is the fact of bidir.

Just add :
On all routers
ip pim bidir-enable
On R8
ip pim rp-candidate lo1 bidir


Task 7.4 NTP

When filtering whom the NTP server can serve, don't forget 127.127.7.1, which is used by the master to sync with itself.

Task 9.2 Finding TCP/UDP port

A good command to know is : sh ip nbar port-map


Task 9.3 FRTS

Access-rate or burst-rate is Be+Bc every Tc.
Ex CIR =64k and Access-rate=96k for 20ms
Bc=1280 be=640
I did it wrong, calculating Be independently of Bc (setting Be to 1920, so an access-rate of 160kb)