Friday 4 September 2009

Frame-Relay interface types

Physical
  PVC establishment:
    • LMI automatically applies all DLCIs to the interface, or
    • frame-relay interface-dlci applies the specified DLCI to the interface
  Layer 2/Layer 3 mapping:
    • Needs a static mapping, or
    • Needs Inverse ARP enabled on the DLCI

Point-to-Point
  PVC establishment:
    • frame-relay interface-dlci applies the specified DLCI to the interface
  Layer 2/Layer 3 mapping:
    • No mapping needed (everything for the subnet is sent through the point-to-point interface)
    • Inverse ARP is not needed and is disabled by default

Point-to-Multipoint
  PVC establishment:
    • LMI automatically applies all DLCIs to the interface, or
    • frame-relay interface-dlci applies the specified DLCI to the interface
  Layer 2/Layer 3 mapping:
    • Needs a static mapping, or
    • Needs Inverse ARP enabled on the DLCI

Dot1x

The purpose is to do a minimal dot1x authentication on Ethernet ports.

1: Define the RADIUS server

ip radius source-interface Loopback0
!
radius-server host 25.2.2.1
radius-server key CISCO


2 : Globally activate dot1x

dot1x system-auth-control

3: Define the AAA model for dot1x only

Don't forget "aaa authentication login default none"; otherwise the switch will ask for a password on console and telnet login (note that this leaves those logins unauthenticated).

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius


4: Activate dot1x on the ports

interface FastEthernet1/4
 switchport mode access
 dot1x port-control auto


5: Verification

show dot1x
show dot1x interface FastEthernet1/4

PPP chap authentication

CHAP authentication is unidirectional. A router always answers a challenge, even if "ppp authentication chap" is not configured on it. So for a one-way authentication where R5 authenticates R4:

On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
 ip address 132.1.45.5 255.255.255.0
 encapsulation ppp
 ppp authentication chap

On R4
interface Serial1/1
 ip address 132.1.45.4 255.255.255.0
 encapsulation ppp
 ppp chap hostname ROUTER4
 ppp chap password CISCO


Two-way authentication (each router challenges the other):

On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
 ip address 132.1.45.5 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname ROUTER5

On R4
username ROUTER5 password 0 CISCO
interface Serial1/1
 ip address 132.1.45.4 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname ROUTER4
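The one-way and two-way exchanges above, replayed as an added Python example (not from the original notes): the RFC 1994 CHAP response is MD5(Identifier || secret || Challenge), and a peer answers a challenge whether or not it is itself configured to challenge. Hostnames and the password are the ones used in the configs (ROUTER4, ROUTER5, CISCO); the class and function names are this example's own.

```python
import hashlib
import os

# Added example, not from the original notes: RFC 1994 CHAP as two Python peers.
# Hostnames and passwords (ROUTER4, ROUTER5, CISCO) are the ones used in the notes.

def chap_response(identifier, secret, challenge):
    """CHAP Response value = MD5(Identifier || Secret || Challenge Value), RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapPeer:
    """Minimal PPP peer. 'authenticates' models 'ppp authentication chap';
    'hostname'/'password' model 'ppp chap hostname' / 'ppp chap password';
    'users' models the local 'username X password Y' database."""

    def __init__(self, hostname, password, authenticates=False, users=None):
        self.hostname = hostname
        self.password = password
        self.authenticates = authenticates
        self.users = users or {}

    def challenge(self):
        # Only a peer configured with 'ppp authentication chap' sends a Challenge.
        if not self.authenticates:
            return None
        return os.urandom(1)[0], os.urandom(16)

    def respond(self, identifier, value):
        # Any router answers a Challenge, authentication configured on it or not.
        return self.hostname, chap_response(identifier, self.password, value)

    def verify(self, identifier, value, name, response):
        # Look the peer's name up in the local username database and recompute the hash.
        secret = self.users.get(name)
        return secret is not None and response == chap_response(identifier, secret, value)


def authenticate(authenticator, peer):
    """One direction of CHAP: True/False, or None when the authenticator never challenges."""
    chal = authenticator.challenge()
    if chal is None:
        return None
    identifier, value = chal
    name, response = peer.respond(identifier, value)
    return authenticator.verify(identifier, value, name, response)
```

Running authenticate(R5, R4) with R5 as the only authenticator models the first config; running it in both directions models the second.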

Layer 3 Etherchannel

Purpose: EtherChannel on a "no switchport" (routed) interface.

The physical interfaces must already be in "no switchport" mode before the "channel-group" command is issued, so that a Layer 3 EtherChannel is created.

The IP address is configured on the port-channel interface.

EtherChannel: PAgP or LACP

PAgP or LACP is used to negotiate the EtherChannel bundle automatically:

PAgP (Cisco proprietary):
auto: passive negotiation, the other side needs to be desirable
desirable: active negotiation, the other side needs to be desirable or auto

LACP (802.3ad):
passive: passive negotiation, the other side needs to be active
active: active negotiation, the other side needs to be active or passive

The main difference between the two is that PAgP only works in a Cisco environment, whereas LACP works in a mixed-vendor environment.

To force the EtherChannel manually (no negotiation), both sides have to be in "on" mode.

Verification

Rack1SW2#sh etherchannel 1 sum
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Fa1/7(P) Fa1/8(P) Fa1/9(P)

OR

Rack1SW2#sh etherchannel 1 port
Ports in the group:
-------------------
Port: Fa1/7
------------

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 2
Age of the port in the current state: 00d:03h:17m:20s
Port: Fa1/8
------------

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 1
Age of the port in the current state: 00d:03h:17m:20s
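As an added example (not part of the original notes), a small parser for the "show etherchannel summary" text above that flags a bundle as unhealthy when the port-channel lacks the U flag or a member lacks the P flag. SAMPLE is constructed from the Rack1SW2 output, with a second, broken group added for illustration.

```python
import re

# Added example, not from the original notes: parse the text of
# 'show etherchannel summary' and check that a bundle is healthy.
# SAMPLE is constructed from the Rack1SW2 output above, plus a broken group 2.

SAMPLE = """\
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Fa1/7(P) Fa1/8(P) Fa1/9(P)
2 Po2(SD) Fa1/10(D) Fa1/11(I)
"""

ROW = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(.*)$")   # one group line
PORT = re.compile(r"(\S+?)\(([A-Za-z]+)\)")                   # e.g. Fa1/7(P)


def parse_summary(text):
    """Return {group: {'po': 'Po1', 'flags': 'SU', 'ports': {'Fa1/7': 'P', ...}}}."""
    groups = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # legend, column header and separator lines
        gid, po, flags, rest = m.groups()
        groups[int(gid)] = {
            "po": po,
            "flags": flags,
            "ports": {p: f for p, f in PORT.findall(rest)},
        }
    return groups


def check_bundle(summary, group):
    """Healthy = port-channel in use (U flag) and every member bundled (P flag).
    Returns (ok, list_of_problems)."""
    g = summary[group]
    problems = []
    if "U" not in g["flags"]:
        problems.append(f"{g['po']} is not in use (flags {g['flags']})")
    for port, flags in g["ports"].items():
        if "P" not in flags:
            problems.append(f"{port} is not bundled (flags {flags})")
    return not problems, problems
```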

Tuesday 1 September 2009

IP Accounting

IP Accounting is an IP service that counts the packets going in or out of an interface.
Let's see the different ways of doing it:

Account for every packet :
ip accounting

Account for packets with an ip precedence set :
ip accounting precedence input
ip accounting precedence output


Account only for output packets:
ip accounting output-packets

Account only for packets blocked by an access-list applied on the interface:
ip accounting access-violations

Verification
show ip accounting
show interface s1/0 precedence

Traffic policing: rate-limit (legacy CAR) or MQC policing

Example: limiting ICMP traffic to 128 kbps, with a permitted burst of a quarter of the rate (4000 bytes, i.e. a quarter of a second's worth of traffic at 128 kbps).

Legacy traffic policing using the rate-limit command (CAR)

access-list 110 permit icmp any any

interface e0/0
 rate-limit output access-group 110 128000 4000 4000 conform-action transmit exceed-action drop


128000 bps: the rate limit (CIR)
4000 bytes: normal burst (Bc), the amount that can be sent at line rate in each time slot (the bucket size)
4000 bytes: maximum burst (Be), the extended amount that can be sent at line rate

Bc = Be, so there is no excess burst.

Verification

show interface rate-limit


Traffic policing using MQC

CEF must be enabled.

class-map match-all CAR
 match protocol icmp

policy-map CAR
 class CAR
  police cir 128000 bc 4000

interface e0/0
 service-policy out CAR


128000: the rate limit (CIR)
4000: normal burst (Bc), the amount that can be sent at line rate
Be: 0 (no excess burst)

Verification

show policy-map interface


Differences

- Legacy CAR: the configured Bc should include Be (Bc = excess_bits + Be)
- MQC CAR uses a default Bc of 2 x Be if not configured
- MQC CAR: the configured Bc doesn't include Be (Bc = excess_bits)
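To see what the Bc/Be numbers above actually do to a burst, here is an added Python token-bucket policer (not from the original notes) fed with the notes' parameters: cir 128000 bps and Bc 4000 bytes, with Be 0 as in the MQC example or Be 4000 to show an excess bucket. It uses the three decisions conform/exceed/violate; with Be = 0 the excess bucket is always empty, so a non-conforming packet goes straight to "violate", which is what the two-action policers above apply their exceed-action (drop) to. The class and function names and the BURST packet list are this example's own.

```python
# Added example, not from the original notes: a single-rate token-bucket
# policer with the notes' parameters (cir 128000 bps, Bc 4000 bytes) so the
# conform/exceed decisions of 'rate-limit' / 'police' can be replayed offline.

class Policer:
    def __init__(self, cir_bps, bc_bytes, be_bytes=0):
        self.rate = cir_bps / 8.0   # token refill rate in bytes per second
        self.bc = bc_bytes          # normal (conform) bucket depth
        self.be = be_bytes          # excess bucket depth (0 = no excess burst)
        self.tc = bc_bytes          # conform bucket starts full
        self.te = be_bytes          # excess bucket starts full
        self.last = 0.0             # time of the last refill, seconds

    def _refill(self, now):
        # Tokens arrive at the CIR; overflow from the Bc bucket spills into the Be bucket.
        self.tc += (now - self.last) * self.rate
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc

    def police(self, now, size):
        """Decision for a packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"      # conform-action transmit
        if size <= self.te:
            self.te -= size
            return "exceed"       # only reachable when Be > 0
        return "violate"          # dropped by both configs above


def replay(policer, packets):
    """packets: iterable of (time_seconds, size_bytes). Returns the list of decisions."""
    return [policer.police(t, s) for t, s in packets]


# Constructed burst: 8 x 1000-byte packets at t=0, then 4 more a quarter second later.
# At 128 kbps a quarter second is exactly 4000 bytes, so the Bc bucket is full again.
BURST = [(0.0, 1000)] * 8 + [(0.25, 1000)] * 4
```

With Be = 0, replay(Policer(128000, 4000), BURST) lets 4 packets through, drops the next 4, and lets the last 4 through; with Be = 4000 the second group of 4 is "exceed" instead of "violate".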