Sunday 6 October 2013

PPP Authentication


  • Is the authentication mutual, or does only one side authenticate?
  • Clear-text or scrambled password in the running config:
    • username R1 password 0 test (type 0: clear text)
    • no service password-encryption (the default; service password-encryption only turns these into type 7, which is reversible, and CHAP needs the shared secret in recoverable form anyway, so restrict who can read the config rather than trust the encoding)
  • VTY and console line authentication
    • aaa authentication login default line none
    • none is needed when no password is set on the console, otherwise the line method has nothing to check and locks you out; it also means such a line accepts anyone, so make sure every line has a password or uses local/AAA
  • AAA settings
    • aaa authentication ppp default group radius local-case (RADIUS first, then case-sensitive local usernames if RADIUS is unreachable)
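The checks in this list can be scripted. The following is an added example (not part of the original notes): a Python audit that walks a constructed running-config fragment, flags type 0 passwords and no service password-encryption, decodes type 7 strings with the well-known fixed key to show that they are only scrambled, and reports lines that fall through to the none method. The config fragment, the finding messages and the function names are this example's own.

```python
"""Audit a Cisco IOS running-config for the password checks listed above.

Added example, not from the original notes: the config fragment is constructed
for the demo and the audit rules and messages are this script's own.
"""
import re
from typing import List, Tuple

# Fixed XOR key behind IOS "service password-encryption" (type 7). The key is
# constant and public, so type 7 is obfuscation, not encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc: str) -> str:
    """Recover the clear text behind a type 7 string, e.g. 0822455D0A16 -> cisco."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit() \
            or not re.fullmatch(r"[0-9A-Fa-f]+", enc[2:]):
        raise ValueError("not a type 7 string")
    offset = int(enc[:2])                      # leading two digits select the key offset
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def type7_encode(clear: str, offset: int = 8) -> str:
    """Inverse of type7_decode (same key and XOR; used here to build test data)."""
    if not 0 <= offset < len(_TYPE7_KEY):
        raise ValueError("offset must index into the key")
    body = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(clear.encode()))
    return f"{offset:02d}{body.hex().upper()}"


def audit_config(config: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs, sorted by line, for the checks above."""
    findings = []
    aaa_login_none = False
    line_blocks = {}            # (line no, "line con 0") -> has a line password?
    current = None              # the "line ..." block being read, if any

    for n, raw in enumerate(config.splitlines(), 1):
        if current and raw.startswith(" "):         # indented: still inside the line block
            if raw.strip().startswith("password "):
                line_blocks[current] = True
            continue
        current = None
        s = raw.strip()
        if s.startswith("line "):
            current = (n, s)
            line_blocks[current] = False
        elif s == "no service password-encryption":
            findings.append((n, "type 0 passwords are kept in clear text"))
        elif (m := re.match(r"username (\S+) password (?:0 )?(\S+)$", s)):
            findings.append((n, f"clear-text password for {m[1]}: {m[2]}"))
        elif (m := re.match(r"username (\S+) password 7 (\S+)$", s)):
            findings.append((n, f"type 7 password for {m[1]} decodes to: {type7_decode(m[2])}"))
        elif (m := re.match(r"enable password (?:(\d) )?(\S+)$", s)):
            pw = type7_decode(m[2]) if m[1] == "7" else m[2]
            findings.append((n, f"enable password is recoverable ({pw}); use enable secret"))
        elif (m := re.match(r"aaa authentication login (\S+) (.+)$", s)):
            if "none" in m[2].split():
                aaa_login_none = True
                findings.append((n, f"login method list {m[1]} falls through to none"))

    if aaa_login_none:
        # "line none": a line with no password makes the line method error out,
        # so the next method, none, grants access.
        for (n, name), has_password in line_blocks.items():
            if not has_password:
                findings.append((n, f"{name}: no line password, so none lets anyone in"))
    return sorted(findings)


# Constructed running-config fragment for the demo (not from a real device).
CONSTRUCTED_CONFIG = """\
hostname R1
no service password-encryption
enable password cisco
username R2 password 0 test
username R3 password 7 0822455D0A16
username R4 secret 5 $1$placeholder$notarealhash
aaa new-model
aaa authentication login default line none
aaa authentication ppp default group radius local-case
!
line con 0
 login authentication default
line vty 0 4
 password vtypass
 login authentication default
!
interface Serial0/0
 encapsulation ppp
 ppp authentication chap
"""

if __name__ == "__main__":
    for lineno, finding in audit_config(CONSTRUCTED_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run it against a real show running-config saved to a file by passing the file contents to audit_config; the username R4 secret line produces no finding because type 5 hashes are not recoverable from the config.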

Sunday 28 July 2013

IPv6 Multicast Routing with BSR

R1(config)#ipv6 multicast-routing
R1(config)#ipv6 pim bsr candidate rp <IPv6 Address>
R1(config)#ipv6 pim bsr candidate bsr <IPv6 Address> priority <X>


BSR and RP can't be on a single router.

Saturday 29 June 2013

IP Addressing in Mars!

Got this a few days ago in a test lab:

*Mar  1 00:10:50.423: %BGP-6-NEXTHOP: Invalid next hop (254.192.2.52) received from FEC0:234::4: martian next hop

It seems Class E was reserved to be used on Mars; always knew we are not alone!

Monday 27 May 2013

Saturday 11 May 2013

Monday 25 March 2013

OSPF Downward Option

PE1 advertises the customer site's OSPF intra-area routes into MP-BGP. PE2 redistributes those MP-BGP routes back into OSPF as Type 3 (Summary) LSAs, because the MPLS backbone acts as the OSPF superbackbone.

PE2 sets the Down (DN) bit on those LSAs to avoid routing loops in scenarios where a site is dual-homed to the service provider network.

If a PE receives a Type 3 LSA with the DN bit set on an interface that belongs to a VRF, it leaves that LSA out of its SPF calculation. In cases where the site is not dual-homed (typically a CE running VRF-Lite), this loop-prevention mechanism is undesirable.

To disable this behaviour use the following command under router ospf; the router then no longer performs the PE-specific checks (DN bit and domain tag):

R1(config-router)# capability vrf-lite

If the router doesn't support that command, configure different OSPF domain IDs on the PE routers; the routes are then advertised as External (LSA Type 5) instead of Summary (LSA Type 3).
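As an added example, not from the original notes: a small Python model of the check, packing the 20-byte LSA header (RFC 2328 layout, DN bit as the 0x80 bit of Options per RFC 4576) and then deciding whether a VRF-attached OSPF instance would use a received Summary LSA, with and without capability vrf-lite. The sample LSAs are constructed (checksum left at zero) and the function names are this example's own.

```python
"""Parse OSPF LSA headers and apply the PE-side DN-bit check described above.

Added example, not from the original notes. Header layout is RFC 2328, the DN
bit position is RFC 4576; the sample LSAs are constructed (checksum left zero).
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

LSA_HEADER = struct.Struct("!HBBIIIHH")  # age, options, type, LSID, adv router, seq, checksum, length
DN_BIT = 0x80                             # high-order bit of the Options field
SUMMARY_LSA = 3


def build_lsa_header(ls_type: int, ls_id: str, adv_router: str, *,
                     dn: bool = False, options: int = 0x22) -> bytes:
    """Pack a 20-byte header; dn=True is what a PE sets when it redistributes from MP-BGP."""
    if dn:
        options |= DN_BIT
    return LSA_HEADER.pack(1, options, ls_type, int(IPv4Address(ls_id)),
                           int(IPv4Address(adv_router)), 0x80000001, 0, LSA_HEADER.size)


def parse_lsa_header(data: bytes) -> Dict[str, object]:
    """Unpack the header fields; 'dn' is the decoded Down bit."""
    age, options, ls_type, ls_id, adv, seq, _cksum, _length = LSA_HEADER.unpack_from(data)
    return {"age": age, "type": ls_type, "id": str(IPv4Address(ls_id)),
            "adv": str(IPv4Address(adv)), "seq": seq, "dn": bool(options & DN_BIT)}


def pe_uses_lsa(lsa: Dict[str, object], vrf_lite: bool = False) -> bool:
    """The check a VRF-attached OSPF instance applies to a received Type 3 LSA.

    Without 'capability vrf-lite' a Summary LSA carrying DN is left out of SPF;
    with it, the PE-specific checks are skipped and the LSA is used normally.
    """
    if vrf_lite:
        return True
    return not (lsa["type"] == SUMMARY_LSA and lsa["dn"])


def usable_summaries(headers: List[bytes], vrf_lite: bool = False) -> List[str]:
    """LSIDs (the summarised prefixes) that survive the check, in order."""
    return [h["id"] for h in map(parse_lsa_header, headers) if pe_uses_lsa(h, vrf_lite)]


# Constructed: PE2 re-advertising 10.1.0.0/16 learnt via MP-BGP (DN set) next to
# an ordinary ABR summary for 10.2.0.0/16 (DN clear).
SAMPLE_LSAS = [
    build_lsa_header(SUMMARY_LSA, "10.1.0.0", "192.0.2.2", dn=True),
    build_lsa_header(SUMMARY_LSA, "10.2.0.0", "192.0.2.9"),
]

if __name__ == "__main__":
    print("PE default:", usable_summaries(SAMPLE_LSAS))
    print("vrf-lite  :", usable_summaries(SAMPLE_LSAS, vrf_lite=True))
```

The first call shows the CE silently losing 10.1.0.0/16; the second shows what capability vrf-lite restores.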

Saturday 16 March 2013

max-reserved-bandwidth

To change the percentage of interface bandwidth that can be allocated to Resource Reservation Protocol (RSVP), class-based weighted fair queueing (CBWFQ), low latency queueing (LLQ), IP RTP Priority, Frame Relay IP RTP Priority, Frame Relay PVC Interface Priority Queueing (PIPQ), or the hierarchical queueing framework (HQF), use the max-reserved-bandwidth command in interface configuration mode. The default is 75 percent; the remainder is kept for overhead such as routing protocol and Layer 2 keepalive traffic.


http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1054626

Thursday 14 March 2013

Frame Relay RTP Priority

map-class frame-relay <NAME>
frame-relay ip rtp priority <LOW PORT NUMBER> <PORT RANGE> <BANDWIDTH>

Don't forget to configure frame-relay fragmentation (FRF.12) as RTP Priority doesn't work without frame-relay fragmentation.
map-class frame-relay <NAME>
frame-relay fragmentation <SIZE>

Frame Relay Traffic Shape

R1(config)# map-class frame-relay <CLASS-NAME>
R1(config-map-class)# frame-relay cir <CIR>
R1(config-map-class)# frame-relay bc <Bc>
R1(config-map-class)# frame-relay be <Be>

Apply to a PVC:
R1(config-if)# frame-relay interface-dlci <DLCI>
R1(config-fr-dlci)# class <CLASS-NAME>

Apply to the whole interface:
R1(config-if)# frame-relay class <CLASS-NAME>


CIR = Bc / Tc

Be = (AR - CIR) * Tc

AR = Access Rate, the actual physical interface speed.
Tc = the shaping interval, so Bc is the number of bits sent per interval at the committed rate and Be is the extra burst the interface can physically push in the same interval.


Don't forget to enable traffic shaping on the interface first, otherwise the map-class is never applied:

R1(config-if)# frame-relay traffic-shaping





http://www.ine.com/resources/01700368.htm

Serial Link Compression

PPP Predictor:
Less CPU, more memory, less efficient.
R1(config-if)# compress predictor

HDLC Stacker (LZ):
More CPU, less memory, more efficient.
R1(config-if)# compress stacker

Frame Relay FRF.9 Compression
R1(config-if)# frame-relay map ip <IP-ADDRESS> <PVC> broadcast IETF payload-compression FRF9 stac one-way-negotiation

Selective Packet Discard

It applies a form of random packet drop to the interface FIFO input queue (the process-level input hold queue), so that when the queue fills, ordinary packets are dropped before routing-protocol and keepalive packets.
The spd commands are hidden from the IOS parser (no ? help), but they can still be entered.

ip spd enable

ip spd mode aggressive --> malformed ("bad") IP packets are dropped as soon as the minimum threshold of the input hold queue is reached

spd headroom <x> --> extra queue space above the hold-queue limit reserved for priority packets: BGP, IGP, L2 keepalives

spd extended-headroom <x> --> a further reserve above the headroom, for IGP and L2 keepalives only

ip spd queue max-threshold <x>

ip spd queue min-threshold <x>

show ip spd

http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a008012fb87.shtml

Saturday 2 March 2013

Don't Miss the Permit Sequence in route-map

While modifying BGP route attributes with a route-map, always remember to add a bare permit entry (no match clause) at the end, or you'll end up filtering every route that isn't matched by an earlier entry: a route-map ends with an implicit deny.
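As an added example, not from the original post: a Python simulation of first-match route-map evaluation over constructed routes, run with and without the trailing permit, to make the implicit deny visible. The Route and Entry classes, the simplified exact-prefix matching and the sample maps are this example's own.

```python
"""First-match route-map evaluation, showing the implicit deny at the end.

Added example, not from the original notes; the routes and map entries are
constructed and matching is simplified to exact prefix strings.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    local_pref: int = 100


@dataclass
class Entry:
    seq: int
    action: str                          # "permit" or "deny"
    match: Tuple[str, ...] = ()          # () means the entry matches everything
    set_local_pref: Optional[int] = None


def apply_route_map(entries: List[Entry], routes: List[Route]) -> List[Route]:
    """Return the routes the map lets through, with set clauses applied.

    Entries are tried in sequence order; the first one whose match clause
    fits decides. A route that reaches the end without matching any entry is
    dropped: that is the implicit deny.
    """
    accepted = []
    for route in routes:
        for entry in sorted(entries, key=lambda e: e.seq):
            if entry.match and route.prefix not in entry.match:
                continue                 # no match: try the next sequence number
            if entry.action == "permit":
                out = route if entry.set_local_pref is None \
                    else replace(route, local_pref=entry.set_local_pref)
                accepted.append(out)
            break                        # first match decides; a deny drops the route
    return accepted


# Constructed inbound routes from a peer.
ROUTES = [Route("10.0.0.0/8"), Route("10.1.0.0/16"), Route("192.168.0.0/16")]

# Only the entry that sets the attribute: everything it doesn't match is filtered.
MAP_WITHOUT_PERMIT = [Entry(10, "permit", ("10.0.0.0/8",), set_local_pref=200)]

# Same map plus an empty permit at the end that passes unmatched routes unchanged.
MAP_WITH_PERMIT = MAP_WITHOUT_PERMIT + [Entry(20, "permit")]

if __name__ == "__main__":
    for name, rmap in (("without permit", MAP_WITHOUT_PERMIT), ("with permit", MAP_WITH_PERMIT)):
        print(name, [(r.prefix, r.local_pref) for r in apply_route_map(rmap, ROUTES)])
```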

Thursday 28 February 2013

Redistribute iBGP Routes into IGP

Issuing the redistribute bgp command under an IGP only redistributes eBGP-learnt routes into the IGP. To also redistribute iBGP-learnt routes, bgp redistribute-internal must be configured under router bgp.

To avoid routing loops, and to stop the redistributed IGP routes pre-empting the iBGP routes they came from, it's recommended to raise the IGP AD above the iBGP AD (200).

BGP RIB-failure and bgp suppress-inactive

RIB-failure means that although the BGP path is valid (next hop reachable) and selected as best, it is not installed in the routing table. The most common reason is that an exact match for the prefix is already in the routing table from a source with a better administrative distance; for iBGP-learnt routes (AD 200) any IGP wins.

Such RIB-failure routes are still advertised to BGP peers by default, because the hidden default no bgp suppress-inactive exists under router bgp. With bgp suppress-inactive configured, they are no longer advertised to peers.

BGP Decision Process and AS_CONFED_SET

An entire AS_CONFED_SET counts as a single entry when comparing AS_PATH length.

Saturday 23 February 2013

EBGP Session from Loopback without Increasing TTL

Instead of using neighbor ebgp-multihop, the neighbor disable-connected-check command is used to disable the connection verification process for eBGP peering sessions that are reachable by a single hop but are configured on a loopback interface or otherwise configured with a non-directly connected IP address.

http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_n1gt.html#wp1109875

Enforce Specific Router to Establish BGP Session

Normally the router with the lowest IP address is the one that establishes the BGP session to remote TCP port 179. However, as defined in RFC 4271 (A Border Gateway Protocol 4) under BGP Connection Collision Detection, when both sides open a connection at the same time the session originated by the device with the higher BGP router-id is kept and the other session is dropped.

To force a router to always act as the BGP client (establishing the TCP session from a high-numbered TCP port to TCP 179), configure loopback addresses in the neighbor command and set update-source on the router that should always be the client.

Sunday 17 February 2013

Resource Limitation in OSPF

Limit maximum number of LSAs in the database:
R1(config-router)#max-lsa <1-4294967294>

Limit maximum number of redistributed routes:
R1(config-router)#redistribute maximum-prefix <1-4294967294>

To specify the minimum percentage of CPU process time OSPF takes before the CPU should yield to a process with a higher priority:
R1(config-router)#process-min-time percent <1-100>

http://www.cisco.com/en/US/docs/ios/iproute_ospf/command/reference/iro_osp2.html

Sub-second Hello Interval in OSPF

R1(config-if)#ip ospf dead-interval minimal hello-multiplier <3-20>

Saturday 16 February 2013

OSPF Summary and Discard Route

R1(config-router)#area 0 range 100.0.0.0 255.255.192.0
R1(config-router)#no discard-route internal

As with BGP and EIGRP, when summarising networks in OSPF a route to the Null0 interface is added automatically, so packets for parts of the summary with no more specific route are dropped instead of following a default route back and looping. The no discard-route command stops OSPF from generating that route.

Conditional Default Route with IP SLA in OSPF

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo x.x.x.x
R1(config-ip-sla-echo)#frequency y
R1(config-ip-sla-echo)#exit
R1(config)#ip sla schedule 1 life forever start-time now
R1(config)#track 1 ip sla 1
R1(config)#ip route 1.0.0.1 255.255.255.255 Null0 track 1
R1(config)#ip prefix-list TRACK_DUMMY permit 1.0.0.1/32
R1(config)#route-map TRACK_IPSLA permit 10
R1(config-route-map)#match ip address prefix-list TRACK_DUMMY
R1(config-route-map)#exit
R1(config)#router ospf 1
R1(config-router)#default-information originate always route-map TRACK_IPSLA

The route-map only matches while 1.0.0.1/32 is actually in the routing table, which is why the dummy prefix is installed as a static route tied to the tracker (that static route was missing from the original note): when the probe fails, the tracked static is withdrawn, the route-map stops matching and the default route is no longer originated.

OSPF Type 7 to 5 Translation


  • The ABR with the highest router-id does the translation (avoids unnecessary, redundant LSA generation)
  • The forwarding address is preserved in the translated Type 5
  • No Type 4 ASBR-summary LSA is generated, since the forwarding address is preserved
  • The final forwarding path is still calculated independently, by resolving the forwarding address