Saturday 22 December 2012

Frame-Relay PVC Switching

R1(config)#frame-relay switching
R1(config)#int s1/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay intf-type dce
R1(config-if)#clock rate <speed>
R1(config-if)#frame-relay route <pvc-number-1> interface s2/0 <pvc-number-2>

Saturday 15 December 2012

OSPF Network Types Summary


Interface Type                     Uses DR/BDR?   Dynamic Neighbour Discovery   Default Hello Interval   Cisco Proprietary
broadcast                          Yes            Yes                           10                       Yes
nonbroadcast                       Yes            No                            30                       No
point-to-point                     No             Yes                           10                       Yes
Loopback                           No             -                             -                        Yes
point-to-multipoint                No             Yes                           30                       No
point-to-multipoint nonbroadcast   No             No                            30                       Yes

OSPF Frame-Relay Point-to-multipoint Host Routes


OSPF automatically adds a host (/32) route for each neighbour on a point-to-multipoint network. This effectively does the job of a DLCI map command.

R1:


router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.0.255 area 0

interface Serial1/0.1 multipoint
 ip address 192.168.0.1 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 101
 frame-relay interface-dlci 102
 frame-relay interface-dlci 103

show ip route:

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.2 [110/65] via 192.168.0.2, 00:09:13, Serial1/0.1
     20.0.0.0/24 is subnetted, 1 subnets
O       20.20.20.0 [110/65] via 192.168.0.2, 00:09:13, Serial1/0.1
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.0.0/24 is directly connected, Serial1/0.1
O       192.168.0.2/32 [110/64] via 192.168.0.2, 00:09:13, Serial1/0.1


Order of Operation for an Interface

     NAT in -> out       NAT out -> in
 1   decryption          decryption
 2   input ACL           input ACL
 3   input policing      input policing
 4   input accounting    input accounting
 5   PBR                 NAT G->L
 6   redirect            PBR
 7   NAT L->G            redirect
 8   crypto map          crypto map
 9   output ACL          output ACL
10   IOS FW              IOS FW
11   TCP intercept       TCP intercept
12   encryption          encryption
13   queuing             queuing


CCNP TSHOOT-640-832 Official Certification Guide - Chapter 10
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Wednesday 12 December 2012

Comparing the bandwidth and priority Commands of a QoS Service Policy

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080103eae.shtml

Multicast Source Discovery Protocol (MSDP)


  • Anycast RP
    • load balancing between RPs
    • faster recovery after RP failure (IGP convergence time)
  • Inter-domain Multicast Routing
    • send Source Active (SA) messages over TCP every 60s
    • configuration: ip msdp peer <peer-address>

PIM Modes

Protocol Independent Multicast - Dense Mode (PIM-DM): uses Source Tree / Shared Path Tree (SPT)
Protocol Independent Multicast - Sparse Mode (PIM-SM): uses Shared Tree / Root Path Tree (RPT)

Embedding an IPv6 Rendezvous Point (RP) Address in an IPv6 Multicast Address

See here:

https://tools.ietf.org/html/rfc3956
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6552/whitepaper_c11-508498.html

Source Specific Multicast Address Ranges

IPv4: 232.0.0.0/8
IPv6: FF3x::/32

http://tools.ietf.org/html/rfc4607
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6552/ps6594/product_data_sheet0900aecd80320fb8.pdf
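The two notes above (embedded-RP addresses per RFC 3956 and the SSM ranges per RFC 4607) are easy to get wrong by eye, so here is an added example, not code from the original notes or from Cisco, that classifies a multicast group address and, for an RFC 3956 group, recovers the embedded RP address. It uses only the Python standard library; the sample addresses in the test are constructed for illustration. It goes slightly beyond the notes by also rejecting malformed embedded-RP addresses (reserved RIID 0, non-zero reserved nibble, prefix length over 64).

```python
import ipaddress

# RFC 4607 SSM ranges as quoted in the notes
SSM_V4 = ipaddress.IPv4Network("232.0.0.0/8")


def is_ssm(addr) -> bool:
    """True for 232.0.0.0/8 (IPv4) or FF3x::/32 (IPv6)."""
    if addr.version == 4:
        return addr in SSM_V4
    p = addr.packed
    # FF3x::/32: first byte 0xFF, flags nibble 0x3 (P=1, T=1), bits 16-31 zero
    return p[0] == 0xFF and (p[1] >> 4) == 0x3 and p[2] == 0 and p[3] == 0


def embedded_rp(addr):
    """Return the RP address embedded in an RFC 3956 group address, or None.

    Layout: FF | flgs(0111) scop | rsvd RIID | plen | 64-bit prefix | 32-bit group ID
    RP address = prefix (first plen bits, rest zero) with RIID in the low 4 bits.
    """
    if addr.version != 6 or not addr.is_multicast:
        return None
    p = addr.packed
    if (p[1] >> 4) != 0x7:          # flags must be 0111: R=1, P=1, T=1
        return None
    rsvd, riid = p[2] >> 4, p[2] & 0x0F
    plen = p[3]
    if rsvd != 0 or riid == 0 or plen == 0 or plen > 64:
        raise ValueError("malformed embedded-RP address: %s" % addr)
    prefix = int.from_bytes(p[4:12], "big")
    prefix &= ((1 << plen) - 1) << (64 - plen)   # keep only the first plen bits
    return ipaddress.IPv6Address((prefix << 64) | riid)


def classify(text: str) -> dict:
    """Label an address as unicast, ssm, embedded-rp (with the RP) or asm."""
    addr = ipaddress.ip_address(text)
    if not addr.is_multicast:
        return {"address": text, "kind": "unicast"}
    if is_ssm(addr):
        return {"address": text, "kind": "ssm"}
    rp = embedded_rp(addr)
    if rp is not None:
        return {"address": text, "kind": "embedded-rp", "rp": str(rp)}
    return {"address": text, "kind": "asm"}


if __name__ == "__main__":
    # constructed sample groups, not taken from any real deployment
    for g in ("232.1.2.3", "239.1.1.1", "FF3E::8000:1",
              "FF7E:240:2001:DB8:BEEF:FEED::1234", "FF7E:120:2001:DB8:1234:5678::1"):
        print(classify(g))
```

The second embedded-RP sample has plen 0x20 (32), so the prefix must be masked before the RP is rebuilt; skipping that mask is the usual mistake when this is done by hand.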

Telnet and SSH from Different VRF

telnet <ip-address> /vrf <vrf-name>
ssh -l <username> -vrf <vrf-name> <ip-host>

https://supportforums.cisco.com/thread/247590
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/vrf.html#wp1082389

VRF Definition in IPv6 (Multiprotocol VRF)

vrf definition [vrf-name]

creates a multiprotocol VRF for both IPv4 and IPv6

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ipv4_ipv6.html

Sunday 9 December 2012

VTP Advertisements

VTP advertisements can occur in three forms:

  1. Summary advertisement
    1. sent every 5 minutes
    2. information included:
      1. VTP version
      2. domain name
      3. configuration revision number
      4. time stamp
      5. MD5 hash code
      6. number of subset advertisements to follow
  2. Subset advertisement
    1. sent after the VLAN configuration changes
    2. information included:
      1. VTP version
      2. subset sequence number
      3. domain name
      4. configuration revision number
      5. VLAN info field
  3. Advertisement requests from clients
    1. a VTP client can request the VLAN information it lacks

CCNP SWITCH 642-813 Official Certification Guide

Interoperability between Classic Spanning Tree Protocol (802.1D) and Rapid Spanning Tree (802.1w)


  • The inherent fast-convergence benefits of 802.1w are lost when it interacts with legacy bridges.
  • Each port maintains a variable that defines the protocol to run on that segment.
  • A migration delay timer of three seconds starts when the port comes up.
  • Migration delay timer resets if port changes its mode of operation.
  • Classic 802.1D timers (forward delay and max_age) are only used as backup and should not be necessary if point-to-point links and edge ports are properly identified and set by the administrator.


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

RSVP Maximum Reservable Bandwidth

By default 75% of the bandwidth available on the interface is reservable for RSVP.
To change this, the max-reserved-bandwidth interface command can be used.

Saturday 8 December 2012

QoS Requirements of Data


  • Best-effort data
    • DSCP 0
    • adequate bandwidth, reserve at least 25% of bandwidth
  • Bulk data: 
    • DSCP AF11; excess AF12 or AF13
    • moderate bandwidth guarantee but constrained
  • Transactional / Interactive data:
    • DSCP AF21; excess AF22 or AF23
    • adequate bandwidth
  • Locally defined mission-critical data:
    • AF31; excess AF32 or AF33
    • adequate bandwidth


End-to-End QoS Network Design - Chapter 2

NBAR Restrictions

NBAR doesn't support the following:


  • Non-IP traffic
  • Multicast and other non-CEF switching modes
  • Asymmetric flows with stateful protocols
  • Packets that are originated from or that are destined to the router running NBAR
  • Pipelined persistent HTTP requests.
  • URL/host/MIME classification with secure HTTP.
  • MPLS labelled packets.
  • Fragmented packets
  • following interfaces:
    • Fast EtherChannel
    • Interfaces where tunnelling or encryption is used
  • ...


BGP Backdoor

Can be used to favour an IGP route over an eBGP route to the same prefix, since the default administrative distance of eBGP is lower than that of any IGP and the eBGP route would otherwise win.

network <network address> backdoor

The specified network address is treated as a local entry, but not advertised as a normal network entry.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpbackdoor

Sunday 2 December 2012

Disable PIM-SM Switchover to SPT

ip pim [vrf vrf-name] spt-threshold {kbps | infinity} [group-list access-list]

infinity: causes all sources for the specified group to use the shared tree.

http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1049494

SSH v2 Minimum Key Size

For SSH Version 2, the modulus size must be at least 768 bits.


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html#wp1055056
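A quick way to check the 768-bit minimum against keys you actually have is to read the modulus length out of the public key. The following is an added example, not from the original notes or from Cisco: it encodes and parses the OpenSSH one-line ssh-rsa format (RFC 4253 wire encoding: string "ssh-rsa", mpint e, mpint n) with the Python standard library and reports which keys fall below the minimum. The moduli in the test are constructed bit patterns of a chosen length, not real keys.

```python
import base64
import struct

MIN_SSH2_MODULUS_BITS = 768   # minimum quoted in the note above


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian, length-prefixed, leading 0x00 if top bit set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b


def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa <base64> <comment>' line."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def rsa_modulus_bits(line: str) -> int:
    """Parse an OpenSSH ssh-rsa line and return the modulus size in bits."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    pos = 0

    def read_field() -> bytes:
        nonlocal pos
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        value = blob[pos:pos + length]
        pos += length
        return value

    if read_field() != b"ssh-rsa":
        raise ValueError("key type inside blob is not ssh-rsa")
    read_field()                          # public exponent, not needed here
    n = int.from_bytes(read_field(), "big")
    return n.bit_length()


def audit(lines) -> list:
    """Return one record per key: comment, modulus bits, and whether it meets the minimum."""
    out = []
    for line in lines:
        bits = rsa_modulus_bits(line)
        comment = line.split()[2] if len(line.split()) > 2 else ""
        out.append({"comment": comment, "bits": bits,
                    "ok": bits >= MIN_SSH2_MODULUS_BITS})
    return out


if __name__ == "__main__":
    # constructed moduli of a known bit length; NOT real keys
    sample = [
        build_rsa_pubkey_line(65537, (1 << 511) | 1, "weak-512"),
        build_rsa_pubkey_line(65537, (1 << 767) | 1, "min-768"),
        build_rsa_pubkey_line(65537, (1 << 2047) | 1, "ok-2048"),
    ]
    for rec in audit(sample):
        print(rec)
```

Only the modulus length is checked here; 768 bits is the IOS floor for SSHv2, not a recommendation, and a real audit would flag anything below current guidance for your environment.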

TACACS Summary


  • Authentication and Authorisation are done at different stages
  • TCP port 49
  • Encrypts the entire payload
  • Cisco proprietary

SNMPv3 Encryption Algorithms

In the AES and 3-DES Encryption Support for SNMP Version 3 feature, Cipher Block Chaining/Data Encryption Standard (CBC-DES) is the privacy protocol. Originally only DES was supported (as per RFC 3414). This feature adds support for AES-128 (as per RFC 3826) as well as AES-192, AES-256 and 3-DES.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/snmpv3ae.html#wp1053786

Access List Entry log and log-input

The log and log-input options apply to an individual ACE and cause packets that match the ACE to be logged. The log-input option enables logging of the ingress interface and source MAC address in addition to the packet's source and destination IP addresses and ports.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html#2

IP Source Guard and DHCP Snooping with Option 82

When IP source guard is enabled in IP and MAC filtering mode, the DHCP snooping option 82 must be enabled to ensure that the DHCP protocol works properly. Without option 82 data, the switch cannot locate the client host port to forward the DHCP server reply. Instead, the DHCP server reply is dropped, and the client cannot obtain an IP address.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dhcp.html#wp1083306

https://supportforums.cisco.com/thread/145470

Saturday 1 December 2012

port-filter Class-map Type

You can apply the port-filter policy feature to the control-plane host subinterface to block traffic destined to closed or nonlistened TCP/UDP ports.

Closed-ports—Matches automatically on all closed-ports on the router.

show control-plane host open-ports

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html#wp1109374

Hash Value Generation for Access Control Entry

ip access-list logging hash-generation

Cisco IOS routers generate syslog entries for log-enabled ACEs. The system appends a tag (either a user-defined cookie or a router-generated MD5 hash value) to ACE syslog entries. This tag uniquely identifies the ACE, within an access control list (ACL), that generated the syslog entry.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i1.html#wp1042763