Thursday, June 25, 2009

Quick Notes

QOS

• Class class-default needs “fair-queue” if “bandwidth” was not specified.
• When using “ip rsvp bandwidth” on a sub-interface, it must also be configured on the main interface.
• When using multiple sub-interfaces with “ip rsvp bandwidth”, the main interface should be configured with the sum of all sub-interfaces.
• RSVP requires fair-queue to be enabled. With FRTS, WFQ is disabled by default; re-enable it with “frame-relay fair-queue” in the map-class.
• When doing MQC configurations using the bandwidth percent command, do not forget to change “max-reserved-bandwidth %”.
• Custom queueing defaults – Byte-count = 1500 bytes & Queue-limit = 20.
• Know the NBAR mime categories: “image/*” or “audio/*” or “application/*” or “text/*”
• Voice EF class = 46 decimal and 101110 in dscp-binary.
• FRTS formulas:
Bc = CIR * Tc
Be = (CAR – CIR) * Tc
• WRED formula:
= (1/MPD)
• CAR (Police) formula:
Bc = CIR / 8 * Tc (Default Tc = 1.5 seconds)
Be = 2 * Bc

Multicast

• BSR is also commonly referred to as PIMv2.
• Pay special attention when using Frame-Relay non-broadcast interface types: multicast will not work, and tunnels might be needed.
• BSR – when multiple C-RPs announce the same groups, the longest match is used to determine the RP, regardless of the RP priority set.
• With TTL scoping, if the packet TTL >= the interface TTL threshold, the packet is forwarded; otherwise it is dropped.
• GRE tunnel – if the unicast source is reachable via the tunnel, an RPF failure will occur. Correct it with a static mroute.
• Know how to spot RPF failures.
• Multicast Filtering:
1. Q – Prevent PIM neighbor establishment, but allow IGMP client joins?
A – On the central router: “ip pim neighbor-filter”; on the stub router: “ip igmp helper-address”
2. Q – Filter specific multicast groups, while still allowing IGMP traffic?
A – “ip multicast boundary {acl}”
3. Q – Deny clients from joining specific multicast groups?
A – “ip igmp access-group {acl}”
4. Q – Statically filter RP requests and responses (no Auto-RP, no BSR)?
A – “ip pim rp-address {IP} {acl}”
5. Q – Client RP filtering: limit join/prune messages for specific RPs?
A – “ip pim accept-rp {RP-IP/auto-RP} {acl}”
6. Q – Auto-RP – Limit the Candidate-RP announcements?
A – “ip pim send-rp-announce {int} scope {no} group-list {acl}”
7. Q – Auto-RP – Limit what mgroups an MA accepts from specific RPs?
A – “ip pim rp-announce-filter rp-list {acl} group-list {acl}”
8. Q – Filter the BSR messages on an interface?
A – “ip pim bsr-border”
9. Q – Limit the number of multicast routes in the mrouting table?
A – “ip multicast route-limit”
10. Q – Limit the rate at which a source can send traffic to a group on an interface?
A – “ip multicast rate-limit group-list {acl} {kbps}”

IPv6

• RIPng – “no ip split-horizon” is a process command, not an interface command.
• EIGRPv6 – Do not forget to enable EIGRP under the process.
• IPv6 tunnel method with the least overhead: IPv6IP.
• Tunnel protocol numbers for ACLs: IPv6IP = protocol 41, GRE IPv6 = protocol 47.
• You cannot redistribute a default static route (::/0) with OSPFv3.
• Dynamic information (i.e. IGP next-hops) recurses to the remote link-local address, not the global unicast interface address.

Security

• Know how to use extended access-lists in distribute-lists; see the Brian McGahan @ INE article.
• Know how to use extended access-lists instead of prefix-lists; see the Brian Dennis @ INE article.
• Know your binary voodoo, as Scott Morris @ INE calls it, Part I & Part II.
• Don’t forget to allow IGPs, BGP, multicast, IPv6 and any other needed protocols when adding an ACL to an interface.
• Know when to use the “established” keyword.
• When matching multicast traffic in an extended ACL, remember that a multicast address can NEVER be a source.
• Allowing Telnet to a local router on a port other than 23: Option 1 – rotary command, or Option 2 – port NAT.
• NBAR can be used if you are not forbidden from using ACLs. You can also map undefined custom ports with “ip nbar port-map custom”.
• Dynamic ACL time-outs are specified in the ACL entry: “dynamic NAME timeout {x} permit tcp any any eq 80”.
• When configuring SSH, don’t forget to specify a domain-name and generate your RSA keys.

IP-Services

• “no service config” – Stops the router from automatically trying to load config files via TFTP.
• WCCP uses UDP port 2048 and protocol 47 (GRE).
• If the question talks about router discovery, think IRDP.
• DNS server config: “ip dns server” & “ip host”
• DNS client config: “ip domain-lookup” & “ip name-server”
• DHCP stands for Don’t Hit Computer People.
• DHCP option 82 = dhcp-relay.
• DHCP option 66 = hands out the IP address of the TFTP server.
• When configuring DHCP, if earlier in the switching section you configured DHCP snooping, you must configure the port connecting to the DHCP server as trusted.
• In case DHCP was configured, you need either “no ip dhcp snooping information option” on the switch OR “ip dhcp relay information trust” on the DHCP router.
• HSRP timers only need to be configured on one of the participating routers.
• HSRP uses UDP port 1984.
• When using HSRP with earlier configured port-security, you might need to allow the HSRP MAC 0000.0c07.acxx – where xx is the group number in hex.

BGP

• When using communities, don’t forget “neighbor send-community”.
• Know your attributes, the direction in which each is applied, and when to use which.
• “aggregate-address” needs a more specific prefix in the BGP table for the aggregate to be advertised.
• The synchronization issue has 3 solutions: 1 – run BGP on all transit routers, 2 – GRE tunnel, 3 – redistribute BGP > IGP.
• “no bgp nexthop trigger” – Disables next-hop tracking between scanner intervals.
• “no bgp fast-external-fallover” – Forces the router to wait for the dead-timer to expire before generating notification messages when a connected peer goes down.
• “neighbor fall-over” – Checks neighbor connectivity between scanner intervals, aka BGP fast peering.
• Only the holdtime is sent in the update message. Two neighbors will use the lowest holdtime and then calculate the keepalive from that.
• Know your regular expressions.
• Know the difference between peer-groups and peer-templates.

RIP

• Know your filters: offset-list, distribute-lists, distance command.
• With filters, read carefully: “between 25 & 45” or “from 25 to 45”.
• Know your prefix-lists, or alternatively how to use ACLs instead.
• The “passive-interface” command ONLY stops the sending of updates out of the interface. The interface will still receive and process updates, and passive interfaces will still be advertised in other updates.

EIGRP

• Advertising a default route out one interface: “ip summary-address eigrp [AS] 0.0.0.0 0.0.0.0”
• To see if a neighbor is configured as a stub, use “show ip eigrp neighbors [detail]” and look for ‘CONNECTED SUMMARY’.
• On frame-relay multipoint interfaces, don’t forget to disable split-horizon.
• The AD of external EIGRP routes (admin distance = 170) can NOT be changed on a per-prefix basis.
• Metric weight values (K1 K2 K3 K4 K5):
1 0 1 0 0 = Default
0 0 1 0 0 = Only DLY
1 0 0 0 0 = Only BW
3 0 1 0 0 = BW has 3 times more weight reference than DLY
• Metric formula:
Metric = ((10^7 / BW) + (DLY / 10)) * 256
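Added example (not from the original notes): the EIGRP composite metric written out as a function of the K-values, so the metric weight variants listed above can be tried against a sample path. The notes give only the default K1=1, K3=1 form; the full classic formula with the load and reliability terms is used here, and the interface values are constructed.

```python
# Added example, not from the original notes: the EIGRP composite metric as a
# function of the K-values, so the "metric weights" table above can be tried out.
# The notes give only the default (K1=1, K3=1) form; the full classic formula is
# used here. Interface values below are constructed sample inputs.

def eigrp_metric(min_bw_kbps, total_delay_usec, k=(1, 0, 1, 0, 0),
                 load=1, reliability=255):
    """Classic (32-bit) EIGRP composite metric.

    min_bw_kbps      -- lowest bandwidth along the path, in kbit/s
    total_delay_usec -- sum of interface delays along the path, in microseconds
    k                -- (K1, K2, K3, K4, K5), as in 'metric weights 0 K1 K2 K3 K4 K5'
    load, reliability -- 1..255 as shown by 'show interfaces'
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps       # scaled bandwidth, integer division as IOS does
    dly = total_delay_usec // 10    # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5:                          # reliability term only applies when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def path_metric(interfaces, k=(1, 0, 1, 0, 0)):
    """Metric for a path given [(bandwidth_kbps, delay_usec), ...] per hop:
    bandwidth is the minimum along the path, delay is the sum."""
    min_bw = min(bw for bw, _ in interfaces)
    total_dly = sum(dly for _, dly in interfaces)
    return eigrp_metric(min_bw, total_dly, k)

# Constructed sample path: FastEthernet (100 Mbit/s, 100 usec) then a T1 serial
# (1544 kbit/s, 20000 usec); default weights versus the variants in the table.
PATH = [(100000, 100), (1544, 20000)]

if __name__ == "__main__":
    for label, weights in [("default", (1, 0, 1, 0, 0)),
                           ("only DLY", (0, 0, 1, 0, 0)),
                           ("only BW", (1, 0, 0, 0, 0)),
                           ("BW x3", (3, 0, 1, 0, 0))]:
        print(f"{label:9s} {weights} -> {path_metric(PATH, weights)}")
```

Note that the T1 hop dominates the default metric because its scaled bandwidth term (10^7/1544 = 6476) dwarfs the FastEthernet term, which is why "only DLY" gives such a different answer.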

OSPF

• The neighbor IP used with the OSPF distance command is the neighbor’s router-ID.
• “area range” summarizes type 3 LSAs.
• “summary-address” summarizes type 5 & 7 LSAs.
• Auto-cost reference BW (default = 100 Mb); formula = Ref-BW / Int-BW.
• Switches do not support the interface command “ip ospf {pid} area {area-id}”.
• OSPF path selection: O > O*IA > O*E1 > O*E2.
• Using E1 metric type: packets will be routed out the closest exit point of the network.
• Using E2 metric type: use it if you want packets to exit your network at the point closest to their external destination.
• Don’t forget, with a hub and spoke topology, “ip ospf priority 0”.
• PITFALL: when forbidden to use a RID, loopbacks created later on might change the DR on your network after a reload.
• PITFALL: when forbidden to use a RID, being asked later to configure the same loopback on two routers could break your adjacencies, as two routers can’t peer with the same RID.
• “no capability transit” – Mimics OSPFv1 behaviour, forcing all data traffic to pass through Area 0.
• “max-metric” – Configures OSPF stub router behaviour.
• “max-lsa” – Limits the number of non-local LSAs.
• “timers throttle lsa all” – Slows down the update rate.
• “timers pacing lsa-group” – Groups more LSAs together in updates.
• “no ip ospf flood-reduction” – Disables the 30-minute LSA DB refresh.
• “ip ospf database filter all out” – Breaks the RFC: stops sending LSAs, but still receives LSAs.

Frame-Relay

• DHCP on a frame interface: “frame-relay interface-dlci 555 protocol ip 166.166.166.2”
• When asked to disable INARP, be sure to do so on physical interfaces and any multipoint sub-interfaces.
• If you see 0.0.0.0 frame mappings, save your config and reload.
• The backup command can NOT be used on FR physical interfaces (no way to detect when they are back up).
• Back-to-back frame connections: disable keepalives with “no keep”.
• LMI keepalives are sent every 10 seconds. This interval can NOT be changed.
• LMI full status updates are requested every 60 seconds. This CAN be changed with “frame lmi-n391dte”.
• To ping the local interface IP, add a mapping for the local IP with any valid DLCI.

PPP

• To enter “?” in an authentication password, use either ESC-Q or CTRL-V.
• If two routers both using CHAP have the same hostname, “no ppp chap ignoreus” is required.
• “ppp authentication eap” can be used as an alternative to CHAP when MD5 is needed.
• “ppp link minimum” – number of links required for an MLP bundle to come up.
• With CHAP and PAP, know which side is the client and who is authenticating whom!
• Know PPPoFR, MLP, and the mixed combination formats.
