PfR Process flow

I came across a really good Performance Routing document, and I thought it should assist R&S v4 candidates. It has really great examples of the different scenarios along with implementations.

Here is a depiction of the PfR process flow for OER configuration:

Source: Cisco Design Land

Advertisements

R&S Quick Notes – Security & IP Services

Security

  • Know how to use extended access-lists in distribute-lists, see Brian McGahan article @INE.
  • Know how to use extended access-lists instead of prefix-lists, see Brian Dennis article @ INE.
  • Know your binary voodoo as Scott Morris @ INE calls it,  PartI & PartII.
  • Dont forget to allow IGP’s, BGP, Multicast , IPv6 and any other needed protocols when adding ACL to a interface.
  • Know when to use the “established” keyword.
  • When matching Multicast traffic in a extended ACL, remember that Multicast traffic can NEVER be a source.
  • Allowing Telnet to a local router on a port other then 23: Option 1- Rotary command or Option 2- Port NAT.
  • NBAR can be used if you not forbidden from using ACL’s.  You can also map undefined custom ports with “ip nbar port-map custom”
  • Dynamic ACL time-outs specified in the acl:  “dynamic NAME timeout {x} permit tcp any any eq 80”.
  • When configuring SSH, don’t forget to specify a Domain-name and generate your RSA keys.

IP-Services

  • “no service config” – Disables the router from auto-answering for tftp config files
  • WCCP uses udp port 2048 and protcol 47-GRE
  • If talk about router discovery > IRDP
  • DNS server config : “ip dns server” & “ip host”
  • DNS client config : “ip domain-lookup” & “ip name-server”
  • DHCP stands for Dont Hit Computer People
  • DHCP option-82 = dhcp-relay.
  • DHCP option-66 = Hand out IP address off TFTP server
  • When configuring DHCP and earlier in the swithcing section you configured DHCP snooping you must enable the port connecting to the DHCP server as trusted.
  • Incase DHCP was configured you need either “no ip dhcp snooping info option” on the switch OR “ip dhcp relay information trust” on the dhcp router.
  • HSRP timers only need to be configure on one of the participating routers.
  • HSRP uses UDP port 1984.
  • When using HSRP with earlier configured port-security, you might need to allow you HSRP MAC 0000.0c07.acxx – where XX is the group number in hex.

R&S Quick Notes – Multicast & IPv6

Multicast

  • BSR is also commonly referred to as PIMv2.
  • Pay special attention to when using Frame-Relay non-broadcast types. Multicast will not work. Tunnels might be needed.
  • BSR – when multiple c-RP announces same groups, a longer match will be used to determine the RP, regardless of the RP priority set.
  • With TTL scoping, if the Packet TTL >= Interface TTL, then the packet is forwarded, else dropped.
  • GRE-tunnel –  If the unicast source is reachable via tunnel, a RPF failure will occur. Correct with Mroute.
  • Know how to spot RPF failures.
  • Multicast Filtering:

1. Q – Prevent PIM neighbor establishments, but allow IGMP  client joins?

A – On Central router : “ip pim neighbors filter” & the Stub router : “ip igmp helper-address”

2. Q – Filter specific multicast groups, while still allowing IGMP traffic?

A – “ip multicast boundary {acl}”

3. Q – Deny clients from joining specific multicast groups?

A – “ip igmp access-group {acl}”

4. Q – Statically filter RP requests and responses, (no Auto-RP, no BSR)?

A – “ip pim rp address {IP} {acl}”

5. Q – Client RP filtering, Limit join/prune messages for specific RP’s?

A – “ip pim accept-rp {RP-IP/auto-RP} {acl}”

6. Q – Auto-RP – Limit the Candidate-RP’s announcements?

A – “ip pim send-rp-announce {int} scope {no} group-list {acl}”

7. Q – Auto-RP – Limit what mgroups a MA accept from specific RP’s?

A – “ip pim rp-announce-filter rp-list {acl} group-list {acl}”

8. Q – Filter the BSR messages on a interface?

A – “ip pim bsr-border”

9. Q – Limit the amount of multicast routes in the mrouting table?

A – “ip multicast route-limit”

10. Q – Limit the rate a source can sent traffic to a group on a interface?

A – “ip multicast rate-limit group-list {acl} {kbps}”

IPv6

  • RIPng – “no ip split-horizon” in a process command not a interface command.
  • EIGRPv6 – Do not forget to enable eigrp under the process.
  • IPv6 tunnel method with least overhead : IPv6IP
  • Tunnel protocol numbers for ACL’s : IPv6IP = Protocol-41,  &  GRE IPv6 = Protocol-47
  • You can not redistribute a default static route(::/0) with ospfv3.
  • Dynamic information (ie IGP next-hops)  recurses to remote link-local address, not the global unicast interface.

R&S Quick Notes – BGP

BGP

  • When using Communities, don’t forget “neighbor send-community”
  • Know your attributes and the direction which applied, when to used what.
  • “aggregate address” needs a more specific prefix in the BGP table for aggregate to be advertised.
  • Synchronization issue has 3 solutions, 1- Load BGP on all transit routers, 2- GRE tunnel, 3- Redistribution BGP>IGP.
  • “no bgp nexthop trigger” – Disables next-hop tracking between scanner intervals.
  • “no bgp fast-ext-fallover” – Force the router to wait for the dead-timer to expire, before generating notification messages , when a connected peer goes down.
  • “neighbor fall-over” – Will check neighbor connenctivity between scanner intervals, aka BGP Fast Peering.
  • Only the Holdtime is sent in update-msg. Two neighbors will use the lowest holdtime and then calculate the keepalive from that.
  • Know your Regular Expressions
  • Know the difference between Peer-Groups and Peer-Templates

R&S Quick Notes – Frame-Relay/PPP

Frame-Relay

  • DHCP on a frame interface : “frame-relay interface-dlci 555 protocol ip 166.166.166.2”
  • When asked to disable INARP, be sure to do so on physical interfaces any multipoint sub-interfaces.
  • If you see 0.0.0.0 frame mappings, save your config and reload.
  • The backup command CANNOT be used on FR physical interfaces. (no way to detect when back up)
  • Back-to-Back frame connections, disable keepalives with “no keep”
  • LMI keepalives sent every 10 seconds. This interval can NOT be changed.
  • LMI Full Status Updates are requested every 60 seconds. CAN be changed with “frame lmi-n391dte”.
  • To ping local interface IP, add a mapping for local IP with any valid DLCI.

PPP

  • To do “?” in authentication password, use either ESC-Q or CRTL-V.
  • If two routers both using CHAP has the same hostname “no ppp chap ignoreus” is required.
  • “ppp authentication eap” can be used as alternative to chap when md5 needed.
  • “ppp link minimum” – amount of links required for a MLP bundle to up.
  • With CHAP and PAP, know which side is the client and who is authenticating who!
  • Know PPPoFR, MLP, and the mix combination formats

R&S Quick Notes – Switching

With the insane amount of theory to go through before the big day comes, it is only normal for a couple of items to get lost in the masses. On top of that, regardless of the material you used to study, you are bound to come across a couple small things that you have not seen before. Apart from my 400 pages of everything there is to know for the R&S, I took the time to compile, format and index a book of my CCIE R&S short notes. While compiling all my notes,  labbing,  and reading the Cisco DOC and other blogs, that I made shorter list of the most important tid-bits and any beeg gothas to look out for on the big day.

Hope these help some of you :)

Switching Notes

  • If different VTP domain names between 2 switches, you cant use DTP. Must use manual trunking.
  • When configuring 802.1x, DO NOT forget to add “aaa authentication login default none”, else you might lock the switch and forfeit any points related to that switch.
  • Always confirm your MD5 to be same when configuring VTP PASSWORDS, with “sh vtp status”
  • To enable WCCP on a 3550, you have to change the SDM template to ‘extended-match’
  • STP Timers question-1: Change the STP timers when a port initially comes up to 44 sec.  Answer: Blocking is always 20 sec, (44-20 = 24/2) each listening and learning timers should be configured at 12 sec.
  • STP Timers question-2: Change the STP timers, that in the event of convergence, delay should be no more than 20 sec. Answer: (20/2) each listening and learning timers should be configured at 10 sec.
  • MAC-ACL’s will only match NON-IP traffic. 3560 sees IPv6 traffic as IP-traffic, but 3550 sees IPv6 traffic as NON-IP-traffic, so a 3550 can use a MAC-ACL for IPv6 traffic.
  • Ethertypes used with MAC-ACL’s not on DOC-CD/CMD-Help :

– 0x0806 : IP ARP
– 0x0800 : IPv4
– 0x86DD : IPv6
– 0x4242 : CST (Common Spanning Tree)
– 0xAAAA : All Cisco proprietary (VTP, STP, CDP, DTP, UDLD, PAgP)
– 0xFFFF : all NON-IP

  • VLAN-ACL’s: ONLY a ACL-Permit performs the “forward”/”drop” function in the access-map. A ACL-deny will be ignored. So to deny traffic with VLAN ACL’s, permit the traffic and use a “drop” action in the access-map.
  • Storm-Control: Multicast amount must be equal or greater that the broadcast amount.
  • Uplinkfast used when a direct link failure is detected.
  • Backbonefast – used to determine indirect link failure.
  • Root Bridge Election: 1-Lowest Bridge-ID (Priority [32768 ] + Sys-Id-Ext[=vlan]) & 2-Lowest MAC
  • Root Port Election: 1-Lowest cost to Root, 2-Lowest upstream Bridge-ID, 3-Lowest Port-ID (Port Priority + Port Number)
  • Influencing local Root Port election – change the Port Cost.
  • Influencing the Root Port of directly connected downstream switch – change the Port Priority.

Cisco CCIE R&S – 1st Time PASS

It is with great pleasure, pride and excitement that I am typing this, despite the painful agony of waiting a whole weekend for the result.
(My advice, NEVER do your lab on a Friday)

On Friday the 17th April, I passed the R&S Lab Exam on my 1st attempt with the Cisco Mobile-Lab in Bryanston SA.
It was an experience unlike anything I have had before, the build-up, the exam, the agony of waiting, then the result and now the afterglow.
My biggest fear was the possibility of becoming a statistic that most candidates only pass on the 2nd /3rd attempt.
But despite the natural fear and anxiety, Friday belonged to me,  it was my day to earn my number:

ccierouting_and_switching_colour

#24163

Now that I have taken the LAB, I can really share my comments and views regarding the structure/experience.

Continue reading “Cisco CCIE R&S – 1st Time PASS”