PfR Process flow

I came across a really good Performance Routing document, and I thought it should assist R&S v4 candidates. It has really great examples of the different scenarios along with implementations.

Here is a depiction of the PfR process flow for OER configuration:

Source: Cisco Design Land


R&S Quick Notes – Security & IP Services

Security

  • Know how to use extended access-lists in distribute-lists (see Brian McGahan's article at INE).
  • Know how to use extended access-lists instead of prefix-lists (see Brian Dennis's article at INE).
  • Know your "binary voodoo", as Scott Morris at INE calls it: Part I and Part II. Wildcard masks are the part that bites: a 0 bit must match, a 1 bit is "don't care".
  • Don't forget to allow the IGPs, BGP, multicast, IPv6 and any other protocols the topology needs when applying an ACL to an interface; the implicit "deny ip any any" takes the adjacencies down along with the traffic you meant to block.
  • Know when to use the "established" keyword: it matches TCP segments with the ACK or RST bit set (everything but the opening SYN), so it allows return traffic without stateful inspection.
  • When matching multicast traffic in an extended ACL, remember that a multicast address can NEVER be a source; group addresses only appear as destinations.
  • Allowing Telnet to the local router on a port other than 23: option 1, the rotary command; option 2, port NAT.
  • NBAR can be used to classify traffic when you are forbidden from using ACLs. You can also map undefined custom ports with "ip nbar port-map custom".
  • Dynamic ACL timeouts are specified in the ACL itself: "dynamic NAME timeout {x} permit tcp any any eq 80".
  • When configuring SSH, don't forget the hostname, a domain name ("ip domain-name") and generating the RSA keys ("crypto key generate rsa").
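The ACL bullets above (wildcard masks, "established", multicast never a source, the implicit deny) are easier to internalise with a model you can run. The following Python is an added example, not from the original notes and not Cisco code; the ACE/Packet classes, the sample ACL WAN_IN and all addresses are constructed for the demonstration. It evaluates an extended ACL the way IOS does (first match wins, implicit deny at the end) and lints for the "multicast as source" mistake.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the mask must match the base, a 1 bit is "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol; otherwise "tcp", "udp", "ospf", "pim", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # "eq <port>" on the destination; None = any port
    established: bool = False        # the "established" keyword (TCP only)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    tcp_flags: frozenset = field(default_factory=frozenset)   # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    if ace.established:
        # "established" matches only TCP segments with ACK or RST set, i.e. not the
        # opening SYN. It is a flag check, not connection tracking.
        if pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def lint_acl(acl: List[ACE]) -> List[Tuple[int, str]]:
    """Flag ACEs that can never match because every source address they cover is a
    multicast group address (group addresses only ever appear as destinations)."""
    problems = []
    for i, ace in enumerate(acl):
        b = int(ipaddress.IPv4Address(ace.src))
        w = int(ipaddress.IPv4Address(ace.src_wc))
        lowest = ipaddress.IPv4Address(b & (~w & 0xFFFFFFFF))
        highest = ipaddress.IPv4Address(b | w)
        if lowest in MULTICAST and highest in MULTICAST:
            problems.append((i, f"ACE {i}: source {ace.src} {ace.src_wc} is a multicast range and never matches"))
    return problems


# Constructed example: an inbound ACL on a WAN interface that must not break the control plane.
WAN_IN = [
    ACE("permit", "ospf", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ACE("permit", "pim", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ACE("permit", "tcp", "0.0.0.0", "255.255.255.255", "10.0.0.1", "0.0.0.0", dst_port=179),
    # return traffic towards the inside LAN only; inbound connection attempts fall through
    ACE("permit", "tcp", "0.0.0.0", "255.255.255.255", "10.1.0.0", "0.0.255.255", established=True),
    # the mistake the note warns about: a multicast group as the *source* never matches
    ACE("permit", "udp", "239.1.1.1", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    ACE("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    hello = Packet("ospf", "10.0.0.2", "224.0.0.5")
    syn = Packet("tcp", "203.0.113.5", "10.1.2.3", 80, frozenset({"SYN"}))
    ack = Packet("tcp", "203.0.113.5", "10.1.2.3", 80, frozenset({"ACK"}))
    print(evaluate(WAN_IN, hello), evaluate(WAN_IN, syn), evaluate(WAN_IN, ack))
    print(lint_acl(WAN_IN))
```

The OSPF hello is permitted, the inbound SYN to the LAN is denied while the ACK-bearing return segment is permitted, and the linter reports the ACE with the multicast source.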

IP-Services

  • “no service config” – stops the router from trying to fetch its configuration over TFTP at boot.
  • WCCP uses UDP port 2048 and IP protocol 47 (GRE).
  • If the task talks about router discovery, it means IRDP.
  • DNS server config: “ip dns server” & “ip host”.
  • DNS client config: “ip domain-lookup” & “ip name-server”.
  • DHCP stands for Don't Hit Computer People.
  • DHCP option 82 = the relay agent information option (inserted by DHCP snooping switches and relays).
  • DHCP option 66 = hands out the TFTP server name/address.
  • When configuring DHCP on a switch where you enabled DHCP snooping earlier in the switching section, the port facing the DHCP server must be made trusted.
  • A snooping switch inserts option 82 while leaving giaddr at 0.0.0.0, and a relay/DHCP router drops such packets by default. If DHCP snooping was configured you need either “no ip dhcp snooping information option” on the switch OR “ip dhcp relay information trust” on the DHCP router (“ip dhcp relay information trust-all” for all interfaces).
  • HSRP timers only need to be configured on one of the participating routers: the active router advertises them in its hellos and the others learn them.
  • HSRP uses UDP port 1985 (to 224.0.0.2).
  • When using HSRP with port-security configured earlier, you might need to allow the HSRP virtual MAC 0000.0c07.acXX, where XX is the group number in hex.
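The option 82 / giaddr interaction above is the one that silently breaks DHCP in a lab, so here is an added Python example (not from the original notes, not Cisco code) that builds a DISCOVER the way a snooping switch would forward it and applies the relay's default check. The message layout, the sub-option format (Cisco's default circuit-id/remote-id encoding) and all values are constructed for the example; `relay_decision` models the behaviour described in the bullet, not an actual IOS implementation.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(giaddr: str, options: bytes) -> bytes:
    """Minimal BOOTP/DHCP request (constructed sample): 236-byte fixed header, magic cookie,
    options, end marker. Only the fields this example inspects carry meaningful values."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op, htype, hlen, hops, xid, secs, flags
    fixed += b"\x00" * 12                                                # ciaddr, yiaddr, siaddr
    fixed += bytes(int(o) for o in giaddr.split("."))                    # giaddr (relay agent address)
    fixed += bytes.fromhex("001122334455") + b"\x00" * 10                # chaddr (16 bytes)
    fixed += b"\x00" * 192                                               # sname (64) + file (128)
    return fixed + DHCP_MAGIC + options + b"\xff"


def parse_options(msg: bytes) -> dict:
    """Return {option_code: raw_value} from the TLV area after the magic cookie."""
    if msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(data: bytes) -> dict:
    """Sub-options of the relay agent information option: 1 = circuit-id, 2 = remote-id."""
    subs, i = {}, 0
    while i < len(data):
        sub, length = data[i], data[i + 1]
        subs[sub] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_decision(msg: bytes, relay_information_trusted: bool = False) -> str:
    """Model of the IOS default: option 82 present while giaddr is 0.0.0.0 means relay
    information that no relay agent vouches for, so the message is dropped unless the
    receiving interface is configured with 'ip dhcp relay information trust'."""
    giaddr = msg[24:28]
    opts = parse_options(msg)
    if 82 in opts and giaddr == b"\x00\x00\x00\x00" and not relay_information_trusted:
        return "drop"
    return "forward"


def snooped_discover() -> bytes:
    """A DISCOVER as it leaves an access switch running DHCP snooping: the switch inserted
    option 82 but, being a layer-2 device, left giaddr at 0.0.0.0. Sub-option layout follows
    the Cisco default (type 0, length, VLAN/module/port; type 0, length, MAC); values are made up."""
    circuit_id = b"\x00\x04" + struct.pack("!HBB", 10, 0, 3)     # VLAN 10, module 0, port 3
    remote_id = b"\x00\x06" + bytes.fromhex("0011bb000001")      # switch MAC
    option82 = b"\x01" + bytes([len(circuit_id)]) + circuit_id + b"\x02" + bytes([len(remote_id)]) + remote_id
    options = b"\x35\x01\x01"                                    # option 53 = DHCPDISCOVER
    options += b"\x52" + bytes([len(option82)]) + option82       # option 82
    return build_dhcp("0.0.0.0", options)


def relayed_discover() -> bytes:
    """The same request after a router with 'ip helper-address' relayed it: giaddr is now set."""
    msg = snooped_discover()
    return msg[:24] + bytes([10, 1, 1, 254]) + msg[28:]


if __name__ == "__main__":
    print(relay_decision(snooped_discover()))          # drop
    print(relay_decision(snooped_discover(), True))    # forward
    print(relay_decision(relayed_discover()))          # forward
```

The first call is the failure you see in the lab (clients never get an address and the server shows nothing); the second is the "trust" fix on the router side, and the third shows why a relay that has already set giaddr is never affected.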

R&S Quick Notes – Multicast & IPv6

Multicast

  • BSR is part of PIMv2 and tasks commonly refer to it simply as “PIMv2”.
  • Pay special attention to Frame Relay non-broadcast interface types: multicast will not be replicated over them unless the maps carry the “broadcast” keyword, and tunnels might be needed.
  • BSR – when multiple C-RPs announce overlapping group ranges, the longest (most specific) group match determines the RP, regardless of the RP priority set.
  • With TTL scoping, if the packet TTL >= the interface TTL threshold, the packet is forwarded, else it is dropped.
  • GRE tunnel – if multicast arrives over the tunnel but the unicast route to the source points out another interface, the RPF check fails. Correct it with a static mroute.
  • Know how to spot RPF failures (“show ip rpf”, “debug ip mpacket”).
  • Multicast Filtering:

1. Q – Prevent PIM neighbor establishment, but still allow IGMP client joins?

A – On the central router: “ip pim neighbor-filter {acl}”; on the stub router: “ip igmp helper-address”

2. Q – Filter specific multicast groups, while still allowing IGMP traffic?

A – “ip multicast boundary {acl}”

3. Q – Deny clients from joining specific multicast groups?

A – “ip igmp access-group {acl}”

4. Q – Statically define the RP and restrict it to specific groups (no Auto-RP, no BSR)?

A – “ip pim rp-address {IP} {acl}”

5. Q – Client RP filtering: limit join/prune messages for specific RPs?

A – “ip pim accept-rp {RP-IP | auto-rp} {acl}”

6. Q – Auto-RP – limit the candidate RP's announcements?

A – “ip pim send-rp-announce {int} scope {ttl} group-list {acl}”

7. Q – Auto-RP – limit which groups a mapping agent accepts from specific RPs?

A – “ip pim rp-announce-filter rp-list {acl} group-list {acl}”

8. Q – Filter BSR messages on an interface?

A – “ip pim bsr-border”

9. Q – Limit the number of multicast routes in the mroute table?

A – “ip multicast route-limit {limit}”

10. Q – Limit the rate at which a source can send traffic to a group on an interface?

A – “ip multicast rate-limit out group-list {acl} {kbps}”
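The GRE/RPF bullet above is the one people stare at longest, so here is an added Python example (not from the original notes, not IOS code) that performs the RPF check against a unicast table and shows why a static mroute fixes the tunnel case. The routing tables, interface names and source addresses are constructed; the example assumes the default static-mroute distance of 0, under which a matching mroute wins over the unicast table, and ignores the optional distance argument.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

Route = Tuple[str, str]   # (prefix, interface the prefix is reached through)


def longest_match(table: Sequence[Route], addr: str) -> Optional[Route]:
    """Plain longest-prefix lookup over a list of (prefix, interface) entries."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, iface)
    return best


def rpf_check(source: str, incoming: str, unicast_table: Sequence[Route],
              static_mroutes: Sequence[Route] = ()) -> Tuple[str, Optional[str]]:
    """Return (verdict, rpf_interface). The RPF interface is the one the router would use to reach
    the *source* (static mroute first, assuming its default distance 0, then the unicast table);
    the packet passes only if it arrived on that interface."""
    route = longest_match(static_mroutes, source) or longest_match(unicast_table, source)
    if route is None:
        return ("fail", None)            # no route back to the source at all
    rpf_iface = route[1]
    return ("pass" if rpf_iface == incoming else "fail", rpf_iface)


def rpf_failures(arrivals: Sequence[Tuple[str, str]], unicast_table: Sequence[Route],
                 static_mroutes: Sequence[Route] = ()) -> List[Tuple[str, str, Optional[str]]]:
    """Given (source, incoming interface) pairs, list the ones that fail with the interface
    the router expected instead; that is what you are looking for when spotting RPF failures."""
    out = []
    for source, incoming in arrivals:
        verdict, expected = rpf_check(source, incoming, unicast_table, static_mroutes)
        if verdict == "fail":
            out.append((source, incoming, expected))
    return out


# Constructed scenario: the unicast path to the source is the serial link, but multicast is
# being carried over a GRE tunnel that crosses a non-PIM part of the network.
UNICAST = [("10.10.10.0/24", "Serial0/0"), ("0.0.0.0/0", "FastEthernet0/1")]
MROUTES = [("10.10.10.0/24", "Tunnel0")]   # equivalent of: ip mroute 10.10.10.0 255.255.255.0 Tunnel0

if __name__ == "__main__":
    print(rpf_check("10.10.10.1", "Tunnel0", UNICAST))            # ('fail', 'Serial0/0')
    print(rpf_check("10.10.10.1", "Tunnel0", UNICAST, MROUTES))   # ('pass', 'Tunnel0')
```

Without the mroute the router expects the source on Serial0/0 and discards everything that arrives on Tunnel0; the static mroute changes only the RPF answer, not the unicast routing, which is exactly why it is the right fix here.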

IPv6

  • RIPng – “no split-horizon” is a process command (under “ipv6 router rip NAME”), not an interface command.
  • EIGRPv6 – do not forget “no shutdown” under the process; it starts shut down.
  • IPv6 tunnel method with the least overhead: IPv6IP (manual 6in4).
  • Tunnel protocol numbers for ACLs: IPv6IP = protocol 41, GRE = protocol 47.
  • You cannot redistribute a static default route (::/0) into OSPFv3; use “default-information originate”.
  • Dynamic information (i.e. IGP next-hops) recurses to the remote link-local address, not the global unicast address of the interface.

R&S Quick Notes – BGP

BGP

  • When using communities, don't forget “neighbor send-community”.
  • Know your attributes, the direction in which each is applied, and when to use which.
  • “aggregate-address” needs a more specific prefix in the BGP table before the aggregate is advertised.
  • The synchronization issue has 3 solutions: 1 – run BGP on all transit routers, 2 – GRE tunnel, 3 – redistribute BGP into the IGP.
  • “no bgp nexthop trigger” – disables next-hop tracking between scanner intervals.
  • “no bgp fast-external-fallover” – forces the router to wait for the hold timer to expire before generating notification messages when a directly connected peer goes down.
  • “neighbor fall-over” – checks neighbor reachability between scanner intervals, aka BGP fast peering session deactivation.
  • Only the hold time is carried in the OPEN message. Two neighbors use the lower of the two hold times and each derives its keepalive from that (one third).
  • Know your regular expressions.
  • Know the difference between peer groups and peer templates.

R&S Quick Notes – Frame-Relay/PPP

Frame-Relay

  • Handing the far end of a DLCI its IP address (AutoInstall over Frame Relay, filed here as “DHCP on a frame interface”): “frame-relay interface-dlci 555 protocol ip 166.166.166.2”.
  • When asked to disable INARP, be sure to do so on the physical interface and on any multipoint sub-interfaces.
  • If you see 0.0.0.0 frame mappings, save your config and reload.
  • The backup command CANNOT be used on FR physical interfaces: the interface stays up/up as long as LMI is up, so the loss of a PVC is never detected.
  • Back-to-back frame connections: disable keepalives with “no keepalive”.
  • LMI status enquiries are sent every 10 seconds by default (T391); the interval is changed with the interface “keepalive” command.
  • LMI full status updates are requested every 6th poll, i.e. every 60 seconds by default; this CAN be changed with “frame-relay lmi-n391dte”.
  • To ping the local interface IP, add a mapping for the local IP to any valid DLCI.

PPP

  • To type a “?” in an authentication password, prefix it with either Esc-Q or Ctrl-V.
  • If two routers both using CHAP have the same hostname, “no ppp chap ignoreus” is required.
  • “ppp authentication eap” can be used as an alternative to CHAP when MD5 is required.
  • “ppp multilink links minimum” – the number of links required for an MLP bundle to come up.
  • With CHAP and PAP, know which side is the client and who is authenticating whom!
  • Know PPPoFR, MLP, and the combined formats.

R&S Quick Notes – Switching

With the insane amount of theory to go through before the big day comes, it is only normal for a couple of items to get lost in the masses. On top of that, regardless of the material you used to study, you are bound to come across a couple of small things that you have not seen before. Apart from my 400 pages of everything there is to know for the R&S, I took the time to compile, format and index a book of my CCIE R&S short notes. While compiling all my notes, labbing, and reading the Cisco DOC and other blogs, I made a shorter list of the most important tid-bits and any big gotchas to look out for on the big day.

Hope these help some of you :)

Switching Notes

  • If two switches have different VTP domain names, DTP will not negotiate a trunk between them; the trunk must be configured manually.
  • When configuring 802.1x, DO NOT forget to add “aaa authentication login default none”, or you might lock yourself out of the switch and forfeit every point related to it.
  • Always confirm that the MD5 digests match when configuring VTP PASSWORDS, with “sh vtp status”.
  • To enable WCCP on a 3550, you have to change the SDM template to ‘extended-match’.
  • STP timers question 1: change the STP timers so that a port that initially comes up takes 44 sec to start forwarding. Answer: the blocking (max-age) part is always 20 sec, so 44 - 20 = 24 sec remain and listening and learning (forward delay) are each configured at 12 sec.
  • STP timers question 2: change the STP timers so that, in the event of convergence, the delay is no more than 20 sec. Answer: 20 / 2 = 10 sec each for listening and learning.
  • MAC ACLs only match NON-IP traffic. The 3560 treats IPv6 as IP traffic, but the 3550 treats IPv6 as NON-IP traffic, so a 3550 can filter IPv6 with a MAC ACL.
  • Ethertypes used with MAC ACLs that are not listed on the DOC-CD or in the CLI help:

– 0x0806 : IP ARP
– 0x0800 : IPv4
– 0x86DD : IPv6
– 0x4242 : CST (Common Spanning Tree)
– 0xAAAA : All Cisco proprietary (VTP, STP, CDP, DTP, UDLD, PAgP)
– 0xFFFF : all NON-IP

  • VLAN ACLs: ONLY an ACL permit triggers the “forward”/“drop” action of an access-map sequence. An ACL deny (explicit or the implicit one at the end) is ignored and evaluation moves on to the next sequence, and a packet that no sequence permits is dropped. So to deny traffic with a VLAN ACL, permit the unwanted traffic in the ACL, use a “drop” action, and finish the map with a sequence that permits everything with action “forward”.
  • Storm-control: the multicast level must be equal to or greater than the broadcast level.
  • UplinkFast is used when a direct link failure is detected.
  • BackboneFast is used to detect an indirect link failure.
  • Root Bridge election: 1 – lowest Bridge ID (priority [default 32768] + extended system ID [= VLAN]), 2 – lowest MAC.
  • Root Port election: 1 – lowest cost to the root, 2 – lowest upstream Bridge ID, 3 – lowest Port ID (port priority + port number).
  • Influencing the local Root Port election – change the port cost.
  • Influencing the Root Port of a directly connected downstream switch – change the port priority on the upstream switch.
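The VLAN ACL bullet above describes a semantic that catches almost everyone once, so here is an added Python example (not from the original notes, not Cisco code) that models how an access map evaluates its sequences and contrasts the intuitive-but-wrong map with the correct one. The ACLs, access maps and addresses are constructed for the example; matching is reduced to source prefixes, which is enough to show the point.

```python
import ipaddress
from typing import List, Optional, Tuple

ACL = List[Tuple[str, str]]                  # ordered (action, source prefix) entries, "permit"/"deny"
AccessMap = List[Tuple[int, ACL, str]]       # ordered (sequence, ACL matched, action) entries


def acl_result(acl: ACL, src: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(src)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix):
            return action
    return "deny"


def vacl_decision(access_map: AccessMap, src: str) -> Tuple[Optional[int], str]:
    """Return (sequence that decided, action). A sequence fires only when its ACL *permits* the
    packet; an ACL deny, explicit or implicit, just moves evaluation to the next sequence. A packet
    that no sequence permits is dropped by the implicit deny at the end of the access map."""
    for seq, acl, action in access_map:
        if acl_result(acl, src) == "permit":
            return (seq, action)
    return (None, "drop")


# Intent for both maps: drop traffic from 10.1.1.0/24, forward everything else.

# The intuitive attempt: write the ACL as you would for an interface and attach "drop".
#   ip access-list extended BLOCK  ->  deny 10.1.1.0/24, permit any
#   vlan access-map FILTER 10 / match ip address BLOCK / action drop
NAIVE_MAP: AccessMap = [
    (10, [("deny", "10.1.1.0/24"), ("permit", "0.0.0.0/0")], "drop"),
]

# The correct form: the ACL permits the traffic you want to act on, and a final catch-all forwards.
#   ip access-list extended BAD    ->  permit 10.1.1.0/24
#   ip access-list extended ANY    ->  permit any
#   vlan access-map FILTER 10 / match ip address BAD / action drop
#   vlan access-map FILTER 20 / match ip address ANY / action forward
CORRECT_MAP: AccessMap = [
    (10, [("permit", "10.1.1.0/24")], "drop"),
    (20, [("permit", "0.0.0.0/0")], "forward"),
]

if __name__ == "__main__":
    for src in ("10.1.1.5", "10.2.2.2"):
        print(src, "naive:", vacl_decision(NAIVE_MAP, src), "correct:", vacl_decision(CORRECT_MAP, src))
```

With the naive map, 10.1.1.5 is dropped only because nothing permitted it (the implicit drop), and 10.2.2.2 is permitted by "permit any" and therefore hits the "drop" action too: the VLAN loses all traffic. The correct map drops 10.1.1.0/24 at sequence 10 and forwards everything else at sequence 20.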

Cisco CCIE R&S – 1st Time PASS

It is with great pleasure, pride and excitement that I am typing this, despite the painful agony of waiting a whole weekend for the result.
(My advice: NEVER do your lab on a Friday.)

On Friday the 17th of April, I passed the R&S Lab Exam on my 1st attempt at the Cisco Mobile Lab in Bryanston, SA.
It was an experience unlike anything I have had before: the build-up, the exam, the agony of waiting, then the result, and now the afterglow.
My biggest fear was the possibility of becoming a statistic, since most candidates only pass on the 2nd or 3rd attempt.
But despite the natural fear and anxiety, Friday belonged to me; it was my day to earn my number:


#24163

Now that I have taken the LAB, I can really share my comments and views regarding the structure/experience.
