BGP regex – special characters
^        Start of string
$        End of string
[]       Range of characters, e.g. [0-9]
( )      Logical grouping
.        Any single character
*        Zero or more instances
+        One or more instances
?        Zero or one instance
_        Comma, open or close brace, open or close parenthesis, start or end of string, or space

BGP regex – common AS-path patterns
Anything                      .*
Locally originated routes     ^$
Learned from AS 100           ^100_
Originated in AS 100          _100$
Any instance of AS 100        _100_
Directly connected ASes       ^[0-9]+$   (AS_PATH length of one)

Accept prefixes from [rtrX] that were originated by [AS501] or its directly connected ASes:
permit ^501_[0-9]*$
DSCP – AF class and value from the 6-bit pattern
(AFxy: x = class = top 3 bits, y = drop precedence = next 2 bits; DSCP = 8x + 2y; IP precedence = top 3 bits)

001010 is AF 11, DSCP 10
010100 is AF 22, DSCP 20
011110 is AF 33, DSCP 30
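The mapping above follows from the bit layout of the DSCP field. The Python below shows that layout as code, in both directions; it is an added example, not part of the original notes, the function names are mine, and the PHB names are the standard ones (AF classes, EF, the CS class selectors).

```python
# Added example: decode and encode the 6-bit DSCP field.
# AFxy: x = class (top 3 bits, 1-4), y = drop precedence (next 2 bits, 1-3), DSCP = 8x + 2y.
# IP precedence is the top 3 bits; CSx = precedence x with the low 3 bits zero; EF = 46.

def bits_to_dscp(bits: str) -> int:
    """'001010' -> 10. Raises on anything but six binary digits."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("expected six binary digits")
    return int(bits, 2)

def dscp_to_name(dscp: int) -> str:
    """Standard PHB name for a DSCP value (AFxy, CSx, EF, default)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return "default" if cls == 0 else f"CS{cls}"
    drop = low >> 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low & 1 == 0:
        return f"AF{cls}{drop}"
    return f"DSCP {dscp} (no standard PHB name)"

def af_to_dscp(cls: int, drop: int) -> int:
    """AF22 -> 20."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class 1-4, drop precedence 1-3")
    return 8 * cls + 2 * drop

def describe(bits: str) -> str:
    """One flashcard line: bit pattern, DSCP value, PHB name, IP precedence."""
    d = bits_to_dscp(bits)
    return f"{bits} = DSCP {d} = {dscp_to_name(d)} (IP precedence {d >> 3})"

if __name__ == "__main__":
    for pattern in ("001010", "010100", "011110", "101110", "101000"):
        print(describe(pattern))
```

The last two patterns are EF (46) and CS5 (40); "set precedence 5" later on the page marks the top 3 bits, which is the same as DSCP 40.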

ZBF – Create a Zone
zone security zonename

ZBF – Assign a Zone to an interface
int fa0/0
 zone-member security zonename

ZBF – Create a Zone Pair
zone-pair security zp source z1 destination z2

ZBF – Apply policy p1 to the zone pair
zone-pair security zp source z1 destination z2
 service-policy type inspect p1

ZBF – Class Map (match protocol / match access-group entries go under it)
class-map type inspect match-any|match-all class-name

ZBF – Policy Map
policy-map type inspect policy-name
 class type inspect class-name
  (action)

ZBF – Actions (under class type inspect class-name)
drop – Drops packets matched by the class.
pass – Allows packets matched by the class, statelessly; return traffic needs its own pass on the reverse zone-pair.
police rate – Limits traffic matching within a firewall (inspect) policy; must follow inspect in the class.
inspect – Enables Cisco IOS stateful packet inspection; return traffic for inspected sessions is allowed automatically.

These are Zone-Based Policy Firewall commands (PFR, Performance Routing, is a different feature). An interface that is in no zone cannot exchange traffic with a zone member, and traffic to or from the router itself belongs to the "self" zone, which is permitted by default unless a self zone-pair is configured.

 

Lock and Key – Local Username

username test password test
! store credentials with "username test secret ..." in production; "password" is reversible
username test autocommand access-enable host timeout 10
! access-enable opens the dynamic ACL entry; "host" restricts it to the source address of the login session; 10 = idle timeout (minutes)
! the vty lines need "login local" so the autocommand runs after a successful login

Lock and Key – Interface Access-list

interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in

! the telnet permit to the router must precede the dynamic entry: it is how users authenticate to open it
access-list 101 permit tcp any host 10.1.1.1 eq telnet
! 15 (minutes) is the absolute timeout; IOS ACLs take wildcard masks, not /24
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

RIP authentication (the key chain must exist: key chain keychain / key 1 / key-string ...)

int fa0/x
 ip rip authentication mode md5
 ip rip authentication key-chain keychain

EIGRP authentication (AS 10)

int fa0/x
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 keychain

Reflexive ACLs – Apply to Interface

interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilters in
 ip access-group outboundfilters out

ip access-list extended outboundfilters
 permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic

ip access-list extended inboundfilters
 permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 evaluate tcptraffic

The "reflect" entry records each outbound TCP session in the temporary list tcptraffic (addresses and ports swapped); "evaluate" checks inbound packets against it. Only that part is stateful; the inbound ICMP permit is a plain static entry. Reflexive ACLs do not track protocols that open secondary channels (e.g. active-mode FTP), and entries are matched in order, so "evaluate" is placed after any static permits that should win first.

Reflexive ACLs – Global Options

ip reflexive-list timeout 120    (seconds before an idle reflexive entry is removed; default 300)

IOS IPS – Setup

First, IOS IPS needs a directory for its signature and configuration files. Create one on the router flash (any other writable IOS file system would do as well):

R6#mkdir ips
Create directory filename [ips]?
Created dir flash:/ips
R6#

IOS IPS uses a crypto key to verify the digital signature on the master signature file, which Cisco signs with its private key. To verify it the router needs the matching public key, published by Cisco as the text file realm-cisco.pub.key.txt. Paste it into the router configuration as follows (the key-string is truncated here):

R6(config)#crypto key pubkey-chain rsa
R6(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R6(config-pubkey-key)#key-string
Enter a public key as a hexadecimal number ....
R6(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101…

Let’s check the ips folder we created on flash. It should still be empty.

R6#cd ips

R6#dir

Directory of flash:/ips/

 

No files in directory

 

255967232 bytes total (187428864 bytes free)

R6#cd ..

Once the IPS configuration is complete, the router inspects all traffic on the interface and in the direction we specify. To limit what goes through IPS processing, attach an access-list: only traffic permitted by the ACL is analysed. Here the ACL matches only traffic destined to 6.6.6.6, the loopback of R6.
R6(config)#access-list 123 permit ip any host 6.6.6.6
Next, create an IPS rule named "IOS-IPS" and associate ACL 123 with it. The rule is applied to an interface in a later step.
R6(config)#ip ips name IOS-IPS list 123
IPS needs to know where to keep its signature definitions and configuration. Use the flash:/ips directory created earlier.
R6(config)#ip ips config location flash:/ips
IOS IPS – The router can send alerts via Security Device Event Exchange (SDEE) and/or syslog. We configure both and allow up to 2 simultaneous SDEE managers to open subscriptions (requests for alerts). SDEE runs over the router's HTTP server, so that must be enabled; in production use ip http secure-server and restrict it with ip http access-class, since over plain HTTP the SDEE credentials and alert data travel in cleartext.

R6(config)#ip ips notify sdee

R6(config)#ip sdee subscriptions 2

R6(config)#ip ips notify log

R6(config)#ip http server

IOS IPS – Before applying the IPS rule to an interface, add some safety: retire all signatures, then un-retire only the "ios_ips advanced" category. Un-retiring the "all" category can exhaust router memory (mileage varies by platform). On exiting configuration mode you are prompted to accept the changes.

R6(config)#ip ips signature-category

R6(config-ips-category)#category all

R6(config-ips-category-action)#retired true

R6(config-ips-category-action)#exit

R6(config-ips-category)#

R6(config-ips-category)#category ios_ips advanced

R6(config-ips-category-action)#retired false

R6(config-ips-category-action)#end

Do you want to accept these changes? [confirm]

R6#

Applying Category configuration to signatures …

R6#

Next we will apply the ips (name is IOS-IPS) rule we created to an interface. We also enable virtual-reassembly so that IPS can better analyze sessions and attacks that comprise multiple packets.

R6(config)#interface FastEthernet0/0

R6(config-if)#ip ips IOS-IPS in

R6(config-if)#ip virtual-reassembly

EEM

event manager applet EEM-NAME
 event cli pattern "tclsh" sync yes
 action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
 action 2.0 set _exit_status 0

What does the sync yes do?

With sync yes the EEM applet runs before the CLI command is executed, and the applet decides through _exit_status whether the command then runs.

EEM

event manager applet EEM-NAME
 event cli pattern "tclsh" sync yes
 action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
 action 2.0 set _exit_status 0

What does the _exit_status 0 do?

With sync yes the applet must set _exit_status to tell EEM whether the CLI command should be executed (_exit_status 1) or suppressed (_exit_status 0). Here it is 0, so "tclsh" never runs.

Make sure that it's not possible to use the "tclsh" feature on R9. Also make sure that when someone tries to use "tclsh" a syslog message is generated and sent to the logging server. The syslog message needs to be: "Attempted tclsh command by user at <actual time>". The date and time must be added when the actual event occurs.

event manager applet EEM-NAME
 event cli pattern "tclsh" sync yes
 action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
 action 2.0 set _exit_status 0

(Adjust the msg text to whatever wording the task demands; $_event_pub_time supplies the timestamp, and the logging server is whatever "logging host" points at.)

With the sync no option, the EEM applet runs in the background, in parallel with the CLI command. Because the command starts at the same time as the applet, _exit_status can no longer be used; whether the command executes is decided by the skip yes|no option of the event cli command.
EEM

Name it NoReload.

Ensure that when this command is entered EEM kicks in in parallel but the command does not execute. A syslog message with a priority of "errors" and a message about what you cannot do should appear.

event manager applet NoReload
 event cli pattern "reload" sync no skip yes
 action 1.0 syslog priority errors msg "Cannot reload this router"

EEM

Name the applet EEM-NAME.

When a user enters "tclsh" the router should execute EEM before the command takes place. A syslog message should say "Attempted to tclsh at " followed by a variable holding the time the event occurred. The second action should stop the command from executing.

event manager applet EEM-NAME
 event cli pattern "tclsh" sync yes
 action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
 action 2.0 set _exit_status 0

 

If R7 receives the prefix 150.50.66.6/32 from OSPF and it is added to the routing table, R7 should fire a log message saying "Evil prefix received".

After bootup R7 should wait 5 minutes before enabling the routing Event Detector.

event manager applet 63
 event routing prot ospf netw 150.50.66.6/32 type add
 action 1 syslog msg "Evil prefix received"
 exit

event manager detector routing bootup-delay 300

Loopback0 on R1 must always be up. Configure the appropriate feature on R1 to detect Loopback0 being disabled and re-enable it when that happens.

First action: syslog "Re-Enabling Loopback0"; next actions: turn it back on.

event manager applet Lo0-Keepup     (applet name not given in the task; chosen here)
 event syslog occurs 1 pattern "Loopback0.*down"
 action 1.0 syslog msg "Re-Enabling Loopback0"
 action 1.1 cli command "enable"
 action 1.2 cli command "configure terminal"
 action 1.3 cli command "interface Loopback0"
 action 1.4 cli command "no shutdown"

PPPoE – Client

int fa0/0

 no ip address

 pppoe enable

 pppoe-client dial-pool-number 1

 

int dialer1

 mtu 1492

 encapsulation ppp

 ip add negotiated

 dialer pool 1

PPPoE – Server

bba-group pppoe global

 virtual-template 1

 

int virtual-template 1

 mtu 1492

 encapsulation ppp

 ip add 192.168.60.1 255.255.255.0

 peer default ip address pool pool1


ip local pool pool1 192.168.60.6 192.168.60.6

PPP Authentication (PAP, i.e. plain-text username/password over the link)

– Configure a maximum of 3 bad authentication retries
– Configure Link Control and IP Control to predict peer responses
Your router hostname is R1

int s0/0/0
 ip add 192.168.60.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R1 password ipexpert
 ppp lcp predictive
 ppp ipcp predictive
 ppp max-bad-auth 3
 no shut

PAP sends the password unencrypted on the link; prefer CHAP unless the task requires PAP.

PPP over Frame Relay

Username to use for CHAP authentication: T3ST123

username T3ST123 password ipexpert
int s0/0/0
 encapsulation frame-relay
 frame-relay interface-dlci 102 ppp virtual-template 1

int virtual-template 1
 ip add 192.168.60.1 255.255.255.0
 ppp authentication chap
 ppp chap hostname T3ST123

(The local username entry must match the name the peer sends in CHAP, and the password must be identical on both routers.)

MPLS LDP Password Configuration

– Configure the LDP password for your neighbor without using the "neighbor password" command. Ensure both sides require authentication. Source LDP from the loopback.

ip cef
mpls label protocol ldp
mpls ldp router-id lo0
mpls ldp password option 1 for 1 cisco
mpls ldp password required

access-list 1 permit 7.7.7.7     (the neighbor's LDP router-id)

int fa0/0
 mpls ip

"password option 1 for 1 cisco" applies password cisco to neighbors whose LDP router-id is permitted by ACL 1 (the option number is the precedence among several such lines); "password required" refuses sessions with neighbors that do not authenticate. The neighbor needs the mirror configuration, otherwise the session never comes up.

PPP authentication using PAP with the same username (from the remote host) configured locally:

no ppp chap ignoreus

[/32] (ppp: ip address negotiated) – [/24]

With RIP authentication the neighbor does not form: the peer's negotiated /32 is not on the local interface's subnet, so RIP discards its updates as coming from a non-local source. To correct this (under router rip):

no validate-update-source

Make this ACL as small as possible:

access-list 5 permit 172.20.33.2 0.0.0.0
access-list 5 permit 172.20.34.2 0.0.1.0
access-list 5 permit 172.20.36.2 0.0.3.0
access-list 5 permit 172.20.40.2 0.0.3.0
access-list 5 permit 172.20.44.2 0.0.1.0
access-list 5 permit 172.20.46.2 0.0.0.0
access-list 5 deny 172.20.32.0 0.0.0.255
access-list 5 deny 172.20.47.0 0.0.0.255
access-list 5 permit 172.20.32.0 0.0.15.255

The six host permits cover .2 in 172.20.33.0 through 172.20.46.0, but every one of those addresses is also permitted by the final 172.20.32.0 0.0.15.255 entry and none of them is hit by the two denies, so they are redundant: the two denies followed by the /20 permit is an equivalent list.

area 256 virtual-link 5.5.5.5 [authentication practice]
 area 256 virtual-link 5.5.5.5 authentication message-digest
 area 256 virtual-link 5.5.5.5 message-digest-key 1 md5 <key>
(a virtual link is an area 0 interface, so "area 0 authentication message-digest" applies to it as well)

OSPF rfc1587

 

configure this area according to this RFC

area x nssa

Configuring OSPF between a router and a switch (SVI): what should you ALWAYS check?

int fa0/0
 ip ospf mtu-ignore

(The adjacency sticks in EXSTART when the two interface MTUs differ; mtu-ignore hides the mismatch rather than fixing it, so matching the MTUs is the cleaner fix.)

OSPF Frame Relay Network

R1 – Serial s0/1/0
R2 – Serial s0/1/0 (hub)
R3 – Serial s0/1/0.1 multipoint

What are the network types and priorities?

R1 – ip ospf network broadcast (pri 0)
R2 – ip ospf network broadcast (pri 255)
R3 – ip ospf network broadcast (pri 0)

set mtu on switch just for routing protocols
system mtu routing

Quick way of pinging several addresses (192.168.60.1, .2, .3) with a loop variable IP:

tclsh
foreach IP {
192.168.60.1
192.168.60.2
192.168.60.3
} { ping $IP }

When you configure an OSPF area as NSSA (ABR R2) and elsewhere in the network EIGRP is redistributed into OSPF, the NSSA area does NOT see those routes.

Why not? What do you configure to fix this?

The redistributed routes are type 5 LSAs, which are not flooded into an NSSA (only type 7 LSAs generated inside the NSSA are).

Configure the ABR (R2) as totally NSSA: area X nssa no-summary. The ABR then injects a default route into the area, which gives the NSSA routers a path to the external prefixes. (area X nssa default-information-originate injects the default without also blocking type 3 summaries.)

on two interfaces running EIGRP

 

int s0/0/0

int s0/1/0

 

how would you balance traffic accross both links per packet?

int s0/0/0

ip load-sharing per-packet

int s0/1/0

ip load-sharing per-packet

For Multicast: R2's loopback is the RP. What do you configure under the loopback interface?

ip pim sparse-mode   (the RP address must belong to a PIM-enabled interface)

For Multicast: router R3 has the following config:

int lo1
 ip igmp join-group 2.2.2.2

Do we configure PIM on this interface?

The note says no, but two things are wrong with that: the group must be a class D address (224.0.0.0/4; 2.2.2.2 would be rejected), and the later card for 239.0.0.4 does enable ip pim sparse-mode on the loopback, which is what puts the loopback in the outgoing interface list so the router actually receives the group.

Multicast over a frame-relay hub and spoke: what do you configure on the hub interface facing the frame cloud?

ip pim nbma-mode

This makes the hub keep a separate outgoing-interface entry per spoke (as if each were a point-to-point link), so a prune from one spoke does not stop traffic to the others. Sparse mode only.

IPv6 link-local: starts with fe80::/10; use ::2

ipv6 address fe80::2 link-local

With OSPFv3 and EIGRP for IPv6 you should ALWAYS set a router-id under the routing process (there may be no IPv4 address to derive one from):

ipv6 router eigrp 256
 eigrp router-id 5.5.5.5

QoS – Set the precedence to 5 on traffic matched by class-map test. "set" is a policy-map action, not a class-map command:

class-map test
policy-map test-pmap     (policy-map name not given; chosen here)
 class test
  set precedence 5

(apply with service-policy on the interface; to classify on precedence instead, use match precedence 5 inside the class-map)

ICMP type 0 = echo-reply
ICMP type 8 = echo

The "rotary" command, when applied to a "line vty" block, makes that router's telnet daemon listen on port 3000 + the rotary number (rotary groups also answer on 5000+n, 7000+n, 9000+n and 10000+n with different terminal handling).

For port 3005 the config is:

line vty 0 5
 rotary 5

(Protect these extra listeners with an access-class on the lines; a filter that only covers port 23 does not see them.)

ZBF – To police

class type inspect ftp
 police rate 2000000 burst 250000

What must be put in the class first?

inspect

class type inspect ftp
 inspect
 police rate 2000000 burst 250000

ZBF – Even a loopback interface should be placed in the inside zone: an interface in no zone cannot exchange traffic with zone members, so a loopback that sources or terminates transit traffic (tunnels, management) is cut off once the other interfaces are zoned.

int lo1
 zone-member security inside

ZBF – p2p

 

there are how many?

5

 

class-map type inspect match-any p2p

match protocol bittorrent

match protocol edonkey

match protocol fasttrack

match protocol gnutella

match protocol kazaa2

ZBF – Drop then log under a p2p class

class type inspect p2p

 drop log

To practise: Custom Queueing (8.4 QoS Lab 1), Priority Queueing, ZBF with http & local traffic example (see favorites), RSVP, EIGRP FD/RD, show command placement.

Configure a switchport where

“I want to be a trunk, but if you don’t want to, then I won’t”

 

ensure that if trunking is enable, the trunking will be dot1q

int fa0/0

switchport mode dynamic desirable

switchport trunk encapsulation dot1q

Configure a switchport where, “It’s all up to you, I don’t want to be a trunk but if you insist, I will”

int fa0/0

switchport mode dynamic auto

On a switchport, how do you remove a VLAN from an existing list of allowed vlans?

int fa0/0

switchport trunk allowed vlan remove x

On a switchport, how do you allow all vlans on a port but not vlans 3 and 4

int fa0/0

switchport trunk allowed vlan except 3,4

Disable flow control on an ethernet interface

int fa0/0

flowcontrol receive off

After reviewing a CCIE lab you see that extended VLANs (1006-4094) will be used throughout; which VTP mode MUST you use?
vtp mode transparent   (VTP versions 1 and 2 cannot carry extended VLANs; VTPv3 can)
What's the default VTP version of a switch?
VTP version 1
You're using MST; "optimize" BPDU transmission in the network. No additional switches will ever be added to any interface. There are 4 switches (1 is root):
spanning-tree mst 0 root primary diameter 3
ensure all devices can communicate immediately when their interfaces are enabled (even in trunk mode)

int fa0/0

spanning-tree portfast trunk

practice this:

configure spanning-tree that uses less CPU

all VLANs should be mapped to the default

set the revision to be 1

;

spanning-tree mode mst

spanning-tree mst configuration

instance 0 vlan 1-4094

revision 1

;

on a multilink with an mu69 interface with two s0/0/0 / s0/0/1 interfaces part of the bundle.

;

Where do you apply the configuration to not automatically create a /32 route for the neighbor

int mu69

no peer neighbor-route

you have a point-to-point PPP interface s0/0/0 and you want to ensure that a /32 route for your neighbor does not appear. where and what do you configure?;

int s0/0/0

no peer neighbor-route

;

If you have an area 1332 and a virtual link between that area (R1 ; R2) and you need to make the area a stub, how do you do it?

;

-you can’t, virtual-links can’t traverse stub areas

Your requirements: all redistributed routes should have a tag of 1

;

router ospf 1

redistribute static subnets tag 1

;

You need to know create a summary route for those redistributed /24’s. The summary would be a /23

10.5.5.0/24, 10.5.6.0/24. How would you do it?

router ospf 1

summary-address 10.5.5.0 255.255.254.0 tag 1

You advertised a summary address via EIGRP, how do you prevent the null0 from appearing in the routing table?

 

it’s a switch. Your interface is vlan 1122. That’s the same as your routing protocol

int vlan 1122

ip summary-address eigrp 1122 10.0.0.0 255.255.255.0 255

 

– where 255 is the AD 

router rip

network 166.6.0.0

redistribute connecte route-map loopback

route-map loopback permit 10

match interface lo0

set tag 77

int lo0

ip add 166.6.6.6 255.255.255.255

would you/your neighbors see the tag?

Nope! – they are covered by network statement

 

whenever doing mutual redistribution in more than one place – that means your opening up the possibility of a ____. what do you need to do?

opens a possibility of routing loops

we need to tag and filter

BGP Template

router bgp 1220

bgp router-id 166.2.2.2

 

template peer-session AS1220-session

 remote-as 1220

 update-source lo0

 password ipexpert

 

template peer-policy AS1220-policy

 route-reflector-client

 next-hop-self

 

neighbor 166.1.1.1 inherit peer-session AS1220-session

neighbor 166.1.1.1 inherit peer-policy AS1220-policy

neighbor 166.12.21.21 inherit peer-session AS1220-session

neighbor 166.12.21.21 inherit peer-policy AS1220-policy

(neighbor 166.12.21.21 password ipexpert is not needed: the password is inherited from peer-session AS1220-session)

when they say peer using minimal configuration on all routers

 

if it’s one neighbor – don’t use peer groups

more than one – use peer-groups (but not always)

Prevent BGP transit using a community

route-map no-transit permit 10
 set community no-export

(apply it with neighbor X route-map no-transit in, and configure neighbor Y send-community towards your iBGP peers, since IOS does not propagate communities, well-known ones included, without it)

224.0.0.0/4 – what's the wildcard?

permit 224.0.0.0 15.255.255.255
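This wildcard card and the "make this ACL as small as possible" list earlier on the page both come down to the same bit arithmetic. The Python below is an added example, not from the original notes: it derives a wildcard from a prefix length, evaluates a standard ACL first-match with the implicit deny, and checks by brute force that the nine-line ACL 5 and a three-line version return the same verdict for every address in 172.20.32.0/20 plus two outside probes. ORIGINAL, MINIMAL and the function names are mine.

```python
import ipaddress
from typing import List, Tuple

# Added example: IOS wildcard-mask arithmetic and a first-match standard ACL evaluator.
# Entry = (action, network, wildcard); wildcard bit 1 = "don't care", as in IOS.
Entry = Tuple[str, str, str]

def prefix_to_wildcard(cidr: str) -> Tuple[str, str]:
    """'224.0.0.0/4' -> ('224.0.0.0', '15.255.255.255'): the wildcard is the inverted netmask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def wildcard_match(addr: int, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard: compare only the bits the wildcard leaves as 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return addr & care == int(ipaddress.IPv4Address(network)) & care

def acl_action(acl: List[Entry], addr: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wc in acl:
        if wildcard_match(a, net, wc):
            return action
    return "deny"

def acls_equivalent(a: List[Entry], b: List[Entry], space: str, *extra: str) -> bool:
    """Brute force: same verdict for every address in `space` plus any extra probes."""
    probes = [str(h) for h in ipaddress.IPv4Network(space)] + list(extra)
    return all(acl_action(a, p) == acl_action(b, p) for p in probes)

# The nine-line ACL 5 from the notes, transcribed.
ORIGINAL: List[Entry] = [
    ("permit", "172.20.33.2", "0.0.0.0"),
    ("permit", "172.20.34.2", "0.0.1.0"),
    ("permit", "172.20.36.2", "0.0.3.0"),
    ("permit", "172.20.40.2", "0.0.3.0"),
    ("permit", "172.20.44.2", "0.0.1.0"),
    ("permit", "172.20.46.2", "0.0.0.0"),
    ("deny",   "172.20.32.0", "0.0.0.255"),
    ("deny",   "172.20.47.0", "0.0.0.255"),
    ("permit", "172.20.32.0", "0.0.15.255"),
]
# Candidate minimal form: the .2 host permits all sit inside the final /20 permit
# and outside both denies, so removing them must not change any verdict.
MINIMAL: List[Entry] = [
    ("deny",   "172.20.32.0", "0.0.0.255"),
    ("deny",   "172.20.47.0", "0.0.0.255"),
    ("permit", "172.20.32.0", "0.0.15.255"),
]

if __name__ == "__main__":
    print(prefix_to_wildcard("224.0.0.0/4"))
    print("equivalent:", acls_equivalent(ORIGINAL, MINIMAL, "172.20.32.0/20", "172.20.48.1", "10.0.0.1"))
```

Dropping either deny from MINIMAL makes the check fail, which is the quick way to confirm an ACL rewrite did not silently widen what is permitted.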
Configure this router's loopback 0 as a BSR and as the RP candidate it advertises:

ip pim bsr-candidate lo0      (bootstrap router; announces itself first)
ip pim rp-candidate lo0       (to be a PIMv2 RP candidate)

R7(config-pmap-c)#int fa0/0.789
R7(config-subif)#service-policy output allocate-SMTP
 CBWFQ : Not supported on subinterfaces

What do we do? Apply the queueing policy on the physical interface instead (a bandwidth/CBWFQ policy can only sit on a subinterface as the child of a shaping policy):

int fa0/0
 service-policy output allocate-SMTP

Set your NTP server to be 166.21.21.21:
ntp server 166.21.21.21 prefer

Configure router 1 on interface fa0/0 to learn its time via the multicast address 224.21.21.21:

ip multicast-routing

int fa0/0
 ntp multicast client 224.21.21.21
 ip pim sparse-dense-mode

Jul 23 01:27:36.487: OSPF: Rcv pkt from 223.5.6.6, Serial0/1/0, area 0.0.0.0
  mismatch area 0.0.2.57 in the header

...but no virtual links created? All routers have frame-relay between them and the error comes from an unused PVC: the neighbor has that PVC in a different area (0.0.2.57 = area 569), so its hellos arrive on an interface we have in area 0.

.9 [ r9 ] —s0/2/0— [ r6 ] .6   (223.9.6.0/27)
.9 [ r9 ] —s0/2/1— [ r6 ] .6   (223.6.9.0/27)

We need to configure back-to-back frame-relay. This lets each chosen DLCI sit in its own VRF etc., with fewer commands on R9.

R6 (frame-relay switch, DCE side)

frame-relay switching
default int s0/2/0
default int s0/2/1

int s0/2/0
 encapsulation frame-relay
 frame-relay intf-type dce
 no shut
int s0/2/0.609 point-to-point
 ip add 223.9.6.6 255.255.255.224
 frame-relay interface-dlci 609

int s0/2/1
 encapsulation frame-relay
 frame-relay intf-type dce
 no shut
int s0/2/1.906 point-to-point
 ip add 223.6.9.6 255.255.255.224
 frame-relay interface-dlci 906

R9 (DTE side, the default)

default int s0/2/0
default int s0/2/1

int s0/2/0
 encapsulation frame-relay
 no shut
int s0/2/1
 encapsulation frame-relay
 no shut

int s0/2/0.609 point-to-point
 ip add 223.9.6.9 255.255.255.224
 frame-relay interface-dlci 609
int s0/2/1.906 point-to-point
 ip add 223.6.9.9 255.255.255.224
 frame-relay interface-dlci 906

 

EIGRP metric weights K1=1, K2=0, K3=1, K4=0, K5=0

These are the default metric weights. What does each K control?

K1 = bandwidth = 1
K2 = load = 0
K3 = delay = 1
K4 = reliability (divisor term) = 0
K5 = reliability (multiplier term) = 0; with K5 = 0 the reliability factor is skipped entirely

MTU is carried in EIGRP updates but does not enter the metric formula, so there is no K for it.

Make sure EIGRP takes bandwidth, delay, reliability and load into account when calculating the metric.

Cisco.com > metric weights tos k1 k2 k3 k4 k5

answer: metric weights 0 1 1 1 1 1

(K values must match on all neighbors or the adjacencies drop.)

BGP – using confederations

You are asked to prepend to your local loopback. You are in sub-AS 6, your loopback is 215.0.0.6 and the prepend is supposed to be 66. Your real AS is 55 and your neighbor's sub-AS is 4678. What does the confederation configuration look like?

router bgp 6                         (the process runs in the sub-AS)
 bgp router-id 215.0.0.6
 bgp confederation identifier 55     (the real AS; see the later card: the identifier is the REAL AS)
 bgp confederation peers 4678        (the other sub-AS(es) you peer with inside the confederation)
 bgp bestpath med missing-as-worst   (unrelated to confederations)

The 66 prepend is not a confederation setting; it is done with a route-map (set as-path prepend 66), as in the loopback/prepend card below.

R6 should not accept peering sessions from AS 478 if the hold-time is configured to a value lower than 30 seconds. Your neighbor is 215.0.0.4. Do you configure this on R6 only, or on R6 and its neighbor?

neighbor 215.0.0.4 timers 60 180 30    (keepalive 60, holdtime 180, minimum acceptable holdtime 30)

R6 only!

BGP – with confederation sub-AS eBGP peering, should you set next-hop-self?
Yes: the next hop is carried unchanged across confederation eBGP, so without it (or IGP reachability to the original next hop) the routes are not usable.

bgp – on your router loopback 0 (215.1.1.1/32) needs to be advertised using bgp. 

 

Also you need to pre-pend as 77 to it.

 

How would you do it?

router bgp as

 network 215.1.1.1 mask 255.255.255.255

 neighbor 1.1.1.1 route-map my-as out

 

ip prefix-list loopback0 permit 215.1.1.1/32

 

route-map my-as permit 10

 match ip address prefix-list loopback0

 set as-path prepend 77

route-map my-as permit 20

bgp – always watch out for what when peering?
neighbor [n] next-hop-self
configuration to join the group 239.0.0.4 on loopback0

int lo0

ip pim sparse-mode

ip igmp join-group 239.0.0.4

R7(config)#ip pim bsr-candidate lo0 ?
  <0-32>  Hash Mask length for RP selection
  <cr>

R7(config)#ip pim bsr-candidate lo0 0 ?
  <0-255>  Priority value for candidate bootstrap router
  <cr>

ip pim bsr-candidate lo0 0 255    (hash mask 0, priority 255)

Default bootstrap priority?
0
Do not initiate BGP sessions to BB1 but wait for BB1 (215.0.0.21) to initiate it. Your as is 478.

router bgp 478

neighbor 215.0.0.21 transport connection-mode passive

Filter pim neighbors to specific ip. What is the command?

 

access-list 1 permit host 1.1.1.1

int fa0/1.821

ip pim neighbor-filter 1

Re: Police vs police cir vs police rate

1st option
police 96 (Kbps, i.e.)
This means SINGLE RATE TWO COLOR (one bucket).
In this option you define only
conform action = (mostly transmit)
exceed action = (mostly drop)

2nd option
police cir 96 (kbps, i.e.) bc xxxx be xxxx
This is called Single Rate Three Color Policer (two buckets).
In this option you define
police cir xxx bc xxx be xxx
conform action, exceed action, violate action

3rd option
Two Rate Three-Color policer (two buckets)
In this you define CIR and PIR
police rate (cir) xxxx (pir) xxxx and then conform action, exceed action, violate action

You're on a switch and issue:

interface FastEthernet0/7
 mls qos trust dscp

Is QoS enabled on this switch globally?

Cat2#sh mls qos
QoS is disabled
QoS ip packet dscp rewrite is enabled

No. Until mls qos is configured globally the interface trust setting has no effect (markings pass through untouched, but nothing is classified or queued on them).

Configure NetFlow export on R2 to [215.12.34.28].

Export version 5 packets using the fully reliable method and port 3434. If the primary server is not reachable within 3 seconds, use [215.12.34.27] as destination. When the primary server comes back into operation, wait 30 seconds before switching back to it.

ip flow-export version 5
ip flow-export source lo0
ip flow-export destination 215.12.34.28 3434 sctp
 reliability full
 backup mode fail-over
 backup destination 215.12.34.27 3434
 backup fail-over 3000
 backup restore-time 30

int s0/1/0.204
 ip flow ingress
int s0/1/0.206
 ip flow ingress

RIP TO EIGRP – redistribution default metric

MTU: 1500
Reliability: maximum
Load: minimum
Delay: 10 milliseconds
Bandwidth: 100 Mb/s

What's the default-metric?

default-metric 100000 1000 255 1 1500
(bandwidth in kbps, delay in tens of microseconds, reliability 255 = best, load 1 = least, MTU in bytes)

EIGRP: 10 milliseconds is expressed as?

"1000"   (10 ms = 10,000 µs = 1000 units of 10 µs)

If you have a frame-relay MESH, the interfaces should be either what or what? They should also have the appropriate what, and have what disabled?

Multipoint subinterfaces or main interfaces
Appropriate map statements
Inverse ARP disabled

Using a map-class: this PVC has a 48 Kb/s CIR guarantee, with a peak of 64 Kb/s.

map-class frame-relay FR-QoS
 frame-relay cir 64000
 frame-relay mincir 48000

Practice conversion from milliseconds/microseconds bits/bits/mbits etc.

when you see:

 

router ospf 1

distance ospf intra-area 255 external 109

 

how would you remove this line of command?

router ospf 1

default distance ospf

neighbor 86.87.232.23 local-as 2 no-prepend replace-as dual-as


What does each bold item do?

no-prepend  Do not prepend local-as to updates from ebgp peers

replace-as  Replace real AS with local AS in the EBGP updates

dual-as  Accept either real AS or local AS from the ebgp peer

show ip bgp 86.87.0.0 255.255.255.0 longer-prefixes

 

shows what?

all BGP routes in the bgp table that start with 86.87.0.

 

— GENIUS

Configure a kron policy name Save

 

this should reoccur every 3 minutes

the config should be saved

the router should be reloaded

kron occurrence Save in 3 recurring

 policy-list Save

 

kron policy-list Save

 cli write memory

 cli reload running-config

spanning-tree mode mst

spanning-tree mst configuration

>

>

 

What’s missing?

spanning-tree mode mst

spanning-tree mst configuration

 name IPexpert

 revision 1

Rate Limit

2000 Kb/s

rate-limit output 2000000 a b

a = <1000-512000000>  Normal burst bytes
b = <2000-1024000000>  Maximum burst bytes

What are a and b? What is the formula?

rate-limit output 2000000 375000 750000

Normal burst bytes: CAR rate (bit/s) x (1/8) x 1.5, i.e. 1.5 seconds of traffic at the rate
Maximum burst bytes: double the normal burst
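To see what the burst formula above and the "single rate three color" policer from the police card do to actual traffic, here is an added Python simulation (not from the original notes). car_bursts applies the 1.5-second rule; SingleRateThreeColor implements the RFC 2697 two-bucket scheme, which is the behaviour of police cir ... bc ... be ..., not the exact CAR extended-burst algorithm; the class and function names and the packet traces are mine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

def car_bursts(rate_bps: int) -> Tuple[int, int]:
    """Cisco rule of thumb for rate-limit: normal burst = 1.5 s of traffic (rate/8 * 1.5 bytes),
    maximum burst = twice that."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal

@dataclass
class SingleRateThreeColor:
    """srTCM (RFC 2697) as used by 'police cir <bps> bc <bytes> be <bytes>': one rate, two buckets."""
    cir_bps: int
    bc_bytes: int
    be_bytes: int
    tc: float = field(init=False)   # committed bucket (conform)
    te: float = field(init=False)   # excess bucket (exceed)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tc = float(self.bc_bytes)   # both buckets start full
        self.te = float(self.be_bytes)

    def _refill(self, now: float) -> None:
        earned = (now - self.last) * self.cir_bps / 8   # bytes credited since the last packet
        self.last = now
        spill = max(0.0, self.tc + earned - self.bc_bytes)   # overflow of Bc feeds Be
        self.tc = min(float(self.bc_bytes), self.tc + earned)
        self.te = min(float(self.be_bytes), self.te + spill)

    def police(self, now: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"

def run(policer: SingleRateThreeColor, packets: List[Tuple[float, int]]) -> Dict[str, int]:
    """Count conform/exceed/violate over a (time, size) trace."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for t, size in packets:
        counts[policer.police(t, size)] += 1
    return counts

# Constructed traces (not from the page): a 1.5 MB burst at t=0, and a paced 1.2 Mb/s stream.
BURST = [(0.0, 1500)] * 1000
PACED = [(i * 0.01, 1500) for i in range(100)]

def demo(rate_bps: int = 2_000_000) -> Tuple[Dict[str, int], Dict[str, int]]:
    bc, be = car_bursts(rate_bps)
    return (run(SingleRateThreeColor(rate_bps, bc, be), BURST),
            run(SingleRateThreeColor(rate_bps, bc, be), PACED))

if __name__ == "__main__":
    print(car_bursts(2_000_000))   # (375000, 750000), as on the page
    print(demo())
```

With the page's 2 Mb/s numbers the burst splits into exactly 250 conforming, 500 exceeding and 250 violating 1500-byte packets, while a stream under the CIR never drains the committed bucket.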

Rate Limit

 

you have a router r8

 

[fa0/0]–attached to interface dialer1

 

Where do you place the rate-limit command?

on the interface fa0/0

EIGRP – 

r7 should perform equal-cost load-sharing traffic to lo0 of r4

 

How do we solve this?

equal-cost!!!! Means we DO NOT use variance
Multicast IPv4 – If you specify the multicast IPv4 address family, you can configure the router to exchange routes to multicast sources (as opposed to routes to unicast destinations).

ZBF – audit trail

conf t
policy-map type inspect z1-z2-pmap
 class type inspect service-cmap
  inspect | drop [log] | pass

You have configured the above. Now you would like an audit trail for logging. Where is this configured?

In a parameter-map of type inspect, which the inspect action then references:

parameter-map type inspect AUDIT-PMAP     (parameter-map name chosen here; it need not match the policy-map name)
 audit-trail on
policy-map type inspect z1-z2-pmap
 class type inspect service-cmap
  inspect AUDIT-PMAP

stg(config)#parameter-map type inspect z1-z2-pmap
stg(config-profile)#?
parameter-map commands:
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  dns-timeout     Specify timeout for DNS
  exit            Exit from parameter-map
  icmp            Config timeout values for icmp
  max-incomplete  Specify maximum number of incomplete connections before clamping
  no              Negate or set default values of a command
  one-minute      Specify one-minute-sample watermarks for clamping
  sessions        Maximum number of inspect sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows

BGP – changing the next-hop ip address of routes received via BGP using a “neighbor 1.1.1.1” statment?

 

How would you do that?

neighbor 1.1.1.1 route-map changenexthop in

 

route-map changenexthop permit 10

set ip next-hop peer-address

BGP – Need TEMPLATE ON HERE
create a frame-relay map class for the speed of 512Kb/s

map-class frame-relay hub-to-spoke

frame-relay cir 512000

frame-relay mincir 512000

CATX – You want to track the interfaces going to your upstream switches. If those go down, you want to bring down your connections to switchports.

 

this command starts with

 

link state track 1

—-

int range fa0/6 – 7

link state group 1 downstream

 

int range fa0/12 – 13

link state group 1 downstream

 

!upstream

 

int po32

link state group 1 upstream

 

int po42

link state group 1 upstream

R9(config-router)#redistribute connected metric 1 ?
  <0-4294967295>  EIGRP delay metric, in 10 microsecond units

You need to redistribute with a delay of 1 second: 1 s = 1,000,000 µs = 100000 units of 10 µs

100000

Redistribute anything into EIGRP: what metric should you be good at typing fast?

metric 10000 100 255 1 1500
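The delay-unit conversion here, the RIP-to-EIGRP default-metric card and the K-weights card all feed one formula. As an added example (not code from the original notes), the Python below implements the classic EIGRP composite metric from RFC 7868 with integer arithmetic and the unit conversions; the function names are mine, and IOS may round slightly differently for non-default K values.

```python
from typing import Tuple

# Added example: classic (32-bit) EIGRP composite metric and the unit conversions used with it.
K_DEFAULT: Tuple[int, int, int, int, int] = (1, 0, 1, 0, 0)   # K1..K5: bandwidth, load, delay, reliability, reliability

def ms_to_eigrp_delay(milliseconds: float) -> int:
    """EIGRP delay is configured in tens of microseconds: 10 ms -> 1000, 1000 ms -> 100000."""
    return int(round(milliseconds * 1000 / 10))

def eigrp_metric(bandwidth_kbps: int, delay_tens_us: int, reliability: int = 255,
                 load: int = 1, k: Tuple[int, int, int, int, int] = K_DEFAULT) -> int:
    """Composite metric from RFC 7868: 256 * (K1*BW + K2*BW/(256-load) + K3*delay) * K5/(K4+reliability),
    where BW = 10^7 / minimum bandwidth (kbps) and the K5 factor is skipped when K5 == 0.
    Integer arithmetic approximates IOS; exact rounding may differ for non-default K."""
    k1, k2, k3, k4, k5 = k
    if not (1 <= reliability <= 255 and 1 <= load <= 255):
        raise ValueError("reliability and load are 1..255")
    bw = 10_000_000 // bandwidth_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def default_metric_line(bw_kbps: int, delay_ms: float, reliability: int = 255,
                        load: int = 1, mtu: int = 1500) -> str:
    """Render the IOS 'default-metric' arguments for the given physical values."""
    return f"default-metric {bw_kbps} {ms_to_eigrp_delay(delay_ms)} {reliability} {load} {mtu}"

if __name__ == "__main__":
    print(default_metric_line(100000, 10))                 # the RIP -> EIGRP card
    print(eigrp_metric(100000, 1000))                      # 281600
    print(eigrp_metric(10000, 100))                        # also 281600: both "fast typing" metrics agree
    print(eigrp_metric(100000, 1000, k=(1, 1, 1, 1, 1)))   # 1024: the reliability factor 1/256 crushes the metric
```

The last line is why the K4/K5 reliability terms are almost never enabled: with reliability at its best value of 255 the factor K5/(K4+255) divides the whole metric by 256. Named-mode EIGRP with wide (64-bit) metrics uses a differently scaled formula, so these numbers apply to classic mode only.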

BGP – With a confederation, which location is the REAL AS?

router bgp X
 bgp confederation identifier X

bgp confederation identifier!!!! (router bgp X is the sub-AS)

BGP – Regex

sh ip bgp regex _____

I want to look for just routes originated in confederation 22:

*  193.44.0.7/32    193.44.0.22              0    100      0 (22) 17 i
*  193.44.0.8/32    193.44.0.22              0    100      0 (22) 17 218 i
*  193.44.0.21/32   193.44.0.22              0    100      0 (22) 17 218 ?
r> 193.44.0.22/32   193.44.0.22              0    100      0 (22) ?

sh ip bgp regexp ^_(22)$

*> 21.21.10.0/24    193.44.0.22              0    100      0 (22) ?
*> 21.21.11.0/24    193.44.0.22              0    100      0 (22) ?
*> 21.21.12.0/24    193.44.0.22              0    100      0 (22) ?

BGP – for an aggregate-address

21.21.0.0 255.255.0.0 attribute-map Aggr
21.21.0.0 255.255.0.0 route-map Aggr

route-map Aggr
 set community 52:2

Which would NOT work?

Neither: attribute-map and route-map are the same option, so both work.

you want to tell your neighbor to allow your AS to be shown in a route’s AS path.

your neighbor is 193.44.124.4.

 

What is the command?

neighbor 193.44.124.4 allowas-in 1

Here are good ones:
.*                         Matches anything
.+                         Match at least one character
^$                         Match routes local to this AS
_1800$                     Originated by 1800
^1800_                     Received from 1800
_1800_                     Via 1800
_790_1800_                 Passing through 1800 then 790
_(1800_)+                  Match at least one of 1800 in sequence
_(65350)_                  Via 65350 (confederation AS)
^[0-9]+$                   Match AS_PATH length of one
^[0-9]+_[0-9]+$            Match AS_PATH length of two
^[0-9]*_[0-9]+$            Match AS_PATH length of one or two
^[0-9]*_[0-9]*$            Match AS_PATH length of one or two, and will also match zero
^[0-9]+_[0-9]+_[0-9]+$     Match AS_PATH length of three
_(701|1800)_               Match anything which has gone through AS701 or AS1800
_1849(_.+._)12163$         Match anything of origin AS12163 and passed through AS1849
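The IOS meaning of "_" is what makes this list and the cheat sheet at the top of the page work, and it is not what a POSIX regex engine does with an underscore. As an added example (not from the original notes), the Python below translates the IOS "_" into an equivalent alternation and runs the cheat-sheet patterns against a constructed set of AS_PATH strings; SAMPLE_PATHS and the function names are mine, and confederation segments such as (22) are not modelled.

```python
import re
from typing import List

# Added example: IOS AS-path regex semantics in Python.
# In IOS, "_" matches a comma, brace, parenthesis, space, or the start or end of the
# string; Python's "_" is a literal underscore, so it is translated before compiling.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def ios_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an IOS-style AS-path regex (assumes no '_' inside character classes)."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))

def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the AS_PATH string as printed by 'show ip bgp' matches the pattern."""
    return ios_regex(pattern).search(as_path) is not None

def filter_as_paths(pattern: str, as_paths: List[str]) -> List[str]:
    """What 'ip as-path access-list N permit <pattern>' would let through from a table."""
    return [p for p in as_paths if as_path_matches(pattern, p)]

# Constructed AS_PATH strings (not from the page's output); "" is a locally originated route.
SAMPLE_PATHS = ["", "100", "100 200", "300 100", "300 100 200", "1000", "501", "501 7", "501 7 8"]

CHEAT_SHEET = {
    "^$": "locally originated",
    "^100_": "learned from AS 100",
    "_100$": "originated in AS 100",
    "_100_": "any instance of AS 100 (1000 must not match)",
    "^[0-9]+$": "directly connected ASes (AS_PATH length one)",
    "^501_[0-9]*$": "originated by AS 501 or one of its directly connected ASes",
    "^[0-9]+_[0-9]+$": "AS_PATH length two",
}

if __name__ == "__main__":
    for pat, meaning in CHEAT_SHEET.items():
        print(f"{pat:18} {meaning}: {filter_as_paths(pat, SAMPLE_PATHS)}")
```

The "1000" entry is the case that bites when a pattern is written with a bare "100" instead of "_100_": without the boundary, AS 1000 would match too.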

Some OER

oer master
 mode route metric bgp local-pref 500
 active-probe echo 193.44.0.21
 active-probe echo 193.44.0.22
 active-probe echo 193.44.0.23

ip prefix-list OER permit 193.44.0.21/32
ip prefix-list OER permit 193.44.0.22/32
ip prefix-list OER permit 193.44.0.23/32

oer-map AS469-OER
 match traffic-class prefix-list OER
 set mode route control
 set delay threshold 8
 set mode select-exit best
 set mode monitor active

If you have a serial cloud, point-to-multipoint R2-R4 and R2-R5, and R2 is configured with:

int s0/1/0
 ipv6 ospf 1 area 0
 ipv6 ospf network broadcast
 ipv6 ospf priority 255

Would the R4 and R5 adjacencies come up? They use s0/X/0 (main interface, no subinterface).

NO! You MUST put:

ipv6 ospf network broadcast

on both sides!

ospf distance command uses which IP address in bold?

 

router ospf 1

 distance 19 56.56.56.5 0.0.0.0 2

 access-list 2 permit 56.56.56.5 0.0.0.0

ospf neighbor router-id — NOT NEXT HOP IP ADDRESS!!!!

[r8:fa0/0]——[bb1:78.1.1.1]

 

You want to exchange MPLS labels with bb1. bb1 does not support link-level label exchange.

What two commands do you need to put in? One on the interface towards bb1 and the other in router bgp configuration mode.

int fa0/0

mpls bgp forwarding

 

router bgp 1

neighbor 78.1.1.1 send-label

 

R8#sh mpls forwarding-table

Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop

Label  Label or VC   or Tunnel Id      Switched      interface

16     No Label      78.78.78.7/32     0             Se0/0/0    point2point

17     Pop Label     78.1.1.1/32       0             Fa0/1      78.1.1.1


R8#sh mpls interface

Interface              IP            Tunnel   BGP Static Operational

FastEthernet0/1        No            No       Yes No     Yes


R8#sh ip bgp label

   Network          Next Hop      In label/Out label

   1.1.1.1/32       78.1.1.1        nolabel/imp-null

   24.24.24.2/32    78.1.1.1        nolabel/17

   78.78.78.7/32    78.78.78.7      16(from LDP)/nolabel

   78.78.78.8/32    0.0.0.0         imp-null(from LDP)/nolabel

 

ip dhcp excluded-address 10.8.45.4

!

ip dhcp pool R8

   host 10.8.45.8 255.255.255.0

   client-identifier 001b.d50f.f3e9

!

ip dhcp pool OTHERS

   network 10.8.45.0 255.255.255.0

 

int fa0/1.48

no ip address 10.8.45.4 255.255.255.0

pppoe enable group global

 

bba-group pppoe global

virtual-template 1

 

int virtual-template1

ip address 10.8.45.4 255.255.255.0

encapsulation ppp

peer default ip address dhcp-pool R8

ppp ipcp mask 255.255.255.0

int fa0/1

no ip address

pppoe-client dial-pool-number 1

 

int dialer 1

encapsulation ppp

ip address dhcp client-id FastEthernet0/1

mtu 1492

dialer pool 1

ppp ipcp mask request

EIGRP – Metric Weights

Default: BLDRM (Bandwidth, Load, Delay, Reliability, MTU)

Default K: 1 0 1 0 0

 

If you are going to enable Reliability; what would the K values be?

 

router eigrp

metric weights 0 _ _ _ _ _

metric weight 0 1 0 1 1 1

 

Why?? the last “1” – MTU must be on for the formula to calculate Reliability!

Pim v2?

 

what is it?

Boot Strap Router

.*

Matches anything

.+

Match at least one character

^$

Match routes local to this AS

_1800$

Originated by 1800

^1800_

Received from 1800

_1800_

Via 1800

_790_1800_

Passing through 1800 then 790

_(1800_)+

Match at least one of 1800 in sequence

_(65350)_

Via 65350 (confederation AS)

^[0-9]+$

Match AS_PATH length of one

^[0-9]+_[0-9]+$

Match AS_PATH length of two

^[0-9]*_[0-9]+$

Match AS_PATH length of one or two

^[0-9]*_[0-9]*$

Match AS_PATH length of one or two, and will also match zero

^[0-9]+_[0-9]+_[0-9]+$

Match AS_PATH length of three

_(701|1800)_

Match anything which has gone through AS701 or AS1800

_1849(_.+._)12163$

Match anything of origin AS12163 and passed through AS1849

Switch fallback bridging looks like..?

 

You have two VLANs, vlan1111 and vlan2222.

 

 

Then..how do you verify?

bridge 1 protocol vlan-bridge

 

interface Vlan2222

 bridge-group 1

 

interface Vlan1111

 bridge-group 1

 

Cat1#sh bridge group

 

Bridge Group 1 is running the VLAN Bridge compatible Spanning Tree protocol

 

   Port 32 (Vlan1111) of bridge group 1 is listening

   Port 31 (Vlan2222) of bridge group 1 is listening

Research this…

R1(config)#bridge ?

  <1-255>            Bridge Group number for Bridging.

  cmf                Constrained multicast flooding

  crb                Concurrent routing and bridging

  irb                Integrated routing and bridging

and…
R1(config)#bridge 1 protocol vlan-bridge ?
  <cr>
 

FEC

FED

FEE

FEF

 

are all site-local addresses.

An example:

int fa0/0

ipv6 add ?

int fa0/0

ipv6 add fec0:0:0:XXXX::5/64

 

where XXXX is the subnet

fe80::5 

 

what kind of ipv6 address?

link local

 

ipv6 add fe80::5 link-local

FRF.16 is also known as what?

 

what does it look like?

Multilink Frame-Relay

 

int mfr1

no keepalive

 

int mfr1.1 point-to-point

frame-relay interface-dlci 609

ip address 200.110.69.9 255.255.255.0

 

int s0/2/0

bandwidth 768

encapsulation frame-relay mfr1

no arp frame-relay

no shut

 

int s0/2/1

bandwidth 768

encapsulation frame-relay mfr1

no arp frame-relay

no shut

What does MLPPPoFR look like?

 

It does require frame-relay ____?

username R2 password ipexpert

 

map-class frame-relay 128K

 frame-relay cir 128000

 frame-relay bc 16000

 no frame-relay adaptive-shaping becn

 

int s0/1/0

encapsulation frame-relay

no frame-relay inverse-arp

no shut

frame-relay traffic-shaping

frame-relay class 128K

frame-relay interface-dlci 602 ppp virtual-Template 1

frame-relay interface-dlci 612 ppp virtual-Template 1

frame-relay interface-dlci 622 ppp virtual-Template 1

 

int virtual-template 1

bandwidth 128

ppp multilink

ppp multilink links minimum 3 mandatory

ppp authentication chap

ip address 200.110.245.6 255.255.255.0

 

 

Answer: Frame Relay Traffic Shaping

MPLS – How do you secure LDP and TDP?

mpls ldp neighbor x.x.x.x password ipexpert

 

for TDP – it’s not possible to do authentication

This isn’t coming up. What’s missing?

interface Serial0/2/0
encapsulation ppp
ppp multilink

interface Serial0/2/1
encapsulation ppp
ppp multilink

interface Virtual-Template69
ip address 70.18.69.9 255.255.255.240
ppp multilink
ppp multilink links minimum 2 mandatory

multilink virtual-template 69

In an NSSA OSPF area:

router ospf 1
area 12 nssa default-information-originate no-summary

How would you prevent this area from receiving a default route?

router ospf 1
no area 12 nssa default-information-originate no-summary

It will automatically be:
router ospf 1
area 12 nssa

Both “default-information-originate” and “no-summary” will generate a default route!

OSPF Type 0 authentication

> No Authentication

OSPF Type 1 authentication

> Plain text authentication

OSPF Type 2 authentication

> MD5 hash

If a router has s0/0/0 in RIP passive mode, would it send updates and/or receive updates?

In passive mode, the interface would only listen to RIP updates, but it DOES NOT send any updates!

BGP (as1)

On an inbound route-map from a neighbor 1.1.1.1

you want to remove the following community “no-advertise” but leave the others.

How would you do this?

ip community-list standard no-community permit no-advertise

route-map no-community
set comm-list no-community delete

router bgp 1
neighbor 1.1.1.1 route-map no-community in

BGP – if you want to activate and send vpnv4 information between BGP neighbors.

Do you need to activate the address family ipv4?

router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.9 remote-as 69
neighbor 187.42.0.9 password ipexpert
neighbor 187.42.0.9 update-source Loopback0
!
address-family ipv4
neighbor 187.42.0.9 activate
exit-address-family
!
address-family vpnv4
neighbor 187.42.0.9 activate
neighbor 187.42.0.9 send-community extended
exit-address-family

No!

router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.9 remote-as 69
neighbor 187.42.0.9 password ipexpert
neighbor 187.42.0.9 update-source Loopback0
!
address-family vpnv4
neighbor 187.42.0.9 activate
neighbor 187.42.0.9 send-community extended
exit-address-family

BGP – What show command to see vpnv4 BGP neighbor status?

sh ip bgp vpnv4 all summary

If you have two neighbors with the following:
R1
router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.6 remote-as 69
neighbor 187.42.0.6 transport connection-mode passive
R2
router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.6 remote-as 69
neighbor 187.42.0.6 transport connection-mode passive

What do you need to do to bring up the session during the troubleshooting lab?

R1
router bgp 69
neighbor 187.42.0.6 transport connection-mode active

Don’t delete the “transport connection-mode” on the routers!

What does this command do?

int mfr1
no keepalive

It turns off LMI in a back-to-back frame-relay configuration.

Configure frame-relay back-to-back. Do NOT use subinterfaces.

You have one end point; use dlci 609!

Your IP: 163.144.69.6 (R6)
You have two interfaces between router R9 and R6:
int s0/2/0
int s0/2/1

int mfr1
no keepalive
no frame-relay inverse-arp
ip add 163.144.69.6 255.255.255.0
frame-relay map ip 163.144.69.6 609 broadcast
frame-relay map ip 163.144.69.9 609 broadcast
no shut

int s0/2/0
encapsulation frame-relay mfr 1
no shut

int s0/2/1
encapsulation frame-relay mfr 1
no shut

When it says area 12 should not allow Type 7 LSAs.

What type of configuration under router ospf 1 would you put?

None.

Type 7 LSA is a: nssa

router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1

What will the 0.0.0.0/0 route look like?
O IA 163.144.245.0/24 [110/65] via 163.144.57.5, 00:00:02, FastEthernet0/0
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0

or

O*IA 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0

O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0

router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1 no-summary

What will the 0.0.0.0/0 route look like?
O IA 163.144.245.0/24 [110/65] via 163.144.57.5, 00:00:02, FastEthernet0/0
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0

or

O*IA 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0

O*IA 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0

router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1 no-summary

In 12.4T IOS what takes precedence, no-summary or default-information-originate?

no-summary ; can’t use both of them!

You are an OSPF border router R5. You’re connected to area 0 and area 57.
You have the following command
router ospf 1
area 57 nssa default-information-originate

Your OSPF neighbor has the following routes:
O IA 163.144.115.0/24 [110/2] via 163.144.57.5
O IA 163.144.245.0/24 [110/65] via 163.144.57.5
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:11:43

How would you prevent the IA routes (area 0) from entering this area 57?

ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0

router ospf 1
router-id 163.144.0.5
log-adjacency-changes
area 57 filter-list prefix DEFAULT in

R5(config-router)#area 57 authentication Enable authentication
default-cost Set the summary default-cost of a NSSA/stub area
filter-list Filter networks between OSPF areas

router ospf 1
area 28 filter-list prefix DEFAULT in

What does the “in” stand for?

R5(config-router)#area 28 filter-list prefix DEFAULT in Filter networks sent to this area
out Filter networks sent from this area
You have this:
R5(config-router)#
router ospf 1
redistribute static subnets
area 57 nssa default-information-originate metric-type 1

=remote router=
R7#sh ip route ospf
163.144.0.0/16 is variably subnetted, 3 subnets, 2 masks
O N2 163.144.0.11/32 [110/20] via 163.144.57.5
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5

How do you prevent the External Route (N2)? You cannot add another line of command under the R5 routing process.

router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1

You add the “no-redistribution” command!

Under OSPF you configured the following:

router ospf 1
router-id 163.144.0.1
summary-address 163.144.40.0 255.255.248.0
redistribute eigrp 121 subnets

R1#sh ip route ospf
55.0.0.0/22 is subnetted, 1 subnets
O E2 55.6.32.0 [110/20] via 163.144.15.5
O IA 163.144.57.0/24 [110/2] via 163.144.15.5
O 163.144.40.0/21 is a summary, 00:01:36, Null0

You are NOT allowed to have any routes auto generated! How do you resolve this?

router ospf 1
router-id 163.144.0.1
summary-address 163.144.40.0 255.255.248.0
no discard-route external

R1(config-router)#discard-route external Discard route for redistributed summarised routes
internal Discard route for summarised internal routes

You have the following configured:
router ospf 1
router-id 163.144.0.1
redistribute eigrp 121 subnets

Learned from EIGRP are the following subnets:
D EX 163.144.43.0/24
[170/284160] via 163.144.131.13
[170/284160] via 163.144.121.12
D EX 163.144.42.0/24
[170/284160] via 163.144.131.13
[170/284160] via 163.144.121.12

How do you summarize the following networks when redistributing into OSPF?

router ospf 1
summary-address 163.144.40.0 255.255.248.0
You want to configure a routing protocol on:

Cat1
Protocol is EIGRP. What do you need to enable first?

ip routing
ip cef distributed
When configuring RIP, what should it start out with:
router rip
no auto-summary
version 2
passive-interface default
no passive-interface if/if
When configuring EIGRP, what should it start out with:
router eigrp x
eigrp router-id 1.1.1.1
no auto-summary
Review these:

R5(config-router)#area 57 authentication Enable authentication
default-cost Set the summary default-cost of a NSSA/stub area
filter-list Filter networks between OSPF areas
nssa Specify a NSSA area
range Summarize routes matching address/mask (border routers only)
sham-link Define a sham link and its parameters
stub Specify a stub area
virtual-link Define a virtual link and its parameters

Quick notepad method for BGP templates:

router bgp 1
?

router bgp 1
template peer-session
template peer-policy
router bgp 1
template peer-policy AS1245-policy

What goes under here?

router bgp 1
template peer-policy AS1245-policy

route-reflector-client
send-community
next-hop-self
route-map
filter-list
distribute-list

router bgp 1
template peer-session AS1245-session

What goes under here?

router bgp 1
template peer-session AS1245-session
remote-as 1245
update-source lo0
ebgp-multihop
password
R4#sh ip bgp
BGP table version is 13, local router ID is 163.144.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete
Network Next Hop Path
*> 181.11.56.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.57.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.58.0/24 163.144.46.6 69 23 4000 e
*> 181.11.59.0/24 163.144.46.6 69 23 4000 e
*>i211.21.20.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
*>i211.21.21.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
*>i211.21.22.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
*>i211.21.23.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e

What’s wrong with the above routes?

The entries marked only with “*” (not selected as best with “>”) have a shorter AS path than the entries that were chosen as best.

After adding next hop self:

Network Next Hop Path
*> 181.11.56.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.57.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.58.0/24 163.144.46.6 69 23 4000 e
*> 181.11.59.0/24 163.144.46.6 69 23 4000 e
*>i211.21.20.0 163.144.0.5 21 2000 e
*>i211.21.21.0 163.144.0.5 21 2000 e
*>i211.21.22.0 163.144.0.5 21 2000 e
*>i211.21.23.0 163.144.0.5 21 2000 e

When configuring this towards router R5:

router bgp 7
bgp router-id 163.144.0.7
bgp confederation identifier 12457
bgp confederation peers 1245

neighbor 163.144.0.5 remote-as 1245
neighbor 163.144.0.5 update-source lo0
neighbor 163.144.0.5 ebgp
neighbor 163.144.0.5 transport connection-mode passive

What should be configured on the other end in regards to transport?

router bgp 1245
neighbor 163.144.0.7 transport connection-mode active
In a BGP speaker in autonomous system 6001, the bgp confederation peers command marks the peers from autonomous systems 6002 and 6003 as special EBGP peers. Hence peers 171.69.232.55 and 171.69.232.56 will get the local-preference, next-hop and MED unmodified in the updates. The router at 160.69.69.1 is a normal EBGP speaker, and the updates received by it from this peer will be just like a normal EBGP update from a peer in autonomous system 60000.

router bgp 6001
bgp confederation identifier 60000
bgp confederation peers 6002 6003
neighbor 171.69.232.55 remote-as 6002
neighbor 171.69.232.56 remote-as 6003
neighbor 160.69.69.1 remote-as 777

ip bgp-community new-format

router bgp 1245
bgp router-id 163.144.0.2
bgp confederation identifier 12457
bgp confederation peers 7

neighbor 163.144.0.4 remote-as 1245
neighbor 163.144.0.4 update-source lo0
neighbor 163.144.0.4 next-hop-self
neighbor 163.144.0.4 send-community

neighbor 163.144.222.22 remote-as 22
neighbor 163.144.222.22 send-community

Always do send-community in this confederation environment
You have this configuration; the other side is not coming up. Assume it is configured correctly. What is the problem?

R6:
interface MFR1
no ip address
no frame-relay map ip 163.144.69.6 609
no frame-relay map ip 163.144.69.9 609 broadcast
frame-relay interface-dlci 609 ppp virtual-template 1

int virtual-template1
ip address 163.144.69.6 255.255.255.0
ppp authentication chap
ppp chap hostname Router6
ppp chap password ipexpert

int virtual-template1
no ppp authentication chap

*Mar 1 01:07:19.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up.!

The other side is authenticating R6.

If you have the following PPP configuration; what should you remove?
int mfr1
no keepalive
no frame-relay inverse-arp
frame-relay map ip 163.144.69.9 609 broadcast
frame-relay map ip 163.144.69.6 609
frame-relay interface-dlci 609 ppp virtual-Template 1
int mfr1
no frame-relay map ip 163.144.69.9 609 broadcast
no frame-relay map ip 163.144.69.6 609
If you have the following configuration:
R6:
int virtual-template 1
ip add 163.144.69.6 255.255.255.0
ppp chap hostname Router6
ppp chap password ipexpert

R9:
int virtual-template 1
ip add 163.144.69.9 255.255.255.0
ppp authentication chap ForR6

Why do you have ppp authentication only on one side?

Because R9 is the authenticating router while R6 just presents credentials to R9. R9 was not allowed to present its credentials to R6.

You have this configuration; and you are required to self-ping. How would you do so?

interface MFR1
no ip address
no keepalive
frame-relay interface-dlci 609 ppp Virtual-Template1
no frame-relay inverse-arp

int virtual-template1
ip address 163.144.69.6 255.255.255.0
ppp authentication chap
ppp chap hostname Router6
ppp chap password ipexpert

R6#ping 163.144.69.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.144.69.6
…..
Success rate is 0 percent (0/5)

interface Virtual-Template1
no ip address 163.144.69.6 255.255.255.0
ip unnumbered lo1

int lo1
ip address 163.144.69.6 255.255.255.0

Note: be careful not to overwrite your existing loopbacks

You want your banner to say:

Welcome to this router named [R1]
You have connected to the domain [ipexpert.com]
You are on line [0]
Your line description is [vty0]

Replace the bracketed values with the banner tokens that display the current values even after a configuration change, so you never have to edit the banner.

banner exec *
Welcome to this router named $(hostname)
You have connected to the domain $(domain)
You are on line $(line)
Your line description is $(line-desc)
*
You have the following configuration:

banner exec *
This device is physically located at:
$(line-desc)
*

How do you get this to work?

line vty 0 5
location Equinox, 5th Floor, Ste 10, San Jose California
Enable QoS on Cat2. Ensure that received EF-marked packets keep the correct marking when they leave the switch on all ports.

mls qos
mls qos map cos-dscp 0 8 16 24 32 40 48 56

How do you verify when complete?

mls qos
mls qos map cos-dscp 0 8 16 24 32 46 48 56   (46 replaces the default 40 for CoS 5)

int range fa0/1 - 24 , gi0/1 - 2
mls qos trust dscp

Explanation:
By default, incoming DSCP value will be rewritten as COS5, which will further be rewritten to DSCP 40. We need to change this and rewrite COS5 to DSCP 46. In order to allow for this on all ports, we should trust incoming DSCP marking on the ports.

Verify: sh mls qos maps cos-dscp

You’re an NTP client:

Set your server to 6.6.6.6 and use a source of loopback 0.

ntp server 6.6.6.6 source loopback0 prefer
Set your clock for 14:00 on January 15th, 2010
clock set 14:00:00 15 January 2010
ip sla responder
ip sla responder udp-echo ipaddress localip port 6453

What is the purpose of the second line? Is it required?

(Optional) Required only if protocol control is disabled on the source. Permanently enables IP SLAs Responder functionality on the specified IP address and port.

Control is enabled by default.

You want to create a menu.

Use line-mode. The user can press x to exit the menu.

When users type “R1” they should ping “6.6.6.6”

You have a username and password of bryan that needs to access the menu when they telnet to the device.

menu Main line-mode
menu Main text R1 =Ping R1=
menu Main command R1 ping 6.6.6.6
menu Main text x Exit Menu
menu Main command x menu-exit

username bryan password bryan
username bryan autocommand menu Main

line vty 0 5
login local

IOS Menu

What does it start with? Name it MainMenu.

config t
menu MainMenu
IOS Menu:

You’re about to create the following menu:

menu Main single-space
menu Main line-mode
menu Main text R1 Ping R1
menu Main command R1 ping 1.1.1.1
menu Main text R2 Ping R2
menu Main command R2 ping 2.2.2.2
menu Main text x Exit Menu
menu Main command x menu-exit

What should you do BEFORE you start configuring it?

Save the configuration; if you mess up, reboot the device.

You have the following config. R5/R6 are configured as hub and spoke on s0/0/0.1. What’s missing in this config?

R2:
int s0/0/0
ipv6 add 2001::256:2/125
ipv6 add fe80::2 link-local
frame-relay map ipv6 fe80::5 205
frame-relay map ipv6 fe80::6 206
frame-relay map ipv6 2001::256:5 205 broadcast
frame-relay map ipv6 2001::256:6 206 broadcast
frame-relay map ipv6 2001::256:2 206

ipv6 router eigrp 256
eigrp router-id 2.2.2.2
no shut

no ipv6 split-horizon eigrp 256
You have the following configured already. Configure R2’s Gigabit Ethernet interface to drop ICMP type 0 and type 8 packets with a size from 250 to 300 bytes.

access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any echo

class-map match-all ICMP
match packet length min 250 max 300
match access-group 102

policy-map r2gi0/0
class ICMP
drop

int gi0/0
service-policy output r2gi0/0
service-policy input r2gi0/0

Note: No direction was specified!!!!

You have the following configured. What port will be allowed for telnet on this device?
line vty 0 4
rotary 5
300X, where X is the rotary number

Port 3005 and port 23

To have a router accept SSH connections on port 2009, what do you configure?
ip ssh port 2009 rotary 1

line vty 0 1081
rotary 1

You need to allow only 5.5.5.5 to telnet/ssh to a router using an extended ACL. You have already created your certificate.

You have this configuration:

access-list 5 permit 5.5.5.5
line vty 0 4
transport input ssh telnet
access-class 5 in

What is missing?

You are using SSH, you need to use username/password to login.

username cisco password cisco

line vty 0 4
login local

You have the following configuration; you want to allow the rest of the traffic through the firewall. Assume it is configured correctly. What do you need to add to the policy-map?
class-map type inspect zb-smtp
match protocol smtp

policy-map type inspect outside-to-inside
class type inspect zb-smtp
drop

class class-default
pass

DO NOT type in: class type inspect class-default (BAD!)

When you’re configuring ZBF, you have been told to put gi0/0 as unsecure and all other interfaces in a more secure zone.

List the types of interfaces on the router that could be one of those?

int fa0/0
int s0/0/0
int multilink69
int tunnel59
int lo0
int fa0/0.124
int gi0/0.123

Don’t forget!!!!

HSRP – You are running HSRP between R1/R2 for Cat1/Cat2:

R1–|
|–[CAT1]
R2–|–[CAT2]
|
|–[BB1]

You configure everything correctly and give R2 a priority of 120 to be the active gateway. You then realize you’re NOT active. You get on R1 and you realize you’re NOT active either. What do you need to do?

BB1 is configured with the highest priority and taking over the active role.

You need to configure authentication between R1/R2:

int gi0/0
standby 1 authentication md5 key-string ipexpert

Your IP is 8.8.8.8. Your BGP neighbor is 10.10.10.10.

Your interface between you and your neighbor is fa0/0.

Ensure that your 10.10.10.10 BGP neighbor is able to talk BGP with you. Ensure that no other devices on the same subnet or its directly connected BGP peers attempt a BGP session with you inbound on your peering interface.

ip access-list extended bgp-in
permit tcp host 10.10.10.10 host 8.8.8.8 eq bgp
deny tcp any any eq bgp
deny tcp any eq bgp any
permit ip any any

int fa0/0
ip access-group bgp-in in

You have the following configuration; you need to guarantee 25% of interface bandwidth for this traffic and not allow more than 50% of interface bandwidth to be used by it.

class-map match-all AF21
match dscp af21

policy-map task2.5
class AF21

What command(s) do you need on this interface?

int fa0/0

policy-map task2.5
class AF21
bandwidth percent 25
police rate percent 50

int fa0/0
service-policy output task2.5

You have the following configuration:

interface FastEthernet0/0.211
encapsulation dot1Q 11
ip address 1.1.1.1 255.255.255.0

You paste in the following configuration:

interface FastEthernet0/0.211
service-policy output AS21 <--- It does not take the command. Why not?

CBWFQ : Not supported on subinterfaces
You have a router R1 connected to BB1 via interface fa0/0.11

int fa0/0.11
encapsulation dot1q 11
ip add 192.168.58.1 255.255.255.0

class-map AS21
match dscp af31

policy-map AS21
class AS21
bandwidth 10

You want to apply the following service policy on fa0/0.11:
service-policy output AS21

What do you need to do?

class-map AS21
match dscp af31
match vlan 11

int fa0/0
service-policy output AS21

You have the following configuration. Under the class-map you want to match the access list AS22; how do you do that?
ip access-list extended AS22
permit ip any host 21.21.21.21
permit ip any host 121.121.121.121

class-map AS22

class-map AS22
match access-group name AS22
BGP – You are building an as-path access list. You have configured the following:

route-map R4-out permit 10
match as-path 53
set community local-as additive
route-map R4-out permit 20

Routes that have NOT traversed AS53 should be marked with a local-as community.

Write the as-path access list — Quickly!

ip as-path access-list 53 deny _53_
ip as-path access-list 53 permit .*
BGP – Write two community lists that match community 21:21 and name it BB1 and also another community list that matches community 22:22 named BB2.
ip community-list standard BB1 permit 21:21
ip community-list standard BB2 permit 22:22
BGP – In a route-map, if you want to match a specific community for a BGP neighbor and then set local preference, what do you need to do?
neighbor 163.144.0.5 route-map r5-set-LP-to-200 in
You need to MATCH a specific community. You can do this ONLY BY using a Community-list:

ip community-list standard BB1 permit 44:44

R4(config)#ip community-list standard BB1 permit <1-4294967295> community number
aa:nn community number
internet Internet (well-known community)
local-AS Do not send outside local AS (well-known community)
no-advertise Do not advertise to any peer (well-known community)
no-export Do not export to next AS (well-known community)

IPv6 EIGRP – You are configuring the following:

ipv6 unicast-routing

ipv6 router ospf 1
redistribute eigrp 1 subnets include-connected
router-id 1.1.1.1

Would the EIGRP 1 process get the networks based on the configuration above?

Dude — this command wouldn’t take.

ipv6 router ospf 1
redistribute eigrp 1 include-connected
router-id 1.1.1.1

The “subnets” does NOT take anymore for IPv6! 🙂

You’re configuring IPv6 EIGRP on a MLS named Cat2.

What is the first thing you would do?
Do YOUR BEST attempting the command(s) before looking at the answer!

sdm prefer dual-ipv4-and-ipv6 routing

Hope you chose routing! We are routing on these bad boys!

You have a hub and spoke frame-relay connection that you want to run multicast on.

R4 is the hub; s0/0/0
R2/R5 are the spokes; s0/1/0

You are running PIM sparse mode only. What interface commands do you need to make this happen?
ip multicast-routing has already been configured.

r4

int s0/0/0
ip pim sparse-mode
ip pim nbma-mode
ip pim dr-priority 100

r2/r5
int s0/1/0
ip pim sparse-mode
ip pim nbma-mode

When should you use the “ip pim nbma-mode” command in a frame-relay environment?
This command applies to only PIM sparse mode configurations because its functionality is dependent on the PIM sparse mode join message.

An alternative solution to using NBMA mode to configure IP multicast within a Frame Relay network is to use point-to-point subinterfaces for each of the remote sites. For the point-to-point subinterfaces solution, the partially meshed Frame Relay network is divided into a number of virtual, point-to-point networks using subinterfaces. Each new point-to-point subnetwork is assigned its own network number. To the routed protocol, each subnetwork now appears to be located on separate interfaces.

In a Frame Relay network that uses IP multicast, the benefits of point-to-point subinterfaces are as follows:

•No prune message override issues are associated with the partial mesh design of Frame Relay networks.

•They avoid limitations associated with pseudobroadcasts in a Frame Relay network because point-to-point subinterfaces are treated more like standard serial interfaces than LAN interfaces.

•They prevent Auto-RP issues related to multicast routers receiving dense mode traffic.

Note: If your network can support both the point-to-point subinterfaces and NBMA mode solutions, we recommend point-to-point subinterfaces because of its simplicity and ease of use with Auto-RP.

Is this correct?
cat4

ip multicast-routing distributed

int lo0
ip pim sparse-mode
ip igmp join-group 239.14.14.14

Yes!
Configure r1 and r9. R1 should set the time from loopback0 of r9 which would be configured for correct date, time and UTC+1 timezone.
r9

clock set 02:03:00 October 29 2011
clock timezone CET 1 0
ntp master 1
ntp source lo0

r1

ntp server 9.9.9.9 source lo0

Configure a router so that it can only be managed in the highest secure way possible. Make sure the login username and password “ip3xpert” is used, and for the enable password “ip3xpert” is used.

The users can only retry 2 times when the wrong credentials are used, and the timeout should be exactly 1 minute.

ip domain-name ipexpert.com
enable secret ip3xpert
username ip3xpert secret ip3xpert

crypto key gen rsa
2048

line vty 0 15
transport input ssh
login local

ip ssh version 2 (version 2 is more secure than v1)
ip ssh time-out 60
ip ssh authentication-retries 2

You need to put the following commands on this switch; what’s the correct order?
vtp mode server
vtp pruning
vtp domain Inexpert
vtp version 2
vtp password VTPpassword
vtp version 2 (cannot modify this in client mode)
vtp pruning
vtp mode server
vtp domain Inexpert
vtp password VTPpassword
On a switch; when you’re asked to run the latest VTP version..

What version is that?

vtp version
Most recent releases support VTP version 3!!!!
Be careful 🙂
On your VTP Server; you have the following configuration:

vtp version 2
vtp pruning
vtp mode server
vtp domain Inexpert
vtp password VTPpassword

What is required on the client switches?

vtp mode client
vtp password VTPpassword
vtp domain Inexpert

It will get the VTP version and Pruning settings.

On an access port; you are told to prevent sending DTP frames.

How would you configure that for an access port in vlan 5?
int fa0/1

int fa0/1
switchport mode access
switchport access vlan 5

On an access port; DTP is disabled automatically when you set static access mode. STATIC ACCESS MODE.

switchport mode access!

You have the following configuration; Ensure that the router uses the local credentials when logging in over the first 10 telnet sessions.

username ipexpert password lab
enable secret isthebest

aaa new-model
aaa authentication login default local

line con 0
login authentication default

line vty 0 9
login authentication default
privilege level 15

0-9!!!!! Not 0-10 – 🙂

Refresh your memory on the following topics!

ntp access-group {query-only | serve-only | serve | peer} access-list-number

Peer
Serve
Serve-only
Query-only

The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer— Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.

2. serve— Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

3. serve-only— Allows only time requests from a system whose address passes the access list criteria.

4. query-only— Allows only NTP control queries from a system whose address passes the access list criteria.

How do you define a range of ports fa0/21 - 24 as a macro called TRUNKS?

How do you access the Macro to apply configuration for the Trunks?

define interface-range TRUNKS fa0/21 - 24

interface range macro TRUNKS
switchport trunk encap dot1q
switchport mode trunk

What is the default frame-relay and lmi type?
frame-relay cisco
lmi type cisco
You have the following configuration; you need to ensure that frame-relay inverse-arp has been disabled. What change would need to be made
int s0/1/0
shut
encapsulation frame-relay
int s0/1/0.100 multipoint
ip add 172.18.100.2 255.255.255.192
frame-relay map ip 172.18.100.4 224 broadcast
frame-relay map ip 172.18.100.6 226 broadcast
frame-relay map ip 172.18.100.2 224
int s0/1/0
no shut
int s0/1/0
shut
no frame-relay inverse-arp
int s0/1/0.100 multipoint
no frame-relay inverse-arp

Frame Relay inverse-arp DOES NOT carry from physical interface to a multipoint subinterface!

Point-to-Point subinterfaces take the command but do not show it under the configuration.

PPP PAP – What do you need to do to send authentication (username/password) to the remote node
R2
interface Serial0/2/0
no shut
ip address 172.18.25.2 255.255.255.248
encapsulation ppp
ppp authentication pap
interface Serial0/2/0
ppp pap sent-username R2Lab password Inexpert
CHAP – You have the following configuration; You want R2 to challenge R5 and R5 should respond with a hostname of “Inexpert” and “Lab” for the password. What’s missing?

R2:
interface Serial0/2/0
ip address 172.18.25.2 255.255.255.248
encapsulation ppp
no peer neighbor-route

R5:
interface Serial0/2/0
ip address 172.18.25.5 255.255.255.248
encapsulation ppp

R2:
username Inexpert password Lab
interface Serial0/2/0
ppp authentication chap

R5:
interface Serial0/2/0
ppp chap hostname Inexpert
ppp chap password Lab

R5 does NOT need “ppp authentication chap” – R2 is the authenticator!

When you configure:

interface Serial0/2/0
no shut
ip address 172.18.25.2 255.255.255.248
encapsulation ppp
ppp authentication chap
no peer neighbor-route <<<<--- This. What do you have to do next?

You MUST shut/no shut the interface so that this command takes into effect.
R2#sh frame-relay lmi
LMI Statistics for interface Serial0/1/0 (Frame Relay DTE) LMI TYPE = CISCO
..
Num Status Enq. Sent 223 (this increments by 1)
Num Update Status Rcvd 0
Last Full Status Req 00:00:15 (every 10 seconds)

R2#sh frame-relay lmi
..
Num Status Enq. Sent 224 (this increments by 1)
Num Update Status Rcvd 0
Last Full Status Req 00:00:21 (every 10 seconds)

It resets every 60 seconds. So how many full requests per minute?

6 full requests per minute is the default!
If you see this:

interface Serial0/1/0
no ip address
encapsulation frame-relay
no frame-relay inverse-arp
frame-relay lmi-n391dte 2

How many seconds does it take before the full LMI update gets requested?

20 seconds!

If you changed this:

R2(config-if)#interface Serial0/1/0
R2(config-if)#keepalive <0-30> Keepalive period (default 10 seconds)

The changes would MODIFY the FRAME RELAY SWITCH. Don’t do it unless asked.

To unicast updates on RIP, it is required to provide the directly connected neighbor’s IP address and to disable multicast updates with passive interface.
Note: The redistribute CONNECTED route-map takes precedence on protocol redistribution.

For example: on R2:
router rip
redistribute connected route-map conn>rip

route-map conn>rip
match interface lo0

In a different task, where you redistribute OSPF into RIP, the OSPF directly connected interfaces WILL NOT be redistributed because the route-map conn>rip denies these interfaces. You will need to include the OSPF directly connected interfaces in order to obtain full reachability.

R6 must accept no more than 500 LSA and generate a warning when the database reaches 250 LSA

Try without looking!

router ospf 1
max-lsa 500 50 warning-only

R6(config-router)#max-lsa 500 <1-100> Threshold value (%) at which to generate a warning msg

R6(config-router)#max-lsa 500 50 ignore-count maximum number of times adjacencies can be suppressed
ignore-time time during which all adjacencies are suppressed
reset-time time after which ignore-count is reset to zero
warning-only Only give warning message when limit is exceeded

R6 must also silently discard LSA6 without generating error messages.

What is a type LSA6 and how do you do it?

R6(config-router)#ignore lsa Do not complain upon receiving LSA of the specified type

R6(config-router)#ignore lsa mospf MOSPF Type 6 LSA

Multicast OSPF!

Received this message:
R6(config-router)#
*Oct 30 23:44:18.199: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from 172.18.100.2, Serial0/1/0.100

Both end points had configured the virtual link pointing to each other. After troubleshooting; the router-id was wrong on R2.

R2(config-if)#router ospf 1
R2(config-router)#router-id 2.2.2.2
Reload or use “clear ip ospf process” command, for this to take effect
R2(config-router)#do clear ip ospf proc
Reset ALL OSPF processes? [no]: yes

R6(config-router)#
*Oct 30 23:44:19.535: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/1/0.100 from LOADING to FULL, Loading Done
You have the following interfaces; What would you configure to make the adjacency unicast
R4:
interface FastEthernet0/0
ip address 172.18.47.4 255.255.255.192
ip ospf 1 area 4.3.2.0

R7
interface FastEthernet0/0.47
encapsulation dot1Q 47
ip address 172.18.47.7 255.255.255.192
ip ospf 1 area 4.3.2.0

router ospf 1

interface FastEthernet0/0
ip ospf network non-broadcast

router ospf 1
neighbor 172.18.47.7

interface FastEthernet0/0.47
ip ospf network non-broadcast

router ospf 1
neighbor 172.18.47.4

Or you’ll get; *Oct 31 01:04:25.278: %OSPF-4-CFG_NBR_INVAL_NET_TYPE: Can not use configured neighbor: neighbor command is allowed only on NBMA and point-to-multipoint networks

On R3; Advertise Loopback 0 subnet into area 100. Configure this.

int lo0

router ospf 1

int lo0
ip ospf 1 area 100
ip ospf network point-to-point

Advertise Loopback 0 [subnet] into area 100

If you don’t set:

router ospf 1
area 0 authentication

And you create a virtual-link to extend area 0; what would you do on the virtual-link configuration
Use type 1 (clear text) authentication

endpoint 2.2.2.2 password is cisco

router ospf 1
area <transit-area-id> virtual-link 2.2.2.2 authentication authentication-key cisco

or

router ospf 1
area <transit-area-id> virtual-link 2.2.2.2 authentication message-digest message-digest-key 1 md5 cisco

For OSPF; what’s the default reference bandwidth?
sh ip protocols
Reference bandwidth unit is 100 mbps
When redistributing in the Lab:
1. From routing protocol to another; set metric and metric-type (if applicable) to help routing protocol choose better path (rip) or to easily identify route in routing table (i.e. E1)

So…
router rip
redistribute ospf 1 metric 3

router ospf 1
redistribute rip subnets route-map rip>ospf
route-map rip>ospf
set metric 10
set metric-type type-1

On R2: You have the following configuration. Everything shown meets the requirement. Something is missing. What is it?

router ospf 1
redistribute connected subnets route-map conn>ospf
redistribute rip subnets route-map rip>ospf

route-map rip>ospf permit 40
set tag 120
set metric 10
set metric-type type-1

route-map conn>ospf permit 20
match interface s0/2/0
set metric-type type-1

route-map conn>ospf permit 20
set tag 120

Don’t forget to set the tag to 120 just like your rip>ospf redistribution. Or you’ll lose points since you need all RIP networks (s0/2/0 being one of them) to be tagged.

Especially since you’ll be filtering on the tag to prevent RIP feedback routes.

When redistributing from one protocol to another;
You have the following: You need to get gi0/0 (interface from OSPF) into RIP. What’s missing and why?

R2:
router rip
redistribute connected route-map con-to-RIP
redistribute ospf 1 metric 2 route-map ospf>rip

router ospf 1
redistribute connected subnets route-map conn>ospf
redistribute rip subnets route-map rip>ospf

route-map conn>ospf permit 10
match interface Loopback1

route-map ospf>rip permit 40
set metric 3
set tag 110

route-map con-to-RIP permit 20
match interface gi0/0
set tag 110 !!!!IMPORTANT, your tagging in ospf>rip for filtering.
EIGRP – Defaults

Hello Timer:
Hold Timer:

Hello Timer: 5
Hold Timer: 15

By default, hello packets are sent every 5 seconds. The exception is on low-speed, nonbroadcast multiaccess (NBMA) media, where the default hello interval is 60 seconds. Low speed is considered to be a rate of T1 or slower, as specified with the bandwidth interface configuration command. The default hello interval remains 5 seconds for high-speed NBMA networks.

The default hold time is three times the hello interval, or 15 seconds. For slow-speed NBMA networks, the default hold time is 180 seconds.

EIGRP Hello/Hold Interval Timer

Set it to 5 times faster than the default

int fa0/0

int fa0/0
ip hello-interval eigrp 123 1
ip hold-time eigrp 123 5
Router id for:

BGP:
EIGRP:
OSPF:

[B]GP: bgp router-id
[E]IGRP: eigrp router-id

OSPF: router-id

On the test; EIGRP

Do not send updates out of unnecessary interfaces. What do you do?

router eigrp x
passive-interface default
no passive-interface x

-Just DO IT

EIGRP –

By default; EIGRP may use a maximum of __% of an interface’s bandwidth?

50%
You have the following configuration; What does 00:00:00 stand for
key chain EIGRP
key 3
key-string V3-BLUEPRINT
accept-lifetime 00:00:00 Jan 1 1993 00:00:00 Oct 18 2009
send-lifetime 00:00:00 Jan 1 1993 00:00:00 Oct 18 2009
key 4
key-string V4-BLUEPRINT
accept-lifetime 00:00:00 Oct 18 2009 infinite
send-lifetime 00:00:00 Oct 18 2009 infinite
00:00:00 Stands for midnight.

accept-lifetime 00:00:00 Jan 1 1993 00:00:00 Oct 18 2009

Accept at midnight Jan 1 1993 (beginning of the day)

Is this correct or the other one?

route-map conn>eigrp permit 20
match interface s0/2/0
set tag 120
set metric 100000 100 255 1 1500
route-map conn>eigrp permit 30
match interface fa0/1
set tag 120
set metric 100000 100 255 1 1500
=or========
route-map conn>eigrp permit 20
match interface s0/2/0
match interface fa0/1
set tag 120
set metric 100000 100 255 1 1500
Both work!
You’re configuring RIP. You have the following;

R5(config-router)#distance 171 A.B.C.D IP Source address

You want to configure this distance for routes that match access list 5 and for all source address. How would you configure it
access-list 5 deny 2.2.2.2
access-list 5 deny 11.11.11.11
access-list 5 permit any

router rip
distance 171 0.0.0.0 255.255.255.255 5
You have the following BGP routes:

*>172.17.1.0/24
*>172.17.2.0/24
*>172.17.3.0/24
*>172.17.4.0/24

Use only a single line standard numbered access-list to match even prefixes in the third octet on R8 and do R7 for odd prefixes in the third octet.

R7:
R8:

R8: (even prefixes)
access-list 5 permit 0.0.0.0 255.255.254.255

R7: (odd prefixes)
access-list 5 permit 0.0.1.0 255.255.254.255

You have the following BGP AS1 routes:

*>172.17.1.0/24
*>172.17.2.0/24
*>172.17.3.0/24
*>172.17.4.0/24

On R5, configure an inbound route-map to not advertise (no-export) 172.17.2.0/24 and 172.17.3.0/24. You are allowed to use a single line extended named access-list. Your neighbor is 7.7.7.7.

R5
router bgp 1
neighbor 7.7.7.7 route-map no-export in

ip access-list extended no-export
permit ip 172.17.2.0 0.0.1.255 host 255.255.255.0

route-map no-export permit 10
match ip address no-export
set community no-export
route-map no-export permit 20

The access-list seems more similar to a prefix list:
host 255.255.255.0 (represents the prefix length)

You have the following configured:
R2(config-if)#do sh run int g0/0
interface GigabitEthernet0/0
ip address 172.18.29.2 255.255.255.0
ip ospf 1 area 92
duplex auto
speed auto
media-type rj45
end

You add the following command:
int gi0/0
ip vrf forwarding r2r9

What will be removed by adding this command?

>Both IP address AND ip ospf 1 area 92 command
-Be careful and look at the interface before applying cmd!

R2(config-if)#int g0/0
R2(config-if)#ip vrf forwarding r2r9
% Interface GigabitEthernet0/0 IP address 172.18.29.2 removed due to enabling VRF r2r9
R2(config-if)#
*Oct 2 15:06:20.559: %OSPF-5-ADJCHG: Process 1, Nbr 9.9.9.9 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-if)#
*Oct 2 15:06:20.563: %OSPF-6-PROC_REM_FROM_INT: OSPF process 1 removed from interface GigabitEthernet0/0

With IPv6 and frame-relay; do you need to map the IPv6 address of your own interface?
IPv6 does not require a map for the interface’s own address.
IPV6 Frame-relay – Do not map link local address on spoke-to-spoke
RIPng – In RIPng does the process name have to match on each router?
Note: RIPng process name is only locally significant, it may be different on different routers.
When configuring BGP. You have iBGP peers between R2 and R4. You are about to configure iBGP ipv6 neighbors.

What’s the first thing you should do
router bgp 100

router bgp 100
no bgp default ipv4-unicast

We need to use IPv6 address family without sending IPv4 prefixes since there is already an IPv4 neighbor relationship between R2 and R4.

You have the following configured and BGP routes are NOT showing up in the RIP neighbor router. What’s wrong
router bgp 100
neighbor 2001:cc13:100::4 remote-as 100

address-family ipv6 unicast
neighbor 2001:cc13:100::4 activate
redistribute rip Inexpert include-connected

ipv6 router rip Inexpert
redistribute bgp 100 metric 2

As with IPv4, the IPv6 address family has the same safety feature that prevents iBGP routes from being redistributed into an IGP. Since R2 and R4 are iBGP neighbors, the command “bgp redistribute-internal” under the IPv6 address-family is needed in order to modify the default behavior.
If you configured:

address-family ipv6
bgp redistribute-internal

Then did a show run | s router b; where would this command be?

router bgp 100
bgp log-neighbor-changes

address-family ipv6
bgp redistribute-internal
redistribute rip Inexpert include-connected
exit-address-family

You have the following config; You are redistributing RIP between R2 and a cat1 switch advertising its loopback.

What’s missing in order to get its routes into BGP? Assume RIP is configured correctly.

R2
router bgp 100
neighbor 2001:CC13:100::2 remote-as 100

address-family ipv6
neighbor 2001:CC13:100::2 activate
bgp redistribute-internal
redistribute rip Inexpert
exit-address-family

address-family ipv6
redistribute rip Inexpert include-connected

You would only have cat1’s loopback. This would be advertised to all other iBGP neighbors from R2 but the network between R2-Cat1 would not be.

ip pim send-rp-announce

RP or RP-Mapping agent?

R2(config)#ip pim send-rp-announce – Auto-RP send RP announcement

Answer: RP

ip pim send-rp-discovery

RP or RP-Mapping agent?

R2(config)#ip pim send-rp-discovery – Auto-RP send RP discovery message (as RP-mapping agent)

Answer: RP-Mapping agent

Who is this

(*, 224.0.1.39), 00:26:41/stopped, RP 0.0.0.0, flags: DC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:

from candidate RP routers
Auto-RP Filters

ip pim rp-announce-filter

When using Auto-RP, configure the ip pim rp-announce-filter global configuration command on Auto-RP mapping agent routers to filter Auto-RP announcement messages that arrive on group 224.0.1.39 from candidate RP routers. This command prevents unwanted candidate RP announcement messages from being processed by the mapping agent. Unwanted messages could interfere with the RP election mechanism of the mapping agent.

The following example shows how to configure the router to accept announcements from RP addresses 10.0.0.1 and 10.0.0.2. This router is also configured to accept announcements for all groups.

ip pim rp-announce-filter rp-list 1 group-list 2
access-list 1 permit 10.0.0.1
access-list 1 permit 10.0.0.2
access-list 2 permit 224.0.0.0 15.255.255.255

When using PIM Sparse mode in an NBMA environment like Frame Relay, you need to make sure you enter ip pim nbma-mode on the hub of the Frame Relay network. That command disables the split horizon rule (traffic coming into the interface is not sent back out that same interface), so after you enable it, “show ip mroute” lists neighbor IPs in the OIL (Outgoing Interface List) instead of just the serial interface.

Notice that ip pim nbma-mode works only for sparse-mode groups: when you enable it on an interface that has sparse-dense mode enabled you will get a warning that basically means this feature is only valid for sparse groups.

(2.2.2.2, 225.4.3.2), 00:00:14/00:03:24, flags: FT
Incoming interface: Loopback1, RPF nbr 0.0.0.0, Registering
Outgoing interface list:
Serial0/1/0.100, 172.18.100.6, Forward/Sparse, 00:00:14/03:15
Candidate RPs only need to be able to communicate with the mapping agent, and the routers in the domain need to be able to communicate with the mapping agent; from that we can understand that we need to watch our RPF path to the mapping agent.
Multicast – You have been asked to configure ip pim sparse-mode on all your interfaces and use Auto-RP between your devices.

What is the FIRST thing that should come to your mind that needs to be configured?

ip pim autorp listener
When in the troubleshooting lab and you are troubleshooting a multicast routing lab.

What is recommended you do first?

Before starting it is recommended to draw a simple diagram with the routers and the interfaces participating in multicast routing.
Multicast – You have the following configuration:

R2(config)#ip pim send-rp-discovery lo1 scope 20

You want to advertise the discovery messages to all autorp routers on 224.0.1.40. The advertise interval should be set to 5 seconds to speed up the rp convergence.

What is missing from this command?

R2(config)#ip pim send-rp-discovery lo1 scope 20 interval <1-16383> number of seconds
You have the following configuration: Shape dscp cs2 and cs1 traffic to 32k, using a Tc interval of 10ms. What’s the value for the 10ms, and where do you place it in the configuration?
class-map match-any DSCP-CS2-CS1
match dscp cs2
match dscp cs1

policy-map s0/2/0-policy
class DSCP-EF
priority 64
class DSCP-CS2-CS1
shape average 32000
class class-default
fair-queue

policy-map s0/2/0-policy
class DSCP-EF
priority 64
class DSCP-CS2-CS1
shape average 32000 320
class class-default
fair-queue
To retain dscp values, you have to enable mls qos on all switches and trust the dscp value on all used ports (trunks and access)

Learn more about this!

In a multilayer switch; 3560 – by default, the dscp values of _-_ are mapped to queue 1 threshold 1.

This is where you would put voice traffic! This is also known as the priority queue.

DSCP values 40-47!
Reflexive ACL:

ip access-list extended in-r8
permit tcp host 172.18.18.1 eq bgp host 172.18.18.8
permit tcp host 172.18.18.1 host 172.18.18.8 eq bgp
evaluate reflected

ip access-list extended out-r8
permit ip any any reflect reflected

int fa0/0.18
ip access-group in-r8 in
ip access-group out-r8 out


MAC ACL

int gi0/0
mac-address 0000.0000.0022

mac access-list extended r2-r9-only
permit host 0000.0000.0022 host 0000.0000.0099
permit host 0000.0000.0099 host 0000.0000.0022

vlan access-map r2-r9-only 10
action forward
match mac address r2-r9-only

vlan filter r2-r9-only vlan-list 29

Cat1(config-if)#switchport port-security violation protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode

What does protect do?

It silently drops unauthorized frames
Cat1(config-if)#switchport port-security violation protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode

What does restrict do?

It silently drops unauthorized frames AND causes the security violation counter to increment
Cat1(config-if)#switchport port-security violation protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode

What does shutdown do?

Puts the interface into error-disabled state immediately and sends an SNMP trap notification
ip http server
ip http max-connections 7
ip http access-class 7
ip http port 8080

ip http secure-server
ip http secure-port 8443

access-list 7 permit 172.18.7.7
access-list 7 permit 7.7.7.7

R5#sh ip http server all

There is something in this list that is missing; what is it
R2
int gi0/0
description VLAN 29
standby version 2
standby 210 ip 172.18.29.1
standby 210 priority 5
standby 210 preempt
standby 210 mac-address CC13.CC1E.CC13
standby 210 track Serial0/2/0
standby 210 track Serial0/1/0.100
int gi0/0
standby 210 name VLAN29-HSRP
What is the default port state on a Cat 3560
Think Trunk or Access.
switchport mode dynamic auto

-Note: you won’t see this

If you’re configuring VLANs; and when you try to create vlan 1006 you get the following error:
*Mar 1 04:31:25.047: %PM-4-EXT_VLAN_INUSE: VLAN 1006 currently in use by Port-channel12
*Mar 1 04:31:25.047: %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 1006: VLAN(s) not available in Port Manager
What’s the problem?

vlan 20
vlan 2006
vlan 3006
vlan 40
vlan 50
vlan 25
vlan 30
vlan 16
vlan 1006
It’s possible that vlan 1006 is already in use as an internal vlan, servicing the port-channel. In this case, simply shut down the port-channel to free this vlan from internal use. Or modify the “vlan internal allocation policy ascending/descending” setting in order to allocate internal vlans starting from 1006 or from 4094, but this requires a reload to take effect.
When configuring the following VLANs:
vlan 20
vlan 2006
vlan 3006
vlan 40
vlan 50
vlan 25
vlan 30
vlan 16
vlan 1006

Don’t automatically assume you’ll be using VTP transparent on ALL SWITCHES; maybe just the ones that you will be configuring extended VLANs on. Read carefully.

If you’re asked to shut down all remaining switch to router ports, look at your diagram. Some of the router ports might be shut down and there is a cable to the switch but it is not in the diagram. Those need to be shut down as well!
You have two MST instances 0 and 1. Configure R2 to be the root of all VLANs.

R2:

spanning-tree mst 0-1 priority 0
Configuring frame-relay; you have been asked:

Configure R2–R5 (frame-relay with no frame-relay switch)

You are not allowed to disable LMI to accomplish this task.

What command(s) do you need to perform on one of the routers?

frame-relay switching

int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce

Configuring Frame Relay; you have been asked to set the interface speed and bandwidth to 128k. You are using virtual-templates for PPP authentication.

How would you do that?

int s0/2/0
clock rate 128000 (-duh!)

int virtual-template1
bandwidth 128

🙂

When asked to set the clock rate on the following interfaces: Go ahead and add what?

int s0/2/0
clock rate 64000
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert
no shut

int s0/2/1
clock rate 128000
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert

int s0/2/0
clock rate 64000
bandwidth 64
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert
no shut

int s0/2/1
clock rate 128000
bandwidth 128
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert

When configuring RIP and you are doing a unicast neighbor adjacency between two endpoints, is the following correct
R1
int fa0/0
description to R2
ip address 192.168.60.1 255.255.255.252

router rip
passive-interface default
neighbor 192.168.60.2

Yes! Unicast updates in RIP require a passive interface and neighbor statement(s).
You have been asked to not elect a DR/BDR on frame relay links, and you are not allowed to create host routes. Which network type do you use?
ip ospf network point-to-point
ip ospf network point-to-multipoint
ip ospf network point-to-point. Multipoint will generate /32 host routes
By default OSPF assigns a __ Cost to 100 Mbps links
If you put in the following configuration:

router ospf 1
auto-cost reference-bandwidth 1000

What will the default cost be for a 100 Mbps link?

By default (reference bandwidth 100 Mbps) a 100 Mbps link gets a cost of 1. With auto-cost reference-bandwidth 1000, a cost of 1 is used for 1000 Mbps links and a cost of 10 for 100 Mbps links.

So for the 100 Mbps link it would then be:

Cost of 10

You have a router; R2. You have been told to redistribute rip into OSPF, do not accept more than 200 prefixes, and generate a warning when 200 prefixes are redistributed. How would you do this
router ospf 1
router ospf 1
redistribute maximum-prefix 200 100

If you were to put WARNING-ONLY; it would DISABLE maximum limit!

R6(config-router)#redistribute maximum-prefix <1-4294967295> Maximum number of IP prefixes redistributed

R6(config-router)#redistribute maximum-prefix 200 <1-100> Threshold value (%) at which to generate a warning message
warning-only Only give warning message when limit is exceeded

R6(config-router)#redistribute maximum-prefix 200 war
R6(config-router)#redistribute maximum-prefix 200 warning-only ?

R6(config-router)#redistribute maximum-prefix 200 100 warning-only Only give warning message when limit is exceeded

If you are on R2; you are running both OSPF and RIP and EIGRP.

You have been asked to redistribute RIP into EIGRP so that your EIGRP router R6 will have the 10.10.10.0/24 network. This network is known via all routing protocols.

You look in your routing table on R2 and you indeed have the 10.10.10.0/24 network.

You apply the redistribution command and you look on R6. You do NOT see the route. You have configured redistribute correctly. What is the problem and how do you resolve it?

R2 is learning the 10.10.10.0/24 route via OSPF. This will not get redistributed into EIGRP.

To solve. You need to lower the AD of RIP to 109 on R2. This is lower than OSPF. Then R6 will start getting the routes! 🙂

You’re pasting the following commands in; will it work the first time?
neighbor 6.6.6.6 inherit peer-policy as300-policy
neighbor 6.6.6.6 inherit peer-session as300-session
neighbor 4.4.4.4 inherit peer-policy as300-policy
neighbor 4.4.4.4 inherit peer-session as300-session
R5(config-router-ptmp)#neighbor 6.6.6.6 inherit peer-policy as300-policy
% Specify remote-as command first
R5(config-router)#neighbor 6.6.6.6 inherit peer-session as300-session
R5(config-router)#neighbor 4.4.4.4 inherit peer-policy as300-policy
% Specify remote-as command first
R5(config-router)#neighbor 4.4.4.4 inherit peer-session as300-session

Nope! You need to use policy first; it has the “remote-as” command!

neighbor inherit peer-policy (1st)
neighbor inherit peer-session (2nd)

What is special about this network

R8#sh ip bgp 4.4.4.0
BGP routing table entry for 4.4.4.0/24, version 44
Paths: (2 available, best #2, table Default-IP-Routing-Table, RIB-failure(17))
Flag: 0x820
Advertised to update-groups:
1
500
4.4.4.4 (metric 2818560) from 4.4.4.4 (4.4.4.4)
Origin IGP, metric 0, localpref 100, valid, external
500
172.27.3.5 from 172.27.3.5 (5.5.5.5)
Origin IGP, localpref 100, valid, external, best

The Flag: 0x820 — Appears after enabling:

router bgp 5
network 4.4.4.0 mask 255.255.255.0 backdoor <<--

You are BGP peered with your neighbor via loopback0 and sourced from loopback0. You learn his loopback via BGP and the neighbor adjacency goes down every 180 seconds.

Why?

Advertising the loopback network via BGP will cause the BGP prefix to be installed in the RIB, since the eBGP administrative distance is 20. This means you are creating a recursive routing problem for the loopback prefixes: the peering address is reached via a route learned through that very peering.

You will see BGP flapping every 180 seconds, the default hold timer, since loopbacks become unreachable.

You need to create a one line as-path access list that denies AS1 or AS2 in any as-path.

Don’t configure anything under router BGP

ip as-path access-list 1 deny _(1|2)_
Enable IPv6 RIP and name it RnS on interface fa0/0 and lo0.

Is this “name” locally significant?

ipv6 router rip RnS

int fa0/0
ipv6 rip RnS enable

int lo0
ipv6 rip RnS enable

Yes it is!

You need to create an EIGRP IPv6 default route to be originated from R9 going to R6 using interface mu1. You are R9. There are no static routes on R9 and you cannot add one.

R9:

ipv6 router eigrp 96

ipv6 router eigrp 96
ipv6 summary-address eigrp 96 ::/0
When doing redistribution in the lab; don’t ALWAYS tag unless there is a full circle of mutual redistribution. I just spent 20 minutes on redistribution and tagging in IPv6 and when I was done, there wasn’t a full circle. — Waste of time!
IPv6 Tunnels:

You have to choose between:

R2(config-if)#tunnel mode ipv6ip 6to4 IPv6 automatic tunnelling using 6to4
auto-tunnel IPv6 automatic tunnelling using IPv4 compatible addresses
isatap IPv6 automatic tunnelling using ISATAP

You are not allowed to configure EUI-64 addresses. Which one should you choose?

tunnel mode ipv6ip 6to4

Note: using ISATAP uses EUI-64 IPv6 addresses

Regarding this tunnel mode:

tunnel mode ipv6ip 6to4

>What is the 6to4 used for?
>What is the reserved network for this?
>Give an example for 6.6.6.6 as the source?

>What is the 6to4 used for:
Used to allow IPv6 to talk to other IPv6 over legacy IPv4 networks. The 6to4 tunnel address is derived from source interface IPv4 address in the format 2002:border-router-IPv4-address::/48. You convert from IPv4 (dotted decimal) to Ipv6 (hexadecimal). This is easy for loopback addresses.

2.2.2.2 is ipv6 address 2002:202:202::2/64 (if it was R2 and applied to an interface)

5.5.5.5 is: 2002:505:505::/48

6.6.6.6 is: 2002:606:606::/48

>What is the reserved network for this:
2002::/16

IPv6 6to4 tunnel.

Configure a static route to the reserved tunnel network?

ipv6 route 2002::/16 Tunnel0
IPv6 default route to 2002:606:606::5
ipv6 route ::/0 2002:606:606::5
What is this configuration:
R2:
ipv6 unicast-routing

int tu0
ipv6 add 2002:202:202::2/64
tunnel source lo0
tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:606:606::6
ipv6 route ::/0 2002:606:606::5

R5:
int tu0
ipv6 add 2002:505:505::5/64
tunnel source lo0
tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 tu0

IPv6 6to4 Tunnel Configuration. R2 is a router with a default route to R5 and R6. R5 is a head-end with one single route into the IPv6 6to4 reserved tunnel network.
Which RP will be preferred
Group(s) 225.0.0.0/8
RP 5.5.5.5 (?), v2
Info source: 172.27.54.5 (?), via bootstrap, priority 0, holdtime 150
Uptime: 00:04:51, expires: 00:01:38

RP 10.10.10.10 (?), v2
Info source: 172.27.61.10 (?), via bootstrap, priority 255, holdtime 150
Uptime: 00:04:02, expires: 00:02:23

The LOWEST priority. RP 5.5.5.5
You have configured the following; What is missing?

mls qos
mls qos aggregate-policer 7and8 500000 62500 exceed-action policed-dscp-transmit
mls qos map policed-dscp 46 to 26

class-map DSCP-EF
match ip dscp EF

policy-map agg
class DSCP-EF
police aggregate 7and8

int fa0/7
service-policy input agg

int fa0/7
mls qos trust dscp

How do you apply an aggregate policer to an interface?
mls qos aggregate-policer 7and8 500000 62500 exceed-action policed-dscp-transmit
mls qos map policed-dscp 46 to 26
class-map DSCP-EF
match ip dscp EF

policy-map agg
class DSCP-EF
police aggregate 7and8

int fa0/7
mls qos trust dscp
service-policy input agg

You configured the following; what should you do as well?

username noc priv 15 secret adminop

aaa new-model
aaa authentication login default none
aaa authentication login VTY group radius local

radius-server host 172.27.64.66 key IPexpert

line vty 0 15
login authentication VTY

line con 0
login authentication default

How would you apply this to the control plane?
class-map match-any protocols
match protocol bgp
match protocol ospf

class-map match-all telnet
match protocol telnet

policy-map cp
class protocols
class telnet
police rate 30 pps

control-plane
service-policy cp in

R7(config-cp)#service-policy input cp
Unsupported protocol in ‘match protocol’
Unsupported protocol in ‘match protocol’
error: failed to install policy map cp
R7(config-cp)#exit

You CAN’T use “match protocol” in a control-plane policy!

Tunnels –

You are going to do Q-in-Q tunneling. What additional size 802.1Q tag will be used to transport tagged traffic?

4 Bytes for this additional tag.

Raise MTU to 1504

Tunnels –

You are going to do Q-in-Q tunneling.
You are also (after looking ahead) doing MPLS (2 tags)

What MTU value should be set on the Cat switches?

4 Bytes for this additional tag.

Raise MTU to 1504 on Cat switches for Q-in-Q
Raise MTU to 1512 on Cat switches for the 2 additional 4-byte MPLS tags

Answer: 1512

When you are using Q-in-Q and dot1q trunks, errdisable can block ports because it detects a recursion; this happens when a Q-in-Q port receives a frame with the well-known reserved multicast MAC address 01-00-0c-cd-cd-d0.

You are using vlan 666 and 999.

In this case; you can safely disable ________ because you are controlling the propagation of vlan 666 and 999 on trunks.

Answer: l2ptguard

no errdisable detect cause l2ptguard

When configuring the bandwidth command, what should you ALWAYS do as well?

int s0/2/0
bandwidth 256
peer default ip address pool r9-s0/2/0
backup interface s0/2/1
backup delay 0 30
int s0/2/0
clock rate 256000

You have the following configuration; what are the 0 and 30 for?

int s0/2/0
peer default ip address pool r9-s0/2/0
backup interface s0/2/1
backup delay 0 30
The “delay” parameters control the preemption: the first is the delay before switching to the backup when the primary fails, the second is the delay before preempting back to the primary once it is restored.

You have two interfaces.

You want to put the command “backup interface” on the backup interface for s0/2/0. Where do you place it? Also, how do you verify your backup configuration?

R1
int s0/2/0
int s0/2/1

R2
int s0/2/0
int s0/2/1

Is it placed on both routers?

R1
int s0/2/0
int s0/2/1

R2
int s0/2/0
backup interface s0/2/1
int s0/2/1

show backup

No, only on one side.

You are configuring the hub R6 for ODR routing.
Your stub neighbor is R9. You have three interfaces: fa0/0, fa0/1, s0/1/0. Your neighbor is connected to you on s0/2/0 and s0/2/1. Configure on-demand routing so that R9 obtains reachability within 15 seconds.

r6
int fa0/1
no cdp enable
int s0/1/0
no cdp enable

cdp timer 5
cdp holdtime 15

router odr

r9
cdp timer 5
cdp holdtime 15

ip ospf mtu-ignore is required only on which device?
[R1:1500]—-[CAT1:1512]
[R1:1504]—-[CAT2:1500]
This is only required on the device with the smaller MTU.

[R1:1500](here)—-[CAT1:1512]
[R1:1504]—-(here)[CAT2:1500]

When looking at OSPF neighbors:

R1#show ip ospf neighbor
10.7.80.80 1 FULL/BDR 00:00:37
10.7.1.1 1 1 EXSTART/DROTHER 00:00:37

This is Normal or Not Normal?

Not Normal. Neighbor 10.7.1.1 is in EXSTART. There is an MTU mismatch between R1 and this 10.7.1.1 switch!

Everything should paste correctly, correct?
router ospf 1
router-id 10.7.70.70
area 100 virtual-link 10.7.10.10
neighbor 10.75.1.80

router ospf 100 vrf V7
router-id 10.7.70.70
area 100 virtual-link 10.7.10.10

Wrong. Haha. Okay; you CANNOT use the same router-id for two different OSPF processes.

R7(config)#router ospf 100 vrf V7
R7(config-router)#router-id 10.7.70.70
OSPF: router-id 10.7.70.70 in use by ospf process 1

You are on R1. Your OSPF topology is:
[R1]—100—[R8]—100—[R7]
|
|
600
|
|
[cat1]

On R1 you just summarized a block of IP addresses (10.7.0.0/16) to cat1 with the command:
router ospf 1
area 100 range 10.7.0.0 255.255.0.0
R7 now has this route. How do you resolve this?
All existing ospf configuration is correct.

R1:
router ospf 1
area 0 filter-list prefix filter-to-area-0 in

ip prefix-list filter-to-area-0 deny 10.7.0.0/16
ip prefix-list filter-to-area-0 permit 0.0.0.0/0 le 32

R1 has a virtual link to R7 via area 100!

Be careful! 🙂

You are R1 running OSPF and EIGRP. You are told you have to advertise your Loopback0 as an EIGRP external route, but you may NOT redistribute connected. How would you do it?

Advertise the route into another protocol and then perform redistribution.

You are on R1. You have configured the following:
R1:
int lo0
ip add 10.7.60.1 255.255.255.0

int fa0/1
ip summary-address eigrp 16 10.7.0.0 255.255.0.0
ip summary-address eigrp 16 10.75.0.0 255.255.0.0

These two summaries are to be propagated to Cat1, which is already an EIGRP neighbor via fa0/1.

Cat1 only has a 10.75.0.0/16 route via EIGRP and NOT the 10.7.0.0/16 route. Why not? How do you resolve?

A summary is NOT advertised until at least one more-specific route is learned via EIGRP or advertised locally. In this case, advertise Loopback0 in EIGRP on R1 to have the 10.7.0.0/16 summary advertised to Cat1.

On R1, you have configured the following. What is missing?
int fa0/1
ip summary-address eigrp 16 10.7.0.0 255.255.0.0
ip summary-address eigrp 16 10.75.0.0 255.255.0.0

router rip
redistribute eigrp 16 route-map eigrp>rip
route-map eigrp>rip deny 10
match tag 120
route-map eigrp>rip permit 20
set tag 9016
set metric 3

When performing redistribution, pay attention to summary routes. EIGRP summary routes are installed in the routing table as EIGRP internal routes to Null0, so they get picked up by the redistribution into RIP. During redistribution tasks, remember to filter out the summaries to avoid unwanted propagation of these routes into other domains.

ip prefix-list SUMMARY permit 10.7.0.0/16
ip prefix-list SUMMARY permit 10.75.0.0/16

route-map eigrp>rip deny 15
match ip address prefix-list SUMMARY

EIGRP – Unicast Updates

Your neighbor is: 10.75.90.20
You can get to it via fa0/0.20

router eigrp 126
eigrp router-id 10.7.10.10
no auto-summary
network 10.75.90.10 0.0.0.0

router eigrp 126
neighbor 10.75.90.20 fa0/0.20

OSPF – Unicast Updates

Your neighbor is: 10.75.90.20
You can get to it via fa0/0.20

router ospf 1
router-id 10.75.90.10

router ospf 1
neighbor 10.75.90.20

int fa0/0
ip ospf network non-broadcast

RIP – Unicast Updates

How do you verify if unicast is being sent to your neighbor via EIGRP?
R1#sh ip eigrp int detail

IP-EIGRP interfaces for process 126
Hello interval is 5 sec
Next xmit serial
Un/reliable mcasts: 0/0 Un/reliable ucasts: 3/3
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is md5, key-chain is “EIGRP”
Use unicast
Can you take this route-map and turn it into the one below?

route-map eigrp>rip permit 10
match tag 160
set metric 6
route-map eigrp>rip permit 20
match tag 9016
set metric 6
route-map eigrp>rip permit 30
match tag 110
set metric 6

This one:
route-map eigrp>rip permit 10
match tag 160 9016 110
set metric 6

Yes!
You are redistributing from AS 90126 into RIP. Connected to RIP are two stub networks: EIGRP 9016 and ODR (tag 160). What is missing for statement 20?
route-map eigrp>rip deny 10
match tag 120
route-map eigrp>rip 20

route-map eigrp>rip permit 30
match tag 110
set metric 6
route-map eigrp>rip permit 40
set tag 90126
set metric 3

route-map eigrp>rip deny 20
description no need to put these stub networks back into RIP
match tag 160 9016

BGP – It is BEST PRACTICE to peer using loopbacks for iBGP neighbors.
BGP – Don’t ALWAYS assume that because you have two RRs in a BGP AS you need to use BGP cluster-ids.

Save this for when each client is peering to both. I just made a mistake!

Configure an as-path access-list for traffic destined to AS 2
_2$
BGP –

Is MED compared after or before as-path?

MED is compared after as-path.
BGP –

You have two peers, one in AS1234 and one in AS01234. Your routers are R1 and R2. AS1234 is advertising a MED of 10000 via peer 1, and a MED of 500 is received from peer 2 in the other AS.

Which Path is preferred?

By default, MED is compared only if the prefix is received from neighbors in the same AS!
You are R7. You look at R8’s BGP table for routes terminating or originating inside AS 6427.
R8#sh ip bgp regex ^6427$
Network Next Hop Metric
*> 10.7.90.0/24 10.75.1.70
* i 10.7.10.10 0

R8 has a backup path through another iBGP neighbor. You want to influence R8 to use its iBGP neighbor. How would you do this?
1. Create an as-path access-list
2. Build the route-map
3. Apply it to your 10.75.1.80 neighbor (R8)
4. Your BGP AS is 6427

router bgp 6427
neighbor 10.75.1.80 route-map med-out out

ip as-path access-list 7 permit ^$

route-map med-out permit 10
match as-path 7
set metric 1000
route-map med-out permit 20

Results:
R8#sh ip bgp regex ^6427$
Network Next Hop Metric
r 10.7.90.0/24 10.75.1.70 1000
r>i 10.7.10.10 0

BGP/MPLS/OSPF SHAM LINK

int lo7
ip vrf forwarding V7
ip add 10.78.7.7 255.255.255.255

router ospf 100 vrf V7
area 0 sham-link 10.78.7.7 10.78.4.4

router bgp 6427
address-family ipv4 vrf V7
network 10.78.7.7 mask 255.255.255.255

int lo4
ip vrf forwarding V4
ip add 10.78.4.4 255.255.255.255

router ospf 100 vrf V4
area 0 sham-link 10.78.4.4 10.78.7.7

router bgp 6427
address-family ipv4 vrf V4
network 10.78.4.4 mask 255.255.255.255

IPv6 –

To simplify the IPv6 deployment, configure the IPv6 address using the name “V6NET” representing the first 16 bits.

R6:
s0/1/0 FE80::60
s0/1/0 FC05::60/64

Configure it:
ipv6 unicast-routing
int s0/1/0

ipv6 unicast-routing
ipv6 general-prefix V6NET FC05::/16

int s0/1/0
ipv6 add fe80::60 link-local
ipv6 add V6NET ::60/64

IPv6 –

You’re spoke router R4; your hub router is R2, reached via DLCI 602 with the IPv6 host address ::20. What is missing?
int s0/1/0
ipv6 add fe80::60 link-local
ipv6 add V6NET ::60/64
frame-relay map ipv6 fe80::20 602 broadcast
frame-relay map ipv6 fc05::20 602
frame-relay map ipv6 fc05::40 602

Nothing! When you are a spoke, you only need to map the link-local address of the hub (link local 🙂) and then map the global IP address to that DLCI.

If you were a HUB (like R2); it would look like this:

int s0/1/0
frame-relay map ipv6 fe80::60 206 broadcast
frame-relay map ipv6 fc05::60 206
frame-relay map ipv6 fe80::40 214 broadcast
frame-relay map ipv6 fc05::40 214

IPv6 –

You have to configure the IPv6 address:

R7:
fa0/1 FE80::70
fa0/1 FC05:0:0:30::70/64

Configure a general prefix for this network representing the first 16 bits. Name it “V6NET”

ipv6 unicast-routing
ipv6 general-prefix V6NET FC05::/16

int fa0/1
ipv6 add fe80::70 link-local
ipv6 add V6NET ::30:0:0:0:70/64

Note: A general prefix always terminates with a double colon (“::”), precluding (making impossible) the use of another double colon in the remainder of the address.

IPv6 – Remember, with IPv6 you don’t need to map your own IP address to the DLCI to be able to ping it.

aaa new-model
enable password cisco

[what’s missing here?]

config t
aaa authentication login default none
aaa authentication login VTY local
aaa authorization exec VTY local

username cisco priv 15 view root password cisco
username restricted priv 15 view restricted password lame

parser view restricted
secret cisco
commands exec include ping
commands exec include show
commands exec include exit

ip domain-name ipexpert.com
crypto key gen rsa
1024

line vty 0 15
transport input ssh
login authentication VTY
authorization exec VTY

enable view root

(confirm with “show parser view”)

You have a router R1 providing DHCP to a switch. You are performing static assignment for the Cat1 IP address.

By default, a client-identifier is 01 + the MAC address. But when option 82 information is enabled it becomes a 63-byte string (a HUGE client-identifier).

To accept the DHCP request with the Option 82 information from Cat1 you must trust the information relayed from Cat1 on Gi0/0.21.

What is the command?

int gi0/0.21
ip dhcp relay information trusted

Context Help:

R1(config-if)#ip dhcp relay information …
trusted Received DHCP packet may contain relay info option with zero giaddr

R1(config-if)#ip dhcp relay information trusted

Add a crypto key using only one command! This should be used for SSH.
crypto key gen rsa general-keys modulus 1024
You have the following NAT configuration. Can you NAT to other “outside” interfaces if the NAT-to IP is directly connected to your gi0/0.26 interface?

int gi0/0.1
ip nat inside

int gi0/0.26
!ip add 70.18.26.2 255.255.255.0
ip nat outside
int gi0/0.25
ip nat outside
int s0/1/0.215
ip nat outside

ip nat inside source static tcp 70.18.21.21 22 70.18.26.10 22

access-list 1 permit 70.18.21.0 0.0.0.255
ip nat pool vlan21 70.18.26.150 70.18.26.150 prefix-length 24
ip nat inside source list 1 pool vlan21 overload

Yes!
IPv6 – What is the 6to4 tunnel network prefix?
This is the prefix that you would create the static routes to.

Source this tunnel from the new loopback4, with IP address 120.49.64.4/32. What is the HEX value?

The remote 6to4 tunnel will be sourced from 3.3.3.3 with the last IPv6 octet being ::13. Use ::4 on R4.

Create the loopback and the tunnel!

Create the static route to this 6to4 tunnel

2002::/16

Hex: 7831:4004 > 2002:7831:4004::4

Hex: 0303:0303 > 303:303 > 2002:303:303::13

int lo4
ip add 120.49.64.4 255.255.255.255

int tu0
ipv6 add 2002:7831:4004::4/128
tunnel source lo4
tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 tu0

IPv6 OSPF neighbor unicast adjacency:
Problem: multicast is blocked on the LAN
Note: IPv6 uses neighbor discovery to map directly connected neighbors on a network, and neighbor discovery relies on the multicast address FF02::1 for the routers to reach each other. Since the neighbor discovery messages are not getting through, the IPv6 equivalent of “ARP” cannot map the directly connected neighbors, so static entries are needed.
What needs to be configured on each router?

r1
int fa0/0
ipv6 ospf network non-broadcast
ipv6 ospf neighbor fe80::2

r2
ipv6 ospf network non-broadcast
ipv6 ospf neighbor fe80::1

r1

ipv6 neighbor 2120:49:44::2 fa0/0 0019.0606.71c1

r2

ipv6 neighbor 2120:49:44::1 fa0/0 0019.0606.71c2

IPv6 – How do you disable RIP split horizon in IPv6?
ipv6 router rip RIPng
no split-horizon

REVIEW –

ip nbar port-map http tcp 80 8080 8088

time-range work-weekdays
periodic weekdays 8:00 to 16:59

access-list 108 permit ip any any time-range work-weekdays

class-map match-any SITES
match protocol http host *youtube.com
match protocol http host *facebook.com

class-map BLOCK-SITES
match access-group 108
match class-map SITES

policy-map block-websites
class BLOCK-SITES
drop

int s0/0/0
service-policy output block-websites

ACL – Create an access-list numbered 146 to match DSCP EF
access-list 146 permit ip any any dscp ef
Custom Queuing –

What does it start with in EXEC mode?

queue-list 1

Custom Queuing – Review

access-list 146 permit ip any any dscp ef

queue-list 1 protocol ip 0 list 146
queue-list 1 protocol ip 1 tcp telnet
queue-list 1 protocol ip 2 tcp ftp
queue-list 1 default 3

int s0/1/0
custom-queue-list 1

Custom Queuing –

What does it start with in interface mode?
How do you verify it (“show”)?

int s0/1/0
custom-queue-list 1

show queueing custom

SNMP – Allowing RO or RW from SNMP Networks/Host:

ip access-list standard SNMP-WRITE
permit host 10.75.40.45

ip access-list standard SNMP-READ
permit 10.75.0.0 0.0.255.255

snmp-server community ADMINS rw SNMP-WRITE
snmp-server community MONITOR ro SNMP-READ

SNMP – Sending Traps

You have enabled the following SNMP Traps on R1

snmp-server enable traps ospf state-change
snmp-server enable traps config

Send traps to 10.75.40.45 using version 2c and password TRAP! whenever the router is configured or an OSPF adjacency experiences a state change.

snmp-server host 10.75.40.45 version 2c TRAP! config ospf

SNMP – Turning on Traps

Turn on the SNMP Trap for when a router is configured

snmp-server enable traps config

SNMP – Enable the administrators to reload the router via SNMP
snmp-server system-shutdown
IPS – You have to protect an MS-SQL server listening on TCP and UDP ports 1433-1434 from attacks. Use the built-in intrusion prevention system signatures on R9. The server IP address is 10.7.90.100. When an attack is detected, generate a syslog message.

You have configured the following access list already:

access-list 101 permit tcp any host 10.7.90.100 range 1433 1434
access-list 101 permit udp any host 10.7.90.100 range 1433 1434

Apply the IPS to s0/2/0 and s0/2/1

ip ips notify log
ip ips name MS-SQL list 101

int s0/2/0
ip ips MS-SQL in

int s0/2/1
ip ips MS-SQL in

Security – Limit DoS attacks

You have the following access list already created:

access-list 101 permit tcp any host 10.7.90.100 range 1433 1434
access-list 101 permit udp any host 10.7.90.100 range 1433 1434

Limit the impact of DoS attacks using an IOS security feature. Allow a maximum of 100 incomplete TCP sessions and randomly drop connections when this limit is reached.

ip tcp intercept list 101
ip tcp intercept max-incomplete low 100 high 100
ip tcp intercept drop-mode random
CBAC – Create a CBAC inspect name called “PERMIT-JAVA”. Make sure that only the users that match access list 10 are permitted to use Java.

access-list 10 permit 192.168.60.0 0.0.0.255

ip inspect name PERMIT-JAVA http java-list 10
ip inspect name Internet ftp
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet icmp router-traffic

int fa0/0
ip access-group Internet in
ip inspect Internet out

ip access-list extended Internet
deny ip any any

Spanning-tree –

Enable 802.1w

Rapid STP
Spanning-tree –

Enable 802.1s

Multiple Instance STP
Frame-Relay –
What is NOT possible with the configuration below?

int s0/1/0
encapsulation frame-relay ietf
no frame-relay inverse-arp
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
frame-relay map ip 192.168.254.5 506
bandwidth 128

int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
bandwidth 128
no frame-relay inverse-arp
frame-relay interface-dlci 516

You cannot put “no frame-relay inverse-arp” on sub-interfaces. Move it to the interface.

R5(config-if)#int s0/1/0.1 point-to-point
R5(config-subif)#ip add 192.168.253.5 255.255.255.128
R5(config-subif)#no frame-relay inverse-arp
R5(config-subif)#bandwidth 128
R5(config-subif)#frame-relay interface-dlci 516

R5#sh run int s0/1/0.1
!
interface Serial0/1/0.1 point-to-point
bandwidth 128
ip address 192.168.253.5 255.255.255.128
frame-relay interface-dlci 516
end

If you are told to configure RFC 1490/2427 (IETF) on R2 s0/1/0.1 and the remaining interfaces will use the default, what’s missing?

int s0/1/0
encapsulation frame-relay
ip add 192.168.253.6 255.255.255.128

int s0/1/0.1 multipoint
ip add 192.168.254.6 255.255.255.128
bandwidth 128
no frame-relay inverse-arp
frame-relay map ip 192.168.254.2 602
frame-relay map ip 192.168.254.5 605
frame-relay map ip 192.168.254.6 605

int s0/1/0.1 multipoint
ip add 192.168.254.6 255.255.255.128
bandwidth 128
no frame-relay inverse-arp
frame-relay map ip 192.168.254.2 602 ietf
frame-relay map ip 192.168.254.5 605 ietf
frame-relay map ip 192.168.254.6 605 ietf

If you are told you are NOT allowed to use inverse-arp on the R2 sub-interface, what is missing?

int s0/1/0
encapsulation frame-relay ietf

int s0/1/0.1 point-to-point
ip add 192.168.254.2 255.255.255.128
bandwidth 128
frame-relay interface-dlci 206

Nothing; you are already NOT using frame-relay inverse-arp on the sub-interface!

If you are told to configure RFC 1490/2427 on R2 s0/1/0 and the remaining interfaces will use the default, what’s missing?

int s0/1/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
bandwidth 128

int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
bandwidth 128
frame-relay interface-dlci 516

int s0/1/0
encapsulation frame-relay ietf <<<

int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
bandwidth 128
frame-relay interface-dlci 516 cisco <<<

PPP –

When configuring PPP, you can disable the automatic host routes if both sides are in the same subnet (unless you are restricted from doing so). How do you do that?

no peer neighbor-route

FRAME RELAY – Is the following configuration possible? Reference the inverse arp!

int s0/1/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.253.6 255.255.255.128
bandwidth 128
frame-relay map ip 192.168.253.5 615

int s0/1/0.1 multipoint
ip add 192.168.254.6 255.255.255.128
bandwidth 128
no frame-relay inverse-arp

Yes – You HAVE to put “no frame-relay inverse-arp” on multipoint sub-interfaces when you are asked to disable it.

If you are told to set the interface bandwidth to 128k bps, would you do it on the s0/1/0 interface or the s0/1/0.1 sub-interface?

int s0/1/0
shut
encapsulation frame-relay ietf
no frame-relay inverse-arp
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
frame-relay map ip 192.168.254.2 506
frame-relay map ip 192.168.254.5 506

int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
frame-relay interface-dlci 516 cisco

Both!
int s0/1/0
shut
encapsulation frame-relay ietf
no frame-relay inverse-arp
bandwidth 128
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
frame-relay map ip 192.168.254.2 506
frame-relay map ip 192.168.254.5 506

int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
frame-relay interface-dlci 516 cisco
bandwidth 128

PPP –

Note: On PPP links it’s expected NOT to ping the same-interface address.

PPPoE Client – New Commands

int fa0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 1

int dialer1
mtu 1492
ip add negotiated
encapsulation ppp
ppp chap password Secure
dialer pool 1
dialer persistent <<<<<<<

R1(config-if)#dialer persistent Configure dialing without interesting traffic

PPPoE Server – New Command

int virtual-template 1
ip address 192.168.48.2 255.255.255.128
peer default ip address pool R1
encapsulation ppp
ppp authentication chap
no peer neighbor-route

Gets rid of this:

R2(config)#do sh ip route
C 192.168.48.1/32 is directly connected, Virtual-Access1.1

You are peering Cat3 to BB2 on vlan 12 using RIP. You’re not learning routes. Then you debug and see:
Cat3#debug ip rip
*Mar 1 05:11:41.075: RIP: ignored v2 update from bad source 22.22.22.22 on Vlan12
You enter “router rip” and then “no validate-update-source”.
You then learn your routes:
Cat3#sh ip route rip
R 192.168.243.0/24 [120/1] via 22.22.22.22, 00:00:01
R 192.168.242.0/24 [120/1] via 22.22.22.22, 00:00:01
R 192.168.241.0/24 [120/1] via 22.22.22.22, 00:00:01
R 192.168.240.0/24 [120/1] via 22.22.22.22, 00:00:01

Since you had to put in “no validate-update-source” – something must be wrong with the source. You do a “show ip route 22.22.22.22” and there isn’t a route. What do you do? You cannot ping any of your RIP routes!

Cat3#sh ip route 22.22.22.22
% Network not in table

Cat3(config)#ip route 22.22.22.22 255.255.255.255 vlan 12

Cat3#sh ip route 22.22.22.22
Routing entry for 22.22.22.22/32
Known via “static”, distance 1, metric 0 (connected)
Redistributing via rip
Advertised by rip
Routing Descriptor Blocks:
* directly connected, via Vlan12
Route metric is 0, traffic share count is 1

You are on Cat3 trying to send a RIP summary address out vlan 12 to BB1. You get the following error:

Cat3(config)#int vlan 12
Cat3(config-if)#ip summary-address rip 192.168.0.0 255.255.0.0
Summary mask must be greater or equal to major net
Cat3(config-if)#

What do you need to do?

You have to do manually what summarization does automatically:
>Configure a static route to null with less preferred AD
>Redistribute static into RIP
>Filter all other RIP routes to BB1

ip prefix-list SUMMARY-ONLY permit 192.168.0.0/16

router rip
redistribute static metric 1
distribute-list prefix SUMMARY-ONLY out vlan 12

RIP – If in the Lab; you are using 192.168.x.0 subnets all over the network.

You do NOT need to set “passive-interface default” — since all the networks are class C.

So, when you are advertising a loopback0 (192.168.6.1) interface; you can just do what instead?

router rip
network 192.168.6.0
passive-interface loopback 0

Create an access-list 7 that matches only routes whose third octet is ODD.
access-list 7 permit 0.0.1.0 255.255.254.255
OSPF –

When in the lab and you see two partitioned areas (area 12) for example. How would you repair this partitioned area to have consistent routing?

You cannot use virtual-links in this case, because a virtual link always belongs to area 0. You would create a tunnel interface instead.

If you were asked not to add IP addresses, here is how you would perform this on the area border routers:

int tu0
ip unnumbered lo0
ip ospf 10 area 12
tunnel source gi0/1
tunnel destination 192.168.79.4

int tu0
ip unnumbered lo0
ip ospf 10 area 12
tunnel source fa0/0
tunnel destination 192.168.92.2

Redistribution –

Just because you have all interfaces covered in a routing protocol and you are doing mutual redistribution and tagging in the entire network DOES NOT MEAN that you will have full reachability.

Depending on the underlying topology, you may need to redistribute connected!!!!!!!!

What’s missing, unless otherwise stated?
router bgp 1
bgp router-id 1.1.1.1
aggregate-address 172.31.132.0 255.255.252.0

summary-only as-set

BGP –

Cat4 is advertising the following summary:
router bgp 344
aggregate-addr 172.31.132.0 255.255.252.0 summary-only as-set

On R8(AS 289) you want to (upon receiving the agg) advertise the following networks that are currently NOT in the BGP routing table and keep them in this AS:
172.31.132.0/24
172.31.134.0/24

Top: [Cat4:192.168.72.4]—Ethernet—[R8:.8]

What would you use to make this happen and how?

>BGP inject-map

ip prefix-list cat4-summary permit 172.31.132.0/22
ip prefix-list SUMMARY permit 172.31.132.0/24
ip prefix-list SUMMARY permit 172.31.134.0/24
ip prefix-list ROUTE-SOURCE permit 192.168.72.4/32

route-map INJECT permit 10
set ip address prefix-list SUMMARY
set community no-export

route-map EXISTS permit 10
match ip address prefix-list cat4-summary
match ip route-source prefix-list ROUTE-SOURCE

router bgp 289
bgp inject-map INJECT exist-map EXISTS

Your device is R9. It’s connected to R7 via its fa0/0 to fa0/1.45 on R7. You need to summarize the networks on the following two serial interfaces towards R7.

int s0/2/0
ipv6 add 2001:196::9/112
ipv6 rip IPv6RIP enable

int s0/2/1
ipv6 add 2001:169::9/112
ipv6 rip IPv6RIP enable

Once you have created the summary, you’ll also need to have this summary installed on R7 with a metric of 6. Looking at R7’s routing table, it currently has a metric of 2.

R9
int fa0/0
ipv6 add 2001:45::9/112
ipv6 enable
ipv6 rip IPv6RIP enable
ipv6 rip IPv6RIP summary-address 2001:100::/24

R7
int fa0/1.45
ipv6 rip IPv6RIP metric-offset 5
(this is applied inbound on R7 since summaries are applied in incoming direction)

Look at your favorites under “CCIE R&S” for a CCIE Pilot link to learn more about IPv6 summary.

QoS –

Configure CAT2 port fa0/8 for queue 1 to shape outgoing traffic to 2% of interface bandwidth. Do not use a service policy to accomplish this task

int fa0/8
srr-queue bandwidth shape 50 0 0 0

Cat2#sh mls qos int fa0/8 queueing
FastEthernet0/8
Egress Priority Queue : disabled
Shaped queue weights (absolute) : 50 0 0 0

Recall that the shaped bandwidth is 1/weight, so to obtain 2% of the bandwidth you configure a weight of 50: 1/50 = 0.02, that is 2%.

Cisco recommends the following values for the normal and extended burst parameters:

normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
extended burst = 2 * normal burst

You have four switches interconnected with spanning-tree. You have the following configuration. What is needed on cat1/2?

cat4

vlan 789
remote-span
monitor session 1 source interface fa0/7 - 9 both
monitor session 1 destination remote vlan 789

cat3

vlan 789
remote-span
monitor session 1 source remote vlan 789
monitor session 1 destination interface fa0/10

Configure R7 to provide an encrypted connection and limit failed logins to 3 in 1 minute.

If the maximum failed logins number is reached, do not accept further logins for 2 minutes, except for IP addresses on vlan 45 (192.168.45.0/25).

ip domain-name ipexpert.com
crypto key gen rsa mod 1024

line vty 0 15
transport input ssh

login block-for 120 attempts 3 within 60
login quiet-mode access-class 1

access-list 1 permit 192.168.45.0 0.0.0.127

Configure R7 to send all configuration commands issued on R7 to a syslog server with IP 192.168.17.17; do not send any passwords to the syslog server.

logging host 192.168.17.17

archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys

On R8 allow three web servers with the IP addresses 192.168.72.101, 192.168.72.102 and 192.168.72.103 to be accessed as a single server via the IP 192.168.72.100 from the CAT1 networks via fa0/1:
192.168.32.0 255.255.255.128
192.168.11.0 255.255.255.128

Vlan 72 is 192.168.72.0/25 connected to fa0/0

ip nat pool real-hosts 192.168.72.101 192.168.72.103 prefix-length 25 type rotary
ip nat inside destination list 101 pool real-hosts

access-list 101 permit tcp 192.168.32.0 0.0.0.127 host 192.168.72.100 eq 80
access-list 101 permit tcp 192.168.11.0 0.0.0.127 host 192.168.72.100 eq 80

int fa0/0
ip nat inside
int fa0/1
ip nat outside

What configuration is required on a Catalyst switch connected to hosts (vlan 28) that are requesting an IP address from an upstream Cisco router that is configured as a DHCP server?
The Catalyst switch is running DHCP snooping on vlan 28.

cat2

ip dhcp snooping vlan 28
ip dhcp snooping

cat2

Answer:
no ip dhcp snooping information option

DHCP snooping will insert option 82 information with the giaddr field set to 0.0.0.0.

Cisco routers acting as DHCP server will discard the request by default. You can solve this by instructing the switches not to insert the option 82 information (and so not set the giaddr field to 0.0.0.0). Here we disabled the option 82 insertion only on Cat1, to have the DHCP client work!

How do you configure a Cisco IOS router to accept DHCP requests in which a Catalyst switch has inserted option 82 information with the giaddr field set to 0.0.0.0, because the switch is running DHCP snooping on the same VLAN from which the DHCP host/client is requesting an IP address?
R9
int fa0/0
ip dhcp relay information trusted

You have the following topology:

[R1:DHCP Client]-cat1-[R7:RELAY]-cat2-[R9:DHCP SERVER]

If configuring DHCP snooping, what interfaces would you configure DHCP trust on?
cat1/2
ip dhcp snooping vlan 28
ip dhcp snooping

[R1]-fa0/1-cat1-fa0/7-[R7]-fa0/7-cat2-fa0/9-[R9]

int fa0/7
ip dhcp snooping trust

The DHCP messages will be coming from R9 as unicast, then out of R7 as broadcast! So fa0/7 is connected to R7, from which they make their way to R1 on the same VLAN.

When configuring DHCP snooping and configuring trust points on your network, in a normal lab with four Catalyst switches, what do you configure on each one in addition to the per-port trusting?
You have to set all inter-switch trunks as dhcp snooping trusted ports, to provide redundancy in case of link failures.

int range po1 - 3
ip dhcp snooping trust

-This automatically turns on TRUST on all the L2 trunk ports bundled into po1 - 3 (fa0/19 - 24)

What happens when you paste the following commands:

int range fa0/21 - 22
channel-group 13 mode on

int range fa0/21 - 22
no switchport

int po13
no switchport
ip add 192.168.60.1 255.255.255.192

The interface po13 would be DOWN. Why
Because when you paste “no switchport” ; it removes the “channel-group 13 mode on” command.

int range fa0/21 – 22
no switchport

You must do it in the following order:

int range fa0/21 – 22
no switchport
channel-group 13 mode on

Storm Control – What is the default action when traffic thresholds are exceeded?
silently discard

can be changed by: storm-control action trap/shutdown

You have configured the following:
Cat2#sh run int fa0/12
interface FastEthernet0/12
storm-control broadcast level pps 10
storm-control multicast level 5.00

Looking at the options below, would the falling threshold need to be set to the same value as the rising threshold shown above?
Cat2(config-if)#storm-control broadcast level pps 10 <0.0 - 10000000000.0>[k|m|g] Enter falling threshold

Cat2(config-if)#storm-control multicast level 5 <0.00 - 100.00> Enter falling threshold

Nope. It does it automatically. Verify when-in-doubt!

Cat2#sh storm-control multicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/12 Forwarding 5.00% 5.00% 0.00%

Cat2#sh storm-control broadcast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/12 Forwarding 10 pps 10 pps 0 pps

You are configuring Frame Relay on R2's s0/2/0 interface. You have been asked to set the bandwidth to 128 kbps; how do you do it with the configuration below?
[R5]-serial/frame-s0/2/0[R2]s0/2/0.1–frame-cloud–[RX]

R2:
int s0/2/0
encapsulation frame-relay
no frame-relay inverse-arp

int s0/2/0.1 multipoint
no frame-relay inverse-arp
ip add 192.168.0.132 255.255.255.128
frame-relay map ip 192.168.0.134 555 broadcast

int s0/2/0
encapsulation frame-relay
clock rate 128000

int s0/2/0.1 multipoint
bandwidth 128

You have the following back-to-back Frame Relay configuration, with these DLCI requirements:
-Do not use the “no keepalive” command to disable LMI
-R2>R5 DLCI 255
-R5>R2 DLCI 522

Note: This is a little different than back to back frame-relay with one DLCI.

R2(DTE):
int s0/2/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.25.132 255.255.255.128
frame-relay map ip 192.168.25.135 255 broadcast
frame-relay map ip 192.168.25.132 255

R5:
frame-relay switching
int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce
no frame-relay inverse-arp
ip add 192.168.25.135 255.255.255.128
frame-relay map ip 192.168.25.132 522 broadcast
frame-relay map ip 192.168.25.135 522 broadcast

R2:
int s0/2/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.25.132 255.255.255.128
frame-relay map ip 192.168.25.135 255 broadcast
frame-relay map ip 192.168.25.132 255
frame-relay interface-dlci 255
frame-relay local-dlci 522

R5:
frame-relay switching
int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce
no frame-relay inverse-arp
ip add 192.168.25.135 255.255.255.128
frame-relay map ip 192.168.25.132 522 broadcast
frame-relay map ip 192.168.25.135 522 broadcast
frame-relay interface-dlci 522
frame-relay local-dlci 255

When configuring the following, what is also required to have R6 forward the DHCP broadcast (as unicast) towards the DHCP server?
interface Virtual-Template1
ip address 192.168.60.136 255.255.255.128
ppp authentication pap
peer default ip address dhcp

R6(config-if)#peer default ip address dhcp Use DHCP proxy client mechanism to allocate a peer IP
dhcp-pool Use local DHCP pools to allocate a peer IP address
pool Use IP pool mechanism to allocate a peer IP address

ip dhcp-server 192.168.0.134
ip address-pool dhcp-proxy-client
RIP –
You have the following configuration. You are peered with R1 via RIP. R1 must receive a default route from CAT4, but with a metric of 15.

Cat1:
router rip
version 2
no auto-summary
passive-interface default
no passive-interface vlan10
network 10.20.14.0

router rip
default-information originate route-map default

route-map default
set metric 15

R1:
R* 0.0.0.0/0 [120/15] via 10.20.14.4, 00:00:11, FastEthernet0/1

RIP – You are told to configure RIP on R1 and advertise Loopback0 on R1; use only a single network statement on R1.

R1 has two different networks. How do you do this?
router rip
version 2
no auto-summary

router rip
network 0.0.0.0
passive-interface lo0

It’s a good practice to use passive interfaces in order to control the outgoing RIP updates, even if it’s not specified on the task.

RIP – You have the following configuration. You are peered with R1 via RIP. R1 must receive a default route from CAT4, but not propagate it to R1’s Peer BB3.

Cat1:
router rip
version 2
no auto-summary

R1:
router rip
version 2
no auto-summary

Cat1:
router rip
default-information originate

R1:
ip prefix-list NO-DEFAULT deny 0.0.0.0/0
ip prefix-list NO-DEFAULT permit 0.0.0.0/0 le 32

router rip
distribute-list prefix NO-DEFAULT out fa0/0

OSPF – You have the following Routers and Loopbacks: You want to advertise the subnets into OSPF area 0. How would you do this? You cannot use any network statements under process 2.
R1
int lo0
ip add 192.168.50.1 255.255.255.0
R4
int lo0
ip add 192.168.60.4 255.255.255.128
R9
int lo0
ip add 192.168.90.9 255.255.255.255
R10
int lo0
ip add 192.168.30.10 255.255.255.248
Since R9's loopback is a /32, you are not required to modify the default network type on that loopback.
R1
int lo0
ip ospf 2 area 0
ip ospf network point-to-point
R4
int lo0
ip ospf 2 area 0
ip ospf network point-to-point
R9
int lo0
ip ospf 2 area 0
R10
int lo0
ip ospf 2 area 0
ip ospf network point-to-point
OSPF – What is the default OSPF network type for the following interface?
R9:
interface Virtual-Template1
ip address negotiated
ip ospf 2 area 22
R9#sh ip ospf int virtual-template1
Virtual-Template1 is down, line protocol is down
Internet Address 0.0.0.0/0, Area 22
Process ID 2, Router ID 192.168.255.9, Network Type POINT_TO_POINT, Cost: 1

or

R9#sh ip ospf int virtual-access1
Virtual-Access1 is up, line protocol is up
Internet Address 192.168.49.139/32, Area 22
Process ID 2, Router ID 192.168.255.9, Network Type POINT_TO_POINT, Cost: 1

OSPF – You have PPP links in area 22 and you want to avoid the propagation of these routes to other areas. How do you do it?
router ospf 2
You can use summarization on ABRs.

Example:
router ospf 2
area 22 range 192.168.60.0 255.255.255.128
area 22 range 192.168.49.0 255.255.255.128

Redistribution – There is no need to tag routes redistributed into an isolated routing protocol if there are no return paths for these routes.
Redistribution – When doing redistribution, make sure to read each routing protocol's redistribution requirements, just in case you have to modify your current redistribution to make a task work on another redistribution task.

EIGRP – By looking at the info below, your Feasible Distance (FD) is 145920. You need to load balance between each path. Currently only the path through Port-channel13 is in the routing table. How would you do so? All the info is below for your configuration!

Cat3#sh ip eigrp top 192.168.255.44/32
EIGRP-IPv4:(46) (AS 46): Topology entry 192.168.255.44/32
1 Successor(s), FD is 145920
Descriptor Blocks:
172.29.13.1 (Port-channel13), from 172.29.13.1
Composite metric is (145920/143360), Route is Internal
Vector metric:
  Minimum bandwidth is 200000 Kbit
  Total delay is 5200 microseconds
  Reliability is 255/255
  Load is 1/255
  Minimum MTU is 1508
  Hop count is 2

172.29.60.4 (Vlan60), from 172.29.60.4
Composite metric is (158976/158720), Route is Internal
Vector metric:
  Minimum bandwidth is 100000 Kbit
  Total delay is 5210 microseconds
  Reliability is 255/255
  Load is 1/255
  Minimum MTU is 1500
  Hop count is 3


Note: The second route has a RD of 158720. This is HIGHER than the current FD of this route (145920).

You CANNOT use variance in this scenario!

You'll need an offset list. Subtract the FD from the second path's composite metric!!!!
158976-145920=13056

! host match: wildcard 0.0.0.0, a 255.255.255.255 wildcard would match every prefix
access-list 1 permit host 192.168.255.44

router eigrp 46
offset-list 1 in 13056 po13

On Cat4 you have the following configuration. Do you need the sequence 10?
Cat4(config-router)#
D 192.168.255.11 [90/143360] via 172.29.14.1, 01:48:39, Po14
D 192.168.255.33 [90/145920] via 172.29.14.1, 01:48:38, Po14
C 192.168.255.44 is directly connected, Loopback0

route-map rip>eigrp deny 10
match ip address prefix-list default
route-map rip>eigrp permit 20
set tag 123
set metric 100000 100 255 1 1500

router rip
default-information originate

Nope! Unless Cat4 has a default route in its routing table via RIP, there is no need for it.
BGP – What are the well-known mandatory attributes?
ORIGIN, AS_PATH, NEXT_HOP
IPv6/EIGRP – You have the following configuration; would this work? Yes/No – If no, what command would you be referencing?
ipv6 unicast-routing

ipv6 router eigrp 78
no shut

int lo0
ipv6 add 3001:255::7/128

interface Serial0/0/0
ipv6 eigrp 78
ipv6 unnumbered Loopback0

int lo0
ipv6 eigrp 78
ISATAP tunnels use a modified version of ____ address to provide automatic connectivity through the IPv4 cloud.
EUI-64
You are unable to ping R9's tunnel interface from a far endpoint. All other device configuration is correct. Here is R9's configuration. What is the problem?
R9#
sh run int virtual-template1
interface Virtual-Template1
ip address negotiated

int tu0
ipv6 add 3001::/64 eui-64
tunnel source virtual-template1
tunnel mode ipv6ip isatap

On R9 you have to configure the IP address manually as the tunnel source; you cannot use the virtual-template interface, since the virtual-template is configured to use DHCP.

int tu0
ipv6 add 3001::/64 eui-64
tunnel source 192.168.49.139
tunnel mode ipv6ip isatap

You won’t be able to ping this end-point unless you do this. The tunnel0 would be down.

IPv6 – ISATAP Tunnels are a non-broadcast multipoint network, you can configure OSPF by setting the correct network type and manually specifying neighbors.

You are on R8. You have three end-points:
R7| 3001::5EFE:A14:2F07
R5| 3001::5EFE:AC1D:2805
R9| 3001::5EFE:C0A8:318B

Note – You MUST use Link Local Addresses!

int tu0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-multipoint non-broadcast
ipv6 ospf neighbor FE80::5EFE:A14:2F07
ipv6 ospf neighbor FE80::5EFE:AC1D:2805
ipv6 ospf neighbor FE80::5EFE:C0A8:318B

R5(config-if)#ipv6 ospf neighbor 3001::5EFE:A14:1208
OSPFv3: Neighbor address needs to be a link-local address

What multicast group is this for?
224.0.0.13
Protocol Independent Multicast (PIM) Version 2
What multicast group is this for?
224.0.0.22
Internet Group Management Protocol (IGMP) Version 3
You are asked to configure SSM Multicast and have a few routers become clients via loopback0 using IGMP.

Your current configuration:

ip multicast-routing
ip pim ssm default

int lo0
ip pim sparse-mode
ip igmp join-group 235.1.1.1 source 192.168.255.44

What needs to be added? What is wrong with the above config?

ip pim ssm range 1
access-list 1 permit host 235.1.1.1

The default SSM range is 232/8

R1(config)#ip pim ssm default Use 232/8 group range for SSM

What is the default SSM range for Source Specific Multicast (SSM)
How do you change it to 235.1.1.1?
R1(config)#ip pim ssm default Use 232/8 group range for SSM

How to change it:

ip pim ssm range 1
access-list 1 permit host 235.1.1.1

You enabled the following frame-relay compression:

int s0/1/0
frame-relay map ip 192.168.0.134 624 broadcast compress
frame-relay map ip 192.168.0.136 624 compress
frame-relay map ip 192.168.0.132 624 compress

How do you verify this? show…

R6#show frame-relay map
Serial0/1/0 (up): ip 192.168.0.132 dlci 624(0x270,0x9C00), static,
CISCO, status defined, active
TCP/IP Header Compression (enabled), connections: 256
RTP Header Compression (enabled), connections: 256
QoS – Look at this output; how do you get "Appliance trust" set to 1?
Cat3#sh int fa0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
[..]
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

int fa0/10
switchport priority extend cos 1
Configure port fa0/10 to use vlan 10 for data and vlan 40 for voice traffic. Force the IP phones to assign COS 1 to data traffic.

mls qos

int fa0/10
switchport mode access
switchport access vlan 10
switchport voice vlan 40
switchport priority extend cos 1
mls qos trust cos
mls qos trust device cisco-phone
Configure R1 to send all HTTP traffic directed to BB3 networks to a web cache with IP address 10.20.14.60.

R1-fa0/0(10.20.14.0/26)
|
fa0/1(10.20.13.0/26)
|
BB3

ip access-list standard WCCP
permit host 10.20.14.60

ip wccp web-cache
ip wccp web-cache group-list WCCP

interface FastEthernet0/1
ip wccp web-cache redirect in

IPv6 Access list –

You have created the following ACL. You need to apply this on interface Tunnel0 (inbound). How do you do it
ipv6 access-list Block
deny ipv6 host 3001:255::9 host 3001:255::8
deny ipv6 host 3001:255::5 host 3001:255::8
permit ipv6 any any

int tu0
ipv6 traffic-filter Block in

int fa0/0
ip add 192.168.60.1 255.255.255.0
ip nat outside

int fa0/1
ip add 192.168.61.1 255.255.255.0
ip nat inside

ip nat inside destination list LOAD_BALANCE pool ROTARY
! the pool needs a name (ROTARY) to match the destination list above
ip nat pool ROTARY prefix-length 24 type rotary
 address 192.168.61.2 192.168.61.2
 address 192.168.61.3 192.168.61.3

ip access-list extended LOAD_BALANCE
 permit tcp any host 192.168.60.1 eq telnet

To figure out the TOS from precedence, multiply it by 32! A precedence of 3 would be TOS 96. It's easy to turn on IP accounting for precedence packets with 'ip accounting precedence', but the regular 'show ip accounting' does not show anything. Instead you need 'show interface s0/1 precedence'.

R1

ip nat stateful id 1
primary 1.1.1.1
peer 2.2.2.2
mapping-id 5

R2

ip nat stateful id 2
backup 2.2.2.2
peer 1.1.1.1
mapping-id 5

ip nat inside source list 1 pool Pool1 mapping-id 5
ip nat pool Pool1 192.168.60.1 192.168.60.2 prefix-length 24

IP SLA, VRRP and HSRP are all pretty simple. GLBP can be slightly more difficult, only because of the load-balancing aspect to it. The weighting always trips me up, but to do a 2:1 ratio, just do the following:

R4(config-if)#glbp 146 weighting 20
R4(config-if)#glbp 146 load-balancing weighted

R6(config-subif)#glbp 146 weighting 10
R6(config-subif)#glbp 146 load-balancing weighted

Something pretty easy: you can have DHCP update ARP, and then you can allow only authorized ARP entries, thus disabling dynamic ARP.

ip dhcp pool VL146
network 155.1.146.0 255.255.255.0
default-router 155.1.146.4 155.1.146.6
dns-server 155.1.146.4 155.1.146.6
lease 0 12
update arp
ip dhcp pool R1
host 155.1.146.11 255.255.255.0
client-identifier 01c2.0005.c500.00
update arp

interface FastEthernet0/0.146
encapsulation dot1Q 146
ip address 155.1.146.6 255.255.255.0
ip rip advertise 10
arp authorized

If not all hosts are DHCP, you need to statically add their ARP entries; ‘arp 155.1.146.4 1234.5678.90AB.CDEF’.

Example: Configuring IRDP (Server)

The following example shows how to configure IRDP on a router:

Router(config)# interface fastethernet 0/1
Router(config-if)# no shutdown
Router(config-if)# ip address 172.16.10.1 255.255.255.0
Router(config-if)# ip irdp
Router(config-if)# ip irdp multicast
Router(config-if)# ip irdp holdtime 120
Router(config-if)# ip irdp maxadvertinterval 60
Router(config-if)# ip irdp minadvertinterval 10
Router(config-if)# ip irdp preference 900
Router(config-if)# ip irdp address 192.168.10.2 90

Client Command: R2(config)#ip gdp irdp

R2(config)#ip gdp eigrp Discover routers transmitting EIGRP router updates
irdp Discover routers transmitting IRDP router updates
rip Discover routers transmitting RIP router updates

IRDP Overview
ICMP Router Discovery Protocol (IRDP) allows hosts to locate routers that can be used as a gateway to reach IP-based devices on other networks. When the device running IRDP operates as a router, router discovery packets are generated. When the device running IRDP operates as a host, router discovery packets are received.

ip dhcp pool POOL
network 192.168.61.0 255.255.255.0
class VLAN61
address range 192.168.61.3 192.168.61.3

ip dhcp class VLAN61
relay agent information
relay-information hex 00000000*

debug ip dhcp server class

ip dhcp class VLAN61
relay agent information
no relay-information hex 00000000*
relay-information hex 020c020a0000c0a83d01010000000606564c414e3631

bridge irb
bridge 100 protocol ieee
no bridge 100 bridge appletalk

int bvi 100
ip add 10.10.10.1 255.255.255.0

int fa0/0
bridge-group 100

int fa0/1
bridge-group 100

BGP, OSPF>BGP

-By default ONLY OSPF intra-area and inter-area routes are redistributed into BGP

Refresh BGP:

http://www.bbfish.net/router/router_7511.html

BGP private AS number range
64,512 – 65,535
If you are asked to create the following VLANs on your VTP server:

vlan 100,200,12,67
spanning-tree vlan 12,67,100 priority 0

Then you are asked to create trunks between switches as shown:

int range fa0/21 - 22
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 123
channel-group 21 mode on
no shut

What’s missing?

vlan 100,200,12,67,123
spanning-tree vlan 12,67,100 priority 0

Don’t forget about vlan 123
-I wasn’t told to make this switch the root for vlan 123.

show vtp status
shows this:
Local updater ID is 35.35.35.35 on interface Lo1 (preferred interface)
Preferred interface name is Loopback1 (mandatory)

You configured what?

vtp interface Loopback1 only

Adding "only" makes the interface "mandatory"; for "preferred" only, leave off "only".

When configuring this:

int s0/2/0
ppp lcp predictive
ppp ipcp predictive

You need to do this on both sides!!!!!!

If both of your routers are set up like this, what command is required?
username T3ST123 password [email protected]

int s0/1/0
frame-relay interface-dlci 504 ppp virtual-template 1

int virtual-template 1
ip add 141.141.45.5 255.255.255.0
ppp authentication chap
no ppp chap ignoreus
ppp chap hostname T3ST123

int virtual-template 1
no ppp chap ignoreus
OSPF – Configure area 12 and you should use the option discussed in RFC 158
area 12 nssa
ip multicast boundary access-list [filter-autorp]
Example:
Router(config-if)# ip multicast boundary 10 filter-autorp

Configures an administratively scoped boundary.

•Perform this step on the interfaces that are boundaries to other routers.

•The access list is not shown in this task.

•An access list entry that uses the deny keyword creates a multicast boundary for packets that match that entry.

When redistributing; ensure that on the redistributing routers; all connected interfaces are in the respective routing protocol.

If you were asked to create a tunnel (i.e.:)

int tu69
ipv6 add 2001:DB8:5:9::9/64
tunnel source lo0
tunnel destination 166.5.5.5
tunnel mode ipv6ip
ipv6 ospf 2 area 0

Then make sure this is in the routing protocols (if you were asked for full reachability, and that is always the case!).

ZBF – Is this configured completely?
zone security INSIDE
zone security OUTSIDE

int fa0/1.789
zone-member security OUTSIDE
int mu69
zone-member security INSIDE

class-map type inspect smtp-traffic
match protocol smtp

policy-map type inspect drop-smtp
class type inspect smtp-traffic
drop

zone-pair security zp1 source OUTSIDE destination INSIDE
service-policy type inspect drop-smtp

You are dropping all other traffic!!!!
R9#sh policy-map type inspect zone-pair zp1
policy exists on zp zp1
Zone-pair: zp1

Service-policy inspect : drop-smtp

Class-map: smtp-traffic (match-all)
Match: protocol smtp
Drop
4 packets, 96 bytes

Class-map: class-default (match-any)
Match: any
Drop
13 packets, 585 bytes
R9#

policy-map type inspect drop-smtp
class type inspect smtp-traffic
drop
class class-default
pass

When you redistribute internal networks into BGP (from OSPF, for example), you MOST LIKELY also have to redistribute BGP back into the other protocol (RIP, for example). The reason: the router was previously learning this network from the internal routing protocols, and the ABR is no longer redistributing it into the RIP domain, since it now learns it via BGP rather than via the eigrp>rip redistribution it was using before.
Multicast Boundary

Always DENY what you want to have the boundary take into effect. Then PERMIT the rest.

access-list 1 deny 224.1.0.0 15.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255

int fa0/0.74
ip multicast boundary 1 filter-autorp

1 millisecond (ms) = 1000 microseconds (µs) and 1 second (s) = 1,000,000 microseconds (10^6 µs)
MTU when enabling 802.1Q Tunneling?
1504 (then save/reboot switch)
AD of ODR (On Demand Routing)
160

Rack17R5#show ip route odr
150.17.0.0/24 is subnetted, 5 subnets
o 150.17.4.0 [160/1] via 155.17.0.4, 00:00:06, Serial0/0/0

Frame Relay: Is CDP Enabled by default on interface s0/0/0?
no
Frame Relay: Is CDP Enabled by default on interface s0/0/0.1 point-to-point?
Yes!
Frame Relay: Is CDP Enabled by default on interface s0/0/0.2 multipoint?
no
