Friday, August 29, 2014

Yet another note

1. On the PE router, the address families ipv4 vrf X and vpnv4 must be configured. Under the vpnv4 address family the neighboring PE router must be specified so that the PEs start advertising vpnv4 capabilities to each other. Redistribution of customer routes takes place in the ipv4 vrf X address family.

2. When redistributing a route into IPv6 EIGRP and then summarizing it out of an interface, the route lands in the neighbors' EIGRP tables as an INTERNAL EIGRP route instead of an external one.

3. QPPB (QoS Policy Propagation via BGP). Allows the router to mark and apply QoS policies to packets based on the BGP route for the destination.

   route-map route-map-name [permit | deny [sequence-number]]
    match community {standard-list-number | expanded-list-number | community-list-name [exact]}
    set ip precedence [number | name]
   router bgp autonomous-system
    table-map route-map-name
   ip community-list standard-list-number {permit | deny} [community-number]
   interface type number
    bgp-policy {source | destination} ip-prec-map

4. What happens when the DR is not the hub in DMVPN?

5. When applying a filter-list at an OSPF ABR, the direction can be somewhat confusing, so always remember what it means: IN filters LSAs from this ABR INTO the specified area, OUT filters updates FROM the specified area to ALL other areas.

6. In prefix lists, "permit 0.0.0.0/0 le 32" (permit any) must not be confused with "permit 0.0.0.0/0", which matches the default route only.
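The prefix-list matching rule behind item 6, as an added example that is not part of the original note: a Cisco-style matcher with ge/le windows and the IOS sanity check on the range (all list names and sample routes are constructed).

```python
# Added example (not from the original note): Cisco-style prefix-list matching,
# showing why "0.0.0.0/0" alone matches only the default route while
# "0.0.0.0/0 le 32" matches every IPv4 prefix.
import ipaddress
from typing import List, Optional


class PrefixEntry:
    """One 'ip prefix-list' line: action, prefix/len and optional ge/le bounds."""

    def __init__(self, action: str, prefix: str,
                 ge: Optional[int] = None, le: Optional[int] = None):
        self.action = action
        self.net = ipaddress.IPv4Network(prefix, strict=False)
        plen = self.net.prefixlen
        # IOS rejects an entry unless len < ge <= le holds for the bounds given,
        # which is why "0.0.0.0/32 le 32" is not a valid way to write "any".
        if ge is not None and not plen < ge <= 32:
            raise ValueError(f"invalid ge for {prefix}")
        if le is not None and not plen < le <= 32:
            raise ValueError(f"invalid le for {prefix}")
        if ge is not None and le is not None and ge > le:
            raise ValueError(f"ge must not exceed le for {prefix}")
        # Allowed route lengths: exactly len when no ge/le, else [ge or len, le or 32].
        self.lo = ge if ge is not None else plen
        self.hi = le if le is not None else (32 if ge is not None else plen)

    def matches(self, route: str) -> bool:
        r = ipaddress.IPv4Network(route, strict=False)
        plen = self.net.prefixlen
        # The route's first 'plen' bits must equal the entry's prefix bits ...
        same_bits = (int(r.network_address) >> (32 - plen)) == \
                    (int(self.net.network_address) >> (32 - plen))
        # ... and the route length must fall inside the ge/le window.
        return same_bits and self.lo <= r.prefixlen <= self.hi


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """First matching entry wins; an unmatched route hits the implicit deny."""
    for e in entries:
        if e.matches(route):
            return e.action
    return "deny"


# Constructed sample lists (hypothetical names):
DEFAULT_ONLY = [PrefixEntry("permit", "0.0.0.0/0")]        # only 0.0.0.0/0
ANY_ROUTE = [PrefixEntry("permit", "0.0.0.0/0", le=32)]    # every IPv4 route
SLASH24S_IN_10 = [PrefixEntry("permit", "10.0.0.0/8", ge=24, le=24)]  # /24s in 10/8
```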

7. The "ip rip v2-broadcast" interface command forces RIPv2 to broadcast its updates.

8. uRPF with ACL. Cisco docs: "If Unicast RPF does not find a reverse path for the packet, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast Reverse Path Forwarding command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL)."

9. Controlling redistribution. Example: mutual redistribution between OSPF and RIP on two routers. The least elegant way is to deny OSPF-originated routes from re-entering the OSPF domain at all. Another way is to lower the AD only for routes that are native to RIP (when the two OSPF ASBRs and the RIP router share the same subnet, it is possible to change the AD only for routes that have the RIP router as next hop; see Cisco 360 TS lab02 for reference). In this case OSPF routes learned from the other ASBR are not denied at the boundary and can be used if the primary link to the OSPF domain fails (the RIP domain then serves as transit for OSPF prefixes). To be continued.

10. Continued. When RIP routers share the same subnet (hub and spoke, for example) and a spoke sends an update to the hub, the hub keeps that spoke's IP as the next hop in the updates it sends to the rest of the spokes. Applying this to item 9: if two spokes are OSPF ASBRs that mutually redistribute OSPF and RIP, it is possible to lower the RIP AD on the ASBRs only for RIP updates whose next hop is the hub and not the other ASBR.

11. Routes received from confederation BGP peers are still considered iBGP, with an AD of 200.


12. NTP:

Client:
ntp authentication-key 1 md5 073B08616B 7
ntp authenticate
ntp server 135.15.26.2 key 1

Server:
ntp authentication-key 1 md5 081565632C 7
ntp authenticate
ntp trusted-key 1
ntp master


Saturday, August 23, 2014

Another quick CCIE note

1. When influencing route AD in BGP, the syntax is:
distance NUMBER "NEXT-HOP OF THE ROUTE (subnet + wildcard)" ROUTE-MAP (that matches the routes to be modified)

2. The BGP backdoor command is the easiest way to increase the AD of a received eBGP route. Even though a network statement is used, it does not advertise anything; it only changes the AD of the received route locally.
network x.x.x.x mask y.y.y.y backdoor


3. To filter BGP networks with an extended ACL, use the source field as the prefix, the source wildcard to match several prefixes, and the destination HOST as the prefix mask.
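How IOS reads an extended ACL applied as a BGP distribute-list, as an added example that is not part of the original note: the source address/wildcard is checked against the route's network and the destination address/wildcard against the route's subnet mask (ACL contents and list names are constructed).

```python
# Added example (not from the original note): matching semantics of an extended
# ACL used to filter BGP prefixes. Source = network, destination = subnet mask,
# so "host 255.255.255.0" means "exactly a /24".
import ipaddress
from typing import List

MASK32 = 0xFFFFFFFF


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_match(value: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard: a 0 bit must match, a 1 bit is don't-care."""
    care = ~wildcard & MASK32
    return (value & care) == (base & care)


class AclEntry:
    """One extended ACL line: action, src/wildcard (network), dst/wildcard (mask)."""

    def __init__(self, action: str, src: str, src_wild: str, dst: str, dst_wild: str):
        self.action = action
        self.src, self.src_wild = _addr(src), _addr(src_wild)
        self.dst, self.dst_wild = _addr(dst), _addr(dst_wild)

    def matches(self, route: str) -> bool:
        r = ipaddress.IPv4Network(route, strict=False)
        return (_wild_match(int(r.network_address), self.src, self.src_wild)
                and _wild_match(int(r.netmask), self.dst, self.dst_wild))


def evaluate(acl: List[AclEntry], route: str) -> str:
    """First match wins; an extended ACL ends with an implicit deny."""
    for e in acl:
        if e.matches(route):
            return e.action
    return "deny"


# "access-list 100 permit ip 10.0.0.0 0.0.255.255 host 255.255.255.0":
# only /24s inside 10.0.0.0/16 (host == wildcard 0.0.0.0 on the mask).
ONLY_24S_IN_10_0 = [AclEntry("permit", "10.0.0.0", "0.0.255.255",
                             "255.255.255.0", "0.0.0.0")]
# "permit ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.255":
# /24 through /32 inside 192.168.0.0/16, since the mask's last octet is don't-care.
SLASH24_TO_32_IN_192 = [AclEntry("permit", "192.168.0.0", "0.0.255.255",
                                 "255.255.255.0", "0.0.0.255")]
```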

4. To create a tunnel in the default VRF that uses a source interface in a different VRF, the "tun vrf NAME" command must be used.

5. NHRP mappings do not start working without specifying the NETWORK-ID.

6. When configuring tunnel protection, the steps are:
- isakmp policy
- isakmp key
- ipsec transform set
- ipsec profile
- tunnel protection ipsec profile

7. ipv6 EIGRP is enabled via "ipv6 router eigrp AS"

8. Redistribution is done under the address-family in OSPFv3.

9. If filtering has to be done with route-maps in EIGRP, it is possible to match the source protocol. For example, if a connected route was redistributed into EIGRP, it can be matched as "source-protocol connected" on any other router (distribute-list X in).

10. Sham-links must be used in an MPLS VPN environment when a backdoor link exists between customer sites that should be used as backup only. A sham-link allows two PE routers to form an OSPF adjacency and exchange LSAs directly, so routes between the sites are seen as intra-area routes. Otherwise the backdoor is always preferred regardless of cost, because OSPF always prefers intra-area routes over inter-area routes.

Important to note here: the sham-link must be created between loopback IPs that are redistributed into the MP-BGP customer VRF. The adjacency will not form if the loopbacks are advertised into OSPF, because in that case a recursive routing lookup might occur.

Not sure what exactly IOS checks before bringing the sham-link UP, but it seems that the next hop for the sham-link destination IP must be learned from BGP ("show ip route vrf VPN" on the PE must show a BGP-learned route). If the loopback is redistributed into OSPF only and the next hop for the sham-link destination is learned via OSPF, then the link doesn't come up.

11. In order for BGP synchronization to work, the iBGP route must not only be known via the IGP but, in the case of OSPF, the RID of the iBGP peer must also match the OSPF RID of the router that advertises the prefix.