Monday, September 15, 2014

Note

1. EIGRP Add-path
By default, all EIGRP interfaces have next-hop-self configured. Even in a hub-and-spoke topology, the hub will advertise its own IP as the next hop for routes that were received on the same interface from other spokes. This behavior interferes with the add-path capability and must be turned off in order to use add-path.
Add-path is only supported in NAMED EIGRP mode.
Variance should not be configured on the hub when add-path is used.

Configuration:
router eigrp virtual-name
 address-family ipv4 autonomous-system as-number
  af-interface {default | interface-type interface-number}
   no next-hop-self [no-ecmp-mode]
   add-paths number

4. VRF route leaking
It's possible to leak routes between the DEFAULT (global) and a NON-DEFAULT VRF using static routes.
However, BGP must be used to leak routes between two non-default VRFs.

5. Loopguard should be on all root and alternate ports (non-designated)

6. Etherchannel misconfig guard - checks that the source MAC seen in LACP and BPDU packets is the same on all physical links of the channel; if the members see different sources, the far side is not bundled consistently.

7. EIGRP FRR
router eigrp virtual-name
 address-family ipv4 autonomous-system autonomous-system-number
  topology base
  fast-reroute per-prefix {all | route-map route-map-name}
show ip eigrp topology frr

8. Wide metric works only in NAMED EIGRP mode

9. Regexp
+ matches the preceding character (or group) ONE or more times
* matches the preceding character (or group) ZERO or more times
? matches the preceding character (or group) zero or one time
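As an added example (not part of the original notes), the following Python snippet tests IOS-style as-path regular expressions offline, including the three quantifiers above and the classic gotcha that `+` binds only to the single preceding character. The `_` translation is an assumed helper written for this example (IOS `_` matches a space, comma, brace, parenthesis, or the start/end of the path), and the sample AS paths are constructed.

```python
import re

# IOS "_" stands for: start of string, end of string, space, comma, braces, parentheses.
# Translating it into a Python alternation lets IOS-style patterns run under the re module.
# (Assumed helper for this example; IOS itself does the matching internally.)
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Convert an IOS as-path regex into an equivalent Python regex."""
    return pattern.replace("_", _UNDERSCORE)


def as_path_matches(pattern, as_path):
    """Search semantics, like 'ip as-path access-list': the pattern may match anywhere."""
    return re.search(ios_to_python(pattern), as_path) is not None


# Constructed AS paths, as they would appear in 'show ip bgp' ("" = locally originated).
SAMPLE_PATHS = [
    "",
    "65001",
    "65001 65002",
    "65001 65001 65001 65003",   # prepended path
    "65003 65001",
]


def classify(pattern):
    """Return the sample paths (in order) that the IOS pattern matches."""
    return [p for p in SAMPLE_PATHS if as_path_matches(pattern, p)]


if __name__ == "__main__":
    for pat in ("^$", "_65001_", "^(65001_)+65003$", "^65001(_65002)?$", "^65001+$"):
        print(f"{pat:22} -> {classify(pat)}")
```

Note the last pattern: `^65001+$` means "6500 followed by one or more 1s", so it matches "65001" (and would match "650011") but not a path prepended with 65001 three times; to repeat the whole AS you need a group, as in `^(65001_)+65003$`.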

10. NAT
When the NATted IP is on the directly connected external network (outside interface) but is not the interface's own IP, the router must answer ARP requests for the NATted IP in order for return packets to reach it. This feature is called IP aliasing.
The no-alias keyword can be used with the NAT statement to stop the router from sending ARP replies for the NATted IP. It is useful when there is a dedicated subnet for the NAT pool and the neighbors route packets to the router instead of ARPing for them.

11. Multicast PIM sparse-dense mode with auto-RP

- ip multicast-routing
- Then enable PIM on the interfaces: ip pim sparse-dense-mode (verify with "show ip pim neighbor")
- Create a loopback and join it to the multicast group: ip igmp join-group x.x.x.x
- Enable PIM on the loopback: ip pim sparse-dense-mode
- Configure Auto-RP
ip pim send-rp-announce Loopback1 scope N
ip pim send-rp-discovery Loopback1 scope N

Note that if PIM sparse-mode (not sparse-dense) is used on the interfaces, the "ip pim autorp listener" global configuration command must be used so that the Auto-RP groups are still flooded in dense mode.

12. OSPF timers tuning: "timers ...." router configuration command

13. A tunnel interface can be in the global VRF while using a source interface in a different VRF. To achieve this, the "tunnel vrf NAME" command must be used. In this case the tunnel IP is in the global routing table, but the transport IP is in the separate VRF.

14. Tunnel traffic can be forced out of particular interface by specifying "tunnel route-via Interface mandatory" command.

15. OSPF Fast-Hellos. Interface configuration command:  ip ospf dead-interval minimal hello-multiplier 5

16. OSPF area transit capability is the ability of an area to carry data traffic that neither originates nor terminates in the area itself. This capability enables the OSPF ABR to discover shorter paths through the transit area and forward traffic along those paths rather than along the virtual link path, which is not as optimal. It is disabled with the router configuration command "no capability transit".

17. The OSPFv3 prefix suppression mechanism allows suppressing transit networks (directly connected from the OSPF router's perspective) from OSPF advertisements.
Router ospf address-family configuration: prefix-suppression. Or interface configuration: ipv6 ospf prefix-suppression.
By default, secondary and loopback IPs are not suppressed, and neither are passive interfaces (since they are connected to the edge networks that must be advertised!).

18. Dynamic BGP Neighbors:
 bgp listen limit 200
 bgp listen range 172.21.0.0/16 peer-group group172 
 bgp listen range 192.168.0.0/16 peer-group group192 

19. BGP soft reconfiguration and route refresh. Soft reconfiguration must be enabled on a per-neighbor basis and basically tells the router to store a copy of the Adj-RIB-In table in memory. Route refresh is the capability to ask a neighbor to re-send all of its routes as needed. In other words, soft reconfiguration works locally, whereas route refresh requires both neighbors to understand ROUTE-REFRESH messages.

20. VRF route leaking. In order to leak routes to/from the global routing table from/to a VRF, the export/import commands must be used under the vrf configuration. An export map can set extended community values on routes (RT values, for example). Also, an "import map" can be used to import routes not only based on RT but on any specific parameter (community, for example).

21. Export maps. The route-map specified in an export map matches routes that need to be modified. Routes that are denied by the route-map are not prevented from being exported, they are just not modified!
http://www.networking-forum.com/viewtopic.php?t=29464

22. Few words about IPSec.

Case 1: No GRE tunnel.
a. A crypto map must be used to set the peer address, the transform set (TS) and the ACL for interesting traffic.
b. The ACL must match every source and destination that must be encrypted.
c. Tunnel mode must be used in the transform set.

Case 2: GRE tunnel.
a. The ACL should match only the endpoint IPs of the tunnel (external IPs, tunnel source and destination).
b. The transform set mode should be set to transport since GRE has its own IP header.
c. There are two ways to enable IPSec for tunneled traffic:
    - "tunnel protection" method. In this case there is no need for crypto maps. Instead, a "crypto ipsec profile" should be used along with the "tunnel protection" tunnel interface command.
    - crypto maps. In this case protection is applied to the physical interface with the "crypto map NAME" command. The crypto map peer ("set peer") must be set to the external IP of the peer (tunnel destination), not the tunnel IP (very easy to make a mistake)! The ACL for interesting traffic should match only the external IPs of the peers (tunnel source and destination).

23. Key facts about DMVPN:
a. Phase 1 - all spokes have p-t-p tunnels and communication is done only via hub.
Phase 2 - all tunnels are multipoint. Dynamic tunnels established as needed.
b. ip nhrp network-id MUST be configured in order for NHRP to work.
c. Split-horizon must be disabled for all distance-vector protocols (RIP, EIGRP).
d. Next-hop-self must be disabled for EIGRP in Phase 2.
e. OSPF point-to-multipoint network should be used in Phase 1.
f. OSPF broadcast network should be used in Phase 2.
g. In order for multicast to work properly, "ip nhrp map multicast OUTER_IP" is required. On hub it is specified as "ip nhrp map multicast dynamic"

24. In DVTI networks, all tunnel interfaces MUST be unnumbered to a loopback IP. When interfaces are unnumbered, ospf advertises host routes for each loopback IP. Without host routes, OSPF DB is populated but routes are not installed into the RIB.
25. Virtual link is an extension of Area 0, so if lab requires area 0 to be authenticated, it applies to virtual-links also.
26. Nested policy-maps. The requirement is to limit the bandwidth for packets having network X as source to no more than 5 kb/s. At the same time, packets having network X as source and IP precedence 0 to 2 must be given 3 kb/s. Packets having network X as source and precedence 1 (note that it falls into the range between 0 and 2) must be policed to 1 kb/s.
Configuration.
First, an ACL must be created to match the network.
Then, 3 class-maps will be created:
- The first matches only the source network.
- The second matches the network and the range of precedences.
- The third, the most specific, matches the network and precedence 1.
The last thing to do is to create nested policy-maps going from the most specific to the least specific. Each next level includes the previously created policy (rates in the police statements are in bps).
class-map match-all 1        <- least specific
 match access-group ACL
class-map match-all 2
 match access-group ACL
 match ip precedence 0 1 2
class-map match-all 3        <- most specific
 match access-group ACL
 match ip precedence 1
policy-map 3                 <- most specific policy-map
 class 3
  police 1000
policy-map 2
 class 2
  police 3000
  service-policy 3           <- nested policy-map
policy-map 1                 <- least specific policy-map
 class 1
  police 5000
  service-policy 2           <- nested policy-map
Logic: Police the large chunk of packets to 5 kb/s, then from this group take the more specific part and police it to 3 kb/s. Lastly, from the second group take another one, the most specific, and police it down to 1 kb/s.
27. Configuring burst if it is given in ms (time value).
Burst bytes = time in seconds * target rate (in bits) / 8
28. RPF for multicast. The outgoing interface used to reach the unicast source IP of the multicast traffic must match the interface the multicast arrives on; otherwise the packet fails the RPF check and is dropped.
29. If the non-broadcast OSPF network type is used and only one router must be DR with no BDR, then neighbor statements are needed only on the DR. The spokes do NOT require neighbor statements. Priority should be set to 0 on the spokes.
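An added example, not from the original notes, illustrating item 28: a small Python model of the RPF check. It does a longest-prefix lookup of the multicast source's unicast address in a constructed RIB (prefixes and interface names are made up for the example) and compares the resulting interface with the interface the packet arrived on.

```python
import ipaddress

# Constructed unicast RIB as (prefix, outgoing interface); on a router this is 'show ip route'.
UNICAST_RIB = [
    ("0.0.0.0/0", "Gi0/0"),          # default route
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),        # more specific than 10.1.0.0/16
    ("192.168.100.0/24", "Gi0/3"),
]


def rpf_interface(source_ip, rib=UNICAST_RIB):
    """Longest-prefix match on the unicast SOURCE address of the multicast flow.
    Returns the interface the router would use to send unicast traffic back to the source."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(source_ip, incoming_interface, rib=UNICAST_RIB):
    """RPF passes only if the packet came in on the interface that leads back to the source."""
    return rpf_interface(source_ip, rib) == incoming_interface


if __name__ == "__main__":
    # (S,G) traffic from 10.1.5.7 arriving on Gi0/1 fails RPF: the RIB points to Gi0/2 for that source.
    for src, iface in (("10.1.5.7", "Gi0/2"), ("10.1.5.7", "Gi0/1"), ("172.16.0.1", "Gi0/0")):
        print(src, iface, "RPF", "pass" if rpf_check(src, iface) else "FAIL, dropped")
```

The failure case above (source 10.1.5.7 arriving on Gi0/1 while the RIB prefers Gi0/2) is exactly what "show ip mroute count" or "debug ip mpacket" shows as RPF drops on a real box; the fix is either a unicast routing change or a static "ip mroute" for the source.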
30. NAT port forwarding.
ip nat inside source static LOCAL GLOBAL
31. OSPF NSSA
      B
     /  \
A--     --D
     \  /
      C
Assume that B and C are ABRs, subnet ABC is in area 0 and subnet BDC is in NSSA 30. The NSSA ABR with the higher router-id translates all type 7 LSAs from the NSSA area into type 5 LSAs and advertises them into the backbone area. Now assume that D advertises external route X into the NSSA area.
Problem. What should be the next hop for route X on A? B? C? Or both?
In fact, if we check the OSPF DB on A, we will see that X is advertised only by B. Regardless of that fact, the next hop for X on A is both B and C!
32. Distribute list for OSPF intra-area routes using ACL.
Source IP of the ACL must match next hop (not router-id!) of the route and destination part must match route.
33. "show ip route X" is a very useful command when checking the route source (don't confuse it with the NH!)
34. OSPF external routes. E1 is always preferred over E2 even if the latter has a lower metric. The internal OSPF cost to the ASBR is still considered for E2 routes, but only as a tie-breaker when both E2 routes get an equal metric during redistribution.
35. DMVPN Phase 3 is used to create "data plane shortcuts" even though NH in a RIB points to a hub. OSPF can use point-to-multipoint in this scenario and there still will be a traffic between spokes because NHRP will override CEF entries.
36. RIP doesn't have the "ip next-hop-self" feature of EIGRP. In a hub-and-spoke topology, RIP will always send updates for the spokes' networks with the spoke as the NH, EXCEPT when auto-summary is enabled. If RIP is summarizing one of the spoke's networks on a classful boundary, it will put itself as the next hop (even if the network was originally a Class C with a /24 mask, it will advertise it as the same Class C network with a /24 mask to the neighbor on the Class A network, but with itself as the next hop! In this scenario the summarization cannot be seen in the RIB of the spoke because the subnet still has a /24 mask, but the next hop will be the hub.) It essentially means that if a spoke's network points to the hub in a hub-and-spoke topology, the hub performed summarization on a classful boundary!
37. Route manipulation:
-Distance
"distance N SOURCE ST_ACL". Source is specified right in the command without the use of ACL, etc. Source must be advertising router, not NH. Only standard ACL can be used to filter prefixes.
-Distribute-list
Distribute list can use following options:
"distribute-list ST_ACL" - Deny statements match prefixes to be denied and permit any at the end to permit the rest.
"distribute-list EXT_ACL" - Source IP must be in form of host that matches NH of the route, destination is prefix. Deny to deny prefix with particular NH, and permit...to permit.
"distribute-list gateway PR_LIST" - Every route with NH specified in PR_LIST with deny statement are filtered.
"distribute-list prefix PR_LIST1 gateway PR_LIST2" - All updates with NH specified with DENY statement in PR_LIST2 are filtered, the rest can be filtered with deny statements from PR_LIST1.
"distribute-list route-map NAME in".
#From my tests with 12.4, filtering by both prefix and route-type doesn't work if combined in a single route-map (maybe it's not possible to filter by specifying different attributes in a single route-map).
For different types of filtering to work together in one route-map they must be separated into different permit/deny clauses, unless you want to match several parameters at the same time:
route-map RM deny 10
 match route-type external level-2
route-map RM deny 15
 match ip address prefix-list try
 match metric 11
route-map RM permit 20
ip prefix-list try seq 5 permit 192.168.1.1/32
Previous route-map filters all E2 routes, all routes that (a.) permitted by "try" prefix-list AND (b.) have OSPF metric of 11. All other routes are permitted by clause 20.
---
Filtering by NH doesn't work with prefix-list in route-maps in 12.4 (have to test on 15.3). ACL's work fine.
---
Filtering by network prefix works for both PL and ACL.
---
Filtering by route-source (advertising router) works the same way as by NH (e.g. prefix-lists do NOT work). Note: I could NOT filter external prefix with this command.
---
#applies to NH, prefix and route-source filtering: What's interesting is that the route-map is used differently here compared to the usual use cases. The first statement is PERMIT and what must be filtered is specified within the matching clause (for example, a deny in the ACL will deny the prefix). The ACL is used to determine what is filtered and what is not, instead of just selecting "interesting" matches that are then permitted or denied by the route-map itself.
---
Filtering by route-type works either by : (a.) RM permit clause specifies what should be permitted and everything else is blocked (b.) RM deny clause specifies what must be filtered and then permit clause permits everything else (without a match statement)
---
Filtering by metric works smoothly
---
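As an added example covering items 32 and 37 (not part of the original notes), the following Python model applies an extended ACL and a standard ACL the way "distribute-list ... in" does: for the extended ACL the source field is matched against the route's next hop and the destination field against the route's prefix, while the standard ACL matches only the prefix. Both ACLs end with the implicit deny, which is why the final "permit any" matters. The routes, ACL entries and next hops are constructed for the example.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


# Constructed OSPF routes as (prefix, next hop); the first prefix has two ECMP next hops.
ROUTES = [
    ("10.10.10.0/24", "10.0.12.2"),
    ("10.10.10.0/24", "10.0.13.3"),
    ("10.10.20.0/24", "10.0.12.2"),
]

# Extended ACL for "distribute-list EXT_ACL in": (action, src net, src wildcard, dst net, dst wildcard).
# Source = next hop (as a host entry), destination = route prefix.
EXT_ACL = [
    ("deny", "10.0.12.2", "0.0.0.0", "10.10.10.0", "0.0.0.255"),              # drop 10.10.10.0/24 only via NH 10.0.12.2
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),   # permit ip any any
]

# Standard ACL for "distribute-list ST_ACL in": (action, net, wildcard); matches the prefix only.
ST_ACL_NO_PERMIT_ANY = [("deny", "10.10.10.0", "0.0.0.255")]
ST_ACL = ST_ACL_NO_PERMIT_ANY + [("permit", "0.0.0.0", "255.255.255.255")]


def ext_acl_action(acl, prefix, next_hop):
    """First matching entry wins; no match hits the implicit deny."""
    net = str(ipaddress.ip_network(prefix).network_address)
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(next_hop, s_net, s_wc) and wildcard_match(net, d_net, d_wc):
            return action
    return "deny"


def st_acl_action(acl, prefix):
    net = str(ipaddress.ip_network(prefix).network_address)
    for action, s_net, s_wc in acl:
        if wildcard_match(net, s_net, s_wc):
            return action
    return "deny"


def filter_ext(acl, routes=ROUTES):
    """Routes that survive 'distribute-list <extended ACL> in'."""
    return [r for r in routes if ext_acl_action(acl, *r) == "permit"]


def filter_st(acl, routes=ROUTES):
    """Routes that survive 'distribute-list <standard ACL> in'."""
    return [r for r in routes if st_acl_action(acl, r[0]) == "permit"]


if __name__ == "__main__":
    print("extended ACL  :", filter_ext(EXT_ACL))          # 10.10.10.0/24 kept only via 10.0.13.3
    print("standard ACL  :", filter_st(ST_ACL))            # 10.10.10.0/24 gone for both next hops
    print("missing permit:", filter_st(ST_ACL_NO_PERMIT_ANY))   # everything filtered by the implicit deny
```

The extended-ACL form is the one to reach for when the same prefix is learned over two paths and only one of them should be kept; the standard-ACL form cannot express that, and an ACL without a trailing "permit any" silently empties the RIB.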
38. Inter-area route filtering on ABR:
Method 1: Filter the inter-area routes generated at ABR
router ospf 1
 area 10 filter-list prefix NAME in

Method 2: Filter out intra-area routes
router ospf 1
 area 10 range 1.1.1.0 255.255.255.0 not-advertise

Method 3: Filter inter-area routes learned by ABR from Area 0
router ospf 1
 distribute-list 1 in
39. External route filtering:
Method 1:
router ospf 1
 distribute-list 1 out rip
!
access-list 1 deny 1.1.1.0
access-list 1 permit any

Method 2 (uses access-list 1 from Method 1):
router ospf 1
 redistribute rip subnets route-map RIP_TO_OSPF
!
route-map RIP_TO_OSPF permit 10
 match ip address 1

Method 3:
router ospf 1
 summary-address 10.0.0.0 255.255.255.0 not-advertise

40. OSPF area summarization (or just new Type-3 summary LSA creation) is done via checking RIB table, not LSDB and applies ONLY to routes that are internal to the area! And it's done BEFORE "distribute-list in" command is applied, so summary LSA will be generated even if there is no corresponding more specific route in the RIB (have to check if it applies to "area range" or to any type-3 LSA being created).
41. OSPF inter-area (IA) routes cannot be summarized by the "area range" command.
42. When ABR re-generates summary LSA received from area 0 (origin is any other area) for its directly connected area, it is doing so AFTER applying "distribute-list" filter. Same way it's done for intra-area summarization, it checks RIB instead of LSDB when it performs re-generations of summary LSA's. It means that if IA routes are filtered from getting into the RIB on ABR, they will not be propagated past that ABR!
43. [OSPF] If the hub is not the DR, it becomes adjacent with the DR only and its state with the rest of the spokes stays 2-WAY. However, on the spokes it looks like they are adjacent with the hub and the state is FULL. Essentially, it means that the hub will install only the routes advertised by the neighbor it is actually adjacent with. On all other spokes the LSDB will be empty.
44. [RED] When redistributing external EIGRP into OSPF on two routers, the AD for OSPF external routes must be increased. Otherwise one of the routers will prefer the route learned back through the OSPF domain (AD 110) over the EIGRP external route (AD 170) toward the EIGRP exit point.
45. [ROUTE_MANIPULATION, EIGRP, OSPF] Command "distance X ROUTE_SOURCE ACL" can change AD for any OSPF route but for EIGRP it changes AD of internal routes ONLY.
46. [OSPF, NSSA] An NSSA area has two (2) ABRs. The command "area X nssa no-summary no-redistribution default-information-originate" is configured on one ABR and "area X nssa default-information-originate" on the second ABR. A router in the NSSA area (connected to the NSSA area only) will see only one (1) default route instead of two from both ABRs as one might think! The reason is that both ABRs inject a default route in the form of a Type-7 LSA because of "default-information-originate" (see the Type-7 entries below). However, only one (1) of them also injects a default route in the form of a Type-3 LSA (no-summary), and the inter-area route is always preferred: O - IA - E1 - E2 - N1 - N2.
Summary Net Link States (Area 30)
Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.1.1 66 0x80000001 0x006409

Type-7 AS External Link States (Area 30)
Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 10.1.1.1 155 0x80000001 0x0038B0 0
0.0.0.0 10.1.1.2 559 0x80000009 0x0022BD 0

47. [OSPF, NSSA] Same topology as was described above. After deletion of "no-summary" keyword on ABR, two (2) defaults are injected into NSSA area. On NSSA internal router I wanted to change distance for one of the defaults to make it less preferred. Oddly enough, when I matched the ABR that performs LSA7-to-5 translations in my "distance X ROUTE_SOURCE ACL" command, it didn't take effect at all! However, when I matched the other ABR (one that doesn't do translations), AD for both defaults was changed on the router. Looking at LSDB, I see that both defaults are advertised by different routers (see output above). The best solution was to change metric on ABR instead of changing AD on receiving router. "area X nssa def-inf-or metric X" command was used.
48. [L2, VTP] For VTP transparent mode switch to forward VTP updates received on trunk ports, it must be configured with the SAME domain name as all other switches in VTP domain.
49. [L2, VTP] When transparent switch is placed in the middle of VTP domain, it might create data-plane black-holes, since VLAN's will be created on the leaf nodes, but not on the transparent switch.
50. [L2, VTP] When pruning is enabled in the VTP domain and then one of the switches is connected by a trunk port to a device that doesn't support VTP, it will request ALL VLANs from its VTP neighbors.
51. [L2, DTP] Port that is in trunk mode still runs DTP. It means that if on the other side port is in dynamic auto mode it will still negotiate trunking. Dynamic auto/auto doesn't actively negotiate trunking.
52. [L2, DHCP_SNOOPING] DHCP Snooping on IOL works only with "no ip dhcp snooping information option"
53. [OSPF] When there is a p-t-m nbma network configured between a bunch of routers, ALL of them must configure "area X range" command for host routes to be suppressed out of the area. It must be done on all routers, not only on ABR's.