Wednesday, October 24, 2012

MULTICAST COMMAND REVIEW



224.0.0.0/4 (224.0.0.0 - 239.255.255.255) – the full multicast range

224.0.0.0/24 – link local

232.0.0.0/8 – SSM (source-specific multicast)

239.0.0.0/8 – private/admin scope


ip pim rp-address 1.1.1.1 [acl] [override] - the ACL lists the groups that are mapped to this particular RP; override makes this static mapping take precedence over dynamically learned (Auto-RP/BSR) mappings.

ip pim spt-threshold {rate in kbps | infinity} - the rate at which the router switches over to the SPT; with infinity it never switches over. This is configured on the receiver's first-hop router.

no ip pim dm-fallback - put on PIM sparse-dense-mode routers to prevent fallback to dense mode for groups

pim assert - done on multiaccess segments when two or more routers are delivering the mcast stream; it invokes an election so that one router is elected to service the segment. The election is based on lowest admin distance to the source, if tied lowest metric to the source, and if still tied highest IP address.

ip pim accept-rp <rp-address> <acl of groups> - filtering done on non-RP routers to control which RP they will accept for which groups


pim dr election - decides which router does the register for source traffic arriving on the shared segment; highest priority wins, and if the priority is the same, highest IP address.

ip pim dr-priority <priority> - used to change the DR priority of an interface
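Added worked example (not from these notes or Cisco IOS): a small Python model of the two elections above, the Assert tie-break (lowest admin distance, then lowest metric, then highest IP) and the DR tie-break (highest dr-priority, then highest IP). The router addresses, distances, metrics and priorities are constructed sample data, and PimRouter, assert_winner and dr_winner are names chosen here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Added example (not from the page): models the two tie-break orders described
# above for the PIM Assert election and the PIM DR election. Router data is constructed.

@dataclass(frozen=True)
class PimRouter:
    ip: str                  # interface address on the shared segment
    admin_distance: int = 0  # AD of the route back to the source (Assert only)
    metric: int = 0          # metric of the route back to the source (Assert only)
    dr_priority: int = 1     # IOS default DR priority

def _ip_int(r: PimRouter) -> int:
    return int(ipaddress.IPv4Address(r.ip))

def assert_winner(routers: Iterable[PimRouter]) -> PimRouter:
    """Assert: lowest admin distance, then lowest metric to the source, then highest IP."""
    # min() over the tuple; the negated IP makes the higher address sort first on a full tie
    return min(routers, key=lambda r: (r.admin_distance, r.metric, -_ip_int(r)))

def dr_winner(routers: Iterable[PimRouter]) -> PimRouter:
    """DR: highest ip pim dr-priority, then highest IP."""
    return max(routers, key=lambda r: (r.dr_priority, _ip_int(r)))

# Constructed segment: three routers on the same LAN
SEGMENT = [
    PimRouter("155.1.0.1", admin_distance=110, metric=20),                 # OSPF route to the source
    PimRouter("155.1.0.2", admin_distance=90, metric=30),                  # EIGRP route, lower AD
    PimRouter("155.1.0.3", admin_distance=90, metric=30, dr_priority=200), # AD/metric tie with .2
]

if __name__ == "__main__":
    print("assert winner:", assert_winner(SEGMENT).ip)  # .3: AD and metric tie with .2, highest IP wins
    print("DR:", dr_winner(SEGMENT).ip)                   # .3: explicit dr-priority 200
    print("DR, equal priorities:", dr_winner([PimRouter("155.1.0.1"), PimRouter("155.1.0.2")]).ip)
```

Note that the two elections look at different things: the Assert compares the routers' unicast routes back to the source, while the DR election only looks at priority and address, which is why ip pim dr-priority moves the DR role but has no effect on who wins an Assert.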


sh ip pim interface - shows the DR priority of each interface


ip pim accept-register {list <extended ACL> | route-map <map>} - the access-list goes like this:

ip access-list extended REGISTER
 permit ip <source-ip> <source-wildcard> <group-address> <group-wildcard>

The purpose of ip pim accept-register is to filter, on the RP, which sources are allowed to register for which groups.

In multicast tunnelling we need to ensure the tunnel interface has a lower admin distance and/or metric than the underlying network, or use static mroutes, so that traffic arriving over the tunnel passes the RPF check.

ip pim nbma-mode - only works with sparse mode; it treats the frame relay multipoint interface as a collection of point-to-point links by tracking the PIM joins per neighbor. This gets around the issue of not all hosts receiving PIM messages, such as asserts, on NBMA media.

ip pim send-rp-announce <interface> scope <TTL> [group-list <std acl>] - this command is used in Auto-RP to advertise a candidate RP to the mapping agent; the group-list is a standard ACL used to limit which groups are serviced by the RP. The RP advertisement is sent to 224.0.1.39.

ip pim send-rp-discovery <interface> scope <TTL> - this command sets a router as a mapping agent (MA); it listens for candidate RPs on 224.0.1.39 and advertises the RP mappings to all mcast PIM routers on 224.0.1.40. If there are multiple MAs in the network they hear each other, and every one ceases sending discovery messages apart from the MA with the highest IP.

MA Rules

  • Receives announcements for a group from 2 or more candidate RPs: it will select the RP with the highest IP
  • Receives announcements for 2 different groups where one is a subset of the other: it will send both RPs

For Auto-RP

Need ip pim sparse-dense-mode or ip pim autorp listener – used to propagate 224.0.1.39/224.0.1.40, as these two groups are flooded in dense mode


sh ip pim rp mapping - used to see RP mappings

ip pim rp-announce-filter {group-list <access-list> | rp-list <access-list> [group-list <access-list>]} – used on the MA to filter which incoming RPs it will accept for which groups

ip pim send-rp-discovery lo0 scope 4 - the scope (TTL) can be used to limit the size of the mcast domain and set its boundary

ip multicast boundary <access-list> [filter-autorp] - with a standard ACL, any PIM/IGMP message for a group is inspected to see if the group matches; if it matches it is allowed, otherwise it is disallowed. With an extended ACL both source and destination are inspected for a match. With filter-autorp the Auto-RP messages are also inspected, and RP mappings that do not match the group are filtered out. The ACL has to be standard when using filter-autorp.
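Added example (not the page's or IOS's code): a Python model of the ACL evaluation the boundary command performs, with the wildcard-mask matching, the standard (group only) versus extended (source and group) distinction and the implicit deny, together with the range classification from the top of the notes. The ACL entries and addresses are constructed samples, and standard(), extended() and boundary_allows() are names chosen here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the page or Cisco IOS): models how a standard or extended
# ACL is evaluated under "ip multicast boundary", plus the range classification from
# the top of the notes. ACL entries and addresses below are constructed samples.

def classify_group(group: str) -> str:
    """Place an IPv4 group into the ranges listed at the top of the notes."""
    g = ipaddress.IPv4Address(group)
    if g not in ipaddress.IPv4Network("224.0.0.0/4"):
        return "not-multicast"
    if g in ipaddress.IPv4Network("224.0.0.0/24"):
        return "link-local"
    if g in ipaddress.IPv4Network("232.0.0.0/8"):
        return "ssm"
    if g in ipaddress.IPv4Network("239.0.0.0/8"):
        return "admin-scope"
    return "global"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

@dataclass(frozen=True)
class AclEntry:
    permit: bool
    group: str = "0.0.0.0"
    group_wc: str = "255.255.255.255"
    src: str = "0.0.0.0"                 # only consulted for extended ACLs
    src_wc: str = "255.255.255.255"

def standard(permit: bool, group: str, group_wc: str = "0.0.0.0") -> AclEntry:
    """access-list <1-99> permit|deny <group> [wildcard]  (standard: group only)."""
    return AclEntry(permit, group, group_wc)

def extended(permit: bool, src: str, src_wc: str, group: str, group_wc: str) -> AclEntry:
    """access-list <100-199> permit|deny ip <src> <wc> <group> <wc>  (extended: source and group)."""
    return AclEntry(permit, group, group_wc, src, src_wc)

def boundary_allows(entries: List[AclEntry], group: str, source: Optional[str] = None) -> bool:
    """First matching entry decides; no match means the implicit deny at the end of the ACL.
    Pass source=None for a standard ACL (only the group is inspected); pass the packet's
    source for an extended ACL (both source and group are inspected), as the notes describe."""
    for e in entries:
        if not wildcard_match(group, e.group, e.group_wc):
            continue
        if source is not None and not wildcard_match(source, e.src, e.src_wc):
            continue
        return e.permit
    return False

# Constructed standard ACL: keep admin-scope groups inside, let everything else cross
SCOPE_BOUNDARY = [
    standard(False, "239.0.0.0", "0.255.255.255"),
    standard(True, "224.0.0.0", "15.255.255.255"),
]

# Constructed extended ACL: only sources in 155.1.0.0/16 may send to 239.1.1.0/24 across it
EXTENDED_BOUNDARY = [
    extended(True, "155.1.0.0", "0.0.255.255", "239.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for grp in ("224.0.0.13", "232.1.2.3", "239.1.1.1", "224.0.1.39"):
        print(grp, classify_group(grp), "crosses boundary:", boundary_allows(SCOPE_BOUNDARY, grp))
    print("155.1.3.1 -> 239.1.1.5:", boundary_allows(EXTENDED_BOUNDARY, "239.1.1.5", "155.1.3.1"))
    print("10.0.0.1 -> 239.1.1.5:", boundary_allows(EXTENDED_BOUNDARY, "239.1.1.5", "10.0.0.1"))
```

The implicit deny is the part people trip over: an ACL that only denies 239.0.0.0/8 with no permit line blocks every group at the boundary, not just the admin-scope ones.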


ip pim rp-candidate <pim-enabled-interface> [group-list <standard ACL>] [interval <seconds>] [priority <0-255>] - advertises a candidate RP for BSR; the group-list filters which groups it will service, and the priority is used when there are multiple RPs. Lowest priority is preferred; the default is 0.

ip pim bsr-candidate <interface> [hash-mask-length] [priority] – sets a router as a BSR candidate; the higher the priority the more preferred the BSR candidate. When the BSR receives advertisements from multiple RPs, unlike Auto-RP it does not elect the RP for a router: it sends the full RP set out to every router, and each router decides which RP to use for which group. The PIM routers run a hashing procedure so that the RP is decided deterministically, which ensures we do not have, say, the source picking one RP and the receiver selecting another.
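Added example (not from the page or IOS): the hash the PIM routers run over the candidate-RP set, as specified in RFC 4601 section 4.7.2, using the bsr-candidate hash-mask-length; choose_rp() also applies the lower-priority-value-wins rule from the rp-candidate line above. The candidate-RP list is constructed, and rp_hash_value and choose_rp are names chosen here.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not from the page or Cisco IOS): the RP hash every PIM router runs over
# the candidate-RP set it learns from the BSR, taken from RFC 4601 section 4.7.2. The
# candidate list is constructed; (rp address, priority, group range) mirrors what
# ip pim rp-candidate advertises.

HASH_MOD = 1 << 31

def rp_hash_value(group: str, hash_mask_len: int, rp: str) -> int:
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31.
    M is the hash mask built from the bsr-candidate hash-mask-length."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = ((1103515245 * (g & mask) + 12345) & 0xFFFFFFFF) ^ c  # 32-bit arithmetic as in C code
    return (1103515245 * inner + 12345) % HASH_MOD

Candidate = Tuple[str, int, str]  # (rp address, priority, group range)

def choose_rp(group: str, candidates: List[Candidate], hash_mask_len: int) -> Optional[str]:
    """Deterministic RP selection: only candidates whose range covers the group are eligible;
    the lowest priority value is preferred (default 0); among those, the highest hash value
    wins, and a hash tie goes to the highest RP address."""
    g = ipaddress.IPv4Address(group)
    eligible = [c for c in candidates if g in ipaddress.IPv4Network(c[2])]
    if not eligible:
        return None
    best_priority = min(prio for _, prio, _ in eligible)
    pool = [c for c in eligible if c[1] == best_priority]
    winner = max(pool, key=lambda c: (rp_hash_value(group, hash_mask_len, c[0]),
                                      int(ipaddress.IPv4Address(c[0]))))
    return winner[0]

# Constructed candidate-RP set as a BSR would distribute it
CANDIDATES: List[Candidate] = [
    ("150.1.1.1", 0, "224.0.0.0/4"),
    ("150.1.2.2", 0, "224.0.0.0/4"),
    ("150.1.3.3", 10, "239.0.0.0/8"),  # worse (higher) priority value, admin-scope only
]

if __name__ == "__main__":
    # With a /24 hash mask, groups in the same /24 always land on the same RP
    for grp in ("239.1.1.1", "239.1.1.200", "239.1.2.1", "224.5.5.5"):
        print(grp, "->", choose_rp(grp, CANDIDATES, hash_mask_len=24))
```

The hash mask is what spreads load across equal-priority RPs: every router computes the same value for a group because G & M and the candidate addresses are identical everywhere, and choosing a mask such as /24 keeps a whole block of related groups on one RP rather than scattering them.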


ip pim bsr-border - this is used on an interface to stop the flooding of PIM bootstrap messages. Used at network boundaries.


R1

int fa0/1
 ip igmp helper-address 155.1.0.5 - stub router with little memory

R2

access-list 22 deny 155.1.0.3
access-list 22 permit any

int s0/0
 ip pim sparse-mode
 ip pim neighbor-filter 22

The above config is used for setting up a stub router. On the stub router (R1), ip igmp helper-address forwards the IGMP joins it receives to the upstream router. On R2, the router that processes IGMP for the stub, we need to ensure that it does not form a PIM adjacency with R1, so we apply ip pim neighbor-filter with an ACL that denies R1's address. R1 is configured with PIM dense mode to ensure it floods all mcast traffic received to the segment.


ip igmp limit <number> – can be applied globally or at interface level. At interface level it limits the number of IGMP groups joined on the interface. Applied globally it limits the total number of groups joined by directly connected receivers.

ip access-list standard IGMP_Filter
 permit 239.1.1.0 0.0.0.255

int fa0/1
 ip igmp access-group IGMP_Filter – used to filter IGMP joins to groups, in this case on int fa0/1

sh ip igmp interface

ip igmp query-interval <seconds> - used on multiaccess segments: one router is elected the designated querier (lowest IP), and the other routers on the segment listen for its queries, which are sent at the query interval. The queries are also how the querier polls for group membership.

ip igmp querier-timeout <seconds> - sets how long the other routers on the segment wait without hearing queries before one takes over the querier role

ip igmp query-max-response-time <seconds> – the maximum time we will wait for a receiver to express interest in a group before we close it off.

ip igmp last-member-query-count & ip igmp last-member-query-interval <milliseconds> - IGMPv2 introduced the leave message sent when a host leaves a group. The querier, on receiving it, generates a last-member query to check whether anyone is still interested in the group. The query count is how many queries it will send without a response before closing off the group, and the interval is the time between them.

ip igmp immediate-leave group-list <access-list> – covers the situation where you know you only have one host (receiver) on the interface, so when you receive a leave you want to close the group off straight away rather than sending last-member queries.

Below is an example of converting broadcast to multicast and then, on another remote segment, converting it back to broadcast.


Router on the segment receiving the initial broadcast, converting it to the mcast address


ip forward-protocol udp 5000

ip access-list extended Traffic
 permit udp any any eq 5000

int fa0/0
 ip multicast helper-map broadcast 239.1.1.100 Traffic



Router on the remote segment converting mcast back to broadcast



ip forward-protocol udp 5000

ip access-list extended Traffic
 permit udp any any eq 5000

int fa0/0
 ip directed-broadcast
 ip broadcast-address 155.1.37.255

int s1/0.1
 ip multicast helper-map 239.1.1.100 155.1.37.255 Traffic


Notable things: with ip multicast helper-map broadcast we take the broadcasts, restricted to UDP port 5000 by the access-list Traffic, and convert them to multicast 239.1.1.100.

On router 2 we receive mcast 239.1.1.100 and convert it to 155.1.37.255, again limited to port 5000 with access-list Traffic. To make the broadcast address 155.1.37.255 we use ip broadcast-address 155.1.37.255 on the outgoing interface; otherwise it assumes a broadcast of 255.255.255.255. We could use another address rather than 155.1.37.255.


debug ip mroute – to debug mcast traffic

no ip mroute-cache – on interfaces; similar to turning off fast switching for unicast so that transit traffic shows up in the debug output

ip multicast rate-limit {in|out} [group-list <acl>] [source-list <acl>] <limit in kbps> – used to rate-limit multicast; with group-list you limit particular groups, with source-list particular sources, so you could have one rate limit for group A and a different one for group B

ip pim bidir-enable - enables bidirectional PIM: only (*,G) state, no (S,G); traffic always flows through the RP with no switchover to the SPT, and traffic can flow in both directions, for many-sources-to-many-receivers environments

ip pim rp-address <ip> <acl> bidir - statically configuring an RP address for bidir


ip pim send-rp-announce <interface> scope <ttl> group-list <acl> bidir - using Auto-RP for a bidir candidate RP


ip pim rp-candidate <interface> group-list <acl> bidir - using BSR for a bidir candidate RP

ip pim ssm {default | range <acl>} - global command; enables source-specific multicast on the router. With default it uses the default SSM range of 232.0.0.0/8, while with range you specify an ACL for the SSM addresses. SSM does not create (*,G), only (S,G), and does not need an RP, but it needs IGMP version 3 to be running.

ip igmp version 3 - enables IGMPv3 on the interface

ip igmp join-group <group address> source <source address> – makes an interface join an IGMP multicast group, with a specific source for SSM

ip msdp peer 150.1.1.1 connect-source lo0 - used when there are multiple RPs to keep them in sync with regard to registers from sources and joins from receivers

ip msdp mesh-group GROUP1 150.1.1.1 - used when the RPs are fully meshed; we get into a scenario where an RP advertises a group, another RP receives it and advertises it on to a third RP, who sends it back to the original RP. This is OK, as the RPF check will eventually get rid of it, but to optimise we can use mesh groups.

sh ip msdp sa-cache - to view the multicast source-active cache on an RP running MSDP

access-list 150 deny ip any 239.0.0.0 0.255.255.255
access-list 150 permit ip any any

ip msdp sa-filter out 150.1.1.1 list 150 – this filters any private/admin-scope SA advertisements from being sent out to that peer

When running multicast across ASes we can run into RPF check issues. To get around this, multicast BGP was brought in: when mcast BGP is enabled, the RPF check first checks the static mroutes, then the BGP multicast table, then the unicast table, so we get around RPF issues by using BGP routing. We can influence the paths taken using the typical BGP mechanisms: weight, local preference, MED and AS path.

router bgp 1
 address-family ipv4 multicast
  neighbor 155.1.3.2 activate
  network 150.1.29.1 mask 255.255.255.0

Anycast RP is two or more RPs advertising the same address, say 1.1.1.1 on a loopback.

The anycast RPs run MSDP between each other; clients register with the closest RP and we have redundancy.

ip igmp snooping – typically switches flood all mcast traffic to all ports, treating it as unknown broadcast. With IGMP snooping the switch keeps track of all IGMP joins, reads the mcast packets and builds a mcast CAM table so it can send just to interested receivers rather than all ports. It is on by default.

We can be specific and turn it off globally and on for particular VLANs:

ip igmp snooping vlan <xx>

ip igmp snooping vlan <xx> static <group address> interface <int> - enabling a static join for a port

ip igmp snooping tcn flood query count <count> - if a host changes port it generates a TCN; this floods mcast traffic for the period of that many queries

no ip igmp snooping tcn flood – to disable this flooding behaviour

ip igmp profile 1
 permit | deny
 range 239.0.0.0

int fa0/1
 ip igmp filter 1

ip igmp profile – used for filtering IGMP at a layer 2 port; a profile is either permit or deny: permit allows the listed group but only that group, deny disallows the specified group but allows all others. The profile is applied to the port with ip igmp filter.

ip igmp max-groups <nn> - limits the number of groups allowed to be joined on the interface

ip igmp max-groups action {deny | replace} – when the maximum is reached, new groups are either denied or replace an existing one

MVR

mvr
mvr vlan <xx>
mvr group <group address>
mvr querytime 15

So mcast floods to the specific MVR VLAN; when joins are sent from ports on different VLANs they are intercepted, the ports get access to the MVR VLAN and receive the mcast flow. Multicast routing does not have to be enabled on the switch. Used a lot in metro ethernet environments.

For source ports we set mvr type source; for receiver ports in other VLANs, mvr type receiver.

IPv6 multicast uses the reserved range ffxy::/8

where x = flags, y = scope

scopes are 1 = node, 2 = link, 5 = site, 8 = organisation, E = global



Sample addresses: ff02::1 – all nodes, ff02::2 – all routers (link scope)

ff05::2 – all routers (site scope), ff05::1:3 – all DHCP servers



ipv6 multicast-routing – enables PIM on all interfaces by default; to turn it off go to the interface and do

no ipv6 pim

sh ipv6 mld interface - MLD replaces IGMP: MLDv1 corresponds to IGMPv2, MLDv2 corresponds to IGMPv3

ipv6 mld limit <number> - limits the number of groups that can be joined on the interface

ipv6 mld query-interval - MLD query interval for groups

ipv6 mld querier-timeout

ipv6 mld query-max-response-time

ipv6 mld access-group - all the same functions as the IGMP equivalents

ipv6 pim rp-address <ipv6> - manually specify the RP address on PIM routers

ipv6 pim bsr candidate rp <ipv6> - candidate RP for BSR (there is no Auto-RP in IPv6)

ipv6 pim bsr candidate bsr <ipv6> - candidate BSR

ipv6 pim bsr announced rp <ipv6> - statically configure an RP address on the BSR for distribution

show ipv6 pim range-list – replacement for sh ip pim rp mapping

sh ipv6 pim neighbor – instead of sh ip pim neighbor

int fa0/1
 ipv6 mld join-group ff0e::1 – manually join a group on an interface

sh ipv6 pim bsr election – view the BSR election state and the candidate RPs



ff7Y:0iLL:<64-bit RP prefix>:<32-bit group ID> - embedded RP address

Y = scope, i = 4-bit RP interface ID (RIID), LL = 8-bit RP address prefix length

e.g.

RP address 2001:150:1:4::4/64 becomes



ff7E:0440:2001:150:1:4::1

so to break it up:



ff7E – 7 is the flags, E is the scope; 04 – the 4 is the interface ID; 40 – 0x40 is /64 in hex; 2001:150:1:4:: is the RP's IPv6 prefix; the final ::1 is the 32-bit group ID
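Added example (not from the page): Python that encodes and decodes the embedded-RP layout just described (RFC 3956), checked against the page's own 2001:150:1:4::4 / ff7E:0440:2001:150:1:4::1 example. embed_rp(), decode_embedded_rp() and canonical() are names chosen here, and the scope names come from the scope table above.

```python
import ipaddress

# Added example (not from the page): builds and parses IPv6 embedded-RP group addresses
# (RFC 3956), the ff7Y:0iLL:<64-bit RP prefix>:<32-bit group ID> layout described above.
# The RP prefix, scope and group ID used below are the page's own worked example.

SCOPES = {1: "node", 2: "link", 5: "site", 8: "organisation", 0xE: "global"}

def canonical(addr: str) -> str:
    """Normalise any IPv6 textual form (e.g. ff7E:0440:...::1) so two spellings compare equal."""
    return str(ipaddress.IPv6Address(addr))

def embed_rp(rp: str, prefix_len: int, scope: int, group_id: int) -> str:
    """Encode an RP address as an embedded-RP multicast group.
    Flags nibble is 7 (R, P and T set); RIID is the low 4 bits of the RP address."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0xF
    if riid == 0:
        raise ValueError("RIID 0 is reserved; the RP's interface ID must end in a non-zero nibble")
    if not (1 <= prefix_len <= 64) or not (0 <= scope <= 0xF) or not (0 <= group_id < 1 << 32):
        raise ValueError("prefix length must be 1..64, scope a nibble, group ID 32 bits")
    # top prefix_len bits of the RP, left-aligned in the 64-bit network-prefix field
    prefix64 = (rp_int >> (128 - prefix_len)) << (64 - prefix_len)
    addr = (0xFF << 120) | (0x7 << 116) | (scope << 112) | (riid << 104) | (prefix_len << 96)
    addr |= (prefix64 << 32) | group_id
    return str(ipaddress.IPv6Address(addr))

def decode_embedded_rp(group: str) -> dict:
    """Recover the RP address and the other fields from an embedded-RP group address."""
    g = int(ipaddress.IPv6Address(group))
    flags = (g >> 116) & 0xF
    if (g >> 120) != 0xFF or (flags & 0x7) != 0x7:
        raise ValueError("not an embedded-RP address: needs ff and the R, P and T flags set")
    scope = (g >> 112) & 0xF
    riid = (g >> 104) & 0xF
    plen = (g >> 96) & 0xFF
    prefix64 = (g >> 32) & 0xFFFFFFFFFFFFFFFF
    group_id = g & 0xFFFFFFFF
    # RP = network prefix (upper 64 bits) with the RIID in the low 4 bits, everything else zero
    rp = ipaddress.IPv6Address((prefix64 << 64) | riid)
    return {
        "scope": scope,
        "scope_name": SCOPES.get(scope, "unassigned"),
        "riid": riid,
        "prefix_len": plen,
        "rp": str(rp),
        "group_id": group_id,
    }

if __name__ == "__main__":
    group = embed_rp("2001:150:1:4::4", 64, 0xE, 1)  # equals the page's ff7E:0440:2001:150:1:4::1
    print(group)
    print(decode_embedded_rp("ff7E:0440:2001:150:1:4::1"))
```

The decoder is also a useful sanity check on a configured group: if the flags nibble is not 7, a router will treat the address as an ordinary group and go looking for an RP via BSR or static config rather than deriving it from the address.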

Sunday, September 30, 2012

PFR REVIEW QUESTIONS

PFR
What is the difference between load balancing and load sharing?
What is the job of the MC in PfR?
What is the job of the border routers?
What are the requirements for PfR as regards internal and external interfaces?
Is this requirement per device?
What happens if PfR is not specified on an interface?
What is the requirement for routing in PfR?
How would you define a border router connecting to a master of 2.2.2.2?
How could you define MD5 authentication for this?
What do we need to define on the MC for border router R1 1.1.1.1 and border router 3.3.3.3?
How can you check on the master if the connections have been successfully established?
What would you use to define a max difference of 20 percent in utilization?
What is the difference between passive and active mode, and which existing IOS features do they use?
What is the default monitoring in PfR?
How could we say to only monitor utilization?
What is the default mode control for PfR?
How can we change this to be active in routing?
What is the backoff value in PfR?
How would you set PfR to automatic learning based on throughput?
How would you set it so it continuously monitors and does not stop and take breaks?
What is the default high utilization?
What tag does PfR assign the static routes?
What can we use this tag for?
How could we tell it under auto learn to evaluate the BGP table rather than the CEF FIB?
What is the parent route issue in PfR?
What types of routes can parent routes be?
How could we tell PfR to only auto learn www?
How could we in auto learn tell PfR to only look at ICMP traffic destined to 5.5.5.5?
How do you turn on logging for PfR?
How can we disable auto learn?
How could we tell PfR to aggregate to /24?
What is a learn list and how do we define it?
How can we use PBR mode?
How do we match traffic in PBR mode?
What is important about the ACL in PBR mode?
What must we set?
How do you view the PBR route map on the border routers?
What are the requirements when we have multiple border routers?
What do we need to define on the OER master for this interface?
How could we change PfR to only account for delay, not throughput?
What is the difference between the relative delay threshold and the absolute one?
What is mode fast?
What is a link group and how do we define link groups?
What is flexible netflow?
What 4 steps do we need to take to apply flexible netflow?
What is the difference between a match and a collect statement?
How can we define flexible netflow to integrate with PfR?

Wednesday, September 26, 2012

Security Review

How would we set authentication on the console to use the locally configured username and password?
How could we configure authentication for telnet to only need a password?
How could we configure a user trying to go into enable mode to be authenticated by TACACS+ and fall back to local?
How could we configure a failed login to generate "Sorry Authentication failed"?
How do we define a TACACS+ server with a password of cisco which uses source interface lo0?
How could we authorize console connections by TACACS+ then fall back to local?
How could we authorize locally all IP options on an interface for a user with privilege level 6?
How can we use RBAC to give specific access to a user named Eoghan to allow him to run all debug commands?
How do you combine RBAC access?
How can we do lockout after 3 attempts?
What is quiet mode and how can we configure a way around it?
How could we get a failure log every 3 attempts?
How could we delay each login attempt by 4 tries to prevent dictionary attacks?
Limit a user named Eoghan so he can only telnet from the router to 1.1.1.1 port 80?
Limit telnet sessions inbound to the router to only come from 2.2.2.2?
How would you match an even second octet out of these 5 addresses: 112.1.0.0 112.2.0.0 112.3.0.0 112.4.0.0 112.5.0.0?
What are the traceroute UDP ports?
What message is generated in the path MTU discovery process?
What error/return messages are generated by ICMP?
How can you change the logging of an access list to log every 4th hit?
How can you stop ICMP from sending back unreachable information?
How could you drop traffic if it entered a specific interface and is leaving on another specific interface, e.g. limit traffic to what enters s0/0 and leaves fa0/0 only?
How can we allow return traffic using a reflexive access list, say for ICMP?
When denying traffic inbound what must we take into account?
Why do we not need to take this into account outbound?
If I ping from a router which has a reflexive access list, how can I account for this with the reflexive ACL?
I want to give access to HTTP server 1.1.1.1 but only if the user has authenticated to router 2.2.2.2; how would I configure this?
I want to set it so the connection times out every 15 min?
I want to limit access to the web server 1.1.1.1 from a user in the 3.3.3.3 subnet to weekdays 6pm to 9am?
If I have 4 switches (1 to 4) connected in a full mesh and I want to implement a VLAN access map to filter, where should I implement it?
How could I create a VLAN access map to allow TCP but deny everything else and apply it to VLAN 20?
In port security what do we need to watch out for with sub-interfaces in different VLANs?
How do you set a timeout on port security entries?
How do you set the port security violation mode, i.e. whether it shuts down the port etc.?
Which violation action logs and which does not log when port security rejects?
How can we configure auto recovery for ports shut down by port security?
Where do you enable DHCP snooping trust?
How can we protect the DHCP snooping database against a reboot?
How could I limit requests on a non-trusted port?
What does DHCP snooping do with giaddr?
What issues does it cause and how can we resolve them?
How do we put a static entry for 150.1.1.1 to MAC 000d.2fee.bcef.0000 in ARP inspection, and when would we do this?
How do we enable ARP inspection and include the static entry?
What is IP source guard for?
How do we create a static entry for 150.2.2.2 in IP source guard?
How do we enable IP source guard?
On a layer 2 port apply a filter to int gi1/0/1 to only allow ethertype 0x806 and ICMP?
What is the command to put a port under 802.1x control at interface mode and at global config mode?
How would you set 802.1x to send requests to a RADIUS server?
How could we limit ICMP to 100 pps in CoPP?
What are the differences between CoPP and CPPr?
What are the 3 interfaces in CPPr?
How could we match all closed ports with CPPr?
What is notable about routing protocols and ports?
How could we apply a queue limit of 50 to HTTP?
Is there a way of globally not allowing IP options?
How could we disallow IP source routing at interface level?

Using NBAR match any HTTP request which ends in .pdf or .txt and drop it?
What is the difference between uRPF strict and loose mode?
Why would we use loose?
What is the command to configure each?
What modes are there in TCP intercept and how do they differ?
How could you configure passive mode to limit incomplete connections to 100, and re-allow when they drop below 80?
Also set the connection timeout?
How could we allow return traffic for FTP using CBAC; what is special about FTP that reflexive ACLs would not work?
How can we set a global setting for CBAC for a DNS timeout of 10 seconds compared to interface specific?
How would we account for custom ports in CBAC, say 8008 for internet?
How do we apply CBAC to an interface?
How do you define a security zone and an inside zone?
How could we allow return traffic with ZBFW?
How do we assign an interface to a zone?
Can inside speak to outside by default?
Can outside speak to inside by default?
How would we allow outside transit traffic into inside?
How do we apply a parameter map and what is it?
Why would we need a key for the Cisco IPS definitions?
What if the key was on another router; how could we copy it across?

How could we limit IPS to check traffic to host 5.5.5.5?

How could we tell IPS to syslog violations?
How could we disable all signatures and why would we do this?
How can we enable an individual signature?
How do we apply IPS to an interface?
How do you copy a .pkg into your IPS database?
How can we set an event action in IPS?
If all hosts are in VLAN 20 which is isolated, can they communicate with each other?
If all hosts are in VLAN 30 which is community, can they speak to each other, and can they speak to community VLAN 40?
How would you assign the primary VLAN?
How can you configure the above with VLAN 10 as the primary port?
What is the limit with protected ports?
When unknown traffic comes in will it flood out on a protected port, and could another protected port receive it? How do we get around this problem?
How do you configure storm control to limit unicast to 80 percent of the bandwidth?



Tuesday, September 18, 2012

QOS REVIEW QUESTIONS





What is the formula for IOS weight for WFQ?
What is the virtual scheduling time and how is it calculated?
What is the queue tail time for a new packet in a new flow?
What is CDT in WFQ?
How do we enable WFQ on an interface?
Using legacy tools how would you reserve 128 kb for ports 16384 to 32766?
What weight does the reservation get in fair queue?
Where would you see weighting in the CLI?
With legacy tools how would you prioritise 128 kb for ports 16384 to 32766?
Do legacy custom queueing to allow for 3 protocols: RTP (60 byte packets), ICMP (100 byte packets), TCP (160 byte packets).
RTP should get 30 percent, ICMP should get 10 percent, TCP should get 60 percent?
What is assigned to queue 0 in custom queueing?
How do we assign a priority queue to the legacy custom queue?
How do we do legacy priority queueing given we want UDP RIP as the top, HTTP in the middle, and lowest would be traffic going to 10.229.11.11?
How does priority queueing work as regards allocation to queues?
Enable legacy WRED: the weight constant should be 4, it should start dropping at 11 packets and tail drop at 12 for prec 6.
What is flow based WRED and how do we enable it?
What goes to the SPD extended headroom queue?
What goes to the SPD headroom queue?
What happens if either queue fills?
How would you set the threshold for SPD?
What is the difference between SPD in normal mode and SPD in aggressive mode?
What payload compression uses minimum CPU but high memory, and how do you configure it?
What payload compression uses high CPU but little memory, and how do you configure it?
How do you enable payload compression on a particular DLCI?
How could we get around an issue with small packets and large packet headers for both TCP and RTP?
How do you apply this and how do you limit connections?
How do we configure multilink and interleave to a max delay of 10 ms for packets?
What is the formula for fragment size?
How do you configure legacy traffic shaping, first affecting all traffic and secondly affecting a subset?
What is the Bc in GTS if you have CIR 128k and Tc 10 ms?
What is the problem with setting Bc to 1000 bytes if your average packet is 1500 bytes? How does IOS get around this problem?
What is the solution to deal with under-sending, as in periods of quietness in the transmission?
What is the maximum burst for Be?
What is Be set to in GTS if it is not specified?
How can we use legacy rate limiting to limit access to host 150.1.1.1 to 256000: if the traffic conforms it should be set to prec 1, if it does not it is set to prec 0?
What is the Bc in legacy rate limiting for 128 kb at 10 ms Tc?
What is Bc when we use the drop option in legacy CAR?
If we do not specify Bc in legacy CAR what is it set to?
What would the usual Be value be?
How could you with 1 line match IP prec 4 and 6 in CAR?
What is FECN?
What is BECN?
How do we enable the router to use FECN?
How do we enable GTS on a frame relay interface?
What is the min rate and how do we enable it?
How would we traffic shape a particular DLCI using legacy commands?
How could we get the router to use FECN and BECN on a single DLCI?
How could we change a VC to use fair queue using legacy commands?
How could we use PQ at the per-VC level using legacy commands?
How could we use CQ at the per-VC level using legacy commands?
How can we fragment at the per-VC level using legacy commands?
How do you work out the size of the fragment using legacy commands?
How do you apply per-VC RTP priority using legacy commands?
How do you apply TCP header compression to multiple DLCIs bar one using legacy commands?
How do you limit the frame relay pseudo-broadcast queue?
What is the legacy way of setting DE marking, say for all packets greater than 64 bytes?
How would you match ICMP with a packet length of 1001 using MQC?
What is the policed rate for a bandwidth 128 reservation?
What weight do specific classes get in CBWFQ?
How could we make a template of bandwidth reservation given we have multiple interfaces of different speeds?
How would you apply priority to a traffic class and give all the remaining bandwidth to another class?
How does priority reservation behave during congestion vs when the network is not congested?
How do you apply MQC WRED?
How would you change the class-default queue to be FIFO?
What is ECN and how do we apply it?
Create MQC GTS with CIR 384k and Tc 20 ms?
What is Be if not specified in MQC GTS?
If we are using CBWFQ bandwidth reservation etc. and we want to shape to 384k CIR, how would we do it?
Police HTTP to 128000 with 200 ms Tc: if it keeps to the CIR set prec 0, if it goes over set prec 0, if it goes over the burst drop it?
What type of policer is the above?
How does Be behave in this type of policing?

OK, we have 3 routers on a LAN segment: R1, R2 and R3. R1 wants to limit overall traffic to 128k and it also wants to limit R2 to 64000 and R3 to 6400. How would we configure this?
We have been told by our provider our CIR is 64k and PIR is 128k. Our CIR burst is 300 mbs while our PIR burst is 400 ms.
How are the CIR and PIR buckets filled?
Shape HTTP traffic to a peak rate of 128k?
What is the formula for PIR in shaping?
We want to do a template for MQC policing to apply to different speed interfaces; how do we do this?
How do we account for TCP small payloads with large packet headers;  is there a way to optimise using MQC?
How do you shape a single DLCI using MQC and no legacy commands?
In the above set DE on all traffic?
How can we use MQC with legacy FRTS?
How can we set a fragment size of 480 on the interface?
We have a guaranteed rate of 128k and a PIR of 192k on our frame relay circuit. The only delay sensitive traffic we send is voice, but we do not want to shape to 128k just to keep voice in the CIR. We only want to shape to 128k when voice is in the queue; how can we do this?
How do you fragment and interleave with MQC?
How can you ensure GRE traffic is not considered just one flow by MQC and receives proper QoS treatment?

How does an RSVP router reserve from host X to host Y, and what messages does it use?
Reserve 64k of a 96k link using RSVP?
How can we keep track of RSVP on a shared ethernet segment?
What weight does RSVP get?
What is AF13 in decimal?
What is the AF13 IP precedence value?
What is drop preference?
How can we map CoS to DSCP on ethernet switches, so that CoS 2 is changed to DSCP 26?
How can we map IP prec to DSCP so that IP prec 5 is DSCP 46?
What is the default incoming marking action when mls qos is not enabled?
What is the default incoming marking action when mls qos is enabled?
How could we trust DSCP in from a router on the switch?
How could we remark all CoS values to 4 coming in on an interface?
How could we trust IP prec but remark all CoS to 4?
For untagged packets how can we mark CoS 1?
How can we reset DSCP but pass CoS?
How do you read sh mls qos int fa0/16 stats?
How would you at layer 2 set IPX traffic to DSCP EF?
We want to apply a QoS policy to all ports in a VLAN; what is the best way to do this and how would you configure it?
Apply policing at layer 2 to police to CIR 128k?
What command do you need to allow setting CoS in an MQC class map?
If traffic exceeds we do not want to drop but remark to CS2; how do we do that?
S1 and S2 are connected and we have set trust DSCP incoming on the port connected to a router on S1; when it gets to S2 it has the default marking. What is the problem?
We want to limit all classes in MQC to 128k shaped; how do we do that?
How many ingress queues are there on a 3560 switch interface?
How can we assign CoS 5 to queue 1 and all other CoS values to queue 2 on the ingress queues?
How can we set a PQ?
How does the PQ work with bandwidth assigned?
What configurable thresholds are there on ingress?
How many queues are there on an egress interface on the 3560?
What is the difference between shaped round robin and shared round robin?
How do you enable shaped round robin?
How do you set a PQ on the 3560 and what queue number is it?
How can we limit the egress sending rate?
How can we map DSCP/CoS values to queues on egress?
What is a queue set and how do you configure it?
How on input could we change CS0 to CS1?
How could we match .txt or text with NBAR?


Route Redistribution EEM Multicast Review Questions

Route Redistribution
what routes are redistributed??
When do we need to further investigate route redistribution parameters?
How does OSPF prevent issues inbuilt??
When do we generally have issue with redistribution??
What are the rules for redistribution (4 rules)
How do you verify with TCLSH??

EEMHow do you see what version of EEM you are running?

Write an applet that will not allow in the cli eigrp or ospf when user attempts it should write a message saying
" no eigrp or ospf" it should then send a mail to the admin via the mail server 10.0.0.100 the sendername should
r5@ine.com the email address it is sending to dropboX@ine.com

Write an applet that restores the startup config when a user types help it should also say "have no fear"

Write an applet that hides all i in the running config when user types sh run

Write an applet that when the interface usuage hits 100 percent it applies a prefconfigured control plane policy. Called
ICMP in the inbound direction

Wirte an applet that when user creates a loopback interface it accepts it but puts the loopback into the shutdown state
It should then save the config. Then it should write a message that "lox" loopback command executed" where x is the loopback
number?

Multicast
What is the full mcast address class?
What is the link-local range?
What is the source-specific range?
What is the admin scope?
What protocol number is IGMP?
What are the IGMPv1 messages?
What did IGMPv2 add to IGMPv1?
What did IGMPv3 add?
How does the RPF check work?
What is the difference between the source and the OIL interfaces?
What mcast address does PIM use?
What are the dense mode messages and how do they work?
How do (*,G) and (S,G) work in dense mode?
When does a prune occur in dense mode?
Does (S,G) remain after a prune?
What is the default dense mode flood interval?
How do prunes work on multiaccess segments where one source wants traffic and the other does not?
What is PIM assert and how does the election work?
What is state refresh?
How can you see briefly how many packets were received and how many were forwarded in mcast?
What mcast address does IGMPv3 use?
What does the T bit mean in mcast?
What does a null outgoing interface mean in dense mode?
Describe dense mode from the IGMP join.
What is the difference between a source-based tree and a shared tree?
What is the RP's job in sparse mode?
What will the first hop router do in sparse mode when it hears mcast traffic from a source?
In the above case, what will be the state of (S,G) and (*,G) on all the routers?
How is the DR elected and what is its function in sparse mode?
What does the last hop router do when it receives an IGMP Join?
What routers will know of the (S,G) and (*,G) when an IGMP Join is received and processed (in the case where there is no sender)?
How does the switchover to the shortest path tree work?
Can we configure it not to switch over? How and where do we configure it?
Limit this so that only the admin scope addresses do not switch to the shortest path tree.
How do you statically configure the RP address?
How do you view the configured RP address for groups?
How can you change the PIM DR priority for an interface?
In the case where we have no source but receivers, what will the incoming interface and outgoing interface list be on the RP?
How do we specify a potential RP in Auto-RP?
How do we specify a mapping agent in Auto-RP and what is its role?
How could we allow for redundancy without using anycast RP?
How do we assign a mapping agent?
What multicast address do RPs use to communicate to the mapping agent in Auto-RP?
What address does the MA use to speak to all PIM routers?
What is the recursive issue in Auto-RP?
How do we resolve this issue (2 solutions)?
If the MA receives multiple RPs, how does it decide which to use?
What is mtrace?
What issue can we face when testing by pinging a group from a router on the segment?
Do a config so that we split the groups serviced by the RPs: R4 services 224.0.0.0 - 231.255.255.255 and
R6 services 232.0.0.0 - 239.255.255.255. The config should be done on each RP.
Do a config on the MA so we will only advertise 224.0.0.0 - 231.255.255.255 out for the R4 RP and 239.255.255.255 out for R6;
all other RPs attempting to service any groups should be denied.
What is a BSR router and how do you enable a BSR router?
How do you advertise an RP in BSR?
How do you create a boundary in BSR?
How do you create a boundary in Auto-RP?
When you debug, what do you need to do on the interfaces so you can see mcast traffic transiting the device?
How do frame-relay main interfaces process multicast/broadcast?
What happens on an NBMA partial mesh when a spoke sends a join?
What happens on an NBMA partial mesh when one spoke prunes in dense mode?
What happens when one spoke is the source of the traffic and the other spoke is the listener?
How can you overcome these issues, how does it work, and does it have limitations?
When would you use bidirectional PIM?
When a source comes online in bidirectional PIM, what (S,G) and (*,G) entries will we see in the transit path?
How does bidirectional PIM prevent loops?
What is the DF in bidirectional PIM and how is it elected?
How do we enable bidirectional PIM?
What routers do we need to enable it on?
What is SSM?
How does it work and what are its requirements?
How do you enable an RP in SSM?
What is the address range for SSM?
What will be the state of (S,G) and (*,G) in the transit path of routers when receivers and senders come online?
How do you enable SSM?
How would you enable SSM with a different range than the default?
How do you test SSM from the source?
What is MSDP?
How do you enable MSDP?
How do you optimize MSDP but potentially lose redundancy?
What will the RP do if it has no receiver and it receives an SA, and how can we see this on the CLI?
How does multicast BGP work?
How do you configure multicast BGP?
How can you view mcast BGP routes?
R1 is originating mcast traffic in AS1 and the receiver is R3 in AS3. R3's shortest path to AS1 is direct; it also has another
option of going through AS2. How would we influence the mcast traffic to go the longer path via AS1 without interrupting any other
normal traffic flow?
How does anycast RP work?
What is the requirement for anycast RP to ensure that the RPs are kept in sync?
By default, how long does it take if one RP goes down before the other RP will service the group?
What address should the mcast routers point at for the RP?
How can we get around having non-mcast routers in the transit path between 2 multicast routers?
What do we need to configure to enable this?
What is there to watch out for regarding the RP address and reachability?
When you have RPF failures, what is wrong with just doing ip mroute 0.0.0.0 0.0.0.0 pointing at the interface you want to receive on?
What is the difference between igmp static-group and igmp join-group? When should each be used and what are the commands?
What would you do if you were required to receive mcast on a segment but you had a bad connection and a low-end router? How do you
configure it?
You have an old UDP application that broadcasts; it needs to be received on a downstream VLAN. Do this without bridging; it should
be received on the segment as a broadcast. UDP port 2222.
How can we limit who a router forms a PIM adjacency with?
How can we limit, on a non-RP, what RP address it will use for a specific group?
How can we limit the bandwidth for a feed to 239.0.0.1?
What is the MAC address range for multicast?
What bits are fixed and what are available for multicast groups?
How do switches treat multicast traffic?
How does IGMP snooping work? How would we enable it only for a specific VLAN?
How do we statically join a port to a group in IGMP snooping?
If a receiver moves port at layer 2, how will IGMP snooping react?
How can we stop this reaction if necessary?
Limit via IGMP to permit the range 239.0.0.0.
Limit via IGMP to allow 2 groups max to be joined on an interface; if a new group comes online it should replace an existing group.
Use a technology on switches to allow a specific VLAN to be used for mcast that does not require mcast layer 3 routing to function.
Use VLAN 30 and the mcast group should be 239.1.1.12.
What is the IPv6 reserved mcast address range?
What are the flags in IPv6?
What are the scopes in IPv6, and are they auto-enabled?
What is the all local nodes address in IPv6 mcast?
What is the OSPF DR address in IPv6?
What is the all routers address?
What are the first two bytes of an IPv6 multicast address?
How do you enable IPv6 multicasting?
How do you enable IPv6 PIM dense mode?
What is MLD?
What is its equivalent in IPv4?
How do we limit groups in MLD?
How do we change the query interval in MLD?
What is the tunnel in IPv6 mcast on the RP used for?
How do we statically configure an RP address in IPv6 mcast?
How do we configure a potential RP and BSR in IPv6?
What is the IPv6 equivalent of sh ip pim rp-mapping?
What is the IPv6 equivalent of ip igmp join-group "group address"?
How do we assign an embedded RP address if the RP address is
200:1234:5678:ABCD::6/64?
Do the config for the RP for embedded RP and also the sender/receiver.
How do we do an mroute in IPv6?


Saturday, February 25, 2012

DHCP and DNS

DHCP

  • Extension to BOOTP for automatic host configuration
  • Provides IP address, netmask, default gateway, bootfile etc. to end hosts
  • Broadcast UDP packets: source port 68 (BOOTP client), destination port 67 (BOOTP server)
  • Host sends DHCP Discover (broadcast), server sends DHCP Offer (unicast), host sends DHCP Request (broadcast), server sends DHCP Ack (unicast)
  • Server should be in the same broadcast domain; if not, DHCP relay must be used
  • IOS supports the following: DHCP server, DHCP client, DHCP proxy (e.g. translating an IPCP request into DHCP, used for PPP links), DHCP relaying
  • DHCP supports option 82, an option added by the relay to be more specific about the port the end host is connected to
  • Some end host vendors use their own specific options for this
  • Option 82 is automatically enabled when you configure DHCP snooping
  • DHCP server is configured with DHCP pools; each pool has an IP subnet for allocation
  • Host pools are supported

DHCP POOL SELECTION

Server may have multiple address pools
Pool is selected based on:
  - DHCP client ID (could be any string)
    - supplied by Windows clients but not Linux
  - DHCP hardware address if the ID is missing
  - relaying gateway IP address
  - receiving interface IP subnet if no matching pool is found and no relay IP address is present

DHCP Relaying

Broadcasts can be relayed to a unicast destination:
ip helper-address "ip" interface command

In the case of DHCP relaying the router inserts the interface IP address
- known as "giaddr", the gateway address
- other options could be inserted, e.g. the relay agent information option 82
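The relay and pool-selection behaviour described above, as an added Python model (not the page's or Cisco's code): it builds a constructed DHCPDISCOVER for s2's MAC 001b.2bec.83c4, has r5 fill giaddr and append option 82 with the circuit-id and remote-id seen in the r6 log, and has the server pick a pool in the order listed above. The function names, the minimal packet parser and the pool dictionaries are my own assumptions; it models what the notes say, not IOS internals.

```python
import ipaddress
import struct

# Added model (not the page's or Cisco's code) of the relay and pool selection in the notes.
MAGIC = b"\x63\x82\x53\x63"            # cookie that ends the 236-byte fixed BOOTP header
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_AGENT, OPT_END = 53, 61, 82, 255


def build_discover(chaddr: bytes, client_id: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER: op=1 (BOOTREQUEST), htype=1 (Ethernet), broadcast flag set."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(chaddr), 0,
                         0x3903F326, 0, 0x8000, b"", b"", b"", b"", chaddr, b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, 1])  # option 53, length 1, type 1 = DISCOVER
    if client_id:                       # option 61, e.g. the IOS "cisco-<mac>-Vl58" string
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return header + MAGIC + opts + bytes([OPT_END])


def relay(packet: bytes, relay_ip: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """ip helper-address: fill giaddr (first relay only), count a hop, append option 82."""
    if packet[24:28] == b"\0" * 4:     # giaddr is bytes 24..27 of the header
        packet = packet[:24] + ipaddress.IPv4Address(relay_ip).packed + packet[28:]
    packet = packet[:3] + bytes([packet[3] + 1]) + packet[4:]   # hops field
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    # option 82 is inserted in front of the END option that closes the packet
    return packet[:-1] + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])


def parse_options(packet: bytes) -> dict:
    """TLV walk of the options field; rejects a packet without the magic cookie."""
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:             # pad byte has no length field
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def select_pool(packet: bytes, pools: list, rx_interface_ip: str):
    """Order from the notes: client-id, hardware address if no id, giaddr subnet, rx subnet."""
    opts = parse_options(packet)
    chaddr = packet[28:28 + packet[2]]
    client_id = opts.get(OPT_CLIENT_ID)
    for p in pools:                    # host pools carry a client_id or hardware key
        if client_id and p.get("client_id") == client_id:
            return p["name"]
        if not client_id and p.get("hardware") == chaddr:
            return p["name"]
    giaddr = packet[24:28]             # 0.0.0.0 means the packet was not relayed
    key = ipaddress.IPv4Address(giaddr if giaddr != b"\0" * 4 else rx_interface_ip)
    for p in pools:
        if "network" in p and key in p["network"]:
            return p["name"]
    return None


# Lab values from the notes; the client-id is the IOS string shown in the binding table
LAB_POOLS = [
    {"name": "SW2-CLIENT-POOL", "client_id": b"\0cisco-001b.2bec.83c4-Vl58"},
    {"name": "VLAN58", "network": ipaddress.ip_network("155.0.58.0/24")},
]


def lab(with_client_id: bool) -> tuple:
    """s2 sends DISCOVER on VLAN 58; r5 (155.0.58.5) relays it to r6 (6.6.6.6).
    Returns (hops, pool for the relayed copy, pool if the same packet hit r6 unrelayed)."""
    cid = b"\0cisco-001b.2bec.83c4-Vl58" if with_client_id else b""
    discover = build_discover(bytes.fromhex("001b2bec83c4"), cid)
    relayed = relay(discover, "155.0.58.5", b"\0" * 4, bytes.fromhex("020a00009b00920600000092"))
    return (relayed[3], select_pool(relayed, LAB_POOLS, "6.6.6.6"),
            select_pool(discover, LAB_POOLS, "6.6.6.6"))
```

The unrelayed case returns no pool when there is no client-id, which is the "server must be in the same broadcast domain or use a relay" point from the bullets.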

Commands

Server

service dhcp - enables DHCP in IOS
ip dhcp pool VLAN58
network 155.0.58.0 /24
default-router 155.0.58.1
dns-server 1.1.1.1
lease 0 1 58 - days hours minutes

Client

int fa0/0
ip address dhcp





LAB
----
OK, so s2 is the DHCP client,
r5 will be the DHCP relay,
r6 will be the DHCP server.

r6
---

r6(config)#service dhcp - enable dhcp server

r6(config)#ip dhcp pool VLAN58     - create a pool and options
r6(dhcp-config)#network 155.0.58.0 /24
r6(dhcp-config)#default-router 155.0.58.5
r6(dhcp-config)#dns-server 1.1.1.1
r6(dhcp-config)#lease?
lease
r6(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease
r6(dhcp-config)#lease 0 ?
  <0-23>  Hours
  <cr>
r6(dhcp-config)#lease 0 1 ?
  <0-59>  Minutes
  <cr>

r6#debug ip dhcp server events

r5
---
r5(config)#int fa0/0
r5(config-if)#ip helper-address 6.6.6.6   this will forward broadcasts on the fa0/0 segment
to the DHCP server 6.6.6.6


s2
---
s2(config-if)#int vlan 58
s2(config-if)#ip address dhcp

s2(config)#int vlan 58
s2(config-if)#ip dhcp ?
  client  DHCP client configuration
  relay   DHCP relay configuration parameters
s2(config-if)#ip dhcp client ?
  class-id   Specify Class-ID to use
  client-id  Specify Client-ID to use
  hostname   Specify hostname to use
  lease      Requested address lease time
  request    Specify options (not) to request
  route      Options for routes installed by dhcp
s2(config-if)#ip dhcp client

We have a few options to specify the class ID etc. if we wanted.

We can see we have learnt the address 155.0.58.1 via DHCP:

s2#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan58                 155.0.58.1      YES DHCP   up                    up

r6
---
r6#sh log
Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 44 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 17 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 32 message lines logged
Log Buffer (99999 bytes):
*Feb 25 18:02:18.275: DHCPD: checking for expired leases.
*Feb 25 18:02:42.663: DHCPD: Sending notification of DISCOVER:
*Feb 25 18:02:42.663:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:42.663:   DHCPD: remote id 020a00009b00920600000092
*Feb 25 18:02:42.663:   DHCPD: circuit id 00000000
*Feb 25 18:02:42.663: DHCPD: Seeing if there is an internally specified pool class:
*Feb 25 18:02:42.663:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:42.663:   DHCPD: remote id 020a00009b00920600000092
*Feb 25 18:02:42.663:   DHCPD: circuit id 00000000
*Feb 25 18:02:44.663: DHCPD: Adding binding to radix tree (155.0.58.1)
*Feb 25 18:02:44.663: DHCPD: Adding binding to hash tree
*Feb 25 18:02:44.663: DHCPD: assigned IP address 155.0.58.1 to client
0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.342d.566c.3538.
*Feb 25 18:02:44.939: DHCPD: Sending notification of ASSIGNMENT:
*Feb 25 18:02:44.943:  DHCPD: address 155.0.58.1 mask 255.255.255.0
*Feb 25 18:02:44.943:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:44.943:   DHCPD: lease time remaining (secs) = 3600

We can see the request and the assignment.

r6#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
155.0.58.1          0063.6973.636f.2d30.    Feb 25 2012 07:02 PM    Automatic
                    3031.622e.3262.6563.
                    2e38.3363.342d.566c.
                    3538

Say we wanted r6 to give s2 an IP by DHCP, but reserved so that no one else could have
this IP: we could create a specific pool based on s2's client ID.

r6
---
r6(config)#ip dhcp pool SW2-CLIENT-POOL
r6(dhcp-config)#host 155.28.58.100
r6(dhcp-config)#client-id 0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.34

In order to do this we need to know the client ID; Windows gives certain ones and Linux gives others,
so it is vendor specific.
??? not working, need to complete

DNS

  • IOS has the DNS client enabled by default; that is why, if we mis-enter a command, it can take a few minutes for it to throw up an error
  • We can disable this behaviour with no ip domain-lookup
  • We could specify a DNS server with ip name-server "ip" on the client and leave ip domain-lookup on
  • For configuring IOS as a server we do no ip domain-lookup and specify ourselves as the name server: ip name-server "my ip"
  • To create host records: ip host "hostname" "host ip"
  • We can configure the DNS server IP in Cisco IOS DHCP as above



LAB
r1
---
OK, we will configure r1 as the DNS server.

r1(config)#ip dns server
r1(config)#ip host R3 3.3.3.3
r1(config)#

We have added a record for 3.3.3.3 for R3.
s2
---
s2(config)#ip domain lookup
s2(config)#ip name-server 1.1.1.1
s2(config)#

s2#ping R3
Translating "R3"...domain server (1.1.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/65/67 ms
s2#


NAT

NAT

  • Network Address Translation rewrites the source IP address in a packet, normally to hide private IP addresses
  • Also used where we have overlapping subnets, maybe after a merger of networks
  • Static translation is 1-to-1 translation, guaranteed the same IP every time
  • Dynamic translation is 1-to-1 translation done dynamically, so not guaranteed the same IP every time
  • Port Address Translation is many-to-one translation based on TCP/UDP ports, common for overloading scenarios
  • Inside local is the inside IP before translation
  • Inside global is the inside IP after translation
  • Outside global is the original outside IP address
  • Outside local is the outside IP after translation, as seen on the inside
  • The major thing in NAT is the order of operations: going from inside to outside, routing takes place before NAT; coming from outside to inside, routing takes place after NAT.

Commands

 Static Nat

ip nat inside source static 10.10.10.1 30.30.30.30 - this is going out
ip nat outside source static 30.30.30.30 10.10.10.1 - this is coming in
int fa0/0
ip nat inside
int s0/0
ip nat outside

Dynamic Nat

ip nat pool "name of pool" "start ip" "end ip" netmask "mask"
access-list "acl no" permit "source ip"
ip nat inside source list "acl no" pool "name of pool"

int fa0/0
ip nat inside
int s0/0
ip nat outside

PAT

To the source list command we just need to add the keyword overload, so we could define a smaller pool and choose overload; when the pool runs out it will overload the last IP?



LAB
----
For the lab, sw2 and r5 are inside the network; r5 is the border router and will do the NAT.
The rest of the routers are outside; they do not have a route to the inside address range 10.164.48.0/24.


s2
----
s2(config)#int vlan 58
s2(config-if)#ip address 10.164.48.2 255.255.255.0
s2(config-if)#e
00:09:37: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.58.5 (Vlan58) is down: interface downxit
s2(config)#ip route 0.0.0.0 0.0.0.0 10.164.48.5

r5
---
r5(config)#int fa0/0
r5(config-if)#ip address 10.164.48.5 255.255.255.0
r5(config-if)#no shut
r5(config-if)#


The first thing we will do is define a pool for the NAT addresses:
r5(config)#do sh run | begin ip nate
r5(config)#do sh run | begin ip nat
ip nat pool INSIDE-GLOBAL 155.28.254.0 155.28.254.254 prefix-length 24 add-route

What this command is saying is that we will use the pool 155.28.254.0-254 with mask /24; add-route adds a static route to NVI0, the NAT virtual interface, so we can advertise it out to external networks.

r5(config)#router eigrp 1
r5(config-router)#redistribute static 1 1 1 1 1 1
                                      ^
% Invalid input detected at '^' marker.
r5(config-router)#redistribute static metric 1 1 1 1 1

Next we will define an access-list for what we are going to NAT:
5(config)#access-list 1 permit 10.164.48.0 0.0.0.255

So we will NAT addresses in 10.164.48.0. This is an important step: we can have problems if we start doing ip any any, as control-plane traffic can end up getting NATted and cause unexpected results. It is better to limit it down to our specific networks.

Next step is the actual nat command

r5(config)#ip nat source list 1 pool INSIDE-GLOBAL overload

OK, so this is saying source list 1 is anything matched in ACL 1, and we will use the pool INSIDE-GLOBAL with port overload: if we run out of addresses we can use port numbers to do many-to-one translations.
Next is to enable it on the interfaces:
r5(config)#int fa0/0
r5(config-if)#ip nat enable

r5(config-if)#int s0/0/0
r5(config-if)#ip nat enable


s2
---

s2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 67/67/67 ms
I can ping 1.1.1.1 successfully.

r5
---
r5#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
r5#sh ip nat nvi tran
Pro Source global      Source local       Destin  local      Destin  global
icmp 155.28.254.1:5    10.164.48.2:5      1.1.1.1:5          1.1.1.1:5
r5#

We are getting translated from 10.164.48.2 to 155.28.254.1, port 5.


r1
---
We can see this traffic being sent back from src 1.1.1.1 to dst 155.28.254.1.
When this gets to r5, r5 checks its state table (above) and forwards the reply back to 10.164.48.2:

*Mar  1 03:00:16.795: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.859: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.927: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.995: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.063: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.131: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.199: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.263: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.331: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.399: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.467: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.531: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.599: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.667: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.735: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1


r1
---
r1#ping 155.28.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.28.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#telnet 155.28.254.1
Trying 155.28.254.1 ...

I cannot ping or telnet; this is because there is no way for r5 to know to forward this to 10.164.48.2, as there is no state information from an outbound packet.
We can create a static entry for this:

r5
----
r5(config)#ip nat source static tcp 10.164.48.2 23 interface s0/0/0 8080

Basically this command is saying anything coming in on port 8080 on interface s0/0/0 will be redirected to 10.164.48.2 on port 23.
r5#clear ip nat nvi translation *
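The PAT state behaviour from the NAT bullets and this lab (the source port 5 kept in the translation, r1's unsolicited ping and telnet dropped for lack of state, then the static 8080 to 23 entry), as an added Python model that is not the page's or Cisco's code. The PatTable class, its method names and the second inside host 10.164.48.3 are constructed assumptions; the inside network, pool address and port forward are the lab's own values.

```python
import ipaddress
from itertools import count

# Added model (not the page's or Cisco's code) of the overloaded NAT rules observed in
# the lab above; it reproduces the behaviour the notes describe, not IOS internals.

class PatTable:
    """Many-to-one NAT. Dynamic entries exist only because an inside->outside
    packet created them, which is why r1's unsolicited ping and telnet fail."""

    def __init__(self, inside_net: str, global_ip: str, first_port: int = 1024):
        self.inside_net = ipaddress.ip_network(inside_net)  # what access-list 1 permits
        self.global_ip = global_ip                           # address used from INSIDE-GLOBAL
        self.ports = count(first_port)                       # used only on a port clash
        self.out = {}     # (proto, inside_local, port) -> (inside_global, port)
        self.back = {}    # (proto, inside_global, port) -> (inside_local, port)
        self.static = {}  # (proto, global_ip, port) -> (inside_local, port)

    def add_static(self, proto, inside_local, lport, global_ip, gport):
        """Equivalent of: ip nat source static tcp 10.164.48.2 23 interface s0/0/0 8080"""
        self.static[(proto, global_ip, gport)] = (inside_local, lport)

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside: routing has already happened, now translate the source.
        The original port is kept when free (as in the lab, icmp ... :5); otherwise a
        new one is allocated so two inside hosts can share the one global address."""
        if ipaddress.ip_address(src) not in self.inside_net:
            return (src, sport, dst, dport)      # not matched by the ACL: left untouched
        key = (proto, src, sport)
        if key not in self.out:
            taken = (proto, self.global_ip, sport) in self.back
            gport = next(self.ports) if taken else sport
            self.out[key] = (self.global_ip, gport)
            self.back[(proto, self.global_ip, gport)] = (src, sport)
        g_ip, g_port = self.out[key]
        return (g_ip, g_port, dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside: translation comes before routing. A packet is rewritten
        only if it matches live state or a static entry; anything else is dropped."""
        target = self.back.get((proto, dst, dport)) or self.static.get((proto, dst, dport))
        if target is None:
            return None
        l_ip, l_port = target
        return (src, sport, l_ip, l_port)

    def translations(self) -> list:
        """Rows in the shape of 'sh ip nat nvi translations': proto, global, local."""
        return [(p, f"{g}:{gp}", f"{l}:{lp}") for (p, g, gp), (l, lp) in self.back.items()]


def lab() -> dict:
    """Replays the lab: s2 pings 1.1.1.1 through r5, r1 tries to reach s2 directly,
    then the static port forward on 8080 is added and r1 tries again."""
    t = PatTable("10.164.48.0/24", "155.28.254.1")
    r = {}
    r["echo_out"] = t.outbound("icmp", "10.164.48.2", 5, "1.1.1.1", 5)
    r["echo_reply"] = t.inbound("icmp", "1.1.1.1", 5, "155.28.254.1", 5)
    r["second_host"] = t.outbound("icmp", "10.164.48.3", 5, "1.1.1.1", 5)  # constructed host
    r["r1_telnet"] = t.inbound("tcp", "1.1.1.1", 40000, "155.28.254.1", 23)
    t.add_static("tcp", "10.164.48.2", 23, "155.0.0.5", 8080)
    r["port_forward"] = t.inbound("tcp", "1.1.1.1", 40001, "155.0.0.5", 8080)
    r["table"] = t.translations()
    return r
```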


r1
---
r1#
r1#telnet 155.0.0.5 8080
Trying 155.0.0.5, 8080 ... Open

User Access Verification
Username: cisco
Password:
s2>

working as expected