Sep 12, 2008

SP Multicast Security

Dynamic intra-AS RP assignments (Auto-RP and BSR) should not leak out to other service providers.

(1) Auto-RP
interface F0/0
ip multicast boundary 1
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit 224.0.0.0 15.255.255.255


(2) BSR
interface F0/0
ip pim bsr-border

Sep 9, 2008

To achieve IS-IS fast convergence without configuring it on the interface

Most people know that IS-IS convergence can be sped up by configuring isis hello-interval minimal and isis hello-multiplier 3 (3 is the minimum multiplier) on the interface. If the exam question forbids interface-level commands, you can use the following commands under the router isis process instead:

Router(config)#router isis
Router(config-router)#?
prc-interval Minimum interval between partial route calculations
spf-interval Minimum interval between SPF calculations
lsp-gen-interval Minimum interval between regenerating same LSP

Router(config-router)#prc-interval ?
<1-120> PRC interval in seconds

Router(config-router)#prc-interval 1 ?
<1-120000> Initial wait for PRC in milliseconds


Router(config-router)#prc-interval 1 1 ?
<1-120000> Minimum wait between first and second PRC in milliseconds


Router(config-router)#prc-interval 1 1 1000
!
Router(config-router)#spf-interval ?
<1-120> Interval between consecutive SPFs in seconds
level-1 Set interval for level 1 only
level-2 Set interval for level 2 only

Router(config-router)#spf-interval 1 ?
<1-120000> Initial wait before first SPF in milliseconds


Router(config-router)#spf-interval 1 1 ?
<1-120000> Minimum wait between first and second SPF in milliseconds


Router(config-router)#spf-interval 1 1 1000
!
Router(config-router)#lsp-gen-interval ?
<1-120> Interval in seconds
level-1 Set interval for level 1 only
level-2 Set interval for level 2 only

Router(config-router)#lsp-gen-interval 1 ?
<1-120000> Initial wait in milliseconds


Router(config-router)#lsp-gen-interval 1 1 ?
<1-120000> Wait between first and second lsp generation in milliseconds


Router(config-router)#lsp-gen-interval 1 1 1000

Traffic Queueing - Random Early Discard Sample Configuration

  • Traffic marked as flash-override should be a candidate for drop if there are 20 packets in the output queue
  • If there are 30 packets of flash-override in the output queue, one out of six should be dropped
  • Traffic marked as priority should be a candidate for drop if there are 12 packets in the output queue
  • If there are 18 packets of priority in the output queue, two out of eighteen should be dropped

Router(config)#interface f0/0
Router(config-if)#random-detect
Router(config-if)#random-detect precedence 1 12 18 9
Router(config-if)#random-detect precedence 4 20 30 6

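The random-detect lines above are a direct translation of the four requirements. As an added illustration (not the author's code), the function below turns a worded requirement into the command line, and a second function gives the drop probability the resulting WRED profile yields at a given average queue depth. The linear ramp between the thresholds is the usual WRED model; threshold values come from the configuration above.

```python
# Added example: map WRED requirements to random-detect parameters and back.
# Precedence 4 = flash-override, precedence 1 = priority (IP precedence names).

def random_detect_line(precedence, min_depth, max_depth, dropped, out_of):
    """Build 'random-detect precedence <p> <min> <max> <N>' from a requirement.

    "dropped out of out_of packets at max_depth" is the maximum drop
    probability. IOS expresses it as a mark-probability denominator N,
    meaning 1/N, so N = out_of / dropped and must divide evenly.
    """
    if out_of % dropped:
        raise ValueError("IOS takes 1/N only; restate the ratio as one out of N")
    return (f"random-detect precedence {precedence} "
            f"{min_depth} {max_depth} {out_of // dropped}")


def wred_drop_probability(avg_queue, min_th, max_th, mark_prob_denominator):
    """Drop probability for one precedence at an average queue depth.

    Below min_th nothing is dropped; between the thresholds the probability
    rises linearly to 1/mark_prob_denominator at max_th; above max_th every
    packet of that precedence is dropped (tail drop).
    """
    if avg_queue < min_th:
        return 0.0
    if avg_queue > max_th:
        return 1.0
    max_p = 1.0 / mark_prob_denominator
    return max_p * (avg_queue - min_th) / (max_th - min_th)


# Profiles from the configuration above: precedence -> (min, max, denominator)
WRED_PROFILE = {1: (12, 18, 9), 4: (20, 30, 6)}


def expected_drops(precedence, avg_queue, packets):
    """Approximate drops out of `packets` arrivals of this precedence."""
    prob = wred_drop_probability(avg_queue, *WRED_PROFILE[precedence])
    return round(packets * prob)


if __name__ == "__main__":
    print(random_detect_line(1, 12, 18, 2, 18))
    print(random_detect_line(4, 20, 30, 1, 6))
    print(expected_drops(1, 18, 18), expected_drops(4, 30, 30))
```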
How to limit bandwidth usage at different levels without the rate-limit command on an interface?

The hardest part of a CCIE question is not remembering and entering the commands but understanding what the question asks; candidates from non-English-speaking countries are especially easily misled by the wording. The most confusing questions are the QoS ones, because they usually come with numbers and transmission rates in different units, so I have collected a few examples to show you this kind of question and its corresponding solution:

Question:

  • Received traffic from 172.16.0.0/16 under 512Kbps should be marked as flash-override
  • Received traffic from 172.16.0.0/16 over 512Kbps should be marked as priority
  • Received traffic from 172.16.0.0/16 over 1.5Mbps should be dropped
  • DO NOT use the rate-limit command to accomplish this.

Router(config)#ip access-list extended QOS_SOURCE
Router(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any
!
Router(config)#class-map QOS_SOURCE
Router(config-cmap)#match access-group name QOS_SOURCE
!
Router(config)#policy-map QOS_MARK
Router(config-pmap)#class QOS_SOURCE
Router(config-pmap-c)#police cir 512000
Router(config-pmap-c-police)#conform-action set-prec-transmit 4
Router(config-pmap-c-police)#exceed-action set-prec-transmit 1
Router(config-pmap-c-police)#violate-action set-prec-transmit 1
!
Router(config)#policy-map QOS_POLICE
Router(config-pmap)#class class-default
Router(config-pmap-c)#police 1500000
Router(config-pmap-c)#service-policy QOS_MARK
!
Router(config)#int f0/0
Router(config-if)#service-policy input QOS_POLICE
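To see how the two nested policers sort traffic into the three outcomes the question describes, here is an added simplified token-bucket model (not the author's configuration and not a description of IOS internals): the burst sizes, the bits-per-millisecond arithmetic and the order in which the 1.5 Mbps bucket and the 512 kbps bucket are consulted are modelling assumptions, and the packet streams are constructed samples.

```python
# Added example: two nested single-rate policers, modelled with token buckets.
# Assumptions: burst sizes bc_bytes_* are chosen here (IOS picks its own
# defaults), the drop bucket is consulted before the marking bucket, and
# time is integer milliseconds so the arithmetic stays exact.

class TokenBucket:
    """Single-rate token bucket accounted in bits."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.depth = bc_bytes * 8
        self.tokens = self.depth
        self.last_ms = 0

    def conforms(self, t_ms, size_bytes):
        """Refill for elapsed time, then spend tokens if the packet fits."""
        refill = (t_ms - self.last_ms) * self.cir_bps // 1000
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_ms = t_ms
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def police_and_mark(packets, cir_mark=512_000, cir_drop=1_500_000,
                    bc_bytes_mark=6400, bc_bytes_drop=18750):
    """packets: list of (arrival_ms, size_bytes); returns 'drop', 4 or 1 each."""
    drop_bucket = TokenBucket(cir_drop, bc_bytes_drop)   # police 1500000
    mark_bucket = TokenBucket(cir_mark, bc_bytes_mark)   # police cir 512000
    out = []
    for t, size in packets:
        if not drop_bucket.conforms(t, size):
            out.append("drop")   # over 1.5 Mbps: parent policer drops
        elif mark_bucket.conforms(t, size):
            out.append(4)        # under 512 kbps: conform -> flash-override
        else:
            out.append(1)        # over 512 kbps: exceed -> priority
    return out


def constructed_stream(rate_bps, size_bytes, count):
    """Constructed sample: equally spaced packets at a steady rate."""
    gap_ms = size_bytes * 8 * 1000 // rate_bps
    return [(i * gap_ms, size_bytes) for i in range(count)]


if __name__ == "__main__":
    r = police_and_mark(constructed_stream(1_024_000, 1280, 100))
    print(r.count(4), "flash-override,", r.count(1), "priority,", r.count("drop"), "dropped")
```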

How to filter the BGP protocol?

Many people know that BGP uses TCP port 179, but many may not know that BGP is not one-directional: both sides actively open a BGP session at the same time, and when the OPEN messages are exchanged the session initiated by the router with the higher BGP Router-ID is kept and the other session is torn down. So if you want to filter BGP, you can use the following ACL:

Router(config)#ip access-list extended NO_BGP
Router(config-ext-nacl)#deny tcp any eq bgp any
Router(config-ext-nacl)#deny tcp any any eq bgp
Router(config-ext-nacl)#permit ip any any

How to filter sent or received RIP updates?

Many people know that RIP uses UDP port 520, but many may not know that RIP does not only use destination port 520: the source port is 520 as well. So if you want to filter RIP, you can use the following ACL:

Router(config)#ip access-list extended NO_RIP
Router(config-ext-nacl)#deny udp any eq rip any eq rip
Router(config-ext-nacl)#permit ip any any


One point deserves special attention: some of you may have used the passive-interface command and wonder why not simply use it to keep out RIP updates. In fact, passive-interface only stops the interface from sending updates; the interface still listens for updates, so it does not fully meet the requirement.
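The BGP and RIP ACLs above both depend on matching the protocol port on the right side of the ACE. As an added check (not the author's code), here is a small evaluator for the extended-ACL syntax used above: it parses the ACEs exactly as written, applies first-match-wins with the implicit deny, and shows that a naive one-line BGP filter lets the session initiated from the other side through. The sample addresses and ports are constructed.

```python
# Added example: minimal evaluator for Cisco extended ACEs of the form
#   <permit|deny> <proto> <src> [eq <port>] <dst> [eq <port>]
# where an address is 'any', 'host A' or 'A WILDCARD'.
from ipaddress import ip_address

PORT_NAMES = {"bgp": 179, "rip": 520}   # named ports used above

def _parse_addr(tok):
    """Consume one address spec; returns (base, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ip_address(tok.pop(0))), 0
    return int(ip_address(t)), int(ip_address(tok.pop(0)))

def _parse_port(tok):
    """Consume an optional 'eq <port>'; None means any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES.get(p) or int(p)
    return None

def parse_ace(line):
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, sport = _parse_addr(rest), _parse_port(rest)
    dst, dport = _parse_addr(rest), _parse_port(rest)
    return action, proto, src, sport, dst, dport

def _addr_match(addr, spec):
    base, wild = spec            # wildcard bit 1 = don't care
    a = int(ip_address(addr))
    return (a & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching ACE decides; implicit deny at the end."""
    for action, p, s, sp, d, dp in (parse_ace(l) for l in acl):
        if p != "ip" and p != proto:
            continue
        if not _addr_match(src, s) or not _addr_match(dst, d):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"

NO_BGP = ["deny tcp any eq bgp any", "deny tcp any any eq bgp", "permit ip any any"]
NAIVE_BGP = ["deny tcp any any eq bgp", "permit ip any any"]   # destination only
NO_RIP = ["deny udp any eq rip any eq rip", "permit ip any any"]
```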

How to map a Frame-Relay DLCI to an IP address without the "frame-relay map" command on a Frame-Relay multipoint sub-interface?

The most interesting part of preparing for the CCIE Lab is that special tips and tricks keep surprising you: you think you understand a topic thoroughly, and then a particular question shows up and makes you feel your skills are still lacking. There is always a higher mountain.

Most people know that Frame-Relay mappings are set up in one of two ways:
  • Inverse-ARP (enabled by default) (Point-to-Point)
  • Frame-Relay map (Multipoint)

But what do you do if a question requires you not to use frame-relay map on a Frame-Relay multipoint sub-interface?
Here is the solution to this topic, for your reference:

Assume R1, R2 and R3 form a Frame-Relay hub-and-spoke topology (NBMA):
R1-R2 DLCI:102
R1-R3 DLCI:103
R2-R1 DLCI:201
R3-R1 DLCI:301

R1(config)#int s0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#int s0/0.1 multipoint
R1(config-subif)#ip address 172.16.1.1 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#frame-relay interface-dlci 103

R2(config)#int s0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#int s0/0.1 point-to-point
R2(config-subif)#ip address 172.16.1.2 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 201

R3(config)#int s0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#int s0/0.1 point-to-point
R3(config-subif)#ip address 172.16.1.3 255.255.255.0
R3(config-subif)#frame-relay interface-dlci 301