
Showing posts from September 7, 2008

SP Multicast Security

Dynamic intra-AS RP assignments should not leak out to other service providers.

(1) Auto-RP

interface F0/0
 ip multicast boundary 1
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit 224.0.0.0 15.255.255.255

(2) BSR

interface F0/0
 ip pim bsr-border

To achieve ISIS fast convergence without configuring on interface

Most people know that in IS-IS you can speed up convergence by configuring isis hello-interval minimal and isis hello-multiplier 3 (3 is the minimum) on the interface. But if the question says you may not use interface commands, you can achieve the same thing with commands under the router isis process:

Router(config)#router isis
Router(config-router)#?
  prc-interval      Minimum interval between partial route calculations
  spf-interval      Minimum interval between SPF calculations
  lsp-gen-interval  Minimum interval between regenerating same LSP
Router(config-router)#prc-interval ?
  <1-120>  PRC interval in seconds
Router(config-router)#prc-interval 1 ?
  <1-120000>  Initial wait for PRC in milliseconds
Router(config-router)#prc-interval 1 1 ?
  <1-120000>  Minimum wait between first and second PRC in milliseconds
Router(config-router)#prc-interval 1 1 1000
!
Router(config-router)#spf-interval ?
  <1-120>  Interval between consecutive SPFs in seconds
  level-1  Set interval for level 1 only
  level-2  Set interval for level 2 only
Router(config-router)#spf-interval 1 ?
  <1

Traffic Queueing - Random Early Discard Sample Configuration

Requirements:

Traffic marked as flash-override should be a candidate for drop if there are 20 packets in the output queue.
If there are 30 packets of flash-override in the output queue, one out of six should be dropped.
Traffic marked as priority should be a candidate for drop if there are 12 packets in the output queue.
If there are 18 packets of priority in the output queue, two out of eighteen should be dropped.

Configuration (priority is IP precedence 1, flash-override is IP precedence 4; the last argument is the mark-probability denominator):

Router(config)#interface f0/0
Router(config-if)#random-detect
Router(config-if)#random-detect precedence 1 12 18 9
Router(config-if)#random-detect precedence 4 20 30 6
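To check that the thresholds above really give "two out of eighteen" and "one out of six", here is an added example (not part of the original post) that parses the random-detect lines and evaluates the WRED drop curve; the config text is the post's own, embedded as constructed input.

```python
import re
from fractions import Fraction

# Constructed input: the two random-detect lines from the configuration above.
RED_CONFIG = """
random-detect precedence 1 12 18 9
random-detect precedence 4 20 30 6
"""

def parse_random_detect(config):
    """Return {precedence: (min_threshold, max_threshold, mark_prob_denominator)}."""
    pat = re.compile(r"^\s*random-detect precedence (\d) (\d+) (\d+) (\d+)\s*$", re.M)
    params = {}
    for prec, lo, hi, denom in pat.findall(config):
        lo, hi, denom = int(lo), int(hi), int(denom)
        if not 0 < lo < hi or denom < 1:
            raise ValueError(f"invalid thresholds for precedence {prec}")
        params[int(prec)] = (lo, hi, denom)
    return params

def drop_probability(avg_queue_depth, lo, hi, denom):
    """WRED drop probability for one precedence, as an exact Fraction.

    Zero below min-threshold, rising linearly to 1/mark-prob-denominator at
    max-threshold, and tail drop (probability 1) above max-threshold. IOS
    feeds this curve the exponentially weighted average queue depth, not the
    instantaneous one; the caller supplies that value here."""
    if avg_queue_depth < lo:
        return Fraction(0)
    if avg_queue_depth > hi:
        return Fraction(1)
    return Fraction(avg_queue_depth - lo, hi - lo) / denom

def expected_drops(avg_queue_depth, lo, hi, denom):
    """Packets dropped out of avg_queue_depth arrivals at that queue depth."""
    return drop_probability(avg_queue_depth, lo, hi, denom) * avg_queue_depth
```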

How to limit different bandwidth usage without rate-limit command in a interface?

The hardest part of CCIE questions is not memorizing and configuring commands but understanding what the question actually asks; people from non-English-speaking countries are especially easily misled by the wording between the lines. The most confusing ones are the QoS questions, because they usually come with numbers and transmission rates in different units, so I collected a few examples to show what these questions look like and how to solve them:

Question:

Received traffic from 172.16.0.0/16 under 512Kbps should be marked as flash-override.
Received traffic from 172.16.0.0/16 over 512Kbps should be marked as priority.
Received traffic from 172.16.0.0/16 over 1.5Mbps should be dropped.
DO NOT use the rate-limit command to accomplish this.

Router(config)#ip access-list extended QOS_SOURCE
Router(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any
!
Router(config)#class-map QOS_SOURCE
Router(config-cmap)#match access-group name QOS_SOURCE
!
Router(config)#policy-map QOS_MARK
Router(config-pmap)#class QOS_SOURCE
Router(config-pmap-c)#police cir 512000
Router(config-pmap-c-police)#conform-action set-prec-transmit 4
Router(config-pmap-c-police)#exceed-action set-prec-transmit 1
Router(config-pmap-c-police)#violate-action set-prec-transmit 1
!
Router(config)#policy-map QOS_POLICE
Router(config-pmap)#class c

How to filter the BGP protocol?

Many people know that BGP uses TCP port 179, but fewer know that BGP is not one-directional: both sides actively try to open a BGP session at the same time, and during the OPEN message exchange the session initiated by the router with the higher BGP Router-ID is kept while the other session is torn down. So if you want to filter BGP, you need to match port 179 as both source and destination, which the following ACL does:

Router(config)#ip access-list extended NO_BGP
Router(config-ext-nacl)#deny tcp any eq bgp any
Router(config-ext-nacl)#deny tcp any any eq bgp
Router(config-ext-nacl)#permit ip any any

How to filter sent or received RIP updates?

Many people know that RIP uses UDP port 520, but fewer know that RIP does not only use destination port 520: the source port is also 520. So if you want to filter RIP, you can use the following ACL:

Router(config)#ip access-list extended NO_RIP
Router(config-ext-nacl)#deny udp any eq rip any eq rip
Router(config-ext-nacl)#permit ip any any

One point deserves special attention. Some people have used the passive-interface command, or may wonder why not simply use it to block RIP updates. In fact, passive-interface only stops the interface from sending updates; the interface still keeps listening for updates, so it does not fully satisfy the question's requirement.
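The two ACLs above share one idea: the routing protocol's well-known port can appear as source or destination, so a single-direction entry leaves a hole. This added example (not from either post) is a small evaluator for those ACL bodies; it assumes only "any" addresses and constructs the inbound packets itself, so it runs offline.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto sport dport")
PORT_NAMES = {"bgp": 179, "rip": 520}  # IOS port keywords used in the ACLs above

# Constructed input: the ACL bodies from the two posts, plus a one-direction variant.
NO_BGP = """deny tcp any eq bgp any
deny tcp any any eq bgp
permit ip any any"""
NO_BGP_ONE_WAY = """deny tcp any any eq bgp
permit ip any any"""
NO_RIP = """deny udp any eq rip any eq rip
permit ip any any"""

def parse_acl(text):
    """Parse 'permit|deny <proto> any [eq <p>] any [eq <p>]' lines (assumption: only 'any')."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, i = tok[0], tok[1], 2
        ports = []
        for _ in range(2):                 # source part, then destination part
            assert tok[i] == "any", "only 'any' addresses are supported here"
            i += 1
            if i < len(tok) and tok[i] == "eq":
                ports.append(PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]))
                i += 2
            else:
                ports.append(None)         # no port qualifier on this side
        rules.append((action, proto, ports[0], ports[1]))
    return rules

def acl_action(rules, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, sport, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

# Inbound packets as seen on the filtering interface (constructed):
PEER_OPENS = Packet("tcp", 41000, 179)    # peer initiates the BGP session
PEER_REPLIES = Packet("tcp", 179, 41000)  # reply to a session this router initiated
RIP_UPDATE = Packet("udp", 520, 520)      # RIP: source and destination both 520
DNS_QUERY = Packet("udp", 53000, 53)      # unrelated UDP, must still be permitted
```

With NO_BGP_ONE_WAY the peer-initiated session is blocked but the reply to a locally initiated one slips through, so the session still comes up; NO_BGP catches both.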

How to map a Frame Relay DLCI to an IP address without the "frame-relay map" command on a Frame Relay multipoint sub-interface?

The most interesting part of preparing for the CCIE Lab is that special tips and tricks keep surprising you: you think you already understand a topic thoroughly, and then one particular question shows up and makes you feel once again that your skills fall short, because there is always a higher mountain.

Most people know that there are basically two ways to set up Frame Relay mappings:

Inverse-ARP (enabled by default) (point-to-point)
frame-relay map (multipoint)

But what if a question requires you not to use frame-relay map on a Frame Relay multipoint sub-interface? Below is the answer to this question; please refer to it.

Assume R1, R2 and R3 form a Frame Relay hub-and-spoke topology (NBMA):

R1-R2 DLCI: 102
R1-R3 DLCI: 103
R2-R1 DLCI: 201
R3-R1 DLCI: 301

R1(config)#int s0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#int s0/0.1 multipoint
R1(config-subif)#ip address 172.16.1.1 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#frame-relay interface-dlci 103

R2(config)#int s0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#int s0/0.1 point-to-point
R2(config-subif)#ip address 172.16.1.2 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 201

R3(config)#int s0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#int s0/0.1 point-to-point
R3(config-subif)#ip address 172.16.1