Showing posts from September 7, 2008

SP Multicast Security

Dynamic Intra-AS RP assignments should not leak out to other service providers.

(1) Auto-RP: block the Auto-RP announce (224.0.1.39) and discovery (224.0.1.40) groups with a multicast boundary on the interface facing the other provider
interface F0/0
 ip multicast boundary 1
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit 224.0.0.0 15.255.255.255

(2) BSR: stop bootstrap messages from crossing the interface
interface F0/0
 ip pim bsr-border

To achieve IS-IS fast convergence without interface-level configuration

Most people know that in IS-IS you can speed up convergence by configuring isis hello-interval minimal and isis hello-multiplier 3 (3 is the minimum) on the interface. If the exam question forbids interface commands, you can get the same effect with the commands under the router isis process:

Router(config)#router isis
Router(config-router)#?
prc-interval Minimum interval between partial route calculations
spf-interval Minimum interval between SPF calculations
lsp-gen-interval Minimum interval between regenerating same LSP

Router(config-router)#prc-interval ?
<1-120> PRC interval in seconds

Router(config-router)#prc-interval 1 ?
<1-120000> Initial wait for PRC in milliseconds


Router(config-router)#prc-interval 1 1 ?
<1-120000> Minimum wait between first and second PRC in milliseconds


Router(config-router)#prc-interval 1 1 1000
!
Router(config-router)#spf-interval ?
<1-120> Interval between consecutive SPFs in seconds
level-1 Set interval for level 1 only
level-2 Set interval for level 2 only

Router(config-router)#spf-interval 1 ?
<1-120000> Initial w…

Traffic Queueing - Random Early Discard Sample Configuration

(1) Traffic marked as flash-override should be a candidate for drop when there are 20 packets in the output queue.
(2) When there are 30 flash-override packets in the output queue, one out of six should be dropped.
(3) Traffic marked as priority should be a candidate for drop when there are 12 packets in the output queue.
(4) When there are 18 priority packets in the output queue, two out of eighteen should be dropped.


Router(config)#interface f0/0
Router(config-if)#random-detect
Router(config-if)#random-detect precedence 1 12 18 9
Router(config-if)#random-detect precedence 4 20 30 6
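The step that trips people up in this kind of question is turning "two out of eighteen" into the mark-probability denominator (2/18 reduces to 1/9, so the denominator is 9). The following is an added example, not code from the original post: it derives the random-detect line from the requirement wording for any precedence name and thresholds, and models the textbook WRED drop curve (zero below the minimum threshold, a linear ramp to 1/denominator at the maximum threshold, tail drop above it). The precedence name table and the curve are standard WRED semantics; the requirement tuples are constructed from the question above.

```python
from fractions import Fraction

# IP precedence names as IOS numbers them.
PRECEDENCE = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet": 6, "network": 7,
}


def random_detect_line(prec_name, min_th, max_th, drop_fraction):
    """Build 'random-detect precedence <p> <min> <max> <denom>' from a
    requirement phrased as: drop candidate at min_th packets, and
    drop_fraction of packets dropped at max_th packets.

    drop_fraction may be a string such as "2/18". WRED expresses the drop
    rate at the maximum threshold as 1/denominator, so the fraction must
    reduce to a unit fraction or the requirement cannot be configured."""
    prec = PRECEDENCE[prec_name]
    if not min_th < max_th:
        raise ValueError("minimum threshold must be below maximum threshold")
    frac = Fraction(drop_fraction)
    if frac.numerator != 1:
        raise ValueError(f"{drop_fraction} does not reduce to 1/N; WRED cannot express it")
    return f"random-detect precedence {prec} {min_th} {max_th} {frac.denominator}"


def wred_drop_probability(avg_queue, min_th, max_th, denominator):
    """Textbook WRED curve for one precedence: no drops below min_th, a
    linear ramp from 0 at min_th to 1/denominator at max_th, and tail
    drop (probability 1) once the average queue exceeds max_th."""
    if avg_queue < min_th:
        return 0.0
    if avg_queue > max_th:
        return 1.0
    ramp = (avg_queue - min_th) / (max_th - min_th)
    return ramp / denominator


def config_from_requirements(requirements):
    """Turn (precedence, min, max, fraction) tuples into interface lines."""
    lines = ["interface f0/0", " random-detect"]
    for name, min_th, max_th, fraction in requirements:
        lines.append(" " + random_detect_line(name, min_th, max_th, fraction))
    return lines


if __name__ == "__main__":
    # Constructed from the wording of the question above.
    reqs = [
        ("priority", 12, 18, "2/18"),
        ("flash-override", 20, 30, "1/6"),
    ]
    print("\n".join(config_from_requirements(reqs)))
    for q in (19, 25, 30, 31):
        p = wred_drop_probability(q, 20, 30, 6)
        print(f"flash-override at average queue {q}: drop probability {p:.4f}")
```

Running the script prints the same two random-detect lines as the configuration above; a requirement such as "two out of five" raises an error because no denominator expresses it.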

How to limit bandwidth usage at different rates without the rate-limit command on an interface?

The hardest part of CCIE questions is not memorising and entering commands but understanding what the question is asking, and candidates from non-English-speaking countries are especially easy to mislead with the wording. The most confusing questions are the QoS ones, because they usually come with numbers and transmission rates in different units, so I have collected a few examples to show what these questions look like and how to solve them:

Question:

(1) Received traffic from 172.16.0.0/16 under 512Kbps should be marked as flash-override.
(2) Received traffic from 172.16.0.0/16 over 512Kbps should be marked as priority.
(3) Received traffic from 172.16.0.0/16 over 1.5Mbps should be dropped.
(4) DO NOT use the rate-limit command to accomplish this.

Router(config)#ip access-list extended QOS_SOURCE
Router(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any
!
Router(config)#class-map QOS_SOURCE
Router(config-cmap)#match access-group name QOS_SOURCE
!
Router(config)#policy-map QOS_MARK
Router(config-pmap)#class QOS_SOURCE
Router(config-pmap-c)#police cir 512000
Router(config-pmap-c-police)#conform-action set-prec-transmit 4
Router(config-pmap-c-police)#exceed-action set-prec-transmit 1
Router(config-pmap-c-police)#violate-action set-prec-transmit 1
!
Router(config)#policy-map QOS_POLICE
Router(config-pmap)#class class-default
Router(…

How to filter the BGP protocol?

Many people know that BGP uses TCP port 179, but fewer know that BGP is not one-directional: both peers actively try to open a session at the same time, and when the OPEN messages are exchanged the session initiated by the router with the higher BGP router ID is kept while the other is torn down. So to filter BGP you can use the following ACL:

Router(config)#ip access-list extended NO_BGP
Router(config-ext-nacl)#deny tcp any eq bgp any
Router(config-ext-nacl)#deny tcp any any eq bgp
Router(config-ext-nacl)#permit ip any any

How to filter sent or received RIP updates?

Many people know that RIP uses UDP port 520, but fewer know that RIP uses 520 not only as the destination port but also as the source port, so to filter RIP you can use the following ACL:

Router(config)#ip access-list extended NO_RIP
Router(config-ext-nacl)#deny udp any eq rip any eq rip
Router(config-ext-nacl)#permit ip any any

One thing to note: some people have used the passive-interface command and may wonder why you cannot simply use it to keep RIP updates out. In fact, passive-interface only stops the interface from sending updates; the interface still listens for updates, so it does not fully satisfy the question's requirement.
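The reason the BGP filter above needs two entries while the RIP filter needs one can be checked with a small model of IOS first-match ACL evaluation. This is an added example, not code from the original post: the packets and port numbers are constructed, the matcher models only the protocol and port fields the NO_BGP and NO_RIP entries look at, and it assumes the ACL is applied inbound on the interface facing the peer.

```python
from dataclasses import dataclass
from typing import List, Optional

BGP_PORT = 179   # IOS port keyword "bgp"
RIP_PORT = 520   # IOS port keyword "rip"


@dataclass(frozen=True)
class Packet:
    """Only the fields the two ACLs examine (constructed packets)."""
    proto: str                 # "tcp", "udp", "icmp", ...
    src_port: Optional[int]    # None for protocols without ports
    dst_port: Optional[int]


@dataclass(frozen=True)
class Ace:
    """One access-control entry; None in a field means 'any'."""
    action: str                # "permit" or "deny"
    proto: Optional[str]       # None models the "ip" keyword
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# ip access-list extended NO_BGP (the ACL from the post)
NO_BGP = [
    Ace("deny", "tcp", BGP_PORT, None),      # deny tcp any eq bgp any
    Ace("deny", "tcp", None, BGP_PORT),      # deny tcp any any eq bgp
    Ace("permit", None, None, None),         # permit ip any any
]

# The tempting one-entry version that only blocks sessions opened towards us
HALF_BGP = [
    Ace("deny", "tcp", None, BGP_PORT),
    Ace("permit", None, None, None),
]

# ip access-list extended NO_RIP (the ACL from the post)
NO_RIP = [
    Ace("deny", "udp", RIP_PORT, RIP_PORT),  # deny udp any eq rip any eq rip
    Ace("permit", None, None, None),         # permit ip any any
]

EPHEMERAL = 50123  # constructed client port


def bgp_session_possible(acl: List[Ace], remote_initiates: bool) -> bool:
    """Model the first inbound packet of a BGP session with `acl` applied
    inbound. If the remote peer opens the session, its SYN arrives as
    ephemeral->179; if the local router opens it, the peer's SYN/ACK
    arrives as 179->ephemeral. The session can only come up if that
    inbound packet is permitted."""
    if remote_initiates:
        inbound = Packet("tcp", EPHEMERAL, BGP_PORT)
    else:
        inbound = Packet("tcp", BGP_PORT, EPHEMERAL)
    return evaluate(acl, inbound) == "permit"


def rip_update_permitted(acl: List[Ace], src_port: int) -> bool:
    """Router-to-router RIP updates use 520 as both source and destination."""
    return evaluate(acl, Packet("udp", src_port, RIP_PORT)) == "permit"


if __name__ == "__main__":
    for name, acl in (("NO_BGP", NO_BGP), ("HALF_BGP", HALF_BGP)):
        print(name, "remote opens:", bgp_session_possible(acl, True),
              "local opens:", bgp_session_possible(acl, False))
    print("NO_RIP router update (520->520) permitted:", rip_update_permitted(NO_RIP, RIP_PORT))
    print("NO_RIP request from an ephemeral port permitted:", rip_update_permitted(NO_RIP, EPHEMERAL))
    print("NO_BGP verdict for ICMP:", evaluate(NO_BGP, Packet("icmp", None, None)))
```

The model shows why the single-entry HALF_BGP is not enough: a session the local router opens still comes up, because the peer's replies carry 179 as the source port and are permitted inbound. It also shows the limit of the NO_RIP entry as written: a RIP request sent from a non-520 source port is still permitted, which is acceptable for the question (router updates use 520 on both ends) but worth knowing when the goal is to keep all RIP traffic off the link.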

How to map a Frame-Relay DLCI to an IP address without the "frame-relay map" command on a Frame-Relay multipoint sub-interface?

The most interesting thing about preparing for the CCIE lab is the constant stream of special tips and tricks that surprise you. You think you understand a topic thoroughly, and then one unusual question reminds you how much there is still to learn.

Most people know there are two ways to set up a Frame-Relay mapping:
(1) Inverse ARP (enabled by default) (point-to-point)
(2) frame-relay map (multipoint)
But what do you do when a question requires that you not use frame-relay map on a Frame-Relay multipoint sub-interface?
Here is the answer to that question, for reference:

Assume R1, R2 and R3 form a Frame-Relay hub-and-spoke topology (NBMA)
R1-R2 DLCI:102
R1-R3 DLCI:103
R2-R1 DLCI:201
R3-R1 DLCI:301

R1(config)#int s0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#int s0/0.1 multipoint
R1(config-subif)#ip address 172.16.1.1 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#frame-relay interface-dlci 103

R2(config)#int s0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#int s0/0.1 point-to-point
R2(config-subif)#ip address 172.16.1.2 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 201

R3(config)#int s0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#int s0/0.1 point-to-point
R3(config-subif)#ip address 172.16.1.3 255.255.255.0
R3(confi…