Logging

Local Logging:

Setting the logging level to debugging logs all severities 0-7. Monitor logging writes to the screen of a remote (VTY) session into the device. Console logging writes to the console line for a terminal physically plugged into the device.

Buffered logging stores severities 0-7 in the local buffer.

‘service timestamps’ changes how time appears in log messages, for example including milliseconds.

Conditional Debugging:

Allows logs to be generated only for specific things. Can be tied to an access-list.

An access-list was created permitting 10.10.10.10, then a static route was created for that IP. In the logs we can see that a message was generated for the additional static route.

Sending logs to host:

Sending to syslog server 10.10.10.10; only logging up to level 4, warning.

‘show logging’ displays where we’re sending logs and what levels we’re logging at for monitor, console and buffer.
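The three pieces of the logging section (local destinations, conditional debugging tied to an access-list, and a remote syslog host) in one configuration. This is an added example, not the configuration from the original notes; the buffer size, the ACL number and the static-route next hop 192.0.2.1 are assumptions, while 10.10.10.10 is the address used in the notes.

```cisco
! Added example (not the notes' own configuration).
! Assumptions: ACL number 1, buffer size 16384, next hop 192.0.2.1.
!
! Timestamps with millisecond resolution on every log message.
service timestamps log datetime msec localtime show-timezone
!
! Local destinations, all at severity debugging (levels 0-7):
!   console  -> console line (physically attached terminal)
!   monitor  -> VTY sessions (after 'terminal monitor' in exec mode)
!   buffered -> local buffer shown by 'show logging'
logging console debugging
logging monitor debugging
logging buffered 16384 debugging
!
! Conditional debugging: only routing-table changes matching ACL 1
! (host 10.10.10.10) produce debug output when 'debug ip routing 1'
! is run from exec mode.
access-list 1 permit host 10.10.10.10
!
! Remote syslog host; 'logging trap warnings' sends level 4 (warning)
! and more severe messages to the host.
logging host 10.10.10.10
logging trap warnings
!
! Exec-mode commands from the walk-through (not configuration):
!   debug ip routing 1
!   configure terminal
!    ip route 10.10.10.10 255.255.255.255 192.0.2.1   (assumed next hop)
!   show logging
```

With the conditional debug active, adding the static route for 10.10.10.10 is the only routing change that produces a debug line; routes for other prefixes stay silent, which keeps debugging safe to run on a busy device.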

SNMP

  • SNMP
    • Can be used event-driven (traps) or for polling (pull).
    • v2c
      • Uses a clear-text community string for authentication.
      • Polling should be combined with an access-list for security.
        • Only the authorized management station should be able to poll.
    • v3
      • Secure authentication and encryption.
      • authNoPriv
        • Authentication but no encryption.
      • authPriv
        • Authentication and encryption.

Enables all traps.

Specifies a v2c server and the community ‘public’.

For SNMPv3 we’ll need to do the following:

  • Create a group
  • Create a user
  • Add user to group
  • Specify authentication and encryption
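The v2c configuration described above (ACL-restricted community, traps, trap receiver) next to the four SNMPv3 steps just listed. This is an added example, not the configuration from the original notes; the management-station address 10.10.10.10, the ACL number, the group and user names and the passwords are assumptions, while the community ‘public’ is the one the notes use.

```cisco
! Added example (not the notes' own configuration).
! Assumptions: NMS at 10.10.10.10, ACL 10, group MGMT, user nmsuser, passwords.
!
! ---- SNMPv2c: the community string travels in clear text, so restrict
!      polling to the authorized management station with an ACL ----
access-list 10 permit host 10.10.10.10
snmp-server community public RO 10
!
! Enable all traps and send them to the v2c receiver with community 'public'.
snmp-server enable traps
snmp-server host 10.10.10.10 version 2c public
!
! ---- SNMPv3 authPriv ----
! 1. Create a group that requires authentication and encryption (priv).
snmp-server group MGMT v3 priv
! 2.-4. Create the user, bind it to the group, and specify SHA authentication
!       plus AES-128 encryption in the same command.
snmp-server user nmsuser MGMT v3 auth sha AuthPass123 priv aes 128 PrivPass123
! Send traps to the same station using the v3 user instead of a community.
snmp-server host 10.10.10.10 version 3 priv nmsuser
!
! Verify: show snmp group / show snmp user
```

‘public’ is a well-known default community; in anything other than a lab it should be replaced, and the ACL applied to the community is what keeps an unrestricted poll from any source from succeeding.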

NTP

In the topology above we’re going to set up NTP. The ‘Internet’ router will become the NTP server and R6/R4 will be the clients.

Server:

We’re setting the ‘server’ as master with stratum 1.

Clients:

96.76.43.142 is the IP assigned to ‘Internet’. Shortly after, ‘show ntp status’ should show the client synchronized with the NTP server.

Authentication:

On Server
On Client
On Client
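The server, client and authentication steps above as one configuration. This is an added example, not the configuration from the original notes; the key number and key string are assumptions, while 96.76.43.142 is the ‘Internet’ router address from the notes.

```cisco
! Added example (not the notes' own configuration).
! Assumptions: key number 1 and key string NtpKeyString.
!
! ---- Server ('Internet', 96.76.43.142) ----
! Act as an authoritative clock source at stratum 1.
ntp master 1
! Authentication: define the key, turn authentication on, trust the key.
ntp authentication-key 1 md5 NtpKeyString
ntp authenticate
ntp trusted-key 1
!
! ---- Clients (R6 and R4) ----
! Same key on the client, then reference it when pointing at the server
! so replies that are not signed with key 1 are rejected.
ntp authentication-key 1 md5 NtpKeyString
ntp authenticate
ntp trusted-key 1
ntp server 96.76.43.142 key 1
!
! Verify (exec mode): show ntp status
!                     show ntp associations detail
```

Without ‘ntp authenticate’ and the trusted key on the client, the ‘key 1’ option alone does not reject unsigned responses; all three client-side lines are needed for the client to ignore an unauthenticated time source.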

Traffic Shaping

  • Goal is to normalize traffic flow
    • Smooth out bursts
    • Prepare traffic for ingress policing.
    • Delay and Queue exceeding traffic.
  • Terminology
    • Access Rate – AR
      • Physical port speed
    • Committed Information Rate – CIR
      • Average rate the shaper is targeting.
    • Time Committed – Tc
      • Time interval in ms to emit traffic bursts
      • Bursts always emitted at Access Rate (AR)
    • Burst Committed – Bc
      • Amount of bits that can be sent every Tc.
    • Burst Excessive – Be
      • Amount of bits over Bc that can be sent during a Tc.
      • Must be accumulated by idle periods.
  • Modular QoS Command line (MQC) Syntax
    • Configuration via MQC
      • ‘shape average <cir> [Bc] [Be]’
      • Tc is found implicitly as Bc/CIR
    • Default shaper queue is FIFO.
      • Can be turned into HQF by associating a child policy-map with shaped class.
      • Specify HQF settings in the child-policy
        • i.e. nested policies.
          • i.e. shaping is configured in the parent (outer) policy, and the fancy queueing lives in the child policy that the parent references with the ‘service-policy’ command.

Configuration:

Create new access-list referencing ICMP:

Create new class-map that references access-list ‘ICMP’:

Create new Policy-map that references Class-map ‘ICMP’:

Under the policy-map ‘SHAPER’, ‘shape average’ sets the target bit rate.

And lastly, apply to the desired interface.
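The four configuration steps above, plus the nested child policy from the MQC notes, in one configuration. This is an added example, not the configuration from the original notes; the CIR of 64000 bps, the Bc of 8000 bits and the child policy name are assumptions, while the names ICMP, SHAPER and interface gig0/3 are from the notes.

```cisco
! Added example (not the notes' own configuration).
! Assumptions: CIR 64000 bps, Bc 8000 bits, child policy CHILD-QUEUE.
!
! 1. Access-list matching ICMP.
ip access-list extended ICMP
 permit icmp any any
!
! 2. Class-map referencing the access-list 'ICMP'.
class-map match-all ICMP
 match access-group name ICMP
!
! Optional child policy: replaces the default FIFO shaper queue with
! fair queueing (HQF) inside the shaped class.
policy-map CHILD-QUEUE
 class class-default
  fair-queue
!
! 3. Policy-map referencing the class-map: shape average <cir> [Bc] [Be].
!    Tc is implicit: Tc = Bc / CIR = 8000 / 64000 = 0.125 s = 125 ms,
!    so every 125 ms a burst of up to 8000 bits is emitted at access rate.
policy-map SHAPER
 class ICMP
  shape average 64000 8000
  service-policy CHILD-QUEUE
!
! 4. Apply outbound on the interface the pings leave through.
interface GigabitEthernet0/3
 service-policy output SHAPER
!
! Verify: show policy-map interface GigabitEthernet0/3
!         (shows shaped/queued packets and the computed Tc, Bc and Be)
```

A single ping fits inside Bc and is forwarded immediately; a high-repeat ping exceeds Bc within a Tc, so the excess is queued and released one interval at a time, which is the jump in round-trip time the measurements below show.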

Now when doing a normal ping and a high-repeat ping out interface gig0/3, we’ll see the latency is very low, then very high.

Our normal ping has an average latency to 4.4.4.4 of 3 ms. The high-repeat ping has an average latency of 689 ms.

IPv6 First Hop Security

  • First hop
    • Segment between end host and default gateway.
  • Security
    • Prevent against internal threats at access layer
  • Both IPv4 and IPv6 have a vulnerable control plane at the access layer.
    • IPv4
      • ARP
      • DHCP
    • IPv6
      • Neighbor Discovery (icmpv6)
      • Duplicate Address Detection (DAD)
      • SLAAC
      • DHCPv6
  • ICMPv6 ND
    • Replaces ARP in v4
    • ICMPv6 ND uses four messages instead of ARP’s two (request/reply).
      • NS – Neighbor Solicitation
        • ask for neighbor info
      • NA – Neighbor Advertisement
        • Advertise yourself to other neighbors
      • RS – Router solicitation
        • Ask for info about local routers
      • RA – Router Advertisement
        • Advertise yourself as an active router
  • Router Advertisement Guard
    • Hosts dynamically discover default gateway based on NDP RA messages.
      • Prevents router spoofing on segment.
      • Prevents prefix spoofing on segment
      • Policy can be applied at VLAN or port level.
      • Specifies at the interface level what is on the other end.
        • i.e. a proper router or a host.
  • DHCPv6 Guard
    • DHCPv6 does not assign default-router like IPv4.
      • Default router is learned through SLAAC from RA.
    • Similar in scope to DHCP Snooping.
    • Prevents DHCPv6 server spoofing.
    • Policy can be applied at VLAN or port level.
  • IPv6 Snooping:
    • IPv6 to MAC resolution achieved through Neighbor Discovery NS/NA messages.
      • Similar to dynamic arp inspection.
    • Inspects DHCPv6 and NDP messages.
      • Builds a binding table through IPv6 neighbor tracking.
      • Prevents host spoofing on segment.
      • Optionally enables basic RA Guard and DHCPv6 Guard
      • Optionally can inspect data packets to perform neighbor binding.
    • Manual bindings can be completed.
    • Policy can be applied at VLAN or port level.
  • IPv6 Source-Guard
    • Similar in scope to IPv4 Source Guard
      • Relies on v6 snooping to create v6 neighbor binding table.
      • Creates automatic v6 PACL to filter sources based on neighbor binding table.
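The four features above (RA Guard, DHCPv6 Guard, IPv6 Snooping, IPv6 Source-Guard) as policies attached at VLAN and port level. This is an added example, not the configuration from the original notes; the interface names, VLAN 10, the policy names and the manual binding values are assumptions.

```cisco
! Added example (not the notes' own configuration).
! Assumptions: VLAN 10, Gi0/2 = host port, Gi0/24 = uplink to the router,
! policy names, and the address/MAC in the manual binding.
!
! RA Guard: say per port what is on the other end (host vs. router).
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 nd raguard policy UPLINK
 device-role router
!
! DHCPv6 Guard: only the uplink may answer as a DHCPv6 server.
ipv6 dhcp guard policy CLIENT-PORTS
 device-role client
ipv6 dhcp guard policy DHCP-UPLINK
 device-role server
!
! IPv6 Snooping: inspect NDP and DHCPv6 to build the neighbor binding table.
! 'security-level guard' also enables the basic RA Guard / DHCPv6 Guard
! behaviour; 'data-glean' additionally learns bindings from data packets.
ipv6 snooping policy SNOOP
 security-level guard
 protocol ndp
 protocol dhcp
 data-glean
!
! Source-Guard: automatic PACL derived from the binding table (defaults).
ipv6 source-guard policy SRC-GUARD
!
! Optional manual binding for a host that cannot be learned dynamically.
ipv6 neighbor binding vlan 10 2001:db8:10::50 interface GigabitEthernet0/2 0011.2233.4455
!
! Attach snooping at VLAN level, the other policies per port.
vlan configuration 10
 ipv6 snooping attach-policy SNOOP
!
interface GigabitEthernet0/2
 description access port to a host
 switchport mode access
 switchport access vlan 10
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy CLIENT-PORTS
 ipv6 source-guard attach-policy SRC-GUARD
!
interface GigabitEthernet0/24
 description uplink to the legitimate router / DHCPv6 server
 ipv6 nd raguard attach-policy UPLINK
 ipv6 dhcp guard attach-policy DHCP-UPLINK
!
! Verify: show ipv6 neighbors binding
!         show ipv6 nd raguard policy HOST-PORTS
!         show ipv6 snooping policies
```

Source-Guard depends on the snooping binding table, so the snooping policy has to be attached (here at VLAN level) before the per-port ‘ipv6 source-guard attach-policy’ has anything to filter against; a port with Source-Guard but no bindings drops all IPv6 traffic from the host.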

MPLS L3 VPN Configuration

  • PE-CE Routing
    • No MPLS Required
    • Normal IPv4 and IPv6 routing
    • All IPv4 protocols supported.
    • Some IPv6 protocols supported.
  • MPLS Core (P and PE) Devices
    • IGP + LDP
      • Goal is to establish an LSP between PE /32 Loopbacks.
      • Traceroute between loopbacks for verification.
    • Other label switching mechanisms are available but outside of CCIE scope.
      • BGP + Label, RSVP-TE
  • MPLS Edge (PE) devices
    • VRF
      • VRF aware PE-CE Routing
      • Used to locally separate customer routes and traffic.
    • VPNv4 BGP
      • iBGP peering to remote PE /32 Loopbacks.
      • Separates customer control and data plane over MPLS core.
      • Other designs supported outside scope of CCIE.
        • VPNv4 RR, Multihop EBGP VPNv4, etc.
    • Redistribution
      • VRF to BGP import and export policy
  • VRF
  1. Create a VRF name that’s unique to the box.
  2. Then create a Route Distinguisher (RD) that makes the prefix unique.
  3. Then define the Route-Target import and export policy.
    1. i.e. anything in VRF A being advertised into BGP gets the extended community 100:1 added to it and is then advertised as a modified IPv4 prefix, a VPNv4 prefix.
      1. i.e. export.
    2. The other way around, anything that arrives at this router with a route-target of 100:1 is imported into VRF A.
      1. i.e. import.
  • VPNv4 BGP

The command ‘neighbor 7.7.7.7 send-community extended’ allows us to send the route-target extended community. It is also enabled by default after we run the activate command for the neighbor.

  • Redistribution

May be needed if the customer is using an IGP like OSPF but needs their WAN routes added into their internal routing domain. If the CE is running BGP to the PE, however, then redistribution is obviously not needed.
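A single PE configuration covering the core (IGP + LDP), the VRF with RD and route-targets, VRF-aware OSPF to the CE, the VPNv4 iBGP peering and the OSPF/BGP redistribution described in this section. This is an added example, not the configuration from the original notes; AS 100, the RD value 100:1, the loopback 1.1.1.1, the interface addressing and the OSPF process numbers are assumptions, while VRF A, route-target 100:1 and neighbor 7.7.7.7 are from the notes.

```cisco
! Added example (not the notes' own configuration).
! Assumptions: AS 100, RD 100:1, Loopback0 1.1.1.1, addressing, OSPF 1 (core)
! and OSPF 10 (PE-CE). From the notes: VRF A, RT 100:1, remote PE 7.7.7.7.
!
! ---- MPLS core: IGP + LDP so an LSP exists between the PE /32 loopbacks ----
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description core facing
 ip address 10.0.17.1 255.255.255.0
 mpls ip
!
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.17.0 0.0.0.255 area 0
!
mpls ldp router-id Loopback0 force
!
! ---- VRF: unique name, RD makes the prefix unique, RT export/import ----
vrf definition A
 rd 100:1
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
interface GigabitEthernet0/1
 description PE-CE link in VRF A (no MPLS here)
 vrf forwarding A
 ip address 172.16.1.1 255.255.255.0
!
! ---- VRF-aware PE-CE routing: OSPF with the customer ----
router ospf 10 vrf A
 network 172.16.1.0 0.0.0.255 area 0
 redistribute bgp 100 subnets
!
! ---- VPNv4 iBGP to the remote PE loopback ----
router bgp 100
 neighbor 7.7.7.7 remote-as 100
 neighbor 7.7.7.7 update-source Loopback0
 !
 address-family vpnv4
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 send-community extended
 exit-address-family
 !
 ! Redistribution: customer OSPF routes into VPNv4 BGP (export side).
 address-family ipv4 vrf A
  redistribute ospf 10
 exit-address-family
!
! Verify: traceroute 7.7.7.7 source Loopback0   (labels shown per hop)
!         show bgp vpnv4 unicast vrf A
!         show ip route vrf A
```

The two ‘redistribute’ statements are only present because the CE speaks OSPF; with a BGP-speaking CE the PE-CE session would live under ‘address-family ipv4 vrf A’ as a neighbor instead and both redistribution lines would be dropped.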