Saturday, January 28, 2012

On Demand Routing (ODR)

ODR requires CDP to be enabled on the connected interfaces between the hub and the spokes, and the hub needs the "router odr" command; that is all we require to configure ODR. The hub router sends a default route to all spokes, while the spokes send their connected prefixes to the hub.

We need to enable CDP on the virtual-template if PPPoFR is running; in this case it does matter whether CDP is enabled on the physical interface or not. If CDP is enabled on both the physical interface and the virtual-template, the hub will have two routes installed for the same destination, one via the virtual-access interface and the other via the physical interface. Whether two routes are installed or just one makes no practical difference, because ultimately the virtual-access interface also uses the physical interface for packet forwarding. And obviously the spokes will have a default route advertised by the hub.

Redistribution example

Let's take up a scenario-based question on redistribution.

R1 is running both EIGRP and OSPF: EIGRP towards R2 and OSPF towards R3.
R1 S0/0 connects to R2 S0/0, and R1 S0/1 connects to R3 S0/1.
R1 has two LAN interfaces, F0/0 and F0/1.
R1 redistributes these LAN interfaces into EIGRP.
R1 then mutually redistributes EIGRP and OSPF.

Question: Why isn't R3 seeing the LAN interfaces of R1? Since they were redistributed into EIGRP and then EIGRP was redistributed into OSPF, wouldn't R3 see them?

Answer: When you redistribute the two connected LAN interfaces into EIGRP on R1, these two prefixes land in the EIGRP topology database ("show ip eigrp topology") but not in the EIGRP routing table ("show ip route eigrp"), because R1 compares the administrative distance (AD) of the same routes (the two LAN prefixes) learned via connected (AD 0) and via EIGRP (AD 170); connected clearly wins and is what appears in the routing table. Since EIGRP has these routes in its database, it passes them to R2; R2 learns these routes only via EIGRP, so it need not perform any comparison and installs them in its routing table.

Remember, even after the above redistribution:
"show ip route eigrp" will have nothing, while "show ip eigrp int" will show only the connected link, i.e. S0/0.
Now mutual redistribution takes place between EIGRP and OSPF on R1 (redistribution always takes place from the routing table).


When EIGRP is redistributed into OSPF, this happens:

1. R1's OSPF database ("show ip ospf database") receives the routes from "show ip route eigrp" plus the connected prefixes of the EIGRP-enabled interfaces ("show ip eigrp int"), so the only route that lands in R1's OSPF database is the prefix of S0/0.
2. R1 passes this route (the prefix of R1's S0/0) to R3; R3 learns it only via OSPF, so R3 installs it in its routing table.

When OSPF is redistributed into EIGRP, this happens:

1. R1's EIGRP database ("show ip eigrp topology") receives the routes from "show ip route ospf" plus the connected prefixes of the OSPF-enabled interfaces ("show ip ospf interface"), so the only route that lands in R1's EIGRP database is the prefix of S0/1.
2. R1 passes this route (the prefix of R1's S0/1) to R2; R2 learns it only via EIGRP, so R2 installs it in its routing table.


Therefore, ultimately, R3 cannot have R1's connected LAN routes in its routing table; to make that happen we have to redistribute these connected interfaces into OSPF as well.

Friday, January 27, 2012

Redistribution between OSPF processes


Let's take a corner case where three OSPF processes running on a router are redistributed into each other.
First a side note: when a router runs multiple OSPF processes and learns the same route from all of them, it installs the route from the OSPF process with the lowest process ID number in the routing table.

R1 is directly connected to R2, R3 and R4. Loopback 0 is configured on all routers as 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4 respectively.
The link between R1 and R2, and R2's loopback, are running OSPF process 1 in area 0.
The link between R1 and R3, and R3's loopback, are running OSPF process 2 in area 0.
The link between R1 and R4, and R4's loopback, are running OSPF process 3 in area 0.

The rule of redistribution says that redistribution happens only from the routing table. When redistribution between process 1 and process 3 takes place:

1. R1 puts 2.2.2.2 from its "show ip route ospf 1" into R1's "show ip ospf 3 database", and consequently into R4's "show ip route ospf 3".
2. R1 puts 4.4.4.4 from its "show ip route ospf 3" into R1's "show ip ospf 1 database", and consequently into R2's "show ip route ospf 1".

After this redistribution R1's "show ip route ospf 1" still has the same prefix, i.e. 2.2.2.2 (there is no change). Now if we redistribute between process 1 and process 2:

1. R1 puts 2.2.2.2 from its "show ip route ospf 1" into R1's "show ip ospf 2 database", and consequently into R3's "show ip route ospf 2".
2. R1 puts 3.3.3.3 from its "show ip route ospf 2" into R1's "show ip ospf 1 database", and consequently into R2's "show ip route ospf 1".

After these two redistributions R3's "show ip route ospf 2" cannot have R4's 4.4.4.4, and vice versa. Therefore we must also redistribute between process 2 and process 3 in order to achieve that.

The challenge comes when we have two routers each running the same two OSPF processes, and redistribution between these two processes is performed on both routers.

In this case the internal prefixes of any process, say process 1, become external to process 2. Now these routers have to decide which route to choose: within a single process it is easy to prefer internal routes over external ones, but here the comparison is between internal prefixes of one process and external prefixes of another. Administrative distance will not help either, because it is the same for both. There is no way for the routers to determine which routes to take; sometimes they prefer the internal route from process 1 and sometimes the external route from process 2, basically whichever route is installed last in the routing table. This is not stable, so the condition is undetermined.



Wednesday, January 25, 2012

Protected ports

This is the most basic security feature available on a switch.

Protected ports are used for isolating ports within the same VLAN, and this works within a single switch only.
For example, suppose a switch has three ports, fa0/0, fa0/1 and fa1/1, all in the same VLAN 100. If the "switchport protected" command is configured on fa0/0 and fa0/1, the host on fa0/0 and the host on fa0/1 cannot send frames to each other, while both hosts on fa0/0 and fa0/1 can still send and receive frames to and from the host on fa1/1.

Configuration on switch ports fa0/0 and fa0/1
#interface range fa0/0 , fa0/1
#switchport access vlan 100
#switchport protected

Configuration on switch port fa1/1
#interface fa1/1
#switchport access vlan 100

Cisco IOS caveat

Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(10), RELEASE SOFTWARE (fc1)

If this IOS is being used, it can behave a bit differently than others in the case below.


RIPv2 is running with the "passive-interface default" command on R2. If you now create a tunnel interface, this tunnel interface will not fall under passive-interface default. For example:


R2#sh ver | in IOS
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(10), RELEASE SOFTWARE (fc1)

R2#sh run | se router rip
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 network 204.12.3.0
 no auto-summary
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int tunnel 1
R2(config-if)#ip add 1.1.1.1 255.255.255.0
R2(config)#end
R2#
Jan 24 23:58:06.524: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | se router rip
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel1
 network 204.12.3.0
 no auto-summary
R2#


Side note:
The same IOS does not support "show ipv6 ospf interface brief", while it does support "show ipv6 ospf interface".





Monday, January 23, 2012

Cisco IOS features

Cisco IOS asks for file names or destination addresses again even if you have already supplied them before.
Example:

Router#copy running-config tftp://192.168.1.1/file
Source filename [running-config]?
Address or name of remote host [192.168.1.1]?
Destination filename [file]?
!!
1124 bytes copied in 0.226 secs (4976 bytes/sec)

This can be disabled by the "file prompt quiet" configuration command.

fw#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#file prompt quiet
Router(config)#end
Router#copy running-config tftp://192.168.1.1/file
!!
1124 bytes copied in 0.226 secs (4976 bytes/sec)


Sunday, January 22, 2012

Basic OSPF packets

Let's consider this:

R1(fa0/0)------R2(fa0/0)

When OSPF is configured only on R1 via "router ospf", R1 joins the multicast groups 224.0.0.5 and 224.0.0.6; check via

R1#sh ip int f0/0 | in Multicast
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Now, if the other router R2 on this link is not running OSPF, it will not join these multicast groups; check on R2:
R2#sh ip int f0/0 | in Multicast
R2#
So R1 sends OSPF packets to R2 at the multicast destination address 224.0.0.5 with IP protocol 89; check on R1 via
R1#debug ip packets details
*Mar  1 00:17:45.907: IP: s=10.0.0.1 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
Since R2 has not joined this group (OSPF is not enabled), it has no layer 2 multicast address corresponding to the layer 3 multicast address 224.0.0.5. Therefore, when these packets arrive at R2's layer 2, they are all discarded at this layer, and no packets will be shown at layer 3 via
R2#debug ip packets details
R2#

Conclusion: OSPF packets will not be received at R2's network layer (layer 3) because they were already discarded at R2's layer 2.
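The layer 2 drop described above comes down to the mapping between an IPv4 multicast group and its Ethernet multicast MAC, and to which MACs the receiving interface has programmed into its filter. The following is an added example, not code from the original post: it derives the MAC for a group (01:00:5e plus the low 23 bits of the group address, per RFC 1112) and models an interface's receive filter; the MAC addresses are constructed, and the groups are the OSPF ones from the page.

```python
# Added example (not from the original post): IPv4 multicast group -> layer-2 MAC,
# and a toy receive filter showing that a frame for a group the NIC has not joined
# never reaches layer 3. Interface MAC is constructed.
import ipaddress

def multicast_mac(group):
    """IPv4 multicast -> 01:00:5e + low 23 bits of the group address (RFC 1112)."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in octets)

class Interface:
    """Toy model of an interface's layer-2 receive filter (no promiscuous mode)."""
    def __init__(self, unicast_mac):
        self.unicast_mac = unicast_mac
        self.joined = set()          # multicast MACs programmed into the NIC filter
        self.delivered_to_l3 = []    # what 'debug ip packet' on this box would show

    def join(self, group):
        self.joined.add(multicast_mac(group))

    def receive(self, dst_mac, ip_proto):
        """Return True if the frame passes the L2 filter and reaches layer 3."""
        accepted = (dst_mac in (self.unicast_mac, "ff:ff:ff:ff:ff:ff")
                    or dst_mac in self.joined)
        if accepted:
            self.delivered_to_l3.append((dst_mac, ip_proto))
        return accepted

def ospf_hello_reaches_l3(r2_runs_ospf):
    """R1 sends an OSPF hello to AllSPFRouters (224.0.0.5, IP protocol 89); does R2 see it at L3?"""
    r2 = Interface("ca:02:00:00:00:00")   # constructed MAC for R2's f0/0
    if r2_runs_ospf:
        r2.join("224.0.0.5")              # what 'router ospf' makes the interface join
        r2.join("224.0.0.6")
    return r2.receive(multicast_mac("224.0.0.5"), ip_proto=89)
```

Because 32 IPv4 groups share one MAC (only 23 bits are copied), a NIC that joined a different group with the same low 23 bits would accept the frame and leave the final filtering to IP; the model above ignores that overlap and promiscuous mode, which is why it reproduces exactly the clean "nothing at layer 3" result shown in the debug output.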

802.1q trunk native vlan concept

An IEEE 802.1q trunk has the concept of native VLANs. The standard also adds less overhead to Ethernet frames (just 4 bytes, a shim VLAN tag) compared to Cisco's ISL (26 bytes), which encapsulates the entire frame and adds a new CRC trailer.

So what is the native VLAN, and when do I use it?

The native VLAN is relevant only when there is 802.1q trunking between switches, or between a switch and a router (in the case of router-on-a-stick). The native VLAN has no significance when ISL trunking is used or when all VLANs are tagged.

In 802.1q trunking each frame is tagged with a 4-byte field placed in the Ethernet header, before the IP header (assuming IP traffic). The 4-byte tag contains the VLAN number (12 bits), a 3-bit field for layer 2 QoS, the TPID (16 bits) that identifies the tagged frame (set to 0x8100 for 802.1q), etc.
The native VLAN's frames do not carry the 4-byte tag. When one switch sends native VLAN traffic to another switch over the 802.1q trunk, the receiving switch must have the same native VLAN configured in order to accept the native VLAN traffic from the other switch. If the receiving switch has a different native VLAN than the one it is receiving, it may leak the received native VLAN traffic into its own native VLAN. Switches have protection mechanisms to prevent this from happening, by throwing error messages saying "native vlan mismatch"; these errors come out because negotiation of the native VLAN between the switches is part of DTP and CDP. If these two protocols are disabled the error message will not appear, but traffic can still leak. However, there is a special mechanism in STP which puts ports in blocking state (PVID inconsistent) if the native VLANs are mismatched. It shows these errors:
%SPANTREE-2-BLOCK_PVID_LOCAL
%SPANTREE-2-RECV_PVID_ERR
STP moves these ports out of blocking state as soon as VLANs are tagged on both sides using the "vlan dot1q tag native" global command. CDP will still show a native VLAN mismatch, but traffic will flow as normal, because now all VLANs are tagged and the native VLAN has no significance in that case.
By default VLAN 1 is the native VLAN on Cisco switches, and any VLAN can be configured as native. It is normally used for management traffic.
If a device on the path does not understand untagged frames, the native VLAN should be disabled. To do so, use the "vlan dot1q tag native" global command, which affects all trunk ports and causes native VLAN frames to be tagged.


RIPv2 Authentication

A couple of points to remember about RIPv2 authentication (RIPv1 does not have any authentication).


Question: Does the key number have to match in the key chain for RIPv2 authentication?
Answer: No, if it is clear-text authentication. But YES if it is MD5 authentication: in this case
the router applies a hash function over the key number and key-string and matches the hash output against the hash output received from the other side.

When configuring the key-string, make sure that there is no space present after the key-string. Check this with the "show key chain" command.

Maximum DLCIs on an interface

Let's directly take up this old question, but old is gold.

Question: What is the maximum number of DLCIs that can be configured on a Frame Relay interface?
It depends on the LMI type you are using, so the formula comes out to be:

The maximum number of DLCIs assigned on an interface by LMI is
(MTU - 13) / 8 when the LMI type is Cisco, or
(MTU - 13) / 5 when the LMI type is ANSI or Q933a.
This is because Cisco LMI carries more overhead (8 bytes) per DLCI in the packet than the ANSI or Q933a LMI types (5 bytes) to accommodate the DLCI information.


For reference:
http://www.cisco.com/en/US/tech/tk713/tk237/technologies_tech_note09186a0080094183.shtml
http://www.cisco.com/en/US/tech/tk713/tk237/technologies_tech_note09186a008014f8a7.shtml#dlcilimit

RIPv1 and RIPv2 Explained

RIPv1 is completely out of the exam. However, to understand other protocols better, it is a good idea to build a base.

Question: How does RIPv1 transmit updates?
RIPv1 sends its update every 30 seconds as a UDP broadcast (255.255.255.255) on port 520 out of all of its connected links where RIP is enabled.

The following are the important fields at each layer in the RIPv1 updates.
Ethernet layer (if updates are exchanged on multi-access media like Ethernet)
Source MAC address: MAC address of the interface sending the updates
Destination MAC address: FFFF.FFFF.FFFF
Type: 0x800 (as the next header is IP)
IP layer
IP protocol number: 17 (for UDP at the transport layer, the next header)
Destination IP address: 255.255.255.255 (the broadcast address)
Source IP address: address of the interface from which the router originates the updates
Transport layer
Source UDP port: 520
Destination UDP port: 520
Application layer
RIP version
Metric (1-16)
Routes, a maximum of 25 per update: to keep the size of the UDP packet below 512 bytes (UDP does not have path MTU discovery like TCP, so per the TCP/IP protocol suite recommendation we keep UDP packets under 512 bytes)

Question: Is it the same for RIPv2?
RIPv2 sends its updates as multicast (IP address 224.0.0.9) instead of the broadcast used by RIPv1. In this case the RIPv2 updates are processed only by RIP-enabled interfaces, as opposed to RIPv1, where these packets are processed by all the routers on the link.
For RIPv2, just replace the broadcast address with the multicast address at the IP layer as well as the Ethernet layer; everything else remains the same.

A side note: RIPv1 only supports classful addressing and does not support variable-length subnet masking, which RIPv2 does.
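The field sizes listed above, together with the authentication Q&A in the RIPv2 section, can be checked with a small packet builder. The following is an added example and not code from the original post: it builds RIPv1 and RIPv2 Response packets (4-byte header, 20-byte route entries, at most 25 entries so the UDP payload stays at 504 bytes), then adds the two RIPv2 authentication forms the Q&A contrasts. The simple-password entry carries only the password, so the key number never goes on the wire; the keyed-MD5 layout follows RFC 2082 (key ID in the authentication entry, digest over the packet plus the key padded to 16 bytes), which is why the key ID must match and why a trailing space in the key-string breaks it. Prefixes, key strings and the key chain are constructed.

```python
# Added example (not from the original post): RIPv1/RIPv2 Response packets and
# RIPv2 authentication (simple password vs keyed MD5 as laid out in RFC 2082).
import hashlib
import hmac
import ipaddress
import struct

RIP_PORT = 520
RIP_RESPONSE = 2
AFI_INET = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1
MAX_ROUTES_PER_UPDATE = 25      # 4 + 25 * 20 = 504 bytes, under the 512-byte rule of thumb

def route_entry(version, prefix, metric, next_hop="0.0.0.0", tag=0):
    """One 20-byte route entry. RIPv1 carries no mask, tag or next hop (fields are zero)."""
    net = ipaddress.ip_network(prefix)
    if version == 1:
        tag, mask, nh = 0, 0, 0
    else:
        mask, nh = int(net.netmask), int(ipaddress.ip_address(next_hop))
    return struct.pack("!HHIIII", AFI_INET, tag, int(net.network_address), mask, nh, metric)

def build_updates(version, routes):
    """Split (prefix, metric) pairs into Response packets of at most 25 entries each."""
    header = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    packets = []
    for i in range(0, len(routes), MAX_ROUTES_PER_UPDATE):
        chunk = routes[i:i + MAX_ROUTES_PER_UPDATE]
        packets.append(header + b"".join(route_entry(version, p, m) for p, m in chunk))
    return packets

def _key16(key_string):
    # A trailing space typed after the key-string becomes part of the key bytes.
    return key_string.encode().ljust(16, b"\0")[:16]

def sign_simple(packet, key_string):
    """Clear-text authentication: one entry carrying the password; no key number on the wire."""
    entry = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, _key16(key_string))
    return packet[:4] + entry + packet[4:]

def verify_simple(packet, keychain):
    """keychain: {key_id: key_string}. Any key with the same string passes, whatever its number."""
    afi, atype, pw = struct.unpack_from("!HH16s", packet, 4)
    return afi == AFI_AUTH and atype == AUTH_SIMPLE and any(_key16(k) == pw for k in keychain.values())

def sign_md5(packet, key_id, key_string, seq=1):
    """Keyed MD5: auth entry (key ID, digest length, sequence) plus a trailer holding the digest."""
    header, routes = packet[:4], packet[4:]
    pkt_len = 4 + 20 + len(routes)                        # offset of the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq)
    body = header + auth + routes + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return body + hashlib.md5(body + _key16(key_string)).digest()

def verify_md5(packet, keychain):
    """The key ID must select a key in the chain before the digest is even computed."""
    afi, atype, pkt_len, key_id, alen, _seq = struct.unpack_from("!HHHBBI", packet, 4)
    if afi != AFI_AUTH or atype != AUTH_MD5 or alen != 16 or key_id not in keychain:
        return False
    body, digest = packet[:pkt_len + 4], packet[pkt_len + 4:]
    expected = hashlib.md5(body + _key16(keychain[key_id])).digest()
    return hmac.compare_digest(expected, digest)
```

Running it over 60 routes yields three RIPv1 packets of 25, 25 and 10 entries; signing a RIPv2 packet with key 1 and checking it against a chain whose only key is number 2, or whose key-string is "ccie " with a trailing space, fails, while the simple-password form accepts the same password under any key number.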

A basic point in Redistribution

When multiple protocols are running on a single router and there is a need for mutual redistribution, one important point needs to be remembered.
When protocol A is redistributed into protocol B, and protocol B is redistributed into protocol C on the same router, that does not mean protocol A is also redistributed into protocol C. To achieve this we need to manually redistribute protocol A into protocol C.
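The three redistribution notes on this page (the EIGRP/OSPF question about R1's LAN interfaces, the three-OSPF-process corner case, and the A-into-B-into-C point just above) all follow from one rule: redistribution reads the routing table, not the source protocol's own database. The following is an added example and not code from the original post: a toy single-router model with a RIB keyed by administrative distance and one database per protocol, in which redistribute() copies only what the RIB holds via the source protocol plus that protocol's enabled connected subnets. The prefixes are constructed; the topology and the process numbers are the ones from the two scenarios above.

```python
# Added example (not from the original post): a toy model of one router's RIB and
# per-protocol databases that encodes "redistribution happens from the routing table".
from collections import defaultdict

# Administrative distances used for the RIB comparison (connected 0, OSPF 110).
AD = {"connected": 0, "eigrp": 90, "ospf1": 110, "ospf2": 110, "ospf3": 110}

class Router:
    def __init__(self):
        self.rib = {}                    # prefix -> protocol that won the AD comparison
        self.db = defaultdict(set)       # protocol -> prefixes it carries (topology table / LSDB)
        self.running = defaultdict(set)  # protocol -> connected prefixes it is enabled on

    def connect(self, prefix, protocols=()):
        """A directly connected subnet, optionally enabled under some protocols."""
        self.rib[prefix] = "connected"
        for p in protocols:
            self.running[p].add(prefix)
            self.db[p].add(prefix)

    def learn(self, protocol, prefix):
        """A route received from a neighbour via `protocol`."""
        self.db[protocol].add(prefix)
        incumbent = self.rib.get(prefix)
        # Lower AD wins. On an AD tie between OSPF processes the note's rule is
        # "lowest process id wins"; string order 'ospf1' < 'ospf2' reproduces it.
        if incumbent is None or (AD[protocol], protocol) < (AD[incumbent], incumbent):
            self.rib[prefix] = protocol

    def redistribute(self, src, dst, only=None):
        """Copy into dst's database what the RIB holds *via src*, plus src's own enabled
        connected subnets. Nothing is installed locally: the RIB already holds a better
        entry (connected, AD 0, beats EIGRP external, AD 170) or, for OSPF, this router
        is the originator of the external LSA."""
        candidates = {p for p, via in self.rib.items() if via == src} | self.running[src]
        if only is not None:             # stands in for a route-map on the redistribute line
            candidates &= set(only)
        self.db[dst] |= candidates
        return candidates

    def advertised(self, protocol):
        """What neighbours in `protocol` end up learning from this router."""
        return set(self.db[protocol])

LANS = {"10.1.1.0/24", "10.1.2.0/24"}      # constructed prefixes for R1's F0/0 and F0/1

def eigrp_ospf_scenario(fix=False):
    """The R1/R2/R3 question: LANs into EIGRP, then mutual EIGRP <-> OSPF on R1."""
    r1 = Router()
    for lan in LANS:
        r1.connect(lan)                      # no routing protocol enabled on the LANs
    r1.connect("10.12.0.0/24", ["eigrp"])   # S0/0 towards R2
    r1.connect("10.13.0.0/24", ["ospf1"])   # S0/1 towards R3
    r1.redistribute("connected", "eigrp", only=LANS)
    r1.redistribute("eigrp", "ospf1")
    r1.redistribute("ospf1", "eigrp")
    if fix:
        r1.redistribute("connected", "ospf1", only=LANS)
    return r1.advertised("ospf1")           # what R3 can learn from R1

def ospf_processes_scenario(also_2_and_3=False):
    """The three-process corner case: redistribute 1 <-> 3 and 1 <-> 2 on R1."""
    r1 = Router()
    for n, loopback in ((1, "2.2.2.2/32"), (2, "3.3.3.3/32"), (3, "4.4.4.4/32")):
        proc = f"ospf{n}"
        r1.connect(f"10.1{n + 1}.0.0/24", [proc])   # link to R2, R3, R4 respectively
        r1.learn(proc, loopback)
    pairs = [("ospf1", "ospf3"), ("ospf3", "ospf1"), ("ospf1", "ospf2"), ("ospf2", "ospf1")]
    if also_2_and_3:
        pairs += [("ospf2", "ospf3"), ("ospf3", "ospf2")]
    for src, dst in pairs:
        r1.redistribute(src, dst)
    return r1.advertised("ospf2"), r1.advertised("ospf3")   # what R3 and R4 can learn
```

In the first scenario the LAN prefixes reach R1's EIGRP database but never its RIB as EIGRP routes, so the later EIGRP-into-OSPF step finds only the S0/0 subnet; in the second, 4.4.4.4 sits in R1's RIB via process 3, so redistributing process 1 into process 2 never carries it, which is exactly the A-into-B-into-C point.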

Saturday, January 21, 2012

802.1q tunneling

Let's recap dot1q tunnelling briefly.

Customers sometimes demand layer 2 end-to-end connectivity over the service provider's network. The SP uses a technique to transparently pass different customers' traffic over its layer 2 network by adding an additional VLAN tag called the "metro tag". This technique is called layer 2 tunneling or L2VPN.
PE switch ports connect to CE switch ports as an asymmetric link, meaning that the CE side can be either a trunk or an access port; the PE switch port just takes the traffic received on the port and adds a metro tag to it.
It does not matter whether the inter-switch trunks inside the SP network are ISL or dot1q.
The SP assigns a VLAN to each customer, over which that customer's VLANs travel inside the SP network.

Configuration on the PE switch ports on each side connected to a CE switch port is as follows:

#switchport access vlan 100
(this is the metro tag; make sure spanning tree is end to end in all the SP switches for this VLAN)
#switchport mode dot1q-tunnel
(sets tunnel mode)

The CE switch port connected to the PE switch port can be configured as a static access port or as a trunk port.

Points to remember:
1. MAC addresses of all hosts on the customer side are learned by the SP switches in order to actually pass traffic. Therefore a scalability issue arises due to the limited MAC address learning capacity of switches.
2. A dot1q tunnel port does not support DTP or any layer 3 configuration.
3. CDP, STP and VTP are disabled by default on dot1q tunnel ports, so that the customer's traffic passes transparently over the SP network.
4. The dot1q tunnel adds an additional 4-byte header, so the MTU needs to be increased to 1504 bytes on the SP switches: "system mtu 1504".
5. Traffic from the customer side can leak inside the SP network if the metro tag is the native VLAN inside the SP network. To avoid this, always tag even the native VLAN traffic inside the SP network via "vlan dot1q tag native".
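The 4-byte tag, the native VLAN leak from the 802.1q section above and point 5 here, and the extra header that forces the 1504-byte MTU can all be made concrete with a tag encoder and decoder. The following is an added example and not code from the original post: it packs and parses 802.1Q tags (TPID 0x8100, 3-bit priority, 1-bit DEI, 12-bit VLAN id), models a trunk sending its native VLAN untagged and a receiving switch filing untagged frames under its own native VLAN, and models a dot1q-tunnel port pushing the metro tag in front of the customer's tag. MAC addresses, VLAN numbers and the payload are constructed.

```python
# Added example (not from the original post): 802.1Q tag encode/decode, the native
# VLAN mismatch leak, and Q-in-Q metro-tag insertion on a dot1q-tunnel port.
import struct

TPID_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_tag(vid, pcp=0, dei=0):
    """TPID + TCI: 3-bit PCP (layer-2 QoS), 1-bit DEI/CFI, 12-bit VLAN id."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VLAN id must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", TPID_DOT1Q, tci)

def build_frame(dst, src, ethertype, payload, vids=()):
    """Ethernet frame with zero or more tags (outermost first); no tags = untagged."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Peel every 802.1Q tag after the addresses and return the stack of VLAN ids."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_DOT1Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0xFFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": dst, "src": src, "vids": vids, "ethertype": ethertype, "payload": frame[off + 2:]}

def trunk_egress(frame, native_vlan, tag_native=False):
    """Sending switch: frames of its native VLAN leave untagged unless 'vlan dot1q tag native'."""
    p = parse_frame(frame)
    vlan = p["vids"][0]
    vids = () if vlan == native_vlan and not tag_native else (vlan,)
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vids)

def trunk_ingress_vlan(frame, native_vlan):
    """Receiving switch: a tagged frame belongs to its tag; an untagged one to THIS switch's native VLAN."""
    vids = parse_frame(frame)["vids"]
    return vids[0] if vids else native_vlan

def pe_tunnel_ingress(frame, metro_vlan):
    """dot1q-tunnel port on the PE: push the metro tag in front of whatever the CE sent."""
    p = parse_frame(frame)
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], [metro_vlan] + p["vids"])

# Constructed sample: a host frame as it sits inside the sending switch, in VLAN 10
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0a80001")
HOST_FRAME = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vids=(10,))
```

With the sender's native VLAN set to 10 and the receiver's to 20, the VLAN 10 frame crosses the trunk untagged and the receiver classifies it into VLAN 20; with tag_native=True it keeps its tag and is classified correctly. Pushing metro tag 100 leaves the inner tag and payload intact and grows the frame by exactly the 4 bytes that the "system mtu 1504" note accounts for.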

Advertising networks into BGP via aggregate-address

Let's try to recap BGP aggregation.

It is one of the methods for advertising a network into the BGP domain; the others are the network statement, redistribution and inject-map.
An aggregate prefix is only advertised when at least one subset prefix of the aggregate is present in the BGP table (NOT the routing table).
Key points to remember in BGP aggregation:
1. Without the summary-only keyword, both the aggregate and the specific prefixes are advertised.
2. The "as-set" keyword adds an unordered list of ASes and the additive community attributes from the original prefixes to the new aggregated prefix as its attributes.
3. The "attribute-map" keyword assigns attributes to the newly generated aggregated prefix. For example, if the aggregated prefix obtained the "no-export" community from one of its original prefixes, then using attribute-map this can be reset to the "none" community for the aggregated prefix, or any other attribute can be set.
4. The "advertise-map" keyword filters which original prefixes contribute their attributes to the aggregated prefix: deny a specific prefix in the route-map so that its attributes do not contribute to the aggregate. The aggregate is still composed of all the original prefixes. "REMOVE THIS PREFIX SO THAT ITS ATTRIBUTE IS NOT ADDED TO THE AGGREGATED PREFIX ATTRIBUTE"

OSPF communication intercept

Let's take up this easy question.

Q: Ensure that other OSPF devices running on the segment between R1 and R2 cannot intercept OSPF communications.

A: If other routers running an OSPF process were present on this Ethernet segment, they would be able to intercept the traffic and form OSPF adjacencies with R1 and R2 because of the default multicast nature of OSPF adjacency formation, LSA exchange, etc. To avoid this, the task requires unicast communication between R1 and R2, so that no other device can intercept this communication even if it is listening on the multicast addresses 224.0.0.5 or 224.0.0.6 by enabling an OSPF process.
It is true that there are no other devices on this segment, so why was the question asked in the first place? If it is asked, we have to make sure that other devices, if present, cannot intercept the OSPF communication, which means unicast communication between R1 and R2.

So the answer is to configure an OSPF network type which sends its packets as unicasts via neighbor statements. There are two network types which do this: non-broadcast and point-to-multipoint non-broadcast.

BPDU filter and BPDU guard combined

Let's recap what they do.

1. BPDU filter: if it is configured at the port level, the port stops sending BPDUs out, and if any BPDU is received it is silently discarded. But if it is configured globally together with portfast, the port stops sending BPDUs, and when it receives a BPDU the portfast-enabled port reverts to a normal port.

2. BPDU guard: if it is configured at the interface level, it does not stop the switch port from sending BPDUs out, but if BPDUs are received the port goes into error-disabled state and can be recovered via the errdisable recovery interval and errdisable recovery cause, or manually by shutting and unshutting the port.
If this feature is used globally with spanning tree, a portfast-enabled port goes into error-disabled state if any BPDU is received on it.
This point is very interesting: if both BPDU filter and BPDU guard are configured on a switch port at the same time, which one takes precedence?

Side note on spanning tree portfast

Spanning-tree portfast is very easy to configure. Let's recap what it does.

1. It should be configured on edge ports; if configured on trunk ports connected between switches it can create loops.
2. Switches connected to a server via a trunk can be configured with "spanning-tree portfast trunk".
3. Portfast-enabled ports skip the listening and learning stages of STP.
4. Portfast-enabled ports do not generate TCNs, which in turn means the MAC table is not flushed.
5. This feature can also be enabled together with BPDU filter and BPDU guard.

R1(Fa0/0)-----SW1(Fa0/0)

SW1's Fa0/0 is configured with "spanning-tree portfast".
Once R1 starts sending BPDUs, SW1 disables portfast on its interface connected to R1. However, when R1 later stops sending BPDUs, SW1 never automatically re-enables portfast on the same interface.

SNMP traps with example EIGRP traps

First let's have a brief background on SNMP trap configuration. First define a host where the traps need to be sent, then enable all or specific traps with the command "snmp-server enable traps".
1. If all traps are enabled and no traps are specified on the snmp-server host command, then all traps are sent to that host.
2. If a specific trap is enabled and no trap is specified on the snmp-server host command, then only that specific trap will be sent.
3. If all traps are enabled with the command "snmp-server enable traps" but a specific trap is configured on the "snmp-server host" command, then only that specific trap will be sent.

EIGRP generates traps only for SIA and authentication mismatch. The configuration is very straightforward:


snmp-server community CCIE RO
snmp-server enable traps eigrp
snmp-server host 155.24.146.100 version 2c CISCO

Side note on Reflexive Access-list

Reflexive access lists are not difficult to implement, though they are deprecated because other, more advanced security mechanisms such as CBAC and ZBF are available. Still, it is a good idea to learn reflexive access lists as a foundation for the advanced security features. In the real world there is an important thing to know about them, which goes like this:

An edge router is acting as a firewall and has two interfaces, inside and outside. Why is it not advisable to configure the reflexive access list on the INSIDE interface like this?
INBOUND ACL containing "reflect" statements
OUTBOUND ACL containing the "evaluate" statement

By doing it this way, there can be a security risk to the firewall itself. Return traffic and any other traffic first arrive on the outside interface, are then processed by the router, and only then reach the inside OUTBOUND ACL with EVALUATE, where the router decides to drop the other traffic and pass the return traffic. If that other traffic contains malicious packets, they can cause a DoS condition on the router itself, so you must stop them before they enter your router. This also saves CPU cycles that would be spent processing unnecessary traffic.
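The ordering argument above can be seen by tracing a packet through the two ACL placements. The following is an added example and not code from the original post: a toy forwarding pipeline for the two-interface edge router that records every stage a packet passes through, with the reflexive pair either on the inside interface (reflect on inside-in, evaluate on inside-out, the pattern the note advises against) or on the outside interface (reflect on outside-out, evaluate on outside-in). Addresses and ports are constructed from the documentation ranges.

```python
# Added example (not from the original post): where an unsolicited packet from the
# outside is dropped depends on which interface carries the reflexive ACL pair.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

def reverse(flow):
    return Flow(flow.dst, flow.src, flow.dport, flow.sport)

class ReflexiveEdge:
    """placement='inside': reflect on inside-in, evaluate on inside-out.
    placement='outside': reflect on outside-out, evaluate on outside-in."""

    def __init__(self, placement):
        if placement not in ("inside", "outside"):
            raise ValueError(placement)
        self.placement = placement
        self.sessions = set()       # temporary entries created by 'reflect'

    def _evaluate(self, flow, stages):
        if flow in self.sessions:
            stages.append("evaluate: permit (reflexive entry)")
            return True
        stages.append("evaluate: deny")
        return False

    def forward(self, flow, arrives_on):
        """Return the stages the packet hits, ending in 'forwarded' or 'dropped'."""
        stages = []
        leaves_on = "outside" if arrives_on == "inside" else "inside"
        # ingress ACL on the arriving interface
        if self.placement == "outside" and arrives_on == "outside":
            stages.append("outside-in ACL")
            if not self._evaluate(flow, stages):
                return stages + ["dropped"]
        if self.placement == "inside" and arrives_on == "inside":
            stages.append("inside-in ACL: reflect")
            self.sessions.add(reverse(flow))
        # the router itself: routing lookup and the CPU work that goes with it
        stages.append("routing lookup")
        # egress ACL on the leaving interface
        if self.placement == "outside" and leaves_on == "outside":
            stages.append("outside-out ACL: reflect")
            self.sessions.add(reverse(flow))
        if self.placement == "inside" and leaves_on == "inside":
            stages.append("inside-out ACL")
            if not self._evaluate(flow, stages):
                return stages + ["dropped"]
        return stages + ["forwarded"]

INSIDE_HOST, OUTSIDE_HOST = "192.0.2.10", "203.0.113.9"        # constructed addresses
REQUEST = Flow(INSIDE_HOST, OUTSIDE_HOST, 50000, 80)           # inside host opens a session
UNSOLICITED = Flow(OUTSIDE_HOST, INSIDE_HOST, 40000, 23)       # nobody inside asked for this

def reached_router_cpu(placement):
    """Does an unsolicited packet from outside get as far as the routing lookup?"""
    return "routing lookup" in ReflexiveEdge(placement).forward(UNSOLICITED, "outside")
```

Both placements forward the inside host's request and its return traffic and drop the unsolicited packet; the difference is that with the pair on the inside interface the drop happens after the routing lookup, whereas on the outside interface it happens at ingress, which is the whole point of the note.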

STP port priority

Let's take an interesting question on STP port priority.
Why can we only change the STP port priority in increments of 16?

Before the 802.1t standard existed, port priority and port ID were considered to be 8 bits each; therefore port IDs in a switch could be in the range 0-255, and port priority in the range 0-255 in increments of 1.

When the 802.1t standard was defined, it specified a port priority of 4 bits and a port ID of 12 bits; therefore a switch can have up to 4096 ports, while the port priority range is still 1-256 to provide backward compatibility with the older format. However, since port priority now has only 4 bits, covering the range 1-256 requires an increment of 16, so the minimum port priority value is now 0 and the maximum is 240 (16 values) in increments of 16.

Here is the link to know more

spanning-tree portfast Vs spanning-tree portfast trunk

These are the most commonly used spanning tree features, but how do they differ from each other?

"Spanning-tree portfast" instructs the port (on which it is configured) to skip the listening and learning states and to avoid generating a TCN if the port goes up or down, but ONLY for the one VLAN configured on the access port.

"Spanning-tree portfast trunk" instructs the port (on which it is configured) to do the same thing, but for all the allowed VLANs on the trunk port at the same time. Because trunks carry traffic for multiple VLANs while access ports do not, Cisco has two different commands for this purpose.

Frame Relay Encapsulation cisco or ietf

If both connected devices are Cisco, then a mismatched Frame Relay encapsulation can still work, but if the remote device is non-Cisco, the Cisco device has to be configured with IETF FR encapsulation, because the non-Cisco device does not understand the Cisco encapsulation.


The reference text: 

Friday, January 20, 2012

OSPF filtering with route-map

Which of the following examples can work? More than one may be correct.

1st Example: 

router ospf 1
   distribute-list route-map filter-from-r4 in
route-map filter-from-r4 deny 10 
   match ip address prefix-list three
   match ip next-hop prefix-list four
route-map filter-from-r4 permit 100
   exit
ip prefix-list three permit 150.22.3.3/32
ip prefix-list four permit 155.22.146.4/32

 2nd Example: 

router ospf 1
   distribute-list route-map filter-from-r4 in
route-map filter-from-r4 deny 10
   match ip address 3
   match ip next-hop 4
route-map filter-from-r4 permit 100
  exit
access-list 3 permit 150.22.3.3
access-list 4 permit 155.22.146.4

3rd Example:

router ospf 1
   distribute-list route-map filter-from-r4 in
route-map filter-from-r4 deny 10
   match ip address prefix-list three
   match ip next-hop 4
route-map filter-from-r4 permit 100
  exit
ip prefix-list three permit 150.22.3.3/32
access-list 4 permit 155.22.146.4


Short note on OSPF LSDB and RIB

The facts are:

RIP's RIB = rip database = "show ip rip database"
EIGRP's RIB = topology table = "show ip eigrp topology"
BGP's RIB = bgp rib (?) = "show ip bgp"

That is why many think that OSPF's RIB is the OSPF database, i.e. the LSDB, but this is not true. Here is why.

The LSDB is not considered the RIB for OSPF because it contains the entire topology information in the form of LSAs, and network reachability is merely an attribute of an LSA. The network reachability information can be derived from the LSAs stored in the LSDB, but since OSPF does not have its own RIB like the other routing protocols to store its routing information, OSPF uses the main routing table for this purpose, and from there OSPF generates its summary LSAs (type 3 or 4, etc.).

NBAR with class-map

Let's take a question on the NBAR match statement under a class-map.

Why would these two match statements generally be configured together under a class-map?

class-map type inspect match-all CMAP_TELNET
  match access-group name ACL_TELNET
  match protocol tcp
!
ip access-list extended ACL_TELNET
  permit tcp any any eq 23

When two match statements are configured under a class-map in the above way, a logical AND operation occurs, meaning that the class matches only when both statements are matched.
In the above case one match statement inspects the entire TCP protocol, but only on the condition that the traffic is destined for port 23 and comes from anywhere. Also keep in mind that the NBAR feature is activated by the "match protocol" statement, and this feature not only checks port numbers but also the various signatures associated with the protocol, if required.

If there is no need for deep packet inspection then you can avoid using NBAR. However, it is very common to use this feature in the real world.

Let me ask you something: how will you classify Telnet traffic if the Telnet server is hosted on a port other than 23, say 2323? If it is known to you then you can easily classify it based on the destination port number, but if you don't know the port you have no option but to use NBAR for classification. FTP also requires NBAR for classification, because it uses different ports for control and data transfer (learn more about active and passive FTP modes).

Multicast sparse mode SPT switchover

Background
By default a Cisco router automatically attempts an SPT switchover as soon as it receives the first multicast packet and learns the source IP of the multicast source. What exactly happens here is explained below.
Explanation
Once the first-hop router (i.e. the router directly attached to the receiver) starts receiving multicast packets, it immediately knows the source IP address. The first thing it does is internally check the "ip pim spt-threshold" command. If the incoming multicast flow is under the configured threshold it continues on the same path via the RP, i.e. only (*,G) entries up to the RP. But if it crosses the threshold, it does the following.

Now that it knows the source IP (which it did not know earlier), it consults its unicast routing table to see through which interface the source IP is reachable. It then sends a PIM join message towards the source out of the interface through which the source IP address is reachable. It does this even if this outgoing interface leads towards the RP itself. After the join message is sent towards the source, an SPT is built between the source DR and this router (directly attached to the receiver). At this stage all the routers on the SPT have (S,G) entries. This could be a separate path towards the source, or via the RP towards the source.

This router now receives two flows for a moment; then it immediately sends a prune message towards the RP to remove itself from the shared tree. This prune message reaches the RP hop by hop, and the RP further sends it towards the source in order to leave the SPT for this particular group.

At this stage the router attached to the receiver gets only one multicast flow from the source, via the shortest path.

Unregistered EEM Applet Policy

Let's take a question on EEM.
Q: How can I unregister an EEM applet without actually deleting it? I tried with "no event manager policy ...", but that did not work.
A: The "no event manager policy" command can only unregister policies that were created with that command, i.e. EEM Tcl script policies. The only way to unregister an EEM applet is by modifying the existing applet and exiting applet configuration mode. Otherwise, just delete it.

Understanding spanning-tree vlan root primary command

Today let's understand the command "spanning-tree vlan <vlan-id> root primary". It is nothing but a macro which works like this.

The macro "spanning-tree vlan <vlan-id> root primary", configured let's say on sw1, works as follows, with only one exception:

1. sw1 first tries to become the root bridge by setting its priority equal to the current root bridge's priority (by increasing or decreasing its own priority). It becomes the root bridge if its MAC address is lower than the current root bridge's.

2. If sw1's MAC address is not lower than the current root bridge's, sw1 further reduces its priority by 4096 and becomes the root bridge.

3. The macro cannot set sw1's priority to 0, even if the current root bridge has priority 4096+vlanid. This case may arise when sw1's MAC address is higher than the current root bridge's and the current root bridge's priority is 4096+vlanid.

4. The only exception to this rule: if the current root bridge has a priority above 28672+vlanid, then sw1 sets its priority to 24576+vlanid. This happens only because it has to accommodate the priority of the secondary root bridge, which is always 28672+vlanid.

This macro is mainly designed for switches enabled with the extended system-id.
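Both this macro and the STP port priority question earlier on the page come down to 16-bit identifiers whose priority field shrank to 4 bits under 802.1t, with the remaining 12 bits holding a port number or the extended system-id (the VLAN id). The following is an added example and not code from the original post or from Cisco: port_id() packs a port ID and shows why the port priority moves in steps of 16, and root_primary() walks through rules 1 to 4 above exactly as they are stated (priority including the VLAN id, steps of 4096, the 24576+vlanid exception, and the case the macro cannot solve). The switch MAC addresses are constructed.

```python
# Added example (not from the original post): STP port ID packing under 802.1t and
# the "spanning-tree vlan <id> root primary" macro as described in the note above.
PORT_PRIORITY_STEP = 16       # 4-bit field in the high nibble of the 16-bit port ID
BRIDGE_PRIORITY_STEP = 4096   # 4-bit field above the 12-bit extended system-id
DEFAULT_PRIORITY = 32768

def port_id(priority, port_number):
    """802.1t port ID: 4-bit priority (0..240 in multiples of 16) and 12-bit port number."""
    if priority % PORT_PRIORITY_STEP or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must fit in 12 bits")
    return ((priority // PORT_PRIORITY_STEP) << 12) | port_number

def legacy_port_id(priority, port_number):
    """Pre-802.1t format: 8-bit priority and 8-bit port number, so steps of 1 were possible."""
    if not (0 <= priority <= 255 and 0 <= port_number <= 255):
        raise ValueError("both fields are 8 bits in the legacy format")
    return (priority << 8) | port_number

def bridge_id(priority_plus_vlan, mac):
    """Bridge IDs compare priority first, MAC second; lower wins."""
    return (priority_plus_vlan, mac)

def root_primary(vlan, own_mac, root_priority, root_mac):
    """Priority the macro sets on this switch, or None where the rules say it cannot win.
    root_priority is the current root's priority including its extended system-id."""
    if root_priority > 28672 + vlan:                     # rule 4: leave room for 'root secondary'
        return 24576 + vlan
    if own_mac < root_mac:                               # rule 1: equal priority, lower MAC wins
        return root_priority
    if root_priority - BRIDGE_PRIORITY_STEP <= vlan:     # rule 3: would need priority 0
        return None
    return root_priority - BRIDGE_PRIORITY_STEP          # rule 2: one step of 4096 lower

def becomes_root(vlan, own_mac, root_priority, root_mac):
    """Would this switch win the root election after running the macro?"""
    new = root_primary(vlan, own_mac, root_priority, root_mac)
    return new is not None and bridge_id(new, own_mac) < bridge_id(root_priority, root_mac)
```

Against a root still at the default 32768+vlanid the macro lands on 24576+vlanid (rule 4); against a root already at 24576+vlanid it either matches that priority when its own MAC is lower (rule 1) or drops to 20480+vlanid (rule 2); against a root at 4096+vlanid with a higher MAC it returns None (rule 3).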

Routers and Switches are Initializing

The best way to learn a technology is by asking yourself questions about it. Therefore, as part of an active learning approach, every day I will take up a few technologies and try to answer the questions that come to your mind but remain unanswered.