2/27/2011

IRDP/ICMP

Router R3 is connected on its Ethernet interface to SW3 (working only as an L2 switch) and we have to advertise the default gateway to it via IRDP. This is what such a configuration looks like:

R3


R3#sh run int fast 0/0.50
Building configuration...

Current configuration : 262 bytes
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 172.16.30.3 255.255.255.128
ip irdp
ip irdp multicast
ip irdp maxadvertinterval 20
ip irdp minadvertinterval 20
ip irdp holdtime 60
ip irdp preference 100
ip irdp address 0.0.0.0 100
end

R3#


and


SW3#sh run int vlan 50
Building configuration...

Current configuration : 93 bytes
!
interface Vlan50
ip address 172.16.30.10 255.255.255.128
ip irdp
ip irdp multicast
end

SW3#


However, to make it work you also need to enable gateway discovery on SW3 by entering the following in global configuration mode:

ip gdp irdp


SW3#show ip route
Gateway Using Interval Priority Interface
172.16.30.3 IRDP 20 100 Vlan50

Default gateway is 172.16.30.3

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
SW3#
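As an added example that is not part of the original post, the following Python decodes the ICMP Router Advertisement (type 9, RFC 1256) that a configuration like R3's puts on the wire and validates it the way a listening host should; the packet bytes are constructed here from the config above (one entry for 172.16.30.3, lifetime 60 from the holdtime keyword, preference 100).

```python
import ipaddress
import struct

# Constructed sample advertisement matching R3's IRDP settings above:
# type 9, code 0, checksum, 1 address, entry size 2 words, lifetime 60 s,
# then the router address 172.16.30.3 with preference 100.
SAMPLE_ADVERT = bytes.fromhex("09002b4a0102003cac101e0300000064")


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_router_advertisement(pkt: bytes) -> dict:
    """Decode an IRDP advertisement, rejecting malformed or corrupted ones."""
    if len(pkt) < 8:
        raise ValueError("too short for an ICMP header")
    icmp_type, code, _, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if icmp_type != 9 or code != 0:
        raise ValueError("not a Router Advertisement (type 9, code 0)")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    if entry_size < 2 or len(pkt) < 8 + num_addrs * entry_size * 4:
        raise ValueError("address entries truncated")
    routers = []
    for i in range(num_addrs):
        off = 8 + i * entry_size * 4
        addr, pref = struct.unpack("!4si", pkt[off:off + 8])  # preference is signed
        routers.append({"address": str(ipaddress.IPv4Address(addr)),
                        "preference": pref,
                        # 0x80000000 means "do not use as a default router"
                        "usable": pref != -0x80000000})
    return {"lifetime": lifetime, "routers": routers}


def best_gateway(advert: dict):
    """Pick the highest-preference usable router, as SW3 did in 'show ip route'."""
    usable = [r for r in advert["routers"] if r["usable"]]
    return max(usable, key=lambda r: r["preference"])["address"] if usable else None
```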

2/25/2011

DHCP Authorized ARP: Really nice feature available in 12.3T

The DHCP Authorized ARP feature enhances the Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) components of the Cisco IOS software to limit the leasing of IP addresses to mobile users to authorized users. This feature enhances security in public wireless LANs (PWLANs) by blocking ARP responses from unauthorized users at the DHCP server.


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtautarp.html

2/22/2011

re-patching the lab for netmaster

In this topology I have 4 switches (2x3560 and 2x3550) and 6 virtual 3725 routers with T-based IOS (a PC with 12 network cards). I haven't tested the configuration against the netmasterclass workbooks yet. Some features are missing on this platform, or at least on this version of IOS, like "object track" in ACLs. The first visible difference is that there are no backbone routers as we used to have on INE labs.



This is my configuration:

"netmasterclass.net"

autostart = False
[localhost:7200]
workingdir = /home/nabromov/dynamips/working
udp = 11000

[[3725]]
image = /home/nabromov/dynamips/images/c3725-adventerprisek9-mz.124-15.T14.bin
ram = 256
nvram = 256
ghostios = True
idlepc = 0x60c06028


[[Router R1]]

model = 3725
console = 2001
# R1 e0/0 to SW1 fa0/1
f0/0 = NIO_linux_eth:eth0
# R1 f0/1 to SW2 fa0/1
f0/1 = NIO_linux_eth:eth1
s1/0 = FRSW 1
s1/1 = R3 s1/1


[[ROUTER R2]]
model = 3725
console = 2002
# R2 e0/0 to SW1 fa0/2
f0/0 = NIO_linux_eth:eth3
# R2 e0/1 to SW2 fa0/2
f0/1 = NIO_linux_eth:eth4
s1/0 = FRSW 2
s1/1 = FRSW 22

[[ROUTER R3]]
model = 3725
console = 2003
# R3 e0/0 to SW1 fa0/3
f0/0 = NIO_linux_eth:eth5
# R3 e0/1 to SW2 fa0/3
f0/1 = NIO_linux_eth:eth6
s1/0 = FRSW 3

[localhost:7201]
workingdir = /home/nabromov/dynamips/working
udp = 11000

[[3725]]
image = /home/nabromov/dynamips/images/c3725-adventerprisek9-mz.124-15.T14.bin
ram = 256
nvram = 256
ghostios = True
idlepc = 0x60c06028

[[Router R4]]
model = 3725
console = 2004
# R4 e0/0 to SW1 fa0/4
f0/0 = NIO_linux_eth:eth7
# R4 e0/1 to SW2 fa0/4
f0/1 = NIO_linux_eth:eth8
s1/0 = FRSW 4
s1/1 = R5 s1/1

[[Router R5]]
model = 3725
console = 2005
# R5 e0/0 to SW1 fa0/5
f0/0 = NIO_linux_eth:eth9
# R5 e0/1 to SW2 fa1/5
f0/1 = NIO_linux_eth:eth10
s1/0 = FRSW 5


[[Router R6]]
model = 3725
console = 2006
# R6 f0/0 to SW1 fa0/6
f0/0 = NIO_linux_eth:eth11
# R6 f0/1 to SW2 fa0/6
f0/1 = NIO_linux_eth:eth12
s1/0 = FRSW 6
s1/1 = FRSW 66

[[FRSW FRSW]]

# R1 to FRSW
1:102 = 2:201
1:103 = 3:301
1:104 = 4:401
1:105 = 5:501
1:106 = 6:601
1:112 = 22:211
1:116 = 66:611

# R2 to FRSW
2:203 = 3:302
2:204 = 4:402
2:205 = 5:502
2:206 = 6:602
22:213 = 3:312
22:214 = 4:412
22:215 = 5:512
22:216 = 66:612

# R3 to FRSW
3:304 = 4:403
3:305 = 5:503
3:306 = 6:603
3:316 = 66:613

# R4 to FRSW
4:405 = 5:504
4:406 = 6:606
4:416 = 66:614

# R5 to FRSW
5:506 = 6:605
5:516 = 66:615

# R6 to FRSW

2/21/2011

netmasterclass workbooks

I am planning to try another training provider, so I found netmasterclass, who are working with Cisco based on the Cisco 360 training program. I will post some impressions after I go through a few of the labs.

Juniper networks bootcamp in March

Registration: JUNOS Bootcamp UK March 28th - April 1st 2011 (Mar 28, 2011 - Apr 01, 2011)

2/20/2011

CBAC concurrent sessions

Another trick that I just learned. If you want to limit the number of concurrent sessions going through the inspect rules you can use:

RouterXXX(config)#ip inspect hashtable number



Usage Guidelines

Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases or to reduce the search time for the session. Collisions in a hash table result in poor hash function distribution because many entries are hashed into the same bucket for certain patterns of addresses. Even if a hash function distribution evenly dispenses the input across all of the buckets, a small hash table size will not scale well if there are a large number of sessions. As the number of sessions increases, the collisions increase, which increases the length of the linked lists, thereby deteriorating the throughput performance.

tclsh connectivity check example

This is one of the most important parts: the verification.

labXXX#tclsh
foreach i {
130.1.17.1
150.1.1.1
130.1.124.1
130.1.234.2
} { ping $i }

INE lab 15 task task 1.2

Okay, everyone will configure the bba-groups in the right way to make the task work. For me the tricky bit was that I used the wrong identifier for this task and the static host mapping in the DHCP pool didn't work. If you don't configure the right client identifier it won't work.


So, what I did was to start the debug of the PPPoE session and get the identifier from the dump in the log.


*Mar 1 00:13:42.243: Retry count: 1 Client-ID: cisco-c203.03d1.0000-Di1
*Mar 1 00:13:42.243: Client-ID hex dump: 636973636F2D633230332E303364312E
*Mar 1 00:13:42.247: 303030302D446931


We should keep in mind that we need to add 00 in front of the first two digits for the client-id, and it will look like 6369.xxxx.xxxx.xxxx.xxxx.
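As an added example (not from the original post), here is a small Python helper that pulls the Client-ID out of debug lines like the ones above, reassembles the two-line hex dump, and builds the dotted-hex form for the DHCP pool by putting 00 in front of the hex string as the post says; the debug lines are copied from the post, and the 4-digit dotted grouping is the usual IOS client-identifier layout.

```python
import re

# Debug lines copied from the post above; the hex dump wraps onto a second line.
DEBUG_LOG = """\
*Mar 1 00:13:42.243: Retry count: 1 Client-ID: cisco-c203.03d1.0000-Di1
*Mar 1 00:13:42.243: Client-ID hex dump: 636973636F2D633230332E303364312E
*Mar 1 00:13:42.247: 303030302D446931
"""

# Strips the "*Mar 1 00:13:42.243: " timestamp IOS puts in front of every debug line.
_TIMESTAMP = re.compile(r"^\*\w+\s+\d+\s+[\d:.]+:\s+")


def extract_client_id(log: str) -> str:
    """Return the ASCII Client-ID string from the 'Client-ID:' debug line."""
    match = re.search(r"Client-ID:\s+(\S+)", log)
    if not match:
        raise ValueError("no Client-ID line in debug output")
    return match.group(1)


def extract_hex_dump(log: str) -> str:
    """Join the 'Client-ID hex dump:' line with the hex-only continuation lines after it."""
    parts, collecting = [], False
    for line in log.splitlines():
        body = _TIMESTAMP.sub("", line)
        if body.startswith("Client-ID hex dump:"):
            parts.append(body.split(":", 1)[1].strip())
            collecting = True
        elif collecting and re.fullmatch(r"[0-9A-Fa-f]+", body):
            parts.append(body)
        else:
            collecting = False
    return "".join(parts).upper()


def client_id_hex(client_id: str) -> str:
    """Hex-encode the ASCII Client-ID; this should equal the debug hex dump."""
    return client_id.encode("ascii").hex().upper()


def dhcp_client_identifier(client_id: str, type_prefix: str = "00") -> str:
    """Dotted-hex value for the pool's client-identifier: the post's rule is to
    put 00 in front of the hex string, then group it in blocks of four digits."""
    digits = type_prefix + client_id.encode("ascii").hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))
```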

dynamips and CDP annoying messages

*Mar 1 01:41:22.403: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with Rack1SW2 FastEthernet0/2 (full duplex).


To stop these messages you can type


LabXXX(config)#no cdp log mismatch duplex

annoying cisco features during the labs

Use the access-list hardware program nonblocking global configuration command to cause the system to continue to forward frames even while a new security access-control list (ACL) configuration is being programmed into the hardware. Use the no form of this command to return to the default behavior, where traffic is blocked on affected interfaces when changes are made to the security ACL configuration while the hardware is updated with the new configuration.

access-list hardware program nonblocking
no access-list hardware program nonblocking

2/18/2011

some time to study

The company I work for gave me two months to prepare for the lab exam, so for the next couple of months I will be concentrating on this topic.

2/17/2011

IPv6overIP vs GRE

I just found this nice tutorial about the v6 tunnels and the ip over-head in particular.

http://ardenpackeer.com/routing-protocols/tutorial-ipv6-tunnels-part-1-manual-gre-ipv6ip-tunnels/

2/13/2011

object group tracking for ACLs

First Published: July 11, 2008
Last Updated: September 6, 2010

The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This feature allows multiple access control entries (ACEs), but now you can use each ACE to allow an entire group of users to access a group of servers or services or to deny them from doing so.

In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs, simplifying static and dynamic ACL deployments for large user access environments on Cisco IOS routers.

Cisco IOS Firewall benefits from object groups, because they simplify policy creation (for example, group A has access to group A services).


http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1132576