OSPF:
1. A virtual-link interface's cost is the accumulated cost of the physical interfaces along the virtual-link path.
2. The "ip ospf demand-circuit" command only needs to be configured on the multipoint end of a point-to-multipoint interface.
3. The "area X filter-list prefix NAME in|out" command can selectively filter type-3 inter-area LSAs.
4. On an ABR, "area X nssa no-redistribution default-information-originate" (generates a type-7 default route) is the counterpart of "area X nssa no-summary" (generates a type-3 default route).
OSPFv3
1. Although multiple OSPFv3 processes can run on a router, only a single process or instance can run on an interface.
BGP
1. BGP connections between confederation peers behave like eBGP peers (watch out: multi-hop), but they exchange routing information as if they were iBGP peers. This means the BGP attributes next hop, metric, and local preference are preserved (next-hop-self can be used to change the next hop), and the AD is 200, like iBGP.
2. auto-summary ONLY applies to routes injected into BGP via redistribution.
3. "set as-path prepend" cannot change the last AS number of the AS path when used in an outbound route-map; the advertising router inserts its own AS number at the end of the AS path.
4. A BGP router advertises only its best routes to its eBGP peers.
5. In IOS 12.2(15)T, the command "bgp bestpath as-path ignore" is a hidden command, and "bgp bestpath med missing-as-worst" does not work.
6. When iBGP routes are reflected by an RR, the next-hop attribute is kept. Configuring next-hop-self on the RR does NOT change the next hop of these routes.
7. Use of cluster-id: an RR drops any route update whose cluster list includes its own cluster-id.
8. BGP dampening only applies to eBGP-learned routes.
9. When using a route-map to control BGP dampening, a route-map entry without "set dampening [parameters]" means dampening is not applied to the matched routes.
10. iBGP routes have a default local-pref of 100; eBGP routes have no local-pref. The "bgp default local-preference" command only affects outbound iBGP routes.
11. bgp deterministic-med also compares the MED of routes from different ASes, and it cannot sort the paths by neighbor AS. Why?
12. Advertising a default route via BGP requires three steps:
Step 1. Create a static default route.
Step 2. Redistribute static into BGP.
Step 3. Use the BGP command default-information originate.
(By default, BGP does not allow a 0.0.0.0/0 route to be injected into the BGP table.)
13. If multiple "distance AD neighbor-addr wildcard-mask prefix-list" commands are used to match updates from a specified neighbor, the longest match is taken.
14. When using bgp advertise-map/non-exist-map: when the primary route is withdrawn, the secondary route will NOT trigger an update immediately; it is advertised in the next regular table-scan cycle (about 60s). When the primary route comes back, the secondary route is withdrawn in the next regular scan cycle. Convergence is slow.
15. Using "neighbor xx default-originate" to advertise a default route advertises it unconditionally. Use "neighbor xx default-originate route-map ROUTE-MAP-NAME" to advertise a default route conditionally.
16. Policies applied to member peers override those applied to the peer group. ONLY inbound policies can be overridden.
17. neighbor xxxx remove-private-as: when using this command towards a BGP confederation peer, the private AS will not be removed:
Network Next Hop Metric LocPrf Weight Path
*> 172.16.0.0/24 192.168.1.3 0 100 0 (1 65530) i
Another case:
Network Next Hop Metric LocPrf Weight Path
*> 172.16.1.0/24 192.168.1.3 0 100 0 (65530 1) i
A private AS number following public AS numbers is not removed either.
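A small model of the remove-private-as rules just described, added here as an example (it is not code from the original post, and not IOS code): the AS path is parsed from the path column of the show output, the parenthesised part is the confederation segment, and the private ranges are 64512-65534 and 4200000000-4294967294. A private ASN inside a confederation segment is never touched (the two cases above); ASNs in the plain part are removed only when every one of them is private, so a private ASN following a public one leaves the path unchanged. The segment representation and helper names are this example's own conventions.

```python
# Added example: a model of IOS "neighbor x.x.x.x remove-private-as" behaviour
# as described in the note above. Not code from the original post.
PRIVATE_2BYTE = range(64512, 65535)             # 64512..65534
PRIVATE_4BYTE = range(4200000000, 4294967295)   # 4200000000..4294967294


def is_private_as(asn):
    """True if asn falls in a private AS range."""
    return asn in PRIVATE_2BYTE or asn in PRIVATE_4BYTE


def parse_as_path(text):
    """Parse the AS path column of 'show ip bgp' into segments.

    Parentheses mark an AS_CONFED_SEQUENCE; everything else is an AS_SEQUENCE.
    Origin codes such as 'i' or '?' are ignored. Representation (this example's
    own): a list of [segment_type, [asn, ...]] pairs.
    """
    segments = []
    current = None
    for tok in text.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            current = ["AS_CONFED_SEQUENCE", []]
            segments.append(current)
        elif tok == ")":
            current = None
        elif tok.isdigit():
            if current is None:
                current = ["AS_SEQUENCE", []]
                segments.append(current)
            current[1].append(int(tok))
    return segments


def format_as_path(segments):
    """Render segments back into the 'show ip bgp' path notation."""
    parts = []
    for seg_type, asns in segments:
        body = " ".join(str(a) for a in asns)
        parts.append("(%s)" % body if seg_type == "AS_CONFED_SEQUENCE" else body)
    return " ".join(p for p in parts if p)


def remove_private_as(segments):
    """Apply the rule set from the note:
    - ASNs inside a confederation segment are never removed
    - public and private ASNs mixed in the plain part -> nothing is removed
    - every plain ASN private                         -> all plain ASNs removed
    """
    plain = [a for seg_type, seg in segments for a in seg if seg_type == "AS_SEQUENCE"]
    if not plain or not all(is_private_as(a) for a in plain):
        return segments
    # Keep confederation segments untouched, drop the all-private plain part.
    return [[t, list(s)] for t, s in segments if t == "AS_CONFED_SEQUENCE"]


def outbound_as_path(text):
    """AS path as it would leave towards the eBGP peer, as a display string."""
    return format_as_path(remove_private_as(parse_as_path(text)))


if __name__ == "__main__":
    # Constructed inputs, including the two cases from the show output above.
    for path in ["(1 65530) i", "(65530 1) i", "253 65530 i", "65530 65531 i"]:
        print("%-16s -> %r" % (path, outbound_as_path(path)))
```

Running the block shows the two confederation cases and the "private after public" case passing through unchanged, while an all-private path is emptied.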
18. An extended IP access list can be used in a route-map to match on the incoming prefix and mask. The second subnet/mask portion of the extended access list is used to match the mask length.
19. When two BGP speakers establish a connection, the smaller of the advertised keepalive and holdtime values is used.
20. An eBGP AS path that includes a confederation segment is preferred over an all-eBGP path of equal length:
*> 197.68.1.0 150.100.2.254 0 100 0 (65012) 254 i
* 150.100.1.254 0 0 253 254 i
redistribute:
1. The OSPF default metric for external routes is 20.
2. If a route is redistributed into ospf 1 on router A, router A will not redistribute this route again from ospf 1 into other protocols. The rule is: one route cannot be redistributed twice on one router.
3. OSPF locally generated summary routes cannot be filtered by tag when redistributing into RIP. Why?
4. When redistributing EIGRP external routes into OSPF, modify the AD to 180 to prevent loops.
misc:
1. The bandwidth of a tunnel interface is 9 kbps by default; the OSPF cost is 11111.
ACL:
1. Lock-and-key ACL: the timeout defined in the user autocommand is an idle timeout; the timeout defined in the dynamic ACL is an absolute timeout for the dynamic access entry.
route-map:
1.This example uses AND semantics between POLICY-LIST-NAME-1 and POLICY-LIST-NAME-2:
Router(config-route-map)# match policy-list POLICY-LIST-NAME-1
Router(config-route-map)# match policy-list POLICY-LIST-NAME-2
This example uses OR semantics between POLICY-LIST-NAME-3 and POLICY-LIST-NAME-4:
Router(config-route-map)# match policy-list POLICY-LIST-NAME-3 POLICY-LIST-NAME-4
2. Policy lists in a route-map are supported only by BGP; they are invisible to other routing protocols.
3. When writing an ACL to filter routes, "permit host x.x.x.0" sometimes does not work; use "permit x.x.x.0 0.0.0.255" or an extended ACL.
NAT:
1. "ip nat inside destination list x pool y" does not work on IOS 12.2(15)T(16)?
MTU:
Datagram size in extended ping = packet length in route-map match = total IP packet length?
Strange phenomena:
1. Using one 2500 (r2) with two IP-in-IP tunnel interfaces to connect two other routers (r1 and r3): r1 can ping r2's tunnel interface, and so can r3, but when r1 pings r3, r2 crashes and reloads. Why? (IOS version 12.2(15)T(16))
2. Using a PPP virtual-template interface under IOS 12.2(15)T16, IP routing may sometimes hang.
bgp:
1. Make BGP advertise a default route in as many ways as possible:
(1). redistribute static, then default-information originate
(2). aggregate-address 0.0.0.0 0.0.0.0
(3). network 0.0.0.0 mask 0.0.0.0
(4). redistribute from an IGP
All of the above were tested and work.
2. When configuring a neighbor, it is best to add "version 4".
multicast:
1. All multicast forwarding interfaces must have PIM enabled; otherwise no multicast packets will be forwarded out that interface, even though IGMP group members have been reported on it.
2. When using ip helper-address to forward broadcasts, by default only BOOTP/DHCP UDP broadcasts are forwarded.
3. "ip multicast helper-map broadcast MCAST-GRP EXT-ACL" and "ip multicast helper-map MCAST-GRP SUBNET-BROADCAST-ADDR EXT-ACL" are used to convert UDP broadcast traffic into a multicast stream that travels across the multicast cloud, and then to convert it back into a (directed) broadcast forwarded onto the destination network.
4. When using the MRM test tool, the manager, sender, and receiver of a test MUST be 3 (or more) DIFFERENT routers.
igmp snooping
IGMP snooping is based on intercept mode: the switch CPU handles the IGMP query and report/leave messages itself, acting as a multicast querier. Part of the messages are forwarded to the real multicast router.
pim:
pim hello interval:30s
pim-dm periodic join/prune message interval:60s
pim msg hold-time:180s
T flag: SPT bit, meaning this is a shortest-path-tree entry built from the RP tree.
P flag: pruned; all outgoing interfaces are pruned, there is no downstream neighbor, and a prune message was sent to the upstream neighbor.
F flag: registering.
When IGMP group X is withdrawn, the PIM-SM mroute entry for group X is still alive. Why? -- because ip mrm test-sender/test-receiver is turned on.
"ip pim spt-threshold infinity" (never join the SPT) does not work (IOS 12.2(15)T16). Why?
auto-rp:
1. The mapping agent chooses the RP for a group based on the highest RP address. If that RP fails, the mapping agent selects the next-highest qualifying RP and advertises it after the hold timer (3 times the hello interval) expires. But if a new C-RP with a higher IP comes up, the mapping agent advertises the new RP IMMEDIATELY (triggered update?).
2. When 2 C-RPs announce overlapping group ranges, the mapping agent uses the longest match.
3. If you set a 224.0.0.0/32 group-list for rp-announce-filter, the mapping agent will NOT filter a 224.0.0.0/4 RP announcement.
4. In the command "ip pim rp-announce-filter rp-list", no C-RP is filtered.
5. If multiple mapping agents advertise different RPs for one group, the Auto-RP client's RP table will flap.
6. Auto-RP cannot perform RP load sharing and redundancy at the same time; it maps RPs to groups only by the highest RP address.
pim v2 bsr
1. hash-mask X means the first X bits of the group address participate in the hash algorithm. BUT the hash result is quite random, not simply load-balanced by bit boundary?
2. BSR messages are sent every 30s by default (not a 60s interval?). A newly arriving C-BSR can trigger BSR message flooding, but if the BSR fails, C-BSRs must wait 150s to flush the old failed BSR (not the 130s holdtime?).
3. Additionally, if you raise a C-BSR's priority, it can become BSR immediately, but if you lower the BSR's priority, the other C-BSRs must wait for the hold time (150s) to expire before one becomes the new BSR.
4. Rule for electing the BSR: highest priority --> highest BSR address.
5. Rule for selecting the RP: lowest priority --> highest RP address (hash mask = 0) --> hash load sharing (hash mask > 0).
6. On a BSR client, use "ip pim accept-rp RP-ADDR GRP-LIST" to filter unauthenticated RPs.
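The "quite random" result in item 1 comes from the bootstrap hash function itself, so here is that function as an added example (not code from the original post): the RFC 4601 section 4.7.2 formula Value(G, M, C(i)) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C(i)) + 12345) mod 2^31, where only the masked group bits take part, and the decision order assumed from item 5 (lowest priority, then highest hash value, then highest RP address). The candidate addresses and group list are constructed; function names are this example's own.

```python
# Added example: the PIMv2 bootstrap RP hash (RFC 4601, section 4.7.2) applied
# to the note's "hash-mask X" question. Not code from the original post.
import ipaddress


def hash_mask(length):
    """32-bit mask with the first `length` bits set (the BSR hash-mask-length)."""
    if not 0 <= length <= 32:
        raise ValueError("hash mask length must be 0..32")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def rp_hash_value(group, mask, rp):
    """Value(G, M, C(i)) from RFC 4601: only the masked group bits take part."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp))
    return (1103515245 * ((1103515245 * (g & mask) + 12345) ^ c) + 12345) % (1 << 31)


def select_rp(group, candidates, mask_len):
    """Pick the RP for `group` among (rp_address, priority) candidates.

    Decision order (assumed from RFC 4601 and the note's rule 5): lowest
    priority first; among equal priorities the highest hash value wins; ties
    go to the highest RP address.
    """
    best_prio = min(prio for _, prio in candidates)
    eligible = [rp for rp, prio in candidates if prio == best_prio]
    mask = hash_mask(mask_len)
    return max(eligible, key=lambda rp: (rp_hash_value(group, mask, rp),
                                         int(ipaddress.IPv4Address(rp))))


def group_to_rp_table(groups, candidates, mask_len):
    """Map every group to its RP so the spread across RPs can be inspected."""
    return {g: select_rp(g, candidates, mask_len) for g in groups}


if __name__ == "__main__":
    # Constructed candidate RPs, all with the same priority, and sample groups
    # one /30 block apart so each block hashes separately with hash-mask 30.
    cands = [("10.0.0.1", 0), ("10.0.0.2", 0), ("10.0.0.3", 0)]
    groups = ["239.1.1.%d" % i for i in range(0, 32, 4)]
    for mask_len in (0, 30, 32):
        print("hash-mask", mask_len, group_to_rp_table(groups, cands, mask_len))
```

Two properties are visible in the output: all groups that share the masked prefix always land on the same RP (that is the load-sharing guarantee), but consecutive prefixes do not go to RPs in order, because the multiply-add-XOR step scrambles them; with hash-mask 0 every group masks to zero and one RP gets everything.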
pim nbma
1. The "ip pim nbma-mode" interface command works only with PIM sparse mode because it relies on PIM join messages to indicate traffic types. This command allows multicast traffic to be fast switched over Frame Relay network interfaces.
Watch the wording and topology within your CCIE lab scenarios.
pim bidir
1. Does a bidir-PIM-enabled C-RP advertise itself as a bidir RP to the C-BSR by default? (12.2(15)T)
2. Bidir-PIM does not support nonbroadcast multiaccess (NBMA) mode. (The DF takes care of the loop-free tree?)
rpf
1. When an output interface is looped back to the RPF interface (e.g. by a mistaken VLAN configuration), a multicast storm bursts almost immediately.
ssm
1. Use the following config to prevent SSM groups from using the RPT:
ip pim accept-register list no-ssm
ip access-list extended no-ssm
deny ip any 232.0.0.0 0.255.255.255
permit ip any any
mbgp
1. RR-client should be configured in address-family configuration mode.
2. MBGP does not affect the forwarding of multicast traffic. Further configuration is needed in a situation such as parallel links to force multicast traffic over the multicast-only link. MBGP just allows the dissemination of RPF information across AS boundaries.
3. Unicast BGP NLRI can also be used for the RPF check!
bgp
1. There is no auto-generated route to the null interface when auto-summary is applied to redistributed routes; one must be configured manually.
msdp
1. "ip msdp ttl-threshold" does not set the scope of MSDP messages, but the scope of the data packets encapsulated in SA messages.
2. Once the SPT is formed, as long as the SPT carries traffic, removing the SA advertisement does not affect the SPT's continued existence.
3. "ip msdp peer x.x.x.x" is enough; connect-source, originator-id, or remote-as do not need to be configured.
inter-domain multicast routing
1. A PIM neighbor relationship must be formed between the AS border routers to build the inter-domain source tree.
rip
1. "ip rip triggered" enables the triggered extensions of RIP. Routing table updates are minimized to include only the initial exchange of routing tables and updates when changes to the routing tables occur. This command is only available on serial links and must be configured on both ends of the link before taking effect.
When troubleshooting, use "debug ip rip triggered".
2. After IOS 12.0T, a RIP router will not automatically advertise the default route unless the default route is redistributed into RIP. Before the IOS 12.0T train, this was the default behavior of RIP, IGRP, and EIGRP.
3. When using "ip summary-address rip" to advertise a summary route, the metric of the summary route is 1.
4. You may use "default-information originate route-map CONDITION-ROUTE-MAP" to configure RIP to conditionally advertise a default route.
multicast qos
1. How can you rate limit multicast traffic?
*On the Catalyst 3550, you can rate limit on a per-port basis:
Cat3550(config-if)# storm-control multicast level 10
*On a router, including WAN links, you can rate limit with the interface command:
ip multicast rate-limit {in | out} [group-list acl#] [source-list acl#] kbps
2. About 10% of the configured rate is reserved by the system, so if you configure an 8 kbps rate limit, the real traffic rate would be 7 kbps.
bridge & sw
1. When using IRB (BVI interface), use "bridge # route ip" to direct IP traffic to the bvi# interface; otherwise no protocol data will be bridged to that interface.
2. STP port-id: lowest wins. port-id = [port_priority].[port_num]. The designated neighbor's port-id is compared first; if equal, the local port-id is the tie-breaker.
3. port-security: the maximum MAC limit is 1 by default.
4. Fallback bridging: only possible between routed interfaces or SVI interfaces; it only forwards non-routable non-IP traffic.
security
1. After configuring RIP authentication (MD5), if authentication fails, remove and reconfigure it; if it still fails, reload the router.
2. TCP intercept: defends against DoS attacks. Two modes: active intercept and passive watch. connection-timeout is the inactive-connection timer, default 24h; on expiry the connection is dropped. This differs from the connection-establishment timer (watch-timeout), default 30s; on expiry the connection attempt is treated as a SYN attack.
3. Unicast RPF:
a. Unicast RPF must be configured with IP CEF.
b. Unicast RPF allows packets with source 0.0.0.0 and destination 255.255.255.255 to pass so that Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP) functions work properly.
c. RPF + ACL (log):
rpf check ---> rpf pass ---> forward (no log)
          \--> rpf fail ---> check acl ---> permitted ---> forward (& log)
                                       \--> denied ------> drop (& log)
4. ACL log: for sensitive data it is better to use log-input (logs the input interface; only supported by extended ACLs) instead of log.
5. To block unknown-destination unicast/multicast inbound:
(conf-if)#switchport block unicast/multicast
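The decision flow of item 3 (the DHCP exemption in b and the ACL branch in c), as an added example rather than code from the original post: strict uRPF is modelled as "the longest-prefix route back to the source must point out the ingress interface", and an RPF failure is logged only when an ACL is attached, whichever way the ACL decides. The FIB, the exemption ACL and the packets are constructed; function names are this example's own.

```python
# Added example: a model of the unicast RPF decision flow from note 3, with
# the BOOTP/DHCP exemption and the ACL-with-logging branch. Not code from the
# original post; the FIB, ACL and packets below are constructed.
import ipaddress


def fib_lookup(fib, address):
    """Longest-prefix match. fib is a list of (prefix, outgoing_interface)."""
    ip = ipaddress.IPv4Address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_lookup(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as in IOS ACLs.
    acl is a list of (action, src_prefix, dst_prefix)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_prefix, dst_prefix in acl:
        if s in ipaddress.IPv4Network(src_prefix) and d in ipaddress.IPv4Network(dst_prefix):
            return action
    return "deny"


def urpf_decision(fib, acl, in_iface, src, dst):
    """Return (decision, logged) for a packet arriving on in_iface.

    Strict uRPF: the best route back to the source must point out in_iface.
    acl is None when the RPF check has no exemption ACL attached.
    """
    # b. DHCP/BOOTP discovery is exempt from the check.
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return ("forward", False)
    # c. RPF pass -> forward, no log.
    if fib_lookup(fib, src) == in_iface:
        return ("forward", False)
    # RPF fail without an ACL -> silent drop.
    if acl is None:
        return ("drop", False)
    # RPF fail with an ACL -> the ACL decides, and the packet is logged either way.
    return ("forward" if acl_lookup(acl, src, dst) == "permit" else "drop", True)


# Constructed FIB: LAN prefixes behind Ethernet0, everything else via Serial0.
FIB = [("10.1.0.0/16", "Ethernet0"), ("10.9.9.0/24", "Ethernet0"), ("0.0.0.0/0", "Serial0")]
# Constructed exemption ACL: 10.9.9.0/24 may legitimately arrive on Serial0
# (asymmetric routing), so it is forwarded but still logged.
ACL = [("permit", "10.9.9.0/24", "0.0.0.0/0")]

if __name__ == "__main__":
    for src, dst in [("192.168.5.5", "10.1.1.1"), ("10.1.2.3", "10.1.1.1"),
                     ("10.9.9.1", "10.1.1.1"), ("0.0.0.0", "255.255.255.255")]:
        print(src, "->", dst, urpf_decision(FIB, ACL, "Serial0", src, dst))
```

The second sample packet (source 10.1.2.3 arriving on Serial0 although 10.1.0.0/16 lives behind Ethernet0) is the spoofed-source case uRPF exists for: it fails the check, is not covered by the exemption ACL, and is dropped with a log entry.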
qos
Marking
1. [IP QoS byte] = [IP Prec] 3 bits + [ToS] 4 bits
DSCP = Prec (3 bits) + [first 3 bits of the ToS field]
Traffic Shaping/Policing
1. Class-based traffic shaping:
(1). The "shape average" command sends traffic at the fixed CIR without sending any excess burst bits. The excess burst is not allowed at all, even if it is configured to a value other than 0.
(2). The "shape peak" command peaks to a burst of Bc + Be bits per interval while keeping the CIR.
2. FRTS:
(1). "frame-relay class" for interface-based (all PVCs) FRTS; "frame-relay interface-dlci" --> "class" for per-PVC FRTS.
(2). When configuring the map-class: [frame-relay cir] = [target rate] = [average rate] = [max throughput] (the rate you want to send your data out at).
[frame-relay mincir] = the backoff rate when congested.
[frame-relay bc] = cir/8
Queuing (traffic scheduling)
(1). CBWFQ ("bandwidth") sets the minimum limit (bottom line) of traffic; traffic shaping/policing/CAR (rate-limit) sets the maximum limit (top line) of traffic.
(2). CBWFQ:
- By default, all traffic that has not been defined as belonging to a class is provided with best-effort service.
- The default action for class-default is inherited from the interface configuration (FIFO or FBWFQ). You can configure FBWFQ for this class and only this class.
- The queuing strategy for a class with "bandwidth" is FIFO (with tail drop).
- Before configuring CBWFQ, you need to be aware of a number of rules, including the following:
*Before CBWFQ can be installed, interfaces must be running their default queuing method. CBWFQ overrides the default queuing method.
*Unless specified, CBWFQ uses tail drop rather than WRED when dropping packets.
*If you are planning to use CBWFQ with WRED, make sure that the interface is not already running WRED.
*CBWFQ does not support subinterfaces; it must be installed on a physical interface.
*CBWFQ supports only ATM variable bit rate (VBR) and available bit rate (ABR) circuits.
*Policy maps can be used for more than one interface, saving configuration space.
*The CBWFQ-configured bandwidth must not exceed 75 percent of the interface bandwidth. The rest is used for overhead, control, and routing traffic. If the bandwidth used by a policy map exceeds that available on the interface, the policy map is denied and removed from all other interfaces.
*CBWFQ, CQ, PQ, WFQ, and WRED are all mutually exclusive; service policies must be removed before another queuing method can be installed.
*CBWFQ supports queue size limits and WRED, but not both in the same class.
Link Efficiency
-FR LFI
*For interleaving to work, both fragmentation and the LLQ policy must be configured with shaping disabled.
*Shaping is performed before LLQ, and FRTS itself uses FBWFQ, so FRTS queuing adds extra delay. Therefore shaping should not be applied to LLQ traffic, but it can be applied to other traffic (class-default).
Catalyst 3550 Qos
1. Globally enable QoS on a Catalyst 3550:
[no] mls qos
Switch#show mls qos
2. Classification:
(1) Untagged frames:
Manually assigning CoS values to untagged frames:
(conf-if)#mls qos trust cos
(conf-if)#mls qos cos [0-7] (default = 0)
(2) Tagged frames:
The default CoS-to-DSCP and IP precedence-to-DSCP mappings:
CoS/IP Prec * 8 = internal DSCP
0   0
1   8
2  16
3  24
4  32
5  40
6  48
7  56
To override the default mapping:
For CoS/IP precedence:
(conf-if)#mls qos trust cos/ip-precedence
(conf-if)#mls qos cos [0-7] (default = 0)
(conf-if)#mls qos cos override
For DSCP:
(global)#mls qos map dscp-mutation MAP_NAME 40 41 42 43 44 45 to 30
(conf-if)#mls qos trust dscp
(conf-if)#mls qos dscp-mutation MAP_NAME
#show mls qos interface
(3) Configure the switch to trust CoS/DSCP only when the switch connects to a Cisco IP Phone (only Cisco IP Phones support CDP):
(conf-if)#mls qos trust device cisco-phone
3.Policing
*The 2950 does not support egress policing; the 3550 does.
*Aggregate policers cannot be used across different policy maps or interfaces. Define multiple aggregate policers to work around this.
*Per-port per-VLAN policing (3550 only): nested class-maps must be used, e.g.:
class-map match-all demo
match vlan 21 100-102
match class-map interesting-traffic
*The policing trust action takes precedence over the port trust configuration.
*The 3550 policer supports normal burst only, no extended burst; it only has exceed-action (equal to a router's violate-action), no violate-action.
4. Queuing (congestion management)
*Configure the CoS-to-queue mapping:
(conf-if)#wrr-queue cos-map <Q-id> <cos1..cosN>
#show wrr-queue cos-map
Default map:
CoS   output queue
0-1   1
2-3   2
4-5   3
6-7   4
*Configure per-WRR-queue bandwidth:
(conf-if)#wrr-queue bandwidth W1 W2 W3 W4
Wn = weight of Qn
*If Q4 is configured as the priority queue, W4 is not used.
#show wrr-queue bandwidth
#show mls qos interface f0/4 queueing
*"wrr-queue dscp-map <threshold-id> <dscp1>...<dscp8>" is used on the INGRESS interface to map DSCP to drop thresholds 1 and 2.
FE ports only use threshold 2; GE ports can use 1 and 2.
5. Signal flow and the maps involved at each stage:
ingress ------------------> Classifying -------------> Queuing ---------> egress
DSCP-map (to threshold)     CoS-DSCP                   DSCP-CoS           CoS-map
                            ip-prec-DSCP
                            dscp-mutation
                            policed-DSCP
6. About the Modular QoS CLI:
You cannot use the service-policy interface configuration command to attach policy maps that contain these elements to an egress interface:
- set or trust policy-map class configuration commands. Instead, you can use the police command to mark down (reduce) the DSCP value at the egress interface.
- Access control list (ACL) classification.
- Per-port per-VLAN classification.
The only match criterion in a policy map that can be attached to an egress interface is the "match ip dscp dscp-list" class-map configuration command.
Per-port per-VLAN policing is not supported on routed ports or on virtual (logical) interfaces.
interface dampening:
1. Defaults: penalty 1000 per flap, half-life 5s, suppress penalty 2000, reuse penalty 1000, max-suppress-time 120s (must be larger than the suppress time).
SupP < MaxP = ReuseP * 2^(maxSupT/HalfL) < 20000
2. Calculating half-life / SupP:
Suppose dampening is required to trigger when n flaps occur within T (<= 30) seconds.
Take HalfL = T; for n=1, SupP <= 1000
n=2, SupP <= 1500
n=3, SupP <= 2000
n=4, SupP <= 2618
n=5, SupP <= 3000
n=6, SupP <= 4000
If SupP keeps its default value of 2000, every case with n >= 3 is satisfied.
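An executable version of the decay arithmetic behind these thresholds, added as an example (not code from the original post): penalty_after_flaps gives the penalty left after any sequence of flap times, max_penalty is the MaxP formula with the 20000 ceiling from item 1, and InterfaceDampening tracks one interface through the flap/decay/suppress/reuse cycle using the parameter names above (class and function names are this example's own; the flap sequence is constructed).

```python
# Added example: exponential-decay flap dampening with the parameters named in
# the note (half-life, reuse, suppress, max-suppress-time). Not code from the
# original post; class and function names are this example's own.

def penalty_after_flaps(flap_times, half_life, flap_penalty=1000):
    """Penalty remaining at the time of the last flap (no ceiling applied).

    Each flap adds flap_penalty, and every contribution halves once per
    half_life seconds, so the total is the decayed sum over all flaps.
    """
    last = max(flap_times)
    return sum(flap_penalty * 0.5 ** ((last - t) / half_life) for t in flap_times)


def max_penalty(reuse, half_life, max_suppress):
    """MaxP = ReuseP * 2^(maxSupT/HalfL), capped at 20000 as in item 1."""
    return min(reuse * 2 ** (max_suppress / half_life), 20000)


class InterfaceDampening:
    """Tracks the penalty and suppression state of one interface."""

    def __init__(self, half_life=5, reuse=1000, suppress=2000,
                 max_suppress=120, flap_penalty=1000):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        self.ceiling = max_penalty(reuse, half_life, max_suppress)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        """Apply the half-life decay since the last update; unsuppress below reuse."""
        self.penalty *= 0.5 ** ((now - self.last_update) / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, now):
        """Record a flap at time `now` (seconds); returns the new penalty."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.penalty

    def is_suppressed(self, now):
        """Suppression state at time `now`, after decaying the penalty."""
        self._decay_to(now)
        return self.suppressed


if __name__ == "__main__":
    # Constructed flap sequence with the defaults: three flaps five seconds
    # apart stay under the suppress penalty; a fourth flap one second later
    # crosses it, and the interface is reused once the penalty decays below 1000.
    d = InterfaceDampening()
    for t in (0, 5, 10, 11):
        print("t=%2ds penalty=%7.1f suppressed=%s" % (t, d.flap(t), d.suppressed))
    print("t=21s suppressed:", d.is_suppressed(21))
```

With the defaults the ceiling evaluates to 20000 because 1000 * 2^(120/5) is far above it; shortening max-suppress-time to 20s gives 16000, which is the kind of check the inequality in item 1 is meant for.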
IOS management
logging:
1. logging facility <facility-type>: forwards logs from a Unix system (makes itself the daemon?).
2. "logging on" is the default; "logging console debugging" and "logging monitor debugging" are both defaults. The default logging facility is local7.
IOS feature
DHCP
1.By default, the DHCP Server pings a pool address twice before assigning a particular address to a requesting client. If the ping is unanswered, the DHCP Server assumes (with a high probability) that the address is not in use and assigns the address to the requesting client.
3550
stp:
-Private VLANs can only be configured when VTP is in transparent mode.
Regular expressions: found in the appendix of the Dial configuration guide.
Topics to review:
=3550
-*mac acl
mac acl
mac access-list extended NAME
permit MAC MAC TYPE
int f0/x
mac access-group NAME in
//show mac access-group interface
//show access-lists
!MAC ACLs only apply to non-IP traffic!!!!
*vlan map acl
vlan access-map noicmp 10
match ip address icmp <-- if a non-existent IP ACL is written here, it defaults to match all
action drop
vlan access-map noicmp 20
action forward <-- with no match clause, this also equals match all
vlan filter noicmp vlan-list 10
ip access-list extended icmp
permit icmp any any
//show vlan access-map
//show vlan filter
*mst
-*pvlan
-*protected port
=ip nbar
Watch the requirements of the question: after completing the IGP, check whether all pre-configured interfaces are required to be reachable.
[This post was edited by the author on 2006-3-27 3:14:58]