I blasted through the first of half working on my CCNP, but I slowed way down since I didn't have a deadline to meet.  I studied up for my ham radio technician license, but that fell through when I couldn't find a volunteer to proctor the exam.  After I gave up on that, I started on my CCNA Voice so I could talk semi-intelligently about VoIP.  Of course, that hit a huge roadblock when I couldn't find a testing center open (they're all at schools which are closed for the holidays and for student testing at the end of the semester).  Now we're at the start of another year, and I met very few of my goals for 2010.

I hate it when I let things get out of control like that and I'm not going to let that happen this year.  To help me stay on track, I'm actually going to publish my certification goals for the year.  Since they're all public, people can mock me when I don't hit my own mark.

Very simple, really.  Finish up what I started and move heavily into the CCIE R&S studies.

• Finish my CCNA Voice
• Pass my CCIE R&S written exam
• Decide on a training provider for the lab
• Schedule the lab
• Optionally, take the lab

I hope that 2010 was a good one for you.  I wish you all the best in 2011.  Here's to making it the best yet!

Some stats for the site in 2010:

• New Visitors:  34,396
• Top Visiting Countries (besides the US):  UK, Australia, Canada, India, Germany
• Most Popular Visitor OSes (besides Windows):  Mac 10.6, Linux 2.6.32
• Top Article by Landings:  ASA 8.3.1 – Smart Tunnel and NAT Changes
• Top Page by Landings: Reasons I Hate Comcast (retired)
• Most Referrals:  packetlife.net
• Most Popular Search Term That Lead People Here:  "rspan"  <- Really?  That's odd.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

CCNA Voice

Circle 28 February 2011 on your calendars.  That's when the CCNA Voice track gets a shakeup.  The IIUC (640-460) exam will be no more, and passing CVOICE (642-436) will no longer be a valid way to get the cert.  After the big day, you'll have to take ICOMM (640-461).  This seems to be a much broader exam instead of having the enterprise and commercial focuses in CVOICE and IIUC, respectively.  Look out for both CME- and CUCM-based topics including a troubleshooting section. 

See also:  

Wendell Odom's blog at NetworkWorld

CCVP

The CCVP is now known as the CCNP Voice.  There are still five exams to get the certification, so it's not that different.  The QoS exam is gone, but the new CVOICE (642-437) exam includes QoS, so keep studying those queueing methods.  The TUC exam is replaced by TVOICE (642-427), which, on the surface seems to be just an update.  The CIPT1 (642-447), and CIPT2 (642-457) exams also look like they're simply updated, but you'll have to ask a Voice guy since I don't really know the differences here..  The last exam is CAPPS (642-467), and covers Unity, VPIM, and Presence.  Fun stuff.

See also:  

Wendell's blog again

CCSP

Like the Voice track, the CCSP gets a name change and is now known as the CCNP Security.  There are still four tests like the old track, but the content is updated.  You have to take the SECURE (642-637), FIREWALL (642-617), VPN (642-647), and  IPS (642-627).  Word on the street is that the new VPN exam eliminates the inconsistencies with VPN deployment methods taught in SNAF and SNAA.  

See also:

Wendell's blog again

Can someone explain why CCSP and CCNP Security are both still listed on the professional cert page at Cisco, but the CCNP Voice gets a "formerly known as" moniker?

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

If you remember, I took it over a week ago and had some bad luck on it.  Alright, bad luck is the wrong phrase.  I didn’t study enough and failed it.  This time, though, I had a special weapon on my side – the ROUTE Foundations book.  I haven’t used the Foundations books before, but, I saw some tweets about this one, so I picked it up off of Safari.  In just a couple pages, I realized that I was reading the answers to several questions directly out of the book.  It was amazing.  I only studied my weak points and wound up with 144 more points than I did last time.  I can’t say that was entirely because of the book, but I must say it was a big reason.

The test, like last time, was actually really good.  The questions were well-written and clear for the most part.  There were, of course, some that were confusing, but there weren’t any traps like you usually see in the other tests.  A couple asked you to do contradictory things.  There were a couple that just blasted you with information, but, if you read the question and know the material, the answer just pops right out at you.  Overall, another great test.  That makes 2 I’ve taken…and they’re both the 642-902.  :)

I’m quite excited about finishing up.  I’ve had a lot of failures along the way, but the support from the online community has been tremendous.  Thanks to everyone who kept pushing me and telling me I could do it.  I’m also happy to report that I kept the testing costs below the cost of the CCIE lab (barely) and that I may hold the record for number of P-level tests (8 P-levels tests and 10 overall) and overall Cisco test questions answered (535 questions).  What an honor.  *denotes sarcasm*

So, what’s next?  I think I’m going to take a month or two off from networking to study up for a ham radio license.  We get a lot of hurricanes down here, and having a good radio around will help us and the community out if such a disaster happens.  I’m calling it prep for CCIE-Wireless.  Heh.  When I get done with that, I either plan on hitting up the CCIE-R&S or going down the CCDP track.  I’m not really sure, but we’ll see when we get there.

Don’t worry.  The blog will stay network-related.  With the feedback from the study questions format, I think I’ll start a problem question and answer format.  I’m also thinking of generating scenarios to work through.  Again, we’ll see when we get there.

Send any trips to Delaware questions my way.

Audio Commentary:

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

Study Questions

• I’ve got IGRP and EIGRP both configured with the same AS number.  What’s special about this configuration?

If both use the same AS number, then they automatically redistribute their routes into each other without using the redistribute command.

• When redistributing one IGP into another, where’s a good place to filter routes?

There’s no one good place, but at the router(s) that’s doing the redistribution is a good start.  There’s no need to send an IGP a bunch of routes it doesn’t need.

• When redistributing one IGP into another, where’s a good place to summarize routes?

There’s no one good place, but that may be best done at the router just inside the redistributing router.  If the redistributing router only sees the summary route, that’s what it will pass to the other IGP.

• What’s the default metric of RIP?

That’s infinity, so it’s unreachable with an explicit metric.

• I’ve redistributed OSPF into RIP, but I don’t see my subnets there.  What gives?

RIP automatically summarized routes, so look for summaries instead of specific subnets.

• How can you limit the number of routes redistributed into EIGRP or OSPF?

Use the redistribute maximum-prefix X directive under the routing protocol, where X is the maximum number of routes.

• What are the metrics of connected routes when redistributed into EIGRP?

Those routes take the metric of the associated interface instead of using the metric you gave to the redistribution.  [This seems fishy at best.  Can anyone help clarify, please?]

• I have 845734928 interfaces on my router, but I only want to use 3 of them for EIGRP and only want to configure a single network statement.  What’s the easiest way to do that?

Set all the interfaces as passive with the passive-interface default router subcommand.  Next, make all your interesting interfaces non-passive with the no passive-interface X subcommand.  Now you can configure network 0.0.0.0 255.255.255.255 to match all the interfaces, but only the interesting interfaces will participate.

• What is the term for the rank of trustworthiness a routing protocol provides?

Administrative distance

• How can I change the AD of external EIGRP routes to 201 while keeping the default AD for internal EIGRP routes?

Router1(config-router)#distance eigrp 90 201
You have to set both, so you’ll have to remember that EIGRP has an AD of 90 for internal routes by default.

• How can I change the AD of OSPF routes to 192.168.0.0/24 to 202?

Router1(config)#access-list 88 permit 192.168.0.0 0.0.0.255
Router1(config)#router ospf X
Router1(config)#distance 202 0.0.0.0 255.255.255.255 88

• Is it possible to set the AD of different OSPF routes types like intra-area and interarea?

Yes.  You can give it the old distance ospf inter-area X to change the AD.  It also works for intra-area and external routes.

• Is it possible to set the AD of an external OSPF route to 192.168.100.0/24 to 202 without changing the others?

I would have though you could use a route-map for that, but I can’t find a proper set command in a route-map.  [A little help, please.]

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

Study Notes

• Is BGP route selection a controversial subject?

Yes.  If you ask 1000 network guys the best way to influence BGP, you’ll probably get 1000 different answers.

• At what position in the PA list of a BGP update do you find the weight attribute?

You don’t.  Weight is a Cisco-proprietary thing.

• List the attributes of a BGP route that a Cisco router evaluates in order of operation with a short description.

Next-hop : Is the next hop IP reachable?
Weight : A numeric value where bigger is better; this is of local significance and is not passed to any BGP peers
LOCAL_PREF : A numeric value where bigger is better; this is shared within an AS
Local : Is the next hop me (0.0.0.0)?
AS_PATH length : The number of AS hops to the destination; the closer the better
ORIGIN : Did this route come from an IGP (I), an EGP (E), or somewhere else(?)?  I over E over ?
MED : Multi Exit Discriminator; can be used by one AS to influence routes to that AS; smaller is better
Neighbor type : eBGP are better than iBGP routes
IGP metric : Prefer the next-hop address that’s closest via an IGP like OSPF or EIGRP (or RIP, Ivan)
Route age : Prefer the oldest (and thus the most stable) route
Lowest BGP neighbor router ID : Do I have to explain that one?
Lowest BGP neighbor IP : You know what this is, right?

• Alright, what’s the mnemonic?

N WLLA OMNI

• Which attributes can be used to influence your path out to another AS?

Weight
LOCAL_PREF
AS_PATH

• Which attributes can be used to influence another AS’s path to you?

MED
AS_PATH

• When you look at the output of show ip bgp, which column lists the MED?

The Metric column.

• If there are two entries for a network in the output of show ip bgp, in what order are they listed?

They are listed from youngest to oldest.  You can infer the comparative age by looking at the order in which they appear.  See “route age” in the attribute list.

• If I set the weight of a prefix with a route-map in the BGP neighbor config, but then set the weight of the neighbor, what shows up in the BGP table?

The neighbor weight trumps the prefix weight, so all routes from that neighbor will be weighted the same.

• What is different about weight compared to the other attributes?

Weight is actually not a BGP path attribute (PA).  When a route is received from a BGP peer, the weight is set and stored locally; it is not an attribute carried in the routing update like AS_PATH or MED.

• If you receive the same route from both an eBGP and iBGP peer, what will the local preference be for each route assuming you haven’t changed the explicitly?

The eBGP route’s local preference will be null, and the iBGP route’s will be 100.

• What is maximum-paths in BGP land?

That’s the maxiumum number of routes that BGP will submit to the RTM if routes are still tied by the IGP metric step of the tie breaker process.

• I applied a route map to a BGP neighbor to change the AS path, but now all the routes are gone except for the influenced routes; what happened?

BGP always tries to filter routes if you use a route map, so you probably just forgot your explicit permit at the end of the route map.

• What super-common mechanism is typically used to change BGP attributes like MED or AS path?

route-maps rock!

• What does “>” mean in the output of show ip bgp?

That means the path indicated is the best path for the prefix.

What Command Was That

What command…

• …shows the weights for all BGP routes?

show ip bgp

• …shows the local preference for all BGP routes?

show ip bgp

• …shows the AS path for all BGP routes?

show ip bgp

• …show the MED for all BGP routes?

show ip bgp [ look under the Metric column ]

• …shows all the prefixes that a router knows via BGP?

show ip bgp [ is there a theme here? ]

• …shows the MED for a specific BGP route in the routing table without using show ip bgp?

show ip route x.x.x.x [ and look for the metric of the route; the number after the AD ]

• …shows why a BGP route wasn’t inserted into the routing table?

show ip bgp rib-failures

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

Study Notes

• What do IPSec tunnels give you when a branch office is on a broadband connection?

Privacy through encryption
Authentication of the remote peer through ISAKMP
Delivery of private data over the public Internet

• What do you need to configure to get your branch router talking to the Internet?

ISP connection configuration such as PPPoE or PPPoA
DHCP server configuration for internal users
NAT
Firewall services like inspection and filtering

• What kind of routes would you normally see on a small branch router with a single IPSec tunnel home?

You would usually just see a default route to the ISP; IPSec will intercept interesting traffic and take care of sending the packets home without having routes for home networks configured.

• What’s a really easy way to get routes to fail from a WAN link to a GRE tunnel when the WAN link dies?

Floating static routes

• What do GRE tunnels allow you to do that native IPSec tunnels don’t?

Run a routing protocol

• Your DSL provider has given you a VPI/VCI of 1/50 to use on your branch router’s ATM 0/0 interface.  Show me the full configuration to get basic web surfing working (ignore DNS and DHCP).

interface ATM0/0
no ip address
pvc 1/50
encapsulation aal5mus ppp dialer
dialer pool-member 1
!
interface Dialer9
encapsulation ppp
ip address negotiated
dialer pool 1
ppp authentication chap callin
ppp chap password MYPASSWORD
ip nat outside
!
interface E0/0
ip add 192.168.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Dialer9

• For what would you use an ACL when configuring IPSec tunnels?

You define interesting traffic with ACLs.

• What are the two basic configuration items in a crypto map for an IPSec tunnel?

Matching ACL
IPSec peer IP

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

• Your boss says that ever host in the network needs to be converted over to IPv6 by the end of the day.  Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use to help with that conversion?

Native IPv6

• The engineering department wants to permanently use IPv6 on their test boxes in two offices.  Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?

Point-to-point tunnels

• A handful of departments want to use IPv6 for testing but have no schedule.  Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?

Multipoint tunnels

• You’ve implemented 6to4 tunnels and are turning up another router that should participate.  What do you need to configure on the other routers to support the new one?

Nothing.  The use of 6to4 tunnels requires a strict addressing scheme that is used to determine tunnel endpoints dynamically.

• You’ve implemented ISATAP tunnels and are turning up another router that should participate.  What do you need to configure on the other routers to support the new one?

You need to add static routes pointing the new prefix across the IPv6 address of the new router’s tunnel interface.

• How does a router using 6to4 tunnels determine tunnel endpoints?

The second and third quartet of the destination address are used to figure out what the IPv4 tunnel endpoint is.  For example, a host on 2002:a01:a01::/64 sits behind the tunnel endpoint at 10.1.10.1.

• Don’t you need to have some sort of IPv6 routing enabled to use 6to4 tunnels?

Since 6to4 tunnels use the reserved prefix of 2002::/16, all the routers just have to point that prefix out the tunnel interface.  Since this covers all the networks that 6to4 uses,  no other routes are necessary.

• How does a router using ISATAP tunnels determine tunnel endpoints?

The last two quartets (7 and 8) of the endpoint’s tunnel interface are used to determine the IPv4 tunnel endpoint.  For example, a router with an IPv6 address of 2000::a04:b0b has an IPv4 tunnel endpoint of 10.4.11.11.

• What are the different types of IPv6 tunnels, and what are their tunnel modes?

Manual IPv6 point-to-point – tunnel mode ipv6ip
GRE point-to-point – tunnel mode gre ip
6to4 multipoint – tunnel mode ipv6ip 6to4
ISATAP multipoint – tunnel mode ipv6ip isatap

• Which tunnels types support OSPFv3?

Manual IPv6 and GRE

• How are routes learned on ISATAP tunnels?

Routes aren’t really learned.  ISATAP requires a static route pointing prefixes towards a tunnel address on a distance router.

• How are the local link addresses determined on an ISATAP tunnel?

The local link address, like all local link addresses, starts with fe80 and ends with the IPv4 address of the tunnel source as the last two quartets; quartets 2 through 6 are all zeroes.

• What is required to be configured when using any of the tunnel types?

ipv6 unicast-routing

What Command Was That?

What command…

• …shows the status of an IPv6 tunnel?

show ipv6 interface tunnel X
show ipv6 interface brief
show interfaces tunnel X

• …shows the routes involved with an IPv6 tunnel?

show ipv6 route

• …pings a distant host over an IPv6 tunnel terminated on the router?

ping ipv6 distantaddress source localaddress

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

• Why would anyone develop a version of RIP that supports IPv6?

I have no idea.  Boredom, maybe.  Whatever the case, it works just like RIPv2, which is pretty scary.

• In EIGRP for IPv4, there are several requirements for two routers to neighbor up.  Which of those is not true for EIGRP for IPv6?

The two routers don’t need to be in the same subnet.  The concept of the link local address takes care of that need since neighbors always share a common medium like an Ethernet segment or a serial link.

• I configured EIGRP for IPv6 on my completely IPv6 router, but it’s not working.  Nothing happens.  What’s going on?

For one, you have to do a no shutdown as an EIGRP subcommand; by default, EIGRP for IPv6 is in a shutdown state.  Another reason could be that a router ID hasn’t been set; EIGRP for IPv6 still uses the IPv4 addresses to establish a router ID, so you may have to set one manually.

• I tried to configure EIGRP for IPv6 with the network statements, but it’s not taking the command.  What gives?

You actually configure EIGRP for IPv6 (and RIPng and OSPFv3) the “new way” by using the interfaces.  Try doing a ipv6 eigrp X as an interface subcommand.

• When redistributing one IPv6 IGP into another, what kinds of routes will and won’t be redistributed?

Only routes discovered via the original IGP will be redistributed.  Connected routes, even the ones configured in the original IGP, won’t be redistributed.  Link local addresses and local routes will also NOT be redistributed.

• Show me a simple RIPng config.

R1(config)#ipv6 router rip PROC-NAME
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 rip PROC-NAME enable

• Show me a simple EIGRP for IPv6 config.

R1(config)#ipv6 router eigrp 8
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#no shutdown
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 eigrp 8

• Show me a simple OSPFv3 config.

R1(config)#ipv6 router ospf 4
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 ospf 4 area 0

• How do you include connected routes when redistributing one IGP into another in IPv6?

Use the include-connected directive in the redistribution command.

• In EIGRP for IPv6, what address shows up as the next hop in the routing table?

The link local address of the advertising router.

What Command Was That

What command is used to…

• …show all the IPv6 routes?

show ipv6 route

• …shows the status of OSPFv3 neighbors?

show ipv6 ospf neighbor

• …shows the status of RIPng neighbors?

There is none; RIPng doesn’t have neighbors.

• …shows a route to a specific prefix?

show ipv6 route prefix::/length

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

• Exactly how big is an IPv6 address?

It’s 128 bits long.

• This shouldn’t be on the test, but how many unique addresses is that?

That’s 2^128 or a “3″ with 38 zeros after it.  That’s also 2^95 addresses for each person on earth.

• Surely we’re not writing in binary, are we?

No way.  IPv6 uses 32 hex characters.  Each character is 4 bits, so we wind up with 128 bits of data.

• Surely all 32 characters aren’t just written out together in one continuous string, are they?

No again.  They’re written in groups of 4 separated by colons.  For example, 2000:1234:0184:AB33:0000:0000:1084:0001 is a valid IPv6 address.

• That’s still a lot of characters; tell me that there’s a shortcut to writing those out.

There are two shortcuts, actually.  First, you can omit leading zeros in an octet (4 hex digits).  You can also replace a single run of octets that are all zeros with a double colon (::).  If we took our example above and shortened it, we would wind up with 2000:1234:184:AB33::1084:1.  Notice that some octets are less than 4 characters longs and that the two octets of zeros are replaced wih the double colon.

• If an implementation plan says that you should statically configure all the IPv6 addresses on a bunch of routers, what should you do?

You should send the plan back for revision since there are two methods to statically configure an IPv6 address – static and static with EUI-64.

• What the heck is EUI-64?

EUI-64 is a IEEE standard for deriving a unique ID from a MAC address.  It splits the MAC address in half, shoves a “FFFE” in the middle (since MACs are 48-bits long and we need 16 more bits to make 64), and toggles the 7th bit in the whole string.

• What are you talking about?

Example time!  Your MAC is 0000.3333.1938.  First, we split the MAC in half and shove in the “FFFE” to give us 0000:03FF:FE33:1938.  Next, we toggle the 7th bit in the string to give us 0200:03FF:FE33:1938.

• What are the two methods for dynamically assigning an IP address?

Stateful DHCP and Stateless autoconfig.

• What’s the difference between stateful and stateless DHCP?

Stateful DHCP functions similarly to the IPv4 version where a DHCP server gives a host and IP address, mask, etc., and keeps a record of the lease.  Stateless DHCP simply tells a host what DNS servers to use without recording the transaction.

• How do I calculate the network and broadcast addresses in IPv6?

You don’t!  There’s no such thing as either.

• That’s cool, but how do I address groups of addresses?

IPv6 makes use of multicasting to do that.  All multicast addresses are in the prefix FF/8, and can serve many purposes.  For example, all hosts on a subnet respond to FF02::1, and all routers respond to FF02::2.

• Your all-knowing Network Architect wants all the IPv6 addresses of the routers to be the lowest in a prefix like you do with IPv4.  How can you assign the addresses like that?

You can statically configure the whole 128-bit address.  You can also set the MAC address to 0000.0000.0001 (or whatever) and use the static with EUI-64 method.

• What’s the better of the two methods?

There is never a better method to use.  You have to figure out what you want to do and which method would be best suited for your situation.

• What risks do you take with changing a MAC address?

If you change two or more routers to the same MAC address, you will have all sorts of problems from IPv6 conflicts down to CAM table flapping.  Be careful!

• What are the different types of IPv6 address and what do they do?

Global unicast – a globally-unique address that can be used throughout the world
Unique local – a site-unique address that can be used throughout your organization (like RFC1918)
Link local – an address that is only addressable on a single segment/subnet/prefix

• For what is the link local address used?

Every host has a link local address that is used to communicate on a link (or subnet).  This address always begins with FE80/10 and uses the EUI-64 technique to generate the full address.

• How does an IPv6 host (like your laptop) get its default gateway?

The host sends a router soliciation (RS) ICMP message sourced from it’s link-local address.  Each router on the subnet then responds with a router advertisement (RA) that says it’s available for use as a gateway.

• What must you configure on your router to allow it to respond to RS messages?

You only need to enable IPv6 and have a global unicast IPv6 address configured.

• My ARP table is empty; why is that?

IPv6 doesn’t use ARP like IPv4 does.  Instead, IPv6 uses neighbor discovery to populate the layer3-to-layer2 mappings.  The process is similar to the router discovery, except that the host suse neighbor soliciation (NS) and neighbor advertisement (NA) packets.

• How does an IPv6 host detect duplicate addresses?

When a host comes up, it calculates an address called the solicited node multicast address, which is a special multicast group in the prefix FF02::1:FF00:0/104.  The last 24 bits of the address are taken off the end of an IPv6 address configured on the device to finish the address.  Each address on the device gets one, so you may have a lot of solicited node multicast addresses.  To the point, when the box is bringing up the interface(s), a NS is sent to the solicited node multicast address (which basically is hosts with somewhat similar IPv6 address configured), and, if a NA is received with the same address that the device has configured, there’s a duplicate IP!¹

• Why doesn’t a host just use FF00::1 to detect duplicates?

This is just an efficiency thing.  There’s no need to ask every node on the segment what address they have when you can just ask a small subset of nodes that have similar addresses.

What Command Was That

What command is used to…

• …show all the IPv6 routes on a router?

show ipv6 route

• …show a brief summary of the IPv6 interfaces?

show ipv6 interface brief

• …show all the multicast groups of which a router is a member?

show ipv6 interface X

• …shows all the neighbors that have been discovered?

show ipv6 neighbor

• …shows all the routers that have been discovered?

show ipv6 routers

1  Thanks to Jochen for clearing that up for me!

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

Study Questions

• What’s the most primitive way to get traffic destined to a single host to use a different path than your dynamic IGP dictates?

Use a static route.

• What’s the most primitive way to get traffic sourced from a single host to use a different path than your dynamic IGP dictates?

Use policy-based routing (PBR).

• What’s the most primitive way to get traffic sourced from a single host and destined for another host to use a different path than your dynamic IGP dictates?

Use PBR.

• What are the steps to configure PBR?

Configure a route-map to match the desired traffic
Apply that route-map to an interface with the ip policy route-map command

• Configure PBR to send traffic that arrives on F0/0 from 10.0.0.5 destined for for 192.168.3.3 to be sent out the s0/0 interface.

R1(config)#ip access-list extended PBR-ACL1
R1(config)#permit ip host 10.0.0.5 host 192.168.3.3
R1(config)#route-map PBR-F0/0
R1(config-route-map)#match ip address PBR-ACL1
R1(config-route-map)#set interface s0/0
R1(config-route-map)#int f0/0
R1(config-if)#ip policy route-map PBR-F0/0

• What happens if you use PBR to redirect traffic to an IP that becomes unreachable?

That clause in the route-map is ignored, and the normal routing table is used.

• What difference does using default make in the set directive of the route-map?

If you use the default parameter in the set directive, then the router will first try to use the routing table to forward traffic before using the PBR settings.  The one caveat, though, is the default chosen for the traffic cannot be the default route; a more-specific route must be in the routing table or else the PBR logic rears its head.

• What is IP SLA?

IP SLA is a feature of a Cisco IOS device where a process measures the behavior of the network.

• Why is this topic in the ROUTE book?

You can configure a track object to use IP SLAs to get a “failed” or “ok” status.  That track object can be applied to static routes and PBR so that the routing is changed if the IP SLA measures a characteristic outside of normal parameters.

• What are the steps to configure IP SLA?

Create an IP SLA operation.
Define the type and parameters for the operation.
Define the frequency to run the operation.
Schedule when to start the operation.

• How do I use IP SLA to check if a host is pingable?

You use the icmp-echo as the operation type along with, at minimum, the IP address to ping.

• How can I use IP SLA to know whether a static route is usable or not?

First, create an IP SLA operation to ping the gateway for that route.

R1(config)#ip sla 5
R1(config-ip-sla)#icmp-echo 1.1.1.1
R1(config-ip-sla)#frequency 60  [ in seconds ]
R1(config-ip-sla)#exit
R1(config)#ip sla schedule 5 start-time now life forever

Then create a track object that references the IP SLA operation you just created.

R1(config)#track 2 ip sla 5 state
R1(config-track)#delay up 90 down 90 [ up if delay is below 90, down if above 90 ]

Finally, add the track to the static route.

R1(config)#ip route 10.0.0.0 255.255.0.0 1.1.1.1 track 2

Now, if the router can’t ping 1.1.1.1, the static route will be taken out of the routing table.

• What’s an IP SLA responder?

That’s (usually) a router that has been configured to interact with the IP SLA operation of another router to get characteristics of the connection between the two.  These characteristics include jitter and TCP establishment times.

• How can I use a track object in PBR?

In the set directive, you use the track parameter.  The sequence parameter is also used, but it’s not a part of the tracking process; it’s used to have the router go down a list of next hops until it finds on that’s available.  Here’s an example.

set ip next-hop verify-availability 192.168.0.1 1 track 5

• Ummm…the book doesn’t have anything about that; what gives?

The cert guide leaves that part out for some reason even though it’s a very important part of IP SLA and PBR.  Go figure.

What Command Was That

What command…

• …shows interfaces that have PBR configured on them?

show ip policy

• …shows the routing table and includes all the PBR configuration?

There isn’t one.  You have to remember to check for PBR when traffic isn’t flowing as you think it should.

• …shows the IP SLA configuration?

show ip sla configuration [ Duh! ]

• …shows the IP SLA statistics?

show ip sla statistics [ Duh, again! ]

• …shows the track objects on a router?

show track

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts