Pete's Packet

Limitless


QOS notes

Posted by Peter Kurdziel on January 25, 2009

Task: mark telnet as ip prec 1 and tftp as ip prec 2. Classification is NBAR (match protocol), so ip cef has to be on first; the marking policy is applied outbound on the serial subinterface.

ip cef

class-map match-all TASK1-1
match protocol tftp
class-map match-all TASK1
match protocol telnet
!
!
policy-map TEST
class TASK1
set ip precedence 1
class TASK1-1
set ip precedence 2

interface Serial1/0.23 point-to-point
service-policy output TEST

R2(config)#do sho policy-map int s1/0.23

Serial1/0.23

Service-policy output: TEST

Class-map: TASK1 (match-all)
12 packets, 560 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
QoS Set
precedence 1
Packets marked 12

Class-map: TASK1-1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol tftp
QoS Set
precedence 2
Packets marked 0

Class-map: class-default (match-any)
10 packets, 1596 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
———————————————————

Task: block (drop) anything arriving already marked ip prec 1, i.e. an inbound policy-map whose only action for that class is drop.

class-map match-all BLOCKPREC1
match ip precedence 1
!
!
policy-map BLKPREC1PM
class BLOCKPREC1
drop

interface Serial1/0.32 point-to-point
service-policy input BLKPREC1PM
———————————————

NBAR protocol discovery and custom port maps (CEF required). Caveat: port-map replaces the whole port list for that protocol, so the well-known port (80, 23) must be repeated next to the extra one or NBAR stops matching it.

ip cef

int e0/0
ip nbar protocol-discovery

ip nbar port-map http tcp 80 1180
ip nbar port-map telnet tcp 23 1123

R3#sh ip nbar port-map http
port-map http                     tcp 80 1180
R3#sh ip nbar port-map teln
port-map telnet                   tcp 23 1123

—————————————————–

Task: mark TCP traffic on well-known ports (< 1024, as source or destination) as ip prec 4 and everything else as ip prec 0. ACL 100 covers both directions; class OTHERS is built with match not class-map QOS (nested class-map), which here catches the same traffic class-default would.

ip cef

class-map match-all QOS
match access-group 100
class-map match-all OTHERS
match not class-map QOS
!
!
policy-map QOSPM
class QOS
set ip precedence 4
class OTHERS
set ip precedence 0

interface Ethernet0/0
service-policy output QOSPM

access-list 100 permit tcp any any lt 1024
access-list 100 permit tcp any lt 1024 any
————————————————–

PRIORITY QUEUING (legacy PQ). Strict priority: the high queue is always served before medium, normal and low, so a busy high queue starves everything below it. Rules are evaluated in the order entered, first match wins, unmatched traffic goes to the default queue.

access-list 131 permit ip host 131.1.1.1 host 131.1.2.2
priority-list 1 protocol ip low list 131
priority-list 1 interface Loopback0 high
priority-list 1 protocol ip medium tcp www
priority-list 1 protocol ip normal udp tftp
priority-list 1 default low

int e0/0
priority-group 1

R1(config-if)#do sho queuein priority
Current DLCI priority queue configuration:
Current priority queue configuration:

List   Queue  Args
1      low    default
1      low    protocol ip          list 131
1      high   interface Loopback0
1      medium protocol ip          tcp port www
1      normal protocol ip          udp port tftp

testing: turn off CDP and the interface keepalive so only the test traffic shows up in the debug output
no cdp run
int e0/0
no keepalive
debug priority

R1(config-if)#do ping
Protocol [ip]:
Target IP address: 131.1.2.2
Repeat count [5]:
*Mar  1 00:53:10.271: PQ: Ethernet0/0: ip (defaulting) -> low
*Mar  1 00:53:10.271: PQ: Ethernet0/0 output (Pk size/Q 66/3)

Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 131.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 131.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/44 ms
R1(config-if)#
*Mar  1 00:53:23.711: PQ: Ethernet0/0: ip (s=131.1.1.1, d=131.1.2.2) -> low
*Mar  1 00:53:23.715: PQ: Ethernet0/0 output (Pk size/Q 114/3)
*Mar  1 00:53:23.759: PQ: Ethernet0/0: ip (s=131.1.1.1, d=131.1.2.2) -> low
*Mar  1 00:53:23.759: PQ: Ethernet0/0 output (Pk size/Q 114/3)
*Mar  1 00:53:23.795: PQ: Ethernet0/0: ip (s=131.1.1.1, d=131.1.2.2) -> low
*Mar  1 00:53:23.795: PQ: Ethernet0/0 output (Pk size/Q 114/3)
*Mar  1 00:53:23.811: PQ: Ethernet0/0: ip (s=131.1.1.1, d=131.1.2.2) -> low
*Mar  1 00:53:23.811: PQ: Ethernet0/0 output (Pk size/Q 114/3)
*Mar  1 00:53:23.827: PQ: Ethernet0/0: ip (s=131.1.1.1, d=131.1.2.2) -> low
R1(config-if)#
R1(config-if)#
*Mar  1 00:53:23.827: PQ: Ethernet0/0 output (Pk size/Q 114/3)
R1(config-if)#
*Mar  1 00:53:36.039: PQ: Ethernet0/0: ip (defaulting) -> low
*Mar  1 00:53:36.039: PQ: Ethernet0/0 output (Pk size/Q 66/3)
R1(config-if)#
*Mar  1 00:53:48.419: PQ: Ethernet0/0: mop-console (defaulting) -> low
*Mar  1 00:53:48.419: PQ: Ethernet0/0 output (Pk size/Q 77/3)
R1(config-if)#

testing http

R1(config-if)#do telnet 131.1.12.2 80
Trying 131.1.12.2, 80 ... Open

*Mar  1 00:54:59.027: PQ: Ethernet0/0: ip (defaulting) -> low
*Mar  1 00:54:59.027: PQ: Ethernet0/0 output (Pk size/Q 66/3)
*Mar  1 00:54:59.967: PQ: Ethernet0/0: ip (tcp 80) -> medium
*Mar  1 00:54:59.967: PQ: Ethernet0/0 output (Pk size/Q 60/1)
*Mar  1 00:55:00.011: PQ: Ethernet0/0: ip (tcp 80) -> medium
*Mar  1 00:55:00.015: PQ: Ethernet0/0 output (Pk size/Q 60/1)
*Mar  1 00:55:00.023: PQ: Ethernet0/0: ip (tcp 80) -> medium
*Mar  1 00:55:00.027: PQ: Ethernet0/0 output (Pk size/Q 60/1)
———————————————————–

Task: change the priority queue limits to high 80, medium 60, normal 40, low 20 packets (IOS defaults are 20/40/60/80); the arguments are given in the order high medium normal low.

priority-list 1 queue-limit 80 60 40 20

R1(config)#do sho queuei pr
Current DLCI priority queue configuration:
Current priority queue configuration:

List   Queue  Args
1      low    default
1      low    protocol ip          list 131
1      high   interface Loopback0
1      medium protocol ip          tcp port www
1      normal protocol ip          udp port tftp
1      high   limit 80
1      medium limit 60
1      normal limit 40
1      low    limit 20
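Added example, not from the notes: a Python model of priority-list 1 above, with the page's rules evaluated in order, strict-priority dequeue, and per-queue tail drop at the queue-limit values. Packet fields, the sample packets and the in_if attribute used for the Loopback0 rule are constructed for the model.

```python
"""Legacy priority queuing (priority-list 1 from the notes), modelled in Python.

Classification mirrors the list: rules are tried in the order they were entered
and the first match wins; anything unmatched goes to the default queue (low).
Dequeue is strict priority: a queue is served only when every higher queue is
empty. Each queue tail-drops once it holds queue-limit packets
(IOS defaults high/medium/normal/low = 20/40/60/80).
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

QUEUES = ("high", "medium", "normal", "low")          # strict service order
DEFAULT_LIMITS = {"high": 20, "medium": 40, "normal": 60, "low": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp" (constructed field names)
    dport: Optional[int] = None
    in_if: Optional[str] = None   # hypothetical ingress interface, for the Loopback0 rule


def acl_131(p: Packet) -> bool:
    """access-list 131 permit ip host 131.1.1.1 host 131.1.2.2"""
    return p.src == "131.1.1.1" and p.dst == "131.1.2.2"


# (predicate, queue) in priority-list order; first match wins.
RULES: List[Tuple[Callable[[Packet], bool], str]] = [
    (acl_131, "low"),                                           # protocol ip low list 131
    (lambda p: p.in_if == "Loopback0", "high"),                 # interface Loopback0 high
    (lambda p: p.proto == "tcp" and p.dport == 80, "medium"),   # protocol ip medium tcp www
    (lambda p: p.proto == "udp" and p.dport == 69, "normal"),   # protocol ip normal udp tftp
]
DEFAULT_QUEUE = "low"                                           # priority-list 1 default low


def classify(p: Packet) -> str:
    for predicate, queue in RULES:
        if predicate(p):
            return queue
    return DEFAULT_QUEUE


class PriorityQueueing:
    def __init__(self, limits: Optional[Dict[str, int]] = None) -> None:
        self.limits = {**DEFAULT_LIMITS, **(limits or {})}    # priority-list 1 queue-limit ...
        self.queues: Dict[str, Deque[Packet]] = {q: deque() for q in QUEUES}
        self.drops = {q: 0 for q in QUEUES}

    def enqueue(self, p: Packet) -> Tuple[str, bool]:
        """Classify and queue; returns (queue, accepted). A full queue tail-drops."""
        q = classify(p)
        if len(self.queues[q]) >= self.limits[q]:
            self.drops[q] += 1
            return q, False
        self.queues[q].append(p)
        return q, True

    def dequeue(self) -> Optional[Tuple[str, Packet]]:
        """Strict priority: first non-empty queue in high > medium > normal > low order."""
        for q in QUEUES:
            if self.queues[q]:
                return q, self.queues[q].popleft()
        return None

    def drain(self) -> List[str]:
        """Transmit everything queued; return the queue each packet came from, in order."""
        order: List[str] = []
        while (item := self.dequeue()) is not None:
            order.append(item[0])
        return order


def starvation_demo(n_slots: int) -> int:
    """One unmatched (low) packet waits while a web packet (medium) arrives before every
    transmit slot. Returns the slot in which the low packet went out, or -1 if never."""
    pq = PriorityQueueing()
    pq.enqueue(Packet("10.0.0.1", "10.0.0.2", "tcp", 22))       # unmatched -> low
    for slot in range(n_slots):
        pq.enqueue(Packet("10.0.0.1", "10.0.0.2", "tcp", 80))   # steady web traffic -> medium
        served = pq.dequeue()
        if served is not None and served[0] == "low":
            return slot
    return -1


if __name__ == "__main__":
    print(classify(Packet("131.1.1.1", "131.1.2.2", "icmp")))        # low, as the ping debug showed
    print(classify(Packet("131.1.1.1", "131.1.12.2", "tcp", 80)))    # medium, as the telnet-to-80 test showed
    print(starvation_demo(1000))                                     # -1: strict PQ never serves it
```

The starvation_demo result is the practical reason legacy PQ is rarely used for anything but small control-plane classes: a steady medium-queue load is enough to keep a low-queue packet waiting forever.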
———————————————

custom queuing (legacy CQ): queues 1-16 are served round-robin, each sending up to its byte-count per pass (default 1500 bytes); queue 0 is the system queue. The queue number follows the protocol/interface keyword, so `queue-list 1 protocol ip 6 tcp 69` is queue 6 for TCP port 69. Caveat: TFTP is UDP/69, so that rule as written will not catch TFTP.

access-list 100 permit ip host 131.1.1.1 host 131.1.2.2

queue-list 1 protocol ip 2 list 100
queue-list 1 interface Loopback0 1
queue-list 1 protocol ip 3 tcp telnet
queue-list 1 protocol ip 4 tcp www
queue-list 1 protocol ip 6 tcp 69
queue-list 1 default 5

int e0/0
custom-queue-list 1

do sho queuein cus
Current custom queue configuration:

List   Queue  Args
1      5      default
1      2      protocol ip          list 100
1      1      interface Loopback0
1      3      protocol ip          tcp port telnet
1      4      protocol ip          tcp port www
1      6      protocol ip          tcp port 69
——————————————————

WFQ on the serial link: congestive discard threshold 128 packets, 512 dynamic conversation queues

R1(config)#int s1/0
R1(config-if)#fair-queue 128 512

R1(config-if)#do sho queuei f
Current fair queue configuration:

Interface           Discard    Dynamic  Reserved  Link    Priority
                    threshold  queues   queues    queues  queues
Serial1/0           128        512      0         8       1

Serial1/0 is up, line protocol is up

Queueing strategy: weighted fair
Output queue: 0/1000/128/0 (size/max total/threshold/drops)
Conversations  0/1/512 (active/max active/max total)
———————————————————-

CBWFQ with absolute bandwidth in kbps. Classes are evaluated top-down in the policy-map, first match wins, so class URL (http to one host) has to sit above class HTTP or it would never match.

class-map match-all TFTP
match protocol tftp
class-map match-all HTTP
match protocol http
class-map match-all FTP
match protocol ftp
class-map match-all URL
match protocol http host "www.net-workbooks.com"
!
!
policy-map TEST
class TFTP
bandwidth 2000
class URL
bandwidth 6000
class HTTP
bandwidth 5000
class FTP
bandwidth 3000

R1(config-if)#do sho policy-map int f0/0
FastEthernet0/0

Service-policy output: TEST

Class-map: TFTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol tftp
Queueing
Output Queue: Conversation 265
Bandwidth 2000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: URL (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "www.net-workbooks.com"
Queueing
Output Queue: Conversation 266
Bandwidth 6000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
Queueing
Output Queue: Conversation 267
Bandwidth 5000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: FTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ftp
Queueing
Output Queue: Conversation 268
Bandwidth 3000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
2 packets, 126 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

==========================================================================

class-map match-all TFTP
match protocol tftp
class-map match-all HTTP
match protocol http
class-map match-all FTP
match protocol ftp
!
!
policy-map TEST
class TFTP
bandwidth percent 25
class HTTP
bandwidth percent 35
class FTP
bandwidth percent 20

The three classes reserve 25 + 35 + 20 = 80% of the interface, above the 75% that IOS allows by default, hence max-reserved-bandwidth 85:

interface FastEthernet0/0
ip address 131.1.12.1 255.255.255.0
duplex auto
speed auto
max-reserved-bandwidth 85
service-policy output TEST

sh policy-map  int f0/0
FastEthernet0/0

Service-policy output: TEST

Class-map: TFTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol tftp
Queueing
Output Queue: Conversation 265
Bandwidth 25 (%)
Bandwidth 25000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
Queueing
Output Queue: Conversation 266
Bandwidth 35 (%)
Bandwidth 35000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: FTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ftp
Queueing
Output Queue: Conversation 267
Bandwidth 20 (%)
Bandwidth 20000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
12 packets, 1029 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
============================================================

class-map match-all TFTP
match protocol tftp
class-map match-all HTTP
match protocol http
class-map match-all PREC-5
match ip precedence 5
class-map match-all FTP
match protocol ftp
!
!
policy-map TEST
class TFTP
bandwidth percent 15
class HTTP
bandwidth percent 25
class FTP
bandwidth percent 20
class PREC-5
priority percent 25

interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
max-reserved-bandwidth 85     <----<<<<<< 15 + 25 + 20 bandwidth plus the 25 priority class = 85%; the default limit is 75, and the LLQ priority class counts against it too, so this command is required.
service-policy output TEST
=========================================

CAR - committed access rate (legacy rate-limit). Arguments are bps, normal burst in bytes, extended burst in bytes; the conform/exceed actions can transmit, drop, or remark precedence.

interface FastEthernet0/0
rate-limit output access-group 100 240000 3750 3750 conform-action set-prec-transmit 3 exceed-action drop

sho int f0/0 rate-limit
FastEthernet0/0
Output
matches: access-group 100
params:  240000 bps, 3750 limit, 3750 extended limit
conformed 0 packets, 0 bytes; action: set-prec-transmit 3
exceeded 0 packets, 0 bytes; action: drop
last packet: 16345872ms ago, current burst: 0 bytes
last cleared 00:01:06 ago, conformed 0 bps, exceeded 0 bps

=========================================================================

interface FastEthernet0/1

rate-limit output access-group rate-limit 10 128000 2000 2000 conform-action transmit exceed-action drop

sho int f0/1 rate-limit
FastEthernet0/1
Output
matches: access-group rate-limit 10
params:  128000 bps, 2000 limit, 2000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 16785252ms ago, current burst: 0 bytes
last cleared 00:00:46 ago, conformed 0 bps, exceeded 0 bps
=======================================================================
class based policing (MQC police). With no burst given, IOS derives bc as 250 ms of the rate, i.e. CIR/32 bytes: 10000000 bps -> 312500 bytes, 8000000 -> 250000.

interface FastEthernet0/0

service-policy output TEST

class-map match-any QOS-1
match protocol http
match protocol ftp
match protocol icmp
class-map match-any QOS-2
match protocol telnet
match protocol smtp
!
!
policy-map TEST
class QOS-1
police 10000000 conform-action transmit  exceed-action drop
class QOS-2
police 8000000 conform-action transmit  exceed-action drop
!

sho policy-map int f0/0
FastEthernet0/0

Service-policy output: TEST

Class-map: QOS-1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 10000000 bps, bc 312500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: QOS-2 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 8000000 bps, bc 250000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
3 packets, 471 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R1(config-if)#do sho policy
% Ambiguous command:  "do sho policy"
R1(config-if)#do sho policy-map TEST
Policy Map TEST
Class QOS-1
police cir 10000000 bc 312500
conform-action transmit
exceed-action drop
Class QOS-2
police cir 8000000 bc 250000
conform-action transmit
exceed-action drop

==============================================================

class-map match-all TELNET
match protocol telnet
class-map match-all TFTP
match protocol tftp
!
!
policy-map TEST
class TELNET
police 10000000 5000 conform-action transmit  exceed-action drop
class TFTP
police 8000000 4000 conform-action transmit  exceed-action drop

interface FastEthernet0/0
ip address 10.1.123.2 255.255.255.0
duplex auto
speed auto
service-policy output TEST

sho policy-map TEST
Policy Map TEST
Class TELNET
police cir 10000000 bc 5000
conform-action transmit
exceed-action drop
Class TFTP
police cir 8000000 bc 4000
conform-action transmit
exceed-action drop

========================

class-map match-all SERVER1
match access-group 700
class-map match-all SERVER2
match access-group 701

policy-map TST
class SERVER1
police 1000000 conform-action transmit  exceed-action drop
class SERVER2
police 800000 conform-action transmit  exceed-action drop

access-list 700 permit 0000.1111.1111   0000.0000.0000
access-list 701 permit 0000.2222.2222   0000.0000.0000

R1(config-if)#do sho policy-map int f0/1
FastEthernet0/1

Service-policy input: TST

Class-map: SERVER1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 700
police:
cir 1000000 bps, bc 31250 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: SERVER2 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 701
police:
cir 800000 bps, bc 25000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

sho policy-map TST
Policy Map TST
Class SERVER1
police cir 1000000 bc 31250
conform-action transmit
exceed-action drop
Class SERVER2
police cir 800000 bc 25000
conform-action transmit
exceed-action drop

==================================
access-list 100 permit tcp any any eq www time-range Weekdays
access-list 100 permit icmp any any time-range Weekdays
access-list 100 permit tcp any any eq ftp-data time-range Weekdays
access-list 100 permit tcp any any eq ftp time-range Weekdays

class-map match-all QOS
match access-group 100
!
!
policy-map TEST
class QOS
police 10000000 conform-action transmit  exceed-action drop

interface FastEthernet0/0

service-policy output TEST

sho policy-map inter f0/0
FastEthernet0/0

Service-policy output: TEST

Class-map: QOS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
police:
cir 10000000 bps, bc 312500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
2 packets, 120 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

====================================

police and mark (two-rate, three-colour policer): cir 10 Mbps, pir 20 Mbps. Under cir -> conform, transmit; between cir and pir -> exceed, remark to precedence 4 and transmit; above pir -> violate, drop. bc and be again default to rate/32 bytes (312500 and 625000).

class-map match-all HTTP
match protocol http
!
!
policy-map TST
class HTTP
police cir 10000000 pir 20000000
conform-action transmit
exceed-action set-prec-transmit 4
violate-action drop

interface FastEthernet0/0
service-policy output TST

sho  policy-map int f0/0
FastEthernet0/0

Service-policy output: TST

Class-map: HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
police:
cir 10000000 bps, bc 312500 bytes
pir 20000000 bps, be 625000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
set-prec-transmit 4
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any)
10 packets, 1182 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

sho policy-map TST
Policy Map TST
Class HTTP
police cir 10000000 bc 312500 pir 20000000 be 625000
conform-action transmit
exceed-action set-prec-transmit 4
violate-action drop

=====================================

police cir percent 30 = 30% of the interface bandwidth (100 Mbps on f0/1 -> 30000000 bps, bc 937500 bytes); conform transmit / exceed drop are the defaults when no actions are given.

class-map match-all TST-WWW
match access-group 100

policy-map TST
class TST-WWW
police cir percent 30

access-list 100 permit tcp 10.1.12.0 0.0.0.255 host 10.1.12.100 eq www

interface FastEthernet0/1
service-policy output TST

sho policy-map int f0/1
FastEthernet0/1

Service-policy output: TST

Class-map: TST-WWW (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
police:
cir 30 %
cir 30000000 bps, bc 937500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
1 packets, 60 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

sho policy-map TST
Policy Map TST
Class TST-WWW
police cir percent 30
conform-action transmit
exceed-action drop
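Added example, not the notes' own code: a token-bucket policer that reproduces the conform/exceed/violate behaviour of the `police` sections above (single-rate with cir only, two-rate with cir and pir, as in the police-and-mark section) and the default bc/be derivation. The packet stream is constructed; the policer class and function names are this example's.

```python
"""Token-bucket policer as the MQC `police` examples in these notes behave.

Single rate (cir only): one bucket of bc bytes; a packet conforms if it fits,
otherwise it exceeds. Two rate (cir + pir): a second bucket of be bytes refilled
at pir; a packet that does not fit the pir bucket violates, one that fits pir but
not cir exceeds, one that fits both conforms (RFC 2698 colour-blind trTCM, which
is the behaviour IOS reports as conformed/exceeded/violated).
With no burst given, IOS uses 250 ms of the rate: rate/32 bytes.
"""
from typing import Dict, List, Optional, Tuple

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


def default_burst(rate_bps: int) -> int:
    """IOS default Bc/Be: rate * 0.25 s / 8 bits = rate/32 bytes (10 Mbps -> 312500)."""
    return rate_bps // 32


class Policer:
    def __init__(self, cir: int, pir: Optional[int] = None,
                 bc: Optional[int] = None, be: Optional[int] = None) -> None:
        self.cir, self.pir = cir, pir
        self.bc = bc if bc is not None else default_burst(cir)
        self.be = be if be is not None else (default_burst(pir) if pir else 0)
        self.tc = float(self.bc)            # committed bucket starts full
        self.tp = float(self.be)            # peak bucket (two-rate only)
        self.last: Optional[float] = None   # arrival time of the previous packet, seconds

    def _refill(self, now: float) -> None:
        if self.last is None:
            self.last = now
            return
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.bc, self.tc + elapsed * self.cir / 8)
        if self.pir:
            self.tp = min(self.be, self.tp + elapsed * self.pir / 8)

    def police(self, size: int, now: float) -> str:
        """Colour one packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        if self.pir:
            if size > self.tp:                  # above pir: violate-action
                return VIOLATE
            self.tp -= size
            if size > self.tc:                  # between cir and pir: exceed-action
                return EXCEED
            self.tc -= size
            return CONFORM
        if size > self.tc:                      # single rate, bucket empty: exceed-action
            return EXCEED
        self.tc -= size
        return CONFORM


def police_stream(policer: Policer, packets: List[Tuple[float, int]]) -> Dict[str, int]:
    """Run (arrival_seconds, bytes) pairs through the policer and count each colour."""
    counts = {CONFORM: 0, EXCEED: 0, VIOLATE: 0}
    for now, size in packets:
        counts[policer.police(size, now)] += 1
    return counts


if __name__ == "__main__":
    # Constructed input: 500 x 1500-byte packets arriving at once (a line-rate burst).
    burst = [(0.0, 1500)] * 500
    print(police_stream(Policer(cir=10_000_000), burst))                   # single rate: 208 conform
    print(police_stream(Policer(cir=10_000_000, pir=20_000_000), burst))   # police and mark: 208/208/84
```

With a 312500-byte bucket, 208 full-size packets get through before the first exceed, which is the burst an attacker (or a backup job) can push at line rate before the policer bites; that is why bc, not just cir, matters when policing is used as a flood control.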
==========================================

r1 (RSVP sender; arguments are session/destination address, sender address, protocol, dport, sport, average rate in kbps, burst in KB)

ip rsvp sender-h 131.1.12.2 131.1.12.1 tcp 0 0 10 5

r2 (RSVP receiver; FF = fixed-filter reservation style, rate = guaranteed-rate service)
sh ip rsvp send
To              From            Pro DPort Sport Prev Hop        I/F      BPS
131.1.12.2      131.1.12.1      TCP 0     0     131.1.12.1      Fa0/0    10K
ip rsvp reservation-h 131.1.12.2 131.1.12.1 tcp 0 0 FF rate 10 5

r1
sho ip rsvp res
To            From          Pro DPort Sport Next Hop      I/F      Fi Serv BPS
131.1.12.2    131.1.12.1    TCP 0     0     131.1.12.2    Fa0/0    FF RATE 10K

==================================
Frame Relay traffic shaping per VC: Tc = Bc/CIR = 8000/64000 = 125 ms, byte limit = (Bc + Be)/8 = 3000, increment = Bc/8 = 1000 bytes per interval; adaptive-shaping becn throttles from CIR toward mincir while BECNs arrive. Shaping is enabled on the physical interface and the map-class is attached on the subinterface:

interface Serial0/0/0
bandwidth 192
frame-relay traffic-shaping

!
interface Serial0/0/0.12 point-to-point
frame-relay class TEST

map-class frame-relay TEST
frame-relay cir 64000
frame-relay bc 8000
frame-relay be 16000
frame-relay mincir 32000
frame-relay adaptive-shaping becn

sho traffic-shap s0/0/0.12

Interface   Se0/0/0.12
Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
102           64000     3000   8000      16000     125       1000      BECN

=========================================================

map-class frame-relay TEST
frame-relay cir 64000
frame-relay bc 8000
frame-relay be 16000
frame-relay mincir 32000
frame-relay adaptive-shaping interface-congestion 1
!

interface Serial0/0/0
bandwidth 192
frame-relay traffic-shaping

!
interface Serial0/0/0.12 point-to-point
frame-relay class TEST

sho traffic-shap s0/0/0.12

Interface   Se0/0/0.12
Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
102           64000     3000   8000      16000     125       1000      -

sho frame pvc 102

PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0.12

input pkts 223           output pkts 229          in bytes 62906
out bytes 64321          dropped pkts 0           in pkts dropped 0
out pkts dropped 0                out bytes dropped 0
in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
out BECN pkts 0          in DE pkts 0             out DE pkts 0
out bcast pkts 229       out bcast bytes 64321
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 07:23:28, last time pvc status changed 00:18:06

cir 64000     bc 8000      be 16000     byte limit 3000   interval 125
mincir 32000     byte increment 1000  Adaptive Shaping IF_CONG

pkts 49        bytes 7080      pkts delayed 0         bytes delayed 0
shaping inactive
traffic shaping drops 0
Queueing strategy: fifo
Output queue 0/40, 0 drop, 0 dequeued

==================
map-class frame-relay TEST
frame-relay cir 64000
frame-relay bc 8000
frame-relay be 16000
frame-relay mincir 32000
frame-relay adaptive-shaping interface-congestion 1

R1(config-fr-dlci)#map-class frame-relay TEST

R1(config-map-class)#service-policy out TST
Remove frame-relay traffic shaping first before using GTS in Modular QoS CLI

R1(config-map-class)#int s0/0/0
R1(config-if)#no fram traffic-shaping

R1(config-if)#map-class frame-relay TEST
R1(config-map-class)#service-policy out TST

R1(config-map-class)#do sho policy-map int s0/0/0.12
Serial0/0/0.12: DLCI 102 -

Service-policy output: TST

Class-map: class-default (match-any)
1 packets, 56 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average   Byte   Sustain   Excess    Interval  Increment
Rate           Limit  bits/int  bits/int  (ms)      (bytes)
64000/64000     3000   8000      16000     125       1000

Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
Active Depth                         Delayed   Delayed   Active
BECN   0         1         56        0         0         no
=========================================

map-class frame-relay R2
frame-relay cir 64000
frame-relay bc 8000
frame-relay mincir 32000
frame-relay adaptive-shaping becn
!
map-class frame-relay R3
frame-relay cir 128000
frame-relay bc 16000
frame-relay mincir 64000
frame-relay adaptive-shaping becn
!
map-class frame-relay R4
frame-relay cir 192000
frame-relay bc 24000
frame-relay mincir 96000
frame-relay adaptive-shaping becn

interface Serial0/0/0
bandwidth 192
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
no fair-queue
frame-relay traffic-shaping
frame-relay interface-dlci 102
class R2
frame-relay interface-dlci 103
class R3
frame-relay interface-dlci 104
class R4

sho traffic-shape

Interface   Se0/0/0
Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
103           128000    2000   16000     0         125       2000      BECN
104           192000    3000   24000     0         125       3000      BECN
102           64000     1000   8000      0         125       1000      BECN
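Added example, not from the notes: Python that derives the Interval / Byte Limit / Increment columns shown by `show traffic-shape` in the FRTS sections above from cir/bc/be, models BECN adaptation down to mincir, and releases a constructed burst interval by interval. The 25% per-Tc reduction is the documented BECN behaviour; the recovery step (+CIR/16 per BECN-free interval) is a simplification of this example, not a figure from the notes.

```python
"""Frame Relay traffic shaping numbers from these notes, derived and simulated.

`show traffic-shape` reports, per VC: Interval = Tc = Bc/CIR (IOS keeps it within
10..125 ms), Increment = bytes credited per Tc = CIR*Tc/8, Byte Limit = Increment + Be/8
(the bucket size). Adaptive shaping (BECN) cuts the rate 25% per Tc while BECNs
arrive, never below mincir; the recovery step used here (+CIR/16 per BECN-free Tc)
is a simplification for the model.
"""
from typing import List, Tuple


def shaping_params(cir: int, bc: int, be: int = 0) -> Tuple[int, int, int]:
    """Return (interval_ms, byte_limit, increment) as `show traffic-shape` shows them."""
    tc = bc / cir                        # seconds; 8000/64000 = 0.125
    tc = min(0.125, max(0.010, tc))      # IOS clamps Tc to 10..125 ms (Bc is then CIR*Tc)
    increment = int(cir * tc / 8)        # bytes credited per interval
    byte_limit = increment + be // 8     # bucket size including the excess burst
    return int(round(tc * 1000)), byte_limit, increment


def becn_adapt(cir: int, mincir: int, becn_seen: List[bool]) -> List[int]:
    """Shaped rate after each Tc, given whether a BECN arrived in that interval."""
    rate, out = cir, []
    for becn in becn_seen:
        if becn:
            rate = max(mincir, int(rate * 0.75))    # -25% per Tc, floor at mincir
        else:
            rate = min(cir, rate + cir // 16)       # recovery (simplified model, see lead-in)
        out.append(rate)
    return out


def shape_burst(cir: int, bc: int, be: int, pkt_size: int, n_pkts: int,
                intervals: int) -> List[int]:
    """Packets released per Tc for a burst queued at t=0. The bucket starts full
    (byte limit), earns `increment` per Tc, and a packet leaves only when it fits."""
    _, byte_limit, increment = shaping_params(cir, bc, be)
    credit, waiting, sent = byte_limit, n_pkts, []
    for i in range(intervals):
        if i:
            credit = min(byte_limit, credit + increment)
        n = 0
        while waiting and credit >= pkt_size:
            credit -= pkt_size
            waiting -= 1
            n += 1
        sent.append(n)
    return sent


if __name__ == "__main__":
    print(shaping_params(64000, 8000, 16000))    # (125, 3000, 1000), the DLCI 102 row
    print(shaping_params(128000, 16000))         # (125, 2000, 2000), the DLCI 103 row
    print(becn_adapt(64000, 32000, [True] * 3))  # [48000, 36000, 32000]
    # Constructed burst: 20 x 1500-byte packets queued at once on the 64k VC, one second shown.
    print(shape_burst(64000, 8000, 16000, 1500, 20, 8))   # [2, 0, 1, 1, 0, 1, 1, 0]
```

The burst run shows why Be matters: the first interval can release 3000 bytes (two full packets) because the bucket starts at the byte limit, after which the VC settles to its CIR of 1000 bytes per 125 ms, i.e. one 1500-byte packet every 187.5 ms on average.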
=================================================================================

MQC shaping inside the map-class: shape average <cir> <bc bits> <be bits>. Caveat: shape adaptive 64000 sets the BECN floor equal to the CIR, so there is no room to throttle; shape adaptive 32000 would mirror the mincir of the legacy class above.

policy-map TST-r2
class class-default
shape average 64000 8000 0
shape adaptive 64000

map-class frame-relay R2
frame-relay cir 64000
frame-relay bc 8000
frame-relay mincir 32000
frame-relay adaptive-shaping becn
service-policy output TST-r2

interface Serial0/0/0
frame-relay interface-dlci 102
class R2

sho policy-map int s0/0/0
Serial0/0/0: DLCI 102 -

Service-policy output: TST-r2

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average   Byte   Sustain   Excess    Interval  Increment
Rate           Limit  bits/int  bits/int  (ms)      (bytes)
64000/64000     1000   8000      0         125       1000

Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
Active Depth                         Delayed   Delayed   Active
BECN   0         0         0         0         0         no

======================================================================
PVC interface priority queueing: the map-class decides which of the interface-level high/medium/normal/low queues each DLCI's frames go into (R4 has no priority keyword and gets the default, normal); `show frame pvc` reports the setting as `priority high`.

map-class frame-relay R2
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority high
!
map-class frame-relay R3
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority medium
!
map-class frame-relay R4
frame-relay interface-queue fair queue-limit 32
!
map-class frame-relay R5
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority low

interface Serial0/0/0
bandwidth 192
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
frame-relay interface-dlci 102
class R2
frame-relay interface-dlci 103
class R3
frame-relay interface-dlci 104
class R4
frame-relay interface-dlci 105
class R5

sho fram pvc 102

PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0

input pkts 0             output pkts 0            in bytes 0
out bytes 0              dropped pkts 0           in pkts dropped 0
out pkts dropped 0                out bytes dropped 0
in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
out BECN pkts 0          in DE pkts 0             out DE pkts 0
out bcast pkts 0         out bcast bytes 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:43:07, last time pvc status changed 00:43:07
priority high

========================================

DE lists: mark as discard-eligible IP packets larger than 1500 bytes (gt is a size test, not a port) and tcp www, bound to DLCI 102 with frame-relay de-group; `out DE pkts 12` in the PVC output confirms frames went out tagged.

frame-relay de-list 1 protocol ip gt 1500
frame-relay de-list 1 protocol ip tcp www
!
interface Serial0/0/0.12 point-to-point
ip address 131.1.12.1 255.255.255.0
frame-relay de-group 1 102
frame-relay interface-dlci 102

sho fram pvc 102

PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0.12

input pkts 17            output pkts 19           in bytes 2005
out bytes 2930           dropped pkts 0           in pkts dropped 0
out pkts dropped 0                out bytes dropped 0
in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
out BECN pkts 0          in DE pkts 0             out DE pkts 12
out bcast pkts 14        out bcast bytes 2410
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:04:17, last time pvc status changed 00:03:29
—————————————–
Same result with MQC: set fr-de marks http and ftp frames DE through the policy on the subinterface.

class-map match-any DE
match protocol http
match protocol ftp
!
!
policy-map TEST
class DE
set fr-de

interface Serial0/0/0.12 point-to-point
ip address 131.1.12.1 255.255.255.0
frame-relay interface-dlci 102
service-policy output TEST

sho policy-map int s0/0/0.12

Serial0/0/0.12

Service-policy output: TEST

Class-map: DE (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
fr-de
Packets marked 0

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

========================
Payload compression, packet-by-packet (Cisco stacker). It must be configured on both ends of each PVC: under interface-dlci on r1's point-to-point subinterfaces, and on the frame-relay map statement on r3.

r1
interface Serial0/0/0.12 point-to-point
ip address 131.1.12.1 255.255.255.0
frame-relay interface-dlci 102
frame-relay payload-compression packet-by-packet
!
interface Serial0/0/0.13 point-to-point
ip address 131.1.13.1 255.255.255.0
frame-relay interface-dlci 103
frame-relay payload-compression packet-by-packet

r3

r3(config-if)#frame-r map ip 131.1.13.1 301 broadcast payload-compression packet-by-packet

========

FRF.9 stacker is the standards-based alternative to packet-by-packet; both ends still have to use the same method.

R1(config-subif)#frame-relay payload-compression frF9 stac

===========

Class-based WRED. random-detect precedence <prec> <min-thresh> <max-thresh> <mark-prob-denominator>: no drops while the average queue depth is below min, random drops rising to 1/denominator at max, tail drop above max. The average uses exponential weight 9 (2^-9), so it lags the instantaneous depth. The values configured here are the same progression IOS prints for the unconfigured precedences 5-7 and rsvp (min 20 + 2 x precedence, max 40, 1/10), so this policy only makes those thresholds explicit. The policy-map TST-r2 that follows is left over from the shaping lab.

class-map match-all bulk
match ip precedence 2  3
class-map match-all priority
match ip precedence 4
class-map match-all best-effort
match ip precedence 0  1
!
!
policy-map TEST
class best-effort
bandwidth percent 20
random-detect
random-detect precedence 0   20    40    10
random-detect precedence 1   22    40    10
class bulk
bandwidth percent 25
random-detect
random-detect precedence 2   24    40    10
random-detect precedence 3   26    40    10
class priority
bandwidth percent 35
random-detect
random-detect precedence 4   28    40    10
policy-map TST-r2
class class-default
shape average 64000 8000 0
shape adaptive 64000
!
interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0
duplex auto
speed auto
max-reserved-bandwidth 80
service-policy output TEST

sho policy-map int f0/0
FastEthernet0/0

Service-policy output: TEST

Class-map: best-effort (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 0  1
Queueing
Output Queue: Conversation 265
Bandwidth 20 (%)
Bandwidth 20000 (kbps)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0

class    Transmitted      Random drop      Tail drop    Minimum Maximum  Mark
pkts/bytes       pkts/bytes       pkts/bytes    thresh  thresh  prob
0       0/0               0/0              0/0           20      40  1/10
1       0/0               0/0              0/0           22      40  1/10
2       0/0               0/0              0/0           24      40  1/10
3       0/0               0/0              0/0           26      40  1/10
4       0/0               0/0              0/0           28      40  1/10
5       0/0               0/0              0/0           30      40  1/10
6       0/0               0/0              0/0           32      40  1/10
7       0/0               0/0              0/0           34      40  1/10
rsvp       0/0               0/0              0/0           36      40  1/10

Class-map: bulk (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 2  3
Queueing
Output Queue: Conversation 266
Bandwidth 25 (%)
Bandwidth 25000 (kbps)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0

class    Transmitted      Random drop      Tail drop    Minimum Maximum  Mark
pkts/bytes       pkts/bytes       pkts/bytes    thresh  thresh  prob
0       0/0               0/0              0/0           20      40  1/10
1       0/0               0/0              0/0           22      40  1/10
2       0/0               0/0              0/0           24      40  1/10
3       0/0               0/0              0/0           26      40  1/10
4       0/0               0/0              0/0           28      40  1/10
5       0/0               0/0              0/0           30      40  1/10
6       0/0               0/0              0/0           32      40  1/10
7       0/0               0/0              0/0           34      40  1/10
rsvp       0/0               0/0              0/0           36      40  1/10

Class-map: priority (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 4
Queueing
Output Queue: Conversation 267
Bandwidth 35 (%)
Bandwidth 35000 (kbps)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0

class    Transmitted      Random drop      Tail drop    Minimum Maximum  Mark
pkts/bytes       pkts/bytes       pkts/bytes    thresh  thresh  prob
0       0/0               0/0              0/0           20      40  1/10
1       0/0               0/0              0/0           22      40  1/10
2       0/0               0/0              0/0           24      40  1/10
3       0/0               0/0              0/0           26      40  1/10
4       0/0               0/0              0/0           28      40  1/10
5       0/0               0/0              0/0           30      40  1/10
6       0/0               0/0              0/0           32      40  1/10
7       0/0               0/0              0/0           34      40  1/10
rsvp       0/0               0/0              0/0           36      40  1/10

Class-map: class-default (match-any)
5 packets, 300 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

=======================

class-map match-all BESTEFFORT
match ip dscp af23

policy-map WRED
class BESTEFFORT
bandwidth percent 20
random-detect dscp-based
random-detect dscp 22   26    40    10

R1(config-pmap-c)#int f0/0
R1(config-if)#serv
R1(config-if)#service-policy ou WRED
R1(config-if)#do sho service-po
% Ambiguous command:  "do sho service-po"
R1(config-if)#do sho policy-map WRED
Policy Map WRED
Class BESTEFFORT
Bandwidth 20 (%)
exponential weight 9
dscp     min-threshold    max-threshold    mark-probablity
———————————————————-

af11      -                -                1/10
af12      -                -                1/10
af13      -                -                1/10
af21      -                -                1/10
af22      -                -                1/10
af23      26               40               1/10

af31      -                -                1/10
af32      -                -                1/10
af33      -                -                1/10
af41      -                -                1/10
af42      -                -                1/10
af43      -                -                1/10
cs1       -                -                1/10
cs2       -                -                1/10
cs3       -                -                1/10
cs4       -                -                1/10
cs5       -                -                1/10
cs6       -                -                1/10
cs7       -                -                1/10
ef        -                -                1/10
rsvp      -                -                1/10
default   -                -                1/10
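The WRED parameters printed above (exponential weight 9, and for af23 a minimum threshold of 26, maximum of 40 and mark probability 1/10) define how aggressively packets are dropped as the average queue depth grows. The following Python model is an added example, not the blog's or IOS's own code; it uses the standard RED formulas documented for IOS WRED (an exponentially weighted average of the queue depth, and a drop probability rising linearly from zero at the minimum threshold to 1/denominator just below the maximum). The profile values are taken from the `random-detect dscp 22 26 40 10` line above.

```python
"""WRED drop-probability model.

Added example (Python, not IOS or the blog's own code). It models the
parameters that `show policy-map` prints: minimum threshold, maximum
threshold, mark-probability denominator (1/10) and exponential weight (9),
using the standard RED formulas documented for IOS WRED.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_thresh: int        # packets: below this average depth nothing is dropped
    max_thresh: int        # packets: at or above this every packet is dropped
    mark_prob_denom: int   # 10 means at most 1 packet in 10 is dropped just below max


def update_average(avg_depth: float, current_depth: int, exp_weight: int) -> float:
    """Exponentially weighted average: new = old * (1 - 2^-n) + current * 2^-n."""
    w = 2.0 ** -exp_weight
    return avg_depth * (1.0 - w) + current_depth * w


def drop_probability(profile: WredProfile, avg_depth: float) -> float:
    """Probability that an arriving packet is dropped at this average depth."""
    if avg_depth < profile.min_thresh:
        return 0.0
    if avg_depth >= profile.max_thresh:
        return 1.0  # above the maximum threshold WRED behaves like tail drop
    span = profile.max_thresh - profile.min_thresh
    return (avg_depth - profile.min_thresh) / span / profile.mark_prob_denom


def samples_to_reach(exp_weight: int, fraction: float, depth: int) -> int:
    """Number of constant-depth samples until the average reaches `fraction` of the real depth.

    Shows how sluggish the average is: with weight 9 a queue that jumps from
    empty to `depth` packets needs hundreds of samples before WRED sees half of it.
    """
    avg, steps = 0.0, 0
    while avg < fraction * depth:
        avg = update_average(avg, depth, exp_weight)
        steps += 1
    return steps


# Profile for af23 as configured above: random-detect dscp 22 26 40 10
AF23 = WredProfile(min_thresh=26, max_thresh=40, mark_prob_denom=10)

if __name__ == "__main__":
    for depth in (20, 26, 33, 39, 40):
        print(f"avg depth {depth:>2}: drop probability {drop_probability(AF23, depth):.3f}")
    print("samples until the average reaches 50% of a sudden burst:", samples_to_reach(9, 0.5, 100))
```

The point the numbers make: halfway between the thresholds (average depth 33) only 5% of packets are dropped, and the average itself lags the real queue by hundreds of samples at weight 9, which is why WRED smooths out short bursts rather than reacting to them.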

Posted in QOS, Routing & Switching Lab | Leave a Comment »

MST

Posted by Peter Kurdziel on January 24, 2009

spanning-tree mode mst
!
spanning-tree mst configuration
name CCIE
revision 1
instance 1 vlan 12, 34
instance 2 vlan 56
!
spanning-tree mst 1 priority 24576

sw1(config)#do sho spann mst con
Name      [CCIE]
Revision  1     Instances configured 3

Instance  Vlans mapped
——–  ———————————————————————
0         1-11,13-33,35-55,57-4094
1         12,34
2         56
——————————————————————————-

sw1(config)#do sho spann mst

##### MST0    vlans mapped:   1-11,13-33,35-55,57-4094
Bridge        address 0019.aa6f.2700  priority      32768 (32768 sysid 0)
Root          address 0019.554a.3b80  priority      32768 (32768 sysid 0)
port    Fa0/13          path cost     0
Regional Root address 0019.554a.3b80  priority      32768 (32768 sysid 0)
internal cost 200000    rem hops 19
Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured    hello time 2 , forward delay 15, max age 20, max hops    20

Interface        Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/13           Root FWD 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p

##### MST1    vlans mapped:   12,34
Bridge        address 0019.aa6f.2700  priority      24577 (24576 sysid 1)
Root          this switch for MST1

Interface        Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/13           Desg FWD 200000    128.15   P2p
Fa0/14           Desg FWD 200000    128.16   P2p

##### MST2    vlans mapped:   56
Bridge        address 0019.aa6f.2700  priority      32770 (32768 sysid 2)
Root          address 0019.554a.3b80  priority      24578 (24576 sysid 2)
port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/13           Root FWD 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p

sw1(config)#do sho spann brid

Hello  Max  Fwd
MST Instance                 Bridge ID              Time  Age  Dly  Protocol
—————- ——————————— —–  —  —  ——–
MST0             32768 (32768,   0) 0019.aa6f.2700    2    20   15  mstp
MST1             24577 (24576,   1) 0019.aa6f.2700    2    20   15  mstp
MST2             32770 (32768,   2) 0019.aa6f.2700    2    20   15  mstp
==========================================================================

interface FastEthernet0/13
switchport trunk encapsulation isl
switchport mode trunk
spanning-tree mst 1 port-priority 0
end

sw1(config-if)#do sh run int f0/14
Building configuration…

Current configuration : 130 bytes
!
interface FastEthernet0/14
switchport trunk encapsulation isl
switchport mode trunk
spanning-tree mst 2 port-priority 0
end

Mst Instance     Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
MST0             Root FWD 200000    128.15   P2p
MST1             Desg FWD 200000      0.15   P2p
MST2             Altn BLK 200000    128.15   P2p

sw1(config-if)#do sho span int f0/14

Mst Instance     Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
MST0             Altn BLK 200000    128.16   P2p
MST1             Desg FWD 200000    128.16   P2p
MST2             Root FWD 200000      0.16   P2p

=============================

Posted in CATALYST, Routing & Switching Lab | Leave a Comment »

Posted by Peter Kurdziel on January 24, 2009

no service password-recovery – disables password recovery
security passwords min-length 7

enable secret cisco
% Password too short – must be at least 7 characters. Password configuration failed

————————————

service password-encryption

———————————————–

line aux 0
login local
password cisco

——————-

3 failed login attempts + create a syslog msg

security authentication failure rate 3 log
———————————————-

log out an idle console session after 4 min 30 sec

line con 0
exec-timeout 4 30

might need a wr mem & reload
—————————–

username U2 privilege 2 password 7 070C285F4D06
username U3 privilege 3 password 7 01100F17580455
username admin password 7 094F471A1A0A

privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show interfaces
privilege exec level 2 show

line con 0
login local
———————-
not done on line….

config t banner motd #
You are connected to $(hostname) on line $(line) on domain $(domain)
#
ip domain-name ccie2be.4me

*Mar  1 00:48:50.483: %SYS-5-CONFIG_I: Configured from console by console
You are connected to R1 on line 0 on domain ccie2b3.4me
————————————————————–
menus

username U2 privilege 15 password 7 030752180500731C1E50
username U2 autocommand men U2
username admin password 7 060506324F415B49554E

menu U2 title ^C CCIE MENU ^C
menu U2 prompt ^C Please choose an option and press enter^C
menu U2 text 1 Display interfaces and ip’s
menu U2 command 1 sh ip int br
menu U2 options 1 pause
menu U2 text 2 Display ethernet 0/0
menu U2 command 2 sho run int e0/0
menu U2 text 3 Logout
menu U2 command 3 logout
menu U2 text 4 Exit out of menu
menu U2 command 4 menu-exit
menu U2 clear-screen
menu U2 line-mode

CCIE MENU

1          Display interfaces and ip’s

2          Display ethernet 0/0

3          Logout

4          Exit out of menu

Please choose an option and press enter
————————————————–

access-list 1 per ho 1.1.1.1
line vty 0
access-class 1 in

test
telnet 10.1.12.2 <- does not work
telnet 10.1.12.2 /source lo0 <- works
—————————-

allow telnet from r1 to r2 then to r4
r2

line vty 0 871

access-class 2 out
access-list 2 per ho 4.4.4.4

R1(config-if)#do telnet 10.1.12.2 /source lo0
Trying 10.1.12.2 … Open

User Access Verification

Password:
R2>telnet 4.4.4.4
Trying 4.4.4.4 … Open

User Access Verification

Password:
R4>ex
——————————-
SSH
crypto key generate rsa usage-keys <– automatically enables ssh

then

aaa new-model
!
!
aaa authentication login NO-AUTH none
aaa authentication login LOCAL-AUTH local
!
username user1 password 0 cisco

line con 0
exec-timeout 0 0
logging synchronous
login authentication NO-AUTH
line aux 0
login authentication NO-AUTH
line vty 0 4
password cisco
login authentication LOCAL-AUTH
transport input ssh
line vty 5 181
login authentication LOCAL-AUTH
transport input ssh
——————————————

deny communications between 1.1.1.1 and 4.4.4.4.

r2
access-list 100 deny   ip host 4.4.4.4 host 1.1.1.1
access-list 100 permit ip any any
access-list 101 deny   ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip any any

interface Ethernet0/0
ip access-group 101 in

interface Serial1/0.23 point-to-point
ip access-group 100 in
———————————————–

r1 can ping and receive replies from r2. R2 cannot ping r1.

access-list 100 deny   icmp host 10.1.12.2 any echo
access-list 100 deny   icmp host 2.2.2.2 any echo
access-list 100 deny   icmp host 10.1.23.2 any echo
access-list 100 permit ip any any
!
interface Ethernet0/0
ip access-group 100 in
—————————————

prevent ICMP unreachables from being sent
s1/0.32
no ip unreachables
———————–

—————————–

filter eigrp (deny before the permit, otherwise the deny is never reached)

access-list 101 deny eigrp any any log
access-list 101 permit ip any any

e0/0
ip access-group 101 in
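IOS ACLs are evaluated top-down: the first matching entry decides and anything that matches nothing hits the implicit deny at the end. That rule is what makes the asymmetric ICMP filter above work (echo from R2 denied, echo-reply permitted) and what makes ordering matter when a `deny eigrp` is combined with `permit ip any any`. The Python below is an added example, not IOS code or anything from the post; it models those semantics for host/any matching only, with packets and entries constructed from the addresses in the post.

```python
"""First-match evaluator for IOS-style numbered ACLs.

Added example (Python, not IOS code). It models the rule the filtering
sections rely on: entries are checked top-down, the first matching entry
decides, and anything unmatched hits the implicit deny at the end.
Packets and ACL entries below are constructed from the addresses in the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "eigrp", "tcp", ...
    src: str
    dst: str
    icmp_type: Optional[str] = None   # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # "any" or a host address
    dst: str
    icmp_type: Optional[str] = None   # None matches any ICMP type
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); index None is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never match because one earlier entry covers them.

    Only single-entry shadowing is detected; an entry hidden by the union of
    several earlier ones is not reported.
    """
    def covers(earlier: Ace, later: Ace) -> bool:
        return ((earlier.proto == "ip" or earlier.proto == later.proto)
                and (earlier.src == "any" or earlier.src == later.src)
                and (earlier.dst == "any" or earlier.dst == later.dst)
                and (earlier.icmp_type is None or earlier.icmp_type == later.icmp_type))

    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


# access-list 100 from the "r1 can ping r2, r2 cannot ping r1" task, applied inbound on r1
ACL_100 = [
    Ace("deny", "icmp", "10.1.12.2", "any", "echo"),
    Ace("deny", "icmp", "2.2.2.2", "any", "echo"),
    Ace("deny", "icmp", "10.1.23.2", "any", "echo"),
    Ace("permit", "ip", "any", "any"),
]

# Two orderings of an EIGRP filter: only the second ever reaches the deny
EIGRP_PERMIT_FIRST = [Ace("permit", "ip", "any", "any"), Ace("deny", "eigrp", "any", "any", log=True)]
EIGRP_DENY_FIRST = [Ace("deny", "eigrp", "any", "any", log=True), Ace("permit", "ip", "any", "any")]

if __name__ == "__main__":
    r2_echo = Packet("icmp", "10.1.12.2", "10.1.12.1", "echo")
    r2_reply = Packet("icmp", "10.1.12.2", "10.1.12.1", "echo-reply")
    print("R2 echo  ->", evaluate(ACL_100, r2_echo))
    print("R2 reply ->", evaluate(ACL_100, r2_reply))
    print("shadowed entries, permit-first:", shadowed_entries(EIGRP_PERMIT_FIRST))
```

`shadowed_entries` is the check worth running on any ACL before applying it: an entry reported there is dead configuration, and a dead `deny ... log` means the traffic you expected to see logged is silently permitted instead.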
————————————

filter with MQC

c > p > s (class-map, then policy-map, then service-policy)

access-list 100 permit tcp any any eq telnet

class-map match-all TELNET
match access-group 100

policy-map TST
class TELNET
set ip precedence 1

interface Ethernet0/0
ip address 10.1.12.1 255.255.255.0
full-duplex
service-policy output TST

——————————–

block precedence 1 on r3 s1/0.21

class-map match-all IP_PREC
match ip precedence 1
!
!
policy-map TEST
class IP_PREC
drop

int s1/0.32
service-policy input TEST
——————————-

interface Serial1/0.23 point-to-point
ip access-group 100 in

access-list 100 permit ospf any any
access-list 100 permit tcp any any established
————————————————

access-list 100 permit tcp any host 10.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 permit tcp any any established
access-list 100 dynamic TEST permit ip any any

line vty 0 4
password cisco
login local
autocommand access-enable host timeout 2

sho access-lis
Extended IP access list 100
10 permit tcp any host 10.1.23.2 eq telnet (171 matches)
20 permit ospf any any (10 matches)
30 permit tcp any any established
40 Dynamic TEST permit ip any any
50 permit ip host 10.1.34.4 any (5 matches) (time left 115)
——————————————————————–

access-list 100 permit tcp any host 10.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 permit tcp any any established
access-list 100 dynamic TEST timeout 3 permit ip any any
access-list 100 permit tcp any any eq 3005

line vty 0 4
password cisco
login local
autocommand  access-enable host
line vty 5 870
login local
autocommand  access-enable host
line vty 871
login local
rotary 5
autocommand  access-ena host
———————————————–

ip access-list extended inbound
permit ospf any any
evaluate TEST

ip access-list extended outbound
permit tcp any any eq www reflect TEST
permit tcp any any eq telnet reflect TEST
permit tcp any any eq 69 reflect TEST
permit ospf any any

interface Serial1/0.23 point-to-point
ip address 10.1.23.2 255.255.255.0
ip access-group inbound in
ip access-group outbound out

————————————-

ip access-list extended outbound
permit tcp any any eq www reflect TEST time 120
permit tcp any any eq telnet reflect TEST time 60
permit tcp any any eq 69 reflect TEST time 30
permit icmp any any reflect TEST timeout 10
permit udp any any eq 53 reflec TEST time 10
permit ospf any any

interface Serial1/0.23 point-to-point
ip address 10.1.23.2 255.255.255.0
ip access-group inbound in
ip access-group outbound out
——————————-

all reflexive ACLs default to a timeout of 120 seconds
ip reflexive-list timeout 120
——————————–

time-range WEEKDAYS
periodic weekdays 0:00 to 23:59
!
interface Ethernet0/0
ip address 10.1.12.1 255.255.255.0
ip access-group 100 out

access-list 100 permit tcp any any eq www time-range WEEKDAYS
——————-

internet on weekends only

time-range WEEKENDS
periodic weekend 0:00 to 23:59

access-list 100 permit tcp any any eq www time-range WEEKENDS

interface Ethernet0/0
ip access-group 100 out
—————————————
CBAC
TCP, UDP and ICMP inspection; return traffic for sessions initiated from the inside is allowed back in.

access-list 100 permit udp any any eq rip
access-list 100 deny   ip any any log

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface Ethernet0/1
ip access-group 100 in
ip inspect fw out
————————————-

access-list 100 permit ip 10.1.123.0 0.0.0.255 any
access-list 101 permit icmp any host 10.1.123.3
access-list 101 permit tcp any host 10.1.123.3 eq telnet

ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp

interface Ethernet0/0
ip access-group 100 in
ip inspect OUT in

!
interface Ethernet0/1
ip access-group 101 in

sh ip inspect session
—————————

ip inspect log drop-pkt
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp idle-time 8
ip inspect tcp finwait-time 8
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 80 block-time 8
ip inspect name OUT udp
ip inspect name OUT icmp
no ip ips deny-action ips-interface

do sho ip insp config
Dropped packet logging is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [600:800] connections
max-incomplete sessions thresholds are [600:800]
max-incomplete tcp connections per host is 80. Block-time 8 minutes.
tcp synwait-time is 20 sec — tcp finwait-time is 8 sec
tcp idle-time is 8 sec — udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name OUT
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
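Reflexive ACLs (the `reflect` / `evaluate` pair a few tasks up) and CBAC `ip inspect` share one mechanism: a permitted outbound flow creates a temporary entry for its mirror image, inbound traffic is admitted only while a matching entry exists, and entries expire after the idle timeout (global `ip reflexive-list timeout`, a per-entry `timeout`, or the inspect idle-times shown above). The Python below is an added example, not IOS code or anything from the post; it models that session table with the reflect rules and timeouts from the `outbound` ACL above and constructed flows between addresses that appear in the post. It does not model the early removal of TCP entries on FIN/RST or CBAC's half-open connection thresholds.

```python
"""Return-traffic session table, modelling reflexive ACLs and CBAC inspection.

Added example (Python, not IOS code). A `reflect` entry on the outbound
ACL, like `ip inspect` on an interface, records each permitted outbound
flow; `evaluate` (or the inspect rule) then admits only inbound packets that
mirror a recorded flow, until the entry's idle timer expires. Flows, rules
and timestamps below are constructed; addresses are taken from the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The inbound flow that answers this outbound one."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class ReflectRule:
    proto: str
    dport: Optional[int] = None    # None: any port (ICMP has none)
    timeout: Optional[int] = None  # per-entry `timeout`; None uses the global default


class ReflexiveList:
    def __init__(self, rules: List[ReflectRule], default_timeout: int = 300):
        # default_timeout mirrors `ip reflexive-list timeout`; IOS ships with 300 s
        self.rules = rules
        self.default_timeout = default_timeout
        self.sessions: Dict[Flow, List[int]] = {}   # reverse flow -> [expiry, idle timeout]

    def outbound(self, flow: Flow, now: int) -> bool:
        """Outbound packet: a matching reflect entry creates or refreshes the return entry."""
        for rule in self.rules:
            if rule.proto == flow.proto and rule.dport in (None, flow.dport):
                ttl = rule.timeout if rule.timeout is not None else self.default_timeout
                self.sessions[flow.reverse()] = [now + ttl, ttl]
                return True
        return False   # not reflected; the rest of the outbound ACL decides (not modelled)

    def inbound(self, flow: Flow, now: int) -> bool:
        """`evaluate`: permit only if a live return entry exists; a hit refreshes its timer."""
        self.purge(now)
        entry = self.sessions.get(flow)
        if entry is None:
            return False
        entry[0] = now + entry[1]
        return True

    def purge(self, now: int) -> None:
        """Drop entries whose idle timer has run out."""
        for flow in [f for f, (expiry, _) in self.sessions.items() if expiry <= now]:
            del self.sessions[flow]


# The `outbound` ACL from the post: www 120 s, telnet 60 s, tftp 30 s, icmp 10 s, dns 10 s
RULES = [
    ReflectRule("tcp", 80, 120),
    ReflectRule("tcp", 23, 60),
    ReflectRule("tcp", 69, 30),
    ReflectRule("icmp", None, 10),
    ReflectRule("udp", 53, 10),
]


def demo() -> Dict[str, bool]:
    """Walk one web session and one DNS lookup through the table; returns each decision."""
    rl = ReflexiveList(RULES, default_timeout=120)
    web = Flow("tcp", "10.1.23.2", 40000, "10.1.34.4", 80)
    dns = Flow("udp", "10.1.23.2", 5353, "10.1.34.4", 53)
    smtp = Flow("tcp", "10.1.23.2", 40001, "10.1.34.4", 25)
    unsolicited = Flow("tcp", "10.1.34.4", 4444, "10.1.23.2", 22)
    result = {}
    result["web_out"] = rl.outbound(web, now=0)
    result["dns_out"] = rl.outbound(dns, now=0)
    result["smtp_out"] = rl.outbound(smtp, now=0)                   # no reflect entry for port 25
    result["unsolicited_ssh"] = rl.inbound(unsolicited, now=1)       # nothing opened it from inside
    result["dns_reply_9s"] = rl.inbound(dns.reverse(), now=9)        # inside 10 s, refreshes to 19
    result["dns_reply_19s"] = rl.inbound(dns.reverse(), now=19)      # idle timer expired
    result["web_reply_100s"] = rl.inbound(web.reverse(), now=100)    # inside 120 s, refreshes to 220
    result["web_reply_219s"] = rl.inbound(web.reverse(), now=219)    # still live, refreshes to 339
    result["web_reply_340s"] = rl.inbound(web.reverse(), now=340)    # idle since 219: expired
    return result
```

Run `demo()` to see the two timeouts side by side: the DNS entry created with `timeout 10` is gone ten seconds after its last hit, while the web entry with `timeout 120` survives as long as traffic keeps refreshing it.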

—————————

CBAC & java blocking

ip inspect name FW http java-list 1 alert on audit-trail on
ip inspect name FW smtp
ip inspect name FW h323

!
interface Ethernet0/1
ip address 10.1.14.1 255.255.255.0
ip access-group 100 in
ip inspect FW out

access-list 1 permit 4.4.4.0 0.0.0.255
access-list 100 permit icmp any any
access-list 100 permit udp any any eq rip
————————————————-

router w/ 3 interfaces, inside, outside and DMZ

ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp
ip inspect name OUT-DMZ tcp

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
ip inspect OUT in

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any 10.2.2.0 0.0.0.255
access-list 101 permit tcp any 10.2.2.0 0.0.0.255 eq www
access-list 102 permit icmp 10.1.2.0 0.0.0.255 any
access-list 103 permit icmp any 10.1.2.0 0.0.0.255
access-list 103 permit tcp any 10.2.2.0 0.0.0.255 eq www

int e0/1
ip access-group 102 in
ip access-group 103 out
—————————————————————–
R1(config)# do sho ip port-map http
Default mapping:  http                 tcp port 80                         system defined

ip port-map http port tcp 8000 list 1
ip port-map http port tcp 8080 list 2
access-list 1 permit 10.1.1.3
access-list 2 permit 10.1.1.4

do sho ip port-ma htt
Default mapping:  http                 tcp port 80                         system defined
Host specific:    http                 tcp port 8000           in list 1   user defined
Host specific:    http                 tcp port 8080           in list 2   user defined

————————————————

Code Red

class-map match-any CODERED
match protocol http url "*cmd.exe*"
match protocol http url "*.ida*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"

policy-map NOCODERED
class CODERED
set ip precedence 4

interface Ethernet0/0
ip address 10.6.6.6 255.255.255.0
ip access-group 100 out

interface Serial1/0.64 point-to-point
ip address 10.1.46.6 255.255.255.0
frame-relay interface-dlci 604
service-policy input NOCODERED

access-list 100 deny   ip any any precedence flash-override
access-list 100 permit ip any any

Posted in Routing & Switching Lab, Security | Leave a Comment »

prefix-lists

Posted by Peter Kurdziel on January 24, 2009

Only permit 194.1.1.0/27 into the routing table.

ip prefix-list NET194 seq 5 permit 194.1.1.0/27

router rip
version 2
network 10.0.0.0
distribute-list prefix NET194 in Ethernet0/0

————————————————–

Permit only non-subnetted class A networks

ip prefix-list SUB10 seq 5 per 0.0.0.0/1 ge 8 le 8

R2(config-router)#distribute-list pre SUB10 in e0/0
R2(config-router)#do clear ip route *
R2(config-router)#do sho ip route  rip
R    1.0.0.0/8 [120/1] via 10.1.12.1, 00:00:04, Ethernet0/0
R    2.0.0.0/8 [120/1] via 10.1.12.1, 00:00:04, Ethernet0/0
R    3.0.0.0/8 [120/1] via 10.1.12.1, 00:00:04, Ethernet0/0
R    125.0.0.0/8 [120/1] via 10.1.12.1, 00:00:04, Ethernet0/0

note: the /1 prefix picks out class A (leading bit 0); ge 8 le 8 keeps only the unsubnetted /8 networks
——————————————————————-

allow only class B networks

ip prefix-list CLASSB seq 5 per 128.0.0.0/2 ge 16 le 16

distribute-list prefix CLASSB in Ethernet0/0

note: /2 prefix-length with a network address of 128.0.0.0 (leading bits 10); since I want to filter ONLY class B networks that are NOT subnetted, the prefix-length is GE 16 and LE 16.
——————————————————-

only allow class C

ip prefix-list CLASSC seq 5 per 192.0.0.0/3 ge 24 le 24

distribute-list prefix CLASSC in Ethernet0/0

note: /3 for the three leading bits (110) that identify class C.
————————————————

allow class A networks and their subnets.

R2(config)#ip prefix-list CLASSA se 5 per 0.0.0.0/1 ge 8 le 32
R2(config)#router rip
R2(config-router)#distr
R2(config-router)#distribute-list prefix CLASSA in e0/0
R2(config-router)#do clear ip route *
R2(config-router)#do sho ip route rip
R    1.0.0.0/8 [120/1] via 10.1.12.1, 00:00:09, Ethernet0/0
R    3.0.0.0/8 [120/1] via 10.1.12.1, 00:00:09, Ethernet0/0
4.0.0.0/16 is subnetted, 1 subnets
R       4.4.0.0 [120/1] via 10.1.12.1, 00:00:09, Ethernet0/0
5.0.0.0/24 is subnetted, 1 subnets
R       5.5.5.0 [120/1] via 10.1.12.1, 00:00:09, Ethernet0/0
6.0.0.0/27 is subnetted, 1 subnets
R       6.6.6.0 [120/1] via 10.1.12.1, 00:00:09, Ethernet0/0
R    125.0.0.0/8 [120/1] via 10.1.12.1, 00:00:09, Ethernet0/0
R2(config-router)#
—————————————————————–

R2(config)#ip prefix-list B se 5 per 128.0.0.0/2 ge 16 le 32
R2(config)#router rip
R2(config-router)#distri
R2(config-router)#distribute-list pre B in e0/0
R2(config-router)#
R2(config-router)#do clear ip route *
R2(config-router)#do sho ip route rip
R    191.1.0.0/16 [120/1] via 10.1.12.1, 00:00:07, Ethernet0/0
R    128.1.0.0/16 [120/1] via 10.1.12.1, 00:00:07, Ethernet0/0
R    131.1.0.0/16 [120/1] via 10.1.12.1, 00:00:07, Ethernet0/0
132.1.0.0/24 is subnetted, 1 subnets
R       132.1.1.0 [120/1] via 10.1.12.1, 00:00:07, Ethernet0/0
133.1.0.0/25 is subnetted, 1 subnets
R       133.1.1.0 [120/1] via 10.1.12.1, 00:00:07, Ethernet0/0
————————————————

allow /25 or longer (more specific)

ip prefix-list 25ormore se 5 per 0.0.0.0/0 ge 25

—————————————————————–

allow /16 or shorter (less specific)

ip prefix-list 16orless se 5 per 0.0.0.0/0 le 16
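Every task in this post turns on the same two checks a prefix-list entry makes: the route must fall inside the entry's network (its first N bits agree), and the route's own prefix length must lie in the range set by ge/le (exactly N with neither keyword, N..le with only le, ge..32 with only ge). The Python below is an added example, not IOS code or anything from the post; it implements those semantics and runs each prefix-list from the post over a route list constructed from the RIP routes shown above, so the notes on /1, /2 and /3 can be checked directly.

```python
"""ip prefix-list matching with ge / le.

Added example (Python, not IOS code). An entry `A.B.C.D/N [ge X] [le Y]`
matches a route when the route lies inside A.B.C.D/N (its first N bits
agree) and its own prefix length falls in the allowed range: exactly N with
neither keyword, N..Y with only le, X..32 with only ge, X..Y with both.
The route list is constructed from the RIP routes shown in the post.
"""
import ipaddress
from typing import List, Optional, Tuple

# (action, prefix, ge, le), evaluated in sequence order
Entry = Tuple[str, str, Optional[int], Optional[int]]


def entry_matches(route: str, prefix: str, ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    r = ipaddress.ip_network(route, strict=False)
    p = ipaddress.ip_network(prefix, strict=False)
    n = p.prefixlen
    low = ge if ge is not None else n
    high = le if le is not None else (r.max_prefixlen if ge is not None else n)
    if not (low <= r.prefixlen <= high):
        return False
    # the route must sit inside the entry's prefix: at least N bits long, network address within A.B.C.D/N
    return r.prefixlen >= n and r.network_address in p


def permitted(prefix_list: List[Entry], route: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False


def filter_routes(prefix_list: List[Entry], routes: List[str]) -> List[str]:
    """Apply the list the way `distribute-list prefix ... in` would to received routes."""
    return [r for r in routes if permitted(prefix_list, r)]


# Constructed from the RIP routes visible in the post
ROUTES = [
    "1.0.0.0/8", "2.0.0.0/8", "3.0.0.0/8", "125.0.0.0/8",
    "4.4.0.0/16", "5.5.5.0/24", "6.6.6.0/27",
    "128.1.0.0/16", "131.1.0.0/16", "191.1.0.0/16",
    "132.1.1.0/24", "133.1.1.0/25",
    "194.1.1.0/27",
]

# The prefix lists from the post
NET194 = [("permit", "194.1.1.0/27", None, None)]
SUB10 = [("permit", "0.0.0.0/1", 8, 8)]          # unsubnetted class A
CLASSA = [("permit", "0.0.0.0/1", 8, 32)]        # class A plus its subnets
CLASSB = [("permit", "128.0.0.0/2", 16, 16)]     # unsubnetted class B
B_SUBNETS = [("permit", "128.0.0.0/2", 16, 32)]
CLASSC = [("permit", "192.0.0.0/3", 24, 24)]     # unsubnetted class C
GE25 = [("permit", "0.0.0.0/0", 25, None)]       # /25 or longer
LE16 = [("permit", "0.0.0.0/0", None, 16)]       # /16 or shorter

if __name__ == "__main__":
    for name, pl in (("SUB10", SUB10), ("CLASSA", CLASSA), ("CLASSB", CLASSB),
                     ("CLASSC", CLASSC), ("25ormore", GE25), ("16orless", LE16)):
        print(f"{name:>9}: {filter_routes(pl, ROUTES)}")
```

Note what CLASSC returns for the constructed routes: nothing, because the only class C route in the list is 194.1.1.0/27 and `ge 24 le 24` admits /24 networks only. A `le 32` would be needed to let subnets of class C through, exactly as the class A and B variants above do.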
————————

Posted in Routing & Switching Lab | Leave a Comment »

QOS – switching

Posted by Peter Kurdziel on January 24, 2009

sw1#sh mls qos maps dscp-input-q
Dscp-inputq-threshold map:
d1 :d2    0     1     2     3     4     5     6     7     8     9
————————————————————
0 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
1 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
2 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
3 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
4 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 01-01 01-01
5 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
6 :    01-01 01-01 01-01 01-01

sw1(config)#$-queue input dscp-map queue 1 threshold 2 0 1 2 3 4 5 6 7
sw1(config)#$-queue input dscp-map queue 1 threshold ?
<1-3>  enter dscp-map threshold id

sw1(config)#mls qos srr-queue input dscp-map queue 1 threshold 2 ?
<0-63>  dscp values separated by spaces (up to 8 values total)

sw1(config)#$ut dscp-map queue 1 threshold 2  8 9 10 11 12 13 14 15
sw1(config)#$ut dscp-map queue 1 threshold 2  16 17 18 19 20
sw1(config)#$ut dscp-map queue 1 threshold 1 21 22 23 24 25 26 27 28
sw1(config)#$ut dscp-map queue 1 threshold 1 29 30 31 32 33 34 35 36
sw1(config)#$ut dscp-map queue 1 threshold 1 37 38 39 40 41 42 43 44
sw1(config)#$ut dscp-map queue 1 threshold 1 45 46 47 48 49 50

sw1(config)#$ut dscp-map queue 1 threshold 1 51 52 53 54 55 56 57 58
sw1(config)#$ut dscp-map queue 1 threshold 1 59
sw1(config)#mls qos srr-queue input dscp-map queue 1 threshold 2 60 61 62 63
sw1(config)#do sho mls qos maps dscp-i
sw1(config)#do sho mls qos maps dscp-input-q
Dscp-inputq-threshold map:
d1 :d2    0     1     2     3     4     5     6     7     8     9
————————————————————
0 :    01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02
1 :    01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02
2 :    01-02 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
3 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
4 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
5 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
6 :    01-02 01-02 01-02 01-02

sw1(config)#do sho mls qos input-q
Queue     :       1       2
———————————————-
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:     100     100
threshold2:     100     100
sw1(config)#

sw1(config)#do sho mls qos in
sw1(config)#do sho mls qos inpu
sw1(config)#do sho mls qos input-q
Queue     :       1       2
———————————————-
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:     100     100
threshold2:     100     100
sw1(config)#mls qos srr
sw1(config)#mls qos srr-queue in
sw1(config)#mls qos srr-queue input thre
sw1(config)#mls qos srr-queue input threshold 1 50 75
sw1(config)#mls qos srr-queue input threshold 2 30 75
sw1(config)#do sho mls qos input-q
Queue     :       1       2
———————————————-
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:      50      30
threshold2:      75      75
sw1(config)#

sw1(config)#mls qos srr-queue input bandwidth 35 45

sw1(config)#mls qos srr-queue input priority-queue 1 band 20

sw1#sh mls qos inp
Queue     :       1       2
———————————————-
buffers   :      60      40
bandwidth :      35      45
priority  :      20       0
threshold1:      50      30
threshold2:      75      75

=======================================================================

sw2(config)#mls qos srr-q out dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 7
sw2(config)#$-q out dscp-map queue 1 threshold 2 8 9 10 11 12 13 14 15
sw2(config)#$-q out dscp-map queue 2 thre 1 16 17 18 19 20 21 22 23
sw2(config)#mls qos srr-q out dscp-map queue 2 thre 2 24 25 26 27 28 29 30 31
sw2(config)#mls qos srr-q out dscp-map queue 3 thres
sw2(config)#$-q out dscp-map queue 3 threshold 1 32 33 34 35 36 37 38 39
sw2(config)#$-q out dscp-map queue 3 threshold 2 40 41 42 43 44 45 46 47
sw2(config)#$-q out dscp-map queue 4 thre
sw2(config)#$-q out dscp-map queue 4 threshold 1 48 49 50 51 52 53 54 55
sw2(config)#$-q out dscp-map queue 4 threshold 2 56 57 58 59 60 61 62 63
sw2(config)#
sw2(config)#
sw2(config)#do sho mls qos maps dscp-output-q
Dscp-outputq-threshold map:
d1 :d2    0     1     2     3     4     5     6     7     8     9
————————————————————
0 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-02 01-02
1 :    01-02 01-02 01-02 01-02 01-02 01-02 02-01 02-01 02-01 02-01
2 :    02-01 02-01 02-01 02-01 02-02 02-02 02-02 02-02 02-02 02-02
3 :    02-02 02-02 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01
4 :    03-02 03-02 03-02 03-02 03-02 03-02 03-02 03-02 04-01 04-01
5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-02 04-02 04-02 04-02
6 :    04-02 04-02 04-02 04-02

==============================================================================

sw2(config)#do show mls qos int f0/14 buff
FastEthernet0/14
QoS is disabled. When QoS is enabled, following settings will be applied
The port is mapped to qset : 1
The allocations between the queues are : 25 25 25 25

sw2(config)#mls qos
sw2(config)#
sw2(config)#
sw2(config)#do show mls qos int f0/14 buff
FastEthernet0/14
The port is mapped to qset : 1
The allocations between the queues are : 25 25 25 25

port specific – a second queue-set applied to one interface

sw2(config)#mls qos queue-set output 2 buffers 40 20 20 20
sw2(config)#int f0/14
sw2(config-if)#queue-set 2
sw2(config-if)#do show mls qos int f0/14 buff
FastEthernet0/14
The port is mapped to qset : 2
The allocations between the queues are : 40 20 20 20

all ports – queue-set 1 is the default for every interface, so changing it applies everywhere; no per-interface queue-set 1 command is needed

sw2(config-if)#mls qos queue-set output 1 buffers 40 20 20 20
sw2(config)#do show mls qos int f0/1 buff
FastEthernet0/1
The port is mapped to qset : 1
The allocations between the queues are : 40 20 20 20

sw2(config)#do show mls qos int f0/24 buff
FastEthernet0/24
The port is mapped to qset : 1
The allocations between the queues are : 40 20 20 20
=========================================================

sw2(config)#mls qos queue-set out 2 thres 1 40 60 100 200
sw2(config)#mls qos queue-set out 2 thres 2 30 70 100 300

sw2(config)#do sho mls qos queue-set 2
Queueset: 2
Queue     :       1       2       3       4
———————————————-
buffers   :      40      20      20      20
threshold1:      40      30     100     100
threshold2:      60      70     100     100
reserved  :     100     100      50      50
maximum   :     200     300     400     400
=================================================

sw2(config)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : disabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 100  (Operational Bandwidth:100.0)
The port is mapped to qset : 1

sw2(config)#int f0/16
sw2(config-if)#srr-queue band limit 80

sw2(config-if)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : disabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 80  (Operational Bandwidth:80.0)
The port is mapped to qset : 1

=================================================

sw2(config-if)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : disabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 80  (Operational Bandwidth:80.0)
The port is mapped to qset : 1

sw2(config-if)#
sw2(config-if)#
sw2(config-if)#int f0/16
sw2(config-if)#pri
sw2(config-if)#priority-queue out
sw2(config-if)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : enabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 80  (Operational Bandwidth:80.0)
The port is mapped to qset : 1

====================================================

sw2(config-if)#  storm-control broadcast  level 50.00
sw2(config-if)#do sho storm f0/14 broa
Interface  Filter State   Upper        Lower        Current
———  ————-  ———–  ———–  ———-
Fa0/14     Forwarding      50.00%       50.00%        0.00%

===========================================================

sw3(config)#ml qos map cos-dscp 10 10 10 10 20 20 30 30
sw3(config)#do sho mls qos map cos-ds
Cos-dscp map:
cos:   0  1  2  3  4  5  6  7
——————————–
dscp:  10 10 10 10 20 20 30 30

===================================================

sw4(config)#mls qos map dscp-mutation TST 0 1 2 3 4 5 6 7 to 10
sw4(config)#mls qos map dscp-mutation TST 8 9 10 11 12 13 14 15 to 10
sw4(config)#mls qos map dscp-mutation TST 16 17 18 19 20 to 10

sw4(config)#mls qos map dscp-mutation TST 21 22 23 24 25 26 27 28 to 20
sw4(config)#mls qos map dscp-mutation TST 29 30 to 20

sw4(config)#mls qos map dscp-mutat TST 31 32 33 34 35 36 37 38 to 30
sw4(config)#mls qos map dscp-mutat TST 39 40 to 30

sw4(config)#mls qos map dscp-mutat TST  41 42 43 44 45 46 47 48 to 40
sw4(config)#mls qos map dscp-mutat TST  49 50 to 40
sw4(config)#
sw4(config)#mls qos map dscp-mutat TST 51 52 53 54 55 56 57 58 to 50
sw4(config)#mls qos map dscp-mutat TST 59 60 t 50
sw4(config)#mls qos map dscp-mutat TST 61 62 63 to 60

sw4(config)#int f0/23
sw4(config-if)#mls qos dsc
sw4(config-if)#mls qos dscp-mutation TST
sw4(config-if)#do sho mls qos map dscp-m

Dscp-dscp mutation map:
TST:
d1 :  d2 0  1  2  3  4  5  6  7  8  9
—————————————
0 :    10 10 10 10 10 10 10 10 10 10
1 :    10 10 10 10 10 10 10 10 10 10
2 :    10 20 20 20 20 20 20 20 20 20
3 :    20 30 30 30 30 30 30 30 30 30
4 :    30 40 40 40 40 40 40 40 40 40
5 :    40 50 50 50 50 50 50 50 50 50
6 :    50 60 60 60

Dscp-dscp mutation map:
Default DSCP Mutation Map:
d1 :  d2 0  1  2  3  4  5  6  7  8  9
—————————————
0 :    00 01 02 03 04 05 06 07 08 09
1 :    10 11 12 13 14 15 16 17 18 19
2 :    20 21 22 23 24 25 26 27 28 29
3 :    30 31 32 33 34 35 36 37 38 39
4 :    40 41 42 43 44 45 46 47 48 49
5 :    50 51 52 53 54 55 56 57 58 59
6 :    60 61 62 63
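Every `show mls qos maps` table in this post (dscp-input-q, dscp-output-q and the two dscp-mutation maps) uses the same layout: the row label d1 is the tens digit of the DSCP value and the column d2 the units digit, so value v sits at row v // 10, column v % 10, and row 6 stops at column 3 because DSCP ends at 63. The Python below is an added example, not IOS code or anything from the post; it replays the sw1 dscp-input-q commands and the sw4 TST mutation commands, renders the results in that layout so they can be compared with the `show` output quoted above, and lists which DSCP values a change actually touched.

```python
"""Rebuild and render Catalyst DSCP maps.

Added example (Python, not IOS). `show mls qos maps` prints a 64-entry
DSCP map as a grid: the row label d1 is the tens digit and the column d2
the units digit, so DSCP value v sits at row v // 10, column v % 10 (row 6
stops at column 3 because DSCP ends at 63). The code below rebuilds the
dscp-input-q map from the sw1 commands and the TST dscp-mutation map from
the sw4 commands and renders them in that layout.
"""
from typing import Callable, Dict, Iterable, List, Tuple

QueueThreshold = Tuple[int, int]


def default_input_q_map() -> Dict[int, QueueThreshold]:
    """Default dscp-input-q map as shown before any changes: queue 1/threshold 1,
    except DSCP 40-47 in queue 2/threshold 1."""
    m = {d: (1, 1) for d in range(64)}
    for d in range(40, 48):
        m[d] = (2, 1)
    return m


def set_input_q(m: Dict[int, QueueThreshold], queue: int, threshold: int, dscps: Iterable[int]) -> None:
    """mls qos srr-queue input dscp-map queue <queue> threshold <threshold> <dscps>"""
    for d in dscps:
        m[d] = (queue, threshold)


def build_input_q_map() -> Dict[int, QueueThreshold]:
    """Replays the sw1 commands from the post."""
    m = default_input_q_map()
    set_input_q(m, 1, 2, range(0, 21))     # three commands: 0-7, 8-15, 16-20
    set_input_q(m, 1, 1, range(21, 60))    # six commands: 21-28 ... 59
    set_input_q(m, 1, 2, range(60, 64))
    return m


def identity_mutation() -> Dict[int, int]:
    """Default DSCP mutation map: every value maps to itself."""
    return {d: d for d in range(64)}


def build_tst_mutation() -> Dict[int, int]:
    """Replays the sw4 `mls qos map dscp-mutation TST ... to <new>` commands."""
    m = identity_mutation()
    for lo, hi, new in ((0, 20, 10), (21, 30, 20), (31, 40, 30), (41, 50, 40), (51, 60, 50), (61, 63, 60)):
        for d in range(lo, hi + 1):
            m[d] = new
    return m


def render(m: Dict, cell: Callable) -> List[str]:
    """Render a 64-entry map in the d1/d2 layout used by `show mls qos maps`."""
    width = len(cell(m[0]))
    lines = ["d1 :d2 " + " ".join(str(d2).rjust(width) for d2 in range(10))]
    for d1 in range(7):
        cells = [cell(m[d1 * 10 + d2]) for d2 in range(10) if d1 * 10 + d2 < 64]
        lines.append("%d :    %s" % (d1, " ".join(cells)))
    return lines


def changed_values(before: Dict, after: Dict) -> List[int]:
    """DSCP values whose mapping differs between two maps (an audit of a QoS change)."""
    return [d for d in range(64) if before[d] != after[d]]


def qt_cell(qt: QueueThreshold) -> str:
    return "%02d-%02d" % qt


def dscp_cell(v: int) -> str:
    return "%02d" % v


if __name__ == "__main__":
    print("\n".join(render(build_input_q_map(), qt_cell)))
    print()
    print("\n".join(render(build_tst_mutation(), dscp_cell)))
```

`changed_values` is the useful part operationally: comparing the default map with the configured one shows that the sw1 commands changed 33 DSCP values, including moving 40-47 out of queue 2, which is easy to miss when reading the grid by eye.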

Posted in CATALYST, QOS, Routing & Switching Lab | Leave a Comment »

switch security

Posted by Peter Kurdziel on January 24, 2009

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security aging time 60
switchport port-security aging static
switchport port-security mac-address 0000.1111.1111

sw1(config-if)#do sho port-s

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
(Count)       (Count)          (Count)
—————————————————————————
Fa0/1              1            1                  0         Shutdown
—————————————————————————
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

sw1(config-if)#do  sho port-s addres
Secure Mac Address Table
————————————————————————
Vlan    Mac Address       Type                     Ports   Remaining Age
(mins)
—-    ———–       —-                     —–   ————-
1    0000.1111.1111    SecureConfigured         Fa0/1       59
————————————————————————
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

to test, remove the permitted MAC from r1 so the port sees a different source address:
r1
int f0/0
no mac 0000.1111.1111

sw1(config-if)#
06:57:59: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

sw1(config-if)#
06:57:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.5925.f8d0 on port FastEthernet0/1.

06:58:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

sw1(config-if)#
06:58:01: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

sw1(config-if)#do sho inter status | inc err-dis
Fa0/1                        err-disabled 1            auto   auto 10/100BaseTX

sw1(config-if)#do sho inter status  err-dis

Port      Name               Status       Reason               Err-disabled Vlans
Fa0/1                        err-disabled psecure-violation

sw1(config-if)#do sho port-se
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
(Count)       (Count)          (Count)
—————————————————————————
Fa0/1              1            1                  1         Shutdown
—————————————————————————
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

=====================================================

macro name Port-Secur
sw mo acc
sw port-s
sw port-s mac-address stick
sw port-s max 1
sw port-s vio pro
@

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5925.f8d1
macro description Port-Secur | Port-Secur
end

sw2(config-if-range)#  do sho run int f0/2
Building configuration…

Current configuration : 275 bytes
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5902.9ce9
macro description Port-Secur | Port-Secur
end

etc………

====================================

to prevent two servers from talking to each other in the same vlan

int range f0/15 – 16
sw mo acc
sw acc v 18
sw protected

sw2(config-if-range)#do sho int f0/15 sw
Name: Fa0/15
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 88 (VLAN0088)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true <—————————<<<<
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
===========================

prevent UNKNOWN unicast and multicast between the ports

int range f0/15 – 16
sw2(config-if-range)#switchport block unicast
sw2(config-if-range)#switchport block multicast

=======================================================

sw1(config)#do sho dot1x
Sysauthcontrol             Disabled
Dot1x Protocol Version            2
Critical Recovery Delay         100
Critical EAPOL             Disabled

aaa new-model
aaa authent login default none <-- no radius server; used so I'm not locked out
aaa authentication dot1x default group radius

radius-server host 192.168.1.2 key cisco

sw1(config-if)#do sh dot1x int f0/16

interface FastEthernet0/16
switchport mode access
dot1x pae authenticator
dot1x port-control auto
end

sw1(config-if)#do sh dot1x int f0/16
Dot1x Info for FastEthernet0/16
———————————–
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

===================================

sw1(config)#do sh mac-address-table aging-time
Global Aging Time:  300
Vlan    Aging Time
—-    ———-
1     300
88     300

sw1(config)#mac-address-table aging-time 600
sw1(config)#
sw1(config)#
sw1(config)#
sw1(config)#do sh mac-address-table aging-time
Global Aging Time:  600
Vlan    Aging Time
—-    ———-
1     600
88     600
==================================

to have the config.text and vlan.dat files deleted during password recovery
no service password-recovery

sh ver
..(omitted for brevity)..
The password-recovery mechanism is disabled

========================================

sw1(config)# do sh dot1x int f0/16

Dot1x Info for FastEthernet0/16
———————————–
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

sw1(config)#int f0/16
sw1(config-if)#dot1x host-mode multi-host

sw1(config-if)# do sh dot1x int f0/16

Dot1x Info for FastEthernet0/16
———————————–
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
=============================================================

sw1(config)#mac-address-table static 0000.6666.6666 vlan 56 int f0/6
sw1(config)#do sho mac-address-table stat int f0/6
Mac Address Table
——————————————-

Vlan    Mac Address       Type        Ports
—-    ———–       ——–    —–
56    0000.6666.6666    STATIC      Fa0/6
Total Mac Addresses for this criterion: 1

===================

sw1(config)#mac-address-table stat 0000.1111.2222 vlan 1 drop
sw1(config)#
sw1(config)#
sw1(config)#
sw1(config)#do sho mac-address-table stat add 0000.1111.2222
Mac Address Table
——————————————-

Vlan    Mac Address       Type        Ports
—-    ———–       ——–    —–
1    0000.1111.2222    STATIC      Drop
Total Mac Addresses for this criterion: 1

=======================

r1(config-if)#do sho ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.2222.2222  ARPA   FastEthernet0/0
Internet  10.1.1.1                -   0000.1111.1111  ARPA   FastEthernet0/0

cat1
ip arp inspection vlan 1
ip arp inspection filter TST vlan  1 static

arp access-list TST
permit ip host 10.1.1.2 mac host 0000.2222.2222
permit ip host 10.1.1.1 mac host 0000.1111.1111

testing

r2(config-if)#do pin 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r2(config-if)#do sho ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                -   0000.2222.2222  ARPA   FastEthernet0/1
Internet  10.1.1.1                0   0000.1111.1111  ARPA   FastEthernet0/1
r2(config-if)#no mac-add 0000.2222.2222
r2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
…..

cat1

08:20:58: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:20:58 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:00: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:00 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:02: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:02 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:04: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:04 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:06: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:06 UTC Mon Mar 1 1993])
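The port-security and DAI syslog messages above are the signal a switch gives you when these features fire. As an added example (not from the original notes), this Python parses the three message formats shown, folds the long and short interface names together so the ERR_DISABLE line can be joined to the violating MAC, and checks the DAI denial against the ARP ACL TST configured on cat1. The sample log is constructed from the lines above; the MAC/IP values are the ones in those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, copied in shape from the sw1/cat1 console output above.
SAMPLE_LOG = """\
06:57:59: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
06:57:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.5925.f8d0 on port FastEthernet0/1.
06:58:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
08:20:58: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:20:58 UTC Mon Mar 1 1993])
"""

# The ARP ACL "TST" configured on cat1 above, as IP -> permitted MAC bindings.
ARP_ACL_TST: Dict[str, str] = {
    "10.1.1.2": "0000.2222.2222",
    "10.1.1.1": "0000.1111.1111",
}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    rf"(?P<mac>{MAC}) on port (?P<port>\S+)\."
)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>[^,]+),")
# DAI payload is [sender MAC/sender IP/target MAC/target IP/timestamp].
DAI_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on (?P<port>[^,]+), "
    rf"vlan (?P<vlan>\d+)\.\(\[(?P<smac>{MAC})/(?P<sip>[\d.]+)/(?P<tmac>{MAC})/(?P<tip>[\d.]+)/"
)


@dataclass
class SwitchEvent:
    kind: str                   # "err_disable", "psecure_violation" or "dai_deny"
    port: str                   # normalised short name, e.g. Fa0/1
    mac: Optional[str] = None   # offending MAC (sender MAC for DAI)
    ip: Optional[str] = None    # sender IP claimed in the ARP (DAI only)
    vlan: Optional[int] = None
    detail: str = ""


def normalize_port(name: str) -> str:
    """Fold 'FastEthernet0/1' and 'Fa0/1' onto one key so events can be correlated."""
    return re.sub(r"^FastEthernet", "Fa", name.strip())


def parse_line(line: str) -> Optional[SwitchEvent]:
    m = ERRDISABLE_RE.search(line)
    if m:
        return SwitchEvent("err_disable", normalize_port(m["port"]), detail=m["reason"])
    m = PSECURE_RE.search(line)
    if m:
        return SwitchEvent("psecure_violation", normalize_port(m["port"]), mac=m["mac"].lower())
    m = DAI_RE.search(line)
    if m:
        return SwitchEvent("dai_deny", normalize_port(m["port"]), mac=m["smac"].lower(),
                           ip=m["sip"], vlan=int(m["vlan"]), detail=f"{m['kind']} for {m['tip']}")
    return None  # LINEPROTO/LINK state changes and anything else are ignored here


def parse_log(text: str) -> List[SwitchEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def dai_binding_ok(sender_ip: str, sender_mac: str, acl: Dict[str, str]) -> bool:
    """Static DAI filter decision: the sender IP/MAC pair must match an ACL entry exactly."""
    return acl.get(sender_ip, "").lower() == sender_mac.lower()


def explain_dai(ev: SwitchEvent, acl: Dict[str, str]) -> str:
    expected = acl.get(ev.ip or "")
    if expected is None:
        return f"{ev.port}: {ev.ip} has no binding in the ARP ACL"
    return f"{ev.port}: {ev.ip} is bound to {expected}, ARP came from {ev.mac}"


def err_disabled_ports(events: List[SwitchEvent]) -> Dict[str, Dict[str, Optional[str]]]:
    """Join the ERR_DISABLE reason with the violating MAC reported for the same port."""
    out: Dict[str, Dict[str, Optional[str]]] = {}
    for ev in events:
        if ev.kind == "err_disable":
            out.setdefault(ev.port, {})["reason"] = ev.detail
        elif ev.kind == "psecure_violation":
            out.setdefault(ev.port, {})["mac"] = ev.mac
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(err_disabled_ports(evs))
    for ev in evs:
        if ev.kind == "dai_deny":
            print(explain_dai(ev, ARP_ACL_TST), "->", dai_binding_ok(ev.ip, ev.mac, ARP_ACL_TST))
```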

=================

sw1(config-if)#ip arp inspection limit rate 10 burst interval 2
sw1(config-if)#
sw1(config-if)#
sw1(config-if)#
sw1(config-if)#do sho ip arp insp inter

Interface        Trust State     Rate (pps)    Burst Interval
—————  ———–     ———-    ————–
Fa0/1            Untrusted               10                 2
Fa0/2            Untrusted               15                 1
Fa0/3            Untrusted               15                 1

=================

mac access-list extended TEST
deny   any any decnet-iv
deny   any any etype-6000
deny   any any etype-8042
permit any any

sw1(config-if)#do sho mac access int f0/10
Interface FastEthernet0/10:
Inbound access-list is TEST
Outbound access-list is not set

===================================

mac access-list extended MAC-forward
permit host 0000.1111.2222 any
permit host 0000.1111.3333 any
mac access-list extended Protocol-forward
permit any any decnet-iv
permit any any vines-ip
mac access-list extended Protocol=forward
mac access-list extended TEST
deny   any any decnet-iv
deny   any any etype-6000
deny   any any etype-8042
permit any any

vlan access-map TST 10
action drop
match ip address R1-2
vlan access-map TST 20
action drop
match ip address UDP
vlan access-map TST 30
action drop
match ip address TCP
vlan access-map TST 40
action drop
match ip address IGMP
vlan access-map TST 50
action drop
match mac address MAC-forward
vlan access-map TST 60
action drop
match mac address Protocol-forward
vlan access-map TST 70
action forward
!
vlan filter TST vlan-list 2

ip access-list extended IGMP
permit igmp any any
ip access-list extended R1-2
permit ip host 10.1.1.1 host 10.1.1.2
permit ip host 10.1.1.2 host 10.1.1.1
ip access-list extended TCP
permit tcp host 10.1.1.3 host 10.1.1.4
permit tcp host 10.1.1.4 host 10.1.1.3
ip access-list extended UDP
permit udp any any
============================

Posted in CATALYST, Routing & Switching Lab

etherchannels

Posted by Peter Kurdziel on January 24, 2009

sw1

interface FastEthernet0/13
channel-group 12 mode auto

interface FastEthernet0/14
channel-group 12 mode auto

interface Port-channel12
switchport trunk encapsulation dot1q
switchport mode trunk

sw2
interface FastEthernet0/13
channel-group 21 mode auto

interface FastEthernet0/14
channel-group 21 mode auto

interface Port-channel 21
switchport trunk encapsulation dot1q
switchport mode trunk
===========================

interface FastEthernet0/16
channel-group 13 mode on

interface FastEthernet0/17
channel-group 13 mode on

interface Port-channel13
switchport trunk encapsulation dot1q
switchport mode trunk

sw1(config-if)#do sho etherc
Channel-group listing:
———————-

Group: 12
———-
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   PAgP

Group: 13
———-
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -

sw1(config-if)#do sho etherc sum
Flags:  D – down        P – in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3      S – Layer2
U – in use      f – failed to allocate aggregator
u – unsuitable for bundling
w – waiting to be aggregated
d – default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
12     Po12(SU)        PAgP      Fa0/13(P)   Fa0/14(P)
13     Po13(SU)         -        Fa0/16(P)   Fa0/17(P)

==========

sw1(config)#port-channel load-balance ?
dst-ip       Dst IP Addr
dst-mac      Dst Mac Addr
src-dst-ip   Src XOR Dst IP Addr
src-dst-mac  Src XOR Dst Mac Addr
src-ip       Src IP Addr
src-mac      Src Mac Addr

sw1(config)#port-channel load-balance ds
sw1(config)#port-channel load-balance dst-m
sw1(config)#port-channel load-balance dst-mac
sw1(config)#do sho ether load-bal
EtherChannel Load-Balancing Configuration:
dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination MAC address
IPv6: Destination MAC address
===================

sw2(config)#port-channel load-balance src-dst-ip
sw2(config)#
sw2(config)#
sw2(config)#do sho etherc load-b
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
===============

interface FastEthernet0/19
channel-group 24 mode desirable

interface FastEthernet0/20
channel-group 24 mode desirable

interface Port-channel24
switchport trunk encapsulation isl
switchport mode trunk

sw4(config-if-range)#do sho etherc prot
Channel-group listing:
———————-

Group: 24
———-
Protocol:  PAgP

sw4(config-if-range)#do sho etherc sum
Flags:  D – down        P – in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3      S – Layer2
U – in use      f – failed to allocate aggregator
u – unsuitable for bundling
w – waiting to be aggregated
d – default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
24     Po24(SU)        PAgP      Fa0/16(P)   Fa0/17(P)

==================

sw3
interface Port-channel34
switchport trunk encapsulation isl
switchport mode trunk

interface FastEthernet0/19
channel-group 34 mode passive

interface FastEthernet0/20
channel-group 34 mode passive

sw4

interface Port-channel43
switchport trunk encapsulation isl
switchport mode trunk
!
interface FastEthernet0/19
channel-group 43 mode active
!
interface FastEthernet0/20
channel-group 43 mode active

sw3(config-if)#do sho ether
Channel-group listing:
———————-

Group: 31
———-
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -

Group: 34
———-
Group state = L2
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP

sw3(config-if)#do sho ether sum
Flags:  D – down        P – in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3      S – Layer2
U – in use      f – failed to allocate aggregator
u – unsuitable for bundling
w – waiting to be aggregated
d – default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
31     Po31(SU)         -        Fa0/13(P)   Fa0/14(P)
34     Po34(SU)        LACP      Fa0/19(P)   Fa0/20(P)

=================================

interface Port-channel23
no switchport
ip address 10.1.23.2 255.255.255.0

interface FastEthernet0/16
no switchport
no ip address
channel-group 23 mode on

interface FastEthernet0/17
no switchport
no ip address
channel-group 23 mode on

sw2(config-if)#do sho ether sum
Flags:  D – down        P – in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3      S – Layer2
U – in use      f – failed to allocate aggregator
u – unsuitable for bundling
w – waiting to be aggregated
d – default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
21     Po21(SU)        PAgP      Fa0/13(P)   Fa0/14(P)
23     Po23(RU)         -        Fa0/16(P)   Fa0/17(P)
24     Po24(SU)        PAgP      Fa0/19(P)   Fa0/20(P)

Posted in CATALYST, Routing & Switching Lab

Private vlans

Posted by Peter Kurdziel on January 24, 2009

vlan 10
private-vlan primary
private-vlan association 20,30,40
!
vlan 12
!
vlan 20
private-vlan community
!
vlan 30
private-vlan community
!
vlan 40
private-vlan isolated


sw1(config)#do sho vlan private-vl

Primary Secondary Type              Ports
——- ——— —————– ——————————————
10      20        community
10      30        community
10      40        isolated

interface FastEthernet0/1
switchport private-vlan mapping 10 20,30,40
switchport mode private-vlan promiscuous
!
interface FastEthernet0/2
switchport private-vlan host-association 10 20
switchport mode private-vlan host
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport private-vlan host-association 10 30
switchport mode private-vlan host
!

!
interface FastEthernet0/10
switchport private-vlan host-association 10 40
switchport mode private-vlan host

!
interface FastEthernet0/11
switchport private-vlan host-association 10 40
switchport mode private-vlan host

sw1(config-if-range)#do sho vlan pri

Primary Secondary Type              Ports
——- ——— —————– ——————————————
10      20        community         Fa0/1, Fa0/2
10      30        community         Fa0/1, Fa0/4
10      40        isolated          Fa0/1, Fa0/10, Fa0/11

sw1(config-if-range)#

Posted in CATALYST, Routing & Switching Lab

security notes

Posted by Peter Kurdziel on January 22, 2009

no service password-recovery – no pw recovery
security passwords min-length 7

enable secret cisco
% Password too short – must be at least 7 characters. Password configuration failed

————————————

service password-encryption

———————————————–

line aux 0
login local
password cisco

——————-

3 failed login attempts, then create a syslog msg

security authentication failure rate 3 log
———————————————-

log out an idle console session after 4 min 30 sec

line con 0
exec-timeout 4 30

might need a wr mem & reload
—————————–

username U2 privilege 2 password 7 070C285F4D06
username U3 privilege 3 password 7 01100F17580455
username admin password 7 094F471A1A0A

privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show interfaces
privilege exec level 2 show

line con 0
login local
———————-
not done on line….

config t banner motd #
You are connected to $(hostname) on line $(line) on domain $(domain)
#
ip domain-name ccie2be.4me

*Mar  1 00:48:50.483: %SYS-5-CONFIG_I: Configured from console by console
You are connected to R1 on line 0 on domain ccie2b3.4me
————————————————————–
menus

username U2 privilege 15 password 7 030752180500731C1E50
username U2 autocommand men U2
username admin password 7 060506324F415B49554E

menu U2 title ^C CCIE MENU ^C
menu U2 prompt ^C Please choose an option and press enter^C
menu U2 text 1 Display interfaces and ip’s
menu U2 command 1 sh ip int br
menu U2 options 1 pause
menu U2 text 2 Display ethernet 0/0
menu U2 command 2 sho run int e0/0
menu U2 text 3 Logout
menu U2 command 3 logout
menu U2 text 4 Exit out of menu
menu U2 command 4 menu-exit
menu U2 clear-screen
menu U2 line-mode

CCIE MENU

1          Display interfaces and ip’s

2          Display ethernet 0/0

3          Logout

4          Exit out of menu

Please choose an option and press enter
————————————————–

access-list 1 per ho 1.1.1.1
line vty 0
access-class 1 in

test
telnet 10.1.12.2 <- does not work
telnet 10.1.12.2 /source lo0 <- works
—————————-

allow telnet from r1 to r2 then to r4
r2

line vty 0 871

access-class 2 out
access-list 2 per ho 4.4.4.4

R1(config-if)#do telnet 10.1.12.2 /source lo0
Trying 10.1.12.2 … Open

User Access Verification

Password:
R2>telnet 4.4.4.4
Trying 4.4.4.4 … Open

User Access Verification

Password:
R4>ex
——————————-
SSH
crypto key generate rsa usage-keys <-- automatically enables ssh

then

aaa new-model
!
!
aaa authentication login NO-AUTH none
aaa authentication login LOCAL-AUTH local
!
username user1 password 0 cisco

line con 0
exec-timeout 0 0
logging synchronous
login authentication NO-AUTH
line aux 0
login authentication NO-AUTH
line vty 0 4
password cisco
login authentication LOCAL-AUTH
transport input ssh
line vty 5 181
login authentication LOCAL-AUTH
transport input ssh
——————————————

deny communications between 1.1.1.1 and 4.4.4.4.

r2
access-list 100 deny   ip host 4.4.4.4 host 1.1.1.1
access-list 100 permit ip any any
access-list 101 deny   ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip any any

interface Ethernet0/0
ip access-group 101 in

interface Serial1/0.23 point-to-point
ip access-group 100 in
———————————————–

r1 can ping and receive replies from r2. R2 cannot ping r1.

access-list 100 deny   icmp host 10.1.12.2 any echo
access-list 100 deny   icmp host 2.2.2.2 any echo
access-list 100 deny   icmp host 10.1.23.2 any echo
access-list 100 permit ip any any
!
interface Ethernet0/0
ip access-group 100 in
—————————————

suppress ICMP unreachable messages
s1/0.32
no ip unreachables
———————–

—————————–

filter eigrp

access-list 101 deny   eigrp any any log
access-list 101 permit ip any any

e0/0
ip access-group 101 in
————————————

filter with mqc

c > p > s (class-map, then policy-map, then service-policy)

access-list 100 permit tcp any any eq telnet

class-map match-all TELNET
match access-group 100

policy-map TST
class TELNET
set ip precedence 1

interface Ethernet0/0
ip address 10.1.12.1 255.255.255.0
full-duplex
service-policy output TST

——————————–

block precedence 1 on r3 s1/0.21

class-map match-all IP_PREC
match ip precedence 1
!
!
policy-map TEST
class IP_PREC
drop

int s1/0.32
service-policy input TEST
——————————-

interface Serial1/0.23 point-to-point
ip access-group 100 in

access-list 100 permit ospf any any
access-list 100 permit tcp any any established
————————————————

access-list 100 permit tcp any host 10.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 permit tcp any any established
access-list 100 dynamic TEST permit ip any any

line vty 0 4
password cisco
login local
autocommand access-enable host timeout 2

sho access-lis
Extended IP access list 100
10 permit tcp any host 10.1.23.2 eq telnet (171 matches)
20 permit ospf any any (10 matches)
30 permit tcp any any established
40 Dynamic TEST permit ip any any
50 permit ip host 10.1.34.4 any (5 matches) (time left 115)
——————————————————————–

access-list 100 permit tcp any host 10.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 permit tcp any any established
access-list 100 dynamic TEST timeout 3 permit ip any any
access-list 100 permit tcp any any eq 3005

line vty 0 4
password cisco
login local
autocommand  access-enable host
line vty 5 870
login local
autocommand  access-enable host
line vty 871
login local
rotary 5
autocommand  access-ena host
———————————————–

ip access-list extended inbound
permit ospf any any
evaluate TEST

ip access-list extended outbound
permit tcp any any eq www reflect TEST
permit tcp any any eq telnet reflect TEST
permit tcp any any eq 69 reflect TEST
permit ospf any any

interface Serial1/0.23 point-to-point
ip address 10.1.23.2 255.255.255.0
ip access-group inbound in
ip access-group outbound out

————————————-

ip access-list extended outbound
permit tcp any any eq www reflect TEST time 120
permit tcp any any eq telnet reflect TEST time 60
permit tcp any any eq 69 reflect TEST time 30
permit icmp any any reflect TEST timeout 10
permit udp any any eq 53 reflec TEST time 10
permit ospf any any

interface Serial1/0.23 point-to-point
ip address 10.1.23.2 255.255.255.0
ip access-group inbound in
ip access-group outbound out
——————————-

all reflexive acls have a timeout of 120
ip reflexive-list timeout 120
——————————–

time-range WEEKDAYS
periodic weekdays 0:00 to 23:59
!
interface Ethernet0/0
ip address 10.1.12.1 255.255.255.0
ip access-group 100 out

access-list 100 permit tcp any any eq www time-range WEEKDAYS
——————-

internet on weekends only

time-range WEEKENDS
periodic weekend 0:00 to 23:59

access-list 100 permit tcp any any eq www time-range WEEKENDS

interface Ethernet0/0
ip access-group 100 out
—————————————
cbac
tcp, udp, icmp inspection. Traffic initiated from the inside is allowed back in.

access-list 100 permit udp any any eq rip
access-list 100 deny   ip any any log

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface Ethernet0/1
ip access-group 100 in
ip inspect fw out
————————————-

access-list 100 permit ip 10.1.123.0 0.0.0.255 any
access-list 101 permit icmp any host 10.1.123.3
access-list 101 permit tcp any host 10.1.123.3 eq telnet

ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp

interface Ethernet0/0
ip access-group 100 in
ip inspect OUT in

!
interface Ethernet0/1
ip access-group 101 in

sh ip inspect session
—————————

ip inspect log drop-pkt
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp idle-time 8
ip inspect tcp finwait-time 8
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 80 block-time 8
ip inspect name OUT udp
ip inspect name OUT icmp
no ip ips deny-action ips-interface

do sho ip insp config
Dropped packet logging is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [600:800] connections
max-incomplete sessions thresholds are [600:800]
max-incomplete tcp connections per host is 80. Block-time 8 minutes.
tcp synwait-time is 20 sec — tcp finwait-time is 8 sec
tcp idle-time is 8 sec — udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name OUT
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10

—————————

CBAC & java blocking

ip inspect name FW http java-list 1 alert on audit-trail on
ip inspect name FW smtp
ip inspect name FW h323

!
interface Ethernet0/1
ip address 10.1.14.1 255.255.255.0
ip access-group 100 in
ip inspect FW out

access-list 1 permit 4.4.4.0 0.0.0.255
access-list 100 permit icmp any any
access-list 100 permit udp any any eq rip
————————————————-

router w/ 3 interfaces, inside, outside and DMZ

ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp
ip inspect name OUT-DMZ tcp

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
ip inspect OUT in

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any 10.2.2.0 0.0.0.255
access-list 101 permit tcp any 10.2.2.0 0.0.0.255 eq www
access-list 102 permit icmp 10.1.2.0 0.0.0.255 any
access-list 103 permit icmp any 10.1.2.0 0.0.0.255
access-list 103 permit tcp any 10.2.2.0 0.0.0.255 eq www

int e0/1
ip access-group 102 in
ip access-group 103 out
—————————————————————–
R1(config)# do sho ip port-map http
Default mapping:  http                 tcp port 80                         system defined

ip port-map http port tcp 8000 list 1
ip port-map http port tcp 8080 list 2
access-list 1 permit 10.1.1.3
access-list 2 permit 10.1.1.4

do sho ip port-ma htt
Default mapping:  http                 tcp port 80                         system defined
Host specific:    http                 tcp port 8000           in list 1   user defined
Host specific:    http                 tcp port 8080           in list 2   user defined

————————————————

code red

class-map match-any CODERED
match protocol http url "*cmd.exe*"
match protocol http url "*.ida*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"

policy-map NOCODERED
class CODERED
set ip precedence 4

interface Ethernet0/0
ip address 10.6.6.6 255.255.255.0
ip access-group 100 out

interface Serial1/0.64 point-to-point
ip address 10.1.46.6 255.255.255.0
frame-relay interface-dlci 604
service-policy input NOCODERED

access-list 100 deny   ip any any precedence flash-override
access-list 100 permit ip any any

Posted in Routing & Switching Lab

Multicast notes

Posted by Peter Kurdziel on January 19, 2009

mcast

ref: http://www.cisco.com/en/US/i/100001-200000/120001-130000/127001-128000/127866.jpg

sh ip pim interface
sh ip mroute
sh ip rpf 10.1.13.1  <-- after pinging from another router to this one.

ip multicast rpf interval 15
ip multicast rpf interval 5 list 1  <-- w/ acl
ip multicast rpf interval 5 ROUTEMAPFORGROUP  <-- route-map
———————

R1(config)#ip multicast route-limit 5 < — limit mroutes to 5

———————
R1(config)#do  sho ip pim int e0/0

Address          Interface                Ver/   Nbr    Query  DR     DR
Mode   Count  Intvl  Prior
10.1.13.1        Ethernet0/0              v2/D   1      30     1      10.1.13.3
R1(config-if)#int e0/0
R1(config-if)#ip pim dr-priority 10
R1(config-if)#do  sho ip pim int e0/0

Address          Interface                Ver/   Nbr    Query  DR     DR
Mode   Count  Intvl  Prior
10.1.13.1        Ethernet0/0              v2/D   1      30     10     10.1.13.1

———-

sh ip pim int e0/0  count

State: * – Fast Switched, D – Distributed Fast Switched
H – Hardware Switching Enabled
Address          Interface                FS  Mpackets In/Out
10.1.13.1        Ethernet0/0              *   2/0

——————–

R1(config-if)#do sho ip pim int e0/0

Address          Interface                Ver/   Nbr    Query  DR     DR
Mode   Count  Intvl  Prior
10.1.13.1        Ethernet0/0              v2/D   1      30     10     10.1.13.1

R1(config-if)#ip pim query-interval 60

R1(config-if)#do sho ip pim int e0/0

Address          Interface                Ver/   Nbr    Query  DR     DR
Mode   Count  Intvl  Prior
10.1.13.1        Ethernet0/0              v2/D   1      60     10    10.1.13.1

—————————————————————-

R6(config-if)#ip igmp join-group 224.1.1.1
sho ip igmp int
———————

troubleshooting – I cannot ping 224.1.1.1 (r6) from r1

R1#mtrace 10.1.246.6
Type escape sequence to abort.
Mtrace from 10.1.246.6 to 10.1.13.1 via RPF
From source (?) to destination (?)
Querying full reverse path…
0  10.1.13.1
-1  10.1.13.1 PIM  [10.1.246.0/24]
-2  10.1.13.3 None No route

R1#ping 224.1.1.1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.1.1.1, timeout is 2 seconds:
.
R1#

R6(config-if)#do sho ip rpf 10.1.13.1
RPF information for ? (10.1.13.1)
RPF interface: Ethernet0/0
RPF neighbor: ? (10.1.246.4)
RPF route/mask: 10.1.13.0/24
RPF type: unicast (ospf 1)
RPF recursion count: 0
Doing distance-preferred lookups across tables
R6(config-if)#

R4(config-if)#do sho ip rpf 10.1.13.1
RPF information for ? (10.1.13.1)
RPF interface: Serial1/0.45
RPF neighbor: ? (10.1.45.5)
RPF route/mask: 10.1.13.0/24
RPF type: unicast (ospf 1)
RPF recursion count: 0
Doing distance-preferred lookups across tables

R5(config-if)#do sho ip rpf 10.1.13.1
RPF information for ? (10.1.13.1) failed, no route exists
R5(config-if)#

R5(config-if)#do sho ip rpf 10.1.13.1
RPF information for ? (10.1.13.1) failed, no route exists
R5(config-if)#do sho ip route 10.1.13.1
Routing entry for 10.1.13.0/24
Known via "ospf 1", distance 110, metric 20, type intra area
Last update from 10.1.35.3 on Ethernet0/1, 00:44:06 ago
Routing Descriptor Blocks:
* 10.1.35.3, from 3.3.3.3, 00:44:06 ago, via Ethernet0/1
Route metric is 20, traffic share count is 1

R3#sh ip mroute 10.1.246.6 224.1.1.1
IP Multicast Routing Table
Flags: D – Dense, S – Sparse, B – Bidir Group, s – SSM Group, C – Connected,
L – Local, P – Pruned, R – RP-bit set, F – Register flag,
T – SPT-bit set, J – Join SPT, M – MSDP created entry,
X – Proxy Join Timer Running, A – Candidate for MSDP Advertisement,
U – URD, I – Received Source Specific Host Report,
Z – Multicast Tunnel, z – MDT-data group sender,
Y – Joined MDT-data group, y – Sending to MDT-data group
Outgoing interface flags: H – Hardware switched, A – Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:06:55/00:00:08, RP 0.0.0.0, flags: D
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial1/0.35, Forward/Dense, 00:06:55/00:00:00
Ethernet0/0, Forward/Dense, 00:06:55/00:00:00

The problem is that on R5 the multicast is not taking the right path: RPF requires it to go back the way it came. R3 shows 224.1.1.1 going out s1/0.35 (toward R5), but R5's route back to the source points through e0/1.

solution:
R5(config)#ip mroute 10.1.13.1 255.255.255.255 s1/0.53

R5(config)#do sho ip rpf 10.1.13.1
RPF information for ? (10.1.13.1)
RPF interface: Serial1/0.53
RPF neighbor: ? (10.1.100.3)
RPF route/mask: 10.1.13.1/32
RPF type: static
RPF recursion count: 0
Doing distance-preferred lookups across tables

r1 ping 224.1.1.1

R5(config)#do sho ip mroute 224.1.1.1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:04:27/stopped, RP 0.0.0.0, flags: D
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial1/0.54, Forward/Dense, 00:04:27/00:00:00
Serial1/0.52, Forward/Dense, 00:04:27/00:00:00
Serial1/0.53, Forward/Dense, 00:04:27/00:00:00

(10.1.13.1, 224.1.1.1), 00:00:06/00:02:53, flags: T
Incoming interface: Serial1/0.53, RPF nbr 10.1.100.3, Mroute
Outgoing interface list:
Serial1/0.52, Prune/Dense, 00:00:06/00:02:53
Serial1/0.54, Forward/Dense, 00:00:06/00:00:00
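To make the RPF fix above concrete, here is an added example (my own model, not IOS code and not part of the original notes) of the distance-preferred lookup across the unicast routing table and the static mroute table: R5's OSPF /24 route at distance 110 against the /32 static mroute at distance 0. The route entries are constructed from the show outputs above; the tie-break in rpf_lookup and the absence of a "PIM enabled on the interface" check are simplifications.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.1.13.0/24"
    interface: str   # interface the route points out of (becomes the RPF interface)
    neighbor: str    # next hop, reported as the RPF neighbor
    distance: int    # administrative distance (a static mroute defaults to 0)
    source: str      # "ospf 1", "static", ...


def longest_match(table, addr):
    """Most specific entry in one table that covers addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def rpf_lookup(source, unicast, mroutes):
    """Distance-preferred lookup: take the longest match from each table, then
    keep the one with the lower administrative distance. On an equal distance
    the static mroute is kept (model assumption, not verified IOS behaviour)."""
    found = [r for r in (longest_match(mroutes, source), longest_match(unicast, source)) if r]
    if not found:
        return None  # corresponds to "failed, no route exists"
    return min(found, key=lambda r: (r.distance, r.source != "static"))


def rpf_check(source, arrival_iface, unicast, mroutes):
    """True when a packet from source arriving on arrival_iface passes the RPF check."""
    entry = rpf_lookup(source, unicast, mroutes)
    return entry is not None and entry.interface == arrival_iface


# R5's tables, constructed from the show outputs in the notes
R5_UNICAST = [Route("10.1.13.0/24", "Ethernet0/1", "10.1.35.3", 110, "ospf 1")]
R5_MROUTES_BEFORE = []
R5_MROUTES_AFTER = [Route("10.1.13.1/32", "Serial1/0.53", "10.1.100.3", 0, "static")]

if __name__ == "__main__":
    for label, mroutes in (("before", R5_MROUTES_BEFORE), ("after", R5_MROUTES_AFTER)):
        e = rpf_lookup("10.1.13.1", R5_UNICAST, mroutes)
        print(label, e.interface, e.neighbor, e.prefix, e.source)
```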

******** SEND PINGS TO 224.1.1.1 to see output for some of these commands *****
——————————————————

R2(config)#ip pim rp-address 2.2.2.2 1
R2(config)#access-list 1 per 224.1.1.1

This is needed on all routers, and I need to advertise 2.0.0.0/8 too so there is a route to the RP.

———————————————-

R6(config-if)#do sho ip pim rp
Group: 224.1.1.1, RP: 2.2.2.2, uptime 00:01:18, expires never
—————————————-

ip pim rp-address 5.5.5.5 5
access-list 5 per 224.5.5.5
——————————–

sho ip pim nei
—————–

R2(config)#ip pim send-rp-announce lo0 scope 6 interval 20

scope 6 = TTL of 6
interval 20 = announce every 20 sec

access-list 26 per 224.26.26.26
ip pim send-rp-announce lo0 scope 6 group-list 26 in 20

r6 debug ip pim auto-rp
sh ip mroute 224.0.1.39
The routers configured with the above commands should show up in this table.
———————————–

int lo 0
ip pim sparse-dense

ip pim send-rp-discovery lo0 scope 5 interval 10

sho ip mroute 224.0.1.40
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 06:09:59/stopped, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Loopback0, Forward/Sparse-Dense, 00:02:48/00:00:00
Serial1/0.54, Forward/Sparse-Dense, 06:09:59/00:00:00
Serial1/0.53, Forward/Sparse-Dense, 06:09:59/00:00:00
Serial1/0.52, Forward/Sparse-Dense, 06:09:59/00:00:00

(5.5.5.5, 224.0.1.40), 00:02:04/00:02:55, flags: LT
Incoming interface: Loopback0, RPF nbr 0.0.0.0
Outgoing interface list:
Serial1/0.52, Forward/Sparse-Dense, 00:02:04/00:00:00
Serial1/0.53, Forward/Sparse-Dense, 00:02:04/00:00:00
Serial1/0.54, Forward/Sparse-Dense, 00:02:04/00:00:00
R5 is forwarding RP-discovery out every interface.

———————

debug ip pim auto-rp
PIM Auto-RP debugging is on
R5(config)#int
*Mar  1 08:51:53.777: Auto-RP(0): Received RP-announce, from 6.6.6.6, RP_cnt 1, ht 61
*Mar  1 08:51:53.781: Auto-RP(0): Update (224.26.26.26/32, RP:6.6.6.6), PIMv2 v1
*Mar  1 08:51:53.785: Auto-RP(0): Received RP-announce, from 6.6.6.6, RP_cnt 1, ht 61
*Mar  1 08:51:53.793: Auto-RP(0): Update (224.26.26.26/32, RP:6.6.6.6), PIMv2 v1
*Mar  1 08:52:02.805: Auto-RP(0): Build RP-Discovery packet
*Mar  1 08:52:02.809: Auto-RP:  Build mapping (224.26.26.26/32, RP:6.6.6.6), PIMv2 v1,
*Mar  1 08:52:02.813: Auto-RP(0): Send RP-discovery packet on Ethernet0/1 (1 RP entries)
*Mar  1 08:52:02.813: Auto-RP(0): Send RP-discovery packet on Serial1/0.52 (1 RP entries)
*Mar  1 08:52:02.817: Auto-RP(0): Send RP-discovery packet on Serial1/0.53 (1 RP entries)
*Mar  1 08:52:02.821: Auto-RP(0): Send RP-discovery packet on Serial1/0.54 (1 RP entries)
*Mar  1 08:52:02.825: Auto-RP: Send RP-discovery packet on Loopback0 (1 RP entries)
————————

sh ip pim auto-rp

sh ip pim int count

State: * – Fast Switched, D – Distributed Fast Switched
H – Hardware Switching Enabled
Address          Interface                FS  Mpackets In/Out
10.1.5.5         Ethernet0/1              *   0/111
10.1.25.5        Serial1/0.52             *   1867/0
10.1.100.5       Serial1/0.53             *   0/433
10.1.45.5        Serial1/0.54             *   1/431
5.5.5.5          Loopback0                *   103/0
R5#
———————————————————

sho ip mroute 224.0.1.4
—————————————————–

Filter R1 from R3 (stop R3 from forming a PIM neighborship with R1):

sho ip pim nei
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.1.13.1         Ethernet0/0              09:26:18/00:01:28 v2    1 / S
10.1.100.5        Serial1/0.35             09:27:45/00:01:28 v2    1 / S

sh access-list

access-list 1 deny 10.1.13.1

Note: a permit entry in ACL 1 is not needed here because all neighbors are allowed to become neighbors anyway.

int e0/0
ip pim neighbor-filter 1

sho ip pim nei
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.1.100.5        Serial1/0.35             09:29:47/00:01:24 v2    1 / S

——————————–

If a filter sits between R1 and R5, configure this on R1, on the interface facing R3:

ip igmp helper-address 10.1.13.3
——————————————

sho ip pim rp

clear ip pim rp-mapping
——————————

before:
Group: 224.2.2.2, RP: 6.6.6.6, v2, v1, uptime 00:02:33, expires 00:00:27
Group: 224.4.4.4, RP: 6.6.6.6, v2, v1, uptime 00:02:33, expires 00:00:27
Group: 224.6.6.6, RP: 6.6.6.6, v2, v1, uptime 00:02:33, expires 00:00:27

ip pim send-rp-discovery Loopback0 scope 6 interval 10
ip pim rp-announce-filter rp-list R2 group-list R2-group
ip pim rp-announce-filter rp-list R4 group-list R4-group
ip pim rp-announce-filter rp-list R6 group-list R6-group

ip access-list standard R2
permit 2.2.2.2
ip access-list standard R2-group
permit 224.2.2.2
ip access-list standard R4
permit 4.4.4.4
ip access-list standard R4-group
permit 224.4.4.4
ip access-list standard R6
permit 6.6.6.6
ip access-list standard R6-group
permit 224.6.6.6

sho ip pim rp
Group: 224.2.2.2, RP: 2.2.2.2, v2, v1, uptime 00:01:43, expires 00:00:26
Group: 224.4.4.4, RP: 4.4.4.4, v2, v1, uptime 00:01:49, expires 00:00:03
Group: 224.6.6.6, RP: 6.6.6.6, v2, v1, uptime 00:01:12, expires 00:00:03
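The before/after outputs above come from how the mapping agent chooses among competing RP-announce messages. As an added example (my own model, not Cisco code and not part of the original notes), here is that selection with and without the rp-announce-filter lines: the announcements are constructed on the assumption that each candidate RP announced all three groups, and the handling of an RP that no rp-list matches is a model assumption.

```python
import ipaddress


def acl_permits(acl, address):
    """Standard ACL modelled as an ordered list of (action, address) entries:
    first match wins, implicit deny at the end."""
    for action, entry in acl:
        if entry in ("any", address):
            return action == "permit"
    return False


def accept_announce(rp, group, filters):
    """filters: list of (rp_acl, group_acl) pairs, one per rp-announce-filter line.
    The first filter whose rp-list permits the RP decides: the announcement is
    kept only for the groups its group-list permits. With no filters, or when no
    rp-list matches the RP, the announcement is kept (the unmatched-RP case is a
    model assumption)."""
    for rp_acl, group_acl in filters:
        if acl_permits(rp_acl, rp):
            return acl_permits(group_acl, group)
    return True


def build_mappings(announces, filters):
    """announces: list of (rp, [groups]). Returns {group: rp}. When several RPs
    survive filtering for one group, the highest RP address wins, which is the
    Auto-RP mapping agent's tie-break."""
    mapping = {}
    for rp, groups in announces:
        for g in groups:
            if not accept_announce(rp, g, filters):
                continue
            if g not in mapping or ipaddress.ip_address(rp) > ipaddress.ip_address(mapping[g]):
                mapping[g] = rp
    return mapping


# Constructed input: assume every candidate RP announced all three groups.
GROUPS = ["224.2.2.2", "224.4.4.4", "224.6.6.6"]
ANNOUNCES = [(rp, GROUPS) for rp in ("2.2.2.2", "4.4.4.4", "6.6.6.6")]
# The three rp-announce-filter lines and their standard ACLs from the notes
FILTERS = [
    ([("permit", "2.2.2.2")], [("permit", "224.2.2.2")]),
    ([("permit", "4.4.4.4")], [("permit", "224.4.4.4")]),
    ([("permit", "6.6.6.6")], [("permit", "224.6.6.6")]),
]

if __name__ == "__main__":
    print("before:", build_mappings(ANNOUNCES, []))
    print("after: ", build_mappings(ANNOUNCES, FILTERS))
```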
—————————————————————————-

Posted in Multicast, Routing & Switching Lab
