Friday, February 27, 2009

A reflexive access list inspects return traffic. When you permit outbound traffic, you tell the outbound access-list to 'reflect TEST' (where TEST is the name of the dynamic ACL). You then tell the inbound access-list to 'evaluate TEST'. Each permitted outbound session creates a temporary, mirrored entry in TEST, so the only return traffic allowed back in is for sessions initiated behind this router.
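As an added illustration (not from the original post or from IOS itself), here is a small model of what 'reflect' and 'evaluate' do: the outbound ACL records a mirrored 5-tuple, the inbound ACL permits only packets that match a live entry, and an entry that sees no traffic ages out. The flows and the 300-second timeout are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self):
        # Return traffic has source and destination (address and port) swapped.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveAcl:
    """Models the two halves of an IOS reflexive ACL: 'reflect NAME' on the
    outbound access-list records a mirrored entry, 'evaluate NAME' on the
    inbound access-list permits only packets that match a live entry.
    The timeout stands in for the reflexive-list idle timeout (assumed 300 s)."""

    def __init__(self, timeout_seconds=300):
        self.timeout = timeout_seconds
        self.entries = {}  # mirrored Flow -> expiry time

    def reflect(self, flow, now):
        """Called for an outbound packet the outbound ACL permitted with 'reflect'."""
        mirror = flow.mirrored()
        self.entries[mirror] = now + self.timeout
        return mirror

    def evaluate(self, flow, now):
        """Called where the inbound ACL reaches 'evaluate'. Refreshes the timer on a hit."""
        expiry = self.entries.get(flow)
        if expiry is None:
            return False  # unsolicited inbound packet: no inside host opened this session
        if now > expiry:
            del self.entries[flow]
            return False  # session idle for longer than the timeout; entry aged out
        self.entries[flow] = now + self.timeout
        return True


if __name__ == "__main__":
    acl = ReflexiveAcl()
    outbound = Flow("tcp", "10.1.1.5", 40000, "203.0.113.7", 443)  # constructed sample
    acl.reflect(outbound, now=0)
    print(acl.evaluate(outbound.mirrored(), now=10))                         # True: return traffic
    print(acl.evaluate(Flow("tcp", "203.0.113.7", 443, "10.1.1.5", 40001), now=10))  # False: unsolicited
    print(acl.evaluate(outbound.mirrored(), now=400))                        # False: timed out
```

The point to notice is that only the exact mirror of a permitted outbound flow is allowed back; a packet from the same server to a different inside port is dropped, which is what distinguishes a reflexive ACL from a plain 'permit tcp any any established'.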

Some day I will get this right, but I'm also having trouble with dynamic ACLs (by the way, call them A-C-Ls, not Ackles... I can't stand that. Do you call a BMW a bamwah?). The StN workbook called for creating dynamic ACLs based on authenticated telnet users. I understand the concept, but it's hard to get the syntax down. Additionally, the 'autocommand access-enable' is a hidden prompt. My router accepts the command, but when I telnet to that router, I get a response saying this is not a valid command. Oh well.

Anyway - just jotting some notes. More to come later..

Wednesday, February 25, 2009

BGP..Better Get Practicing...

I'm slowly making my way through the Soup-to-Nuts E-Workbook. I am probably half-way through the book and I cannot say enough good things about it, especially after doing the BGP mini labs. See, I know the BGP basics and I've worked with BGP for some time. Er, I should say, eBGP. So beyond the basics of setting up a peering session with an eBGP peer, I was pretty much clueless. The Soup-to-Nuts (StN) workbook goes through about 15 BGP scenarios covering everything from AS path filtering, to route reflectors, to regular expressions and more. Narbik takes a simple approach in showing you BASIC scenarios so you can understand and see how each feature works. Once you know and understand how something works, you can apply that knowledge to more difficult situations such as the CCIE lab.

Anyway...I wanted to post up my BGP related notes before I move on to the QoS section of the workbook.

  • "network x mask y backdoor" assigns an AD of 200 to that BGP route so the configured router prefers any available IGP route to the same prefix.
  • advertise-map names the route-map whose matched prefixes are advertised when the exist-map or non-exist-map condition is met (conditional advertisement).
  • as-set removes the atomic-aggregate attribute. An atomic aggregate loses information such as the AS paths of the component routes.
  • You can use BGP communities much like tags. Within a route-map, you can "set community x" on the advertising router. On the receiving router, you can "match community x" and do things such as "set ip next-hop ...". Remember "neighbor x send-community", or the community never leaves the advertising router.
  • ip community-list standard [name] permit [community] works like an ACL for communities.
  • local-preference is propagated through the AS (iBGP only, never to eBGP peers) to choose the preferred exit point from that AS.
  • "bgp always-compare-med" compares MED across paths received from different neighboring ASes.
  • "bgp bestpath as-path ignore" is a hidden command that skips the AS path length comparison in best-path selection and moves on to the later steps (origin, then MED).
  • "_AS$" (where AS = AS number) is the regexp for prefixes originated in that AS.
  • filter-list filters on an as-path access-list (neighbor 1.1.1.1 filter-list 1 in|out).
  • "_AS_" (where AS = AS number) is the regexp to match that AS anywhere in the path. The underscore matches a boundary: start or end of the path, a space, a comma or a brace.
  • ".*" is the regexp that matches everything.
  • "^$" matches an empty AS path, i.e. prefixes originated inside your own AS (if your AS is 100, this matches routes originated in AS 100).
  • "^AS$" (where AS = AS number) matches prefixes originated by the directly attached neighbor AS (^200$ matches routes whose entire path is AS 200, i.e. originated by your neighbor in AS 200).
  • "bgp regexp deterministic" disables the recursive algorithm when processing regular expressions and uses the deterministic one instead.
  • "neighbor x advertisement-interval y" sets a minimum advertisement interval of y seconds for neighbor x.
  • You can use replace-as with the local-as command (neighbor 1.1.1.1 local-as 300 no-prepend replace-as).
  • no-prepend stops the router from prepending the local-as number (300 in the example above) to routes received from that neighbor; replace-as makes updates sent to that neighbor carry only the local-as instead of the real AS.
  • "bgp maxas-limit x" discards prefixes whose AS path contains more than x AS numbers.
  • Use a route-map with "neighbor x default-originate route-map y" to advertise a default route conditionally. An advertise-map only conditionally advertises prefixes that are already in the BGP table; it does not originate a default for you.
  • You can set the distance per peer as well as per route.
    distance x y z - where x is the distance value, y is the source IP and z is the wildcard mask. For example, distance 150 1.1.1.1 0.0.0.0 sets a distance of 150 for ALL routes from neighbor 1.1.1.1.
  • To set distance per neighbor and per route:
    access-list 3 permit 150.1.1.0 0.0.0.255 - creates the ACL that matches the routes whose AD you want to alter.
    distance 150 132.1.1.1 0.0.0.0 3 - sets a distance of 150 for 150.1.1.0/24 learned from neighbor 132.1.1.1. With the right wildcard mask on the source (0.0.0.0 255.255.255.255 matches every neighbor) you can also set the distance of certain routes for all neighbors.
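To make the regexp notes concrete, here is an added example (mine, not from the workbook or the original post) that translates IOS AS-path patterns into Python regular expressions and runs them against a handful of constructed AS_PATH strings as they would appear in "show ip bgp". The one thing that needs translating is Cisco's "_", which matches a boundary rather than a literal character; the UNDERSCORE mapping below is my assumption of that behaviour.

```python
import re

# IOS AS-path patterns (as used in "ip as-path access-list") treat "_" as a token
# that matches a boundary: start or end of the path, a space, a comma, or an
# AS_SET brace. Python's re has no such token, so "_" is translated to this group.
UNDERSCORE = r"(?:^|$|[ ,{}])"


def ios_regex_to_python(pattern: str) -> str:
    """Translate an IOS AS-path regex into an equivalent Python regex."""
    return pattern.replace("_", UNDERSCORE)


def matches(pattern: str, as_path: str) -> bool:
    """True if the IOS pattern matches an AS_PATH string as printed by 'show ip bgp'
    ('' is a locally originated route, '{300,400}' is an AS_SET)."""
    return re.search(ios_regex_to_python(pattern), as_path) is not None


def filter_paths(pattern: str, as_paths):
    """Apply one pattern the way a 'permit' line in an as-path access-list would."""
    return [p for p in as_paths if matches(pattern, p)]


# Constructed sample paths: local, from neighbor AS 200, transit, and a lookalike AS 2000.
SAMPLE_PATHS = ["", "200", "200 300", "100 200 300", "2000", "300 2000", "100 {300,400}"]

if __name__ == "__main__":
    for pattern in ["^$", "^200$", "^200_", "_200_", "_300$", ".*"]:
        print("%-6s -> %s" % (pattern, filter_paths(pattern, SAMPLE_PATHS)))
```

The "2000" and "300 2000" paths are there on purpose: without the boundary semantics of "_", a pattern like "200" would match AS 2000 as well, which is exactly the mistake the underscore exists to prevent.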
Well, that is it for now. I may actually revisit the BGP section of the workbook at some point later. If I have trouble with practice labs and BGP, I will definitely use this workbook.

Well, back to studying. It's time for QoS!

Friday, February 20, 2009

And one week later...

If anyone is paying attention to this thing, you may think I've fallen off the planet. Quite the opposite. While I have had some moments over the past week and a half to study, I did not have any time to blog the details. In short, I made two trips to D.C., took my son to the hospital for an MRI (all is well), took him to the doctor's office twice and my wife once. All of that on top of my normal everyday life kept me quite busy.

I've been working on Narbik's Soup-To-Nuts workbook. The workbook is great at getting you intimately familiar with the basics. It does not really cover the advanced or really weird topics, but hey - that's what the bootcamp is for, right? Anyway, here are my notes thus far.
  • ip hello-interval eigrp 100 30 - this is the interface level command for setting eigrp hello intervals
  • ip hold-time eigrp 100 120 - interface level command for hold time
  • metric weights 0 1 0 0 0 0 - sets the EIGRP K values (TOS K1 K2 K3 K4 K5) so that only bandwidth (K1) is used in the metric. (sidebar: should I memorize eigrp K values?)
  • A leak map will advertise component subnets in addition to summary address. If route-map referenced is undefined, only summary is advertised. If access-list is undefined, summary and all components are advertised. If both are defined, only specified subnets within ACL are advertised w/ summary.
  • By default, EIGRP uses up to 50% of interface bandwidth.
  • ignore lsa mospf - disables syslog messages concerning type 6 LSAs not supported by Cisco
  • ip ospf name-lookup - global command to enable ospf domain lookup
  • max-lsa [x] - maximum number of non self-generated LSAs that the routing process can receive
  • ip ospf message-digest-key 1 md5 [password] sets the OSPF MD5 key (not ip ospf authentication-key, which sets a plain-text key). MD5 still has to be turned on with "ip ospf authentication message-digest" on the interface or "area x authentication message-digest" under the process.
  • no discard-route [internal|external] - disables null routes on summarizing router
  • stub areas cannot carry a virtual link, but a tunnel through them works
  • no ASBRs with stub routers
  • no type 5 externals w/i stub.
  • area xx default-cost yy - sets the default route-cost in OSPF
  • you only need "...stub no-summary" on the ABR
  • Totally stubby filters IA routes
  • You can filter LSAs to a neighbor with "neighbor [x] database-filter all out" on point-to-multipoint (and NBMA) networks; for other network types use the interface command "ip ospf database-filter all out".
  • distribute-list out only works on the ASBR (it filters redistributed routes, not LSAs).
  • summary-address x y not-advertise filters external (type 5/7) routes at the ASBR. It cannot be used to filter internal routes.
  • area x range y not-advertise filters internal (intra-area) routes at the ABR.
  • max-metric router-lsa is used so other routers do not prefer the configured router as a transit path.
  • Tunnels are almost always an option to a seemingly crazy request!!!
Well, that's all for now. I've got more notes on switching and RIP that I'm just too lazy to type up right now. More studying tomorrow and next week using the Soup-to-nuts workbook. Then it's off to bootcamp March 7th!

Wednesday, February 11, 2009

Completed IPExpert CoD...

Here are the last of my notes for the IPExpert CoD.

  • Use distribute lists out from one routing protocol to another. Use under original process.
  • BGP only accepts internal OSPF routes by default.
  • RIP redistribution requires metric or it may get 16.
  • Always filter routes when redistributing. Particularly by using distribute lists and route tagging.
  • Watch for connected routes when redistributing.
  • ip policy route-map for remote, ip local policy route-map for local.
  • You must have a multicast mapping agent when using autoRP. Assign mapping agent to hub router or behind in FR networks.
  • ip pim send-rp-announce [src inter] scope [ttl] group-list [acl] to enable autoRP
  • ip pim send-rp-disc scope [ttl] to enable mapping agent
  • ip pim autorp listener works as an override in sparse mode only operation. (when you are forbidden from using dense or sparse-dense-mode)
  • BSR is sparse mode only
  • hop-by-hop bsr messages exchanged by PIM routers.
  • ip pim bsr-candidate [interface] [hash] [priority] to enable BSR
  • ip pim rp-candidate [interface] [ttl] to enable RP w/i BSR
  • BSR elected 1st based on highest priority or IP
  • RP candidates are fed to elected BSR
  • AutoRP overrides static RP
  • ip pim rp-address [ip] [acl] override - to prefer static over autoRP
  • ip pim nbma-mode and ip pim sparse-mode on FR interfaces.
  • FR may need map agent as well as RP.
  • autoRP doesn't work in FR PtMulti.
  • ntp trusted-key required on all clients to authenticate.
  • create snmpv3 group before users
  • You need a separate pool/scope for manual DHCP bindings
  • debug ip dhcp server to determine client ID for dhcp reservation
  • ip dhcp bootp ignore - disables BOOTP requests
  • Default Tc is 125 ms for data; for voice use Tc = 10 ms (Bc = CIR/100)
  • Tc = Bc/CIR
  • Bc = CIR x Tc
  • Be = (AccessRate x Tc) - Bc, i.e. (AccessRate - CIR) x Tc
  • You can queue outbound only, police in and out
  • On inside interfaces, Inbound reflect, outbound evaluate
  • When tunneling, make sure route to tunnel destination does not change to point to tunnel IP
  • To route a NAT pool, assign to loopback and advertise through IGP.
  • FE80 is link local
  • FEC0 is site local
  • FF00 is multicast
  • 0x86DD is the IPv6 ethertype
Well, that is all the notes I have. There was a fantastic section on wildcard access-lists that totally makes sense to me. If you have ever seen anything about creating an access-list with the least lines possible, and the subnets are spaced all over, this is when you need to break down the subnets into bits. I won't try to recap this, but if you have any trouble with this, I highly suggest you check out Scott Morris' IPExpert CoD. He does a fantastic job. Overall, I'm pretty happy with the CoD. It's fairly comprehensive and detailed. Unfortunately, there is no hands-on with the routers which would have made the CoD three times better. I also have InternetworkExperts CoD series, but the videos are much longer and do include hands-on router sections. I don't think I need to spend so much time watching more videos on some things I'm pretty comfortable with. I need to get back to hacking IOS. If I have trouble with a particular topic, I'm going to watch that particular video in addition to reading the DocCD (which I've become pretty familiar with).
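The "break the subnets down into bits" trick for wildcard access-lists is easy to get wrong by hand, so here is an added example (my code, not from the CoD or the original post) that does it mechanically: it merges /24 networks that differ in exactly one bit, Quine-McCluskey style, and then picks the fewest network/wildcard pairs that cover exactly the input. The /24 assumption and the sample subnets are constructed for the example; because lines are only ever built by merging members of the input, no line can accidentally permit a subnet you did not list.

```python
import ipaddress
from itertools import combinations

PREFIX_LEN = 24  # assumption: every input subnet is a /24


def _prime_implicants(values):
    """Quine-McCluskey merge. An implicant is (value, dontcare): 'dontcare' marks
    bits that may be 0 or 1 and 'value' has those bits cleared."""
    current = {(v, 0) for v in values}
    primes = set()
    while current:
        merged, used = set(), set()
        for a, b in combinations(sorted(current), 2):
            (va, ma), (vb, mb) = a, b
            diff = va ^ vb
            # merge only implicants with the same don't-care bits that differ in one bit
            if ma == mb and diff and diff & (diff - 1) == 0:
                merged.add((va & ~diff, ma | diff))
                used.update((a, b))
        primes |= current - used
        current = merged
    return primes


def _covered(implicant, values):
    value, dontcare = implicant
    return {v for v in values if v & ~dontcare == value}


def minimal_wildcard_lines(subnets):
    """Fewest (network, wildcard) pairs that match exactly the given /24 subnets."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    if any(n.prefixlen != PREFIX_LEN for n in nets):
        raise ValueError("this example only handles /%d subnets" % PREFIX_LEN)
    shift = 32 - PREFIX_LEN
    host_bits = (1 << shift) - 1
    values = {int(n.network_address) >> shift for n in nets}
    primes = sorted(_prime_implicants(values))
    # Exact set cover by brute force; ACL exercises are small enough for this.
    for k in range(1, len(primes) + 1):
        for combo in combinations(primes, k):
            if set().union(*(_covered(p, values) for p in combo)) == values:
                return [
                    (str(ipaddress.ip_address(value << shift)),
                     str(ipaddress.ip_address((dontcare << shift) | host_bits)))
                    for value, dontcare in combo
                ]
    return []


def expand(network, wildcard):
    """Every /24 a network/wildcard pair matches, for checking a line by hand."""
    shift = 32 - PREFIX_LEN
    base = int(ipaddress.ip_address(network)) >> shift
    wc = int(ipaddress.ip_address(wildcard)) >> shift
    free = [i for i in range(PREFIX_LEN) if wc >> i & 1]
    out = set()
    for pattern in range(1 << len(free)):
        v = base & ~wc
        for j, bit in enumerate(free):
            if pattern >> j & 1:
                v |= 1 << bit
        out.add(str(ipaddress.ip_network((v << shift, PREFIX_LEN))))
    return out


def acl_lines(name, subnets, action="permit"):
    """Render the result as a standard named ACL."""
    return ["ip access-list standard %s" % name] + [
        " %s %s %s" % (action, net, wc) for net, wc in minimal_wildcard_lines(subnets)
    ]


if __name__ == "__main__":
    # Constructed sample: the odd /24s 10.0.1.0 through 10.0.7.0 collapse to one line.
    print("\n".join(acl_lines("ODD_NETS", ["10.0.%d.0/24" % i for i in (1, 3, 5, 7)])))
```

The classic exercise answer for the four odd subnets is "permit 10.0.1.0 0.0.6.255": the third octet is 001, 011, 101, 111 in binary, the low bit is always 1, and the two bits above it are don't-care, which is exactly what the merge step finds.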

This post may seem long, but I'm pretty much cramming two days of notes into one post. Tomorrow and Friday I plan on setting up my dynamips to run Narbik's labs. Then I can begin the Soup To Nuts workbook. If I haven't said it before, the lab is all about completing your core properly in the quickest amount of time possible. If you succeed here, you can pick and choose the remaining topics to get you the 80 points. It's during this time that you can rely on the DocCD and configuration examples. It is my hope that with Narbik's training, I can tackle the core without any issues.

More to come later...

Monday, February 9, 2009

IPExpert Day 3 Notes ...

Well first off - I've changed the layout. Hopefully this one looks a little more friendly and easier to read.

Moving on, here are some of my notes and pointers from the IPExpert CoD
  • spanning-tree vlan x forward-time [sec] to reduce STP convergence time
  • frame-relay map bridge [dlci] to enable FR bridging.
  • On 3550, bridge protocol vlan-bridge instead of protocol ieee
  • macro name [name] to define macro, macro apply [name] under interface to apply macro.
  • backbonefast speeds recovery from indirect link failures (it skips the max-age wait by sending RLQs to the root)
  • 'switchport host' is the macro for host ports (access mode, portfast, no channeling); 'spanning-tree link-type point-to-point' just sets the RSTP link type on a port
  • spanning-tree mst configuration to enter MST configuration mode.
  • mst will always have a default instance 0 for unassigned vlans
  • mac access-list extended [name] for defining mac ACL
  • vlan access-map functions just like a route-map.
  • vlan filter [map name] vlan-list [vlans] to apply vlan map
  • switchport protected prevents protected ports from talking to other protected ports.
  • errdisable recovery... to restore errdisabled ports automagically
  • dot1x system-auth-control to enable dot1x, otherwise dot1x is disabled
  • storm-control broadcast/multicast/unicast level [percentage] under interface config to enable storm control
  • SDM templates alter how the switch allocates TCAM/memory. Available templates are access, default, extended-match, routing and vlan. Enable with 'sdm prefer [mode]'; this requires a switch reload.
  • split horizon needs to be disabled on Frame Relay point-to-multipoint hub routers
  • For secondary IPs, the primary IP must be advertised first, split horizon is likely to have an effect, and you can't use passive-interface for the primary IP only
  • Distance can be set globally or per route
  • Broadcast and non-broadcast elect DR/BDR; hub must be DR
  • Use 'sh ip ospf int' to determine network types
  • If you can't change network type, use neighbor command.
  • 'ip ospf mtu-ignore' is the interface setting for ignoring MTU differences
  • Stub area = internal and default
  • NSSA = Internal, Default and Externals directly entering area
  • Totally Stub = interarea only and default
  • distribute-list in filters from OSPF DB to routing table
  • You can filter between areas - area x filter-list prefix [prefix list]
  • 'ip ospf dead-interval minimal hello-multiplier x' sets the dead timer to 1 sec; the multiplier is the number of hellos per second
  • With RIP, use neighbor and passive-interface to enable unicast updates only
  • 'no validate-update-source' disables update source verification, e.g. for secondary IPs
Well, that is all for now. In other news, I've scheduled my bootcamp for March 19, 2009 in Chicago. This is Narbik's bootcamp and I am definitely looking forward to it. I've already received the Soup-To-Nuts workbook and I plan on starting this after the IPExpert CoD.

Thursday, February 5, 2009

IPExpert Class On Demand Day 1

Well I tore into the IPExpert CoD today. It's a great product with lots of tips but can sometimes be a little light on specific details or examples. Here are a few of the tips I have picked up so far.

  • DTE cable is usually terminated at the customer end
  • DCE is usually terminated at the provider end and provides clocking
  • PVC Status of Inactive indicates an issue between FR switch and router
  • PVC Status of Deleted indicates an issue on the router
  • Point-to-point subinterfaces bind their DLCI with the frame-relay interface-dlci command (one DLCI per point-to-point subinterface); each router that uses a point-to-point subinterface needs it.
  • I've mentioned it before, but I need to burn it into my skull. Be careful of Frame Relay network type mismatches with OSPF.
  • You cannot use map class with frame-relay map commands.
  • LMI is disabled with "no keepalive" command
  • There is no LMI when two FR routers are cabled back-to-back and must share the same DLCI.
  • service udp-small-servers is required to enable the TFTP server
  • PPPoFR uses virtual-templates
  • If using LFI, PPPoFR must be used, if fragmenting only, FRTS can be used.
I'll continue to post interesting tips as I come across them. After completing the IPExpert CoD, I intend to get back to the labs. I am going to try the Soup-to-nuts and Advanced Workbooks before jumping back to IEWB. During the labs, I am going to refer to the DocCD and IE Class-on-demand for specific topics that create trouble for me.

Monday, February 2, 2009

CBT Nuggets QoS...

Well, I gotta say this was a waste of time. The video did not teach any more than I already knew from my CCNP/CCIE studies. Thankfully, it only took me a day and a half to complete the video. If nothing else, I guess it reinforced my knowledge about QoS.

I intend to start viewing the IPExpert class-on-demand series sometime this week. Hopefully the CoD will help me strengthen some of my weaker areas. My study time this week will be cut short because I'll lose about two days of studying due to travel to D.C. Hopefully while I am at work, I'll at least get started on the IPExpert CoD. I've also decided to re-read some of my Ciscopress books - namely the BSCI and CCIE Written books. I've replaced my usual "bathroom reading material" of Car and Driver, Revolver and Motortrend with Ciscopress books. Hey - I may as well make that time beneficial!

So my goal going forward is to complete the IPExpert CoD, and then move on to Narbik's Soup-to-Nuts workbooks. Hopefully, I can squeeze a bootcamp in there as well. After that, I'll once again tackle the IEWB practice labs. I'm going to take a peek at the IPExpert material just to see what I am up against.