Tuesday, October 15, 2013

match-any vs match-all

MATCH-ANY is OR logic, MATCH-ALL is AND logic.

The keyword governs how the LINES of the class-map combine, not how the values on one line combine.

Several values on the same match line are always OR logic.

So you could have:

class-map match-all test1
match ip precedence 2 3 4
match protocol http

And the traffic that matches is:

HTTP + Prec2
HTTP + Prec3
HTTP + Prec4

Both lines MUST match.

Example : 1

class-map match-all test1
match ip precedence 2 3 4
match protocol http

The class-map uses AND logic between lines, so match ip precedence must be true as well as match protocol http. Within the single match ip precedence line the values are OR logic: precedence 2, 3 or 4.

Example : 2

class-map match-any test1
match ip precedence 2
match ip precedence 3
match ip precedence 4
match protocol http

"Match-any" is OR logic between the lines of the class-map: if any one line is true, the packet matches. So traffic with IP precedence 2, 3 or 4, or HTTP traffic of any precedence, matches this class-map. The following combinations match:

Prec / protocol
0 / http
1 / http
2 / any protocol
3 / any protocol
4 / any protocol
5 / http
6 / http
7 / http
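The two class-maps above, evaluated in code. This is an added example, not part of the original post: it models only the rule stated above (match-all is AND across lines, match-any is OR across lines, several values on one line are OR). The Packet fields, the ClassMap helper and the sample traffic are constructed for illustration; real IOS class-maps match far more criteria than precedence and protocol.

```python
"""Model of IOS MQC class-map matching (added example, not from the post).

Encodes the rule the post states: match-all is AND across 'match' lines,
match-any is OR across lines, and several values on one 'match' line are
always OR. Packet fields and sample traffic are constructed for illustration.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    precedence: int   # IP precedence, 0-7
    protocol: str     # e.g. "http", "ssh" (stands in for 'match protocol')


@dataclass
class ClassMap:
    name: str
    mode: str                                  # "match-all" or "match-any"
    lines: list = field(default_factory=list)  # one (field, {values}) per 'match' line

    def match(self, line_field, *values):
        """Add one 'match <field> <value> [value ...]' line."""
        self.lines.append((line_field, set(values)))
        return self

    def matches(self, pkt):
        # Several values on one line: OR within that line.
        per_line = [getattr(pkt, line_field) in values
                    for line_field, values in self.lines]
        if self.mode == "match-all":
            return all(per_line)          # AND across lines
        if self.mode == "match-any":
            return any(per_line)          # OR across lines
        raise ValueError("unknown class-map mode: " + self.mode)


# Example 1 from the post: match-all, multi-value precedence line.
TEST1_MATCH_ALL = (ClassMap("test1", "match-all")
                   .match("precedence", 2, 3, 4)
                   .match("protocol", "http"))

# Example 2 from the post: match-any, one precedence value per line.
TEST1_MATCH_ANY = (ClassMap("test1", "match-any")
                   .match("precedence", 2)
                   .match("precedence", 3)
                   .match("precedence", 4)
                   .match("protocol", "http"))

# Constructed sample traffic covering the interesting combinations.
SAMPLE_TRAFFIC = [
    Packet(0, "http"),
    Packet(1, "http"),
    Packet(2, "ssh"),
    Packet(2, "http"),
    Packet(5, "http"),
    Packet(5, "ssh"),
]


def classify(class_map, packets):
    """Return (precedence, protocol) of every packet the class-map matches."""
    return [(p.precedence, p.protocol) for p in packets if class_map.matches(p)]


if __name__ == "__main__":
    for cmap in (TEST1_MATCH_ALL, TEST1_MATCH_ANY):
        print(cmap.mode, "->", classify(cmap, SAMPLE_TRAFFIC))
```

Running it shows the asymmetry the post describes: the match-all class only admits HTTP at precedence 2, 3 or 4, while the match-any class admits every HTTP packet plus every packet at precedence 2, 3 or 4, and only (5, ssh) falls through.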

Thursday, October 10, 2013

Default Timers - Cisco


RIP default timers
Timer type              Value (seconds)
Update                  30
Invalid (timeout)       180
Hold-down               180
Flush                   240
(timers basic 30 180 180 240)



EIGRP default timers
Timer type              Value (seconds)
Hello/Hold timer        5/15
Hello/Hold timer NBMA   60/180   (low-speed multipoint NBMA, T1 or slower)



IS-IS default timers
Timer type              Value (seconds)
Hello                   10
Hold time (3 x hello)   30



BGP default timers
Timer type                  Value (seconds)
Keepalive                   60
Hold time (3 x keepalive)   180
*Note: bgp fast-external-fallover (on by default) tears down the eBGP session to a directly connected peer as soon as the link used to reach that peer goes down, without waiting for the hold timer to expire.



LDP neighbor discovery default timers
Timer type              Value (seconds)
Hello                   5
Hold timer              15



MPLS LDP session protection default timers
Timer type                      Value (seconds)
Hold-up (protection duration)   86400 (1 day)



IGMP default timers
Timer type                  Value (seconds)
Query interval              60
Querier timeout             120 (2 x query interval)
Max query response time     10


My Note (NAT)

NAT overview:


Inside-to-Outside:
 1. If IPSec then check input access list
 2. decryption - for CET (Cisco Encryption Technology) or IPSec
 3. check input access list
 4. check input rate limits
 5. input accounting
 6. redirect to web cache
 7. policy routing
 8. routing
 9. NAT inside to outside (local to global translation)
10. crypto (check map and mark for encryption)
11. check output access list
12. inspect (Context-based Access Control (CBAC))
13. TCP intercept
14. encryption
15. Queueing

Outside-to-Inside:
 1. If IPSec then check input access list
 2. decryption - for CET or IPSec
 3. check input access list
 4. check input rate limits
 5. input accounting
 6. redirect to web cache
 7. NAT outside to inside (global to local translation)
 8. policy routing
 9. routing
10. crypto (check map and mark for encryption)
11. check output access list
12. inspect (CBAC)
13. TCP intercept
14. encryption
15. Queueing

Note: Inside to outside -> routing (and policy routing) happens BEFORE translation, so the routing decision is made on the untranslated packet. Outside to inside -> translation happens BEFORE routing, so the packet is routed on the inside local address it gets after translation.
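To see what the direction note means for access lists, here is the order of operation above reduced to the stages around NAT and run against a packet in each direction. This is an added example, not code from the original post or from Cisco: it keeps only input access list, policy routing, routing, NAT and output access list, and records the source/destination each stage observes. The static mapping 10.1.1.1 <-> 200.2.2.2 and the outside host 8.8.8.8 are constructed sample values.

```python
"""Which addresses each stage sees, per the NAT order-of-operation table.

Added example (not from the post or Cisco). Only the stages placed around
NAT in the table are modelled; the translation 10.1.1.1 <-> 200.2.2.2 and
the outside host 8.8.8.8 are constructed sample values.
"""

from dataclasses import dataclass, replace

# Constructed static mapping: inside local -> inside global.
STATIC_NAT = {"10.1.1.1": "200.2.2.2"}
REVERSE_NAT = {glob: loc for loc, glob in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def nat_inside_to_outside(pkt):
    """Local-to-global translation of the source address."""
    return replace(pkt, src=STATIC_NAT.get(pkt.src, pkt.src))


def nat_outside_to_inside(pkt):
    """Global-to-local translation of the destination address."""
    return replace(pkt, dst=REVERSE_NAT.get(pkt.dst, pkt.dst))


# Stage order taken from the table; None means the stage inspects but does not rewrite.
PIPELINES = {
    "inside-to-outside": [
        ("check input access list", None),
        ("policy routing", None),
        ("routing", None),
        ("NAT inside to outside", nat_inside_to_outside),
        ("check output access list", None),
    ],
    "outside-to-inside": [
        ("check input access list", None),
        ("NAT outside to inside", nat_outside_to_inside),
        ("policy routing", None),
        ("routing", None),
        ("check output access list", None),
    ],
}


def trace(direction, pkt):
    """Return [(stage, src, dst), ...]: the addresses the packet carries when each stage runs."""
    result = []
    for stage, rewrite in PIPELINES[direction]:
        if rewrite is not None:
            pkt = rewrite(pkt)      # the NAT stage entry records the translated packet
        result.append((stage, pkt.src, pkt.dst))
    return result


def seen_by(direction, pkt, stage):
    """(src, dst) that one stage observes for this packet and direction."""
    for name, src, dst in trace(direction, pkt):
        if name == stage:
            return (src, dst)
    raise KeyError(stage)


if __name__ == "__main__":
    for direction, pkt in (("inside-to-outside", Packet("10.1.1.1", "8.8.8.8")),
                           ("outside-to-inside", Packet("8.8.8.8", "200.2.2.2"))):
        print(direction)
        for stage, src, dst in trace(direction, pkt):
            print(f"  {stage:26} src={src:10} dst={dst}")
```

The practical consequence: an access list applied inbound on the outside interface must permit the inside global address (200.2.2.2), because translation has not happened yet, while an access list applied outbound towards the inside sees the inside local address (10.1.1.1). In the other direction, routing and policy routing see the inside local source, and only the output access list sees the inside global.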

-----------------------------------------------------------------

NAT on a stick:
Ref: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

-----------------------------------------------------------------
NAT extendable:
ip nat inside source static 10.1.1.1 200.2.2.2 extendable
ip nat inside source static 10.1.1.1 200.3.3.3 extendable


Note: Don't forget the ip nat inside and ip nat outside interface commands.

The "extendable" keyword tells IOS to allow more than one static NAT entry for the same inside local address, so 10.1.1.1 above is reachable as both 200.2.2.2 and 200.3.3.3 (for example, one inside global address per ISP/outside interface).

-----------------------------------------------------------------
NAT stateful failover (SNAT with HSRP):
# ip nat stateful id 1                                          <-- this router's id in the SNAT group
#  redundancy HSRP-1                                            <-- the HSRP group (standby 1 name HSRP-1 on the interface)
#   mapping-id 100                                              <-- uniquely identifies the translations the active router sends to the standby
# access-list 100 permit ip host 10.1.1.1 host 20.1.1.4         <-- source and destination of the traffic to translate
# route-map TST permit 10
#  match ip address 100

# ip nat pool TST-POOL 192.1.1.1 192.1.1.2 prefix-length 24     <-- create the dynamic NAT pool
# ip nat inside source route-map TST pool TST-POOL mapping-id 100   <-- mapping-id ties these translations to the SNAT group
-----------------------------------------------------------------

Wednesday, October 09, 2013

My Note (RIP)

RIP
Validate-update-source:
RIP and IGRP are the ONLY TWO routing protocols that validate the source IP address of incoming updates. Before RIP or IGRP accepts routes from a given neighbor, it checks that the source IP address of the advertising router is from the same IP subnet as the link the two routers are connected to. If the routers that have to exchange routing information are on different IP subnets, the source validation must be disabled with "no validate-update-source" under the routing process.

NOTE: even though the networks then appear in the routing table, they are NOT reachable, because the next hop (the neighbor's update source address) is not on a connected subnet and cannot be resolved. A static route to that next-hop IP address (the other router's interface address) via the directly connected interface is needed to provide reachability.
----------------------------------------------------------------------------
Exchange update:
If the "passive-interface" command is NOT used, routers configured with the neighbor command send both unicast updates (to the neighbor) and multicast updates out that interface.

If the "passive-interface" command is used together with the neighbor command, the routers send only unicast updates to each other.

If the "ip rip v2-broadcast" command is used under the interface, RIPv2 updates are sent as broadcasts instead of multicast to 224.0.0.9.