Showing posts from 2013

ADVANCED Access Lists (ACL) Configuration

TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: deny any any doesn't affect the locally generated traffic on the router

It's enough to configure the extended ACL, and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options that we never knew about.

One of the awesome features is playing with the ESTABLISHED attribute, which means allowing the return traffic of TCP sessions the host has already established (the keyword matches packets with the ACK or RST bit set, so it is not a stateful check). In this example we're allowing back in the TELNET and HTTP traffic to HOST:
(config-ext-nacl)#permit tcp any range 80 23  host established

STEP 1: define the time range using the "time-range TIMERA…

CCIE Blueprint v5 announced

As we've been waiting for, the new v5 Blueprint has been announced.

Starting from June the 4th 2014 the CCIE exam content changes, so if you've been preparing it for a while - you might want to set a date! I've got 3rd of March booked, so wish me luck :)

More details about the CCIE Exam content updates:

IP SLA - Monitor the Network Performance

Probably the most typical usage of IP SLA is to measure UDP Jitter and Echo, to make sure that the path is good enough to carry the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).
IP SLA can be configured without a specific PROBE: just configure sending a generated packet to the RESPONDER, where the RESPONDER is configured to respond with TIME STAMP information, so the source can calculate the performance values. CAREFUL with the times: configure NTP if you're not certain the devices are synced.

To configure the RESPONDER (it has to listen on the IP and PORT the CLIENT sends to):
(config)#ip sla  monitor responder

Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr dest-port 500
(config-sla-monitor-udp)#frequency 5 <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1 <- HOW LONG THE STATISTICS ARE KEPT

PBR - Policy Based Routing

!!!Most Important: To DEBUG the Policy Map:
#debug ip policy

To match the SOURCE IP use the standard ACL:
(config)#access-list 2 permit host

To match the FLOW use the EXTENDED ACL:
(config)#ip access-list extended FLOW1
(config-ext-nacl)#permit ip host host <-TO MATCH THE FLOW
(config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL(PORT)

ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table:
(config)#ip local policy route-map ROUTE_MAP
!!!This will not work for traffic transiting this router. For that you need to apply the route-map on the interface with "ip policy route-map ROUTE_MAP".

IPv6 Tunnels

First a reminder about an IPv4 GRE tunnel, the most simple and GENERIC one.

Configuration is really simple: create the Tunnel interface, define the MODE and assign the Source and Destination IP or Interface:
(config)#interface tunnel
(config-if)#tunnel mode gre ip
(config-if)#tunnel source IP
(config-if)#tunnel destination IP

Then define the GRE tunnel IP (needs to be in the same subnet on the both sides):
(Config-if)#ip address
By default GRE keepalives are off, but they can be turned on.

Now the IPv6. There are 4 types of IPv6 Tunnels:

1. IPv6 over IPv4 GRE tunnel, the configuration is similar to the IPv4 one:
(config)#interface tunnel0
(config-if)#tunnel source lo0
(config-if)#tunnel destination
(config-if)#ipv6 address 1:1:1:1::1/64

2. IPv6 over IPv6IP Tunnel
3. IPv6 over IPv4 UDP Teredo Tunnel
4. IPv4 over IPv6 GRE Tunnel

AUTOMATIC Tunnels: 6to4 (IPv4 into IPv6 prefix), ISATAP - have a standard format of the I…


The difference with OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100
it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id
*Dec  1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

(config-rtr)#no redistribute ospf 1  metric 1 1 1 1 1

To change the timers on the interface the command is a bit BACKWARDS, as in "ipv6 hello-interval eigrp ...":
(config-if)#ipv6 hello-interval eigrp 100 10 <- HELLO
(config-if)#ipv6 hold-time eigrp 100 40 <- DEAD

The command for checking the current timers is also unintuitive, because you need to add "detail" to the end:
#sh ipv6 eigrp interfaces detail  | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60…


If you know OSPFv2 (IPv4 OSPF) you won't have any problems here. There are, however, a few differences in the configuration. First one - it's configured on the INTERFACE LEVEL, and the Area is also defined there, so there is no need to add the "network" commands within the Router configuration:
(config-if)#ipv6 ospf 1 area 0

!!!Don't forget to define the router-id, because if there are no IPv4 addresses on the router - it cannot pick one! So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later.

LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:

OSPFv3 LS Type  OSPFv3 LSA name         OSPFv2 Type  OSPFv2 LSA name
0x2001          Router LSA              1            Router LSA
0x2002          Network LSA             2            Network LSA
0x2003          Inter-area Prefix LSA   3            Network Summary LSA
0x2004          Inter-area Router LSA   4            ASBR Summary LSA
0x4005          AS-External LSA         5            AS-External LSA
0x2006          Group Membership LSA    6            Group Membership LSA
0x2007          Type-7 LSA              7            NSSA External LSA
0x0008          Link LSA                -            -
0x2009          Intra-area Prefix LSA   -            -

*If you want an area not to recei…

BGP CONDITIONAL Advertisements - Advertise Maps

This is a pretty complex BGP issue because you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behaviour of the BGP advertisements depending on the routes that are being learned.

Step 1:
Configure 2 Route Maps, one for the CHECK condition, and another for PREFIXES you will advertise if CHECK passes.
For example we want to CHECK if the is learned:
(config)#access-list 2 permit
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise
(config)#access-list 1 permit
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1

Step 2:
Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor advertise-map ADVERTISE ?
  exist-map      advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS

Advanced BGP Features: Route Dampening

When you check the BGP prefixes using "show ip bgp", besides the status codes that appeared so far (*, >, r) there
is another "tag" that can appear, the letter "d", which stands for DAMPENING.
#show ip bgp
BGP table version is 5, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE
              r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across
an internetwork. A route is considered to be flapping when its availability alternates repeatedly"

If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening

If you want to use this feature - make sure you understand the concept of PENALTIES being "rewarded" to a route
every time it FLAPS, and make sure you're familiar with the PARA…

BGP Peer-Session Templates

Peer-session templates are another way to make the BGP configuration easier, by avoiding configuring the same command set for every neighbor. They make your life easier if you have various neighbors to which you'd like to apply a common set of attributes.

Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:
(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros

Step 3: If you have more groups of neighbors, and they all have some common settings (for example the ones defined
in the template MYBGP) and some different ones, then create another template and inherit the first template:
(config-router)#template peer-session GROUP_1 <- FOR AS 100
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100

(config-router)#template peer-session GROUP_2 <- FOR AS 200
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200

Convert MAC to Link Local IPv6 Address

Check how the Link-Local address has been generated from the interface MAC address, using the following command:

#sh int fa0/0 | i Hard
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

  IPv6: FE80::21E:BEFF:FE5D:27F0

Step 1: Start with the Link-Local "Signature", which is FE80:: for Link-Local IPv6 Addresses

Step 2: The first two hex digits of the MAC (00) become 02: the 7th bit of the first octet (the U/L bit) is flipped

Step 3:  Then the "" part is COPIED and PASTED - 2|1E:BE|FF:FE|5D:27F0

Step 4:  FFFE is ADDED after this, in the MIDDLE of the MAC address, which fills the MAC's 48 bits up to the 64 bits that we need

Step 5:  The rest of the MAC follows
  So - 2 + 4HEXofMAC + FFFE + 6HEXofMAC
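The procedure above in code, as an added example that is not part of the original post. It implements the general modified-EUI-64 rule (the U/L bit is flipped, so a MAC whose first octet already has that bit set goes 02 -> 00 rather than 00 -> 02), accepts Cisco dotted as well as colon/dash notation, and also runs the process backwards to recover the burned-in MAC from a link-local address, which is handy when you need to tie a SLAAC address seen in logs back to a piece of hardware; the MAC value is the one from the "show interface" output above.

```python
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (001e.be5d.27f0), colon or dash separated notation."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC."""
    octets = bytearray(parse_mac(mac))
    # Step 2: flip the U/L bit (bit 7 of the first octet): 00 -> 02.
    # A MAC that already has the bit set goes the other way (02 -> 00).
    octets[0] ^= 0x02
    # Steps 3-5: OUI (first 3 octets) + FFFE + the remaining 3 octets
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def link_local_from_mac(mac: str) -> str:
    """Step 1: FE80::/64 with the modified EUI-64 as the low 64 bits."""
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    addr = ipaddress.IPv6Address((0xFE80 << 112) | iid)
    return str(addr).upper()  # IOS prints IPv6 addresses in upper case


def mac_from_link_local(addr: str) -> Optional[str]:
    """Reverse the process: recover the MAC from an EUI-64 based link-local
    address. Returns None when the interface identifier was not derived
    from a MAC (privacy/random IIDs carry no FFFE marker)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_link_local:
        return None
    iid = a.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L bit flip
    h = octets.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"  # Cisco dotted notation


if __name__ == "__main__":
    mac = "001e.be5d.27f0"  # MAC from the 'sh int fa0/0' output above
    ll = link_local_from_mac(mac)
    print(mac, "->", ll)                      # FE80::21E:BEFF:FE5D:27F0
    print(ll, "->", mac_from_link_local(ll))  # 001e.be5d.27f0
```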

Now check the complete IPv6 configuration of the interface:

#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured

  Joined group address(es):
    FF02::1 <- 0 after F means the IPv6 is PERMANENT (if it were …

IPv6 Basics

Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor discovery, Router discovery
FC00::/7 Unique Local, Unicast (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - always use the /64 addresses for all the INTERFACES
!!!(MAC can be converted into EUI-64 format to get the interface address)

ARP has been replaced with ICMPv6 Neighbor Discovery.
Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping

TIP: before enabling IPv6 on a router and configuring the interfaces, make sure there is IPv4 connectivity

IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing

On a ROUTER you should enable IPv6 on an interface:
(config-if)#ipv6 enable
!!!The LINK-LOCAL address is generated from the interface's MAC Address by doing "ipv6 enable"

Assign the UNICAST IPv6 address:
(config)#no switchport <--- DONT FORGET…

OSPF Forward Address Suppression

The aim is to SUPPRESS the address of the router that originated the Prefix. When the area is NSSA, and you want to CONTROL the translation of the LSA7 to LSA5, but use as the forwarding address instead of the one specified in the LSA7:
(config-router)#area 1 nssa translate type7 suppress-fa ?
  default-information-originate  Originate Type 7 default into NSSA area
  no-redistribution              No redistribution into this NSSA area
  no-summary                     Do not send summary LSA into NSSA

Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:
#sh ip ospf database external
            OSPF Router with ID ( (Process ID 1)
                Type-5 AS External Link States
  LS age: 557
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number: 80000003
  Checksum: 0x1286
  Length: 36
  Network Mask: /8

NTP - Network Time Protocol

First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*Nov 15 16:50:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC
Fri Nov 15 2013, configured from console by console.

Now, if you have set this time accurately, the Switch is a recent model and you really trust it, then in order to have
the entire network synchronized (and absolutely no external NTP available), set that switch to be
an NTP Server:
(config)#ntp master ?
  <1-15>  Stratum number <- STRATUM Number, all DOWNSTREAM routers will have the SERVER stratum + Number of HOPS

Check what's happening:
#show ntp status
Clock is synchronized, stratum 2, reference is
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, r…

IRDP - ICMP Router Discovery Protocol

IRDP enables Routers to automatically discover the IP of their potential Default Gateway. It uses ICMP Router Advertisement and Router Solicitation Messages.

Potential GW Routers periodically announce the IP address of their IRDP configured interface to a broadcast destination. The IRDP Preference value is advertised with these messages, along with the IP Address.

Step 1:
The configuration is pretty straight-forward. First you MUST turn Routing off on the router that you want to discover its own GW:
(config)#no ip routing

Step 2:
IRDP Needs to be enabled on the Router:
(config)#ip gdp ?
  eigrp  Discover routers transmitting EIGRP router updates
  irdp   Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here
  rip    Discover routers transmitting RIP router updates

Step 3:
Here is what needs to be defined on the interface:
 (config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE
 (config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS
 (config-if)#ip irdp minadv…

GLBP - Configure the Global Load Balancing Protocol

GLBP is different from HSRP and VRRP, as in - it's more complex and gives more possibilities, such as Load Balancing

!!!You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!

GLBP Group Members communicate using HELLOs, UDP/3222, by default Hello Timer = 3 sec

Basically there are 2 roles:
- AVG (Active Virtual Gateway) MASTER Router in charge of Assigning Virtual MAC Addresses to other Routers
and it has to know ALL the MACs of the AVFs
- AVFs (Active Virtual Forwarders) the rest of the Routers, which take AVG function if AVG dies.

sh glbp br
Interface   Grp  Fwd Pri State    Address         Active router   Standby route
Fa0/0       1    -   100 Standby        local
Fa0/0       1    1   7   Active   0007.b400.0101  local           -
Fa0/0       1    2   7   Listen   0007.b400.0102        -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can

VRRP - Configure the Virtual Routing Redundancy Protocol

The VRRP configuration is similar to the HSRP one, with a few slight differences. For example, there are no
ACTIVE and STANDBY, but MASTER and BACKUP routers, as shown below:
#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              1   200 3218       Y  Master
Fa0/0              2   100 3609       Y  Backup

TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup,
and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Master for VRRP Group 1, and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug
on the VRRP Pair router is as follows (before the authentication is configured on BOTH):
ES-MAT-AES-SR02#debug vrrp
*Nov 13 15:04:37.585: VRRP…

HSRP - Configure the Hot Standby Routing Protocol

Redundancy Protocol, Cisco Proprietary.
Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:
interface FastEthernet0/0
 ip address
 standby 1 ip <- Group 1 VIRTUAL IP Address
 standby 1 timers 5 15 <- Can also be done in milliseconds using "standby 1 timers msec 250 800"
 standby 1 priority 150 <- Default is 100
 standby 1 preempt
 standby 1 authentication Cisco
 standby 1 name R2-Act
 standby 2 ip
 standby 2 timers 5 15
 standby 2 authentication Cisco
 standby 2 name R5-Act

"07-ac" is the SIGNATURE part of the Virtual MAC Address of HSRP:
#sh standby | i 07
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

To check the current configuration, including the HSRP Status and whether
preempt is configured:
#sh standby brief
                     P indicates configured to preempt.

Configuring the DHCP Server

Using the DHCP Pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DHCP server on a Cisco Router:

Step 1: Enable DHCP Server on a Device:
(config)#service dhcp

Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network <- Network Range
(config-dhcp)#netbios-node-type h-node <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server <- WINS Server IP
(config-dhcp)#dns-server <- Primary and Secondary IPs
(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address

Step 4: Disable the DHCP Logging of the Conflicts, because …

Scalability for Stateful NAT (SNAT)

Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged. Reference:

Step 1:
You need to create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1

Step 2:
In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the stateful
nat group configuration, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1

Step 3:
The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID,
which is called "mapping-id" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1

Step 4:
Consider adding features such as asymmetric queuing, or define a specific protocol for the redundancy group:

Static NAT redundancy with HSRP

This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the
routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:

Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Configure NAT on the relevant interfaces
(config-if)#ip nat inside <- NAT inside interface

Step 3: Static NAT redundancy with HSRP
After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static redundancy HSRP-1

This means that the traffic originated from the IP will be NAT-ed into

In this example the router is pinging the IP The final router ( does have the route back to
When the DEBUG is done on the router, the PING done from gives the following display:
*Nov  7 11:34:02.606: NAT*: s=10.18…

PAR - When you need to implement traffic redirections using NAT

You can define the traffic redirection using Static Entries, but there is a trick.
For example you want all the http traffic DESTINED FOR s0/0.5 to be REDIRECTED to the IP instead.
You can configure this by defining the static NAT:
R1(config)#ip nat inside source static tcp 80 int s0/0.5 80

Make sure you understand how this command works, because the principle is quite complicated: it works a bit "upside down".

So when you try to telnet to R1's IP using port 80, from the router on the s0/0.5 side (R4):
R4#telnet 80
Trying, 80 ... Open

You see the following debug:

*Nov  6 15:54:48.703: NAT*: s=, d=> [23053] <- Router from where we telnet
*Nov  6 15:54:48.707: NAT*: s=>, d= [31747] <- NATed and FWD-ed to
*Nov  6 15:54:48.735: NAT*: s=, d=> [23054]
*Nov  6 15:54:48.739: NAT*: s=, d=131.…

PAT (NAT Overload)

Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to 1 Inside Global IP.

Step 1: Create an ACL with all the Inside Local addresses:
 (config)#access-list 1 permit

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:

Step 2.1: 
- Create the Inside Global IP Pool of any addresses from the Link towards the other Router:
 (config)#ip nat pool OVERLOAD prefix-length 24

- Configure the NAT Overload with the defined pool:
 (config)#ip nat inside source list 1 pool OVERLOAD overload

Step 2.2:
Configure the NAT to point to the Interface you need the traffic to go out from:
 (config)#ip nat inside source list 1 interface s0/1/0.21

!!! The system adds "overload" argument:
 (config)#do sh run | i nat inside
  ip nat inside
  ip nat inside source list 1 interface Serial0/1/0.21 overload

Load Balancing using NAT

This is a configuration that I've never implemented in any production environment, but I see quite a few cases where it can be useful.

Step 1: Create a POOL of all the INSIDE IPs, and define the pool type: "type rotary":
 (config)#ip nat pool TASK1 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (the one we're NAT-ing into):
 (config)#access-list 1 permit

Step 3: Do the inside NAT with the ACL 1 as the DESTINATION list, and the POOL of LOCAL IPs:
 (config)#ip nat inside destination list 1 pool ?
   WORD  Pool name for local addresses

Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
 (config)#int lo0
 (config-if)#ip nat inside
 (config-if)#int s0/1/0.21
 (config-subif)#ip nat outside

!!!Be sure that the routing is in place (both the forward and the return path towards the NAT-ed IP)!!!

Step 5: Make sure that the IP NAT Translations are correct, and that the sourc…

NAT - Dynamic NAT

1 - Define the POOL of the DESTINATION IPs (Public)
(config)#ip nat pool DESTIN prefix-length 24

2 - Define the ACCESS-LIST of the PRIVATE IPs
(config)#access-list 1 permit

3- Implement the NAT from-ACL-to-POOL IPs
(config)#ip nat inside source list 1 pool DESTIN

Do not forget to configure the "ip nat inside | outside" on the appropriate interfaces!

Pro Inside global      Inside local       Outside local      Outside global
 ---           ---                ---

NAT - Static NAT

You can do STATIC NAT and just "go out" of the router with a different IP address:
*Traffic sourced from will appear to come from
*Extendable is used if you need 1 LOCAL IP to be mapped to Various Public IPs
(config)#ip nat inside source static [extendable]

(config)#int lo0 <- PRIVATE IP
(config-if)#ip nat inside

(config-if)#int s0/1/0.21 <- PUBLIC (Global) IP
(config-subif)#ip nat outside

#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
---           ---                ---

Inside Local - Private IP of the host in your Network
Inside Global - Public IP that outside network sees your hosts as
Outside Local - How the local network sees IP of the remote host
Outside Global - Public IP of the remote host

If you want to do NAT for a SUBNET:
(config)#ip nat inside source static network /24

Is SDN really the future?

For all the Network Engineers out there who, like myself, scream inside whenever someone confidently declares that SDN is the future - Don't panic... But DO consider expanding your skill set with a bit of Scripting/ Process Automation and similar... just in case.

*this article was originally published by

"We are seeing clients looking to hire a lot more DevOps people, because they need folks not just with a tactical, technical skillset, but with the ability to collaborate and coordinate business efforts across different departments," says Laura McGarrity, vice president of marketing for Mondo, an IT recruiting, hiring, and consulting firm.

"Our clients are hearing the terms 'SDN' and 'DevOps' a lot, and they want to find out what DevOps means, how and where to place these positions in their organizations, and whether to hire from outside or to mold talent from within," says Felix Fermin, senior technical recruiter at Mondo.

SDNs esse…

Configure SSH Access

Cisco Documents:
Security>AAA>Secure Shell Configuration Guide

First step would be to make sure that all the devices within your network SUPPORT the Secure Shell. Then you need to decide HOW you want to implement it, as there are 2 options:
1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name
2. Configuring a Router for SSH Version 2 Using RSA Key Pairs

In the first configuration type, these are the steps to follow:

Step 1: Be sure to have the Hostname and the IP Domain Name configured:
(config)#ip domain name SNArchs

Step 2: Decide the key pair size (in bits, by default it's 512 bits) and generate the RSA key. This ENABLES SSHv2:
(config)#crypto key generate rsa usage-keys
The name for the keys will be: ES-MAT-AES-SR04.SNArchs
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take a…

AAA Authentication

Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting

This is pretty straightforward, because on the CCIE R&S exam you won't have to configure an actual ACS server. For starters be sure that "aaa new-model" is configured.

Turn the TACACS+ authentication ON, and set LOCAL DB as backup:
(config)#aaa authentication login MYTACACS group tacacs+ local enable
*MYTACACS is the authentication policy. If you put "default" instead of specifying the policy, there is no need to assign the policy to the VTY line later; it's the default policy on the device, from wherever you try to authenticate. In case you have a default policy, you need to ALSO define a NO_AUTH policy to apply where you don't want TACACS, like the AUX and CONSOLE ports maybe.

Define the TACACS+ as a server, and set the Shared Secret:
(config)#tacacs-server host ke…

Multiple Spanning Tree Protocol (MST)

Supports up to 4096 instances of Spanning Tree

(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration
Name      [ ]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-11,13-33,35-55,57-89,91-4094
1         12,34
2         56,90

Check the ROOT:
#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 aabb.cc00.0600         0    2   20  15
MST1                 1 aabb.cc00.0600         0    2   20  15
MST2              …

Advanced Spanning Tree

root primary - sets the priority to:
  if the current ROOT priority > 24576 - sets 24576 (priority 24576 sys-id-ext 12)
  if the current ROOT priority =< 24576 - sets 4096
root secondary - sets the priority to 28672

#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base 

Cat-1#show spanning-tree vlan 12
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588              <--- ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)    <--- ABOUT THIS SWITCH (LOCAL Bridge)
             Address     ec44.768a.6d80 <-- ON ROOT BridgeID and RootID have the same MAC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type           <--- ABOUT I…

Private VLANs


This belongs to L2 SECURITY rather than L2 SWITCHING

1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40

(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 30,40,50<---map Promiscuous VLAN 10 to Community and Isolated VLANs

2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 30
(config-vlan)#private-vlan community

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <--- Associate Community VLAN 20 with Promiscuous VLAN 10

DONT FORGET TO ASSOCIATE Secondary VLANs to the Prima…

VMPS: VLAN Membership Policy Server

VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port.

VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients, so it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network.

Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping.

When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port.
The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.

SECURE MODE: If MAC has not been found in VMPS Server - shut down the port

On VMPS Server:
(config)# vmps server [ipaddress | hostname] primary

On all the switches in the LAN (VMPS Clients):
(config-if)# switchport access vlan dynamic

Define how many…

SDM (Switch Database Management) - L3 Switch Memory Optimization

Depending on the Switch purpose (If the switch is used only for L2 Switching or for  IP Routing), Memory allocations can be optimized. This is what SDM is all about.

SDM (Switch Database Management) offers 4 templates:
- ACCESS - For QoS and Security
- ROUTING - for IP Routing
- VLAN - Sets Switch to L2 and disables IP Routing
- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)

 (config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]

(config)#sdm prefer  ?
access              Access bias
default             Default bias
dual-ipv4-and-ipv6  Support both IPv4 and IPv6 <--- USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6
ipe                 IPe bias
routing             Unicast bias <--- IF YOU USE THE SWITCH AS A ROUTER
vlan                VLAN bias <--- ONLY L2 SWITCH

Check the achieved results:
#show sdm prefer
 The current template is "desktop default" template. <--- COMMAND NOT ACTIVE BEFORE THE SWITCH HAS B…

uRPF - Unicast Reverse Path Forwarding

Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network, by discarding IP packets that lack a verifiable IP source address.

Configure the receiving interface, which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination. For example, verify if the SOURCE IP is reachable via that exact interface:
(config-subif)#ip verify unicast source reachable-via ?
any  Source is reachable via any interface
rx   Source is reachable via interface on which packet was received <-EXACT INTERFACE

#sh ip int s1/0.21 | b verify
  IP verify source reachable-via RX
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate
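The strict (reachable-via rx) and loose (reachable-via any) checks described above, modelled in code as an added example that is not from the original post. The FIB and the packet list are constructed for the example; as on IOS without the allow-default keyword, the default route is not used for source verification unless explicitly allowed, and a source routed to Null0 fails both modes.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB: (prefix, outgoing interface). "Null0" is a blackhole route.
FIB = [
    ("10.0.0.0/8", "Serial1/0.21"),
    ("10.10.0.0/16", "FastEthernet0/0"),
    ("192.168.1.0/24", "FastEthernet0/0"),
    ("198.51.100.0/24", "Null0"),
    ("0.0.0.0/0", "Serial1/0.21"),
]


def lookup(fib, src: str, allow_default: bool = False) -> Optional[Tuple[str, str]]:
    """Longest-prefix match for the SOURCE address. The default route only
    counts when allow_default is set (the IOS 'allow-default' keyword)."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def urpf_check(fib, src: str, ingress: str, mode: str = "rx",
               allow_default: bool = False) -> Tuple[bool, str]:
    """mode 'rx' = strict (reachable-via rx): the best path back to the source
    must leave through the interface the packet arrived on.
    mode 'any' = loose (reachable-via any): any valid route to the source is enough."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    route = lookup(fib, src, allow_default)
    if route is None:
        return False, f"no route to source {src}"
    prefix, iface = route
    if iface == "Null0":
        return False, f"source {src} is routed to Null0 via {prefix}"
    if mode == "rx" and iface != ingress:
        return False, f"best path to {src} is via {iface}, packet arrived on {ingress}"
    return True, f"{src} verified via {prefix} on {iface}"


def count_drops(fib, packets: List[Tuple[str, str]], mode: str = "rx") -> int:
    """Mirrors the 'verification drops' counter of 'show ip interface'."""
    return sum(1 for src, ingress in packets if not urpf_check(fib, src, ingress, mode)[0])


# Constructed sample packets: (source IP, ingress interface)
PACKETS = [
    ("10.1.2.3", "Serial1/0.21"),       # legit: return path is the same interface
    ("10.1.2.3", "FastEthernet0/0"),    # spoofed: LAN host using a WAN-side source
    ("10.10.5.5", "FastEthernet0/0"),   # legit: the more specific /16 points to the LAN
    ("203.0.113.9", "Serial1/0.21"),    # only the default route covers this source
    ("198.51.100.7", "Serial1/0.21"),   # blackholed source
]

if __name__ == "__main__":
    for mode in ("rx", "any"):
        for src, ingress in PACKETS:
            ok, why = urpf_check(FIB, src, ingress, mode)
            print(f"[{mode:<3}] {'pass' if ok else 'DROP'}: {why}")
    print("strict drops:", count_drops(FIB, PACKETS, "rx"),
          "loose drops:", count_drops(FIB, PACKETS, "any"))
```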


Zone Based Firewall

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall

To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.

STEP 1> Start by creating a class map of INSPECT TYPE and match HTTP (everything else will be DROPPED):
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http

STEP 2> Create an inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name <- A PARAMETER MAP CAN BE DEFINED to tune the inspection

STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ

BGP Regular Expressions - explained with the examples

REMINDER of the META Characters

^ - START of Line
$ - END of Line
| - Logical OR
? - ZERO OR ONE instance of the PRECEDING character
* - ZERO OR MORE instances of the PRECEDING character
+ - ONE OR MORE instances of the PRECEDING character
(x) - Combine the enclosed String as a single entity
[x] - Character class: match any ONE of the enclosed characters (or a range, e.g. [0-9]) at that position in the AS-Path
. - Any Character


_65505$ - Prefixes that END with the AS 65505, meaning - they were originated by that AS

_65505_ - Prefixes that traversed the AS 65505

^$- Locally Originated Prefixes (START and END of the line)

.*- ANY prefix (zero or more instances of ANY character)

^[0-9]+$ - All the prefixes from DIRECTLY CONNECTED ASs (meaning - they have only 1 AS in the AS Path)
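The five expressions above applied to a constructed BGP table, as an added example that is not part of the original post. The only IOS-specific token is the underscore: IOS treats "_" as matching the start or end of the AS path, a space, a comma, a brace or a parenthesis (AS_SET and confederation delimiters), which is why "_65505_" matches "100 65505 200" but not "165505"; the example translates that into a Python regular expression and filters the table the way "show ip bgp regexp" would.

```python
import re
from typing import Dict, List


def cisco_regex_to_python(pattern: str) -> str:
    """Translate an IOS AS-path regex into a Python one. Only '_' needs
    translation: it stands for start/end of path, space, comma, brace or
    parenthesis, i.e. an AS number boundary."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True when the AS path (as printed by 'show ip bgp', e.g. '100 65505',
    '' for a locally originated prefix) matches the IOS-style pattern."""
    return re.search(cisco_regex_to_python(pattern), as_path) is not None


def filter_paths(pattern: str, table: Dict[str, str]) -> List[str]:
    """Prefixes whose AS path matches, like 'show ip bgp regexp <pattern>'."""
    return [prefix for prefix, path in table.items() if as_path_matches(pattern, path)]


# Constructed BGP table: prefix -> AS path ('' = locally originated)
BGP_TABLE = {
    "10.0.0.0/24": "",
    "192.0.2.0/24": "65505",
    "198.51.100.0/24": "100 65505",
    "203.0.113.0/24": "100 65505 200",
    "203.0.113.128/25": "165505",        # looks similar but is a different AS
    "192.168.0.0/16": "100 {65505,65506}",  # aggregate carrying an AS_SET
    "172.16.0.0/12": "300",
}

if __name__ == "__main__":
    for pat in ("_65505$", "_65505_", "^$", ".*", "^[0-9]+$"):
        print(f"{pat:<10} -> {filter_paths(pat, BGP_TABLE)}")
```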


If you want to STOP using the recursive algorithm, in order to be able to control more complex regular expressions, switch to the deterministic matcher:

(config-router)#bgp regexp deterministic

Now you can actually DISPLAY the prefixes that match your condition …