ADVANCED Access Lists (ACL) Configuration

TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: deny any any doesn't affect the locally generated traffic on the router

It's enough to configure the extended ACL, and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options that we never knew about.

One of the awesome features is playing with the ESTABLISHED attribute, which means - allow back the traffic from the hosts TCP session has already been established with. In this example we're allowing back in the TELNET and HTTP traffic to HOST
(config-ext-nacl)#permit tcp any range 80 23  host established

STEP 1: define the time range using the "time-range TIMERANGE" command in the global configuration mode
*be sure the Clock is correct using the "show clock", and if not - set it using the "clock set", or with NTP server

STEP 2: attach the time-range to the ACL:
(Config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE

DYNAMIC ACL (aka Lock and key ACL)
Special Feature used for AUTHENTICATION of other devices
Like the time-range, but instead of the time we permit or deny ACLs actions based on Authentication.
The ACL is defined using "access-list 102 dynamic..."

STEP 1: Create and EXTENDED ACL, but be sure to allow all the needed protocols before you apply it on the interface:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any

STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL:
(config)#access-list 100 dynamic DYN_ACL permit ip any any

STEP 3: Apply the ACL on the interface:
(config-if)#ip access-group 100 in

STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:
(config-line)#autocommand access-enable host
*"access-enable" is an EXEC, it doesnt appear when "?" is pressed
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005

REFLEXIVE ACL - For Session Filtering
Applied on the outbound interface of the router, we're taking care of the outgoing traffic, and then
we CHECK THE RETURNING TRAFFIC, meaning - we are making sure that the returning traffic is opposite of what went out.
When configuring, you need 2 ACLs:

STEP 1 - OUTBOUND ACL, For the outbound within the extended ACL configure:
(config)#ip access-list extended OUT_ACL
(config-ext-nacl)#permit tcp host any any eq www reflect REFLECT_ACL
(config-ext-nacl)#permit tcp host any any eq telnet reflect REFLECT_ACL
(config-ext-nacl)#permit tcp host any any eq https reflect REFLECT_ACL
(config-ext-nacl)#permit ospf any any

STEP 2: And on the inbound ACL within the extended ACL configuration:
(config)#ip access-list extended IN_ACL
(config-ext-nacl)#permit ospf any any
(config-ext-nacl)#evaluate REFLECT_ACL

STEP 3: Then apply the first one outbound, and the second one inbound on the same interface.
(config-subif)#ip access-group OUT_ACL out
(config-subif)#ip access-group IN_ACL in

After 5 minutes of inactivity the entries expire. it can be modified using the command "ip reflexive-list timeout X":
(config)#ip reflexive-list timeout 120 <-TIME REFLEXIVE ACL EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds)

CCIE Blueprint v5 announced

As we've been waiting for, the new v5 Blueprint has been announced.

Starting from June the 4th 2014 the CCIE exam content changes, so if you've been preparing it for a while - you might want to set a date! I've got 3rd of March booked, so wich me luck :)

More details about the CCIE Exam content updates:

IP SLA - Monitor the Network Performance

Probably most typical usage of IP SLA is to measure the and UDP Jitter and Echo, to make sure that the path is good enough to send the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).
IP SLA can be configured without configuring a specific PROBE, just configure sending a generated packet to the  RESPONDER, where the RESPONDER is configured to respond with a TIME STAMP information, so the source can calculate the performance values. CAREFULL with the times, configure NTP if you're not certain the devices are synced.

To configure the RESPONDER with the IP and PORT of the RESPONDER:
(config)#ip sla  monitor responder

Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr dest-port 500
(config-sla-monitor-udp)#frequency 5 <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1 <-HOW MUCH TIME THE STATISCICS ARE KEPT
(config-sla-monitor-udp)#request-data-size 1500 <- PACKET SIZE

And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only):
(config)#ip sla monitor schedule 10 start-time now life 100

Check the statistics:
#sh ip sla moni statistics
Round trip time (RTT)   Index 10
Latest operation start time: *14:47:06.923 UTC Fri Dec 6 2013
Latest operation return code: OK
Number of successes: 10
Number of failures: 0
Operation time to live: 52 sec

And on the RESPONDER:
#sh ip sla monit responder
IP SLA Monitor Responder is: Enabled
Number of control message received: 17 Number of errors: 0
Recent sources: [14:25:11.241 UTC Fri Dec 6 2013] [14:25:06.241 UTC Fri Dec 6 2013] [14:25:01.237 UTC Fri Dec 6 2013] [14:24:56.237 UTC Fri Dec 6 2013] [14:24:51.237 UTC Fri Dec 6 2013]

If you are using IP SLA for ROUTING, meaning - you want to TRACK a certain route using ICMP (ping), and depending on the result - "tune" the routing table, you have 2 options:

OPTION 1: Use a TRACK object and attach it to the STATIC ROUTE:
(config)#track 10 ip route reachability
(config)#ip route track 10

Check the status of the TRACK 10 object, and based on that - you can know if your STATIC route is UP:
#sh track 10
Track 10
  IP route reachability
  Reachability is Up (connected)
    3 changes, last change 00:04:04
  First-hop interface is Serial0/1/0
  Tracked by:

IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol, like OSPF:
#sh track 10
Track 10
  IP route reachability
    3 changes, last change 00:03:59
  First-hop interface is FastEthernet0/0
  Tracked by:

OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) to monitor end-to-end response

(config)#ip sla monitor 10
(config-sla-monitor)#$type echo protocol ipIcmpEcho source-ipaddr
(config-sla-monitor-echo)#frequency 5

(config)#ip sla monitor schedule 10 start-time now life forever

STEP 3: DEFINE THE TRACK Object using the defined IP SLA:
(config)#track 15 rtr 10 reachability <- 15 is RTR NUMBER, 10 is the IP SLA we're attaching

*Make sure the TRACK is UP before you attach it to the route:
#sh track 15
Track 15
  Response Time Reporter 10 reachability
  Reachability is Up
    2 changes, last change 00:00:18
  Latest operation return code: OK
  Latest RTT (millisecs) 36
  Tracked by:

STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE, like in the option 1:
(config)#ip route track 15

PBR - Policy Based Routing

!!!Most Important: To DEBUG the Policy Map:
#debug ip policy

To match the SOURCE IP use the standard ACL:
(config)#access-list 2 permit host

To match the FLOW use the EXTENDED ACL:
(config)#ip access-list extended FLOW1
(config-ext-nacl)#permit ip host host <-TO MATCH THE FLOW
(config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL(PORT)

ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table:
(config)#ip local policy route-map ROUTE_MAP
!!!This will not work for traffic transiting this router. For that you need to apply it on the interface

IPv6 Tunnels

First a reminder about a IPv4 GRE tunnel, the most simple and GENERIC one.

Configuration is really simple, create the Tunnel interface, define the MODE and assign the Source and Destination IP or Interface:
(Config)#Interface tunnel
(Config-if)#tunnel mode GRE IP
(Config-if)# tunnel source IP
(Config-if)#tunnel destination IP

Then define the GRE tunnel IP (needs to be in the same subnet on the both sides):
(Config-if)#ip address
By default GRE keep-alives are off, butt they can be turned on

Now the IPv6. There are 4 types of IPv6 Tunnels:

1. IPv6 over IPv6 GRE tunnel, the configuration similar as the IPv4 one:
(Config-tunnel)#tunnel source lo0
(Config-tunnel)#tunnel destination
(Config)#interface tunnel0
(Config-if)#ipv6 add 1:1:1:1::1/64

2. IPv6 over IPv6IP Tunnel
3. IPv6 over IPv4 UDP Teredo Tunnel
4. IPv4 over IPv6 GRE Tunnel

AUTOMATIC Tunnels: 6to4 (IPv4 into IPv6 prefix), ISATAP - have a standard format of the IP address, so only the tunnel source and the IP address are configured in accordance to that standard - and the Tunnel goes UP.

When you configure them MANUALLY the Tunnel mode can be IPv6IP:
(config)#interface tunnel 0
(config-if)#tunnel mode ipv6ip <- DEFAULT IS GRE

GRE is Protocol 47, and IPV6IP is Protocol 41. You can check this by PINGING one side from another, and debuging
"ip packet details" on the other side:

*Nov 29 18:23:52.126: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:52.126: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 136, rcvd 3, proto=41
*Nov 29 18:23:52.126: IP: s= (Tunnel0), d= (Serial0/1/0.21), len 96, sending, proto=41
*Nov 29 18:23:53.110: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:53.110: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 120, rcvd 3, proto=41

*Nov 29 18:25:30.506: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.506: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 140, rcvd 3, proto=47
*Nov 29 18:25:30.574: IP: s= (Tunnel0), d= (Serial0/1/0.21), len 140, sending, proto=47
*Nov 29 18:25:30.622: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.622: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 140, rcvd 3, proto=47

6to4 Tunnels: AUTOMATICALLY established, allowing IPv6 connection through IPv4. They require SPECIAL ADDRESSING:
IPv6 of 2002 followed by TRANSLATED IPv4 address. So, we need these steps:

Step 1:
Translate IPv4 into IPv6 address. For example
10 1 1 1
0A 01 01 01

Step 2:
So using the 2002 which is the 6to4 marker, you get> 2002:A01:101::/128, so:
(config-if)#ipv6 add 2002:A01:101::/128

Step 3: 
Configure the TUNNEL MODE as IPV6IP 6to4:
(config-if)#tunnel mode ipv6ip 6to4

Step 4: 
Make sure that the Tunnel Interface is going UP/UP
*Nov 29 19:10:13.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up

ISATAP Tunnel: It's a IETF transition mechanism that allows IPv6 networks to connect over IPv4 Networks. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits in the interface identifier are constructed using the IPv4 tunnel source address. ISATAP also has it's own IPv6 Address Format, which is formed like this:
NETWORK PORTION: can be any IPv6 address
HOST PORTION: starts with 0000:5EFE, and the rest of host portion is TRANSLATED IPv4 of the TUNNEL SOURCE

Step 1: 
Define the Tunnel SOURCE address
(config-if)#tunnel source 10.44:44:44

Step 2: 
Sending of IPv6 router advertisements is disabled by default on tunnel interfaces. This command reenables the sending of IPv6 router advertisements to allow client autoconfiguration:
(config-if)# no ipv6 nd ra suppress

Step 3: ISATAP
The only difference from standard IPv6IP configuration is that the IPv6 address needs to be eui-64 generated, and that the MODE needs to be defined as ISATAP:
(config-if)#ipv6 address 46:1:46::/64 eui-64 <- EUI CONVERTS IPv4 TO IPv6 AUTOMATICALLY
(config-if)#tunnel mode ipv6ip isatap


The difference with OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100
it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id
*Dec  1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

(config-rtr)#no redistribute ospf 1  metric 1 1 1 1 1

To change the timers on the interface the command is a bit BACKWARDS, as in - "" ipv6 hello-interval eigrp..":
(config-if)#ipv6 hello-time eigrp 100 10 <-HELLO
(config-if)#ipv6 hold-time eigrp 100 40 <-DEAD

The command for checking the current timers is also unintuitive, cause you need to add "details" to the end:
#sh ipv6 eigrp interfaces detail  | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60, Hold-time is 180

!!!BE CAREFULL WITH FRAME RELAY, cause EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces, so make sure if you need to disable it or not:
(config-subif)#no ipv6 split-horizon eigrp 100

Like in EIGRPv4, on EIGRPv6 EIGRP Patckets use UP TO 50% of the Links BW. To change that (to 25% in this example):
(config-subif)#ipv6 bandwidth-percent eigrp 100 25

Another similarity to EIGRPv4, you can use "summary-address" to inject the default route:
(config-if)#ipv6 summary-address eigrp 100 ::0/0
*Dec  1 12:32:28.571: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured
*Dec  1 12:32:28.571: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured

EIGRPv6 Authentication: Also similar to EIGRPv4

Step 1: Define the Key Chain
(config)#key chain MAT
(config-keychain)#key 1
(config-keychain-key)#key-string Cisqueros

Step 2: Apply the key chain to the interface:
(config-if)#ipv6 authentication key-chain eigrp 100 MAT

Step 3: Turn ON the authentication on the interface, in this example MD5:
(config-if)#ipv6 authentication mode eigrp 100 md5

Some ADDITIONAL features:
Make sure the incoming prefixes are in less then 50 hops (TTL <= 50)
(config-rtr)#metric maximum-hops 50

"Tune" the Active Time (time before declaring a router STUCK IN ACTIVE - SIA)
(config-rtr)#timers active-time ?
  <1-65535>  active state time limit in minutes
  disabled   disable time limit for active state


If you control OSPFv2 (IPv4 OSPF) wou wont have any problems here. There are, however, a few differences in the configuration. First one - it's configured on the INTERFACE LEVEL, and the Area is also defined there, so there is no need to add the "network" commands within the Router configuration:
(config-if)#ipv6 ospf 1 area 0

!!!Dont forget to define the router-id, because if there are no IPv4 addresses on the router - it cannot pick one! So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later.

LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:

0x2001 Router LSA 1 Router LSA
0x2002 Network LSA 2 Network LSA
0x2003 Inter-area Prefix LSA 3 Network Summary LSA
0x2004 Inter-area Router LSA 4 ASBR Summary LSA
0x4005 AS-External LSA 5 AS-External LSA
0x2006 Group Membership LSA 6 Group Membership LSA
0x2007 Type-7 LSA 7 NSSA External LSA
0x0008 Link LSA
0x2009 Intra-area Prefix LSA

*If you want an area not to receive LSA4 and LSA5, configure it as stub:
(config-rtr)#area 12 stub <- ADDS A DEFAULT ROUTE TO ISOLATED ROUTER (the router that only has stub area)
Default Route added: OI  ::/0 [110/2] via FE80::2, FastEthernet0/0 <- INSTEAD OF ALL EXTERNAL ROUTES

If you want the router to maintain IO INTRA AREA routes only, configure it as NSSA "stub no-summary"

If you want not to propagate EXTERNAL routes- configure an area as NSSA (routes redistributed into NSSA area will appear marked with "ON2"). You can add "default-information-originate" to inject the default route into nssa area. Add "always" to this command if you want to inject the default route, and the local router doesnt have one.

To change the METRIC/COST you can do two things. Either change the DEFAULT COST under OSPF process:
(config-rtr)#auto-cost reference-bandwidth 10000

Or use the "ipv6 ospf cost" command under EACH INTERFACE.

BGP CONDITIONAL Advertisements - Advertise Maps

This is a pretty complex BGP issue because you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behaviour of the BGP advertisements depending on the routes that are being learned.

Step 1:
Configure 2 Route Maps, one for the CHECK condition, and another for PREFIXES you will advertise if CHECK passes.
For example we want to CHECK if the is learned:
(config)#access-list 2 permit
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise
(config)#access-list 1 permit
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1

Step 2:
Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor advertise-map ADVERTISE ?
  exist-map      advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS
  non-exist-map  advertise prefix only if prefix in the condition does not exist
(config-router)#neighbor advertise-map ADVERTISE non-exist-map CHECK

Intuitively we can see that the ADV_ROUTE_MAP is the route map that defines the routes that will be broadcast, in this case if the conditions defined in the route-map CONDITION_ROUTE_MAP is NOT satisfied, meaning - if the prefixes are NOT in the table.

Advanced BGP Features: Route Dampening

When you check the BGP prefixes using the "show ip bgp", besides the arguments that appeared so far (*, >, r) there
is another "Tag" that can appear, and it's a letter "d", which stends for DAMPENING.
#show ip bgp
BGP table version is 5, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE
              r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across
an internetwork. A route is considered to be flapping when its availability alternates repeatedly"

If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening

If you want to use this feature - make sure you understand the concept of PENALTIES being "rewarded" to a route
every time it FLAPS, and make sure you're familiar with the PARAMETERS of BGP DAMPENING:
#sh ip bgp dampening parameters
 dampening 15 750 2000 60 (DEFAULT)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    :  2000         Reuse penalty    : 750
1. HALF-TIME (default 15 minutes)
When the penalty is assigned to a route, the accumulated penalty is decreased every 5 seconds. When the half-time
expires, accumulated penalties are reduced by half.  Default HALF-TIME is 15 minutes, and range 1-45 minutes.

2. REUSE (default 750)
The route can be REUSABLE if the penalties for flapping route go BELOW THIS VALUE. By default it's 750,
and the range is 1 to 20000

The route is SUPRESSED when the penalties REACH THIS VALUE. Default is 2000, and the range is 1-20000

Max time that the route can STAY SUPRESSED. Default is 4 times Half-Time value (60 minutes), range is 1-255

If you need to configure the BGP DAMPENING for a certain routes, use the ROUTE-MAP:
(config-router)#route-map DAMPEN_1
(config-route-map)#match ip add 15 <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL
(config-route-map)#set dampening 15 700 2000 60 <- SET DESIRED DAMPENING PARAMETERS

Then apply it within the BGP configuration process:
(config-router)#bgp dampening route-map DAMPEN_1

!!!This configuration can get quite complicated, so you might need to MATCH THE AS-PATH,
for this you need to be quite comfortable with META CHARACTERS, so for example match prefixes originated in AS 300:
(config)#ip as-path access-list 15 permit ^300$

And then MATCH it in the route-map and SET the dampening parameters:
(config-router)#route-map DAMPEN_2
(config-route-map)#match as-path 15
(config-route-map)#set dampening 15 700 2000 60

BGP Peer-Session Templates

Another way to make the BGP configuration easier by avoiding configuring the same command set on every router. It makes your life easier if you have various neighbors to which you'd like to apply a common set of attributes.

Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:
(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros

Step 3: If you have more groups of neighbors, and they all have some commmon settings (for example the ones defined
in the template IBGP), and some different ones. Then create another template, and inherit the first template:
(config-router)#template peer-session GROUP_1 <- FOR AS 100
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100

(config-router)#template peer-session GROUP_2 <- FOR AS 200
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200

Step 4: Apply the LAST defined Template to RELEVANT NEIGHBORS, that inherited the settings of the initial Templates:
(config-router)#neighbor inherit peer-session GROUP_1
(config-router)#neighbor inherit peer-session GROUP_1
(config-router)#neighbor inherit peer-session GROUP_2

Convert MAC to Link Local IPv6 Address

Check how the Link Local address has been generated using the interface MAC address using the following command:

#sh int fa0/0 | i Hard
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

  IPv6: FE80::21E:BEFF:FE5D:27F0
Step 1: Start with the Link-Local "Signature", which is FE80:: - For Link Local IPv6 Addresses

Step 2: First two 0s from MAC are replaced with a HEX 2, to fill up MACs 48 bits up to the 64 bits that we need

Step 3:  Then the "" part is COPIED and PASTED - 2|1E:BE|FF:FE|5D:27F0

Step 4:  FFFE is Added after this, in the MIDDLE of the MAC address

Step 5:  The rest of MAC follows
  So - 2 + 4HEXofMAC + FFEE + 6HEXofMAC

Now check the complete IPv6 configuration of the interface:

#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured

  Joined group address(es):
    FF02::1 <- 0 after F means the IPv6 is PERMANENT (if it were 1 - it would be temporal)
    FF02::2 <- Subnet routers MULTICAST
    FF02::1:FF5D:27F0 <- Solicited-Node-Multicast Address

IPv6 Basics

Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor discovery, Router discovery
FC00::/7 Unique Local, Unicast (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - always use the /64 addresses for all the INTERFACES
!!!(MAC can be converted into EUI-64 format to get the interface address)

ARP has been replaced with ICMPv6 Neighbor Discovery.
Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping

TIP: before enabling IPv6 on a router and configuring the interfaces male sure there is a IPv4 connectivity

IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing

On a ROUTER you should enable IPv6 on an interface:
(config-if)#ipv6 enable
!!!LINK-LOCAL address is generated based on the interfaces MAC Address by doing "ipv6 enable"

Assign the UNICAST IPv6 address:
(config)#no switchport <--- DONT FORGET on 3560 OR 3750
(config-if)#ipv6 add 12:1:1::3/64

Assign a LINK-LOCAL IPv6 Address, if you want to configure it STATICALLY:
(config-if)#ipv6 address FE80::1 link-local
!!!Be sure it starts with FE80, or you will get a message "% Invalid link-local address"

By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:
#debug ipv6 nd

When you configure the "ipv6 enable" on the interface, the Link Local address is assigned:
*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NS -Neighbor Solicitation
*Nov 21 08:21:03.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.
!!!FE80::21E:BEFF:FE5D:27F0 Assigned. DAD - Duplicate Address Detection confirms IP is UNIQUE!
*Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NA - Neighbor Advertisment for routers Link Local address
*Nov 21 08:21:03.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0
!!!Interface comes UP because noone complained

Check if the interface got the correct IPv6 Address:
#sh ipv6 int br
FastEthernet0/0            [up/up]
FastEthernet0/1            [administratively down/down]
Serial0/1/0                [up/down]
Serial0/1/1                [administratively down/down]
Serial0/2/0                [administratively down/down]

When you SHUT the local interface, the Link Local address is deleted:
*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0
*Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA

And we are finally reaching my favorite change in the IPv6, the NEIGHBOR DISCOVERY and DISPLAY:
#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
12:1:1:12::1                                0 0013.6085.aeea  STALE Fa0/0 <- UNICAST
FE80::1                                     0 0013.6085.aeea  STALE Fa0/0 <- LINK-LOCAL

OSPF Forward Address Suppression

The aim is to SUPRESS the address of the router that originated the Prefix. When the area is NSSA, and you want to CONTROL the remap process of the LSA7 to LSA5, but use as the forwarding address instead of the one specified in the LSA7:
(config-router)#area 1 nssa translate type7 suppress-fa ?
  default-information-originate  Originate Type 7 default into NSSA area
  no-redistribution              No redistribution into this NSSA area
  no-summary                     Do not send summary LSA into NSSA

Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:
#sh ip ospf database external
            OSPF Router with ID ( (Process ID 1)
                Type-5 AS External Link States
  LS age: 557
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number: 80000003
  Checksum: 0x1286
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address:
        External Route Tag: 0

While after the command has been implemented, we have:
#sh ip ospf database external
            OSPF Router with ID ( (Process ID 1)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 41
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number: 80000004
  Checksum: 0x3952
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: <- THE FORWARD ADDRESS HAD CHANGED
        External Route Tag: 0

If you add "no-summary" to this command, LSA3 s are filtered, and the default route is advertised instead.
You can use the similar approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA, but advertise only the defult route on the ABR. In this example the Area 1 is NSSA:
(config-router)#area 1 nssa default-information-originate no-summary

Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2):
#sh ip route
Gateway of last resort is to network
O*N2 [110/1] via, 00:05:21, Serial1/0.63 is subnetted, 1 subnets

!!!Regardless of whether you´re using the "nssa default-information-originate" or the "nssa no-summary" command
in the OSPF Area, the Default Route will be injected into that area. The difference is the route type:
Gateway of last resort is to network
O*IA [110/65] via, 00:04:22, Serial1/0.43

Gateway of last resort is to network
O*N2 [110/1] via, 00:00:22, Serial1/0.53 is subnetted, 1 subnets

NTP - Network Time Protocol

First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*Nov 15 16:50:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC
Fri Nov 15 2013, configured from console by console.

Now if you set this time really good, and the Switch is new generation and you really trust it, then in order to have
an entire network to be synchronized (and absolutely no external NTP available), set the most awesome switch to be
a NTP Server:
(config)#ntp master ?
  <1-15>  Stratum number <- STRATUM Number, all DOWNFLOW routers shall have SERVER + Number of HOPS

Check what's happening:
#show ntp status
Clock is synchronized, stratum 2, reference is
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:
(config)#ntp server

Configure the BROADCAST on the Interfaces:
(config-if)#ntp broadcast <- On the NTP MASTER
(config-if)#ntp broadcast client <-ON NTP CLIENTS

IRDP - ICMP Router Discovery Protocol

IRDP enables Routers to automatically discover the IP of their potential Default Gateway. It uses ICMP and Solicitation Messages.

Potential GW Routers periodically announce the IP address of their IRDP configured interface to a roadcast destination. IRDP Preference value is advertised with these messages, along with the IP Address.

Step 1:
The configuration is pretty straight-forward. First you MUST turn the Routing off on the router that you want to discover it's own GW:
(config)#no ip routing

Step 2:
IRDP Needs to be enabled on the Router:
(config)#ip gdp ?
  eigrp  Discover routers transmitting EIGRP router updates
  irdp   Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here
  rip    Discover routers transmitting RIP router updates

Step 3:
Here is what needs to be defined on the interface:
 (config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE
 (config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS
 (config-if)#ip irdp minadvertinterval 3
 (config-if)#ip irdp holdtime 15
 (config-if)#ip irdp preference 600 <- DEFINE THE ROUTER PREFERENCE

Step 4:
TEST by pinging the IP behind the routers that are supposedly advertising the GW
PING will work ONLY if Proxy-ARP is enabled on the IP Interface
 #sh ip inter fa0/0 | i ARP
  Proxy ARP is enabled <- THIS ONE MATTERS
  Local Proxy ARP is disabled
 #show ip route
 Gateway         Using  Interval  Priority   Interface      IRDP        4       600     FastEthernet0/0      IRDP        4       200     FastEthernet0/0

When you do a DEBUG of ICMP, you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW:
ES-MAT-AES-SR03#debug ip icmp
ICMP packet debugging is on
*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from

GLBP - Configure the Global Load Balancing Protocol

GLBP is different from HSRP and GLBP, as in - it's more complex and gives more possibilities, such as LoadBalancing

!!!You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!

GLBP Group Members communicate using HELLOs, UDP/3222, by default Hello Timer = 3 sec

Basically there are 2 roles:
- AVG (Active Virtual Gateway) MASTER Router in charge of Assigning Virtual MAC Addresses to other Routers
and it has to know ALL the MACs of the AVFs
- AVFs (Active Virtual Forwarders) the rest of the Routers, which take AVG function if AVG dies.

sh glbp br
Interface   Grp  Fwd Pri State    Address         Active router   Standby route
Fa0/0       1    -   100 Standby        local
Fa0/0       1    1   7   Active   0007.b400.0101  local           -
Fa0/0       1    2   7   Listen   0007.b400.0102        -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can
choose the Load Balancing method:
ES-MAT-AES-SR03(config-if)#glbp 1 load-balancing ?
  host-dependent  Load balance equally, source MAC determines forwarder choice
  round-robin     Load balance equally using each forwarder in turn
  weighted        Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)

As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC
of AVF that has failed.
ES-MAT-AES-SR03(config-if)#glbp 1 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify time-out values for failed forwarders

TRACKing is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object.
ADVANTAGE: You can track 2 interfaces at once!!!
ES-MAT-AES-SR03(config)#track 1 interface fa0/0 ?
  ip             IP parameters <- TO TRACK IP ROUTING
  line-protocol  Track interface line-protocol <- TRACK IF THE INTERFACE IS DOWN

(config)#track 1 interface fa0/0 line-protocol
(config-track)#track 2 interface s0/1/0 line-protocol

#show track
Track 1
  Interface FastEthernet0/1 line-protocol
  Line protocol is Up
    1 change, last change 00:02:39
Track 2
  Interface Serial0/1/0 line-protocol
  Line protocol is Up
    1 change, last change 00:02:10

Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (If any of the tracked interfaces go DOWN, the WEIGHT will be decremented by 10, but these values can be tuned):
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track  1 <-MEMORIZE as it's a bit NON-INTUITIVE
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track  2

VRRP - Configure the Virtual Routing Redundancy Protocol

The VRRP configuration is similar to the HSRP, with a few slight differences. For example, there are no
ACTIVE and STANDBU, but MASTER and BACKUP router, as shown below:
#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              1   200 3218       Y  Master
Fa0/0              2   100 3609       Y  Backup

TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup,
and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Mater for VRRP Group 1, and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug
on the VRRP Pair router is as follows (before the authentication is configured on BOTH):
ES-MAT-AES-SR02#debug vrrp
*Nov 13 15:04:37.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:38.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:39.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:40.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*Nov 13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:41.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
ES-MAT-AES-SR02#u all
All possible debugging has been turned off

At the end the configuration on the interface will look similar to the HSRP config:
interface FastEthernet0/0
 ip address
 vrrp 1 description MAT1
 vrrp 1 ip
 vrrp 1 timers learn
 vrrp 1 authentication cisco
 vrrp 2 description MAT2
 vrrp 2 ip
 vrrp 2 timers advertise 10
 vrrp 2 priority 200

!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default on Cisco devices!

HSRP - Configure the Hot Standby Routing Protocol

Redundancy Protocol, Cisco Proprietary.
Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:
interface FastEthernet0/0
 ip address
 standby 1 ip <- Group 1 VIRTUAL IP Address
 standby 1 timers 5 15 <- Can also be done in miliseconds using "standby 1 timers msec 250 800"
 standby 1 priority 150 <- Default it 100, Default
 standby 1 preempt
 standby 1 authentication Cisco
 standby 1 name R2-Act
 standby 2 ip
 standby 2 timers 5 15
 standby 2 authentication Cisco
 standby 2 name R5-Act

"07-ac" is the SIGNARURE part of Virtual MAC Address of the HSRP:
#sh standby | i 07
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

To check the current configuration, including the HSRP Status and whether
preempt is configured:
#sh standby brief
                     P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   100    Standby      local 
Fa0/0       2   200  P Active   local 

If you need to TRACK an interface, just add the interface line, and define for how much you want to decrease the
HSRP priority in order to fail over to the HSRP Peer:
(config-if)#standby 1 track serial 0/1/0.21 60

Configuring the DHCP Server

Using the DHCP Pool configured on a IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DSCP on a Cisco Router:

Step 1: Enable DHCP Server on a Device:
(config)#service dhcp

Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network <- Network Range
(config-dhcp)#netbios-note-type h-node <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server <- WINS Server IP
(config-dhcp)#dns-server <- Primary and Secondary IPs
(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address

Step 4: Disable the DSCP Logging of the Conflicts, because quite a few are likely to occur, and your log file can
fill in the memory:
(config)#no ip dhcp conflict logging

Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it. So - create another DHCP pool, and assign the hosts IP and the MAC address (THIS HOST WILL INHERIT THE CONFIG FROM THE DEFAULT POOL):
(dhcp-config)#hardware-address 0014.2526.ef46

Check if your manual entry was configured:
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name       0014.2526.ef46          Infinite                Manual

Scalability for Stateful NAT (SNAT)

Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged. Reference:

Step 1:
You need to create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1

Step 2:
In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the stateful
nat group configurarion, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1

Step 3:
The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID,
which is called "mapping-id" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1

Step 4:
Consider adding features such Asymetric queuing, or define a specific protocol for the redundancy group:
IP Stateful NAT Redundancy mode configuration commands:
  as-queuing  Disable asymmetric process for this redundancy group
  exit        Exit from IP Stateful NAT Redundancy config mode
  mapping-id  Configure mapping-id for this redundancy group
  no          Negate or set default values of a command
  protocol    Select transport protocol for this redundancy group

Step 5:
Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1

Step 6:
Check the translations
#sh ip snat distributed

Stateful NAT Connected Peers

No entries will appear until you perform a PING, and when you do, and do a debug, you'll see:
*Nov  7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov  7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov  7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov  7 14:47:12.081: NAT: s=>, d= [271]
*Nov  7 14:47:12.081: NAT*: s=, d=> [271]
*Nov  7 14:47:12.085: NAT*: s=>, d= [272]
*Nov  7 14:47:12.085: NAT*: s=, d=> [272]
*Nov  7 14:47:12.085: NAT*: s=>, d= [273]
*Nov  7 14:47:12.085: NAT*: s=, d=> [273]
*Nov  7 14:47:12.089: NAT*: s=>, d= [274]
*Nov  7 14:47:12.089: NAT*: s=, d=> [274]
*Nov  7 14:47:12.089: NAT*: s=>, d= [275]
*Nov  7 14:47:12.089: NAT*: s=, d=> [275]

Static NAT redundancy with HSRP

This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the
routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:

Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Congigure NAT on the relevant interfaces
(config-if)#ip nat inside <- NAT inside interface

Step 3: Static NAT redundancy with HSRP
After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static redundancy HSRP-1

This means that the traffic originated from the IP will be NAT-ed into

In this example the router is pinging the IP The final router ( does have the route back to
When the DEBUG is done on the router, the PING done from gives the following display:
*Nov  7 11:34:02.606: NAT*: s=>, d= [226]
*Nov  7 11:34:02.606: NAT*: s=, d=> [226]
*Nov  7 11:34:02.610: NAT*: s=>, d= [227]
*Nov  7 11:34:04.606: NAT*: s=>, d= [228]
*Nov  7 11:34:04.606: NAT*: s=, d=> [228]
*Nov  7 11:34:04.606: NAT*: s=>, d= [229]
*Nov  7 11:34:04.606: NAT*: s=, d=> [229]
*Nov  7 11:34:04.610: NAT*: s=>, d= [230]
*Nov  7 11:34:04.610: NAT*: s=, d=> [230]

PAR - When you need to implement traffic redirections using NAT

You can define the traffic redirection using Static Entries, but there is a trick.
For example you want all the http traffic DESTINED FOR s0/0.5 to be REDIRECTED to the IP instead.
You can configure this by defining the static NAT:
R1(config)#ip nat inside source static tcp 80 int s0/0.5 80

Make sure you understand how this command works, because it´s quite a complicated principle because it works a bit "upside down".

So when you try to telnet R1s IP using the port 80, from the router on the s0/0.5 side (R4):
R4#telnet 80
Trying, 80 ... Open

You see the following debug:

*Nov  6 15:54:48.703: NAT*: s=, d=> [23053] <- Router from where we telnet
*Nov  6 15:54:48.707: NAT*: s=>, d= [31747] <- NATed and FWD-ed to to
*Nov  6 15:54:48.735: NAT*: s=, d=> [23054]
*Nov  6 15:54:48.739: NAT*: s=, d=> [23055]
*Nov  6 15:55:48.739: NAT*: s=>, d= [31748]
*Nov  6 15:55:48.767: NAT*: s=, d=> [23056]
*Nov  6 15:56:48.763: NAT*: s=>, d= [31749]
*Nov  6 15:56:48.791: NAT*: s=, d=> [23057]
*Nov  6 15:57:12.959: NAT*: s=, d=> [23058]
*Nov  6 15:57:13.127: NAT*: s=, d=> [23059]
*Nov  6 15:57:13.155: NAT*: s=>, d= [31750]
*Nov  6 15:57:13.311: NAT*: s=, d=> [23060]
*Nov  6 15:57:13.507: NAT*: s=>, d= [31751]

PAT (NAT Overload)

Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to 1 Inside Global IP.

Step 1: Create an ACL with all the Inside Local addresses:
 (config)#access-list 1 permit

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:

Step 2.1: 
- Create the Inside Global IP Pool of any addresses from the Link towards the other Router:
 (config)#ip nat pool OVERLOAD prefix-length 24

- Configure the NAT Overload with the defined pool:
 (config)#ip nat inside source list 1 pool TASK2 overload

Step 2.2:
Configure the NAT to point to the Interface you need the traffic to go out from:
 (config)#ip nat inside source list 1 interface s0/1/0.21

!!! The system adds "overload" argument:
 (config)#do sh run | i nat inside
  ip nat inside
  ip nat inside source list 1 interface Serial0/1/0.21 overload

Load Balancing using NAT

This is a configuration that I´ve never implemented in any production environment, but I see quite a few cases where it can be usefull.

Step 1: Create a POOL of all the INSIDE IPs, and define the pool type: "type rotary":
 (config)#ip nat pool TASK1 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (the one we´re NAT-ing into):
 (config)#access-list 1 permit

Step 3: Do the inside NAT with the ACL 1 as the DESTINATION list, and the POOL or LOCAL IPs:
 (config)#ip nat inside destination list 1 pool ?
   WORD  Pool name for local addresses

Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
 (config)#int lo0
 (config-if)#ip nat inside
 (config-if)#int s0/1/0.21
 (config-subif)#ip nat outside

!!!Be sure that the routing is in place (both, go and return path towards the NAT-ed IP,!!!

Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:
 #sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

NAT - Dynamic NAT

1 - Define the POOL of the DESTINATION IPs (Public)
(config)#ip nat pool DESTIN prefix-length 24

2 - Define the ACCESS-LIST of the PRIVATE IPs
(config)#access-list 1 permit

3- Implement the NAT from-ACL-to-POOL IPs
(config)#ip nat inside source list 1 pool DESTIN

Do not forget to configure the "ip nat inside | outside" on the appropriate interfaces!

Pro Inside global      Inside local       Outside local      Outside global
 ---           ---                ---

NAT - Static NAT

You can do STATIC NAT and just "go out" of the router with a different IP address:
*Traffic sourced from will seem from
*Extendable is used if you need 1 LOCAL IP to be mapped to Various Public IPs
(config)#ip nat inside source static [extendable]

(config)#int lo0 <- PRIVATE IP
(config-if)#ip nat inside

(config-if)#int s0/1/0.21 <- PUBLIC (Global) IP
(config-subif)#ip nat outside

#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
---           ---                ---

Inside Local - Private IP of the host in your Network
Inside Global - Public IP that outside network sees your hosts as
Outside Local - How the local network sees IP of the remote host
Outside Global - Public IP of the remote host

If you want to do NAT for a SUBNET:
(config)#ip nat inside source static network /24

Is SDN really the future?

For all the Network Engineers out there who, like myself, scream inside whenever someone confidently declares that SDN is the future - Don´t panic... But DO consider expanding your skill set with a bit of Scripting/ Process Automation and similar... just in case.

*this article was originally published by

"We are seeing clients looking to hire a lot more DevOps people, because they need folks not just with a tactical, technical skillset, but with the ability to collaborate and coordinate business efforts across different departments," says Laura McGarrity, vice president of marketing for Mondo, an IT recruiting, hiring, and consulting firm.

"Our clients are hearing the terms 'SDN' and 'DevOps' a lot, and they want to find out what DevOps means, how and where to place these positions in their organizations, and whether to hire from outside or to mold talent from within," says Felix Fermin, senior technical recruiter at Mondo.

SDNs essentially automate networking functions. By removing the intelligence from traditional networking hardware and delegating network decision-making capabilities to the server, the data layer (the actual information traveling on a network) is decoupled from the control layer (the technology that determines how, when, and where that information flows), and each layer is automated.

This means independent control of each layer is possible without either the expensive, complicated hardware and software (e.g., routers and switches) or the highly skilled professionals who manage those devices, says Steve Shah, senior director of product management, of the Netscaler group at Citrix.

This push toward automation is a crucial element of SDN technology and one of the main reasons DevOps experience will be in high demand, says Shah.

"The kind of expertise you'll look for is no longer a hard-core, specialized programmer who focuses on individual devices and pieces of the network, but someone who can write code or scripts to automate processes and actions," Shah says.

"You may have to let people go in order to add new folks with the right skills. You may have to look long and hard, and spend more money to find experienced DevOps people, because you're looking at folks with a programmer's salary and with senior experience." --Steve Shah, senior director of product management, of the Netscaler group at Citrix.

"You need programming and scripting expertise, yes, but also folks with the broader business knowledge to see the entire data center topography and where inefficiencies and bottlenecks are happening - DevOps," Shah says.

Say Goodbye to Network Troubleshooters (YES, This scares the *** out of Network Engineers)

What kind of people have these skills? Higher-level networking pros, middle management types and DevOps people, Shah says. While the conventional argument is that low-level, junior network troubleshooters are all that's needed to keep an automated network running, Shah says the opposite is true.

"I think, contrary to popular belief, that entry-level, network troubleshooters who have expertise only on specific devices will suffer," Shah says.

"What makes an elite networking person special is the ability not just to troubleshoot, but to see the larger network topography, to understand how and why processes are automated, and to perform complicated heuristics to quickly get to the root of the problem," Shah says. "These guys have both a breadth and a depth to their skill set; they know not just how to design and deploy an automated network but also how to troubleshoot and fix problems at the command line. That's valuable."

Kurt Marko, an author, networking consultant and analyst, agrees with Shah's assessment.

"The low-level command line expert's going to go the way of the shell-scripting Linux wizard, or the DOS guy who was really good at writing batch jobs -- in other words, extinct," Marko says.

"With SDNs, networking devices are becoming so much more programmable with higher-level languages, and the networking guys are going to have to reskill to learn automation tools, scripting languages and the like," Marko says.

A First Time for Everything.

There's some uncertainty involved in making such a huge shift, and the technology and hiring decisions may be different for each company, Citrix's Shah says. That's where having a DevOps strategy, even if it's vague, can be helpful.

"Many times CIOs are encountering the need to hire DevOps folks for the first time, and there's by no means one simple way to go about fulfilling this new demand," Shah says. "Businesses should be asking, 'Where do I put them? How do I find system administrators who can write code? Or programmers who understand the larger IT landscape? We have ERP or CRM programmers on staff already - do we go with what we've got, invest in additional education for them, and promote them? Or should we hire some hard-core programmers and try and teach them the business side?'," Shah says.

Many organizations are asking these same questions, says Mondo's Fermin. While some of Mondo's clients are looking to hire DevOps professionals, Fermin says, many are simply in the early stages of assessing whether or not such positions will be valuable to their business.

That said, the sudden spike in interest from clients has Mondo predicting a strong demand for SDN-related skillsets and DevOps professionals into 2014.

There's no right or wrong approach, says McGarrity, so for now Mondo is tackling the issue from both sides: counseling candidates on how to beef up existing skills or add new ones that are applicable to these kinds of positions, and on the hiring side advising clients on which skills to look for, or how to identify and mold talent from within, she says.

Those decisions are unique to the needs of each business, but Citrix's Shah notes that these hard questions can lead to some hard decisions.

"You may have to let people go in order to add new folks with the right skills. You may have to look long and hard, and spend more money to find experienced DevOps people, because you're looking at folks with a programmer's salary and with senior experience," he says.

You also must remember that DevOps folks need to be involved in higher-level business decisions so they can create software and automation processes that can act in concert with or react quickly to changing business requirements, he says.

The bottom line is that both businesses and technology professionals must accept and adapt to the new landscape of an automated data center, including SDNs, says Marko.

In this sense, the advent of SDNs follows the trajectory of other disruptive IT technologies.

"Server administrators had to learn virtualization technologies. Networking guys are going to have to do the same, now," Marko says. "While there's still some value in these high-level, specialized networking skill sets, these professionals are going to have to adapt to whatever new skills are necessary, or be out of a job," he says.

A must read:
Isaac Asimov - The Last Question

Configure SSH Access

Cisco Documents:
Security>AAA>Secure Shell Configuration Guide

First step would be to make sure that all the devices within your network SUPPORT the Secure Shell. The you need to make sure HOW you want to implement it, as there are 2 options:
1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name
2. Configuring a Router for SSH Version 2 Using RSA Key Pairs

In the first configuration type, these are the steps to follow:

Step 1: Be sure to have the Hostname and the IP Domain Name configured:
(config)#ip domain name SNArchs

Step 2: Decide the key pair (in bits, by defaut its 512 bits) and generate the RSA key. This ENABLES SSHv2:
(config)#crypto key generate rsa usage-keys
The name for the keys will be: ES-MAT-AES-SR04.SNArchs
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*Dec  5 12:58:48.123: %SSH-5-ENABLED: SSH 2.0 has been enabled

Then configure the VTY port for the user database to use (TACACS or LOCAL), and to use SSH:
(config)#line vty 0 4
(config-line)#login local <-WONT BE AVAILABLE AFTER SSH IS ENABLED
(config-line)#transport input ssh
*When testing the access via SSH don't forget to use the "-l" to define the username:
#ssh -l mat

You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH), that can later be applied to ALL VTY ports:
(config)#aaa new-model
(config)#aaa authentication login AAA_AUTH local

Now apply it to the VTY port:
(config)#line vty 0 4
(config-line)#transport input ssh
(config-line)#login authentication AAA_AUTH
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005

AAA Authentication

Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting

This is pretty straight forward, because on CCIE R&S exam you wont have to configure an actual ACS server. For starters be sure that the "aaa new-model" is configured.

Turn the TACACS+ authentication ON, and set LOCAL DB as backup:
(config)#aaa authentication login MYTACACS group tacacs+ local enable
*MYTACACS is the authentication policy. If you put "default" instead of specifying the policy, there is no need to assign the policy to VTY line later, it's a default policy on a device, from where ever you try to authenticate. In case you have a default policy, you need to ALSO define a NO_AUTH policy to apply where you dont want TACACS, like AUX and CONSOLE ports maybe.

Define the TACACS+ as a server, and set the Shared Secret:
(config)#tacacs-server host key cisco

Define the source interface from which you will authenticate:
(config)#ip tacacs source-interface Loopback0

Apply the authentication settings to the VTY line:
(config-line)#login authentication MYTACACS

#test aaa group tacacs+ USERNAME PASSWORD legacy

Multiple Spanning Tree Protocol (MST)

Supports up to 4096 instances of Spanning Tree

(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration
Name      [ ]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-11,13-33,35-55,57-89,91-4094
1         12,34
2         56,90

Check the ROOT:
#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 aabb.cc00.0600         0    2   20  15
MST1                 1 aabb.cc00.0600         0    2   20  15
MST2              4098 aabb.cc00.0600         0    2   20  15

Advanced Spanning Tree

root primary - sets the priority to:
if ROOT > 24576 - sets to 24576 (priority 24576 sys-id-ext 12)
if ROOT =< 24576 - sets to 4096
root secondary - sets the priority to 28762

#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base 

Cat-1#show spanning-tree vlan 12
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588              <--- ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)    <--- ABOUT THIS SWITCH (LOCAL Bridge)
             Address     ec44.768a.6d80 <-- ON ROOT BridgeID and RootID have the same MAC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type           <--- ABOUT INTERFACES IN THIS VLAN 
------------------- ---- --- --------- -------- ------
Gi3/0/19            Desg FWD 4         128.127  P2p     <--- COST IS 4 CAUSE THIS IS GigabitEthernet Port 
Gi3/0/20            Desg FWD 4         128.128  P2p          (on FastEth is would be 19)

Great command to check the ROOT>
#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0100         24676 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0200         24776 aabb.cc00.0700       100    2   20  15  Et2/2
VLAN0300         24876 aabb.cc00.0800       100    2   20  15  Et3/1
VLAN0400         24976 aabb.cc00.0900         0    2   20  15 <--- COST TO ROOT IS 0, SO I'm the ROOT!!!

Change the COST on the interface level to change the PATH

Private VLANs


This belongs to L2 SECURITY rather then L2 SWITCHING

1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40

(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 30,40,50 <---map Promiscuous VLAN 10 to Community and Isolated VLANs

2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 30
(config-vlan)#private-vlan community

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <--- Associate Community VLAN 20 with Promiscuous VLAN 10

DONT FORGET TO ASSOCIATE Secondary VLANs to the Primary, so that they can all communicate with Promiscuous:
(config-vlan)#private-vlan association add 20,30,40

 #show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community   Et0/2
10      30        community   Et0/0
10      40        isolated            Et0/0


VMPS: VLAN Membership Policy Server

VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port.

VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients, so, it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network.

Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping.

When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port.
The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.

SECURE MODE: If MAC has not been found in VMPS Server - shut down the port

On VMPS Server:
(config)# vmps server [ipaddress | hostname] primary

On all the switches in the LAN (VMPS Clients):
(config-if)# switchport access vlan dynamic

Define how many times you want Client to contact the Server, like if you want to retry 5 times:
(config)# vmps retry 5 
(config)# vmps reconfirm 30 <--- RETRY IN 30 MINUTES IF 5 ATTEMPTS FAIL

SDM (Switch Database Management) - L3 Switch Memory Optimization

Depending on the Switch purpose (If the switch is used only for L2 Switching or for  IP Routing), Memory allocations can be optimized. This is what SDM is all about.

SDM (Switch Database Management), and there are 4 templates:
- ACCESS - For QoS and Security
- ROUTING - for IP Routing
- VLAN - Sets Switch to L2 and disables IP Routing
- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)

 (config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]

(config)#sdm prefer  ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6 <--- USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6
  ipe                 IPe bias
  routing             Unicast bias <--- IF YOU USE THE SWITCH AS A ROUTER
  vlan                VLAN bias <--- ONLY L2 SWITCH

Check the achieved results:
#show sdm prefer
 The current template is "desktop default" template. <--- COMMAND NOT ACTIVE BEFORE THE SWITCH HAS BEEN REBOOTED
 The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

#show sdm prefer
 The current template is "desktop routing" template. <--- AFTER THE REBOOT THE SWITCH CHANGES THE SDM MODE
 The selected template optimizes the resources in  the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K <--- MEMORY ALLOCATION HAS BEEN CHANGED
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

uRPF - Unicast Reverse Path Forwarding

Cisco Docs: Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address

Configure the receiving interface, which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination. For example, verify if the SOURCE IP is reachable via that exact interface:
(config-subif)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received <-EXACT INTERFACE

#sh ip int s1/0.21 | b verify
  IP verify source reachable-via RX
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate

!!!If the check fails, and this is NOT the best interface to reach the IP from which the incoming packed was sourced the packed it DROPPED.

Zone Based Firewall

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall

To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.

STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
(config-pmap)#class type inspect OUTSIDE 

STEP 2> Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection

STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ

(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE

STEP 4> Set the POLICIES between each ZONE PAIR:
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY

#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
 Zone-pair: OUT-to-DMZ
  Service-policy inspect : OUTSIDE_POLICY
    Class-map: INSIDE (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
    Class-map: class-default (match-any)
      Match: any
        0 packets, 0 bytes

PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION

BGP Regular Expressions - explained with the examples

REMINDER of the META Characters

^ - START of Line
$ - END of Line
| - Logical OR
? - ZERO instances of the PRECEDING character
* - ZERO OR MODE instances of the PRECEDING character
+ - ONE OR MORE instances of the PRECEDING character
(x) - Combine the enclosed String as a single entity
[x] - Wildcard where any position can match the position in AS-Path
. - Any Character


_65505$ - Prefixes that END with the AS 65505, meaning - they were originated by that AS

_65505_ - Prefixes that traversed the AS 65505

^$ - Locally Originated Prefixes (START and END of the line)

.* - ANY prefix (zero or more instances of ANY character)

^[0-9]+$ - All the prefixes from DIRECTLY CONNECTED ASs (meaning - they have only 1 AS in the AS PAth)


If you want to STOP using the recursive algorithm in order to be able to control more complex  regular expressions

(config-router)#bgp regexp deterministic

Now you can actually DISPLAY the prefixes that match your condition in the AS-PATH before defining the AS-PATH ACL

#show ip bgp regexp REGULAR_EXPRESSION

*There is a TRICK here, you need to add a MEMORY location you want to temporarily place thhe results, so instead of the expression ^300$ you would have to type:

#show ip bgp regexp (^300$)(_\1)*$

You can also display the Filter List before applying it to the neighbor:

#show ip bgp filter-list 1

Most Popular Posts