ADVANCED Access Lists (ACL) Configuration

TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: deny any any doesn't affect the locally generated traffic on the router

It's enough to configure the extended ACL, and hit a question mark when you want to define a PORT, just to realize that there is an entire world of ACL configuration options that we never knew about.

One of the awesome features is playing with the ESTABLISHED attribute, which means - allow back the traffic from the hosts TCP session has already been established with. In this example we're allowing back in the TELNET and HTTP traffic to HOST
(config-ext-nacl)#permit tcp any range 80 23  host established

STEP 1: define the time range using the "time-range TIMERANGE" command in the global configuration mode
*be sure the Clock is correct using the "show clock", and if not - set it using the "clock set", or with NTP server

STEP 2: attach the time-range to the ACL:
(Config)#access-list 120 permit tcp any any eq 23 time-range TIMERANGE

DYNAMIC ACL (aka Lock and key ACL)
Special Feature used for AUTHENTICATION of other devices
Like the time-range, but instead of the time we permit or deny ACLs actions based on Authentication.
The ACL is defined using "access-list 102 dynamic..."

STEP 1: Create and EXTENDED ACL, but be sure to allow all the needed protocols before you apply it on the interface:
(config)#access-list 100 permit eigrp any any
(config)#access-list 100 permit icmp any any

STEP 2: Create a DYNAMIC entry in the defined ACL, which will create a Dynamic ACL called DYN_ACL:
(config)#access-list 100 dynamic DYN_ACL permit ip any any

STEP 3: Apply the ACL on the interface:
(config-if)#ip access-group 100 in

STEP 4: Configure the VTY line for the dynamic ACL using the AUTOCOMMAND feature:
(config-line)#autocommand access-enable host
*"access-enable" is an EXEC, it doesnt appear when "?" is pressed
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005

REFLEXIVE ACL - For Session Filtering
Applied on the outbound interface of the router, we're taking care of the outgoing traffic, and then
we CHECK THE RETURNING TRAFFIC, meaning - we are making sure that the returning traffic is opposite of what went out.
When configuring, you need 2 ACLs:

STEP 1 - OUTBOUND ACL, For the outbound within the extended ACL configure:
(config)#ip access-list extended OUT_ACL
(config-ext-nacl)#permit tcp host any any eq www reflect REFLECT_ACL
(config-ext-nacl)#permit tcp host any any eq telnet reflect REFLECT_ACL
(config-ext-nacl)#permit tcp host any any eq https reflect REFLECT_ACL
(config-ext-nacl)#permit ospf any any

STEP 2: And on the inbound ACL within the extended ACL configuration:
(config)#ip access-list extended IN_ACL
(config-ext-nacl)#permit ospf any any
(config-ext-nacl)#evaluate REFLECT_ACL

STEP 3: Then apply the first one outbound, and the second one inbound on the same interface.
(config-subif)#ip access-group OUT_ACL out
(config-subif)#ip access-group IN_ACL in

After 5 minutes of inactivity the entries expire. it can be modified using the command "ip reflexive-list timeout X":
(config)#ip reflexive-list timeout 120 <-TIME REFLEXIVE ACL EXISTS WHEN NO PACKETS ARE DETECTED (default 300 seconds)

CCIE Blueprint v5 announced

As we've been waiting for, the new v5 Blueprint has been announced.

Starting from June the 4th 2014 the CCIE exam content changes, so if you've been preparing it for a while - you might want to set a date! I've got 3rd of March booked, so wich me luck :)

More details about the CCIE Exam content updates:

IP SLA - Monitor the Network Performance

Probably most typical usage of IP SLA is to measure the and UDP Jitter and Echo, to make sure that the path is good enough to send the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).
IP SLA can be configured without configuring a specific PROBE, just configure sending a generated packet to the  RESPONDER, where the RESPONDER is configured to respond with a TIME STAMP information, so the source can calculate the performance values. CAREFULL with the times, configure NTP if you're not certain the devices are synced.

To configure the RESPONDER with the IP and PORT of the RESPONDER:
(config)#ip sla  monitor responder

Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr dest-port 500
(config-sla-monitor-udp)#frequency 5 <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1 <-HOW MUCH TIME THE STATISCICS ARE KEPT
(config-sla-monitor-udp)#request-data-size 1500 <- PACKET SIZE

And then just START the IP SLA on the CLIENT (in this case starts immediately and lasts for 100 seconds only):
(config)#ip sla monitor schedule 10 start-time now life 100

Check the statistics:
#sh ip sla moni statistics
Round trip time (RTT)   Index 10
Latest operation start time: *14:47:06.923 UTC Fri Dec 6 2013
Latest operation return code: OK
Number of successes: 10
Number of failures: 0
Operation time to live: 52 sec

And on the RESPONDER:
#sh ip sla monit responder
IP SLA Monitor Responder is: Enabled
Number of control message received: 17 Number of errors: 0
Recent sources: [14:25:11.241 UTC Fri Dec 6 2013] [14:25:06.241 UTC Fri Dec 6 2013] [14:25:01.237 UTC Fri Dec 6 2013] [14:24:56.237 UTC Fri Dec 6 2013] [14:24:51.237 UTC Fri Dec 6 2013]

If you are using IP SLA for ROUTING, meaning - you want to TRACK a certain route using ICMP (ping), and depending on the result - "tune" the routing table, you have 2 options:

OPTION 1: Use a TRACK object and attach it to the STATIC ROUTE:
(config)#track 10 ip route reachability
(config)#ip route track 10

Check the status of the TRACK 10 object, and based on that - you can know if your STATIC route is UP:
#sh track 10
Track 10
  IP route reachability
  Reachability is Up (connected)
    3 changes, last change 00:04:04
  First-hop interface is Serial0/1/0
  Tracked by:

IMPORTANT: Make sure that the prefix you are tracking isn't available using some other protocol, like OSPF:
#sh track 10
Track 10
  IP route reachability
    3 changes, last change 00:03:59
  First-hop interface is FastEthernet0/0
  Tracked by:

OPTION 2: Use the IP SLA ICMP ECHO (ipIcmpEcho) to monitor end-to-end response

(config)#ip sla monitor 10
(config-sla-monitor)#$type echo protocol ipIcmpEcho source-ipaddr
(config-sla-monitor-echo)#frequency 5

(config)#ip sla monitor schedule 10 start-time now life forever

STEP 3: DEFINE THE TRACK Object using the defined IP SLA:
(config)#track 15 rtr 10 reachability <- 15 is RTR NUMBER, 10 is the IP SLA we're attaching

*Make sure the TRACK is UP before you attach it to the route:
#sh track 15
Track 15
  Response Time Reporter 10 reachability
  Reachability is Up
    2 changes, last change 00:00:18
  Latest operation return code: OK
  Latest RTT (millisecs) 36
  Tracked by:

STEP 4: Attach the TRACK OBJECT to the STATIC ROUTE, like in the option 1:
(config)#ip route track 15

PBR - Policy Based Routing

!!!Most Important: To DEBUG the Policy Map:
#debug ip policy

To match the SOURCE IP use the standard ACL:
(config)#access-list 2 permit host

To match the FLOW use the EXTENDED ACL:
(config)#ip access-list extended FLOW1
(config-ext-nacl)#permit ip host host <-TO MATCH THE FLOW
(config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL(PORT)

ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table:
(config)#ip local policy route-map ROUTE_MAP
!!!This will not work for traffic transiting this router. For that you need to apply it on the interface

IPv6 Tunnels

First a reminder about a IPv4 GRE tunnel, the most simple and GENERIC one.

Configuration is really simple, create the Tunnel interface, define the MODE and assign the Source and Destination IP or Interface:
(Config)#Interface tunnel
(Config-if)#tunnel mode GRE IP
(Config-if)# tunnel source IP
(Config-if)#tunnel destination IP

Then define the GRE tunnel IP (needs to be in the same subnet on the both sides):
(Config-if)#ip address
By default GRE keep-alives are off, butt they can be turned on

Now the IPv6. There are 4 types of IPv6 Tunnels:

1. IPv6 over IPv6 GRE tunnel, the configuration similar as the IPv4 one:
(Config-tunnel)#tunnel source lo0
(Config-tunnel)#tunnel destination
(Config)#interface tunnel0
(Config-if)#ipv6 add 1:1:1:1::1/64

2. IPv6 over IPv6IP Tunnel
3. IPv6 over IPv4 UDP Teredo Tunnel
4. IPv4 over IPv6 GRE Tunnel

AUTOMATIC Tunnels: 6to4 (IPv4 into IPv6 prefix), ISATAP - have a standard format of the IP address, so only the tunnel source and the IP address are configured in accordance to that standard - and the Tunnel goes UP.

When you configure them MANUALLY the Tunnel mode can be IPv6IP:
(config)#interface tunnel 0
(config-if)#tunnel mode ipv6ip <- DEFAULT IS GRE

GRE is Protocol 47, and IPV6IP is Protocol 41. You can check this by PINGING one side from another, and debuging
"ip packet details" on the other side:

*Nov 29 18:23:52.126: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:52.126: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 136, rcvd 3, proto=41
*Nov 29 18:23:52.126: IP: s= (Tunnel0), d= (Serial0/1/0.21), len 96, sending, proto=41
*Nov 29 18:23:53.110: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:23:53.110: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 120, rcvd 3, proto=41

*Nov 29 18:25:30.506: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.506: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 140, rcvd 3, proto=47
*Nov 29 18:25:30.574: IP: s= (Tunnel0), d= (Serial0/1/0.21), len 140, sending, proto=47
*Nov 29 18:25:30.622: IP: tableid=0, s= (Serial0/1/0.21), d= (Serial0/1/0.21), routed via RIB
*Nov 29 18:25:30.622: IP: s= (Serial0/1/0.21), d= (Serial0/1/0.21), len 140, rcvd 3, proto=47

6to4 Tunnels: AUTOMATICALLY established, allowing IPv6 connection through IPv4. They require SPECIAL ADDRESSING:
IPv6 of 2002 followed by TRANSLATED IPv4 address. So, we need these steps:

Step 1:
Translate IPv4 into IPv6 address. For example
10 1 1 1
0A 01 01 01

Step 2:
So using the 2002 which is the 6to4 marker, you get> 2002:A01:101::/128, so:
(config-if)#ipv6 add 2002:A01:101::/128

Step 3: 
Configure the TUNNEL MODE as IPV6IP 6to4:
(config-if)#tunnel mode ipv6ip 6to4

Step 4: 
Make sure that the Tunnel Interface is going UP/UP
*Nov 29 19:10:13.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up

ISATAP Tunnel: It's a IETF transition mechanism that allows IPv6 networks to connect over IPv4 Networks. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits in the interface identifier are constructed using the IPv4 tunnel source address. ISATAP also has it's own IPv6 Address Format, which is formed like this:
NETWORK PORTION: can be any IPv6 address
HOST PORTION: starts with 0000:5EFE, and the rest of host portion is TRANSLATED IPv4 of the TUNNEL SOURCE

Step 1: 
Define the Tunnel SOURCE address
(config-if)#tunnel source 10.44:44:44

Step 2: 
Sending of IPv6 router advertisements is disabled by default on tunnel interfaces. This command reenables the sending of IPv6 router advertisements to allow client autoconfiguration:
(config-if)# no ipv6 nd ra suppress

Step 3: ISATAP
The only difference from standard IPv6IP configuration is that the IPv6 address needs to be eui-64 generated, and that the MODE needs to be defined as ISATAP:
(config-if)#ipv6 address 46:1:46::/64 eui-64 <- EUI CONVERTS IPv4 TO IPv6 AUTOMATICALLY
(config-if)#tunnel mode ipv6ip isatap


The difference with OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100
it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id
*Dec  1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

(config-rtr)#no redistribute ospf 1  metric 1 1 1 1 1

To change the timers on the interface the command is a bit BACKWARDS, as in - "" ipv6 hello-interval eigrp..":
(config-if)#ipv6 hello-time eigrp 100 10 <-HELLO
(config-if)#ipv6 hold-time eigrp 100 40 <-DEAD

The command for checking the current timers is also unintuitive, cause you need to add "details" to the end:
#sh ipv6 eigrp interfaces detail  | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60, Hold-time is 180

!!!BE CAREFULL WITH FRAME RELAY, cause EIGRP has SPLIT HORIZON enabled by default on multipoint interfaces, so make sure if you need to disable it or not:
(config-subif)#no ipv6 split-horizon eigrp 100

Like in EIGRPv4, on EIGRPv6 EIGRP Patckets use UP TO 50% of the Links BW. To change that (to 25% in this example):
(config-subif)#ipv6 bandwidth-percent eigrp 100 25

Another similarity to EIGRPv4, you can use "summary-address" to inject the default route:
(config-if)#ipv6 summary-address eigrp 100 ::0/0
*Dec  1 12:32:28.571: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is resync: summary configured
*Dec  1 12:32:28.571: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::3 (Ethernet0/0) is resync: summary configured

EIGRPv6 Authentication: Also similar to EIGRPv4

Step 1: Define the Key Chain
(config)#key chain MAT
(config-keychain)#key 1
(config-keychain-key)#key-string Cisqueros

Step 2: Apply the key chain to the interface:
(config-if)#ipv6 authentication key-chain eigrp 100 MAT

Step 3: Turn ON the authentication on the interface, in this example MD5:
(config-if)#ipv6 authentication mode eigrp 100 md5

Some ADDITIONAL features:
Make sure the incoming prefixes are in less then 50 hops (TTL <= 50)
(config-rtr)#metric maximum-hops 50

"Tune" the Active Time (time before declaring a router STUCK IN ACTIVE - SIA)
(config-rtr)#timers active-time ?
  <1-65535>  active state time limit in minutes
  disabled   disable time limit for active state


If you control OSPFv2 (IPv4 OSPF) wou wont have any problems here. There are, however, a few differences in the configuration. First one - it's configured on the INTERFACE LEVEL, and the Area is also defined there, so there is no need to add the "network" commands within the Router configuration:
(config-if)#ipv6 ospf 1 area 0

!!!Dont forget to define the router-id, because if there are no IPv4 addresses on the router - it cannot pick one! So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later.

LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:

0x2001 Router LSA 1 Router LSA
0x2002 Network LSA 2 Network LSA
0x2003 Inter-area Prefix LSA 3 Network Summary LSA
0x2004 Inter-area Router LSA 4 ASBR Summary LSA
0x4005 AS-External LSA 5 AS-External LSA
0x2006 Group Membership LSA 6 Group Membership LSA
0x2007 Type-7 LSA 7 NSSA External LSA
0x0008 Link LSA
0x2009 Intra-area Prefix LSA

*If you want an area not to receive LSA4 and LSA5, configure it as stub:
(config-rtr)#area 12 stub <- ADDS A DEFAULT ROUTE TO ISOLATED ROUTER (the router that only has stub area)
Default Route added: OI  ::/0 [110/2] via FE80::2, FastEthernet0/0 <- INSTEAD OF ALL EXTERNAL ROUTES

If you want the router to maintain IO INTRA AREA routes only, configure it as NSSA "stub no-summary"

If you want not to propagate EXTERNAL routes- configure an area as NSSA (routes redistributed into NSSA area will appear marked with "ON2"). You can add "default-information-originate" to inject the default route into nssa area. Add "always" to this command if you want to inject the default route, and the local router doesnt have one.

To change the METRIC/COST you can do two things. Either change the DEFAULT COST under OSPF process:
(config-rtr)#auto-cost reference-bandwidth 10000

Or use the "ipv6 ospf cost" command under EACH INTERFACE.

Most Popular Posts