Term
|
Definition
Used to specify range ( i.e. [0-9] ) |
|
|
Term
|
Definition
Comma, open or close brace, open or close parentheses, start or end of string, or space |
|
|
Term
Locally originated routes |
|
Definition
|
|
Term
accept prefixes from [rtrX] that were originated by [AS501] or its directly connected ASes |
|
Definition
|
|
Term
|
Definition
001010 is AF XX and DSCP XX |
|
|
Term
PFR - Assign a Zone to an interface
|
|
Definition
int fa0/0
zone-member security zone |
|
|
Term
|
Definition
zone-pair security zonename source z1 destination z2 |
|
|
Term
zone-pair security zp source z1 destination z2
[command to apply policy p1] |
|
Definition
service-policy type inspect p1 |
|
|
Term
ZBF - Apply Zone to Interface
|
|
Definition
int fa0/0
zone-member security ... |
|
|
Term
|
Definition
class type inspect class-name
drop - Drops packets that are matched with the defined class
pass - Allows packets that are matched with the defined class.
police rate - Limits traffic matching within a firewall (inspect) policy.
inspect - Enables Cisco IOS stateful packet inspection.
|
|
|
Term
Lock and Key - Local Username |
|
Definition
username test password test
username test autocommand access-enable host timeout 10 |
|
|
Term
Lock and Key - Interface Access-list
|
|
Definition
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any host 10.1.1.1 eq telnet
!--- 15 (minutes) is the absolute timeout.
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 |
|
|
Term
|
Definition
int fa0/x
ip rip auth mode md5
ip rip auth key-chain keychain |
|
|
Term
|
Definition
ip auth mode eigrp 10 md5
ip auth key-chain eigrp 10 keychain |
|
|
Term
Reflexive ACLs - Apply to Interface |
|
Definition
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
ip access-group inboundfilters in
ip access-group outboundfilters out
ip access-list extended outboundfilters
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
ip access-list extended inboundfilters
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate tcptraffic |
|
|
Term
Reflexive ACLs - Global Options |
|
Definition
ip reflexive-list timeout 120 |
|
|
Term
IOS IPS -
First, we need a place for IPS configuration files to call home. IPS wants a folder. Let's make a directory on the router flash. Optionally, if other writable IOS file systems were present, we could use those as well. |
|
Definition
R6#mkdir ips
Create directory filename [ips]?
Created dir flash:/ips
R6# |
|
|
Term
IOS IPS uses a crypto key to verify the digital signature for the master signature file, which is signed using a private key. To verify the signature, we need a corresponding public key. This key is available as a text file on Cisco’s site. The file is called realm-cisco.pub.key.txt. To inject the public key into the router config, we would do the following: |
|
Definition
R6(config)#crypto key pubkey-chain rsa
R6(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R6(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
R6(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101... |
|
|
Term
Let’s check the ips folder we created on flash. It should still be empty. |
|
Definition
R6#cd ips
R6#dir
Directory of flash:/ips/
No files in directory
255967232 bytes total (187428864 bytes free)
R6#cd .. |
|
|
Term
Once we complete the IPS configuration, the router can monitor all traffic on the interface and direction we specify. If we want to limit the traffic that goes through the IPS processing, we can use an access-list to filter. Only traffic permitted in the ACL will be subjected to IPS analysis. Let’s create an ACL that matches only on traffic destined to 6.6.6.6, which is the loopback of R6. |
|
Definition
R6(config)#access-list 123 permit ip any host 6.6.6.6 |
|
|
Term
Next we will create an IPS rule named “IOS-IPS”, and associate the ACL (123) we just created. In a later step, we will apply the IPS rule to an interface. |
|
Definition
R6(config)#ip ips name IOS-IPS list 123 |
|
|
Term
IPS needs to know where to keep its signature definitions and configurations. It just so happens that we have a folder on flash we created earlier named “ips”. We will use that directory. |
|
Definition
R6(config)#ip ips config location flash:/ips |
|
|
Term
IOS IPS - The router can send alerts using Security Device Event Exchange (SDEE) and/or Syslog. We will configure both, and allow up to 2 simultaneous SDEE managers to set up requests for alerts, called subscriptions. To use SDEE, the HTTP server must be enabled on the router. Let's take care of these items next. |
|
Definition
R6(config)#ip ips notify sdee
R6(config)#ip sdee subscriptions 2
R6(config)#ip ips notify log
R6(config)#ip http server |
|
|
Term
IOS IPS - Before we apply the IPS rule to an interface, we are going to set up some safety. We will retire all the signatures, and then enable just the signatures in the “advanced” default set. If we un-retired the “all” category, it is possible that the router could run out of memory. (Your mileage may vary☺) As we exit out of the configuration, we are prompted to accept the changes. |
|
Definition
R6(config)#ip ips signature-category
R6(config-ips-category)#category all
R6(config-ips-category-action)#retired true
R6(config-ips-category-action)#exit
R6(config-ips-category)#
R6(config-ips-category)#category ios_ips advanced
R6(config-ips-category-action)#retired false
R6(config-ips-category-action)#end
Do you want to accept these changes? [confirm]
R6#
Applying Category configuration to signatures ...
R6# |
|
|
Term
Next we will apply the ips (name is IOS-IPS) rule we created to an interface. We also enable virtual-reassembly so that IPS can better analyze sessions and attacks that comprise multiple packets. |
|
Definition
R6(config)#interface FastEthernet0/0
R6(config-if)#ip ips IOS-IPS in
R6(config-if)#ip virtual-reassembly |
|
|
Term
EEM
event manager applet EEM-NAME
event cli pattern "tclsh" sync yes
action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
action 2.0 set _exit_status 0
What does the sync yes do? |
|
Definition
When you use the sync yes option in the event cli command, the EEM applet runs before the CLI command is executed. |
|
|
Term
EEM
event manager applet EEM-NAME
event cli pattern "tclsh" sync yes
action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
action 2.0 set _exit_status 0
What does the _exit_status 0 do?
|
|
Definition
The EEM applet should set the _exit_status variable to indicate whether the CLI command should be executed (_exit_status set to one) or not (_exit_status set to zero). |
|
|
Term
Make sure that it's not possible to use the “tclsh” feature on R9. Also make sure that when someone tries to use the “tclsh” feature, a syslog message is generated and sent to the logging server. The syslog message needs to be: "Attempted tclsh command by user at <actual time>". Make sure the date and time are added when the actual event occurs. |
|
Definition
event manager applet EEM-NAME
event cli pattern "tclsh" sync yes
action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
action 2.0 set _exit_status 0
|
|
|
Term
With the sync no option, the EEM applet is executed in |
|
Definition
background in parallel with the CLI command. |
|
|
Term
As the CLI command starts at the same time as the EEM applet, you cannot use the _exit_status variable anymore; you have to specify whether you want the CLI command to execute with the |
|
Definition
skip yes|no option of the event cli command. |
|
|
Term
EEM
Name it NoReload.
Ensure that when this command is entered, EEM kicks in in parallel but the command does not execute. A syslog msg with a priority of "errors" and a message about what you cannot do should appear |
|
Definition
event manager applet NoReload
event cli pattern "reload" sync no skip yes
action 1.0 syslog priority errors msg "Cannot reload this router"
|
|
|
Term
EEM
Name the applet EEM-NAME
When a user enters "tclsh", the router should execute EEM before the command takes place. A syslog message should say "Attempted to tclsh at " with the last word a variable that puts the time when the event occurred. The second action should prevent the command from being executed. |
|
Definition
event manager applet EEM-NAME
event cli pattern "tclsh" sync yes
action 1.0 syslog msg "Attempted to tclsh at $_event_pub_time"
action 2.0 set _exit_status 0 |
|
|
Term
If R7 receives the prefix 150.50.66.6/32 from OSPF and it is added to the routing table, R7 should fire a log message saying: “Evil prefix received”
After bootup R7 should wait 5 minutes before enabling the routing Event Detector.
|
|
Definition
event manager applet 63
event routing prot ospf netw 150.50.66.6/32 type add
action 1 syslog msg "Evil prefix received"
exit
event manager detector routing bootup-delay 300 |
|
|
Term
Loopback0 interface on R1 must always be up. Configure appropriate feature on R1 to monitor if
Loopback0 is disabled and reconfigure it if it happens.
first action "Re-Enabling Loopback0"
next actions - turn it back on |
|
Definition
event syslog occurs 1 pattern "Loopback0.*down"
action 1.0 syslog msg "Re-Enabling Loopback0"
action 1.1 cli command "enable"
action 1.2 cli command "configure terminal"
action 1.3 cli command "interface Loopback0"
action 1.4 cli command "no shutdown" |
|
|
Term
|
Definition
int fa0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
int dialer1
mtu 1492
encapsulation ppp
ip add negotiated
dialer pool 1 |
|
|
Term
|
Definition
bba-group pppoe global
virtual-template 1
int virtual-template 1
mtu 1492
encapsulation ppp
ip add 192.168.60.1 255.255.255.0
peer default ip address pool pool1
ip local pool pool1 192.168.60.6 192.168.60.6 |
|
|
Term
PPP Authentication
(plain text)
- Configure a maximum of 3 bad authentication retries
- configure Link control and IP control to predict peer responses
Your router hostname is R1 |
|
Definition
int s0/0/0
ip add 192.168.60.1 255.255.255.0
encapsulation ppp
ppp authentication pap
ppp pap sent-username R1 password ipexpert
ppp lcp predictive
ppp ipcp predictive
ppp max-bad-auth 3
no shut |
|
|
Term
PPP over Frame Relay
Username to use for chap authentication: T3ST123 |
|
Definition
username T3ST123 password ipexpert
int s0/0/0
encapsulation frame-relay
frame-relay interface-dlci 102 ppp virtual-template 1
int virtual-template 1
ip add 192.168.60.1 255.255.255.0
ppp authentication chap
ppp chap hostname T3ST123 |
|
|
Term
MPLS Password Configuration
-Configure the MPLS password for your neighbor. do not use "neighbor password" command. Ensure Both sides require authentication. Use a source of the loopback. |
|
Definition
ip cef
mpls label protocol ldp
mpls ldp password option 1 for 1 cisco
mpls ldp router-id lo0
mpls ldp password required
access-list 1 permit 7.7.7.7
int fa0/0
mpls ip |
|
|
Term
PPP authentication using PAP with same username (from remote host) configured locally. |
|
Definition
|
|
Term
[/32] (ppp: ip address negotiated)--[/24]
Using RIP authentication neighbor does not form.
To correct this... |
|
Definition
no validate-update-source |
|
|
Term
Make this acl as small as possible:
access-list 5 permit 172.20.33.2 0.0.0.0
access-list 5 permit 172.20.34.2 0.0.1.0
access-list 5 permit 172.20.36.2 0.0.3.0
access-list 5 permit 172.20.40.2 0.0.3.0
access-list 5 permit 172.20.44.2 0.0.1.0
access-list 5 permit 172.20.46.2 0.0.0.0 |
|
Definition
access-list 5 deny 172.20.32.0 0.0.0.255
access-list 5 deny 172.20.47.0 0.0.0.255
access-list 5 permit 172.20.32.0 0.0.15.255 |
|
|
Term
area 256 virtual-link 5.5.5.5 [authentication practice] |
|
Definition
|
|
Term
OSPF rfc1587
configure this area according to this RFC |
|
Definition
|
|
Term
configuring a router to OSPF with a switch
what should you ALWAYS DO!!?? |
|
Definition
int fa0/0
ip ospf mtu-ignore |
|
|
Term
OSPF Frame Relay Network
R1 - Serial s0/1/0
R2 Serial s0/1/0 (hub)
R3 - Serial s0/1/0.1 multipoint
What are the network types and priorities |
|
Definition
R1 - ip ospf network broadcast (pri 0)
R2 - ip ospf network broadcast (pri 255)
R3 - ip ospf network broadcast (pri 0) |
|
|
Term
set mtu on switch just for routing protocols |
|
Definition
|
|
Term
quick way for pinging
192.168.60.1
192.168.60.2
192.168.60.3
variable IP |
|
Definition
tclsh
foreach IP {
192.168.60.1
192.168.60.2
192.168.60.3
} { ping $IP } |
|
|
Term
When you configure an OSPF area to NSSA (ABR R2) then in another part of the network you configure EIGRP and redistribute that into the OSPF network, the NSSA area would NOT see the routes.
Why not?
What would you need to configure to fix this |
|
Definition
The routes would be type 5 LSA and not propagated in the area.
Configure ABR (R2) to: nssa no-summary |
|
|
Term
on two interfaces running EIGRP
int s0/0/0
int s0/1/0
how would you balance traffic across both links per packet? |
|
Definition
int s0/0/0
ip load-sharing per-packet
int s0/1/0
ip load-sharing per-packet |
|
|
Term
For Multicast
R2's loopback is the RP
what do you configure under the interface? |
|
Definition
|
|
Term
For Multicast
For A multicast network; a router R3 has the following config:
int lo1
ip igmp join-group 2.2.2.2
Do we configure pim on this interface? |
|
Definition
no; do not put "ip pim sparse-mode" |
|
|
Term
Multicast over a frame-relay hub and spoke configuration; what do you configure on the interface going to the frame cloud? |
|
Definition
ip pim nbma
This will help prevent failures and treat each connection to the spokes (for multicast) as point-to-point connections. |
|
|
Term
ipv6 link local
starts with
use ::2
ipv6 add ? |
|
Definition
ipv6 add fe80::2 link-local |
|
|
Term
with ospf and eigrp ipv6 under the routing process you should ALWAYS set: |
|
Definition
a router-id
ipv6 router eigrp 256
eigrp router-id 5.5.5.5 |
|
|
Term
QoS - Set the precedence to 5 under a class map |
|
Definition
class-map test
set precedence 5 |
|
|
Term
The “rotary” command, when applied to a “line vty” paragraph, sets that router’s telnet daemon listening on port
for port 3005 the config is: |
|
Definition
3000 + the rotary number
line vty 0 5
rotary 5 |
|
|
Term
ZBF - To police
class type inspect ftp
police rate 2000000 burst 250000
what must be put in the class first? |
|
Definition
inspect
class type inspect ftp
inspect
police rate 2000000 burst 250000 |
|
|
Term
ZBF - Even loopback interface should be on the inside network
int lo1
zone-member security inside |
|
Definition
int lo1
zone-member security inside |
|
|
Term
ZBF - p2p
there are how many? |
|
Definition
5
class-map type inspect match-any p2p
match protocol bittorrent
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2 |
|
|
Term
ZBF - Drop then log under a p2p class |
|
Definition
class type inspect p2p
drop log |
|
|
Term
Custom Queue 8.4 QoS Lab 1
Pri Queue
ZBF with http & local traffic example (see favorites)
RSVP
EIGRP FD/RD
ford (show command placement) |
|
Definition
|
|
Term
Configure a switchport where
"I want to be a trunk, but if you don't want to, then I won't"
ensure that if trunking is enabled, the trunking will be dot1q |
|
Definition
int fa0/0
switchport mode dynamic desirable
switchport trunk encapsulation dot1q |
|
|
Term
Configure a switchport where, "It's all up to you, I don't want to be a trunk but if you insist, I will" |
|
Definition
int fa0/0
switchport mode dynamic auto |
|
|
Term
On a switchport, how do you remove a VLAN from an existing list of allowed vlans? |
|
Definition
int fa0/0
switchport trunk allowed vlan remove x |
|
|
Term
On a switchport, how do you allow all vlans on a port but not vlans 3 and 4 |
|
Definition
int fa0/0
switchport trunk allowed vlan except 3,4 |
|
|
Term
Disable flow control on an ethernet interface |
|
Definition
int fa0/0
flowcontrol receive off |
|
|
Term
After reviewing a CCIE lab you see that EXTENDED VLANs will be used throughout. Which VTP mode MUST you use? |
|
Definition
|
|
Term
What's the default VTP version of a switch |
|
Definition
|
|
Term
You're using MST - 'optimize' BPDU transmission in the network. There are never going to be any additional switches added to any interfaces. There are 4 switches (1 is root) |
|
Definition
spanning-tree mst 0 root primary diameter 3 |
|
|
Term
ensure all devices can communicate immediately when their interfaces are enabled (even in trunk mode) |
|
Definition
int fa0/0
spanning-tree portfast trunk |
|
|
Term
practice this:
configure spanning-tree that uses less CPU
all VLANs should be mapped to the default
set the revision to be 1 |
|
Definition
spanning-tree mode mst
spanning-tree mst configuration
instance 0 vlan 1-4094
revision 1
|
|
|
Term
on a multilink with an mu69 interface with two s0/0/0 / s0/0/1 interfaces part of the bundle.
Where do you apply the configuration to not automatically create a /32 route for the neighbor |
|
Definition
int mu69
no peer neighbor-route |
|
|
Term
you have a point-to-point PPP interface s0/0/0 and you want to ensure that a /32 route for your neighbor does not appear. where and what do you configure? |
|
Definition
int s0/0/0
no peer neighbor-route |
|
|
Term
If you have an area 1332 and a virtual link between that area (R1 > R2) and you need to make the area a stub, how do you do it?
|
|
Definition
-you can't, virtual-links can't traverse stub areas |
|
|
Term
Your requirements: all redistributed routes should have a tag of 1
router ospf 1
redistribute static subnets tag 1
You now need to create a summary route for those redistributed /24's. The summary would be a /23
10.5.5.0/24, 10.5.6.0/24. How would you do it? |
|
Definition
router ospf 1
summary-address 10.5.5.0 255.255.254.0 tag 1 |
|
|
Term
You advertised a summary address via EIGRP, how do you prevent the null0 from appearing in the routing table?
it's a switch. Your interface is vlan 1122. That's the same as your routing protocol |
|
Definition
int vlan 1122
ip summary-address eigrp 1122 10.0.0.0 255.255.255.0 255
- where 255 is the AD |
|
|
Term
router rip
network 166.6.0.0
redistribute connected route-map loopback
route-map loopback permit 10
match interface lo0
set tag 77
int lo0
ip add 166.6.6.6 255.255.255.255
would you/your neighbors see the tag? |
|
Definition
Nope! - they are covered by network statement |
|
|
Term
whenever doing mutual redistribution in more than one place - that means you're opening up the possibility of a ____. what do you need to do? |
|
Definition
opens a possibility of routing loops
we need to tag and filter |
|
|
Term
|
Definition
router bgp 1220
bgp router-id 166.2.2.2
template peer-session AS1220-session
remote-as 1220
update-source lo0
password ipexpert
template peer-policy AS1220-policy
route-reflector-client
next-hop-self
neighbor 166.1.1.1 inherit peer-session AS1220-session
neighbor 166.1.1.1 inherit peer-policy AS1220-policy
neighbor 166.12.21.21 inherit peer-session AS1220-session
neighbor 166.12.21.21 inherit peer-policy AS1220-policy
neighbor 166.12.21.21 password ipexpert? |
|
|
Term
when they say peer using minimal configuration on all routers
if it's one neighbor - don't use peer groups
more than one - use peer-groups (but not always) |
|
Definition
|
|
Term
Prevent BGP transit using community |
|
Definition
route-map no-transit permit 10
set community no-export |
|
|
Term
224.0.0.0/4
what's the wild card |
|
Definition
permit 224.0.0.0 15.255.255.255 |
|
|
Term
configure this router's loopback 0 interface as a BSR RP |
|
Definition
ip pim bsr-candidate lo0 ( me first)
ip pim rp-candidate lo0 (To be a PIMv2 RP candidate) |
|
|
Term
(To be a PIMv2 RP candidate) |
|
Definition
ip pim rp-candidate To be a PIMv2 RP candidate |
|
|
Term
R7(config-pmap-c)#int fa0/0.789
R7(config-subif)#service-policy output allocate-SMTP
CBWFQ : Not supported on subinterfaces
what do we do? |
|
Definition
int fa0/0
service-policy output allocate-SMTP |
|
|
Term
set your ntp server to be 166.21.21.21 |
|
Definition
ntp server 166.21.21.21 prefer |
|
|
Term
configure router 1 on interface fa0/0 to learn its time using the multicast address 224.21.21.21 |
|
Definition
ip multicast-routing
int fa0/0
ntp multicast client 224.21.21.21
ip pim sparse-dense-mode |
|
|
Term
Jul 23 01:27:36.487: OSPF: Rcv pkt from 223.5.6.6, Serial0/1/0, area 0.0.0.0
mismatch area 0.0.2.57 in the header
but no virtual links created? |
|
Definition
All routers have frame-relay connected between them and getting the error from an unused pvc! |
|
|
Term
.9 [ r9 ] ---s0/2/0--- [ r6] .6 (223.9.6.0/27)
.9 [ r9 ] ---s0/2/1--- [ r6] .6 (223.6.9.0/27)
We need to configure back-to-back frame-relay!
This would allow each (chosen dlci) to be in its own VRF/etc!
Less commands on R9!
|
|
Definition
R6 (switch/server)
frame-relay switching
default int s0/2/0
default int s0/2/1
int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce
no shut
int s0/2/0.609 point-to-point
ip add 223.9.6.6 255.255.255.224
frame-relay interface-dlci 609
int s0/2/1
encapsulation frame-relay
frame-relay intf-type dce
no shut
int s0/2/1.906 point-to-point
ip add 223.6.9.6 255.255.255.224
frame-relay interface-dlci 906
r9
default int s0/2/0
default int s0/2/1
int s0/2/0
encapsulation frame-relay
no shut
int s0/2/1
encapsulation frame-relay
no shut
int s0/2/0.609 point-to-point
ip add 223.9.6.9 255.255.255.224
frame-relay interface-dlci 609
int s0/2/1.906 point-to-point
ip add 223.6.9.9 255.255.255.224
frame-relay interface-dlci 906
|
|
|
Term
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
These are the default metric weights. What are the values K1 and K3? |
|
Definition
K1 = Bandwidth = 1
K2 = load = 0
K3 = Delay = 1
K4 = Reliability = 0
K5 = MTU = 0 |
|
|
Term
make sure eigrp takes bandwidth, delay , reliability, load into account when calculating metric |
|
Definition
Cisco.com > metric weights tos k1 k2 k3 k4 k5
answer: metric weights 0 1 1 1 1 1 |
|
|
Term
bgp -
using confederations
you are asked to prepend your local loopback. You are in sub-as 6. Your loopback is 215.0.0.6. Your prepend is supposed to be 66. What will your bgp confederation configuration look like? Your real as is 55 and your neighbor sub-as is 4678. |
|
Definition
router bgp 55
bgp bestpath med missing-as-worst
bgp confederation identifier 66 4678
bgp confederation peers 478
bgp router-id 215.0.0.6 |
|
|
Term
r6 should not accept peering sessions from as478 if hold-time is configured to a value lower than 30 seconds.
your neighbor is 215.0.0.4
Do you configure this on r6 only or on r6 and its neighbor? |
|
Definition
neighbor 215.0.0.4 timers 60 180 30
r6 only! |
|
|
Term
bgp - with confederation sub-as eBGP peering should you set the next-hop-self? |
|
Definition
|
|
Term
bgp - on your router loopback 0 (215.1.1.1/32) needs to be advertised using bgp.
Also you need to pre-pend as 77 to it.
How would you do it? |
|
Definition
router bgp as
network 215.1.1.1 mask 255.255.255.255
neighbor 1.1.1.1 route-map my-as out
ip prefix-list loopback0 permit 215.1.1.1/32
route-map my-as permit 10
match ip address prefix-list loopback0
set as-path prepend 77
route-map my-as permit 20 |
|
|
Term
bgp - always watch out for what when peering? |
|
Definition
neighbor [n] next-hop-self |
|
|
Term
configuration to join the group 239.0.0.4 on loopback0 |
|
Definition
int lo0
ip pim sparse-mode
ip igmp join-group 239.0.0.4 |
|
|
Term
R7(config)#ip pim bsr-candidate lo0 ?
<0-32> Hash Mask length for RP selection
<cr> |
|
Definition
ip pim bsr-candidate lo0 0 255 |
|
|
Term
R7(config)#ip pim bsr-candidate lo0 0 ?
<0-255> Priority value for candidate bootstrap router
<cr>
Default bootstrap priority? |
|
Definition
|
|
Term
Do not initiate BGP sessions to BB1 but wait for BB1 (215.0.0.21) to initiate it. Your as is 478. |
|
Definition
router bgp 478
neighbor 215.0.0.21 transport connection-mode passive |
|
|
Term
Filter pim neighbors to specific ip. What is the command?
access-list 1 permit host 1.1.1.1 |
|
Definition
int fa0/1.821
ip pim neighbor-filter 1 |
|
|
Term
Re: Police vs police cir vs police rate |
|
Definition
1st option
police 96 (Kbps, i.e.)
This means Single Rate Two Color (One Bucket)
in this option you define only
conform action = (mostly transmit)
exceed action = (mostly drop)
2nd Option
police cir 96 (kbps, i.e.) bc xxxx be xxxx
This is called Single Rate Three Color Policer (Two Buckets)
in this option you define
police cir xxx bc xxx be
conform action, exceed action, violate action
3rd Option
Two Rate Three Color Policer (Two Buckets)
in this you define CIR and PIR
police rate (cir) xxxx (pir) xxxx and then conform action, exceed action, violate action |
|
|
Term
You're on a switch:
you issue the command -
interface FastEthernet0/7
mls qos trust dscp
Is QoS enabled on this switch globally? |
|
Definition
Cat2#sh mls qos
QoS is disabled
QoS ip packet dscp rewrite is enabled |
|
|
Term
configure netflow export on r2 [215.12.34.28].
export version 5 packets using fully reliable method and port 3434. if the primary server is not reachable in 3 seconds, use [215.12.34.27] as destination. When the primary server comes back into operation, wait 30 seconds before switching back to it. |
|
Definition
ip flow-export version 5
ip flow-export source lo0
ip flow-export destination 215.12.34.28 3434 sctp
reliability full
backup mode fail-over
backup destination 215.12.34.27 3434
backup fail-over 3000
backup restore-time 30
int s0/1/0.204
ip flow ingress
int s0/1/0.206
ip flow ingress |
|
|
Term
RIP TO EIGRP
MTU: 1500
Reliability: Maximum
load: minimum
delay: 10 milliseconds
bandwidth: 100 mb/s
what's the default metric? |
|
Definition
default-metric 100000 1000 255 1 1500 |
|
|
Term
Eigrp 10 milliseconds is expressed as?
|
|
Definition
|
|
Term
If you have a "frame-relay MESH"
the interfaces should be either what or what?
also should have the appropriate?
as well as have what disabled? |
|
Definition
multipoint sub interfaces or main interfaces
appropriate map statements
inverse arp disabled |
|
|
Term
using a class-map; this PVC has 48 Kb/s CIR guarantee, with CIR peak to 64 Kb/s. |
|
Definition
map-class frame-relay FR-QoS
frame-relay cir 64000
frame-relay mincir 48000 |
|
|
Term
Practice conversion from milliseconds/microseconds bits/bits/mbits etc. |
|
Definition
|
|
Term
when you see:
router ospf 1
distance ospf intra-area 255 external 109
how would you remove this line of command? |
|
Definition
router ospf 1
default distance ospf |
|
|
Term
neighbor 86.87.232.23 local-as 2 no-prepend replace-as dual-as
What does each bold item do? |
|
Definition
no-prepend Do not prepend local-as to updates from ebgp peers
replace-as Replace real AS with local AS in the EBGP updates
dual-as Accept either real AS or local AS from the ebgp peer |
|
|
Term
show ip bgp 86.87.0.0 255.255.255.0 longer-prefixes
shows what? |
|
Definition
all BGP routes in the bgp table that start with 86.87.0.
-- GENIUS |
|
|
Term
Configure a kron policy named Save
this should reoccur every 3 minutes
the config should be saved
the router should be reloaded |
|
Definition
kron occurrence Save in 3 recurring
policy-list Save
kron policy-list Save
cli write memory
cli reload running-config |
|
|
Term
spanning-tree mode mst
spanning-tree mst configuration
>
>
What's missing? |
|
Definition
spanning-tree mode mst
spanning-tree mst configuration
name IPexpert
revision 1 |
|
|
Term
Rate Limit
2000 Kb/s
rate-limit output 2000000 a b
a = <1000-512000000> Normal burst bytes
b = <2000-1024000000> Maximum burst bytes
What is the result of a and b? What is the formula? |
|
Definition
rate-limit output 2000000 375000 750000
Normal burst bytes: CAR x (1/8) x 1.5
Maximum burst bytes: double the above value |
|
|
Term
Rate Limit
you have a router r8
[fa0/0]--attached to interface dialer1
Where do you place the rate-limit command? |
|
Definition
|
|
Term
EIGRP -
r7 should perform equal-cost load-sharing traffic to lo0 of r4
How do we solve this? |
|
Definition
equal-cost!!!! Means we DO NOT use variance |
|
|
Term
Multicast IPv4 - If you specify the multicast IPv4 address family, you can configure the router to exchange routes to |
|
Definition
multicast sources (as opposed to routes to unicast destinations). |
|
|
Term
conf t
policy-map type inspect z1-z2-pmap
class type inspect service-cmap
inspect|drop|allow
You have configured the following. Now you would like to apply an audit trail for logging. Where would you configure this? |
|
Definition
conf t
policy-map type inspect z1-z2-pmap
class type inspect service-cmap
inspect|drop|allow [service-parameter-map] (or log)
stg(config)#parameter-map type inspect z1-z2-pmap
stg(config-profile)#?
parameter-map commands:
alert Turn on/off alert
audit-trail Turn on/off audit trail
dns-timeout Specify timeout for DNS
exit Exit from parameter-map
icmp Config timeout values for icmp
max-incomplete Specify maximum number of incomplete connections before clamping
no Negate or set default values of a command
one-minute Specify one-minute-sample watermarks for clamping
sessions Maximum number of inspect sessions
tcp Config timeout values for tcp connections
udp Config timeout values for udp flows |
|
|
Term
BGP - changing the next-hop ip address of routes received via BGP using a "neighbor 1.1.1.1" statement?
How would you do that? |
|
Definition
neighbor 1.1.1.1 route-map changenexthop in
route-map changenexthop permit 10
set ip next-hop peer-address |
|
|
Term
BGP - Need TEMPLATE ON HERE |
|
Definition
|
|
Term
create a frame-relay map class for the speed of 512Kb/s |
|
Definition
map-class frame-relay hub-to-spoke
frame-relay cir 512000
frame-relay mincir 512000 |
|
|
Term
CATX - You want to track the interfaces going to your upstream switches. If those go down, you want to bring down your connections to switchports.
this command starts with
|
|
Definition
link state track 1
----
int range fa0/6 - 7
link state group 1 downstream
int range fa0/12 - 13
link state group 1 downstream
!upstream
int po32
link state group 1 upstream
int po42
link state group 1 upstream |
|
|
Term
R9(config-router)#redistribute connected metric 1 ?
<0-4294967295> EIGRP delay metric, in 10 microsecond units
you need to redistribute with a delay of 1 second |
|
Definition
|
|
Term
redistribute anything into eigrp
What is the metric you should be good at typing fast?? |
|
Definition
metric 10000 100 255 1 1500 |
|
|
Term
BGP - With Confederation. Which location is the REAL AS?
router bgp X
or router bgp X
bgp confederation identifier X
?? |
|
Definition
bgp confederation identifier!!!! |
|
|
Term
BGP - Regex
sh ip bgp regex _____
I want to look for just routes originated in confederation 22
* 193.44.0.7/32 193.44.0.22 0 100 0 (22) 17 i
* 193.44.0.8/32 193.44.0.22 0 100 0 (22) 17 218 i
* 193.44.0.21/32 193.44.0.22 0 100 0 (22) 17 218 ?
r> 193.44.0.22/32 193.44.0.22 0 100 0 (22) ? |
|
Definition
sh ip bgp regexp ^_\(22\)$
*> 21.21.10.0/24 193.44.0.22 0 100 0 (22) ?
*> 21.21.11.0/24 193.44.0.22 0 100 0 (22) ?
*> 21.21.12.0/24 193.44.0.22 0 100 0 (22) ? |
|
|
Term
BGP - for an aggregate-address
21.21.0.0 255.255.0.0 attribute-map Aggr
21.21.0.0 255.255.0.0 route-map Aggr
route-map Aggr
set community 52:2
Which would NOT work? |
|
Definition
None fool. They both would. |
|
|
Term
you want to tell your neighbor to allow your AS to be shown in a route's AS path.
your neighbor is 193.44.124.4.
What is the command? |
|
Definition
neighbor 193.44.124.4 allowas-in 1 |
|
|
Term
Here are good ones:
.* Matches anything
.+ Match at least one character
^$ Match routes local to this AS
_1800$ Originated by 1800
^1800_ Received from 1800
_1800_ Via 1800
_790_1800_ Passing through 1800 then 790
_(1800_)+ Match at least one of 1800 in sequence
_\(65350\)_ Via 65350 (confederation AS)
^[0-9]+$ Match AS_PATH length of one
^[0-9]+_[0-9]+$ Match AS_PATH length of two
^[0-9]*_[0-9]+$ Match AS_PATH length of one or two
^[0-9]*_[0-9]*$ Match AS_PATH length of one or two, and will also match zero
^[0-9]+_[0-9]+_[0-9]+$ Match AS_PATH length of three
_(701|1800)_ Match anything which has gone through AS701 or AS1800
_1849(_.+._)12163$ Match anything of origin AS12163 and passed through AS1849 |
|
Definition
|
|
Term
|
Definition
oer master
mode route metric bgp local-pref 500
active-probe echo 193.44.0.21
active-probe echo 193.44.0.22
active-probe echo 193.44.0.23
ip prefix-list OER permit 193.44.0.21/32
ip prefix-list OER permit 193.44.0.22/32
ip prefix-list OER permit 193.44.0.23/32
oer-map AS469-OER
match traffic-class prefix-list OER
set mode route control
set delay threshold 8
set mode select-exit best
set mode monitor active |
|
|
Term
If you have a serial cloud point-to-multipoint R2-R4 and R2-R5 and R2 was configured with:
int s0/1/0
ipv6 ospf 1 area 0
ipv6 ospf network broadcast
ipv6 ospf priority 255
ipv6 ospf 1 area 0
Would the R4 and R5 adjacencies come up? They use s0/X/0 interfaces (no subinterfaces). |
|
Definition
NO! You MUST put:
ipv6 ospf network broadcast
on both sides! |
|
|
Term
ospf distance command uses which IP address in bold?
router ospf 1
distance 19 56.56.56.5 0.0.0.0 2
access-list 2 permit 56.56.56.5 0.0.0.0 |
|
Definition
ospf neighbor router-id -- NOT NEXT HOP IP ADDRESS!!!! |
|
|
Term
[r8:fa0/0]------[bb1:78.1.1.1]
you want to exchange mpls labels with bb1. bb1 does not support link-level label exchange.
What two commands do you need? One goes on the interface towards bb1 and the other in router bgp configuration mode. |
|
Definition
int fa0/0
mpls bgp forwarding
router bgp 1
neighbor 78.1.1.1 send-label
R8#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or VC or Tunnel Id Switched interface
16 No Label 78.78.78.7/32 0 Se0/0/0 point2point
17 Pop Label 78.1.1.1/32 0 Fa0/1 78.1.1.1
R8#sh mpls interface
Interface IP Tunnel BGP Static Operational
FastEthernet0/1 No No Yes No Yes
R8#sh ip bgp label
Network Next Hop In label/Out label
1.1.1.1/32 78.1.1.1 nolabel/imp-null
24.24.24.2/32 78.1.1.1 nolabel/17
78.78.78.7/32 78.78.78.7 16(from LDP)/nolabel
78.78.78.8/32 0.0.0.0 imp-null(from LDP)/nolabel
|
|
|
Term
ip dhcp excluded-address 10.8.45.4
!
ip dhcp pool R8
host 10.8.45.8 255.255.255.0
client-identifier 001b.d50f.f3e9
!
ip dhcp pool OTHERS
network 10.8.45.0 255.255.255.0
int fa0/1.48
no ip address 10.8.45.4 255.255.255.0
pppoe enable group global
bba-group pppoe global
virtual-template 1
int virtual-template1
ip address 10.8.45.4 255.255.255.0
encapsulation ppp
peer default ip address dhcp-pool R8
ppp ipcp mask 255.255.255.0 |
|
Definition
int fa0/1
no ip address
pppoe-client dial-pool-number 1
int dialer 1
encapsulation ppp
ip address dhcp client-id FastEthernet0/1
mtu 1492
dialer pool 1
ppp ipcp mask request |
|
|
Term
EIGRP - Metric Weights
Default: BLDRM
Default K: 1 0 1 0 0
If you are going to enable Reliability; what would the K values be?
router eigrp
metric weights 0 _ _ _ _ _ |
|
Definition
metric weights 0 1 0 1 1 1
Why?? the last "1" - MTU must be on for the formula to calculate Reliability! |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
Match at least one character |
|
|
Term
|
Definition
Match routes local to this AS |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
Passing through 1800 then 790 |
|
Definition
|
|
Term
Match at least one of 1800 in sequence |
|
Definition
|
|
Term
Via 65350 (confederation AS) |
|
Definition
|
|
Term
Match AS_PATH length of one |
|
Definition
|
|
Term
Match AS_PATH length of two |
|
Definition
|
|
Term
Match AS_PATH length of one or two |
|
Definition
|
|
Term
Match AS_PATH length of one or two, and will also match zero |
|
Definition
|
|
Term
Match AS_PATH length of three |
|
Definition
|
|
Term
Match anything which has gone through AS701 or AS1800 |
|
Definition
|
|
Term
Match anything of origin AS12163 and passed through AS1849 |
|
Definition
|
|
Term
Switch Fallback bridging looks like..?
you have two vlan's vlan1111 and vlan2222
Then..how do you verify? |
|
Definition
bridge 1 protocol vlan-bridge
interface Vlan2222
bridge-group 1
interface Vlan1111
bridge-group 1
Cat1#sh bridge group
Bridge Group 1 is running the VLAN Bridge compatible Spanning Tree protocol
Port 32 (Vlan1111) of bridge group 1 is listening
Port 31 (Vlan2222) of bridge group 1 is listening |
|
|
Term
Research this...
R1(config)#bridge ?
<1-255> Bridge Group number for Bridging.
cmf Constrained multicast flooding
crb Concurrent routing and bridging
irb Integrated routing and bridging
and...
R1(config)#bridge 1 protocol vlan-bridge ?
<cr>
|
|
Definition
|
|
Term
FEC
FED
FEE
FEF
are all site-local addresses.
An example:
int fa0/0
ipv6 add ? |
|
Definition
int fa0/0
ipv6 add fec0:0:0:XXXX::5/64
where XXXX is the subnet |
|
|
Term
fe80::5
what kind of ipv6 address? |
|
Definition
link local
ipv6 add fe80::5 link-local |
|
|
Term
FRF.16 is also known as what?
what does it look like? |
|
Definition
Multilink Frame-Relay
int mfr1
no keepalive
int mfr1.1 point-to-point
frame-relay interface-dlci 609
ip address 200.110.69.9 255.255.255.0
int s0/2/0
bandwidth 768
encapsulation frame-relay mfr1
no arp frame-relay
no shut
int s0/2/1
bandwidth 768
encapsulation frame-relay mfr1
no arp frame-relay
no shut |
|
|
Term
What does MLPPPoFR look like?
It does require frame-relay ____? |
|
Definition
username R2 password ipexpert
map-class frame-relay 128K
frame-relay cir 128000
frame-relay bc 16000
no frame-relay adaptive-shaping becn
int s0/1/0
encapsulation frame-relay
no frame-relay inverse-arp
no shut
frame-relay traffic-shaping
frame-relay class 128K
frame-relay interface-dlci 602 ppp virtual-Template 1
frame-relay interface-dlci 612 ppp virtual-Template 1
frame-relay interface-dlci 622 ppp virtual-Template 1
int virtual-template 1
bandwidth 128
ppp multilink
ppp multilink links minimum 3 mandatory
ppp authentication chap
ip address 200.110.245.6 255.255.255.0
Answer: Frame Relay Traffic Shaping |
|
|
Term
MPLS - How do you secure LDP and TDP? |
|
Definition
mpls ldp neighbor x.x.x.x password ipexpert
for TDP - it's not possible to do authentication |
|
|
Term
This isn't coming up. What's missing?
interface Serial0/2/0
encapsulation ppp
ppp multilink
interface Serial0/2/1
encapsulation ppp
ppp multilink
interface Virtual-Template69
ip address 70.18.69.9 255.255.255.240
ppp multilink
ppp multilink links minimum 2 mandatory |
|
Definition
multilink virtual-template 69 |
|
|
Term
In an NSSA OSPF area:
router ospf 1
area 12 nssa default-information-originate no-summary
How would you prevent this area from receiving a default route? |
|
Definition
router ospf 1
no area 12 nssa default-information-originate no-summary
It will automatically be:
router ospf 1
area 12 nssa
Both "default-information-originate" and "no-summary" will generate a default route! |
|
|
Term
OSPF Type 0 authentication
> No Authentication |
|
Definition
|
|
Term
OSPF Type 1 authentication
> Plain text authentication |
|
Definition
|
|
Term
OSPF Type 2 authentication
> MD5 hash |
|
Definition
|
|
Term
If a router that has s0/0/0 in rip passive mode, would it send updates and/or receive updates? |
|
Definition
In passive mode, the interface would only listen to RIP updates, but it DOES NOT send any updates! |
|
|
Term
BGP (as1)
On an inbound route-map from a neighbor 1.1.1.1
you want to remove the following community "no-advertise" but leave the others.
How would you do this? |
|
Definition
ip community-list standard no-community permit no-advertise
route-map no-community
set comm-list no-community delete
router bgp 1
neighbor 1.1.1.1 route-map no-community in |
|
|
Term
BGP - if you want to activate and send vpnv4 information between bgp neighbors.
Do you need to activate the address family ipv4?
router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.9 remote-as 69
neighbor 187.42.0.9 password ipexpert
neighbor 187.42.0.9 update-source Loopback0
!
address-family ipv4
neighbor 187.42.0.9 activate
exit-address-family
!
address-family vpnv4
neighbor 187.42.0.9 activate
neighbor 187.42.0.9 send-community extended
exit-address-family |
|
Definition
No!
router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.9 remote-as 69
neighbor 187.42.0.9 password ipexpert
neighbor 187.42.0.9 update-source Loopback0
!
address-family vpnv4
neighbor 187.42.0.9 activate
neighbor 187.42.0.9 send-community extended
exit-address-family |
|
|
Term
BGP - What show command to see vpnv4 bgp neighbor status? |
|
Definition
sh ip bgp vpnv4 all summary |
|
|
Term
If you have two neighbors with the following:
R1
router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.6 remote-as 69
neighbor 187.42.0.6 transport connection-mode passive
R2
router bgp 69
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 187.42.0.6 remote-as 69
neighbor 187.42.0.6 transport connection-mode passive
What do you need to do to bring up the session during the troubleshooting lab? |
|
Definition
R1
router bgp 69
neighbor 187.42.0.6 transport connection-mode active
Don't delete the "transport connection-mode" on the routers! |
|
|
Term
What does this command do?
int mfr1
no keepalive |
|
Definition
It turns off LMI in a back-to-back frame-relay configuration |
|
|
Term
Configure frame-relay back-to-back. Do NOT use sub interfaces
You have one end point; use dlci 609!
Your IP: 163.144.69.6 (R6)
You have two interfaces between router R9 and R6:
int s0/2/0
int s0/2/1 |
|
Definition
int mfr1
no keepalive
no frame-relay inverse-arp
ip add 163.144.69.6 255.255.255.0
frame-relay map ip 163.144.69.6 609 broadcast
frame-relay map ip 163.144.69.9 609 broadcast
no shut
int s0/2/0
encapsulation frame-relay mfr 1
no shut
int s0/2/1
encapsulation frame-relay mfr 1
no shut |
|
|
Term
When it says area 12 should not allow Type 7 LSAs:
What type of configuration under router ospf 1 would you put? |
|
Definition
None.
Type 7 LSA is a: nssa |
|
|
Term
router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1
What will the 0.0.0.0/0 route look like?
O IA 163.144.245.0/24 [110/65] via 163.144.57.5, 00:00:02, FastEthernet0/0
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0
or
O*IA 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0 |
|
Definition
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0 |
|
|
Term
router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1 no-summary
What will the 0.0.0.0/0 route look like?
O IA 163.144.245.0/24 [110/65] via 163.144.57.5, 00:00:02, FastEthernet0/0
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0
or
O*IA 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0 |
|
Definition
O*IA 0.0.0.0/0 [110/2] via 163.144.57.5, 00:00:02, FastEthernet0/0 |
|
|
Term
router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1 no-summary
In 12.4T IOS, what takes precedence: no-summary or default-information-originate? |
|
Definition
no-summary ; can't use both of them! |
|
|
Term
You are an OSPF border router, R5. You're connected to area 0 and area 57. You have the following command:
router ospf 1
area 57 nssa default-information-originate
Your OSPF neighbor has the following routes:
O IA 163.144.115.0/24 [110/2] via 163.144.57.5
O IA 163.144.245.0/24 [110/65] via 163.144.57.5
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5, 00:11:43
How would you prevent the IA routes (area 0) from entering this area 57? |
|
Definition
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
router ospf 1
router-id 163.144.0.5
log-adjacency-changes
area 57 filter-list prefix DEFAULT in
R5(config-router)#area 57 ?
authentication Enable authentication
default-cost Set the summary default-cost of a NSSA/stub area
filter-list Filter networks between OSPF areas |
|
|
Term
router ospf 1
area 28 filter-list prefix DEFAULT in
What does the "in" stand for? |
|
Definition
R5(config-router)#area 28 filter-list prefix DEFAULT ?
in Filter networks sent to this area
out Filter networks sent from this area |
|
|
Term
You have this:
R5(config-router)#
router ospf 1
redistribute static subnets
area 57 nssa default-information-originate metric-type 1
=remote router=
R7#sh ip route ospf
163.144.0.0/16 is variably subnetted, 3 subnets, 2 masks
O N2 163.144.0.11/32 [110/20] via 163.144.57.5
O*N1 0.0.0.0/0 [110/2] via 163.144.57.5
How do you prevent the external route (N2)? You cannot add another command line under the R5 routing process. |
|
Definition
router ospf 1
area 57 nssa no-redistribution default-information-originate metric-type 1
You add the "no-redistribution" command! |
|
|
Term
Under OSPF you configured the following:
router ospf 1
router-id 163.144.0.1
summary-address 163.144.40.0 255.255.248.0
redistribute eigrp 121 subnets
R1#sh ip route ospf
55.0.0.0/22 is subnetted, 1 subnets
O E2 55.6.32.0 [110/20] via 163.144.15.5
O IA 163.144.57.0/24 [110/2] via 163.144.15.5
O 163.144.40.0/21 is a summary, 00:01:36, Null0
You are NOT allowed to have any auto-generated routes! How do you resolve this? |
|
Definition
router ospf 1
router-id 163.144.0.1
summary-address 163.144.40.0 255.255.248.0
no discard-route external
R1(config-router)#discard-route ?
external Discard route for redistributed summarised routes
internal Discard route for summarised internal routes |
|
|
Term
You have the following configured:
router ospf 1
router-id 163.144.0.1
redistribute eigrp 121 subnets
Learned from EIGRP are the following subnets:
D EX 163.144.43.0/24 [170/284160] via 163.144.131.13
[170/284160] via 163.144.121.12
D EX 163.144.42.0/24 [170/284160] via 163.144.131.13
[170/284160] via 163.144.121.12
How do you summarize the following networks when redistributing into OSPF? |
|
Definition
router ospf 1
summary-address 163.144.40.0 255.255.248.0 |
|
|
Term
You want to configure a routing protocol on Cat1. The protocol is EIGRP. What do you need to enable first? |
|
Definition
ip routing
ip cef distributed |
|
|
Term
When configuring RIP, what should it start out with: |
|
Definition
router rip
no auto-summary
version 2
passive-interface default
no passive-interface if/if |
|
|
Term
When configuring EIGRP, what should it start out with: |
|
Definition
router eigrp x
eigrp router-id 1.1.1.1
no auto-summary |
|
|
Term
Review these:
R5(config-router)#area 57 ?
authentication Enable authentication
default-cost Set the summary default-cost of a NSSA/stub area
filter-list Filter networks between OSPF areas
nssa Specify a NSSA area
range Summarize routes matching address/mask (border routers only)
sham-link Define a sham link and its parameters
stub Specify a stub area
virtual-link Define a virtual link and its parameters |
|
Definition
|
|
Term
Quick notepad method for BGP templates:
router bgp 1
?
? |
|
Definition
router bgp 1
template peer-session
template peer-policy |
|
|
Term
router bgp 1
template peer-policy AS1245-policy
What goes under here? |
|
Definition
router bgp 1
template peer-policy AS1245-policy
route-reflector-client
send-community
next-hop-self
route-map
filter-list
distribute-list |
|
|
Term
router bgp 1
template peer-policy AS1245-session
What goes under here? |
|
Definition
router bgp 1
template peer-policy AS1245-session
remote-as 1245
update-source lo0
ebgp-multihop
password |
|
|
Term
R4#sh ip bgp
BGP table version is 13, local router ID is 163.144.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Path
*> 181.11.56.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.57.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.58.0/24 163.144.46.6 69 23 4000 e
*> 181.11.59.0/24 163.144.46.6 69 23 4000 e
*>i211.21.20.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
*>i211.21.21.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
*>i211.21.22.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
*>i211.21.23.0 163.144.0.2 22 200 2000 e
* i 163.144.215.21 21 2000 e
What's wrong with the above routes? |
|
Definition
The paths without ">" have a shorter AS path than the ones marked best with ">".
After adding next hop self:
Network Next Hop Path
*> 181.11.56.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.57.0/24 163.144.46.6 69 23 53 4000 e
*> 181.11.58.0/24 163.144.46.6 69 23 4000 e
*> 181.11.59.0/24 163.144.46.6 69 23 4000 e
*>i211.21.20.0 163.144.0.5 21 2000 e
*>i211.21.21.0 163.144.0.5 21 2000 e
*>i211.21.22.0 163.144.0.5 21 2000 e
*>i211.21.23.0 163.144.0.5 21 2000 e |
|
|
Term
When configuring this towards router R5:
router bgp 7
bgp router-id 163.144.0.7
bgp confederation identifier 12457
bgp confederation peers 1245
neighbor 163.144.0.5 remote-as 1245
neighbor 163.144.0.5 update-source lo0
neighbor 163.144.0.5 ebgp
neighbor 163.144.0.5 transport connection-mode passive
What should be configured on the other end with regard to transport? |
|
Definition
router bgp 1245
neighbor 163.144.0.7 transport connection-mode active |
|
|
Term
In a BGP speaker in autonomous system 6001, the bgp confederation peers command marks the peers from autonomous systems 6002 and 6003 as special EBGP peers. Hence peers 171.69.232.55 and 171.69.232.56 will get the local-preference, next-hop and MED unmodified in the updates. The router at 160.69.69.1 is a normal EBGP speaker, and the updates it receives from this peer will be just like a normal EBGP update from a peer in autonomous system 60000.
router bgp 6001
bgp confederation identifier 60000
bgp confederation peers 6002 6003
neighbor 171.69.232.55 remote-as 6002
neighbor 171.69.232.56 remote-as 6003
neighbor 160.69.69.1 remote-as 777 |
|
Definition
|
|
Term
ip bgp-community new-format
router bgp 1245
bgp router-id 163.144.0.2
bgp confederation identifier 12457
bgp confederation peers 7
neighbor 163.144.0.4 remote-as 1245
neighbor 163.144.0.4 update-source lo0
neighbor 163.144.0.4 next-hop-self
neighbor 163.144.0.4 send-community
neighbor 163.144.222.22 remote-as 22
neighbor 163.144.222.22 send-community |
|
Definition
Always do send-community in this confederation environment |
|
|
Term
You have this configuration; the other side is not coming up. Assume it is configured correctly. What is the problem?
R6:
interface MFR1
no ip address
no frame-relay map ip 163.144.69.6 609
no frame-relay map ip 163.144.69.9 609 broadcast
frame-relay interface-dlci 609 ppp virtual-template 1
int virtual-template1
ip address 163.144.69.6 255.255.255.0
ppp authentication chap
ppp chap hostname Router6
ppp chap password ipexpert |
|
Definition
int virtual-template1
no ppp authentication chap
*Mar 1 01:07:19.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up.!
The other side is authenticating R6. |
|
|
Term
If you have the following PPP configuration; what should you remove?
int mfr1
no keepalive
no frame-relay inverse-arp
frame-relay map ip 163.144.69.9 609 broadcast
frame-relay map ip 163.144.69.6 609
frame-relay interface-dlci 609 ppp virtual-Template 1 |
|
Definition
int mfr1
no frame-relay map ip 163.144.69.9 609 broadcast
no frame-relay map ip 163.144.69.6 609 |
|
|
Term
If you have the following configuration:
R6:
int virtual-template 1
ip add 163.144.69.6 255.255.255.0
ppp chap hostname Router6
ppp chap password ipexpert
R9:
int virtual-template 1
ip add 163.144.69.9 255.255.255.0
ppp authentication chap ForR6
Why do you have ppp authentication only on one side? |
|
Definition
Because R9 is the authenticating router while R6 just presents credentials to R9. R9 was not allowed to present its credentials to R6. |
|
|
Term
You have this configuration, and you are required to self-ping. How would you do so?
interface MFR1
no ip address
no keepalive
frame-relay interface-dlci 609 ppp Virtual-Template1
no frame-relay inverse-arp
int virtual-template1
ip address 163.144.69.6 255.255.255.0
ppp authentication chap
ppp chap hostname Router6
ppp chap password ipexpert
R6#ping 163.144.69.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.144.69.6
.....
Success rate is 0 percent (0/5) |
|
Definition
interface Virtual-Template1
no ip address 163.144.69.6 255.255.255.0
ip unnumbered lo1
int lo1
ip address 163.144.69.6 255.255.255.0
Note: be careful not to overwrite your existing loopbacks |
|
|
Term
You want your banner to say:
Welcome to this router named [R1]
You have connected to the domain [ipexpert.com]
You are on line [0]
Your line description is [vty0]
Replace the variables with the variables needed to show the values even if there is a configuration change. This would make it so you don't have to change the banner. |
|
Definition
banner exec *
Welcome to this router named $(hostname)
You have connected to the domain $(domain)
You are on line $(line)
Your line description is $(line-desc)
* |
|
|
Term
You have the following configuration:
banner exec * This device is physically located at: $(line-desc) *
How do you get this to work? |
|
Definition
line vty 0 5
location Equinox, 5th Floor, Ste 10, San Jose California |
|
|
Term
Enable QoS on Cat2. Ensure that received EF-marked packets have the correct marking when they leave the switch on all ports.
mls qos
mls qos map cos-dscp 0 8 16 24 32 40 48 56
How do you verify when complete? |
|
Definition
mls qos
mls qos map cos-dscp 0 8 16 24 32 [46] 48 56
int range fa0/1 - 24 , gi0/1 - 2
mls qos trust dscp
Explanation: By default, incoming DSCP value will be rewritten as COS5, which will further be rewritten to DSCP 40. We need to change this and rewrite COS5 to DSCP 46. In order to allow for this on all ports, we should trust incoming DSCP marking on the ports.
Verify: sh mls qos maps cos-dscp |
|
|
Term
You're an NTP client:
Set your server to 6.6.6.6 and use a source of loopback 0. |
|
Definition
ntp server 6.6.6.6 source loopback0 prefer |
|
|
Term
Set your clock for 14:00 on January 15th, 2010 |
|
Definition
clock set 14:00:00 15 January 2010 |
|
|
Term
ip sla responder
ip sla responder udp-echo ipaddress localip port 6453
What is the purpose of the second line? Is it required? |
|
Definition
(Optional) Required only if protocol control is disabled on the source. Permanently enables IP SLAs Responder functionality on the specified IP address and port.
Control is enabled by default. |
|
|
Term
You want to create a menu.
Use line-mode. The user can press x to exit the menu.
When users type "R1" they should ping "6.6.6.6"
you have a username and password of bryan that needs to access the menu when they telnet to the device. |
|
Definition
menu Main line-mode
menu Main text R1 =Ping R1=
menu Main command R1 ping 6.6.6.6
menu Main text x Exit Menu
menu Main command x menu-exit
username bryan password bryan
username bryan autocommand menu Main
line vty 0 5
login local |
|
|
Term
IOS Menu
What does it start with. Name it: MainMenu |
|
Definition
|
|
Term
IOS Menu:
You're about to create the following menu:
menu Main single-space
menu Main line-mode
menu Main text R1 Ping R1
menu Main command R1 ping 1.1.1.1
menu Main text R2 Ping R2
menu Main command R2 ping 2.2.2.2
menu Main text x Exit Menu
menu Main command x menu-exit
What should you do BEFORE you start configuring it? |
|
Definition
Save the configuration; if you mess up, reboot the device. |
|
|
Term
You have the following config. R5/R6 are configured as hub and spoke on s0/0/0.1. What's missing in this command?
R2:
int s0/0/0
ipv6 add 2001::256:2/125
ipv6 add fe80::2 link-local
frame-relay map ipv6 fe80::5 205
frame-relay map ipv6 fe80::6 206
frame-relay map ipv6 2001::256:5 205 broadcast
frame-relay map ipv6 2001::256:6 206 broadcast
frame-relay map ipv6 2001::256:2 206
ipv6 router eigrp 256
eigrp router-id 2.2.2.2
no shut |
|
Definition
no ipv6 split-horizon eigrp 256 |
|
|
Term
You have the following configured already. Configure R2's Gigabit Ethernet interface to drop ICMP type 0 and type 8 packets with a size from 250 to 300 bytes.
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any echo
class-map match-all ICMP
match packet length min 250 max 300
match access-group 102
policy-map r2gi0/0
class ICMP
drop |
|
Definition
int gi0/0
service-policy output r2gi0/0
service-policy input r2gi0/0
Note: No direction was specified!!!! |
|
|
Term
You have the following configured. What port will be allowed for telnet on this device?
line vty 0 4
rotary 5 |
|
Definition
300X where X equals the rotary X
Port 3005 and port 23 |
|
|
Term
To have a router accept ssh connections on port 2009, what do you configure? |
|
Definition
ip ssh port 2009 rotary 1
line vty 0 1081
rotary 1 |
|
|
Term
You need to allow only 5.5.5.5 to telnet/ssh to a router using an extended ACL. You have already created your certificate.
You have this configuration:
access-list 5 permit 5.5.5.5
line vty 0 4
transport input ssh telnet
access-class 5 in
What is missing? |
|
Definition
You are using SSH, you need to use username/password to login.
username cisco password cisco
line vty 0 4
login local |
|
|
Term
You have the following configuration. You want to allow the rest of the traffic through the firewall. Assume it is configured correctly. What do you need to add to the policy-map?
class-map type inspect zb-smtp
match protocol smtp
policy-map type inspect outside-to-inside
class type inspect zb-smtp
drop |
|
Definition
class class-default
pass
DO NOT type in: class type inspect class-default (BAD!) |
|
|
Term
When you're configuring ZBF, you have been told to put gi0/0 as unsecure and all other interfaces in a more secure zone.
List the types of interfaces on the router that could be one of those? |
|
Definition
int fa0/0
int s0/0/0
int multilink69
int tunnel59
int lo0
int fa0/0.124
int gi0/0.123
Don't forget!!!! |
|
|
Term
HSRP - You are running HSRP between R1/R2 for Cat1/Cat2:
R1--| |--[CAT1] R2--|--[CAT2] | |--[BB1]
You configure everything correctly and give R2 a priority of 120 to be the active gateway. You then realize you're NOT active. You get on R1 and you realize you're NOT active there either. What do you need to do? |
|
Definition
BB1 is configured with the highest priority and taking over the active role.
You need to configure authentication between R1/R2:
int gi0/0
standby 1 authentication md5 key-string ipexpert |
|
|
Term
Your IP is 8.8.8.8. Your BGP neighbor is 10.10.10.10.
Your interface between you and your neighbor is fa0/0.
Ensure that your 10.10.10.10 BGP neighbor is able to talk BGP with you. Ensure that no other devices on the same subnet or its directly connected BGP peers attempt a BGP session with you inbound on your peering interface. |
|
Definition
ip access-list extended bgp-in
permit tcp host 10.10.10.10 host 8.8.8.8 eq bgp
deny tcp any any eq bgp
deny tcp any eq bgp any
permit ip any any
int fa0/0
ip access-group bgp-in in |
|
|
Term
You have the following configuration. You need to guarantee 25% of interface bandwidth for this traffic and not allow more than 50% of interface bandwidth to be used by it.
class-map match-all AF21
match dscp af21
policy-map task2.5
class AF21
What command(s) do you need on this interface?
int fa0/0 |
|
Definition
policy-map task2.5
class AF21
bandwidth percent 25
police rate percent 50
int fa0/0
service-policy output task2.5 |
|
|
Term
You have the following configuration:
interface FastEthernet0/0.211
encapsulation dot1Q 11
ip address 1.1.1.1 255.255.255.0
You paste in the following configuration:
interface FastEthernet0/0.211
service-policy output AS21 <---
It does not take the command. Why now? |
|
Definition
CBWFQ : Not supported on subinterfaces |
|
|
Term
You have a router R1 connected to BB1 via interface fa0/0.11
int fa0/0.11
encapsulation dot1q 11
ip add 192.168.58.1 255.255.255.0
class-map AS21
match dscp af31
policy-map AS21
class AS21
bandwidth 10
You want to apply the following service policy on fa0/0.11:
service-policy output AS21
What do you need to do? |
|
Definition
class-map AS21
match dscp af31
match vlan 11
int fa0/0
service-policy output AS21 |
|
|
Term
You have the following configuration. Under the class-map you want to match the access list AS22, how do you do that?
ip access-list extended AS22
permit ip any host 21.21.21.21
permit ip any host 121.121.121.121
class-map AS22 |
|
Definition
class-map AS22
match access-group name AS22 |
|
|
Term
BGP - You are building an as-path access list. You have configured the following:
route-map R4-out permit 10
match as-path 53
set community local-as additive
route-map R4-out permit 20
Routes that have NOT traversed AS53 should be marked with a local-as community.
Write the as-path access list -- Quickly! |
|
Definition
ip as-path access-list 53 deny _53_
ip as-path access-list 53 permit .* |
|
|
Term
BGP - Write two community lists that match community 21:21 and name it BB1 and also another community list that matches community 22:22 named BB2. |
|
Definition
ip community-list standard BB1 permit 21:21
ip community-list standard BB2 permit 22:22 |
|
|
Term
BGP - In a route-map if you want to match a specific community for a BGP neighbor then set local preference; what do you need to do?
neighbor 163.144.0.5 route-map r5-set-LP-to-200 in |
|
Definition
You need to MATCH a specific community. You can do this ONLY BY using a Community-list:
ip community-list standard BB1 permit 44:44
R4(config)#ip community-list standard BB1 permit ?
<1-4294967295> community number
aa:nn community number
internet Internet (well-known community)
local-AS Do not send outside local AS (well-known community)
no-advertise Do not advertise to any peer (well-known community)
no-export Do not export to next AS (well-known community) |
|
|
Term
IPv6 EIGRP - You are configuring the following:
ipv6 unicast-routing
ipv6 router ospf 1
redistribute eigrp 1 subnets include-connected
router-id 1.1.1.1
Would the EIGRP 1 process get the networks based on the configuration above? |
|
Definition
Dude -- this command wouldn't take.
ipv6 router ospf 1
redistribute eigrp 1 include-connected
router-id 1.1.1.1
The "subnets" does NOT take anymore for IPv6! :) |
|
|
Term
You're configuring IPv6 EIGRP on an MLS named Cat2.
What is the first thing you would do?
Do YOUR BEST attempting the command(s) before looking at the answer! |
|
Definition
sdm prefer dual-ipv4-and-ipv6 routing
hope you chose routing! We are routing on these bad boys! |
|
|
Term
You have a hub and spoke frame-relay connection that you want to run multicast on.
R4 is the hub; s0/0/0
R2/R5 are the spokes; s0/1/0
You are running pim sparse mode only. What interface commands do you need to make this happen?
ip multicast-routing has already been configured. |
|
Definition
r4
int s0/0/0
ip pim sparse-mode
ip pim nbma-mode
ip pim dr-priority 100
r2/r5
int s0/1/0
ip pim sparse-mode
ip pim nbma-mode |
|
|
Term
When should you use the "ip pim nbma-mode" command in a frame-relay environment? |
|
Definition
This command applies to only PIM sparse mode configurations because its functionality is dependent on the PIM sparse mode join message.
An alternative solution to using NBMA mode to configure IP multicast within a Frame Relay network is to use point-to-point subinterfaces for each of the remote sites. For the point-to-point subinterfaces solution, the partially meshed Frame Relay network is divided into a number of virtual, point-to-point networks using subinterfaces. Each new point-to-point subnetwork is assigned its own network number. To the routed protocol, each subnetwork now appears to be located on separate interfaces.
In a Frame Relay network that uses IP multicast, the benefits of point-to-point subinterfaces are as follows:
• No prune message override issues are associated with the partial mesh design of Frame Relay networks.
• They avoid limitations associated with pseudobroadcasts in a Frame Relay network because point-to-point subinterfaces are treated more like standard serial interfaces than LAN interfaces.
• They prevent Auto-RP issues related to multicast routers receiving dense mode traffic.
Note: If your network can support both the point-to-point subinterfaces and NBMA mode solutions, we recommend point-to-point subinterfaces because of its simplicity and ease of use with Auto-RP. |
|
|
Term
Is this correct?
cat4
ip multicast-routing distributed
int lo0
ip pim sparse-mode
ip igmp join-group 239.14.14.14 |
|
Definition
|
|
Term
Configure r1 and r9. R1 should set the time from loopback0 of r9 which would be configured for correct date, time and UTC+1 timezone. |
|
Definition
r9
clock set 02:03:00 October 29 2011
clock timezone CET 1 0
ntp master 1
ntp source lo0
r1
ntp server 9.9.9.9 source lo0 |
|
|
Term
Configure a router so that it can only be managed in the most secure way possible. Make sure the login username and password "ip3xpert" is used, and for the enable password "ip3xpert" is used.
The users can only retry 2 times when the wrong credentials are used, and the timeout should be exactly 1 minute. |
|
Definition
ip domain-name ipexpert.com
enable secret ip3xpert
username ip3xpert secret ip3xpert
crypto key generate rsa modulus 2048
line vty 0 15
transport input ssh
login local
!--- version 2 is more secure than v1
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2 |
|
|
Term
You need to put the following commands on this switch; what's the correct order?
vtp mode server
vtp pruning
vtp domain Inexpert
vtp version 2
vtp password VTPpassword |
|
Definition
vtp version 2 (cannot modify this in client mode)
vtp pruning
vtp mode server
vtp domain Inexpert
vtp password VTPpassword |
|
|
Term
On a switch, when you're asked to run the latest VTP version:
What version is that? |
|
Definition
vtp version ?
The most recent releases support VTP version 3!!!! Be careful :) |
|
|
Term
On your VTP Server; you have the following configuration:
vtp version 2
vtp pruning
vtp mode server
vtp domain Inexpert
vtp password VTPpassword
What is required on the client switches? |
|
Definition
vtp mode client
vtp password VTPpassword
vtp domain Inexpert
It will get the VTP version and Pruning settings. |
|
|
Term
On an access port, you are told to prevent sending DTP frames.
How would you configure that for an access port vlan 5?
int fa0/1 |
|
Definition
int fa0/1
switchport mode access
switchport access vlan 5
On an access port; DTP is disabled automatically when you set static access mode. STATIC ACCESS MODE.
switchport mode access! |
|
|
Term
You have the following configuration; Ensure that the router uses the local credentials when logging in over the first 10 telnet sessions.
username ipexpert password lab
enable secret isthebest
aaa new-model
aaa authentication login default local
line con 0
login authentication default |
|
Definition
line vty 0 9
login authentication default
privilege level 15
0-9!!!!! Not 0-10 - :) |
|
|
Term
Refresh your memory on the following topics!
ntp access-group {query-only | serve-only | serve | peer} access-list-number
Peer
Serve
Serve-only
Query-only |
|
Definition
The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer— Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.
2. serve— Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
3. serve-only— Allows only time requests from a system whose address passes the access list criteria.
4. query-only— Allows only NTP control queries from a system whose address passes the access list criteria. |
|
|
Term
How do you define a range of ports fa0/21 - 24 as a macro called TRUNKS?
How do you access the Macro to apply configuration for the Trunks? |
|
Definition
define interface-range TRUNKS fa0/21 - 24
interface range macro TRUNKS
switchport trunk encap dot1q
switchport mode trunk |
|
|
Term
What is the default frame-relay and lmi type? |
|
Definition
frame-relay cisco lmi type cisco |
|
|
Term
You have the following configuration; you need to ensure that frame-relay inverse-arp has been disabled. What change would need to be made?
int s0/1/0
shut
encapsulation frame-relay
int s0/1/0.100 multipoint
ip add 172.18.100.2 255.255.255.192
frame-relay map ip 172.18.100.4 224 broadcast
frame-relay map ip 172.18.100.6 226 broadcast
frame-relay map ip 172.18.100.2 224
int s0/1/0
no shut |
|
Definition
int s0/1/0
shut
no frame-relay inverse-arp
int s0/1/0.100 multipoint
no frame-relay inverse-arp
Frame Relay inverse-arp DOES NOT carry from physical interface to a multipoint subinterface!
Point-to-Point subinterfaces take the command but do not show it under the configuration. |
|
|
Term
PPP PAP - What do you need to do to send authentication (username/password) to the remote node?
R2
interface Serial0/2/0
no shut
ip address 172.18.25.2 255.255.255.248
encapsulation ppp
ppp authentication pap |
|
Definition
interface Serial0/2/0
ppp pap sent-username R2Lab password Inexpert |
|
|
Term
CHAP - You have the following configuration. You want R2 to challenge R5, and R5 should respond with a hostname of "Inexpert" and "Lab" for the password. What's missing?
R2:
interface Serial0/2/0
ip address 172.18.25.2 255.255.255.248
encapsulation ppp
no peer neighbor-route
R5:
interface Serial0/2/0
ip address 172.18.25.5 255.255.255.248
encapsulation ppp |
|
Definition
R2:
username Inexpert password Lab
interface Serial0/2/0
ppp authentication chap
R5:
interface Serial0/2/0
ppp chap hostname Inexpert
ppp chap password Lab
R5 does NOT need "ppp authentication chap" - R2 is the authenticator! |
|
|
Term
When you configure:
interface Serial0/2/0
no shut
ip address 172.18.25.2 255.255.255.248
encapsulation ppp
ppp authentication chap
no peer neighbor-route <<<<--- This.
What do you have to do next? |
|
Definition
You MUST shut/no shut the interface so that this command takes effect. |
|
|
Term
R2#sh frame-relay lmi
LMI Statistics for interface Serial0/1/0 (Frame Relay DTE) LMI TYPE = CISCO
..
Num Status Enq. Sent 223 (this increments by 1)
Num Update Status Rcvd 0
Last Full Status Req 00:00:15 (every 10 seconds)
R2#sh frame-relay lmi
..
Num Status Enq. Sent 224 (this increments by 1)
Num Update Status Rcvd 0
Last Full Status Req 00:00:21 (every 10 seconds)
It resets every 60 seconds. So how many full requests per minute? |
|
Definition
6 full requests per minute is the default! |
|
|
Term
If you see this:
interface Serial0/1/0
no ip address
encapsulation frame-relay
no frame-relay inverse-arp
frame-relay lmi-n391dte 2
How many seconds does it take before the full LMI update gets requested? |
|
Definition
20 seconds!
If you changed this:
R2(config-if)#interface Serial0/1/0
R2(config-if)#keepalive ?
<0-30> Keepalive period (default 10 seconds)
The changes would MODIFY the FRAME RELAY SWITCH. Don't do it unless asked. |
|
|
Term
To unicast updates on RIP, it is required to provide the directly connected neighbor's IP address and to disable multicast updates with passive interface. |
|
Definition
|
|
Term
Note: The redistribute CONNECTED route-map takes precedence on protocol redistribution.
For example, on R2:
router rip
redistribute connected route-map conn>rip
route-map conn>rip
match interface lo0
If, in a different task, you redistribute OSPF into RIP, the OSPF directly connected interfaces WILL NOT be redistributed because the route-map conn>rip denies these interfaces. You will need to include the OSPF directly connected interfaces in order to obtain full reachability. |
|
Definition
|
|
Term
R6 must accept no more than 500 LSA and generate a warning when the database reaches 250 LSA
Try without looking! |
|
Definition
router ospf 1
max-lsa 500 50 warning-only
R6(config-router)#max-lsa 500 ?
<1-100> Threshold value (%) at which to generate a warning msg
R6(config-router)#max-lsa 500 50 ?
ignore-count maximum number of times adjacencies can be suppressed
ignore-time time during which all adjacencies are suppressed
reset-time time after which ignore-count is reset to zero
warning-only Only give warning message when limit is exceeded |
|
|
Term
R6 must also silently discard LSA6 without generating error messages.
What is a type LSA6 and how do you do it? |
|
Definition
R6(config-router)#ignore ?
lsa Do not complain upon receiving LSA of the specified type
R6(config-router)#ignore lsa ?
mospf MOSPF Type 6 LSA
Multicast OSPF! |
|
|
Term
Received this message:
R6(config-router)#
*Oct 30 23:44:18.199: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from 172.18.100.2, Serial0/1/0.100
Both end points had configured the virtual link pointing to each other. After troubleshooting, the router-id was wrong on R2.
R2(config-if)#router ospf 1
R2(config-router)#router-id 2.2.2.2
Reload or use "clear ip ospf process" command, for this to take effect
R2(config-router)#do clear ip ospf proc
Reset ALL OSPF processes? [no]: yes |
|
Definition
R6(config-router)#
*Oct 30 23:44:19.535: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/1/0.100 from LOADING to FULL, Loading Done |
|
|
Term
You have the following interfaces. What would you configure to make the adjacency unicast?
R4:
interface FastEthernet0/0
ip address 172.18.47.4 255.255.255.192
ip ospf 1 area 4.3.2.0
R7:
interface FastEthernet0/0.47
encapsulation dot1Q 47
ip address 172.18.47.7 255.255.255.192
ip ospf 1 area 4.3.2.0
router ospf 1 |
|
Definition
interface FastEthernet0/0
ip ospf network non-broadcast
router ospf 1
neighbor 172.18.47.7
interface FastEthernet0/0.47
ip ospf network non-broadcast
router ospf 1
neighbor 172.18.47.4
Or you'll get:
*Oct 31 01:04:25.278: %OSPF-4-CFG_NBR_INVAL_NET_TYPE: Can not use configured neighbor: neighbor command is allowed only on NBMA and point-to-multipoint networks |
|
|
Term
On R3; Advertise Loopback 0 subnet into area 100. Configure this.
int lo1
router ospf1 |
|
Definition
int lo0
ip ospf 1 area 100
ip ospf network point-to-point
Advertise Loopback 0 [subnet] into area 100 |
|
|
Term
If you don't set:
router 1 area 0 authentication
And you create a virtual-link to extend area 0; what would you do on the virtual-link configuration?
Use type 1 (clear text) authentication
endpoint 2.2.2.2 password is cisco |
|
Definition
router ospf 1 virtual-link 2.2.2.2 authentication authentication-key cisco
or
router ospf 1 virtual-link 2.2.2.2 authentication message-digest message-digest-key 1 md5 cisco |
|
|
Term
For OSPF; what's the default reference bandwidth? |
|
Definition
sh ip protocols
Reference bandwidth unit is 100 mbps |
|
|
Term
When redistributing in the lab: 1. From one routing protocol to another, set the metric and metric-type (if applicable) to help the routing protocol choose a better path (RIP) or to easily identify the route in the routing table (i.e. E1)
So...
router rip
redistribute ospf 1 metric 3
router ospf 1
redistribute rip subnets route-map rip>ospf
route-map rip>ospf
set metric 10
set metric-type type-1 |
|
Definition
|
|
Term
On R2: You have the following configuration. Everything shown meets the requirement. Something is missing. What is it?
router ospf 1
redistribute connected subnets route-map conn>ospf
redistribute rip subnets route-map rip>ospf
route-map rip>ospf permit 40
set tag 120
set metric 10
set metric-type type-1
route-map conn>ospf permit 20
match interface s0/2/0
set metric-type type-1 |
|
Definition
route-map conn>ospf permit 20
set tag 120
Don't forget to set the tag to 120 just like your rip>ospf redistribution. Or you'll lose points since you need all RIP networks (s0/2/0 being one of them) to be tagged.
Especially since you'll be filtering to prevent RIP feedback routes. |
|
|
Term
When redistributing from one protocol to another, you have the following. You need to get gi0/0 (interface from OSPF) into RIP. What's missing and why?
R2:
router rip
redistribute connected route-map con-to-RIP
redistribute ospf 1 metric 2 route-map ospf>rip
router ospf 1
redistribute connected subnets route-map conn>ospf
redistribute rip subnets route-map rip>ospf
route-map conn>ospf permit 10
match interface Loopback1
route-map ospf>rip permit 40
set metric 3
set tag 110 |
|
Definition
route-map con-to-RIP permit 20
match interface gi0/0
set tag 110
!!!!IMPORTANT, you're tagging in ospf>rip for filtering. |
|
|
Term
EIGRP - Defaults
Hello Timer:
Hold Timer: |
|
Definition
Hello Timer: 5
Hold Timer: 15
By default, hello packets are sent every 5 seconds. The exception is on low-speed, nonbroadcast multiaccess (NBMA) media, where the default hello interval is 60 seconds. Low speed is considered to be a rate of T1 or slower, as specified with the bandwidth interface configuration command. The default hello interval remains 5 seconds for high-speed NBMA networks.
The default hold time is three times the hello interval, or 15 seconds. For slow-speed NBMA networks, the default hold time is 180 seconds. |
|
|
Term
EIGRP Hello/Hold Interval Timer
Set it to 5 times faster than the default
int fa0/0 |
|
Definition
int fa0/0
ip hello-interval eigrp 123 1
ip hold-time eigrp 123 5 |
|
|
Term
Router id for:
BGP:
EIGRP:
OSPF: |
|
Definition
[B]GP: bgp router-id
[E]IGRP: eigrp router-id
OSPF: router-id |
|
|
Term
On the test; EIGRP
Do not send updates out of unnecessary interfaces. What do you do? |
|
Definition
router eigrp x
passive-interface default
no passive-interface x
-Just DO IT |
|
|
Term
EIGRP -
By default; EIGRP may use a maximum of __% of an interface's bandwidth? |
|
Definition
|
|
Term
You have the following configuration; What does 00:00:00 stand for?
key chain EIGRP
key 3
key-string V3-BLUEPRINT
accept-lifetime 00:00:00 Jan 1 1993 00:00:00 Oct 18 2009
send-lifetime 00:00:00 Jan 1 1993 00:00:00 Oct 18 2009
key 4
key-string V4-BLUEPRINT
accept-lifetime 00:00:00 Oct 18 2009 infinite
send-lifetime 00:00:00 Oct 18 2009 infinite |
|
Definition
00:00:00 Stands for midnight.
accept-lifetime 00:00:00 Jan 1 1993 00:00:00 Oct 18 2009
Accept at midnight Jan 1 1993 (beginning of the day) |
|
|
Term
Is this correct or the other one?
route-map conn>eigrp permit 20
match interface s0/2/0
set tag 120
set metric 100000 100 255 1 1500
route-map conn>eigrp permit 30
match interface fa0/1
set tag 120
set metric 100000 100 255 1 1500
=or========
route-map conn>eigrp permit 20
match interface s0/2/0
match interface fa0/1
set tag 120
set metric 100000 100 255 1 1500 |
|
Definition
|
|
Term
You're configuring RIP. You have the following:
R5(config-router)#distance 171 ?
A.B.C.D IP Source address
You want to configure this distance for routes that match access list 5 and for all source addresses. How would you configure it?
access-list 5 deny 2.2.2.2
access-list 5 deny 11.11.11.11
access-list 5 permit any |
|
Definition
router rip
distance 171 0.0.0.0 255.255.255.255 5 |
|
|
Term
You have the following BGP routes:
*>172.17.1.0/24
*>172.17.2.0/24
*>172.17.3.0/24
*>172.17.4.0/24
Use only a single line standard numbered access-list to match even prefixes in the third octet on R8 and do R7 for odd prefixes in the third octet.
R7:
R8: |
|
Definition
R7: (even prefixes) access-list 5 permit 0.0.0.0 255.255.254.255
R8: (odd prefixes) access-list 5 permit 0.0.1.0 255.255.254.255 |
|
|
Term
You have the following BGP AS1 routes:
*>172.17.1.0/24
*>172.17.2.0/24
*>172.17.3.0/24
*>172.17.4.0/24
On R5, configure an inbound route-map to not advertise (no-export) 172.17.2.0/24 and 172.17.3.0/24. You are allowed to use a single line extended named access-list. Your neighbor is 7.7.7.7. |
|
Definition
R5
router bgp 1
neighbor 7.7.7.7 route-map no-export in
ip access-list extended no-export
permit ip 172.17.2.0 0.0.1.255 host 255.255.255.0
route-map no-export permit 10
match ip address no-export
set community no-export
route-map no-export permit 20
The access-list works much like a prefix list here: host 255.255.255.0 represents the prefix length. |
|
|
Term
You have the following configured:
R2(config-if)#do sh run int g0/0
interface GigabitEthernet0/0
ip address 172.18.29.2 255.255.255.0
ip ospf 1 area 92
duplex auto
speed auto
media-type rj45
end
You add the following command:
int gi0/0
ip vrf forwarding r2r9
What will be removed by adding this command? |
|
Definition
Both the IP address AND the ip ospf 1 area 92 command. Be careful and look at the interface before applying the command!
R2(config-if)#int g0/0
R2(config-if)#ip vrf forwarding r2r9
% Interface GigabitEthernet0/0 IP address 172.18.29.2 removed due to enabling VRF r2r9
R2(config-if)#
*Oct 2 15:06:20.559: %OSPF-5-ADJCHG: Process 1, Nbr 9.9.9.9 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-if)#
*Oct 2 15:06:20.563: %OSPF-6-PROC_REM_FROM_INT: OSPF process 1 removed from interface GigabitEthernet0/0 |
|
|
Term
With IPv6 and frame-relay; do you need to map the IPv6 address for your own IP address? |
|
Definition
IPv6 doesn't require you to map the interface's own addresses. |
|
|
Term
IPV6 Frame-relay - Do not map link local address on spoke-to-spoke |
|
Definition
|
|
Term
RIPng - In RIPng does the process name have to match on each router? |
|
Definition
Note: RIPng process name is only locally significant, it may be different on different routers. |
|
|
Term
When configuring BGP. You have iBGP peers between R2 and R4. You are about to configure iBGP ipv6 neighbors.
What's the first thing you should do?
router bgp 100 |
|
Definition
router bgp 100
no bgp default ipv4-unicast
We need to use IPv6 address family without sending IPv4 prefixes since there is already an IPv4 neighbor relationship between R2 and R4. |
|
|
Term
You have the following configured and BGP routes are NOT showing up in the RIP neighbor router. What's wrong?
router bgp 100
neighbor 2001:cc13:100::4 remote-as 100
address-family ipv6 unicast
neighbor 2001:cc13:100::4 activate
redistribute rip Inexpert include-connected
ipv6 router rip Inexpert
redistribute bgp 100 metric 2 |
|
Definition
As with IPv4, the IPv6 address family has the same security feature that prevents iBGP routes from being redistributed into an IGP. Since R2 and R4 are iBGP neighbors, the command "bgp redistribute-internal" under the IPv6 address family is needed in order to modify the default behavior. |
|
|
Term
If you configured:
address-family ipv6
bgp redistribute-internal
Then did a show run | s router b; where would this command be? |
|
Definition
router bgp 100
bgp log-neighbor-changes
address-family ipv6
bgp redistribute-internal
redistribute rip Inexpert include-connected
exit-address-family |
|
|
Term
You have the following config. You are redistributing RIP between R2 and a cat1 switch advertising its loopback.
What's missing in order to get its routes into BGP? Assume RIP is configured correctly.
R2
router bgp 100
neighbor 2001:CC13:100::2 remote-as 100
address-family ipv6
neighbor 2001:CC13:100::2 activate
bgp redistribute-internal
redistribute rip Inexpert
exit-address-family |
|
Definition
address-family ipv6
redistribute rip Inexpert include-connected
You would only have cat1's loopback. This would be advertised to all other iBGP neighbors from R2 but the network between R2-Cat1 would not be. |
|
|
Term
ip pim send-rp-announce
RP or RP-Mapping agent? |
|
Definition
R2(config)#ip pim ?
send-rp-announce - Auto-RP send RP announcement
Answer: RP |
|
|
Term
ip pim send-rp-discovery
RP or RP-Mapping agent? |
|
Definition
R2(config)#ip pim ?
send-rp-discovery - Auto-RP send RP discovery message (as RP-mapping agent)
Answer: RP-Mapping agent |
|
|
Term
Who is this?
(*, 224.0.1.39), 00:26:41/stopped, RP 0.0.0.0, flags: DC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list: |
|
Definition
from candidate RP routers |
|
|
Term
Auto-RP Filters
ip pim rp-announce-filter
When using Auto-RP, configure the ip pim rp-announce-filter global configuration command on Auto-RP mapping agent routers to filter Auto-RP announcement messages that arrive on group 224.0.1.39 from candidate RP routers. This command prevents unwanted candidate RP announcement messages from being processed by the mapping agent. Unwanted messages could interfere with the RP election mechanism of the mapping agent. |
|
Definition
The following example shows how to configure the router to accept announcements from RP addresses 10.0.0.1 and 10.0.0.2. This router is also configured to accept announcements for all groups.
ip pim rp-announce-filter rp-list 1 group-list 2
access-list 1 permit 10.0.0.1
access-list 1 permit 10.0.0.2
access-list 2 permit 224.0.0.0 15.255.255.255 |
|
|
Term
When using PIM sparse mode in an NBMA environment like Frame Relay, make sure you enter the ip pim nbma-mode command on the hub of the Frame Relay network. That command disables the split-horizon rule that traffic coming into an interface does not go out that same interface. After you enable the command, "show ip mroute" shows IPs in the OIL (Outgoing Interface List) instead of only the serial interface. Note that ip pim nbma-mode works only for sparse mode groups: when you enable it on an interface that has sparse-dense mode enabled, you will get a warning that basically means this feature will only be valid for sparse groups. |
|
Definition
(2.2.2.2, 225.4.3.2), 00:00:14/00:03:24, flags: FT
Incoming interface: Loopback1, RPF nbr 0.0.0.0, Registering
Outgoing interface list:
Serial0/1/0.100, 172.18.100.6, Forward/Sparse, 00:00:14/03:15
(the OIL entry lists the neighbor IP 172.18.100.6) |
|
|
Term
Candidate RPs need to be able to communicate only with the mapping agent, and the routers in the domain need to be able to communicate with the mapping agent, so we need to watch our RPF to the mapping agent. |
|
Definition
|
|
Term
Multicast - You have been asked to configure ip pim sparse-mode on all your interfaces and use Auto-RP between your devices.
What is the FIRST thing that should come to your mind that needs to be configured? |
|
Definition
|
|
Term
When in the troubleshooting lab and you are troubleshooting a multicast routing lab.
What is recommended you do first? |
|
Definition
Before starting it is recommended to draw a simple diagram with the routers and the interfaces participating in multicast routing. |
|
|
Term
Multicast - You have the following configuration:
R2(config)#ip pim send-rp-discovery lo1 scope 20
You want to advertise the discovery messages to all autorp routers on 224.0.1.40. The advertise interval should be set to 5 seconds to speed up the rp convergence.
What is missing from this command? |
|
Definition
R2(config)#ip pim send-rp-discovery lo1 scope 20 interval ?
<1-16383> number of seconds |
|
|
Term
You have the following configuration: Shape dscp cs2 and cs1 traffic to 32k, using a Tc interval of 10ms. What's the value, and where do you place the configuration for the 10ms?
class-map match-any DSCP-CS2-CS1
match dscp cs2
match dscp cs1
policy-map s0/2/0-policy
class DSCP-EF
priority 64
class DSCP-CS2-CS1
shape average 32000
class class-default
fair-queue |
|
Definition
policy-map s0/2/0-policy
class DSCP-EF
priority 64
class DSCP-CS2-CS1
shape average 32000 320
class class-default
fair-queue |
|
|
Term
To retain dscp values, you have to enable mls qos on all switches and trust the dscp value on all used ports (trunks and access)
Learn more about this! |
|
Definition
|
|
Term
In a multilayer switch; 3560 - by default, the dscp values of _-_ are mapped to queue 1 threshold 1.
This is where you would put voice traffic! This is also known as the priority queue. |
|
Definition
|
|
Term
Reflexive ACL:
ip access-list extended in-r8
permit tcp host 172.18.18.1 eq bgp host 172.18.18.8
permit tcp host 172.18.18.1 host 172.18.18.8 eq bgp
evaluate reflected
ip access-list extended out-r8
permit ip any any reflect reflected
int fa0/0.18
ip access-group in-r8 in
ip access-group out-r8 out |
|
Definition
ip access-list extended in-r8
permit tcp host 172.18.18.1 eq bgp host 172.18.18.8
permit tcp host 172.18.18.1 host 172.18.18.8 eq bgp
evaluate reflected
ip access-list extended out-r8
permit ip any any reflect reflected
int fa0/0.18
ip access-group in-r8 in
ip access-group out-r8 out |
|
|
Term
MAC ACL
int gi0/0
mac-address 0000.0000.0022
mac access-list extended r2-r9-only
permit host 0000.0000.0022 host 0000.0000.0099
permit host 0000.0000.0099 host 0000.0000.0022
vlan access-map r2-r9-only 10
action forward
match mac address r2-r9-only
vlan filter r2-r9-only vlan-list 29 |
|
Definition
|
|
Term
Cat1(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
What does protect do? |
|
Definition
It silently drops unauthorized frames |
|
|
Term
Cat1(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
What does restrict do? |
|
Definition
It silently drops unauthorized frames AND causes the security violation counter to increment |
|
|
Term
Cat1(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
What does shutdown do? |
|
Definition
Puts the interface into error-disabled state immediately and sends an SNMP trap notification |
|
|
Term
ip http server
ip http max-connections 7
ip http access-class 7
ip http port 8080
ip http secure-server
ip http secure-port 8443
access-list 7 permit 172.18.7.7
access-list 7 permit 7.7.7.7
R5#sh ip http server all |
|
Definition
|
|
Term
There is something in this list that is missing; what is it?
R2
int gi0/0
description VLAN 29
standby version 2
standby 210 ip 172.18.29.1
standby 210 priority 5
standby 210 preempt
standby 210 mac-address CC13.CC1E.CC13
standby 210 track Serial0/2/0
standby 210 track Serial0/1/0.100 |
|
Definition
int gi0/0
standby 210 name VLAN29-HSRP |
|
|
Term
What is the default port state on a Cat 3560?
Think Trunk or Access. |
|
Definition
switchport mode dynamic auto
-Note: you won't see this |
|
|
Term
If you're configuring VLANs, and when you try to create vlan 1006 you get the following error:
*Mar 1 04:31:25.047: %PM-4-EXT_VLAN_INUSE: VLAN 1006 currently in use by Port-channel12
*Mar 1 04:31:25.047: %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 1006: VLAN(s) not available in Port Manager
What's the problem?
vlan 20
vlan 2006
vlan 3006
vlan 40
vlan 50
vlan 25
vlan 30
vlan 16
vlan 1006 |
|
Definition
It's possible that vlan 1006 is already in use as an internal vlan, servicing the portchannel. In this case, simply shut down the portchannel to free this vlan from internal use. Or modify the "internal vlan policy ascending/descending" in order to allocate internal vlans starting from 1006 or from 4094, but this requires a reload to take effect. |
|
|
Term
When configuring the following VLANs:
vlan 20
vlan 2006
vlan 3006
vlan 40
vlan 50
vlan 25
vlan 30
vlan 16
vlan 1006
Don't automatically assume you'll be using VTP transparent on ALL SWITCHES; maybe just the ones that you will be configuring extended VLANs on. Read carefully. |
|
Definition
|
|
Term
If you're asked to shut down all remaining switch-to-router ports, look at your diagram. Some of the router ports might be shut down, and there may be a cable to the switch that is not in the diagram. Those need to be shut down as well! |
|
Definition
|
|
Term
You have two MST instances 0 and 1. Configure R2 to be the root of all VLANs.
R2: |
|
Definition
spanning-tree mst 0-1 priority 0 |
|
|
Term
Configuring frame-relay; you have been asked:
Configure R2--R5 (frame-relay with no frame-relay switch)
You are not allowed to disable LMI to accomplish this task.
What command(s) do you need to perform on one of the routers? |
|
Definition
frame-relay switching
int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce |
|
|
Term
Configuring Frame Relay; you have been asked to set the interface speed and bandwidth to 128k. You are using virtual-templates for PPP authentication.
How would you do that? |
|
Definition
int s0/2/0
clock rate 128000 (-duh!)
int virtual-template1
bandwidth 128
:) |
|
|
Term
When asked to set the clock rate on the following interfaces, go ahead and add what?
int s0/2/0
clock rate 64000
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert
no shut
int s0/2/1
clock rate 128000
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert |
|
Definition
int s0/2/0
clock rate 64000
bandwidth 64
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert
no shut
int s0/2/1
clock rate 128000
bandwidth 128
encapsulation ppp
ppp multilink group 1
ppp authentication chap
ppp chap password IPexpert |
|
|
Term
When configuring RIP and you are doing a unicast neighbor adjacency between two endpoints, is the following correct?
R1
int fa0/0
description to R2
ip address 192.168.60.1 255.255.255.252
router rip
passive-interface default
neighbor 192.168.60.2 |
|
Definition
Yes! Unicast updates in RIP require passive interface and neighbor statement(s). |
|
|
Term
You have been asked not to elect a DR/BDR on frame relay links, and you are not allowed to create host routes. Which network type do you use?
ip ospf network point-to-point
ip ospf network point-to-multipoint |
|
Definition
ip ospf network point-to-point. Multipoint will generate /32 host routes |
|
|
Term
By default OSPF assigns a __ Cost to 100 Mbps links?
If you put in the following configuration:
router ospf 1
auto-cost reference-bandwidth 1000
What will the default cost be for a 100 Mbps link? |
|
Definition
A cost of 1. With auto-cost reference-bandwidth 1000, a cost of 1 will be used for 1000 Mbps links and a cost of 10 for 100 Mbps links.
It would then be:
Cost of 10 |
|
|
Term
You have a router; R2. You have been told to redistribute rip into OSPF, do not accept more than 200 prefixes, and generate a warning when 200 prefixes are redistributed. How would you do this?
router ospf 1 |
|
Definition
router ospf 1
redistribute maximum-prefix 200 100
If you were to put WARNING-ONLY; it would DISABLE maximum limit!
R6(config-router)#redistribute maximum-prefix ?
<1-4294967295> Maximum number of IP prefixes redistributed
R6(config-router)#redistribute maximum-prefix 200 ?
<1-100> Threshold value (%) at which to generate a warning message
warning-only Only give warning message when limit is exceeded
R6(config-router)#redistribute maximum-prefix 200 war
R6(config-router)#redistribute maximum-prefix 200 warning-only ?
R6(config-router)#redistribute maximum-prefix 200 100 ?
warning-only Only give warning message when limit is exceeded |
|
|
Term
If you are on R2; you are running both OSPF and RIP and EIGRP.
You have been asked to redistribute RIP into EIGRP so that your EIGRP router R6 will have the 10.10.10.0/24 network. This network is known via all routing protocols.
You look in your routing table on R2 and you indeed have the 10.10.10.0/24 network.
You apply the redistribution command and you look on R6. You do NOT see the route. You have configured redistribute correctly. What is the problem and how do you resolve it? |
|
Definition
R2 is learning the 10.10.10.0/24 route via OSPF. This will not get redistributed into EIGRP.
To solve this, you need to lower the AD of RIP to 109 on R2. This is lower than OSPF. Then R6 will start getting the routes! :) |
|
|
Term
You're pasting the following commands in; will it work the first time?
neighbor 6.6.6.6 inherit peer-policy as300-policy
neighbor 6.6.6.6 inherit peer-session as300-session
neighbor 4.4.4.4 inherit peer-policy as300-policy
neighbor 4.4.4.4 inherit peer-session as300-session |
|
Definition
R5(config-router-ptmp)#neighbor 6.6.6.6 inherit peer-policy as300-policy
% Specify remote-as command first
R5(config-router)#neighbor 6.6.6.6 inherit peer-session as300-session
R5(config-router)#neighbor 4.4.4.4 inherit peer-policy as300-policy
% Specify remote-as command first
R5(config-router)#neighbor 4.4.4.4 inherit peer-session as300-session
Nope! You need to use policy first; it has the "remote-as" command!
neighbor inherit peer-policy (1st)
neighbor inherit peer-session (2nd) |
|
|
Term
What is special about this network?
R8#sh ip bgp 4.4.4.0
BGP routing table entry for 4.4.4.0/24, version 44
Paths: (2 available, best #2, table Default-IP-Routing-Table, RIB-failure(17))
Flag: 0x820
Advertised to update-groups:
1
500
4.4.4.4 (metric 2818560) from 4.4.4.4 (4.4.4.4)
Origin IGP, metric 0, localpref 100, valid, external
500
172.27.3.5 from 172.27.3.5 (5.5.5.5)
Origin IGP, localpref 100, valid, external, best |
|
Definition
The Flag: 0x820 -- Appears after enabling:
router bgp 5
network 4.4.4.0 mask 255.255.255.0 backdoor <<-- |
|
|
Term
You are BGP peered with your neighbor via loopback0 and sourced from loopback0. You learn his loopback via BGP and the neighbor adjacency goes down every 180 seconds.
Why? |
|
Definition
Advertising the loopback network via BGP will cause the BGP prefix to be installed in the RIB, as the eBGP administrative distance is 20. This means you are creating recursive routing for the loopback prefixes.
You will see BGP flapping every 180 seconds, the default hold timer, since the loopbacks become unreachable. |
|
|
Term
You need to create a one line as-path access list that denies AS1 or AS2 in any as-path.
Don't configure anything under router BGP |
|
Definition
ip as-path access-list 1 deny (1|2) |
|
|
Term
Enable IPv6 RIP and name it RnS on interface fa0/0 and lo0.
Is this "name" locally significant? |
|
Definition
ipv6 router rip RnS
int fa0/0
ipv6 rip RnS enable
int lo0
ipv6 rip RnS enable
Yes it is! |
|
|
Term
You need to create an EIGRP IPv6 default route to be originated from R9 going to R6 using interface mu1. You are R9. There are no static routes on R9 and you cannot add one.
R9:
ipv6 router eigrp 96 |
|
Definition
ipv6 router eigrp 96
ipv6 summary-address eigrp 96 ::/0 |
|
|
Term
When doing redistribution in the lab; don't ALWAYS tag unless there is a full circle of mutual redistribution. I just spent 20 minutes on redistribution and tagging in IPv6 and when I was done, there wasn't a full circle. -- Waste of time! |
|
Definition
|
|
Term
IPv6 Tunnels:
You have to choose between:
R2(config-if)#tunnel mode ipv6ip ?
6to4 IPv6 automatic tunnelling using 6to4
auto-tunnel IPv6 automatic tunnelling using IPv4 compatible addresses
isatap IPv6 automatic tunnelling using ISATAP
You are not allowed to configure EUI-64 addresses. Which one should you choose? |
|
Definition
tunnel mode ipv6ip 6to4
Note: using ISATAP uses EUI-64 IPv6 addresses |
|
|
Term
Regarding this tunnel mode:
tunnel mode ipv6ip 6to4
>What is the 6to4 used for?
>What is the reserved network for this?
>Give an example for 6.6.6.6 as the source? |
|
Definition
>What is the 6to4 used for: Used to allow IPv6 to talk to other IPv6 over legacy IPv4 networks. The 6to4 tunnel address is derived from the source interface's IPv4 address in the format 2002:border-router-IPv4-address::/48. You convert from IPv4 (dotted decimal) to IPv6 (hexadecimal). This is easy for loopback addresses.
2.2.2.2 is ipv6 add 2002:202:202::2/64 (if it was R2 and applied to an interface)
5.5.5.5 is: 2002:505:505
>What is the reserved network for this: 2002::/16 |
|
|
Term
IPv6 6to4 tunnel.
Configure a static route to the reserved tunnel network? |
|
Definition
ipv6 route 2002::/16 Tunnel0 |
|
|
Term
IPv6 default route to 2002:606:606::5 |
|
Definition
ipv6 route ::/0 2002:606:606::5 |
|
|
Term
What is this configuration:
R2:
ipv6 unicast-routing
int tu0
ipv6 add 2002:202:202::2/64
tunnel source lo0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:606:606::6
ipv6 route ::/0 2002:606:606::5
R5:
int tu0
ipv6 add 2002:505:505::5/64
tunnel source lo0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tu0 |
|
Definition
IPv6 6to4 Tunnel Configuration. R2 is a router with a default route to R5 and R6. R5 is a head-end with one single route into the IPv6 6to4 reserved tunnel. |
|
|
Term
Which RP will be preferred?
Group(s) 225.0.0.0/8
RP 5.5.5.5 (?), v2
Info source: 172.27.54.5 (?), via bootstrap, priority 0, holdtime 150
Uptime: 00:04:51, expires: 00:01:38
RP 10.10.10.10 (?), v2
Info source: 172.27.61.10 (?), via bootstrap, priority 255, holdtime 150
Uptime: 00:04:02, expires: 00:02:23 |
|
Definition
The LOWEST priority. RP 5.5.5.5 |
|
|
Term
You have configured the following; what is missing?
mls qos
mls qos aggregate-policer 7and8 500000 62500 exceed-action policed-dscp-transmit
mls qos map policed-dscp 46 to 26
class-map DSCP-EF
match ip dscp EF
policy-map agg
class DSCP-EF
police aggregate 7and8
int fa0/7
service-policy input agg |
|
Definition
int fa0/7
mls qos trust dscp |
|
|
Term
How do you apply an aggregate policer to an interface?
mls qos aggregate-policer 7and8 500000 62500 exceed-action policed-dscp-transmit
mls qos map policed-dscp 46 to 26 |
|
Definition
class-map DSCP-EF
match ip dscp EF
policy-map agg
class DSCP-EF
police aggregate 7and8
int fa0/7
mls qos trust dscp
service-policy input agg |
|
|
Term
You configured the following; what should you do as well?
username noc priv 15 secret adminop
aaa new-model
aaa authentication login default none
aaa authentication login VTY group radius local
radius-server host 172.27.64.66 key IPexpert
line vty 0 15
login authentication VTY |
|
Definition
line con 0
login authentication default |
|
|
Term
How would you apply this to the control plane?
class-map match-any protocols
match protocol bgp
match protocol ospf
class-map match-all telnet
match protocol telnet
policy-map cp
class protocols
class telnet
police rate 30 pps |
|
Definition
control-plane
service-policy input cp
R7(config-cp)#service-policy input cp
Unsupported protocol in 'match protocol'
Unsupported protocol in 'match protocol'
error: failed to install policy map cp
R7(config-cp)#exit
You CAN'T USE match protocol in the control plane! |
|
|
Term
Tunnels -
You are going to do Q-in-Q tunneling. What additional size 802.1Q tag will be used to transport tagged traffic? |
|
Definition
4 Bytes for this additional tag.
Raise MTU to 1504 |
|
|
Term
Tunnels -
You are going to do Q-in-Q tunneling. You are also (after looking ahead) doing MPLS (2 tags).
What MTU value should be set on the Cat switches? |
|
Definition
4 Bytes for this additional tag.
Raise MTU to 1504 on Cat switches for Q-in-Q
Raise MTU to 1512 on Cat switches for 2 more 4 Byte tags
Answer: 1512 |
|
|
Term
When you are using Q-in-Q and dot1q trunks, errdisable will block ports because it detects a recursion. This happens when a Q-in-Q port receives a frame with the well-known reserved multicast MAC address 01-00-0c-cd-cd-d0.
You are using vlan 666 and 999.
In this case; you can safely disable ________ because you are controlling the propagation of vlan 666 and 999 on trunks. |
|
Definition
Answer: l2ptguard
no errdisable detect cause l2ptguard |
|
|
Term
When configuring the bandwidth command; what should you ALWAYS DO also?
int s0/2/0
bandwidth 256
peer default ip address pool r9-s0/2/0
backup interface s0/2/1
backup delay 0 30 |
|
Definition
int s0/2/0
clock rate 256000 |
|
|
Term
You have the following configuration; what is the 0 and 30 for?
int s0/2/0
peer default ip address pool r9-s0/2/0
backup interface s0/2/1
backup delay 0 30 |
|
Definition
The "delay" parameters control the preemption: the first is the delay for switching to the backup when the primary fails, the second is the delay to preempt back to the primary when it is restored. |
|
|
Term
You have two interfaces
You want to put the command "backup interface" on the backup interface for s0/2/0. Where do you place it? Also, how do you verify your backup configuration?
R1
int s0/2/0
int s0/2/1
R2
int s0/2/0
int s0/2/1
Is it placed on both routers? |
|
Definition
R1
int s0/2/0
int s0/2/1
R2
int s0/2/0
backup interface s0/2/1
int s0/2/1
show backup
No, only on one side. |
|
|
Term
You are configuring the hub R6 for ODR routing. Your stub neighbor is R9. You have three interfaces: fa0/0, fa0/1, s0/1/0. Your neighbor is connected to you on s0/2/0, s0/2/1. Configure on demand routing so that R9 obtains reachability in 15 seconds. |
|
Definition
r6
int fa0/1
no cdp enable
int s0/1/0
no cdp enable
cdp timer 5
cdp holdtime 15
router odr
r9
cdp timer 5
cdp holdtime 15 |
|
|
Term
ip ospf mtu-ignore is required only on which device?
[R1:1500]----[CAT1:1512]
[R1:1504]----[CAT2:1500] |
|
Definition
This is only required on the device with the smaller MTU.
[R1:1500](here)----[CAT1:1512]
[R1:1504]----(here)[CAT2:1500] |
|
|
Term
When looking at OSPF neighbors:
R1#show ip ospf neighbor 10.7.80.80 1 FULL/BDR 00:00:37 10.7.1.1 1 1 EXSTART/DROTHER 00:00:37
This is Normal or Not Normal? |
|
Definition
Not Normal. Neighbor 10.7.1.1 is in EXSTART. There is an MTU mismatch between R1 and this 10.7.1.1 switch! |
|
|
Term
Everything should paste correctly, correct?
router ospf 1
router-id 10.7.70.70
area 100 virtual-link 10.7.10.10
neighbor 10.75.1.80
router ospf 100 vrf V7
router-id 10.7.70.70
area 100 virtual-link 10.7.10.10 |
|
Definition
Wrong. Haha. Okay; you CANNOT use the same router-id for two different ospf processes.
R7(config)#router ospf 100 vrf V7
R7(config-router)#router-id 10.7.70.70
OSPF: router-id 10.7.70.70 in use by ospf process 1 |
|
|
Term
You are on R1. Your OSPF topology is:
[R1]---100---[R8]---100---[R7]
 |
 |
600
 |
 |
[cat1]
On R1 you just summarized a block of IP addresses (10.7.0.0/16) to cat1 with the command:
router ospf 1
area 100 range 10.7.0.0 255.255.0.0
R7 now has this route. How do you resolve this? All existing OSPF configuration is correct. |
|
Definition
R1:
router ospf 1
area 0 filter-list prefix filter-to-area-0 in
ip prefix-list filter-to-area-0 deny 10.7.0.0/16
ip prefix-list filter-to-area-0 permit 0.0.0.0/0 le 32
R1 has a virtual link to R7 via area 100!
Be careful! :) |
|
|
Term
You are R1 running OSPF and EIGRP. If you were told you had to advertise your Loopback0 as an EIGRP External route. But you could NOT redistribute connected. How would you do it? |
|
Definition
Advertise the route into another protocol and then perform redistribution. |
|
|
Term
You are on R1. You have configured the following:
R1:
int lo0
ip add 10.7.60.1 255.255.255.0
int fa0/1
ip summary-address eigrp 16 10.7.0.0 255.255.0.0
ip summary-address eigrp 16 10.75.0.0 255.255.0.0
These two summaries are to be propagated to Cat1, which is already an EIGRP neighbor via fa0/1.
Cat1 only has a 10.75.0.0/16 route via EIGRP and NOT the 10.7.0.0/16 route. Why not? How do you resolve? |
|
Definition
Summaries are NOT advertised until at least one or more specific route(s) is learned via EIGRP or advertised. In this case, advertise Loopback0 on R1 to have the 10.7.0.0/16 summary advertised to Cat1. |
|
|
Term
On R1, you have configured the following. What is missing?
int fa0/1
ip summary-address eigrp 16 10.7.0.0 255.255.0.0
ip summary-address eigrp 16 10.75.0.0 255.255.0.0
router rip
redistribute eigrp 16 route-map eigrp>rip
route-map eigrp>rip deny 10
match tag 120
route-map eigrp>rip permit 20
set tag 9016
set metric 3 |
|
Definition
When performing redistribution, pay attention to summary routes. Summary routes are installed on rip as EIGRP internal routes to Null0. During redistribution tasks, keep in mind to filter out summaries, to avoid unwanted propagation of these routes to other domains.
ip prefix-list SUMMARY permit 10.7.0.0/16
ip prefix-list SUMMARY permit 10.75.0.0/16
route-map eigrp>rip deny 15
match ip address prefix-list SUMMARY |
|
|
Term
EIGRP - Unicast Updates
Your neighbor is: 10.75.90.20
You can get to it via fa0/0.20
router eigrp 126
eigrp router-id 10.7.10.10
no auto-summary
network 10.75.90.10 0.0.0.0 |
|
Definition
router eigrp 126
neighbor 10.75.90.20 fa0/0.20 |
|
|
Term
OSPF - Unicast Updates
Your neighbor is: 10.75.90.20
You can get to it via fa0/0.20
router ospf 1
router-id 10.75.90.10 |
|
Definition
router ospf 1
neighbor 10.75.90.20
int fa0/0
ip ospf network non-broadcast |
|
|
Term
|
Definition
|
|
Term
How do you verify if unicast is being sent to your neighbor via EIGRP? |
|
Definition
R1#sh ip eigrp int detail
...
IP-EIGRP interfaces for process 126
Hello interval is 5 sec
Next xmit serial
Un/reliable mcasts: 0/0 Un/reliable ucasts: 3/3
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is md5, key-chain is "EIGRP"
Use unicast |
|
|
Term
Can you take this route-map and do the one below?
route-map eigrp>rip permit 10
match tag 160
set metric 6
route-map eigrp>rip permit 20
match tag 9016
set metric 6
route-map eigrp>rip permit 30
match tag 110
set metric 6
This one:
route-map eigrp>rip permit 10
match tag 160 9016 110
set metric 6 |
|
Definition
|
|
Term
You are redistributing from AS 90126 into RIP. Connected to RIP are two stub networks. EIGRP 9016 and ODR (tag 160). What is missing for statement 20?
route-map eigrp>rip deny 10
match tag 120
route-map eigrp>rip 20
route-map eigrp>rip permit 30
match tag 110
set metric 6
route-map eigrp>rip permit 40
set tag 90126
set metric 3 |
|
Definition
route-map eigrp>rip deny 20
desc no need to put this stub networks back into RIP
match tag 160 9016 |
|
|
Term
BGP - It is BEST PRACTICE to peer using loopbacks for iBGP neighbors |
|
Definition
|
|
Term
BGP - Don't ALWAYS assume that you have two RR in a BGP AS - that you need to use BGP cluster-id's.
Save this for when each client is peering to both. I just made a mistake! |
|
Definition
|
|
Term
Configure an as-path access-list for traffic destined to AS 2 |
|
Definition
|
|
Term
BGP -
Is MED compared after or before as-path? |
|
Definition
MED is compared after as-path. |
|
|
Term
BGP -
You have two peers to AS1234 and AS01234. Your routers are R1 and R2. AS1234 is advertising a MED of 10000 via peer 1 and a MED of 500 from peer 2 in the other AS.
Which Path is preferred? |
|
Definition
By default, MED is compared only if the prefix is received from neighbors in the same AS! |
|
|
Term
You are R7. You look at R8's BGP table for routes terminating or originating inside AS 6427.
R8#sh ip bgp regex ^6427$
Network Next Hop Metric
*> 10.7.90.0/24 10.75.1.70
* i 10.7.10.10 0
R8 has a backup path through another iBGP neighbor. You want to influence R8 to use its iBGP neighbor. How would you do this?
1. Create an as-path access-list
2. Build the route-map
3. Apply it to your 10.75.1.80 neighbor (R8)
4. Your BGP AS is 6427 |
|
Definition
router bgp 6427
neighbor 10.75.1.80 route-map med-out out
ip as-path access-list 7 permit ^$
route-map med-out permit 10
match as-path 7
set metric 1000
route-map med-out permit 20
Results:
R8#sh ip bgp regex ^6427$
Network Next Hop Metric
r 10.7.90.0/24 10.75.1.70 1000
r>i 10.7.10.10 0 |
|
|
Term
BGP/MPLS/OSPF SHAM LINK
int lo7
ip vrf forwarding V7
ip add 10.78.7.7 255.255.255.255
router ospf 100 vrf V7
area 0 sham-link 10.78.7.7 10.78.4.4
router bgp 6427
address-family ipv4 vrf V7
network 10.78.7.7 mask 255.255.255.255
--
int lo4
ip vrf forwarding V4
ip add 10.78.4.4 255.255.255.255
router ospf 100 vrf V4
area 0 sham-link 10.78.4.4 10.78.7.7
router bgp 6427
address-family ipv4 vrf V4
network 10.78.4.4 mask 255.255.255.255 |
|
Definition
|
|
Term
IPv6 -
To simplify the IPv6 deployment, configure the IPv6 address using the name "V6NET" representing the first 16 bits.
R6:
s0/1/0 FE80::60
s0/1/0 FC05::60/64
Configure it:
ipv6 unicast-routing
int s0/1/0 |
|
Definition
ipv6 unicast-routing
ipv6 general-prefix V6NET FC05::/16
int s0/1/0
ipv6 add fe80::60 link-local
ipv6 add V6NET ::60/64 |
|
|
Term
IPv6 -
You're a spoke router R4; your Hub router is R2 via DLCI 602 and IPv6 IP (::20). What is missing?
int s0/1/0
ipv6 add fe80::60 link-local
ipv6 add V6NET ::60/64
frame-relay map ipv6 fe80::20 602 broadcast
frame-relay map ipv6 fc05::20 602
frame-relay map ipv6 fc05::40 602 |
|
Definition
Nothing! When you are a spoke, you only need to map the link-local address of the Hub (link local :) then map the IP address to that DLCI.
If you were a HUB (like R2); it would look like this:
int s0/1/0
frame-relay map ipv6 fe80::60 206 broadcast
frame-relay map ipv6 fc05::60 206
frame-relay map ipv6 fe80::40 214 broadcast
frame-relay map ipv6 fc05::40 214 |
|
|
Term
IPv6 -
You have to configure the IPv6 address:
R7:
fa0/1 FE80::70
fa0/1 FC05:0:0:30::70/64
Configure a general prefix for this network representing the first 16 bits. Name it "V6NET" |
|
Definition
ipv6 unicast-routing
ipv6 general-prefix V6NET FC05::/16
int fa0/1
ipv6 add fe80::70 link-local
ipv6 add V6NET ::30:0:0:0:70/64
Note: General Prefix always terminates with a double colon ("::"), precluding (making impossible) the use of another double colon in the address. |
|
|
Term
IPv6 - Remember, with IPv6 you don't need to map your own IP address to the DLCI to be able to ping it. |
|
Definition
|
|
Term
aaa new-model
enable password cisco
[what's missing here?]
config t
aaa authentication login default none
aaa authentication login VTY local
aaa authorization exec VTY local
username cisco priv 15 view root password cisco
username restricted priv 15 view restricted password lame
parser view restricted
secret cisco
commands exec include ping
commands exec include show
commands exec include exit
ip domain-name ipexpert.com
crypto key gen rsa 1024
line vty 0 15
transport input ssh
login authentication VTY
authorization exec VTY |
|
Definition
enable view root
(confirm with "show parser view") |
|
|
Term
You have a router R1 providing DHCP to a switch. You are performing static assignment for the Cat1 IP address.
By default; a client-identifier is 01+the mac-address. But when option 82 information is enabled it becomes this 63 byte string (HUGE client-identifier).
To accept the DHCP request with the Option 82 information from Cat1 you must trust the information relayed from Cat1 on Gi0/0.21.
What is the command? |
|
Definition
int gi0/0.21
ip dhcp relay information trusted
Context Help:
R1(config-if)#ip dhcp relay information ?
...
trusted Received DHCP packet may contain relay info option with zero giaddr
R1(config-if)#ip dhcp relay information trusted ? |
|
|
Term
Add a crypto key in only one line of command! This should be used for SSH. |
|
Definition
crypto key gen rsa general-keys modulus 1024 |
|
|
Term
You have the following NAT configuration; Can you NAT to other "outside" interfaces if the NAT-to-IP is directly connected to your gi0/0.26 interface?
int gi0/0.1
ip nat inside
int gi0/0.26
!ip add 70.18.26.2 255.255.255.0
ip nat outside
int gi0/0.25
ip nat outside
int s0/1/0.215
ip nat outside
ip nat inside source stati tcp 70.18.21.21 22 70.18.26.10 22
access-list 1 permit 70.18.21.0 0.0.0.255
ip nat pool vlan21 70.18.26.150 70.18.26.150 prefix-le 24
ip nat inside source list 1 pool vlan21 overload |
|
Definition
|
|
Term
IPv6 - What is 6to4 Tunnel network prefix?
This is that prefix that you would create the static routes to.
Source this tunnel from this new loopback4, with IP address 120.49.64.4/32. What is the HEX value?
The remote 6to4 tunnel will be sourced from 3.3.3.3 with the last IPv6 octet being ::13. Use ::4 on R4.
Create the loopback and the tunnel!
Create the static route to this 6to4 tunnel |
|
Definition
2002::/16
Hex: 7831:4004 > 2002:7831:4004::4
Hex: 0303:0303 > 303:303 > 2002:303:303::13
int lo4
ip add 120.49.64.4 255.255.255.255
int tu0
ipv6 add 2002:7831:4004::4/128
tunnel source lo4
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tu0 |
|
|
Term
IPv6 OSPF neighbor unicast adjacency:
Problem: multicast is blocked on the LAN
Note: IPv6 uses neighbor discovery, which relies on the multicast address FF02::1, to map IPv6 neighbors on a network. Since neighbor discovery messages are not taking place, IPv6 "ARP" cannot map the directly connected neighbors.
What needs to be configured on each router?
r1
int fa0/0
ipv6 ospf network non-broadcast
ipv6 ospf neighbor fe80::2
r2
ipv6 ospf network non-broadcast
ipv6 ospf neighbor fe80::1 |
|
Definition
r1
ipv6 neighbor 2120:49:44::2 fa0/0 0019.0606.71c1
r2
ipv6 neighbor 2120:49:44::1 fa0/0 0019.0606.71c2 |
|
|
Term
IPv6 - How do you disable RIP split horizon in IPv6? |
|
Definition
ipv6 router rip RIPng
no split-horizon |
|
|
Term
REVIEW -
ip nbar port-map http tcp 80 8080 8088
time-range work-weekdays
periodic weekdays 8:00 to 16:59
access-list 108 permit ip any any time-range work-weekdays
class-map match-any SITES
match protocol http host *youtube.com
match protocol http host *facebook.com
class-map BLOCK-SITES
match access-group 108
match class-map SITES
policy-map block-websites
class BLOCK-SITES
drop
int s0/0/0
service-policy output block-websites |
|
Definition
|
|
Term
ACL - Create an access-list numbered 146 to match DSCP EF |
|
Definition
access-list 146 permit ip any any dscp ef |
|
|
Term
Custom Queuing -
What does it start with in EXEC mode? |
|
Definition
|
|
Term
Custom Queuing - Review
access-list 146 permit ip any any dscp ef
queue-list 1 protocol ip 0 list 146
queue-list 1 protocol ip 1 tcp telnet
queue-list 1 protocol ip 2 tcp ftp
queue-list 1 default 3
int s0/1/0
custom-queue-list 1 |
|
Definition
|
|
Term
Custom Queuing -
What does it start with in interface mode?
How do you verify it ("show")? |
|
Definition
int s0/1/0
custom-queue-list 1
show queuing custom |
|
|
Term
SNMP - Allowing RO or RW from SNMP Networks/Host:
ip access-list standard SNMP-WRITE
permit host 10.75.40.45
ip access-list standard SNMP-READ
permit 10.75.0.0 0.0.255.255
snmp-server community ADMINS SNMP-WRITE
snmp-server community MONITOR ro SNMP-READ |
|
Definition
|
|
Term
SNMP - Sending Traps
You have enabled the following SNMP Traps on R1
snmp-server enable traps ospf state-change
snmp-server enable traps config
Send traps to 10.75.40.45 using version 2c and password TRAP! whenever the router is configured or an OSPF adjacency experiences a state change. |
|
Definition
snmp-server host 10.75.40.45 version 2c TRAP! config ospf |
|
|
Term
SNMP - Turning on Traps
Turn on the SNMP Trap for when a router is configured |
|
Definition
snmp-server enable traps config |
|
|
Term
SNMP - Enable the administrators to reload the router via SNMP |
|
Definition
snmp-server system-shutdown |
|
|
Term
IPS - You have to protect a MS-SQL server listening on tcp and udp 1433-1434 ports from attacks. Use the built-in intrusion prevention system signatures on R9. The server IP address is 10.7.90.100. When an attack is detected, generate a syslog message.
You have configured the following access list already:
access-list 101 permit tcp any host 10.7.90.100 range 1433 1434
access-list 101 permit udp any host 10.7.90.100 range 1433 1434
Apply the IPS to s0/2/0 and s0/2/1 |
|
Definition
ip ips notify log
ip ips name MS-SQL list 101
int s0/2/0
ip ips MS-SQL in
int s0/2/1
ip ips MS-SQL in |
|
|
Term
Security - Limit DoS attacks
You have the following access list already created:
access-list 101 permit tcp any host 10.7.90.100 range 1433 1434
access-list 101 permit udp any host 10.7.90.100 range 1433 1434
Limit the impact of DoS attacks, using an IOS security feature. Allow a maximum of 100 incomplete tcp sessions, randomly drop connections when this limit is reached. |
|
Definition
ip tcp intercept list 101
ip tcp intercept max-incomplete low 100 high 100
ip tcp intercept drop-mode random |
|
|
Term
CBAC - Create a CBAC inspect name called "PERMIT-JAVA". Make sure that only the users that match access list 10 are permitted to use Java.
access-list 10 permit 192.168.60.0 0.0.0.255 |
|
Definition
ip inspect name PERMIT-JAVA http java-list 10 |
|
|
Term
ip inspect name Internet ftp
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet icmp router-traffic
int fa0/0
ip access-group Internet in
ip inspect Internet out
ip access-list extended Internet
deny ip any any |
|
Definition
|
|
Term
Spanning-tree -
Enable 802.1w |
|
Definition
|
|
Term
Spanning-tree -
Enable 802.1s |
|
Definition
|
|
Term
Frame-Relay - What is NOT possible with the command below:
int s0/1/0
encapsulation frame-relay ietf
no frame-relay inverse-arp
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
frame-relay map ip 192.168.254.5 506
bandwidth 128
int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
bandwidth 128
no frame-relay inverse-arp
frame-relay interface-dlci 516 |
|
Definition
You cannot put "no frame-relay inverse-arp" on sub-interfaces. Move it to the interface.
R5(config-if)#int s0/1/0.1 point-to-point
R5(config-subif)#ip add 192.168.253.5 255.255.255.128
R5(config-subif)#no frame-relay inverse-arp
R5(config-subif)#bandwidth 128
R5(config-subif)#frame-relay interface-dlci 516
R5#sh run int s0/1/0.1
!
interface Serial0/1/0.1 point-to-point
bandwidth 128
ip address 192.168.253.5 255.255.255.128
frame-relay interface-dlci 516
end |
|
|
Term
If you are told to configure RFC 1490/2427 (IETF) on R2 s0/1/0.1 and the remaining interfaces will use default; what's missing?
int s0/1/0
encapsulation frame-relay
ip add 192.168.253.6 255.255.255.128
int s0/1/0.1 multipoint
ip add 192.168.254.6 255.255.255.128
bandwidth 128
no frame-relay inverse-arp
frame-relay map ip 192.168.254.2 602
frame-relay map ip 192.168.254.5 605
frame-relay map ip 192.168.254.6 605 |
|
Definition
int s0/1/0.1 multipoint
ip add 192.168.254.6 255.255.255.128
bandwidth 128
no frame-relay inverse-arp
frame-relay map ip 192.168.254.2 602 ietf
frame-relay map ip 192.168.254.5 605 ietf
frame-relay map ip 192.168.254.6 605 ietf |
|
|
Term
If you are told you are NOT allowed to use inverse-arp on R2 sub-interface; what is missing?
int s0/1/0
encapsulation frame-relay ietf
int s0/1/0.1 point-to-point
ip add 192.168.254.2 255.255.255.128
bandwidth 128
frame-relay interface-dlci 206 |
|
Definition
Nothing; you are already NOT using frame-relay inverse-arp on the sub-interface! |
|
|
Term
If you are told to configure RFC 1490/2427 on R2 s0/1/0 and the remaining interfaces will use default; what's missing?
int s0/1/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
bandwidth 128
int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
bandwidth 128
frame-relay interface-dlci 516 |
|
Definition
int s0/1/0
encapsulation frame-relay ietf <<<
int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
bandwidth 128
frame-relay interface-dlci 516 cisco <<< |
|
|
Term
PPP -
When configuring PPP. You can disable automatic host routes if both sides are in the same subnet (unless restricted to do so). How do you do that? |
|
Definition
|
|
Term
FRAME RELAY - Is the following configuration possible? Reference the inverse arp!
int s0/1/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.253.6 255.255.255.128
bandwidth 128
frame-relay map ip 192.168.253.5 615
int s0/1/0.1 multipoint
ip add 192.168.254.6 255.255.255.128
bandwidth 128
no frame-relay inverse-arp |
|
Definition
Yes - You HAVE to put "no frame-relay inverse-arp" on multipoint sub-interfaces when you are asked to disable. |
|
|
Term
If you are told to set the interface bandwidth to 128k bps; would you do it on the s0/1/0 or s0/1/0.1 sub interface?
int s0/1/0
shut
encapsulation frame-relay ietf
no frame-relay inverse-arp
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
frame-relay map ip 192.168.254.2 506
frame-relay map ip 192.168.254.5 506
int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
frame-relay interface-dlci 516 cisco |
|
Definition
Both!
int s0/1/0
shut
encapsulation frame-relay ietf
no frame-relay inverse-arp
bandwidth 128
ip add 192.168.254.5 255.255.255.128
frame-relay map ip 192.168.254.6 506
frame-relay map ip 192.168.254.2 506
frame-relay map ip 192.168.254.5 506
int s0/1/0.1 point-to-point
ip add 192.168.253.5 255.255.255.128
frame-relay interface-dlci 516 cisco
bandwidth 128 |
|
|
Term
PPP -
Note: On PPP links it's expected NOT to ping the same-interface address. |
|
Definition
|
|
Term
PPPoE Client - New Commands
int fa0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 1
int dialer1
mtu 1492
ip add negotiated
encapsulation ppp
ppp chap password Secure
dialer pool 1
dialer persistent <<<<<<< |
|
Definition
R1(config-if)#dialer ?
persistent Configure dialing without interesting traffic |
|
|
Term
PPPoE Server - New Command
int virtual-template 1
ip address 192.168.48.2 255.255.255.128
peer default ip address pool R1
encapsulation ppp
ppp authentication chap
no peer neighbor-route |
|
Definition
Gets rid of this:
R2(config)#do sh ip route
C 192.168.48.1/32 is directly connected, Virtual-Access1.1 |
|
|
Term
You are peering Cat3 to BB2 on vlan 12 using RIP. You're not learning routes. Then you debug and see:
Cat3#debug ip rip
*Mar 1 05:11:41.075: RIP: ignored v2 update from bad source 22.22.22.22 on Vlan12
You enable: router rip then no validate-update-source
You then learn your routes:
Cat3#sh ip route rip
R 192.168.243.0/24 [120/1] via 22.22.22.22, 00:00:01
R 192.168.242.0/24 [120/1] via 22.22.22.22, 00:00:01
R 192.168.241.0/24 [120/1] via 22.22.22.22, 00:00:01
R 192.168.240.0/24 [120/1] via 22.22.22.22, 00:00:01
Since you had to put in "no validate-update-source" - something must be wrong with the source. You do a "show ip route 22.22.22.22" and there isn't a route. What do you do? You cannot ping any of your RIP routes! |
|
Definition
Cat3#sh ip route 22.22.22.22
% Network not in table
Cat3(config)#ip route 22.22.22.22 255.255.255.255 vlan 12
Cat3#sh ip route 22.22.22.22
Routing entry for 22.22.22.22/32
Known via "static", distance 1, metric 0 (connected)
Redistributing via rip
Advertised by rip
Routing Descriptor Blocks:
* directly connected, via Vlan12
Route metric is 0, traffic share count is 1 |
|
|
Term
You are on Cat3 trying to send a RIP summary address out vlan 12 to BB1. You get the following error:
Cat3(config)#int vlan 12
Cat3(config-if)#ip summary-address rip 192.168.0.0 255.255.0.0
Summary mask must be greater or equal to major net
Cat3(config-if)#
What do you need to do? |
|
Definition
You have to do manually the same things that summarization does automatically:
>Configure a static route to null with less preferred AD
>Redistribute static into RIP
>Filter all other RIP routes to BB1
ip prefix-list SUMMARY-ONLY permit 192.168.0.0/16
router rip
redistribute static metric 1
distribute-list prefix SUMMARY-ONLY out vlan 12 |
|
|
Term
RIP - If in the Lab; you are using 192.168.x.0 subnets all over the network.
You do NOT need to set "passive-interface default" -- since all the networks are class C.
So, when you are advertising a loopback0 (192.168.6.1) interface; you can just do what instead? |
|
Definition
router rip
network 192.168.6.0
passive-interface loopback 0 |
|
|
Term
Create an access-list 7 that just matches ODD routes in the third octet only. |
|
Definition
access-list 7 permit 0.0.1.0 255.255.254.255 |
|
|
Term
OSPF -
When in the lab and you see two partitioned areas (area 12) for example. How would you repair this partitioned area to have consistent routing? |
|
Definition
You cannot use virtual-links in this case, because a virtual link belongs always to area 0. You would create a tunnel interface.
If you were asked not to add IP addresses, here is how you would perform this on the area border routers:
int tu0
ip unnumbered lo0
ip ospf 10 area 12
tunnel source gi0/1
tunnel destination 192.168.79.4
int tu0
ip unnumbered lo0
ip ospf 10 area 12
tunnel source fa0/0
tunnel destination 192.168.92.2 |
|
|
Term
Redistribution -
Just because you have all interfaces covered in a routing protocol and you are doing mutual redistribution and tagging in the entire network DOES NOT MEAN that you will have full reachability.
Depending on the underlying topology, you may need to redistribute connected!!!!!!!! |
|
Definition
|
|
Term
What's missing unless otherwise stated?
router bgp 1
bgp router-id 1.1.1.1
aggregate-address 172.31.132.0 255.255.252.0 |
|
Definition
|
|
Term
BGP -
Cat4 is advertising the following summary:
router bgp 344
aggregate-addr 172.31.132.0 255.255.252.0 summary-only as-set
On R8 (AS 289) you want to (upon receiving the agg) advertise the following networks that are currently NOT in the BGP routing table and keep them in this AS:
172.31.132.0/24
172.31.134.0/24
Top: [Cat4:192.168.72.4]---Ethernet---[R8:.8]
What would you use to make this happen and how? |
|
Definition
>BGP inject-map
ip prefix-list cat4-summary permit 172.31.132.0/22
ip prefix-list SUMMARY permit 172.31.132.0/24
ip prefix-list SUMMARY permit 172.31.134.0/24
ip prefix-list ROUTE-SOURCE permit 192.168.72.4/32
route-map INJECT permit 10
set ip address prefix-list SUMMARY
set community no-export
route-map EXISTS permit 10
match ip address prefix-list cat4-summary
match ip route-source prefix-list ROUTE-SOURCE
router bgp 289
bgp inject-map INJECT exist-map EXISTS |
|
|
Term
Your device is R9. It's connected to R7 via [fa0/0] to [fa0/1.45] on r7. You need to summarize the following two serial interfaces towards R7.
int s0/2/0
ipv6 add 2001:196::9/112
ipv6 rip IPv6RIP enable
int s0/2/1
ipv6 add 2001:169::9/112
ipv6 rip IPv6RIP enable
Once you have created the summary; you'll also need to have this summary installed on R7 with a metric of 6. Looking at R7's routing table; it's currently a metric of 2. |
|
Definition
R9
int fa0/0
ipv6 add 2001:45::9/112
ipv6 enable
ipv6 rip IPv6RIP enable
ipv6 rip IPv6RIP summary-address 2001:100::/24
R7
int fa0/1.45
ipv6 rip IPv6RIP metric-offset 5
(this is applied inbound on R7 since summaries are applied in incoming direction)
Look at your favorites under "CCIE R&S" for a CCIE Pilot link to learn more about IPv6 summary. |
|
|
Term
QoS -
Configure CAT2 port fa0/8 for queue 1 to shape outgoing traffic to 2% of interface bandwidth. Do not use a service policy to accomplish this task |
|
Definition
int fa0/8
srr-queue bandwidth shape 50 0 0 0
Cat2#sh mls qos int fa0/8 queueing
FastEthernet0/8
Egress Priority Queue : disabled
Shaped queue weights (absolute) : 50 0 0 0
Recall that the shaped bandwidth is 1/weight, so to obtain 2% of the bandwidth you have to configure a weight of 50: 1/50 = 0.02, which is 2%. |
|
|
Term
Cisco recommends the following values for the normal and extended burst parameters:
normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
extended burst = 2 * normal burst |
|
Definition
Cisco recommends the following values for the normal and extended burst parameters:
normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
extended burst = 2 * normal burst |
|
|
Term
You have four switches interconnected with spanning-tree. You have the following configuration. What is needed on cat1/2?
cat4
vlan 789
remote-span
monitor session 1 source interface fa0/7 - 9 both
monitor session 1 destination remote vlan 789
cat3
vlan 789
remote-span
monitor session 1 source remote vlan 789
monitor session 1 destination interface fa0/10 |
|
Definition
|
|
Term
Configure R7 to provide an encrypted connection and limit failed logins to 3 in 1 minute.
If the maximum failed logins number is reached, do not accept further logins for 2 minutes, except for IP addresses on vlan 45 (192.168.45.0/25). |
|
Definition
ip domain-name ipexpert.com
crypto key gen rsa mod 1024
line vty 0 15
transport input ssh
login block-for 120 attempts 3 within 60
login quiet-mode access-class 1
access-list 1 permit 192.168.45.0 0.0.0.127 |
|
|
Term
Configure R7 to send all configuration commands issued on R7 to a syslog server with IP 192.168.17.17, do not send any password to syslog server. |
|
Definition
logging host 192.168.17.17
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys |
|
|
Term
On R8 allow three web servers with the IP address 192.168.72.101 , 192.168.72.102 and 192.168.72.103 to be accessed as a single server via the ip 192.168.72.100 from
CAT1 networks via fa0/1: 192.168.32.0 255.255.255.128 192.168.11.0 255.255.255.128
Vlan 72 is 192.168.72.0/25 connected to fa0/0 |
|
Definition
ip nat pool real-hosts 192.168.72.101 192.168.72.103 prefix-length 25 type rotary
ip nat inside destination list 101 pool real-hosts
access-list 101 permit tcp 192.168.32.0 0.0.0.127 host 192.168.72.100 eq 80
access-list 101 permit tcp 192.168.11.0 0.0.0.127 host 192.168.72.100 eq 80
int fa0/0
ip nat inside
int fa0/1
ip nat outside |
|
|
Term
What configuration is required on a Catalyst switch connected to hosts (vlan 28) that are requesting an IP address from an upstream Cisco router that is configured for DHCP?
The Catalyst switch is running DHCP snooping on vlan 28.
cat2
ip dhcp snooping vlan 28
ip dhcp snooping |
|
Definition
cat2
Answer: no ip dhcp snooping information option
DHCP snooping will insert option 82 information with the giaddr field set to 0.0.0.0.
Cisco routers acting as DHCP server will discard the request by default. You can solve this by instructing the switches not to set the giaddr field. Here we disabled the option 82 insertion only on Cat1, to have the dhcp client work! |
|
|
Term
How do you configure a Cisco IOS router to tolerate a Catalyst switch inserting option 82 information with the giaddr field set to 0.0.0.0, when the switch is running DHCP snooping on the same VLAN on which the DHCP host/client is requesting its IP address? |
|
Definition
R9
int fa0/0
ip dhcp relay information trusted |
|
|
Term
You have the following topology:
[R1:DHCP Client]-cat1-[R7:RELAY]-cat2-[R9:DHCP SERVER]
If configuring DHCP snooping; what interfaces would you configure DHCP Trust on?
cat1/2
ip dhcp snooping vlan 28
ip dhcp snooping
[R1]-fa0/1-cat1-fa0/7-[R7]-fa0/7-cat2-fa0/9-[R9] |
|
Definition
int fa0/7
ip dhcp snooping trust
The DHCP messages will be coming from R9 as unicast, then out of R7 as broadcast! So fa0/7 is connected to R7, from which the message will make its way to R1 on the same VLAN. |
|
|
Term
When configuring DHCP snooping and trust points on your network, in a normal lab with four Catalyst switches, what do you configure on each one in addition to the per-port trusting? |
|
Definition
You have to set all inter-switch trunks as dhcp snooping trusted ports, to provide redundancy in case of link failures.
int range po1 - 3
ip dhcp snooping trust
- This automatically turns on TRUST on all the L2 trunk ports connected to po1 - 3 (fa0/19 - 24) |
|
|
Term
What happens when you paste the following commands:
int range fa0/21 - 22
channel-group 13 mode on
int range fa0/21 - 22
no switchport
int po13
no switchport
ip add 192.168.60.1 255.255.255.192 |
|
Definition
The interface po13 would be DOWN. Why?
Because when you paste "no switchport", it removes the "channel-group 13 mode on" command.
int range fa0/21 - 22
no switchport
You must do it in the following order:
int range fa0/21 - 22
no switchport
channel-group 13 mode on |
|
|
Term
Storm Control - What is the default action when traffic thresholds are exceeded? |
|
Definition
silently discard
can be changed by: storm-control action trap/shutdown |
|
|
Term
You have configured the following:
Cat2#sh run int fa0/12
interface FastEthernet0/12
storm-control broadcast level pps 10
storm-control multicast level 5.00
Looking at the options below; would the falling thresholds need to be set to the same value as the rising threshold shown above?
Cat2(config-if)#storm-control broadcast level pps 10 ?
<0.0 - 10000000000.0>[k|m|g] Enter falling threshold
Cat2(config-if)#storm-control multicast level 5 ?
<0.00 - 100.00> Enter falling threshold |
|
Definition
Nope. It does it automatically. Verify when-in-doubt!
Cat2#sh storm-control multicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/12     Forwarding     5.00%        5.00%        0.00%
Cat2#sh storm-control broadcast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/12     Forwarding     10 pps       10 pps       0 pps |
|
|
Term
You are configuring frame-relay on the R2 s0/2/0 interface. You have been asked to set the bandwidth to 128 kbps; how do you do it with the configuration below?
[R5]-serial/frame-s0/2/0[R2]s0/2/0.1--frame-cloud--[RX]
R2:
int s0/2/0
encapsulation frame-relay
no frame-relay inverse-arp
int s0/2/0.1 multipoint
no frame-relay inverse-arp
ip add 192.168.0.132 255.255.255.128
frame-relay map ip 192.168.0.134 555 broadcast |
|
Definition
int s0/2/0
encapsulation frame-relay
clock rate 128000
int s0/2/0.1 multipoint
bandwidth 128 |
|
|
Term
You have the following: This is a back to back frame-relay configuration. You have the following DLCI requirements:
-Do not use the "no keepalive" command to disable LMI
-R2>R5 DLCI 255
-R5>R2 DLCI 522
Note: This is a little different than back to back frame-relay with one DLCI.
R2(DTE):
int s0/2/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.25.132 255.255.255.128
frame-relay map ip 192.168.25.135 255 broadcast
frame-relay map ip 192.168.25.132 255
R5:
frame-relay switching
int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce
no frame-relay inverse-arp
ip add 192.168.25.135 255.255.255.128
frame-relay map ip 192.168.25.132 522 broadcast
frame-relay map ip 192.168.25.135 522 broadcast |
|
Definition
R2:
int s0/2/0
encapsulation frame-relay
no frame-relay inverse-arp
ip add 192.168.25.132 255.255.255.128
frame-relay map ip 192.168.25.135 255 broadcast
frame-relay map ip 192.168.25.132 255
frame-relay interface-dlci 255
frame-relay local-dlci 522
R5:
frame-relay switching
int s0/2/0
encapsulation frame-relay
frame-relay intf-type dce
no frame-relay inverse-arp
ip add 192.168.25.135 255.255.255.128
frame-relay map ip 192.168.25.132 522 broadcast
frame-relay map ip 192.168.25.135 522 broadcast
frame-relay interface-dlci 522
frame-relay local-dlci 255 |
|
|
Term
When configuring the following, what is also required to have R6 forward the DHCP broadcast (as unicast) towards the DHCP server?
interface Virtual-Template1
ip address 192.168.60.136 255.255.255.128
ppp authentication pap
peer default ip address dhcp
R6(config-if)#peer default ip address ?
dhcp Use DHCP proxy client mechanism to allocate a peer IP
dhcp-pool Use local DHCP pools to allocate a peer IP address
pool Use IP pool mechanism to allocate a peer IP address |
|
Definition
ip dhcp-server 192.168.0.134
ip address-pool dhcp-proxy-client |
|
|
Term
RIP - You have the following configuration. You are peered with R1 via RIP. R1 must receive a default route from CAT4, but with a metric of 15.
Cat1:
router rip
version 2
no auto-summary
passive-interface default
no passive-interface vlan10
network 10.20.14.0 |
|
Definition
router rip
default-information originate route-map default
route-map default
set metric 15
R1:
R* 0.0.0.0/0 [120/15] via 10.20.14.4, 00:00:11, FastEthernet0/1 |
|
|
Term
RIP - You are told to configure RIP on R1 and advertise Loopback0 on R1; use only a single network statement on R1.
R1 has two different networks. How do you do this?
router rip
version 2
no auto-summary |
|
Definition
router rip
network 0.0.0.0
passive-interface lo0
It's a good practice to use passive interfaces in order to control the outgoing RIP updates, even if it's not specified on the task. |
|
|
Term
RIP - You have the following configuration. You are peered with R1 via RIP. R1 must receive a default route from CAT4, but not propagate it to R1's Peer BB3.
Cat1:
router rip
version 2
no auto-summary
R1:
router rip
version 2
no auto-summary |
|
Definition
Cat1:
router rip
default-information originate
R1:
ip prefix-list NO-DEFAULT deny 0.0.0.0/0
ip prefix-list NO-DEFAULT permit 0.0.0.0/0 le 32
router rip
distribute-list prefix NO-DEFAULT out fa0/0 |
|
|
Term
OSPF - You have the following Routers and Loopbacks: You want to advertise the subnets into OSPF area 0. How would you do this? You cannot use any network statements under process 2.
R1
int lo0
ip add 192.168.50.1 255.255.255.0
R4
int lo0
ip add 192.168.60.4 255.255.255.128
R9
int lo0
ip add 192.168.90.9 255.255.255.255
R10
int lo0
ip add 192.168.30.10 255.255.255.248 |
|
Definition
Since the loopback is a /32, you are not required to modify the default network type on loopbacks.
R1
int lo0
ip ospf 2 area 0
ip ospf network point-to-point
R4
int lo0
ip ospf 2 area 0
ip ospf network point-to-point
R9
int lo0
ip ospf 2 area 0
R10
int lo0
ip ospf 2 area 0
ip ospf network point-to-point |
|
|
Term
OSPF - What is the default OSPF network type for the following interface?
R9:
interface Virtual-Template1
ip address negotiated
ip ospf 2 area 22 |
|
Definition
R9#sh ip ospf int virtual-template1
Virtual-Template1 is down, line protocol is down
Internet Address 0.0.0.0/0, Area 22
Process ID 2, Router ID 192.168.255.9, Network Type POINT_TO_POINT, Cost: 1
or
R9#sh ip ospf int virtual-access1
Virtual-Access1 is up, line protocol is up
Internet Address 192.168.49.139/32, Area 22
Process ID 2, Router ID 192.168.255.9, Network Type POINT_TO_POINT, Cost: 1 |
|
|
Term
OSPF - You have PPP in area 22 links and you want to avoid the propagation of these routes to other areas. How do you do it?
router ospf 2 |
|
Definition
You can use summarization on ABRs.
Example:
router ospf 2
area 22 range 192.168.60.0 255.255.255.128
area 22 range 192.168.49.0 255.255.255.128 |
|
|
Term
Redistribution - There is no need to tag routes redistributed into an isolated routing protocol if there are no return paths for these routes. |
|
Definition
|
|
Term
Redistribution - When doing redistribution, make sure to read each routing protocol's redistribution requirements, just in case you have to modify your current redistribution to make a task work on another redistribution task. |
|
Definition
|
|
Term
EIGRP - By looking at the below info; your Reported Distance (FD) is 145920. You need to load balance between each path. Currently only the path through Port-channel13 is in the routing table. How would you do so? All the info is below for your configuration!
Cat3#sh ip eigrp top 192.168.255.44/32
EIGRP-IPv4:(46) (AS 46): Topology entry 192.168.255.44/32
1 Successor(s), FD is 145920
Descriptor Blocks:
172.29.13.1 (Port-channel13), from 172.29.13.1
Composite metric is (145920/143360), Route is Internal
Vector metric:
Minimum bandwidth is 200000 Kbit
Total delay is 5200 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1508
Hop count is 2
172.29.60.4 (Vlan60), from 172.29.60.4
Composite metric is (158976/158720), Route is Internal
Vector metric:
Minimum bandwidth is 100000 Kbit
Total delay is 5210 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 3
|
|
Definition
Note: The second route has a RD of 158720. This is HIGHER than the current FD of this route (145920).
You CANNOT use variance in this scenario!
You'll need an offset list. Subtract from the FD!!!! 158976-145920=13056
access-list 1 permit 192.168.255.44 0.0.0.0
router eigrp 46
offset-list 1 in 13056 po13 |
|
|
Term
On Cat4 you have the following configuration. Do you need the sequence 10?
Cat4(config-router)#
D 192.168.255.11 [90/143360] via 172.29.14.1, 01:48:39, Po14
D 192.168.255.33 [90/145920] via 172.29.14.1, 01:48:38, Po14
C 192.168.255.44 is directly connected, Loopback0
route-map rip>eigrp deny 10
match ip address prefix-list default
route-map rip>eigrp permit 20
set tag 123
set metric 100000 100 255 1 1500
router rip
default-information originate |
|
Definition
Nope! Unless Cat4 has a default route in its routing table via RIP, there is no need for it. |
|
|
Term
BGP - What are the well-known mandatory attributes? |
|
Definition
ORIGIN, AS_PATH, NEXT_HOP |
|
|
Term
IPv6/EIGRP - You have the following configuration; would this work? Yes/No - If No, what command would you be referencing?
ipv6 unicast-routing
ipv6 router eigrp 78
no shut
int lo0
ipv6 add 3001:255::7/128
interface Serial0/0/0
ipv6 eigrp 78
ipv6 unnumbered Loopback0 |
|
Definition
|
|
Term
ISATAP tunnels use a modified version of ____ address to provide automatic connectivity through the IPv4 cloud. |
|
Definition
|
|
Term
You are unable to ping R9 tunnel interface via a far endpoint. All other device configuration is correct. Here is R9's configuration. What is the problem?
R9# sh run int virtual-template1
interface Virtual-Template1
ip address negotiated
int tu0
ipv6 add 3001::/64 eui-64
tunnel source virtual-template1
tunnel mode ipv6ip isatap |
|
Definition
On R9 you have to configure the IP address manually as the tunnel source; you cannot use the virtual-template interface, since virtual-template is configured to use dhcp.
int tu0
ipv6 add 3001::/64 eui-64
tunnel source 192.168.49.139
tunnel mode ipv6ip isatap
You won't be able to ping this end-point unless you do this. The tunnel0 would be down. |
|
|
Term
IPv6 - ISATAP Tunnels are a non-broadcast multipoint network, you can configure OSPF by setting the correct network type and manually specifying neighbors.
You are on R8. You have three end-points:
R7| 3001::5EFE:A14:2F07
R5| 3001::5EFE:AC1D:2805
R9| 3001::5EFE:C0A8:318B |
|
Definition
Note - You MUST use Link Local Addresses!
int tu0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-multipoint non-broadcast
ipv6 ospf neighbor FE80::5EFE:A14:2F07
ipv6 ospf neighbor FE80::5EFE:AC1D:2805
ipv6 ospf neighbor FE80::5EFE:C0A8:318B
R5(config-if)#ipv6 ospf neighbor 3001::5EFE:A14:1208
OSPFv3: Neighbor address needs to be a link-local address |
|
|
Term
What Multicast Group is this for?
224.0.0.13 |
|
Definition
Protocol Independent Multicast (PIM) Version 2 |
|
|
Term
What Multicast Group is this for?
224.0.0.22 |
|
Definition
Internet Group Management Protocol (IGMP) Version 3 |
|
|
Term
You are asked to configure SSM Multicast and have a few routers become clients via loopback0 using IGMP.
Your current configuration:
ip multicast-routing
ip pim ssm default
int lo0
ip pim sparse-mode
ip igmp join-group 235.1.1.1 source 192.168.255.44
What needs to be added? What is wrong with the above config? |
|
Definition
ip pim ssm range 1
access-list 1 permit host 235.1.1.1
The default SSM range is 232/8
R1(config)#ip pim ssm ?
default Use 232/8 group range for SSM |
|
|
Term
What is the default SSM range for Source Specific Multicast (SSM)?
How do you change it to 235.1.1.1? |
|
Definition
R1(config)#ip pim ssm ?
default Use 232/8 group range for SSM
How to change it:
ip pim ssm range 1
access-list 1 permit host 235.1.1.1 |
|
|
Term
You enabled the following frame-relay compression:
int s0/1/0
frame-relay map ip 192.168.0.134 624 broadcast compress
frame-relay map ip 192.168.0.136 624 compress
frame-relay map ip 192.168.0.132 624 compress
How do you verify this? show... |
|
Definition
R6#show frame-relay map
Serial0/1/0 (up): ip 192.168.0.132 dlci 624(0x270,0x9C00), static, CISCO, status defined, active
TCP/IP Header Compression (enabled), connections: 256
RTP Header Compression (enabled), connections: 256 |
|
|
Term
QoS - Look at this output; how do you make the "Appliance Trust" set to 1?
Cat3#sh int fa0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
[..]
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none |
|
Definition
int fa0/10
switchport priority extend cos 1 |
|
|
Term
Configure port fa0/10 to use vlan 10 for data and vlan 40 for voice traffic. Force the IP phones to assign COS 1 to data traffic.
mls qos
int fa0/10 |
|
Definition
int fa0/10
switchport mode access
switchport access vlan 10
switchport voice vlan 40
switchport priority extend cos 1
mls qos trust cos
mls qos trust device cisco-phone |
|
|
Term
Configure R1 to send all HTTP traffic directed to BB3 networks to a web cache with IP address 10.20.14.60.
R1-fa0/0(10.20.14.0/26) | fa0/1(10.20.13.0/26) | BB3 |
|
Definition
ip access-list standard WCCP
permit host 10.20.14.60
ip wccp web-cache
ip wccp web-cache group-list WCCP
interface FastEthernet0/1
ip wccp web-cache redirect in |
|
|
Term
IPv6 Access list -
You have created the following ACL. You need to apply this on interface Tunnel0 (inbound). How do you do it?
ipv6 access-list Block
deny ipv6 host 3001:255::9 host 3001:255::8
deny ipv6 host 3001:255::5 host 3001:255::8
permit ipv6 any any |
|
Definition
int tu0
ipv6 traffic-filter Block in |
|
|
Term
int fa0/0
ip add 192.168.60.1 255.255.255.0
ip nat outside
int fa0/1
ip add 192.168.61.1 255.255.255.0
ip nat inside
ip nat inside destination list LOAD_BALANCE pool ROTARY
ip nat pool ROTARY prefix-length 24 type rotary
address 192.168.61.2 192.168.61.2
address 192.168.61.3 192.168.61.3
ip access-list extended LOAD_BALANCE
permit tcp any host 192.168.60.1 eq telnet |
|
Definition
|
|
Term
How to figure out the TOS from Precedence...multiply it by 32! Precedence of 3 would be TOS 96. It's easy to turn on IP Accounting for precedence packets...'ip accounting precedence' but the regular 'show ip accounting' does not show anything. Instead you need to 'show interface s0/1 precedence'. |
|
Definition
|
|
Term
R1
ip nat stateful id 1 primary 1.1.1.1 peer 2.2.2.2 mapping-id 5
R2
ip nat stateful id 2 backup 2.2.2.2 peer 1.1.1.1 mapping-id 5
ip nat inside source list 1 pool Pool1 mapping-id 5
ip nat pool Pool1 192.168.60.1 192.168.60.2 prefix-length 24 |
|
Definition
|
|
Term
IP SLA, VRRP and HSRP are all pretty simple. GLBP can be slightly more difficult, only because of the load-balancing aspect to it. The weighting always trips me up, but to do a 2:1 ratio, just do the following:
R4(config-if)#glbp 146 weighting 20
R4(config-if)#glbp 146 load-balancing weighted
R6(config-subif)#glbp 146 weighting 10
R6(config-subif)#glbp 146 load-balancing weighted |
|
Definition
|
|
Term
Something pretty easy - you can have DHCP update ARP. And then you can only allow authorized arp entries thus disabling dynamic ARP.
ip dhcp pool VL146
network 155.1.146.0 255.255.255.0
default-router 155.1.146.4 155.1.146.6
dns-server 155.1.146.4 155.1.146.6
lease 0 12
update arp
ip dhcp pool R1
host 155.1.146.11 255.255.255.0
client-identifier 01c2.0005.c500.00
update arp
interface FastEthernet0/0.146
encapsulation dot1Q 146
ip address 155.1.146.6 255.255.255.0
ip rip advertise 10
arp authorized
If not all hosts are DHCP, you need to statically add their ARP entries; 'arp 155.1.146.4 1234.5678.90AB.CDEF'. |
|
Definition
|
|
Term
Example: Configuring IRDP (Server)
The following example shows how to configure IRDP on a router:
Router(config)# interface fastethernet 0/1
Router(config-if)# no shutdown
Router(config-if)# ip address 172.16.10.1 255.255.255.0
Router(config-if)# ip irdp
Router(config-if)# ip irdp multicast
Router(config-if)# ip irdp holdtime 120
Router(config-if)# ip irdp maxadvertinterval 60
Router(config-if)# ip irdp minadvertinterval 10
Router(config-if)# ip irdp preference 900
Router(config-if)# ip irdp address 192.168.10.2 90 |
|
Definition
Client Command:
R2(config)#ip gdp irdp
R2(config)#ip gdp ?
eigrp Discover routers transmitting EIGRP router updates
irdp Discover routers transmitting IRDP router updates
rip Discover routers transmitting RIP router updates
IRDP Overview
ICMP Router Discovery Protocol (IRDP) allows hosts to locate routers that can be used as a gateway to reach IP-based devices on other networks. When the device running IRDP operates as a router, router discovery packets are generated. When the device running IRDP operates as a host, router discovery packets are received. |
|
|
Term
ip dhcp pool POOL
network 192.168.61.0 255.255.255.0
class VLAN61
address range 192.168.61.3 192.168.61.3
ip dhcp class VLAN61
relay agent information
relay-information hex 00000000*
debug ip dhcp server class
ip dhcp class VLAN61
relay agent information
no relay-information hex 00000000*
relay-information hex 020c020a0000c0a83d01010000000606564c414e3631 |
|
Definition
|
|
Term
bridge irb
bridge 100 protocol ieee
no bridge 100 bridge appletalk
int bvi 100
ip add 10.10.10.1 255.255.255.0
int fa0/0
bridge-group 100
int fa0/1
bridge-group 100 |
|
Definition
|
|
Term
BGP, OSPF>BGP
-By default ONLY OSPF intra-area and inter-area routes are redistributed into BGP |
|
Definition
|
|
Term
Refresh BGP:
http://www.bbfish.net/router/router_7511.html |
|
Definition
|
|
Term
BGP private 64,512 - 65,535 |
|
Definition
|
|
Term
If you are asked to create the following VLANs on your VTP server:
vlan 100,200,12,67
spanning-tree vlan 12,67,100 priority 0
Then you are asked to create trunks between switches as shown:
int range fa0/21 - 22
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 123
channel-group 21 mode on
no shut
What's missing? |
|
Definition
vlan 100,200,12,67,123
spanning-tree vlan 12,67,100 priority 0
Don't forget about vlan 123 - I wasn't told to make this switch the root for vlan 123. |
|
|
Term
show vtp status shows this:
Local updater ID is 35.35.35.35 on interface Lo1 (preferred interface)
Preferred interface name is Loopback1 (mandatory)
You configured what? |
|
Definition
vtp interface Loopback1 only
The "only" keyword makes it "mandatory". For preferred only, leave off "only". |
|
|
Term
When configuring this:
int s0/2/0
ppp lcp predictive
ppp ipcp predictive
You need to do this on both sides!!!!!! |
|
Definition
|
|
Term
If both of your routers are setup like this; what command is required?
username T3ST123 password PPPoverFr@m3
int s0/1/0
frame-relay interface-dlci 504 ppp virtual-template 1
int virtual-template 1
ip add 141.141.45.5 255.255.255.0
ppp authentication chap
no ppp chap ignoreus
ppp chap hostname T3ST123 |
|
Definition
int virtual-template 1
no ppp chap ignoreus |
|
|
Term
OSPF - Configure area 12 and you should use the option discussed in RFC 158 |
|
Definition
|
|
Term
ip multicast boundary access-list [filter-autorp]
Example:
Router(config-if)# ip multicast boundary 10 filter-autorp
Configures an administratively scoped boundary.
•Perform this step on the interfaces that are boundaries to other routers.
•The access list is not shown in this task.
•An access list entry that uses the deny keyword creates a multicast boundary for packets that match that entry. |
|
Definition
|
|
Term
When redistributing; ensure that on the redistributing routers; all connected interfaces are in the respective routing protocol.
If you were asked to create a tunnel (i.e.:)
int tu69
ipv6 add 2001:DB8:5:9::9/64
tunnel source lo0
tunnel destination 166.5.5.5
tunnel mode ipv6ip
ipv6 ospf 2 area 0
Then make sure this is in the routing protocols (if you were asked for full reachability -- that always! |
|
Definition
|
|
Term
ZBF - Is this configured completely?
zone security INSIDE
zone security OUTSIDE
int fa0/1.789
zone-member security OUTSIDE
int mu69
zone-member security INSIDE
class-map type inspect smtp-traffic
match protocol smtp
policy-map type inspect drop-smtp
class type inspect smtp-traffic
drop
zone-pair security zp1 source OUTSIDE destination INSIDE
service-policy type inspect drop-smtp |
|
Definition
You are dropping all other traffic!!!!
R9#sh policy-map type inspect zone-pair zp1
policy exists on zp zp1
Zone-pair: zp1
Service-policy inspect : drop-smtp
Class-map: smtp-traffic (match-all)
Match: protocol smtp
Drop 4 packets, 96 bytes
Class-map: class-default (match-any)
Match: any
Drop 13 packets, 585 bytes
R9#
policy-map type inspect drop-smtp
class type inspect smtp-traffic
drop
class class-default
pass |
|
|
Term
When you redistribute internal networks into BGP (from OSPF, for example), you will MOST LIKELY have to redistribute BGP back into the other protocol (example: RIP). The router was learning this network from the internal routing protocols, and the ABR router is no longer redistributing it into the RIP domain because it is now learning it via BGP and not via eigrp>rip, where it was redistributing. |
|
Definition
|
|
Term
Multicast Boundary
Always DENY the groups you want the boundary to take effect for. Then PERMIT the rest.
access-list 1 deny 224.1.0.0 15.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
int fa0/0.74
ip multicast boundary 1 filter-autorp |
|
Definition
|
|
Term
1 millisecond (ms) = 1000 microseconds (µs) and 1 second (s) = 1,000,000 microseconds (10^6 µs) |
|
Definition
|
|
Term
MTU when enabling 802.1Q Tunneling? |
|
Definition
1504 (then save/reboot switch) |
|
|
Term
AD of ODR (On Demand Routing) |
|
Definition
160
Rack17R5#show ip route odr
150.17.0.0/24 is subnetted, 5 subnets
o 150.17.4.0 [160/1] via 155.17.0.4, 00:00:06, Serial0/0/0 |
|
|
Term
Frame Relay: Is CDP Enabled by default on interface s0/0/0? |
|
Definition
|
|
Term
Frame Relay: Is CDP Enabled by default on interface s0/0/0.1 point-to-point? |
|
Definition
|
|
Term
Frame Relay: Is CDP Enabled by default on interface s0/0/0.2 multipoint? |
|
Definition
|
|