Notes to Self: IPexpert Security Lab A

February 9th, 2009

These are mostly notes for my own benefit as I work through various labs. In this case, I only worked on specific sections of lab A, as I was a bit short on time.

Section 1: Layer 2 configuration

- when creating an SVI for a given VLAN, always make sure the VLAN itself exists on all switches in the transit path for that VLAN.

- if the lab specifies restricting “management access”, don’t forget to check if the HTTP server is enabled and add a similar access class to it as to the VTYs.

- Filtering traffic by ethertype

mac access-list extended F0_15
  deny   any any 0x1234 0x0
  permit any any
!
int fa0/15
  mac access-group F0_15 in
!

- VLAN filtering by MAC address

mac access-list extended VL123
  permit host 0000.1234.4321 host 0000.4321.1234
!
vlan access-map VL123 10
  action forward
  match mac address VL123
vlan access-map VL123 999
  action drop
!
vlan filter VL123 vlan-list 123

No real problems with this section other than interpretation on the VLAN filtering. In a lab, I’d ask the proctor if they meant traffic from this *range* of MAC addresses or just between the two.

Section 2: Pix / ASA Configuration

- When originating a default route and running RIP on both inside & outside, use a route-map with ‘match interface’ to control which side we send the default route to.

- don’t be so quick to assume an answer. Configured HTTP/HTTPS and missed that the question said a “Web/SMTP/DNS” server so left out a bunch of the ACL.

- when configuring AAA through a firewall, don’t forget to set the source int on the remote device if required.

- remember that a transparent firewall will not pass anything inbound by default (except ARP) without an access-list. Just like a routed firewall.

- a transparent firewall must have a management IP address configured or it will not pass any traffic, even if that traffic would otherwise be allowed.

- always check whether the lab requires switching between single and multiple context mode, since the change needs a reboot of the device and wastes time.

- basic process for setting up contexts

admin-context FOO
context FOO
  config-url disk0:/FOO.txt
!
context BAR
  config-url disk0:/BAR.txt
  allocate-interface eth0/0
  allocate-interface eth0/1
!

- when configuring local authentication on the ASA, don’t forget to explicitly enable it for SSH/Telnet:

hostname ASA1
domain-name ipexpert.com
crypto key generate rsa general-keys
ssh 1.2.3.0 255.255.255.0 inside
username cisco password cisco
aaa authentication ssh console LOCAL

Section 3: IDS Configuration

- I need to spend time learning the IDS command line. I’m fairly solid through IDM but not through the CLI.

- IOS IPS basic config

ip ips name FOO
ip ips notify log
logging host 1.2.3.4
logging on
int se0/1/0
  ip ips FOO in
!

Section 7: VPN Configuration

- when configuring L2L VPNs on the VPN3000 through the GUI, be careful when configuring the interesting traffic. The mask is specified as a *wildcard* mask, e.g. 0.0.0.255, not a subnet mask.

Source Filtering for Internet Traffic

January 24th, 2009

When examining inbound traffic at your Internet edge, there are quite a few source networks that should be automatically discarded. RFC 3330 (Special-Use IPv4 Addresses) specifies many of these.

Local Networks

In most sane networks, you should never see inbound traffic from your own address space. Thus, if you have 12.3.45.0/24 as your public address space, your inbound ACL should block traffic appearing to be sourced from this network.

RFC 1918

10.0.0.0 /8
172.16.0.0 /12
192.168.0.0 /16

An easy way to remember the CIDR value for these (found on GroupStudy): each is 4 greater than the last.

Local-only Networks

0.0.0.0 /8
127.0.0.0 /8 - note: not just 127.0.0.1!
169.254.0.0 /16

These are (respectively) the “this network” range, the localhost address space, and the Microsoft AutoNet network (also called APIPA, for Automated Private IP Addressing).

Reserved Networks

192.0.2.0 /24 - TEST-NET, e.g. example.com
198.18.0.0 /15 - Benchmark networks
240.0.0.0 /4 - Class E

Multicast

224.0.0.0 /4

The multicast address space will never appear as a source address in legitimate traffic. A multicast IP is always a destination.

Unassigned Address Space

Many experts recommend filtering all unallocated address space (networks that have not been assigned to users or ISPs by the various numbering authorities, such as ARIN or APNIC). This requires diligence on the part of network administrators to track new address allocations and keep ACLs up-to-date, to avoid blackholing legitimate traffic from newly-assigned networks. For more information, see the Bogon Reference at Cymru.
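As an added example (not from the original post), the following Python builds the inbound edge ACL from the static ranges listed above, emitting the wildcard masks IOS expects, and classifies a few constructed source addresses against it. 12.3.45.0/24 is the post’s own example public block; the dynamic Cymru bogon list is deliberately left out, since that part needs ongoing maintenance.

```python
import ipaddress

# Ranges listed in the post (RFC 3330 special-use, RFC 1918, multicast).
# Unallocated ("bogon") space from dynamic feeds such as Cymru's is NOT
# included; this is the static part of the filter only.
BOGON_SOURCES = {
    "RFC1918":    ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "local-only": ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"],
    "reserved":   ["192.0.2.0/24", "198.18.0.0/15", "240.0.0.0/4"],
    "multicast":  ["224.0.0.0/4"],
}

def build_filter(local_prefixes):
    """Return (label, network) pairs: own address space first, then bogons."""
    entries = [("own-space", ipaddress.ip_network(p)) for p in local_prefixes]
    for label, nets in BOGON_SOURCES.items():
        entries += [(label, ipaddress.ip_network(n)) for n in nets]
    return entries

def wildcard_mask(prefix):
    """IOS ACLs take an inverse (wildcard) mask, e.g. 0.0.0.255 for a /24."""
    return str(ipaddress.ip_network(prefix).hostmask)

def to_ios_acl(name, entries):
    """Render an inbound extended ACL: deny each listed source, permit the rest."""
    lines = [f"ip access-list extended {name}"]
    for label, net in entries:
        lines.append(f"  remark {label}")
        lines.append(f"  deny   ip {net.network_address} {wildcard_mask(str(net))} any")
    lines.append("  permit ip any any")
    return lines

def classify(src, entries):
    """Return the label of the range a source address falls in, or None."""
    addr = ipaddress.ip_address(src)
    for label, net in entries:
        if addr in net:
            return label
    return None

if __name__ == "__main__":
    # 12.3.45.0/24 is the post's example public block; sources are constructed.
    edge = build_filter(["12.3.45.0/24"])
    print("\n".join(to_ios_acl("EDGE_IN", edge)))
    for src in ["12.3.45.9", "10.1.1.5", "127.0.0.2", "198.19.4.4",
                "224.0.0.9", "8.8.8.8"]:
        print(f"{src:>12} -> {classify(src, edge) or 'permit'}")
```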

Simple NAT (PAT) Example #1

January 21st, 2009

A very simple example for when you want to very quickly get a network (for example, a branch office) online behind a DSL line or similar.  This PATs all private network traffic behind the outside interface’s public IP.

interface FastEthernet0/0
  description TO_ISP
  ip nat outside
!
interface FastEthernet0/1
  description TO_LAN
  ip nat inside
!
ip access-list standard NAT_SOURCE
  permit 10.1.1.0 0.0.0.255
!
ip nat inside source list NAT_SOURCE interface FastEthernet0/0 overload

#23115!

January 8th, 2009

CCIE Logo

A more detailed post to come…

This Week

December 15th, 2008

Getting down to the wire for my lab attempt (22 days to go!)  I’ve been horrible about blogging my progress, but I’m going to try to be more consistent in the home stretch.  Overall I think I’m in good shape, but I really need to focus over the next 3 weeks to be completely ready.

Plans for this week:

  • IE just released their first v.5 full labs (lab 1 and lab 10).  I’ll probably skip Lab 1, since it’s only a level 5 and I’ve already watched the live Lab Meetup, but I’ll definitely be hitting lab 10 since it’s an 8.
  • I have IE rack rentals Tue-Thu.  My goal is to hit two full IE labs (v.5 lab 10 and probably v.4 lab 7)
  • IPexpert rack rentals Fri, Sat, Sun, Mon.  I want to get some solid lab hours in before the Christmas break.  Haven’t picked a set of labs yet, but at least book 3, labs 9 and 10.
  • I may try to pay for another IE mock lab during my current Christmas break.  My lab 4 attempt went pretty well (77, with a couple of sections I disagreed with the proctor on).
  • Reading:
    • Finish the QoS self-study book
    • Start the Cisco Press multicast and IPv6 books
    • IE workbook 1 v.5 solution guides.  These are terrific for individual technology focus.

InternetworkExpert Vol. 2, Lab 3 Notes

December 7th, 2008

Switching

  • beware of pruning issues when some switches are transparent and some aren’t.  If not otherwise specified, make all switches transparent if one is.

IP Telephony

  • macro apply cisco-phone $access_vlan 5 $voice_vlan 4 sets most things properly
  • To change the CoS applied to traffic coming from the PC connected to a phone: switchport priority extend cos 1
  • Don’t forget to enable mls qos globally or nothing will work

PPP

  • as a general rule, use no peer neighbor-route on all PPP interfaces to avoid random /32 routes showing up in IGPs and redistributions.  They’re only needed if you have different subnets at each end of the link.

IGPs — RIP

  • use the distribute-list gateway option along with a prefix-list to specify the routers from which we will accept routes.
  • don’t forget the prefix option (e.g. distribute-list prefix FOO, not distribute-list FOO) when filtering routing updates.
  • remember, though, that a distribute-list doesn’t have to use a prefix-list.  It also works just fine with a regular ACL (useful for permit any or deny any).

Getting closer and closer…

November 26th, 2008

What I’ve been up to:

  • IPExpert’s one week R&S bootcamp in San Jose
  • IPExpert’s one week mock lab workshop in San Jose
  • InternetworkExpert’s “Open Lecture” multicast troubleshooting (in progress)
  • InternetworkExpert’s 5-day lab bootcamp CoD (in progress)
  • InternetworkExpert’s Adv. Technology CoD on redistribution (in progress)
  • Working through IEWB3 to get better at core technology, especially redistribution

Study Notes — PPP and PPP Authentication

November 15th, 2008

Sources:

  • IPexpert BLS class-on-demand
  • IPexpert v.10 Workbook 2
  • InternetworkExpert ATS CoD v4.5

Notes — PPP General:

  • By default, PPP will inject a directly-connected /32 route for the remote end into each device’s routing table.  This can be safely disabled as long as both ends of the link are on the same logical IP subnet; it is needed when they are not (e.g. one side or both sides are using ‘ip unnumbered’).  To disable, use the ‘no peer neighbor-route’ interface-level command.
  • The ‘ppp quality’ interface-level command enables Link Quality Monitoring (LQM), which will bring down the interface if the number of bytes transmitted vs. received over a link falls below a given percentage.
  • The ‘ppp reliable-link’ command enables LAPB numbered mode to negotiate a reliable link.

Notes — PPP Multilink

  • The ‘ppp multilink links minimum’ interface option (under the Multilink interface) specifies how many physical circuits must be up before the bundle comes up.  The ‘mandatory’ option brings the bundle down if the number of active links falls below the minimum.

Notes — PPP Authentication:

  • The ‘ppp authentication <protocol>’ command is only required on the side of the link that is issuing the challenge (the “server” side).  This may also be referred to as the side that’s “doing authentication” or that is “authenticating <OtherRouter>”.
  • CHAP (and EAP) will use the hostname of the router as the username, by default.  PAP requires the username to be explicitly specified with the ‘ppp pap sent-username’ command.  If you need to use a different username, you can specify it using the ‘ppp chap hostname’ or ‘ppp eap identity’ commands.
  • For CHAP, if you don’t want to specify the global username/password combo on the client (or you don’t know the server’s hostname), you can specify just the password to be sent in response to any remote authentication challenge with the ‘ppp chap password’ command at the interface level.
  • If you want to use the same username in both directions with CHAP, use the ‘no ppp chap ignoreus’ interface-level command, since by default CHAP will refuse to authenticate with “ourself” if the hostname matches.
  • EAP is an additional “secure” protocol distinct from CHAP.  MS-CHAP and MS-CHAPv2 probably aren’t “different enough” from CHAP to satisfy a lab requirement of two different secure protocols.
  • You must specify ‘ppp eap local’ for EAP to work unless you have a RADIUS server available.
  • EAP doesn’t use the shared password from the ‘username’ statement when responding to a challenge.  You need to specify the password using ‘ppp eap password <pass>’.

IPExpert End-to-End Bootcamp

November 9th, 2008

I’m in San Jose, CA for IPExpert’s two-week End-to-End route/switch bootcamp.  I was very lucky to win this training at Cisco Networkers this year and am definitely looking forward to it.  The flight out was a bit annoying (flew Airtran instead of Delta and you could really notice the little differences).  Just got back from dinner at Chipotle’s and am planning to take an early night and hopefully get my internal clock synced up.

Narbik/IPExpert Workbook EIGRP Notes

September 13th, 2008

Timers

  • Hello and Dead interval timers are set on a per-interface basis with
    ip hello-interval eigrp <AS> <seconds>
    ip hold-time eigrp <AS> <seconds>
  • The stuck-in-active (SIA) timer is configured with the router-level command
    timers active-time <seconds|disabled>

Metrics

  • The metric calculation in an EIGRP AS can be changed with the router-level command
    metric weights 0 <bandwidth> <load> <delay> <offset> <reliability>
  • The metric calculation formula is
    ( ( k1 * bandwidth ) +
      ( k2 * bandwidth ) / ( 256 - load ) +
      ( k3 * delay ) +
      ( k5 / reliability ) +
      k4
    ) * 256
  • To configure the hop count considered unreachable (default 100) use router-level command
    metric maximum-hops <count>
  • The administrative distance of internal and external routes can be configured using the router-level command
    distance eigrp <internal> <external>

Bandwidth Used for EIGRP

  • EIGRP uses 50% of the interface bandwidth by default
  • Can be changed using the interface-level command
    ip bandwidth-percentage eigrp <AS> <percent>

Stubs

  • A stub can be configured to only receive (not send) routes using the router-level command
    eigrp stub receive-only

Logging

  • no eigrp log-neighbor-changes
  • eigrp log-neighbor-warnings <interval> will log updates that are received from an IP not in the subnet of the receiving interface.

Summary Addresses

  • The leak-map option to ip summary-address eigrp references a route-map that defines which component routes of a summary supernet are also injected alongside the summary.  It is only available on physical and virtual-template interfaces (not on subinterfaces).

Load Balancing

  • For unequal-cost load balancing, the AD of the worst route must be less than the FD
  • Take the AD of the worst route and divide by the AD of the best route (rounding up) to get the variance.

Authentication

  • same as RIP (key chain plus MD5 mode), but configured on a per-interface and per-AS basis
    ip authentication mode eigrp 300 md5
    ip authentication key-chain eigrp 300 <key-chain>