While PIM controls the communication between multicast routers, IGMP is the control protocol between routers and hosts. IGMP is similar with ICMP and it has IP protocol number 2. Because the intention is the communcation between hosts and routers, it is only sent as a link-local packet that has TTL of 1 in the IP packet header.
Uses both Shared-Tree (*,G) and Source-Tree (S,G).
PIM Sparse-Mode (SM) steps:
- Discover PIM neighbor and elect DR.
PIM is the infrastructure to deliver the multicast packet. It builds the multicast network hop-by-hop. It takes the advantage of the routing table to perform RPF but it does not really matter what routing protocol derives it from. Hence this is why it is called Protocol Independent Multicast (PIM).
The way an IP packet delivered from server to client or vice versa is mostly known as unicast delivery. A server will need to know the client’s IP Address and assign this client’s IP address to the IP packet to be delivered. The more clients the server has, the more packets should be created and more bandwidth consumed.
These are some notes to install Cisco VIRL version 0.9.17 (file virl.0.9.17.pc.ova) on VMware Fusion Professional Version 7.1.1 on MAC OSX Mavericks version 10.9.5. If you happen to hit this page, I’m sure you’re also having an issue with it. So, I thought I should write down some notes here.
Cisco ISE can be quite challenging for some and here are some notes when I was testing an ISE for upgrade.
I had been using Samsonite laptop backpack since 2008. It’s just this little problem that it does not have padding on its bottom corner on the laptop compartment. It’s not really a big deal, quite happy so far, until I dropped it exactly on the corner of it. See the photo below and you’ll know how bad it was.
If you’re tasked to configure an Internet router, what features/services you would usually put in? You most definitely require NAT for LAN to Internet IP address translation, ACL for blocking unnecessary traffics from Internet to LAN, and might be a bit of router hardening by locking down some unnecessary services and management/control plane.
A note to myself.
It’s been a little more than a year since I wrote a post to my blog. Quite a few things happened in my life and priorities change.
I decided to postpone my CCIE RS lab for sometime after several failed attempts. No, I’m not giving up yet, It’s just better for myself and my family that I take a pause for it until we’re sure I can dedicate myself into it.
Just a little note for SVI Access-List (or Cisco calls it Router ACL on SVI).
Three routers configured as below.
! R1 int f0/0 ip addr 22.214.171.124 255.255.255.0 no shut router ospf 1 net 0.0.0.0 0.0.0.0 a 0 ! R2 int vlan 100 ip addr 126.96.36.199 255.255.255.0 int f1/0 switchport mode access switchport access vlan 100 int f0/0 ip addr 188.8.131.52 255.255.255.0 router ospf 1 net 0.0.0.0 0.0.0.0 a 0 ! R3 int f0/0 ip addr 184.108.40.206 255.255.255.0 no shut router ospf 1 net 0.0.0.0 0.0.0.0 a 0 ip http server
I’m testing the Access-list on SVI and testing it by ICMP and HTTP from R1 (220.127.116.11) to R3 (18.104.22.168) and check the matches on the ACL. I’m expecting that the HTTP access will be denied and ICMP will be allowed.
The direction of the access-list and the SVI (inbound or outbound) tested as below.
! R2 Extended IP access list ACL 10 deny tcp host 22.214.171.124 host 126.96.36.199 eq www 20 permit ip any any (1 match) int vlan 100 ip access-group ACL out ! RESULT. ICMP and HTTP access are both OK
! R2 Extended IP access list ACL 10 deny tcp host 188.8.131.52 eq www host 184.108.40.206 20 permit ip any any (5 matches) int vlan 100 ip access-group ACL in ! RESULT. ICMP and HTTP access are both OK
! R2 Extended IP access list ACL 10 deny tcp host 220.127.116.11 eq www host 18.104.22.168 (6 matches) 20 permit ip any any interface Vlan100 ip access-group ACL out ! RESULT. ICMP OK, HTTP access is opened then timed-out.
! R2 Extended IP access list ACL 10 deny tcp host 22.214.171.124 host 126.96.36.199 eq www (3 matches) 20 permit ip any any interface Vlan100 ip access-group ACL in ! RESULT. ICMP OK, HTTP access is UNREACHABLE
Summary. The rule of thumb for the direction of the ACL on SVI above are:
ACL always have the form of
- If it’s INBOUND (“ip access-group ACL out”), then it means “It’s going OUT TO the VLAN100 access ports.”
- If it’s OUTBOUND (“ip access-group ACL in”), then it means “It’s going AWAY from the VLAN100”
As much as it’s confusing as it can be, I prefer to use VLAN ACCESS-MAP.
For the egress queue, router interface uses two queues. The first queue is, like Input queue, Output queue is a software queue. The default queuing mechanism is FIFO and it can be change to WFQ or CBWFQ. The default value for this queue is 40 packets.
Rack1R1#sh int e0/0 | i queue Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Output queue: 0/40 (size/max) Rack1R1# sh int e0/0 | i Queueing Queueing strategy: fifo