This is one of the desperate act to twitter support. May those in up high grant me my sanity back.
Just a little note for SVI Access-List (or Cisco calls it Router ACL on SVI).
Three routers configured as below.
! R1 int f0/0 ip addr 184.108.40.206 255.255.255.0 no shut router ospf 1 net 0.0.0.0 0.0.0.0 a 0 ! R2 int vlan 100 ip addr 220.127.116.11 255.255.255.0 int f1/0 switchport mode access switchport access vlan 100 int f0/0 ip addr 18.104.22.168 255.255.255.0 router ospf 1 net 0.0.0.0 0.0.0.0 a 0 ! R3 int f0/0 ip addr 22.214.171.124 255.255.255.0 no shut router ospf 1 net 0.0.0.0 0.0.0.0 a 0 ip http server
I’m testing the Access-list on SVI and testing it by ICMP and HTTP from R1 (126.96.36.199) to R3 (188.8.131.52) and check the matches on the ACL. I’m expecting that the HTTP access will be denied and ICMP will be allowed.
The direction of the access-list and the SVI (inbound or outbound) tested as below.
! R2 Extended IP access list ACL 10 deny tcp host 184.108.40.206 host 220.127.116.11 eq www 20 permit ip any any (1 match) int vlan 100 ip access-group ACL out ! RESULT. ICMP and HTTP access are both OK
! R2 Extended IP access list ACL 10 deny tcp host 18.104.22.168 eq www host 22.214.171.124 20 permit ip any any (5 matches) int vlan 100 ip access-group ACL in ! RESULT. ICMP and HTTP access are both OK
! R2 Extended IP access list ACL 10 deny tcp host 126.96.36.199 eq www host 188.8.131.52 (6 matches) 20 permit ip any any interface Vlan100 ip access-group ACL out ! RESULT. ICMP OK, HTTP access is opened then timed-out.
! R2 Extended IP access list ACL 10 deny tcp host 184.108.40.206 host 220.127.116.11 eq www (3 matches) 20 permit ip any any interface Vlan100 ip access-group ACL in ! RESULT. ICMP OK, HTTP access is UNREACHABLE
Summary. The rule of thumb for the direction of the ACL on SVI above are:
ACL always have the form of
- If it’s INBOUND (“ip access-group ACL out”), then it means “It’s going OUT TO the VLAN100 access ports.”
- If it’s OUTBOUND (“ip access-group ACL in”), then it means “It’s going AWAY from the VLAN100″
As much as it’s confusing as it can be, I prefer to use VLAN ACCESS-MAP.
For the egress queue, router interface uses two queues. The first queue is, like Input queue, Output queue is a software queue. The default queuing mechanism is FIFO and it can be change to WFQ or CBWFQ. The default value for this queue is 40 packets.
Rack1R1#sh int e0/0 | i queue Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Output queue: 0/40 (size/max) Rack1R1# sh int e0/0 | i Queueing Queueing strategy: fifo
We know that Router interfaces uses CEF switching on all of its interfaces. When the CPU is too busy to switch the new incoming packets, these packets will be stored in the Input Queue. There is only 1 Input queue and the queuing mechanism is always FIFO. By default the maximum packets can fill up this queue are 75 packets. This value can be change with
hold-queue <value> in under the interface command. If the input queue is full and the CPU still not able to switch the packets. New incoming packets will be dropped.
R1#sh int f0/0 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo R1#conf t R1(config)#int f0/0 R1(config-if)#hold-queue 100 in R1(config-if)#^Z R1#sh int f0/0 Input queue: 0/100/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo ! This is OUTPUT Queuing mechanism.
By default, IPv6 addresses configured on an interface are advertised in Router Advertisement (RA). The command
ipv6 nd prefix will block the RA for the specified prefix. Command
ipv6 nd prefix <IPv6> 14400 14400 no-autoconfig will advertise the prefix with A-bit (AUTOCONFIG) bit cleared.
This will work for scenario where you want to block the RA for specific address (no-advertise) or just want to block the specific address from being used for stateless auto-configuration (no-autoconfig).
In addition to that, by default, RA is automatically advertised on Ethernet or FDDI interface (but not other type of interface).
ipv6 nd ra suppress will supress periodic unsolicited RA, but it does not suppress RAs in response to a Router Solicitation (RS). Use
ipv6 nda ra suppress all to suppress all.
- Higher priority value (0-255) is better.
- Default value is 1
- Can be set via neighbor command or interface command.
- Neighbor command sets neighbor priority while interface command sets its own interface priority. Thus, both commands will not interfere each other. Again, one is for neighbor and other is for its own interface.
- If the local interface priority is set and the other router uses neighbor priority command, then interface priority will take precedence.
First, What’s DTP? Having a look on Google will reveal quite a few (if not too many) article about DTP. It’s basically a protocol which negotiate whether a link should turn into a Trunk link or not. You might be aware that the newer switches (e.g. 3560 on-wards) will have its link set as
Dynamic Auto by default.
3560(config)#do sh int f0/14 sw | i Administrative Mode Administrative Mode: dynamic auto
I’m intrigued with Diffie-Hellman usage in IPSec. Most of the sources you can find in the internet will explain you how Diffie-Hellman work. You might want to visit this YouTube video about Diffie-Hellman Key Exchange and probably another YouTube video if you still not getting it.
Skipped the history side of this, in short, Diffie-Hellman is a method so that you can exchange your secret key without the need to pass that key over the network. It can be done with this 5 simple steps.
Step 1. Set up Classification Policy
ip access-list ACL_QOS_GOLD statistics per-entry remark VOICE_RTP <omitted> Continue reading
It’s been a good experience so far, knowing that I failed my CCIE R&S lab for the second time. Well, certainly not the best outcome but certainly was a good experience.
Last year, 31 May 2012, I failed my first lab exam. That time was pretty rough. I was too emotional and nearly walking out of the building for not knowing enough of the technologies. I came out of the building felling stress out. It could probably be that I went to the exam just couple of days after I finished with Narbik’s Bootcamp. Exhausted and agitated.