Flexlinks (backup port)
On the switch:
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport backup interface FastEthernet 0/2
Switch(config-if)# switchport backup interface FastEthernet 0/2 preemptive
On the router:
interface Serial0/0.401 point-to-point
backup delay 0 300
backup interface Serial0/1
Interface dampening
Router(config)# interface FastEthernet 0/1
Router(config-if)# dampening HALF-LIFE REUSE SUP-THRES MAX-SUP-TIME
Frame Relay traffic shaping
Tc = Bc / CIR holds; the default Tc is 125 ms.
R(config)# map-class frame-relay FRTS
R(config-map)# frame-relay cir CIR_SPEED
R(config-map)# frame-relay bc BC_BURST
R(config-map)# frame-relay be EXCESS_BURST
R(config)# interface Serial 0/0/0
R(config-if)# frame-relay traffic-shaping
R(config-if)# frame-relay class FRTS
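Worked calculation of the Tc = Bc / CIR relation above, as an added Python example that is not part of the original notes: it sizes Bc and Be for a given CIR, access rate and Tc and renders the map-class lines used in the notes. The 10-125 ms Tc range it enforces is an assumption about IOS, not something the notes state.

```python
# Added example (not from the original notes): work through Tc = Bc / CIR to
# size the map-class parameters. The 10-125 ms Tc range is an assumption about
# IOS, not something the notes state.
TC_MIN_MS, TC_MAX_MS, TC_DEFAULT_MS = 10, 125, 125


def tc_ms(cir_bps: int, bc_bits: int) -> float:
    """Interval Tc (ms) that results from a committed burst Bc at rate CIR."""
    if cir_bps <= 0 or bc_bits <= 0:
        raise ValueError("CIR and Bc must be positive")
    return bc_bits / cir_bps * 1000


def bc_for_tc(cir_bps: int, tc_target_ms: float = TC_DEFAULT_MS) -> int:
    """Committed burst Bc (bits) that gives the wanted Tc at the given CIR."""
    if not TC_MIN_MS <= tc_target_ms <= TC_MAX_MS:
        raise ValueError(f"Tc must be between {TC_MIN_MS} and {TC_MAX_MS} ms")
    return int(cir_bps * tc_target_ms / 1000)


def be_for_access_rate(cir_bps: int, access_rate_bps: int,
                       tc_target_ms: float = TC_DEFAULT_MS) -> int:
    """Excess burst Be (bits): what the access rate can send above CIR in one Tc."""
    if access_rate_bps < cir_bps:
        raise ValueError("access rate cannot be below CIR")
    return int((access_rate_bps - cir_bps) * tc_target_ms / 1000)


def frts_map_class(name: str, cir_bps: int, access_rate_bps: int,
                   tc_target_ms: float = TC_DEFAULT_MS):
    """Render the map-class lines from the notes with the computed Bc and Be."""
    bc = bc_for_tc(cir_bps, tc_target_ms)
    be = be_for_access_rate(cir_bps, access_rate_bps, tc_target_ms)
    return [
        f"map-class frame-relay {name}",
        f" frame-relay cir {cir_bps}",
        f" frame-relay bc {bc}",
        f" frame-relay be {be}",
    ]


if __name__ == "__main__":
    # 64 kbit/s CIR on a 128 kbit/s access rate with the default Tc of 125 ms
    print("\n".join(frts_map_class("FRTS", 64000, 128000)))
```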
Queueing for real-time traffic
R(config-if)# ip rsvp bandwidth XYZ ABC
Committed access rate (CAR)
R(config-if)# rate-limit input CIR BC BE conform-action transmit exceed-action drop
Multicast helper
Works in dense mode; it can repackage unicast/broadcast into multicast and vice versa.
Don't forget "ip forward-protocol udp ...".
On the interface, use "ip multicast helper-map SRC DST ACL".
VRRP
For numbers above 255, vrrp version 2 has to be enabled.
Login enhancements
login block-for SEC attempts X within SEC
login quiet-mode access-class ACL
login on-success ...
login on-failure ...
DHCP options
066 - TFTP name
150 - TFTP IP
UDLD
By default, when UDLD is enabled globally, it is enabled only on fiber ports.
On (copper) Ethernet ports it has to be enabled manually. If the port should also be shut down when UDLD detects a problem, enable UDLD aggressive mode.
OSPF MTU
If a Catalyst 3560 has to be connected over OSPF to a 2600/2800 series router, the two have different MTUs; the MTU on the Catalyst side is 1504. The routers therefore stay in the EXSTART state. This can be fixed either by changing ip mtu or with ip ospf mtu-ignore in the interface configuration.
Multicast borders
(config-if)# ip multicast ttl-threshold TTL
(config-if)# ip multicast boundary ACL
(config-if)# ip pim bsr-border
Multicast stub
R(config-if)# ip igmp helper-address ...
Site-to-site VPN
R(config)# crypto isakmp enable
R(config)# crypto isakmp policy 10
R(config-isakmp)# authentication pre-share
R(config-isakmp)# encryption aes 256
R(config-isakmp)# hash sha
R(config-isakmp)# group 5
R(config-isakmp)# lifetime 3600
R(config)# crypto isakmp key cisco address IP
R(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R(config)# crypto ipsec security-association lifetime seconds 1800
R(config)# crypto map MYMAP 10 ipsec-isakmp
R(config-crypto-map)# match address ACL
R(config-crypto-map)# set peer IP
R(config-crypto-map)# set pfs group 5
R(config-crypto-map)# set security-association lifetime seconds 900
R(config-if)# crypto map MYMAP
Multicast rate limiting
interface FastEthernet0/3
ip multicast rate-limit out 1000
IPv6 routing on Cat3550
sdm prefer dual-ipv4-and-ipv6 default
Etherchannel silent/non-silent mode
- silent - the default mode. It does not check whether there is a PAgP/LACP peer on the other side. If there is none, the port is not in the etherchannel but can still work as a normal port (settings applied directly on the port, outside the port-channel).
- non-silent - strictly checks that the negotiation protocol matches and is present on the other side too. If the neighbouring device does not support PAgP/LACP, the port is simply left in the disabled state and no communication is allowed on it.
RPF check for incoming unicast packets
interface Ethernet0/1
ip verify unicast reverse-path
IP alias
ip alias IP PORT
VTY unsuccessful login
ip host R4 150.1.4.4
!
busy-message R4 "Connection Unsuccessful"
PPP reliable transfer support
interface Serial0/1
encapsulation ppp
ppp reliable-link
MAC address aging
mac-address-table aging-time 10 vlan 8
IP PIM neighbor filter
interface FastEthernet0/0
ip pim neighbor-filter 75
!
access-list 75 deny 192.10.1.254
access-list 75 permit any
Multicast boundary
interface Ethernet0/0
ip multicast boundary 51
!
access-list 51 deny 239.0.0.0 0.255.255.255
access-list 51 permit 224.0.0.0 15.255.255.255
Multicast distribution
If for some multicast group an SPT (shortest-path tree) should not be built and only the shared tree should be used:
ip pim spt-threshold infinity group-list 52
!
access-list 52 permit 239.0.0.0 0.255.255.255
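The standard ACLs in the notes (75 for the PIM neighbor filter, 51 for the multicast boundary, 52 for the spt-threshold group list) are all evaluated with Cisco wildcard masks and an implicit deny at the end. The following added Python example, not part of the original notes, parses the access-list lines exactly as written above and shows which groups cross the boundary and which stay on the shared tree; the ACL text embedded in it is copied from the notes and the helper names are my own.

```python
import ipaddress

# Added example (not from the original notes): evaluate the standard ACLs from
# the notes the way IOS does, to see which groups cross the multicast boundary
# (access-list 51) and which stay on the shared tree (access-list 52).
ACL_TEXT = """
access-list 51 deny 239.0.0.0 0.255.255.255
access-list 51 permit 224.0.0.0 15.255.255.255
access-list 52 permit 239.0.0.0 0.255.255.255
"""


def parse_acls(text):
    """Parse 'access-list N action addr [wildcard]' lines into {N: [(action, base, wildcard)]}."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, target = int(parts[1]), parts[2], parts[3]
        if target == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            base = target
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # no wildcard = host match
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # Cisco wildcard: 1 bits are "don't care"
    return a & care == b & care


def acl_action(entries, addr):
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


ACLS = parse_acls(ACL_TEXT)


def crosses_boundary(group):
    """ip multicast boundary 51: only groups the ACL permits cross the interface."""
    return acl_action(ACLS[51], group) == "permit"


def stays_on_shared_tree(group):
    """ip pim spt-threshold infinity group-list 52: permitted groups never switch to the SPT."""
    return acl_action(ACLS[52], group) == "permit"
```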
Frame-relay RTP header compression
interface Serial1/0
frame-relay map ip 162.1.0.4 304 broadcast rtp header-compression passive connections 15
Dot1q tunnel
SW(config-if)# switchport mode dot1q-tunnel
SW(config-if)# switchport access vlan XYZ
SW(config-if)# l2protocol tunnel {cdp|vtp|stp}
Tunnel checksum
If data is corrupted in transit through the tunnel, drop it automatically.
int tunnel 0
tunnel checksum
Layer 2 CoS (setting)
switchport priority extend cos X
End-to-end keepalive Frame-Relay
interface Serial0/0.54 point-to-point
frame-relay interface-dlci 504
class DLCI_504
!
map-class frame-relay DLCI_504
frame-relay end-to-end keepalive mode request
PPP remove peer route
R(config-if)# no peer neighbor-route
BGP Fast external fallover
If the router should be forced to wait for the hold time and ignore a physical interface failure (i.e. skip the immediate reaction, the withdrawal of routes from the neighbor that was reachable over that link), it can be done like this:
router bgp X
no bgp fast-external-fallover
TCP synwait
The TCP SYN wait time is the time the router will wait after sending a TCP SYN packet for a SYN/ACK to come back. If the SYN/ACK response has not been received before the timer expires, the connection is reset.
ip tcp synwait-time 5
MAC address table SNMP notification
interface FastEthernet0/24
snmp trap mac-notification added
!
snmp-server enable traps MAC-Notification
snmp-server host 187.1.3.100 CISCOTRAP MAC-Notification
mac-address-table notification
OSPF demand-circuit
If OSPF should only do the initial adjacency setup and then stop sending regular hellos, sending only messages about changes, use:
ip ospf demand-circuit
Frame Relay BOOTP neighbor
On the server side:
frame-relay interface-dlci DLCI protocol ip IP
DHCP relay over a serial PPP link
Client:
interface Serial0/1
ip address negotiated
encapsulation ppp
Server:
interface Serial0/1
encapsulation ppp
peer default ip address dhcp
clockrate 64000
!
ip dhcp-server 139.1.11.100
Disabling the check that a RIP neighbor is in the same address space
no validate-update-source
BGP maximum prefixes
router bgp X
neighbor .... maximum-prefix NUM TIME
RIPv2 broadcasting
ip rip v2-broadcast
Advertising networks into DVMRP
interface Tunnel0
ip dvmrp metric 1 list VLAN4_AND_VLAN5
ip dvmrp summary-address 167.1.4.0 255.255.254.0
no ip dvmrp auto-summary
!
ip access-list standard VLAN4_AND_VLAN5
permit 167.1.4.0 0.0.0.255
permit 167.1.5.0 0.0.0.255
Rate limit for ICMP unreachables
R(config)# ip icmp rate-limit unreachable 5000
Bridging
bridge irb
R(config-if)# bridge-group X
bridge 1 protocol ieee
bridge 1 route ip
OSPF flood reduction
To stop the OSPF LSA refresh every 30 min, "ip ospf flood-reduction" can be used.
Alias
R(config)# alias MODE ALIAS-NAME ORIG-COMMAND
Alias for interface-range
R(config)# define interface-range MM Fa0/1 - 4
IOS image verification after reload
R(config)# file verify auto
WCCP
R(config)# ip wccp web-cache
R(config)# int f 0/0
R(config-if)# ip wccp redirect in
CPU threshold notification (without RMON)
R(config)# snmp-server enable traps cpu threshold
R(config)# process cpu threshold type {total|process|interrupt} rising PERCENT interval SEC falling PERCENT interval SEC
TCP intercept
R(config)# ip tcp intercept list ACL-NUM
R(config)# ip tcp intercept mode {intercept|watch}
R(config)# ip tcp intercept watch-timeout SEC
R(config)# ip tcp intercept drop-mode {oldest|random}
R(config)# ip tcp intercept max-incomplete {low|high} NUM
R(config)# ip tcp intercept one-minute {low|high} NUM
QoS
Guaranteed minimum bandwidth for traffic matched by an ACL
policy-map QoS
class SMTP
bandwidth 1500
Packets larger than 1250 B will be policed to 2.5 Mbit/s
class-map match-all ABOVE_1250_BYTES
match packet length min 1251
!
policy-map QoS
class ABOVE_1250_BYTES
police cir 2500000
Queueing strategies
WFQ
R(config-if)# fair-queue
CBWFQ
R(config-policy-map)# bandwidth ...
LLQ
R(config-policy-map)# priority ...
Congestion management
WRED
R(config-if)# random-detect
R(config-if)# random-detect dscp-based
Policing
R(config-policy-map)# police cir X/percent conform-action ... exceed-action
Default values
- BPDU - sent every 2 s
- STP - Blocking (max. 20 s), Listening (max. 15 s), Learning (max. 15 s), Forwarding
- HSRP - 224.0.0.2 port 1985, priority 100, MAC 0000.0c07.acXX where XX is the group number, hello 3 s, dead 10 s
- VRRP - the physical address may equal the virtual one, in which case that router wins the election; 224.0.0.18 port 112, hello 1 s, down interval 3x hello
- GLBP - every 3 s, 224.0.0.102, UDP 3222
Questions:
- Which is preferred, ip mtu or ip ospf mtu-ignore, when the OSPF MTUs differ?
- What is the difference between ipv6 enable and ipv6 address autoconfig?
- Must tunnel mode ipv6ip be used for IPv6-in-IPv4 tunnelling? Can't GRE be used?
- Does "ip pim auto-rp listener" forward requests further like a mapping agent? On what address?
- If a frame-relay map states that my local IP is reachable via a DLCI and the same IP is also configured on the subinterface, why is it not served directly by the interface but sent over the FR link?
- What is the difference between police X and *police cir X*?
- How does an NSSA area treat redistributed routes?
- rmon absolute vs. delta
- try an OSPF configuration that advertises a default route according to a route map (conditional default route) but behaves like a route server, i.e. advertises a different gateway via set
- try limiting EIGRP receivers with a static MAC address on the switch
- router-on-a-stick with NAT on a single physical interface