Using MIB Browser for SNMP Walk/Query

At times you need a quick and easy way to do an SNMP walk or query for specific OIDs on your managed devices for troubleshooting purposes.

This can be done using the open/free SNMP tools available on the internet. I found the iReasoning MIB Browser quite helpful and easy.

http://ireasoning.com/mibbrowser.shtml

Install the MIB Browser and add your managed device using SNMP v2/v3.

Configure the MIB Browser as follows: Tools > Options > Agent > Add > add the managed device IP address and the community string.

Get the correct MIB file for your managed device. I am using a Cisco WLC as the managed device and downloaded the MIB from the Cisco support site.

http://software.cisco.com/download/release.html?mdfid=284493532&flowid=34542&softwareid=280775088&release=8.0&relind=AVAILABLE&rellifecycle=&reltype=latest

Load the correct MIB file in the MIB Browser: File > Load MIBs > choose the file location.

Browse and poll for the related OID.

I am polling for the AP native VLAN ID as follows:

 

If you know the OID, you can use it directly and do a Get to retrieve the related information:

 

Hope this would be helpful.

 

BGP AD manipulation

Many times there are situations where you run two routing protocols, in our case BGP and an IGP, and you would like to prefer the route learned via the IGP over the one learned via BGP. The problem is that by default eBGP has an AD of 20, which takes preference over the IGPs (OSPF = 110, EIGRP = 90, IS-IS = 115, RIP = 120).

Let's discuss how we can make this work. There are a couple of options to achieve this:

  • Changing the AD for the route learned from the specific BGP neighbor.

 

 

 

 

We will use the command: distance <AD> <neighbor> <wildcard> <optional ACL>

The IP routing table on R1:
====================


R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
100.0.0.0/24 is subnetted, 1 subnets
B 100.171.106.0 [20/0] via 20.20.20.3, 00:08:29
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/1
8.0.0.0/24 is subnetted, 1 subnets
B 8.8.8.0 [20/0] via 20.20.20.3, 00:09:10
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0

R1#show ip route 100.171.106.0
Routing entry for 100.171.106.0/24
Known via "bgp 65457", distance 20, metric 0
Tag 65000, type external
Last update from 20.20.20.3 00:08:50 ago
Routing Descriptor Blocks:
* 20.20.20.3, from 20.20.20.3, 00:08:50 ago
Route metric is 0, traffic share count is 1
AS Hops 1

After adding the distance statement under BGP on R1 and resetting the peering:

R1(config)#access-list 1 permit 100.171.106.0 0.0.0.255
R1(config)#router bgp 65457
R1(config-router)#distance 200 20.20.20.3 255.255.255.255 1
R1#clear ip bgp 20.20.20.3

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
100.0.0.0/24 is subnetted, 1 subnets
D 100.171.106.0 [90/30720] via 10.10.10.2, 00:00:38, FastEthernet0/0
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/1
8.0.0.0/24 is subnetted, 1 subnets
B 8.8.8.0 [20/0] via 20.20.20.3, 00:00:10
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0

R1#show ip route 100.171.106.0
Routing entry for 100.171.106.0/24
Known via "eigrp 1", distance 90, metric 30720, type internal
Redistributing via eigrp 1
Last update from 10.10.10.2 on FastEthernet0/0, 00:02:38 ago
Routing Descriptor Blocks:

* 10.10.10.2, from 10.10.10.2, 00:02:38 ago, via FastEthernet0/0
Route metric is 30720, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1

Please note that this can also cause asymmetric routing issues. Let's look at the example below.

In the topology above we are modifying the AD on R2, so the R2 configuration is as follows:

router ospf 1
log-adjacency-changes
summary-address 192.168.20.0 255.255.255.0
redistribute connected subnets
network 30.30.30.0 0.0.0.255 area 0
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 192.168.20.0
neighbor 20.20.20.1 remote-as 1
distance 200 0.0.0.0 255.255.255.255 1
no auto-summary

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
O E2 192.168.10.0/24 [110/20] via 30.30.30.3, 01:22:57, FastEthernet0/1
C 192.168.20.0/24 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 30.30.30.3, 01:28:45, FastEthernet0/1
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

R2#show ip bgp
BGP table version is 4, local router ID is 192.168.20.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r> 192.168.10.0 20.20.20.1 0 1 3 i
*> 192.168.20.0 0.0.0.0 0 32768 i

R2#show ip bgp 192.168.10.0
BGP routing table entry for 192.168.10.0/24, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
Not advertised to any peer
1 3
20.20.20.1 from 20.20.20.1 (20.20.20.1)
Origin IGP, localpref 100, valid, external, best

R2#traceroute 192.168.10.3
Type escape sequence to abort.
Tracing the route to 192.168.10.3

1 30.30.30.3 12 msec 28 msec 28 msec

On R3 we still see the BGP route being preferred over the IGP route:

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
O E2 20.20.20.0 [110/20] via 30.30.30.2, 01:33:45, FastEthernet0/1
C 192.168.10.0/24 is directly connected, Loopback0
B 192.168.20.0/24 [20/0] via 10.10.10.1, 01:27:13
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

R3#show ip bgp
BGP table version is 5, local router ID is 30.30.30.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.10.0 0.0.0.0 0 32768 i
*> 192.168.20.0 10.10.10.1 0 1 2 i

R3#show ip bgp 192.168.20.0
BGP routing table entry for 192.168.20.0/24, version 5
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
1 2
10.10.10.1 from 10.10.10.1 (20.20.20.1)
Origin IGP, localpref 100, valid, external, best

R3#traceroute 192.168.20.2
Type escape sequence to abort.
Tracing the route to 192.168.20.2

1 10.10.10.1 28 msec 20 msec 16 msec
2 20.20.20.2 16 msec 20 msec 20 msec

You need to watch out for asymmetric routing, as it can be an issue for many applications.

  • Changing the BGP AD per address family.

 

By default, BGP has these distances:
External distance: 20
Internal distance: 200
Local distance: 200

 

You can change the AD of all routes in the unicast, multicast or VRF address family. This is done under the address-family section of the BGP process with the following command, which changes the default distances:

 

distance bgp <ebgp> <ibgp> <local routes>

 

This is not very scalable, as all future BGP routes in that address family will have their AD altered.
Going back to our second topology, we see that R2 prefers BGP to reach the network 192.168.10.0/24.

 

router bgp 2
no synchronization
bgp log-neighbor-changes
network 192.168.20.0
neighbor 20.20.20.1 remote-as 1
no auto-summary

 

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
B 192.168.10.0/24 [20/0] via 20.20.20.1, 00:01:01
C 192.168.20.0/24 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 30.30.30.3, 17:41:21, FastEthernet0/1
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

 

Let's modify the default ADs for the BGP routes.

 

R2(config-router)#distance bgp ?
<1-255> Distance for routes external to the AS
R2(config-router)#distance bgp 120 ?
<1-255> Distance for routes internal to the AS
R2(config-router)#distance bgp 120 220 ?
<1-255> Distance for local routes
R2(config-router)#distance bgp 120 220 210 ?
<cr>

R2(config-router)#distance bgp 120 220 210

 

router bgp 2
no synchronization
bgp log-neighbor-changes
network 192.168.20.0
neighbor 20.20.20.1 remote-as 1
distance bgp 120 220 210
no auto-summary
!

R2#show ip protocols
Routing Protocol is "bgp 2"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
20.20.20.1
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
20.20.20.1 20 00:02:35
Distance: external 120 internal 220 local 210

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
O E2 192.168.10.0/24 [110/20] via 30.30.30.3, 00:04:55, FastEthernet0/1
C 192.168.20.0/24 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 30.30.30.3, 17:49:14, FastEthernet0/1
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

 

R2#show ip bgp 192.168.10.0
BGP routing table entry for 192.168.10.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
Not advertised to any peer
1 3
20.20.20.1 from 20.20.20.1 (20.20.20.1)
Origin IGP, localpref 100, valid, external, best

 

R2#show ip bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
192.168.10.0 20.20.20.1 Higher admin distance n/a

 

  • Using the BGP Backdoor :

 

With a BGP backdoor, BGP treats that network as a locally sourced network and thus changes its AD from 20 to 200. However, it does not advertise that specific network in BGP updates.

 

network <network> mask <network mask> backdoor

 

Some useful information is available at the following link:

 

 

 

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
192.168.10.0/32 is subnetted, 1 subnets
B 192.168.10.3 [20/0] via 20.20.20.1, 00:06:13
192.168.20.0/32 is subnetted, 1 subnets
C 192.168.20.2 is directly connected, Loopback0
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

 

router bgp 2
no synchronization
bgp log-neighbor-changes
network 192.168.10.3 mask 255.255.255.255 backdoor
network 192.168.20.2 mask 255.255.255.255
neighbor 20.20.20.1 remote-as 1
no auto-summary

 

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
192.168.10.0/32 is subnetted, 1 subnets
O 192.168.10.3 [110/2] via 30.30.30.3, 00:00:32, FastEthernet0/1
192.168.20.0/32 is subnetted, 1 subnets
C 192.168.20.2 is directly connected, Loopback0
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

 

R2#show ip bgp
BGP table version is 4, local router ID is 192.168.20.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r> 192.168.10.3/32 20.20.20.1 0 1 3 i
*> 192.168.20.2/32 0.0.0.0 0 32768 i

 

R2#show ip bgp 192.168.10.3/32
BGP routing table entry for 192.168.10.3/32, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
Not advertised to any peer
1 3
20.20.20.1 from 20.20.20.1 (20.20.20.1)
Origin IGP, localpref 100, valid, external, best

 

R2#show ip bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
192.168.10.3/32 20.20.20.1 Higher admin distance n/a

 

  • Changing the AD of IGP :

 

We can also modify the AD of the IGP so that its routes are preferred over BGP:

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
192.168.10.0/32 is subnetted, 1 subnets
B 192.168.10.3 [20/0] via 20.20.20.1, 00:00:05
192.168.20.0/32 is subnetted, 1 subnets
C 192.168.20.2 is directly connected, Loopback0
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1

R2(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R2(config)#router ospf 1
R2(config-router)#distan
R2(config-router)#distance 15 30.30.30.3 255.255.255.255 10

router ospf 1
log-adjacency-changes
redistribute connected
network 30.30.30.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
distance 15 0.0.0.0 255.255.255.255 10

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
192.168.10.0/32 is subnetted, 1 subnets
O 192.168.10.3 [15/2] via 30.30.30.3, 00:01:35, FastEthernet0/1
192.168.20.0/32 is subnetted, 1 subnets
C 192.168.20.2 is directly connected, Loopback0
30.0.0.0/24 is subnetted, 1 subnets
C 30.30.30.0 is directly connected, FastEthernet0/1
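All four methods above change which administrative distance the RIB compares, and the Python model below (an added example, not code from the original post) replays them against the candidate routes from the show ip route outputs and reproduces the "Higher admin distance" RIB-failure. It applies IOS wildcard semantics to the distance statement, so 255.255.255.255 matches any neighbor and 0.0.0.0 pins it to one, which is why ACL 1 is what narrows the R1 statement. The statement precedence (backdoor, then per-neighbor distance, then process defaults) and the /24 prefix used for the backdoor case are simplifying assumptions of the model.

```python
"""Model of how IOS picks the RIB winner by administrative distance (AD).
Added example, not the post's code; the precedence backdoor > per-neighbor
distance > process defaults is this model's assumption, not an IOS rule."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Default administrative distances quoted in the post.
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
              "isis": 115, "rip": 120, "ibgp": 200, "bgp-local": 200}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so 255.255.255.255 matches every address and 0.0.0.0 is an exact match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


@dataclass
class Candidate:
    proto: str    # key of DEFAULT_AD
    prefix: str   # e.g. "100.171.106.0/24"
    source: str   # address a `distance` statement is matched against (the BGP neighbor)
    metric: int = 0


@dataclass
class DistanceStmt:
    """`distance <ad> <source> <wildcard> [<standard-acl>]`; acl holds the ACL's
    (address, wildcard) permit entries, applied to the route's network address."""
    ad: int
    source: str
    wildcard: str
    acl: list = field(default_factory=list)


@dataclass
class RouterConfig:
    distance: dict = field(default_factory=dict)      # process -> [DistanceStmt]
    bgp_distance: dict = field(default_factory=dict)  # `distance bgp <e> <i> <l>`
    backdoor: set = field(default_factory=set)        # `network ... backdoor`


def effective_ad(c: Candidate, cfg: RouterConfig) -> int:
    process = "bgp" if c.proto in ("ebgp", "ibgp") else c.proto
    if process == "bgp" and c.prefix in cfg.backdoor:
        # A backdoor network is treated as local: AD 200 unless `distance bgp` changed it.
        return cfg.bgp_distance.get("bgp-local", DEFAULT_AD["bgp-local"])
    net_addr = str(IPv4Network(c.prefix).network_address)
    for s in cfg.distance.get(process, []):
        if wildcard_match(c.source, s.source, s.wildcard) and (
                not s.acl or any(wildcard_match(net_addr, a, w) for a, w in s.acl)):
            return s.ad
    return cfg.bgp_distance.get(c.proto, DEFAULT_AD[c.proto])


def build_rib(candidates, cfg):
    """Return ({prefix: (winner, ad)}, failures); failures are the BGP paths that
    `show ip bgp rib-failure` would report as 'Higher admin distance'."""
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(c.prefix, []).append((effective_ad(c, cfg), c))
    rib, failures = {}, []
    for prefix, paths in by_prefix.items():
        paths.sort(key=lambda p: (p[0], p[1].metric))  # lowest AD wins, then metric
        best_ad, best = paths[0]
        rib[prefix] = (best, best_ad)
        failures += [(prefix, c.source, "Higher admin distance") for ad, c in paths[1:]
                     if c.proto in ("ebgp", "ibgp") and ad > best_ad]
    return rib, failures


def winners(routes, cfg):
    """prefix -> (protocol, ad) of the installed route."""
    return {p: (c.proto, ad) for p, (c, ad) in build_rib(routes, cfg)[0].items()}


# Candidate routes constructed from the post's show outputs (not a live capture).
R1_ROUTES = [Candidate("ebgp", "100.171.106.0/24", "20.20.20.3"),
             Candidate("ebgp", "8.8.8.0/24", "20.20.20.3"),
             Candidate("eigrp", "100.171.106.0/24", "10.10.10.2", 30720)]
R2_ROUTES = [Candidate("ebgp", "192.168.10.0/24", "20.20.20.1"),
             Candidate("ospf", "192.168.10.0/24", "30.30.30.3", 20)]


def r1_per_neighbor_distance():
    """R1: `access-list 1 permit 100.171.106.0 0.0.0.255` and, under router bgp,
    `distance 200 20.20.20.3 255.255.255.255 1`.  The all-ones wildcard matches
    any neighbor, so ACL 1 is what narrows the statement to one prefix."""
    cfg = RouterConfig(distance={"bgp": [DistanceStmt(
        200, "20.20.20.3", "255.255.255.255", acl=[("100.171.106.0", "0.0.0.255")])]})
    return winners(R1_ROUTES, RouterConfig()), winners(R1_ROUTES, cfg)


def r2_methods():
    """The other three methods from the post, each applied to R2 from a clean config."""
    return {
        "default": winners(R2_ROUTES, RouterConfig()),
        "distance bgp 120 220 210": winners(R2_ROUTES, RouterConfig(
            bgp_distance={"ebgp": 120, "ibgp": 220, "bgp-local": 210})),
        "network backdoor": winners(R2_ROUTES, RouterConfig(backdoor={"192.168.10.0/24"})),
        "ospf distance 15": winners(R2_ROUTES, RouterConfig(distance={"ospf": [DistanceStmt(
            15, "0.0.0.0", "255.255.255.255", acl=[("192.168.10.0", "0.0.0.255")])]})),
    }
```

Calling r1_per_neighbor_distance() shows 100.171.106.0/24 moving from ("ebgp", 20) to ("eigrp", 90) while 8.8.8.0/24 stays at AD 20, and build_rib() lists the losing eBGP path exactly as the rib-failure output above does.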

 

 

Thanks….

CCIE R&S v5.1 Written Topics

Cisco is changing the CCIE R&S Written Exam as of July 25th 2016. Following is the related information and the exam topics.

https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching/written_exam_v5/exam-topics

Written Topics:
=============







10% 1.0 Network Principles
1.1 Network theory
1.1.a Describe basic software architecture differences between IOS and IOS XE
1.1.a (i) Control plane and Forwarding plane
1.1.a (ii) Impact to troubleshooting and performances
1.1.a (iii) Excluding specific platform’s architecture
1.1.b Identify Cisco express forwarding concepts
1.1.b (i) RIB, FIB, LFIB, Adjacency table
1.1.b (ii) Load balancing Hash
1.1.b (iii) Polarization concept and avoidance
1.1.c Explain general network challenges
1.1.c (i) Unicast flooding
1.1.c (ii) Out of order packets
1.1.c (iii) Asymmetric routing
1.1.c (iv) Impact of micro burst
1.1.d Explain IP operations
1.1.d (i) ICMP unreachable, redirect
1.1.d (ii) IPv4 options, IPv6 extension headers
1.1.d (iii) IPv4 and IPv6 fragmentation
1.1.d (iv) TTL
1.1.d (v) IP MTU
1.1.e Explain TCP operations
1.1.e (i) IPv4 and IPv6 PMTU
1.1.e (ii) MSS
1.1.e (iii) Latency
1.1.e (iv) Windowing
1.1.e (v) Bandwidth delay product
1.1.e (vi) Global synchronization
2015 Cisco Systems, Inc. This document is Cisco Public. Page 2
1.1.e (vii) Options
1.1.f Explain UDP operations
1.1.f (i) Starvation
1.1.f (ii) Latency
1.1.f (iii) RTP/RTCP concepts
1.2 Network implementation and operation
1.2.a Evaluate proposed changes to a network
1.2.a (i) Changes to routing protocol parameters
1.2.a (ii) Migrate parts of a network to IPv6
1.2.a (iii) Routing protocol migration
1.2.a (iv) Adding multicast support
1.2.a (v) Migrate spanning tree protocol
1.2.a (vi) Evaluate impact of new traffic on existing QoS design
1.3 Network troubleshooting
1.3.a Use IOS troubleshooting tools
1.3.a (i) debug, conditional debug
1.3.a (ii) ping, traceroute with extended options
1.3.a (iii) Embedded packet capture
1.3.a (iv) Performance monitor
1.3.b Apply troubleshooting methodologies
1.3.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
1.3.b (ii) Design and implement valid solutions according to constraints
1.3.b (iii) Verify and monitor resolution
1.3.c Interpret packet capture
1.3.c (i) Using Wireshark trace analyzer
1.3.c (ii) Using IOS embedded packet capture
13% 2.0 Layer 2 Technologies
2.1 LAN switching technologies
2.1.a Implement and troubleshoot switch administration
2.1.a (i) Managing MAC address table
2.1.a (ii) errdisable recovery
2.1.a (iii) L2 MTU
2.1.b Implement and troubleshoot layer 2 protocols
2.1.b (i) CDP, LLDP
2.1.b (ii) UDLD
2.1.c Implement and troubleshoot VLAN
2.1.c (i) Access ports
2.1.c (ii) VLAN database
2.1.c (iii) Normal, extended VLAN, voice VLAN
2.1.d Implement and troubleshoot trunking
2.1.d (i) VTPv1, VTPv2, VTPv3, VTP pruning
2.1.d (ii) dot1Q
2.1.d (iii) Native VLAN
2.1.d (iv) Manual pruning
2.1.e Implement and troubleshoot EtherChannel
2.1.e (i) LACP, PAgP, manual
2.1.e (ii) Layer 2, layer 3
2.1.e (iii) Load-balancing
2.1.e (iv) Etherchannel misconfiguration guard
2.1.f Implement and troubleshoot spanning-tree
2.1.f (i) PVST+/RPVST+/MST
2.1.f (ii) Switch priority, port priority, path cost, STP timers
2.1.f (iii) port fast, BPDUguard, BPDUfilter
2.1.f (iv) loopguard, rootguard
2.1.g Implement and troubleshoot other LAN switching technologies
2.1.g (i) SPAN, RSPAN, ERSPAN
2.1.h Describe chassis virtualization and aggregation technologies
2.1.h (i) Multichassis
2.1.h (ii) VSS concepts
2.1.h (iii) Alternative to STP
2.1.h (iv) Stackwise
2.1.h (v) Excluding specific platform implementation
2.1.i Describe spanning-tree concepts
2.1.i (i) Compatibility between MST and RSTP
2.1.i (ii) STP dispute, STP bridge assurance
2.2 Layer 2 multicast
2.2.a Implement and troubleshoot IGMP
2.2.a (i) IGMPv1, IGMPv2, IGMPv3
2.2.a (ii) IGMP snooping
2.2.a (iii) IGMP querier
2.2.a (iv) IGMP filter
2.2.a (v) IGMP proxy
2.2.b Explain MLD
2.2.c Explain PIM snooping
2.3 Layer 2 WAN circuit technologies
2.3.a Implement and troubleshoot HDLC
2.3.b Implement and troubleshoot PPP
2.3.b (i) Authentication (PAP, CHAP)
2.3.b (ii) PPPoE
2.3.b (iii) MLPPP
2.3.c Describe WAN rate-based ethernet circuits
2.3.c (i) Metro and WAN Ethernet topologies
2.3.c (ii) Use of rate-limited WAN ethernet services
37% 3.0 Layer 3 Technologies
3.1 Addressing technologies
3.1.a Identify, implement and troubleshoot IPv4 addressing and subnetting
3.1.a (i) Address types, VLSM
3.1.a (ii) ARP
3.1.b Identify, implement and troubleshoot IPv6 addressing and subnetting
3.1.b (i) Unicast, multicast
3.1.b (ii) EUI-64
3.1.b (iii) ND, RS/RA
3.1.b (iv) Autoconfig/SLAAC, temporary addresses (RFC4941)
3.1.b (v) Global prefix configuration feature
3.1.b (vi) DHCP protocol operations
3.1.b (vii) SLAAC/DHCPv6 interaction
3.1.b (viii) Stateful, stateless DHCPv6
3.1.b (ix) DHCPv6 prefix delegation
3.2 Layer 3 multicast
3.2.a Troubleshoot reverse path forwarding
3.2.a (i) RPF failure
3.2.a (ii) RPF failure with tunnel interface
3.2.b Implement and troubleshoot IPv4 protocol independent multicast
3.2.b (i) PIM dense mode, sparse mode, sparse-dense mode
3.2.b (ii) Static RP, auto-RP, BSR
3.2.b (iii) BiDirectional PIM
3.2.b (iv) Source-specific multicast
3.2.b (v) Group to RP mapping
3.2.b (vi) Multicast boundary
3.2.c Implement and troubleshoot multicast source discovery protocol
3.2.c (i) Intra-domain MSDP (anycast RP)
3.2.c (ii) SA filter
3.2.d Describe IPv6 multicast
3.2.d (i) IPv6 multicast addresses
3.2.d (ii) PIMv6
3.3 Fundamental routing concepts
3.3.a Implement and troubleshoot static routing
3.3.b Implement and troubleshoot default routing
3.3.c Compare routing protocol types
3.3.c (i) Distance vector
3.3.c (ii) Link state
3.3.c (iii) Path vector
3.3.d Implement, optimize and troubleshoot administrative distance
3.3.e Implement and troubleshoot passive interface
3.3.f Implement and troubleshoot VRF lite
3.3.g Implement, optimize and troubleshoot filtering with any routing protocol
3.3.h Implement, optimize and troubleshoot redistribution between any routing protocol
3.3.i Implement, optimize and troubleshoot manual and auto summarization with any routing protocol
3.3.j Implement, optimize and troubleshoot policy-based routing
3.3.k Identify and troubleshoot sub-optimal routing
3.3.l Implement and troubleshoot bidirectional forwarding detection
3.3.m Implement and troubleshoot loop prevention mechanisms
3.3.m (i) Route tagging, filtering
3.3.m (ii) Split horizon
3.3.m (iii) Route poisoning
3.3.n Implement and troubleshoot routing protocol authentication
3.3.n (i) MD5
3.3.n (ii) Key-chain
3.3.n (iii) EIGRP HMAC SHA2-256bit
3.3.n (iv) OSPFv2 SHA1-196bit
3.3.n (v) OSPFv3 IPsec authentication
3.4 RIP (v2 and v6)
3.4.a Implement and troubleshoot RIPv2
3.4.b Describe RIPv6 (RIPng)
3.5 EIGRP (for IPv4 and IPv6)
3.5.a Describe packet types
3.5.a (i) Packet types (hello, query, update, and such)
3.5.a (ii) Route types (internal, external)
3.5.b Implement and troubleshoot neighbor relationship
3.5.b (i) Multicast, unicast EIGRP peering
3.5.b (ii) OTP point-to-point peering
3.5.b (iii) OTP route-reflector peering
3.5.b (iv) OTP multiple service providers scenario
3.5.c Implement and troubleshoot loop free path selection
3.5.c (i) RD, FD, FC, successor, feasible successor
3.5.c (ii) Classic metric
3.5.c (iii) Wide metric
3.5.d Implement and troubleshoot operations
3.5.d (i) General operations
3.5.d (ii) Topology table, update, query, active, passive
3.5.d (iii) Stuck in active
3.5.d (iv) Graceful shutdown
3.5.e Implement and troubleshoot EIGRP stub
3.5.e (i) Stub
3.5.e (ii) Leak-map
3.5.f Implement and troubleshoot load-balancing
3.5.f (i) equal-cost
3.5.f (ii) unequal-cost
3.5.f (iii) add-path
3.5.g Implement EIGRP (multi-address) named mode
3.5.g (i) Types of families
3.5.g (ii) IPv4 address-family
3.5.g (iii) IPv6 address-family
3.5.h Implement, troubleshoot and optimize EIGRP convergence and scalability
3.5.h (i) Describe fast convergence requirements
3.5.h (ii) Control query boundaries
3.5.h (iii) IP FRR/fast reroute (single hop)
3.5.h (iv) Summary leak-map
3.5.h (v) Summary metric
3.6 OSPF (v2 and v3)
3.6.a Describe packet types
3.6.a (i) LSA types (1, 2, 3, 4, 5, 7, 9)
3.6.a (ii) Route types (N1, N2, E1, E2)
3.6.b Implement and troubleshoot neighbor relationship
3.6.c Implement and troubleshoot OSPFv3 address-family support
3.6.c (i) IPv4 address-family
3.6.c (ii) IPv6 address-family
3.6.d Implement and troubleshoot network types, area types and router types
3.6.d (i) Point-to-point, multipoint, broadcast, non-broadcast
3.6.d (ii) LSA types, area type: backbone, normal, transit, stub, NSSA, totally stub
3.6.d (iii) Internal router, ABR, ASBR
3.6.d (iv) Virtual link
3.6.e Implement and troubleshoot path preference
3.6.f Implement and troubleshoot operations
3.6.f (i) General operations
3.6.f (ii) Graceful shutdown
3.6.f (iii) GTSM (Generic TTL Security Mechanism)
3.6.g Implement, troubleshoot and optimize OSPF convergence and scalability
3.6.g (i) Metrics
3.6.g (ii) LSA throttling, SPF tuning, fast hello
3.6.g (iii) LSA propagation control (area types, ISPF)
3.6.g (iv) IP FRR/fast reroute (single hop)
3.6.g (v) LFA/loop-free alternative (multi hop)
3.6.g (vi) OSPFv3 prefix suppression
3.7 BGP
3.7.a Describe, implement and troubleshoot peer relationships
3.7.a (i) Peer-group, template
3.7.a (ii) Active, passive
3.7.a (iii) States, timers
3.7.a (iv) Dynamic neighbors
3.7.b Implement and troubleshoot IBGP and EBGP
3.7.b (i) EBGP, IBGP
3.7.b (ii) 4 bytes AS number
3.7.b (iii) Private AS
3.7.c Explain attributes and best-path selection
3.7.d Implement, optimize and troubleshoot routing policies
3.7.d (i) Attribute manipulation
3.7.d (ii) Conditional advertisement
3.7.d (iii) Outbound route filtering
3.7.d (iv) Communities, extended communities
3.7.d (v) Multi-homing
3.7.e Implement and troubleshoot scalability
3.7.e (i) Route-reflector, cluster
3.7.e (ii) Confederations
3.7.e (iii) Aggregation, AS set
3.7.f Implement and troubleshoot multiprotocol BGP
3.7.f (i) IPv4, IPv6, VPN address-family
3.7.g Implement and troubleshoot AS path manipulations
3.7.g (i) Local AS, allow AS in, remove private AS
3.7.g (ii) Prepend
3.7.g (iii) Regexp
3.7.h Implement and troubleshoot other features
3.7.h (i) Multipath
3.7.h (ii) BGP synchronization
3.7.h (iii) Soft reconfiguration, route refresh
3.7.i Describe BGP fast convergence features
3.7.i (i) Prefix independent convergence
3.7.i (ii) Add-path
3.7.i (iii) Next-hop address tracking
3.8 ISIS (for IPv4 and IPv6)
3.8.a Describe basic ISIS network
3.8.a (i) Single area, single topology
3.8.b Describe neighbor relationship
3.8.c Describe network types, levels and router types
3.8.c (i) NSAP addressing
3.8.c (ii) Point-to-point, broadcast
3.8.d Describe operations
3.8.e Describe optimization features
3.8.e (i) Metrics, wide metric
13% 4.0 VPN Technologies
4.1 Tunneling
4.1.a Implement and troubleshoot MPLS operations
4.1.a (i) Label stack, LSR, LSP
4.1.a (ii) LDP
4.1.a (iii) MPLS ping, MPLS traceroute
4.1.b Implement and troubleshoot basic MPLS L3VPN
4.1.b (i) L3VPN, CE, PE, P
4.1.b (ii) Extranet (route leaking)
4.1.c Implement and troubleshoot encapsulation
4.1.c (i) GRE
4.1.c (ii) Dynamic GRE
4.1.c (iii) LISP encapsulation principles supporting EIGRP OTP
4.1.d Implement and troubleshoot DMVPN (single hub)
4.1.d (i) NHRP
4.1.d (ii) DMVPN with IPsec using preshared key
4.1.d (iii) QoS profile
4.1.d (iv) Pre‐classify
4.1.e Describe IPv6 tunneling techniques
4.1.e (i) 6in4, 6to4
4.1.e (ii) ISATAP
4.1.e (iii) 6RD
4.1.e (iv) 6PE/6VPE
4.1.g Describe basic layer 2 VPN - wireline
4.1.g (i) L2TPv3 general principles
4.1.g (ii) ATOM general principles
4.1.h Describe basic L2VPN - LAN services
4.1.h (i) MPLS-VPLS general principles
4.1.h (ii) OTV general principles
4.2 Encryption
4.2.a Implement and troubleshoot IPsec with preshared key
4.2.a (i) IPv4 site to IPv4 site
4.2.a (ii) IPv6 in IPv4 tunnels
4.2.a (iii) Virtual tunneling Interface (VTI)
4.2.b Describe GET VPN
5% 5.0 Infrastructure Security
5.1 Device security
5.1.a Implement and troubleshoot IOS AAA using local database
5.1.b Implement and troubleshoot device access control
5.1.b (i) Lines (VTY, AUX, console)
5.1.b (ii) SNMP
5.1.b (iii) Management plane protection
5.1.b (iv) Password encryption
5.1.c Implement and troubleshoot control plane policing
5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS
5.1.d (i) AAA with TACACS+ and RADIUS
5.1.d (ii) Local privilege authorization fallback
5.2 Network security
5.2.a Implement and troubleshoot switch security features
5.2.a (i) VACL, PACL
5.2.a (ii) Stormcontrol
5.2.a (iii) DHCP snooping
5.2.a (iv) IP source-guard
5.2.a (v) Dynamic ARP inspection
5.2.a (vi) port-security
5.2.a (vii) Private VLAN
5.2.b Implement and troubleshoot router security features
5.2.b (i) IPv4 access control lists (standard, extended, time-based)
5.2.b (ii) IPv6 traffic filter
5.2.b (iii) Unicast reverse path forwarding
5.2.c Implement and troubleshoot IPv6 first hop security
5.2.c (i) RA guard
5.2.c (ii) DHCP guard
5.2.c (iii) Binding table
5.2.c (iv) Device tracking
5.2.c (v) ND inspection/snooping
5.2.c (vii) Source guard
5.2.c (viii) PACL
5.2.d Describe 802.1x
5.2.d (i) 802.1x, EAP, RADIUS
5.2.d (ii) MAC authentication bypass
12% 6.0 Infrastructure Services
6.1 System management
6.1.a Implement and troubleshoot device management
6.1.a (i) Console and VTY
6.1.a (ii) telnet, HTTP, HTTPS, SSH, SCP
6.1.a (iii) (T)FTP
6.1.b Implement and troubleshoot SNMP
6.1.b (i) v2c, v3
6.1.c Implement and troubleshoot logging
6.1.c (i) Local logging, syslog, debug, conditional debug
6.1.c (ii) Timestamp
6.2 Quality of service
6.2.a Implement and troubleshoot end-to-end QoS
6.2.a (i) CoS and DSCP mapping
6.2.b Implement, optimize and troubleshoot QoS using MQC
6.2.b (i) Classification
6.2.b (ii) Network based application recognition (NBAR)
6.2.b (iii) Marking using IP precedence, DSCP, CoS, ECN
6.2.b (iv) Policing, shaping
6.2.b (v) Congestion management (queuing)
6.2.b (vi) HQoS, sub‐rate ethernet link
6.2.b (vii) Congestion avoidance (WRED)
6.2.c Describe layer 2 QoS
6.2.c (i) Queuing, scheduling
6.2.c (ii) Classification, marking
6.3 Network services
6.3.a Implement and troubleshoot first‐hop redundancy protocols
6.3.a (i) HSRP, GLBP, VRRP
6.3.a (ii) Redundancy using IPv6 RS/RA
6.3.b Implement and troubleshoot network time protocol
6.3.b (i) NTP master, client, version 3, version 4
6.3.b (ii) NTP Authentication
6.3.c Implement and troubleshoot IPv4 and IPv6 DHCP
6.3.c (i) DHCP client, IOS DHCP server, DHCP relay
6.3.c (ii) DHCP options
6.3.c (iii) DHCP protocol operations
6.3.c (iv) SLAAC/DHCPv6 interaction
6.3.c (v) Stateful, stateless DHCPv6
6.3.c (vi) DHCPv6 prefix delegation
6.3.d Implement and troubleshoot IPv4 network address translation
6.3.d (i) Static NAT, dynamic NAT, policy‐based NAT, PAT
6.3.d (ii) NAT ALG
6.3.e Describe IPv6 network address translation
6.3.e (i) NAT64
6.3.e (ii) NPTv6
6.4 Network optimization
6.4.a Implement and troubleshoot IP SLA
6.4.a (i) ICMP, UDP, Jitter, VoIP
6.4.b Implement and troubleshoot tracking object
6.4.b (i) Tracking object, tracking list
6.4.b (ii) Tracking different entities (e.g. interfaces, routes, IPSLA, and such)
6.4.c Implement and troubleshoot netflow
6.4.c (i) Netflow v5, v9
6.4.c (ii) Local retrieval
6.4.c (iii) Export (configuration only)
6.4.d Implement and troubleshoot embedded event manager
6.4.d (i) EEM policy using applet
6.4.e Identify performance routing (PfR)
6.4.e (i) Basic load balancing
6.4.e (ii) Voice optimization
10% 7.0 Evolving Technologies
7.1 Cloud
7.1.a Compare and contrast Cloud deployment models
7.1.a (i) Infrastructure, platform, and software services (XaaS)
7.1.a (ii) Performance and reliability
7.1.a (iii) Security and privacy
7.1.a (iv) Scalability and interoperability
7.1.b Describe Cloud implementations and operations
7.1.b (i) Automation and orchestration
7.1.b (ii) Workload mobility
7.1.b (iii) Troubleshooting and management
7.1.b (iv) OpenStack components
7.2 Network programmability (SDN)
7.2.a Describe functional elements of network programmability (SDN) and how they
interact
7.2.a (i) Controllers
7.2.a (ii) APIs
7.2.a (iii) Scripting
7.2.a (iv) Agents
7.2.a (v) Northbound vs. Southbound protocols
7.2.b Describe aspects of virtualization and automation in network environments
7.2.b (i) DevOps methodologies, tools and workflows
7.2.b (ii) Network/application function virtualization (NFV, AFV)
7.2.b (iii) Service function chaining
7.2.b (iv) Performance, availability, and scaling considerations
7.3 Internet of Things
7.3.a Describe architectural framework and deployment considerations for Internet of
Things (IoT)
7.3.a (i) Performance, reliability and scalability
7.3.a (ii) Mobility
7.3.a (iii) Security and privacy
7.3.a (iv) Standards and compliance
7.3.a (v) Migration
7.3.a (vi) Environmental impacts on the network

Thanks…

CCIE R&S v5.0 Written and Lab Topics

With effect from July 26th 2016, Cisco is changing the CCIE R&S exam.

Following is the list of existing topics for the v5.0 exam; the next post will cover the v5.1 topics.

https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching/written_exam_v5/exam-topics

https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching/lab_exam_v5/exam-topics

Written Topics:
============

10% 1.0 Network Principles
1.1 Network theory
1.1.a Describe basic software architecture differences between IOS and IOS XE
1.1.a (i) Control plane and Forwarding plane
1.1.a (ii) Impact to troubleshooting and performances
1.1.a (iii) Excluding specific platform’s architecture
1.1.b Identify Cisco express forwarding concepts
1.1.b (i) RIB, FIB, LFIB, Adjacency table
1.1.b (ii) Load balancing Hash
1.1.b (iii) Polarization concept and avoidance
1.1.c Explain general network challenges
1.1.c (i) Unicast flooding
1.1.c (ii) Out of order packets
1.1.c (iii) Asymmetric routing
1.1.c (iv) Impact of micro burst
1.1.d Explain IP operations
1.1.d (i) ICMP unreachable, redirect
1.1.d (ii) IPv4 options, IPv6 extension headers
1.1.d (iii) IPv4 and IPv6 fragmentation
1.1.d (iv) TTL
1.1.d (v) IP MTU
1.1.e Explain TCP operations
1.1.e (i) IPv4 and IPv6 PMTU
1.1.e (ii) MSS
2013 Cisco Systems, Inc. This document is Cisco Public. Page 2
1.1.e (iii) Latency
1.1.e (iv) Windowing
1.1.e (v) Bandwidth delay product
1.1.e (vi) Global synchronization
1.1.e (vii) Options
1.1.f Explain UDP operations
1.1.f (i) Starvation
1.1.f (ii) Latency
1.1.f (iii) RTP/RTCP concepts
1.2 Network implementation and operation
1.2.a Evaluate proposed changes to a network
1.2.a (i) Changes to routing protocol parameters
1.2.a (ii) Migrate parts of a network to IPv6
1.2.a (iii) Routing protocol migration
1.2.a (iv) Adding multicast support
1.2.a (v) Migrate spanning tree protocol
1.2.a (vi) Evaluate impact of new traffic on existing QoS design
1.3 Network troubleshooting
1.3.a Use IOS troubleshooting tools
1.3.a (i) debug, conditional debug
1.3.a (ii) ping, traceroute with extended options
1.3.a (iii) Embedded packet capture
1.3.a (iv) Performance monitor
1.3.b Apply troubleshooting methodologies
1.3.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
1.3.b (ii) Design and implement valid solutions according to constraints
1.3.b (iii) Verify and monitor resolution
1.3.c Interpret packet capture
1.3.c (i) Using Wireshark trace analyzer
1.3.c (ii) Using IOS embedded packet capture
15% 2.0 Layer 2 Technologies
2.1 LAN switching technologies
2.1.a Implement and troubleshoot switch administration
2.1.a (i) Managing MAC address table
2.1.a (ii) errdisable recovery
2.1.a (iii) L2 MTU
2.1.b Implement and troubleshoot layer 2 protocols
2.1.b (i) CDP, LLDP
2.1.b (ii) UDLD
2.1.c Implement and troubleshoot VLAN
2.1.c (i) Access ports
2.1.c (ii) VLAN database
2.1.c (iii) Normal, extended VLAN, voice VLAN
2.1.d Implement and troubleshoot trunking
2.1.d (i) VTPv1, VTPv2, VTPv3, VTP pruning
2.1.d (ii) dot1Q
2.1.d (iii) Native VLAN
2.1.d (iv) Manual pruning
2.1.e Implement and troubleshoot EtherChannel
2.1.e (i) LACP, PAgP, manual
2.1.e (ii) Layer 2, layer 3
2.1.e (iii) Load-balancing
2.1.e (iv) Etherchannel misconfiguration guard
2.1.f Implement and troubleshoot spanning-tree
2.1.f (i) PVST+/RPVST+/MST
2.1.f (ii) Switch priority, port priority, path cost, STP timers
2.1.f (iii) port fast, BPDUguard, BPDUfilter
2.1.f (iv) loopguard, rootguard
2.1.g Implement and troubleshoot other LAN switching technologies
2.1.g (i) SPAN, RSPAN, ERSPAN
2.1.h Describe chassis virtualization and aggregation technologies
2.1.h (i) Multichassis
2.1.h (ii) VSS concepts
2.1.h (iii) Alternative to STP
2.1.h (iv) Stackwise
2.1.h (v) Excluding specific platform implementation
2.1.i Describe spanning-tree concepts
2.1.i (i) Compatibility between MST and RSTP
2.1.i (ii) STP dispute, STP bridge assurance
2.2 Layer 2 multicast
2.2.a Implement and troubleshoot IGMP
2.2.a (i) IGMPv1, IGMPv2, IGMPv3
2.2.a (ii) IGMP snooping
2.2.a (iii) IGMP querier
2.2.a (iv) IGMP filter
2.2.a (v) IGMP proxy
2.2.b Explain MLD
2.2.c Explain PIM snooping
2.3 Layer 2 WAN circuit technologies
2.3.a Implement and troubleshoot HDLC
2.3.b Implement and troubleshoot PPP
2.3.b (i) Authentication (PAP, CHAP)
2.3.b (ii) PPPoE
2.3.b (iii) MLPPP
2.3.c Describe WAN rate-based ethernet circuits
2.3.c (i) Metro and WAN Ethernet topologies
2.3.c (ii) Use of rate-limited WAN ethernet services
40% 3.0 Layer 3 Technologies
3.1 Addressing technologies
3.1.a Identify, implement and troubleshoot IPv4 addressing and subnetting
3.1.a (i) Address types, VLSM
3.1.a (ii) ARP
3.1.b Identify, implement and troubleshoot IPv6 addressing and subnetting
3.1.b (i) Unicast, multicast
3.1.b (ii) EUI-64
3.1.b (iii) ND, RS/RA
3.1.b (iv) Autoconfig/SLAAC, temporary addresses (RFC4941)
3.1.b (v) Global prefix configuration feature
3.1.b (vi) DHCP protocol operations
3.1.b (vii) SLAAC/DHCPv6 interaction
3.1.b (viii) Stateful, stateless DHCPv6
3.1.b (ix) DHCPv6 prefix delegation
3.2 Layer 3 multicast
3.2.a Troubleshoot reverse path forwarding
3.2.a (i) RPF failure
3.2.a (ii) RPF failure with tunnel interface
3.2.b Implement and troubleshoot IPv4 protocol independent multicast
3.2.b (i) PIM dense mode, sparse mode, sparse-dense mode
3.2.b (ii) Static RP, auto-RP, BSR
3.2.b (iii) BiDirectional PIM
3.2.b (iv) Source-specific multicast
3.2.b (v) Group to RP mapping
3.2.b (vi) Multicast boundary
3.2.c Implement and troubleshoot multicast source discovery protocol
3.2.c (i) Intra-domain MSDP (anycast RP)
3.2.c (ii) SA filter
3.2.d Describe IPv6 multicast
3.2.d (i) IPv6 multicast addresses
3.2.d (ii) PIMv6
3.3 Fundamental routing concepts
3.3.a Implement and troubleshoot static routing
3.3.b Implement and troubleshoot default routing
3.3.c Compare routing protocol types
3.3.c (i) Distance vector
3.3.c (ii) Link state
3.3.c (iii) Path vector
3.3.d Implement, optimize and troubleshoot administrative distance
3.3.e Implement and troubleshoot passive interface
3.3.f Implement and troubleshoot VRF lite
3.3.g Implement, optimize and troubleshoot filtering with any routing protocol
3.3.h Implement, optimize and troubleshoot redistribution between any routing protocol
3.3.i Implement, optimize and troubleshoot manual and auto summarization with any routing protocol
3.3.j Implement, optimize and troubleshoot policy-based routing
3.3.k Identify and troubleshoot sub-optimal routing
3.3.l Implement and troubleshoot bidirectional forwarding detection
3.3.m Implement and troubleshoot loop prevention mechanisms
3.3.m (i) Route tagging, filtering
3.3.m (ii) Split horizon
3.3.m (iii) Route poisoning
3.3.n Implement and troubleshoot routing protocol authentication
3.3.n (i) MD5
3.3.n (ii) Key-chain
3.3.n (iii) EIGRP HMAC SHA2-256bit
3.3.n (iv) OSPFv2 SHA1-196bit
3.3.n (v) OSPFv3 IPsec authentication
3.4 RIP (v2 and v6)
3.4.a Implement and troubleshoot RIPv2
3.4.b Describe RIPv6 (RIPng)
3.5 EIGRP (for IPv4 and IPv6)
3.5.a Describe packet types
3.5.a (i) Packet types (hello, query, update, and such)
3.5.a (ii) Route types (internal, external)
3.5.b Implement and troubleshoot neighbor relationship
3.5.b (i) Multicast, unicast EIGRP peering
3.5.b (ii) OTP point-to-point peering
3.5.b (iii) OTP route-reflector peering
3.5.b (iv) OTP multiple service providers scenario
3.5.c Implement and troubleshoot loop free path selection
3.5.c (i) RD, FD, FC, successor, feasible successor
3.5.c (ii) Classic metric
3.5.c (iii) Wide metric
3.5.d Implement and troubleshoot operations
3.5.d (i) General operations
3.5.d (ii) Topology table, update, query, active, passive
3.5.d (iii) Stuck in active
3.5.d (iv) Graceful shutdown
3.5.e Implement and troubleshoot EIGRP stub
3.5.e (i) Stub
3.5.e (ii) Leak-map
3.5.f Implement and troubleshoot load-balancing
3.5.f (i) equal-cost
3.5.f (ii) unequal-cost
3.5.f (iii) add-path
3.5.g Implement EIGRP (multi-address) named mode
3.5.g (i) Types of families
3.5.g (ii) IPv4 address-family
3.5.g (iii) IPv6 address-family
3.5.h Implement, troubleshoot and optimize EIGRP convergence and scalability
3.5.h (i) Describe fast convergence requirements
3.5.h (ii) Control query boundaries
3.5.h (iii) IP FRR/fast reroute (single hop)
3.5.h (iv) Summary leak-map
3.5.h (v) Summary metric
3.6 OSPF (v2 and v3)
3.6.a Describe packet types
3.6.a (i) LSA types (1, 2, 3, 4, 5, 7, 9)
3.6.a (ii) Route types (N1, N2, E1, E2)
3.6.b Implement and troubleshoot neighbor relationship
3.6.c Implement and troubleshoot OSPFv3 address-family support
3.6.c (i) IPv4 address-family
3.6.c (ii) IPv6 address-family
3.6.d Implement and troubleshoot network types, area types and router types
3.6.d (i) Point-to-point, multipoint, broadcast, non-broadcast
3.6.d (ii) LSA types, area type: backbone, normal, transit, stub, NSSA, totally stub
3.6.d (iii) Internal router, ABR, ASBR
3.6.d (iv) Virtual link
3.6.e Implement and troubleshoot path preference
3.6.f Implement and troubleshoot operations
3.6.f (i) General operations
3.6.f (ii) Graceful shutdown
3.6.f (iii) GTSM (Generic TTL Security Mechanism)
3.6.g Implement, troubleshoot and optimize OSPF convergence and scalability
3.6.g (i) Metrics
3.6.g (ii) LSA throttling, SPF tuning, fast hello
3.6.g (iii) LSA propagation control (area types, ISPF)
3.6.g (iv) IP FRR/fast reroute (single hop)
3.6.g (v) LFA/loop-free alternative (multi hop)
3.6.g (vi) OSPFv3 prefix suppression
3.7 BGP
3.7.a Describe, implement and troubleshoot peer relationships
3.7.a (i) Peer-group, template
3.7.a (ii) Active, passive
3.7.a (iii) States, timers
3.7.a (iv) Dynamic neighbors
3.7.b Implement and troubleshoot IBGP and EBGP
3.7.b (i) EBGP, IBGP
3.7.b (ii) 4 bytes AS number
3.7.b (iii) Private AS
3.7.c Explain attributes and best-path selection
3.7.d Implement, optimize and troubleshoot routing policies
3.7.d (i) Attribute manipulation
3.7.d (ii) Conditional advertisement
3.7.d (iii) Outbound route filtering
3.7.d (iv) Communities, extended communities
3.7.d (v) Multi-homing
3.7.e Implement and troubleshoot scalability
3.7.e (i) Route-reflector, cluster
3.7.e (ii) Confederations
3.7.e (iii) Aggregation, AS set
3.7.f Implement and troubleshoot multiprotocol BGP
3.7.f (i) IPv4, IPv6, VPN address-family
3.7.g Implement and troubleshoot AS path manipulations
3.7.g (i) Local AS, allow AS in, remove private AS
3.7.g (ii) Prepend
3.7.g (iii) Regexp
3.7.h Implement and troubleshoot other features
3.7.h (i) Multipath
3.7.h (ii) BGP synchronization
3.7.h (iii) Soft reconfiguration, route refresh
3.7.i Describe BGP fast convergence features
3.7.i (i) Prefix independent convergence
3.7.i (ii) Add-path
3.7.i (iii) Next-hop address tracking
3.8 ISIS (for IPv4 and IPv6)
3.8.a Describe basic ISIS network
3.8.a (i) Single area, single topology
3.8.b Describe neighbor relationship
3.8.c Describe network types, levels and router types
3.8.c (i) NSAP addressing
3.8.c (ii) Point-to-point, broadcast
3.8.d Describe operations
3.8.e Describe optimization features
3.8.e (i) Metrics, wide metric
15% 4.0 VPN Technologies
4.1 Tunneling
4.1.a Implement and troubleshoot MPLS operations
4.1.a (i) Label stack, LSR, LSP
4.1.a (ii) LDP
4.1.a (iii) MPLS ping, MPLS traceroute
4.1.b Implement and troubleshoot basic MPLS L3VPN
4.1.b (i) L3VPN, CE, PE, P
4.1.b (ii) Extranet (route leaking)
4.1.c Implement and troubleshoot encapsulation
4.1.c (i) GRE
4.1.c (ii) Dynamic GRE
4.1.c (iii) LISP encapsulation principles supporting EIGRP OTP
4.1.d Implement and troubleshoot DMVPN (single hub)
4.1.d (i) NHRP
4.1.d (ii) DMVPN with IPsec using pre-shared key
4.1.d (iii) QoS profile
4.1.d (iv) Pre-classify
4.1.e Describe IPv6 tunneling techniques
4.1.e (i) 6in4, 6to4
4.1.e (ii) ISATAP
4.1.e (iii) 6RD
4.1.e (iv) 6PE/6VPE
4.1.g Describe basic layer 2 VPN — wireline
4.1.g (i) L2TPv3 general principles
4.1.g (ii) ATOM general principles
4.1.h Describe basic L2VPN — LAN services
4.1.h (i) MPLS-VPLS general principles
4.1.h (ii) OTV general principles
4.2 Encryption
4.2.a Implement and troubleshoot IPsec with pre-shared key
4.2.a (i) IPv4 site to IPv4 site
4.2.a (ii) IPv6 in IPv4 tunnels
4.2.a (iii) Virtual tunneling Interface (VTI)
4.2.b Describe GET VPN
5% 5.0 Infrastructure Security
5.1 Device security
5.1.a Implement and troubleshoot IOS AAA using local database
5.1.b Implement and troubleshoot device access control
5.1.b (i) Lines (VTY, AUX, console)
5.1.b (ii) SNMP
5.1.b (iii) Management plane protection
5.1.b (iv) Password encryption
5.1.c Implement and troubleshoot control plane policing
5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS
5.1.d (i) AAA with TACACS+ and RADIUS
5.1.d (ii) Local privilege authorization fallback
5.2 Network security
5.2.a Implement and troubleshoot switch security features
5.2.a (i) VACL, PACL
5.2.a (ii) Stormcontrol
5.2.a (iii) DHCP snooping
5.2.a (iv) IP source-guard
5.2.a (v) Dynamic ARP inspection
5.2.a (vi) port-security
5.2.a (vii) Private VLAN
5.2.b Implement and troubleshoot router security features
5.2.b (i) IPv4 access control lists (standard, extended, time-based)
5.2.b (ii) IPv6 traffic filter
5.2.b (iii) Unicast reverse path forwarding
5.2.c Implement and troubleshoot IPv6 first hop security
5.2.c (i) RA guard
5.2.c (ii) DHCP guard
5.2.c (iii) Binding table
5.2.c (iv) Device tracking
5.2.c (v) ND inspection/snooping
5.2.c (vii) Source guard
5.2.c (viii) PACL
5.2.d Describe 802.1x
5.2.d (i) 802.1x, EAP, RADIUS
5.2.d (ii) MAC authentication bypass
15% 6.0 Infrastructure Services
6.1 System management
6.1.a Implement and troubleshoot device management
6.1.a (i) Console and VTY
6.1.a (ii) telnet, HTTP, HTTPS, SSH, SCP
6.1.a (iii) (T)FTP
6.1.b Implement and troubleshoot SNMP
6.1.b (i) v2c, v3
6.1.c Implement and troubleshoot logging
6.1.c (i) Local logging, syslog, debug, conditional debug
6.1.c (ii) Timestamp
6.2 Quality of service
6.2.a Implement and troubleshoot end-to-end QoS
6.2.a (i) CoS and DSCP mapping
6.2.b Implement, optimize and troubleshoot QoS using MQC
6.2.b (i) Classification
6.2.b (ii) Network based application recognition (NBAR)
6.2.b (iii) Marking using IP precedence, DSCP, CoS, ECN
6.2.b (iv) Policing, shaping
6.2.b (v) Congestion management (queuing)
6.2.b (vi) HQoS, sub-rate ethernet link
6.2.b (vii) Congestion avoidance (WRED)
6.2.c Describe layer 2 QoS
6.2.c (i) Queuing, scheduling
6.2.c (ii) Classification, marking
6.3 Network services
6.3.a Implement and troubleshoot first-hop redundancy protocols
6.3.a (i) HSRP, GLBP, VRRP
6.3.a (ii) Redundancy using IPv6 RS/RA
6.3.b Implement and troubleshoot network time protocol
6.3.b (i) NTP master, client, version 3, version 4
6.3.b (ii) NTP Authentication
6.3.c Implement and troubleshoot IPv4 and IPv6 DHCP
6.3.c (i) DHCP client, IOS DHCP server, DHCP relay
6.3.c (ii) DHCP options
6.3.c (iii) DHCP protocol operations
6.3.c (iv) SLAAC/DHCPv6 interaction
6.3.c (v) Stateful, stateless DHCPv6
6.3.c (vi) DHCPv6 prefix delegation
6.3.d Implement and troubleshoot IPv4 network address translation
6.3.d (i) Static NAT, dynamic NAT, policy-based NAT, PAT
6.3.d (ii) NAT ALG
6.3.e Describe IPv6 network address translation
6.3.e (i) NAT64
6.3.e (ii) NPTv6
6.4 Network optimization
6.4.a Implement and troubleshoot IP SLA
6.4.a (i) ICMP, UDP, Jitter, VoIP
6.4.b Implement and troubleshoot tracking object
6.4.b (i) Tracking object, tracking list
6.4.b (ii) Tracking different entities (e.g. interfaces, routes, IPSLA, and such)
6.4.c Implement and troubleshoot netflow
6.4.c (i) Netflow v5, v9
6.4.c (ii) Local retrieval
6.4.c (iii) Export (configuration only)
6.4.d Implement and troubleshoot embedded event manager
6.4.d (i) EEM policy using applet
6.4.e Identify performance routing (PfR)
6.4.e (i) Basic load balancing
6.4.e (ii) Voice optimization

LAB Topics:
==========

20% 1.0 Layer 2 Technologies
1.1 LAN switching technologies
1.1.a Implement and troubleshoot switch administration
1.1.a (i) Managing MAC address table
1.1.a (ii) errdisable recovery
1.1.a (iii) L2 MTU
1.1.b Implement and troubleshoot layer 2 protocols
1.1.b (i) CDP, LLDP
1.1.b (ii) UDLD
1.1.c Implement and troubleshoot VLAN
1.1.c (i) access ports
1.1.c (ii) VLAN database
1.1.c (iii) normal, extended VLAN, voice VLAN
1.1.d Implement and troubleshoot trunking
1.1.d (i) VTPv1, VTPv2, VTPv3, VTP pruning
1.1.d (ii) dot1Q
1.1.d (iii) Native VLAN
1.1.d (iv) Manual pruning
1.1.e Implement and troubleshoot etherchannel
1.1.e (i) LACP, PAgP, manual
1.1.e (ii) layer 2, layer 3
1.1.e (iii) load-balancing
1.1.e (iv) etherchannel misconfiguration guard
1.1.f Implement and troubleshoot spanning-tree
1.1.f (i) PVST+/RPVST+/MST
1.1.f (ii) switch priority, port priority, path cost, STP timers
1.1.f (iii) port fast, BPDUguard, BPDUfilter
1.1.f (iv) loopguard, rootguard
1.1.g Implement and troubleshoot other LAN switching technologies
1.1.g (i) SPAN, RSPAN, ERSPAN
1.2 Layer 2 Multicast
1.2.a Implement and troubleshoot IGMP
1.2.a (i) IGMPv1, IGMPv2, IGMPv3
1.2.a (ii) IGMP snooping
1.2.a (iii) IGMP querier
1.2.a (iv) IGMP filter
1.2.a (v) IGMP proxy
1.3 Layer 2 WAN circuit technologies
1.3.a Implement and troubleshoot HDLC
1.3.b Implement and troubleshoot PPP
1.3.b (i) authentication (PAP, CHAP)
1.3.b (ii) PPPoE
1.3.b (iii) MLPPP
1.4 Troubleshooting layer 2 technologies
1.4.a Use IOS troubleshooting tools
1.4.a (i) debug, conditional debug
1.4.a (ii) ping, traceroute with extended options
1.4.a (iii) Embedded packet capture
1.4.b Apply troubleshooting methodologies
1.4.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
1.4.b (ii) Design and implement valid solutions according to constraints
1.4.b (iii) Verify and monitor resolution
1.4.c Interpret packet capture
1.4.c (i) Using wireshark trace analyzer
1.4.c (ii) Using IOS embedded packet capture
40% 2.0 Layer 3 Technologies
2.1 Addressing technologies
2.1.a Identify, implement and troubleshoot IPv4 addressing and sub-netting
2.1.a (i) Address types, VLSM
2.1.a (ii) ARP
2.1.b Identify, implement and troubleshoot IPv6 addressing and sub-netting
2.1.b (i) Unicast, multicast
2.1.b (ii) EUI-64
2.1.b (iii) ND, RS/RA
2.1.b (iv) Autoconfig/SLAAC temporary addresses (RFC4941)
2.1.b (v) Global prefix configuration feature
2.2 Layer 3 Multicast
2.2.a Troubleshoot reverse path forwarding
2.2.a (i) RPF failure
2.2.a (ii) RPF failure with tunnel interface
2.2.b Implement and troubleshoot IPv4 protocol independent multicast
2.2.b (i) PIM dense mode, sparse mode, sparse-dense mode
2.2.b (ii) Static RP, auto-RP, BSR
2.2.b (iii) Bidirectional PIM
2.2.b (iv) Source-specific multicast
2.2.b (v) Group to RP mapping
2.2.b (vi) Multicast boundary
2.2.c Implement and troubleshoot multicast source discovery protocol
2.2.c (i) Intra-domain MSDP (anycast RP)
2.2.c (ii) SA filter
2.3 Fundamental routing concepts
2.3.a Implement and troubleshoot static routing
2.3.b Implement and troubleshoot default routing
2.3.c Compare routing protocol types
2.3.c (i) distance vector
2.3.c (ii) link state
2.3.c (iii) path vector
2.3.d Implement, optimize and troubleshoot administrative distance
2.3.e Implement and troubleshoot passive interface
2.3.f Implement and troubleshoot VRF lite
2.3.g Implement, optimize and troubleshoot filtering with any routing protocol
2.3.h Implement, optimize and troubleshoot redistribution between any routing protocol
2.3.i Implement, optimize and troubleshoot manual and auto summarization with any routing protocol
2.3.j Implement, optimize and troubleshoot policy-based routing
2.3.k Identify and troubleshoot sub-optimal routing
2.3.l Implement and troubleshoot bidirectional forwarding detection
2.3.m Implement and troubleshoot loop prevention mechanisms
2.3.m (i) Route tagging, filtering
2.3.m (ii) Split horizon
2.3.m (iii) Route poisoning
2.3.n Implement and troubleshoot routing protocol authentication
2.3.n (i) MD5
2.3.n (ii) key-chain
2.3.n (iii) EIGRP HMAC SHA2-256bit
2.3.n (iv) OSPFv2 SHA1-196bit
2.3.n (v) OSPFv3 IPsec authentication
2.4 RIP v2
2.4.a Implement and troubleshoot RIPv2
2.5 EIGRP (for IPv4 and IPv6)
2.5.a Describe packet types
2.5.a (i) Packet types (hello, query, update, and such)
2.5.a (ii) Route types (internal, external)
2.5.b Implement and troubleshoot neighbor relationship
2.5.b (i) Multicast, unicast EIGRP peering
2.5.c Implement and troubleshoot loop free path selection
2.5.c (i) RD, FD, FC, successor, feasible successor
2.5.c (ii) Classic metric
2.5.c (iii) Wide metric
2.5.d Implement and troubleshoot operations
2.5.d (i) General operations
2.5.d (ii) Topology table, update, query, active, passive
2.5.d (iii) Stuck in active
2.5.d (iv) Graceful shutdown
2.5.e Implement and troubleshoot EIGRP stub
2.5.e (i) stub
2.5.e (ii) leak-map
2.5.f Implement and troubleshoot load-balancing
2.5.f (i) equal-cost
2.5.f (ii) unequal-cost
2.5.f (iii) add-path
2.5.g Implement EIGRP (multi-address) named mode
2.5.g (i) Types of families
2.5.g (ii) IPv4 address-family
2.5.g (iii) IPv6 address-family
2.5.h Implement, troubleshoot and optimize EIGRP convergence and scalability
2.5.h (i) Describe fast convergence requirements
2.5.h (ii) Control query boundaries
2.5.h (iii) IP FRR/fast reroute (single hop)
2.5.h (iv) Summary leak-map
2.5.h (v) Summary metric
2.6 OSPF (v2 and v3)
2.6.a Describe packet types
2.6.a (i) LSA types (1, 2, 3, 4, 5, 7, 9)
2.6.a (ii) Route types (N1, N2, E1, E2)
2.6.b Implement and troubleshoot neighbor relationship
2.6.c Implement and troubleshoot OSPFv3 address-family support
2.6.c (i) IPv4 address-family
2.6.c (ii) IPv6 address-family
2.6.d Implement and troubleshoot network types, area types and router types
2.6.d (i) Point-to-point, multipoint, broadcast, non-broadcast
2.6.d (ii) LSA types, area type: backbone, normal, transit, stub, NSSA, totally stub
2.6.d (iii) Internal router, ABR, ASBR
2.6.d (iv) Virtual link
2.6.e Implement and troubleshoot path preference
2.6.f Implement and troubleshoot operations
2.6.f (i) General operations
2.6.f (ii) Graceful shutdown
2.6.f (iii) GTSM (generic TTL security mechanism)
2.6.g Implement, troubleshoot and optimize OSPF convergence and scalability
2.6.g (i) Metrics
2.6.g (ii) LSA throttling, SPF tuning, fast hello
2.6.g (iii) LSA propagation control (area types, ISPF)
2.6.g (iv) IP FRR/fast reroute (single hop)
2.6.g (v) LFA/loop-free alternative (multi hop)
2.6.g (vi) OSPFv3 prefix suppression
2.7 BGP
2.7.a Describe, implement and troubleshoot peer relationships
2.7.a (i) Peer-group, template
2.7.a (ii) Active, passive
2.7.a (iii) States, timers
2.7.a (iv) Dynamic neighbors
2.7.b Implement and troubleshoot IBGP and EBGP
2.7.b (i) EBGP, IBGP
2.7.b (ii) 4 bytes AS number
2.7.b (iii) Private AS
2.7.c Explain attributes and best-path selection
2.7.d Implement, optimize and troubleshoot routing policies
2.7.d (i) Attribute manipulation
2.7.d (ii) Conditional advertisement
2.7.d (iii) Outbound route filtering
2.7.d (iv) Communities, extended communities
2.7.d (v) Multi-homing
2.7.e Implement and troubleshoot scalability
2.7.e (i) Route-reflector, cluster
2.7.e (ii) Confederations
2.7.e (iii) Aggregation, AS set
2.7.f Implement and troubleshoot multi-protocol BGP
2.7.f (i) IPv4, IPv6, VPN address-family
2.7.g Implement and troubleshoot AS path manipulations
2.7.g (i) Local AS, allow AS in, remove private AS
2.7.g (ii) Prepend
2.7.g (iii) Regexp
2.7.h Implement and troubleshoot other features
2.7.h (i) Multipath
2.7.h (ii) BGP synchronization
2.7.h (iii) Soft reconfiguration, route refresh
2.8 Troubleshooting layer 3 technologies
2.8.a Use IOS troubleshooting tools
2.8.a (i) debug, conditional debug
2.8.a (ii) ping, traceroute with extended options
2.8.a (iii) Embedded packet capture
2.8.b Apply troubleshooting methodologies
2.8.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
2.8.b (ii) Design and implement valid solutions according to constraints
2.8.b (iii) Verify and monitor resolution
2.8.c Interpret packet capture
2.8.c (i) Using wireshark trace analyzer
2.8.c (ii) Using IOS embedded packet capture
20% 3.0 VPN Technologies
3.1 Tunneling
3.1.a Implement and troubleshoot MPLS operations
3.1.a (i) Label stack, LSR, LSP
3.1.a (ii) LDP
3.1.a (iii) MPLS ping, MPLS traceroute
3.1.b Implement and troubleshoot basic MPLS L3VPN
3.1.b (i) L3VPN, CE, PE, P
3.1.b (ii) Extranet (route leaking)
3.1.c Implement and troubleshoot encapsulation
3.1.c (i) GRE
3.1.c (ii) Dynamic GRE
3.1.d Implement and troubleshoot DMVPN (single hub)
3.1.d (i) NHRP
3.1.d (ii) DMVPN with IPsec using preshared key
3.1.d (iii) QoS profile
3.1.d (iv) Pre-classify
3.2 Encryption
3.2.a Implement and troubleshoot IPsec with preshared key
3.2.a (i) IPv4 site to IPv4 site
3.2.a (ii) IPv6 in IPv4 tunnels
3.2.a (iii) Virtual tunneling interface (VTI)
3.3 Troubleshooting VPN technologies
3.3.a Use IOS troubleshooting tools
3.3.a (i) debug, conditional debug
3.3.a (ii) ping, traceroute with extended options
3.3.a (iii) Embedded packet capture
3.3.b Apply troubleshooting methodologies
3.3.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
3.3.b (ii) Design and implement valid solutions according to constraints
3.3.b (iii) Verify and monitor resolution
3.3.c Interpret packet capture
3.3.c (i) Using wireshark trace analyzer
3.3.c (ii) Using IOS embedded packet capture
5% 4.0 Infrastructure Security
4.1 Device security
4.1.a Implement and troubleshoot IOS AAA using local database
4.1.b Implement and troubleshoot device access control
4.1.b (i) Lines (VTY, AUX, console)
4.1.b (ii) SNMP
4.1.b (iii) Management plane protection
4.1.b (iv) Password encryption
4.1.c Implement and troubleshoot control plane policing
4.2 Network security
4.2.a Implement and troubleshoot switch security features
4.2.a (i) VACL, PACL
4.2.a (ii) Stormcontrol
4.2.a (iii) DHCP snooping
4.2.a (iv) IP source-guard
4.2.a (v) Dynamic ARP inspection
4.2.a (vi) Port-security
4.2.a (vii) Private VLAN
4.2.b Implement and troubleshoot router security features
4.2.b (i) IPv4 access control lists (standard, extended, time-based)
4.2.b (ii) IPv6 traffic filter
4.2.b (iii) Unicast reverse path forwarding
4.2.c Implement and troubleshoot IPv6 first hop security
4.2.c (i) RA guard
4.2.c (ii) DHCP guard
4.2.c (iii) Binding table
4.2.c (iv) Device tracking
4.2.c (v) ND inspection/snooping
4.2.c (vi) Source guard
4.2.c (vii) PACL
4.3 Troubleshooting infrastructure security
4.3.a Use IOS troubleshooting tools
4.3.a (i) debug, conditional debug
4.3.a (ii) ping, traceroute with extended options
4.3.a (iii) Embedded packet capture
4.3.b Apply troubleshooting methodologies
4.3.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
4.3.b (ii) Design and implement valid solutions according to constraints
4.3.b (iii) Verify and monitor resolution
4.3.c Interpret packet capture
4.3.c (i) Using wireshark trace analyzer
4.3.c (ii) Using IOS embedded packet capture
15% 5.0 Infrastructure Services
5.1 System management
5.1.a Implement and troubleshoot device management
5.1.a (i) Console and VTY
5.1.a (ii) telnet, HTTP, HTTPS, SSH, SCP
5.1.a (iii) (T)FTP
5.1.b Implement and troubleshoot SNMP
5.1.b (i) v2c, v3
5.1.c Implement and troubleshoot logging
5.1.c (i) Local logging, syslog, debug, conditional debug
5.1.c (ii) Timestamp
5.2 Quality of service
5.2.a Implement and troubleshoot end to end QoS
5.2.a (i) CoS and DSCP mapping
5.2.b Implement, optimize and troubleshoot QoS using MQC
5.2.b (i) Classification
5.2.b (ii) Network based application recognition (NBAR)
5.2.b (iii) Marking using IP precedence, DSCP, CoS, ECN
5.2.b (iv) Policing, shaping
5.2.b (v) Congestion management (queuing)
5.2.b (vi) HQoS, sub-rate ethernet link
5.2.b (vii) Congestion avoidance (WRED)
5.3 Network services
5.3.a Implement and troubleshoot first-hop redundancy protocols
5.3.a (i) HSRP, GLBP, VRRP
5.3.a (ii) Redundancy using IPv6 RS/RA
5.3.b Implement and troubleshoot network time protocol
5.3.b (i) NTP master, client, version 3, version 4
5.3.b (ii) NTP authentication
5.3.c Implement and troubleshoot IPv4 and IPv6 DHCP
5.3.c (i) DHCP client, IOS DHCP server, DHCP relay
5.3.c (ii) DHCP options
5.3.c (iii) DHCP protocol operations
5.3.c (iv) SLAAC/DHCPv6 interaction
5.3.c (v) Stateful, stateless DHCPv6
5.3.c (vi) DHCPv6 prefix delegation
5.3.d Implement and troubleshoot IPv4 network address translation
5.3.d (i) Static NAT, dynamic NAT, policy-based NAT, PAT
5.3.d (ii) NAT ALG
5.4 Network optimization
5.4.a Implement and troubleshoot IP SLA
5.4.a (i) ICMP, UDP, jitter, VoIP
5.4.b Implement and troubleshoot tracking object
5.4.b (i) Tracking object, tracking list
5.4.b (ii) Tracking different entities (e.g. interfaces, routes, IPSLA, and such)
5.4.c Implement and troubleshoot netflow
5.4.c (i) Netflow v5, v9
5.4.c (ii) Local retrieval
5.4.c (iii) Export (configuration only)
5.4.d Implement and troubleshoot embedded event manager
5.4.d (i) EEM policy using applet
5.5 Troubleshooting infrastructure services
5.5.a Use IOS troubleshooting tools
5.5.a (i) debug, conditional debug
5.5.a (ii) ping, traceroute with extended options
5.5.a (iii) Embedded packet capture
5.5.b Apply troubleshooting methodologies
5.5.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)
5.5.b (ii) Design and implement valid solutions according to constraints
5.5.b (iii) Verify and monitor resolution
5.5.c Interpret packet capture
5.5.c (i) Using wireshark trace analyzer
5.5.c (ii) Using IOS embedded packet capture

Thanks….

 

Problem uploading a Thawte-issued certificate on the Cisco WLC: certificate not properly chained.

Recently I came across a couple of scenarios where the Cisco WLC would not accept a web-auth server certificate issued by Thawte (a well-known CA). This is because later versions of the Cisco WLC (I believe 7.6 and above) require a properly chained certificate before you can upload it on the WLC. If you debug further on the WLC you will see the following error logs, which clearly point to a problem with the issuer certificate:

*TransferTask: Feb 12 12:26:05.987: Adding cert (7728 bytes) with certificate key password.
*TransferTask: Feb 12 12:26:06.015: sshpmCheckWebauthCert: Verification return code: 0
*TransferTask: Feb 12 12:26:06.015: Verification result text: unable to get issuer certificate
*TransferTask: Feb 12 12:26:06.015: Error at 2 depth: unable to get issuer certificate
*TransferTask: Feb 12 12:26:06.027: sshpmAddWebauthCert: Error decoding certificate, Deleting it.
*TransferTask: Feb 12 12:26:06.027: RESULT_STRING: Error installing certificate.
*TransferTask: Feb 12 12:26:06.027: RESULT_CODE:12
*TransferTask: Feb 12 12:26:06.027: Memory overcommit policy restored from 1 to 0
*emWeb: Feb 12 12:26:07.041: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*emWeb: Feb 12 12:26:07.041: sshpmGetIdCertIndex: found match in row 4
*emWeb: Feb 12 12:26:07.041: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Feb 12 12:26:07.041: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

When you open the cert it does not appear to have any problem and the cert looks perfect. Your OS will also not flag it as invalid, because your laptop already has the Root and Intermediate certificates installed; even if the cert is not correctly chained, the OS marks it as valid, unlike the WLC.

 

Following is the mmc snapshot of the known Trusted CA on my laptop.

Now let's look at where the problem is:
==================================
Once you open the certificate in a text editor you will see the following format:

Server Cert >>> Intermediate Cert >>> Root Cert (Generally the Root Cert should validate itself, i.e. the Root Cert is the Root CA issuing itself a cert, as below, where the issuer and the subject are the same.)

The certificate looks something like this (for security I have not shown the entire certificate):

Bag Attributes
localKeyID: 3B DB 85 15 63 AF CA B7 57 27 4E A3 E5 0B 84 32 1D AC 06 18
subject=/C=XX/ST=XX/L=Sydney/O=XX/OU=XX/CN=XY.com.au
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2

-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgIQF//T50TPBQL4+/7Iqh7dsTANBgkqhkiG9w0BAQsFADBB
----------------Snipping------------------------------------
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMRswGQYDVQQDExJ0
-----END CERTIFICATE-----

Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

-----BEGIN CERTIFICATE-----
MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB
---------------------Snipping-------------------------------------
sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq
YBLqJop4
-----END CERTIFICATE-----

Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

-----BEGIN CERTIFICATE-----
MIIERTCCA66gAwIBAgIQM2VQCHmtc+IwueAdDX+skTANBgkqhkiG9w0BAQUFADCB
------------------------Snipping------------------------------------
95OBBaqStB+3msAHF/XLxrRMDtdW3HEgdDjWdMbWj2uvi42gbCkLYeA=
-----END CERTIFICATE-----

So if we go through the file we see the certificate issued to XY.com.au by thawte SSL CA - G2 (the Intermediate CA).

Down the chain we see the Intermediate CA cert, issued to thawte SSL CA - G2 by thawte Primary Root CA (which can be a Root or another Intermediate CA).

Further down the chain we see thawte Primary Root CA being issued a cert by Thawte Premium Server CA, and there is no other cert following this.

So the problem here is that thawte Primary Root CA can be either a Root CA or an Intermediate CA. If it is a Root CA, the last cert in the chain should have been for thawte Primary Root CA issued by thawte Primary Root CA itself.

If it is an Intermediate CA, there should have been another cert down the chain, issued to Thawte Premium Server CA by itself, it being the Root.

In this scenario the WLC is looking for the Root Cert, which is not there in the chain, and thus marks the certificate as invalid.

How to fix this:
==============

Thawte provides the Root CA and Intermediate CA certs on its website, from where you can download the missing cert easily.

https://www.thawte.com/roots/index.html

So the fix would be either to make thawte Primary Root CA the Root CA: download its cert file from the Thawte website and replace the last cert in the chain, so that we have the cert for thawte Primary Root CA issued by thawte Primary Root CA.

Or, keep the same chain and download the Root CA cert for Thawte Premium Server CA and add it at the end of the chain so that the certificate chain is complete.
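To catch exactly this problem before uploading a bundle, here is an added Python script (my own example, not Cisco's or Thawte's code) that parses the Bag Attributes/PEM layout shown above and checks that each cert's issuer is the subject of the next cert and that the chain ends in a self-signed root. The subject and issuer lines are the ones from this post; the certificate bodies are constructed placeholders, because the script only checks the chain linkage by name and does not verify signatures.

```python
# Added example: check that a PEM bundle in the layout shown above is a complete,
# ordered chain (leaf -> intermediate(s) -> self-signed root) by comparing the
# subject= and issuer= lines. Signatures are NOT verified here; use
# `openssl verify -CAfile <root> -untrusted <intermediates> <leaf>` for that.

# Subject/issuer lines as printed in this post; certificate bodies are constructed
# placeholders, not real certificates.
BUNDLE_FROM_POST = """\
Bag Attributes
    localKeyID: 3B DB 85 15 63 AF CA B7 57 27 4E A3 E5 0B 84 32 1D AC 06 18
subject=/C=XX/ST=XX/L=Sydney/O=XX/OU=XX/CN=XY.com.au
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT-BODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERT-BODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PRIMARY-ROOT-CERT-BODY
-----END CERTIFICATE-----
"""

# Constructed entry for the missing self-signed root (the second fix described above).
ROOT_ENTRY = """\
Bag Attributes: <No Attributes>
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CERT-BODY
-----END CERTIFICATE-----
"""


def parse_bundle(text):
    """Return the certs in file order as dicts with 'subject', 'issuer' and 'pem'."""
    certs, current, pem = [], {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if pem is not None:                      # inside a PEM block
            pem.append(stripped)
            if stripped == "-----END CERTIFICATE-----":
                if "subject" not in current or "issuer" not in current:
                    raise ValueError("certificate without subject=/issuer= lines")
                current["pem"] = "\n".join(pem)
                certs.append(current)
                current, pem = {}, None
        elif stripped.startswith("subject="):
            current["subject"] = stripped[len("subject="):].strip()
        elif stripped.startswith("issuer="):
            current["issuer"] = stripped[len("issuer="):].strip()
        elif stripped == "-----BEGIN CERTIFICATE-----":
            pem = [stripped]
    if pem is not None:
        raise ValueError("unterminated PEM block")
    return certs


def check_chain(certs):
    """Describe what is wrong with the chain order; an empty list means it is complete."""
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i} ({certs[i]['subject']}) was issued by "
                            f"{certs[i]['issuer']}, but cert {i + 1} is {certs[i + 1]['subject']}")
    last = certs[-1]
    if last["subject"] != last["issuer"]:
        problems.append("chain does not end in a self-signed root: last cert "
                        f"{last['subject']} was issued by {last['issuer']}, which is missing")
    return problems


if __name__ == "__main__":
    for label, bundle in (("as uploaded", BUNDLE_FROM_POST), ("with root appended", BUNDLE_FROM_POST + ROOT_ENTRY)):
        print(label + ":", check_chain(parse_bundle(bundle)) or ["chain complete"])
```

The comparison is a plain string match on the one-line DN text, so it only works when both lines come from the same tool (here OpenSSL's output); it tells you which cert is missing or out of order, and `openssl verify` then confirms the signatures.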

Once the chain is complete, please follow the Cisco document to combine the cert with the private key and get the final cert.

Please refer to the previous posts on certs:

http://rameshkumarroy.com/creating-chained-certificate-fro/

Hope this was helpful.

 

DHCP Fingerprinting

DHCP Fingerprinting is a method of detecting the end device OS based on the DHCP exchange packets. In today's networks, where we are talking about IoE and BYOD, it is required to identify the devices in your network and mark them accordingly.

Why do we need Fingerprinting:
========================

With BYOD, personal devices are making their way into the workplace, and it is a tough job for network administrators to dynamically detect these devices, make sure they are compliant, and enforce the required policies on them. Detecting the device type/OS is also part of the play.

Due to the proliferation of BYOD (Bring Your Own Device)/mobile devices connecting mostly over the wireless network, it becomes difficult to identify and control the types of devices that can connect to the network and, once connected, to determine what access privileges they should have.

With DHCP Fingerprinting, DHCP servers or devices like IPAM controllers or wireless controllers can identify the device type, manufacturer name and OS of the clients/devices connecting to the network, categorize them into ACLs, and control which device can connect to the network and what it can do.

How it works:
===========

DHCP Fingerprinting is one of the methods that help us identify the OS on the devices based on the DHCP options.

The complete DHCP process is like this:

 

The DHCP packets contain multiple options. One of the most important options used for DHCP fingerprinting is option 55, the Parameter Request List; this option is present in the packets sent from the client end, i.e. the Discover and Request packets.

 

The option 55 Parameter Request List in the above capture is:

1,6,15,44,3,33,150 and 43

A DHCP Discover asks for DHCP options in a specific sequence. This makes DHCP Fingerprinting possible: identifying a device or OS requesting an IP address based on the DHCP options it requests.

Fingerbank has a repository of such fingerprints:

https://fingerbank.inverse.ca/

Some of the captured fingerprints in hex:

Android_device    3C64686370636420342E302E3135
Android 2.X           3c6468637063642034
Android 2.2           3701792103061c333a3b
Android 2.3.X        0c616E64726F69645F
Android 4.0.X        37012103060f1c333a3b
Android 4.0.X(2)    37012103061c333a3b
Blackberry 2          3C426C61636B4265727279
Blackberry(2)         370103060F775ffc2c2e2f
iOS Device             370103060F77FC
iPad                        37011c02030f06770c2c2f1a792a
OS X 10.6               370103060f775ffc2c2e2f
OS X 10.7               370103060f775ffc2c2e
Win Mobile            3c4d6963726f736f66742057696e646f77732043450
Win Mobile6          370103060f2c2e2f
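The following added Python example (my own code, not Fingerbank's or Aruba's) decodes the hex fingerprints listed above and matches a captured DHCP options field against them. In these fingerprints the first byte is the DHCP option number (0x37 = option 55 Parameter Request List, 0x3C = option 60 Vendor Class Identifier, 0x0C = option 12 Host Name) and the remaining bytes are that option's raw value. The DHCPDISCOVER option fields it is run on are constructed; one of them carries the 1,6,15,44,3,33,150,43 list from the capture above.

```python
# Added example: decode the hex fingerprints listed above and match a captured
# DHCP options field against them. First byte = DHCP option number, rest = value.

# Fingerprints quoted from the list above (names and hex exactly as printed there).
FINGERPRINTS = [
    ("Android_device", "3C64686370636420342E302E3135"),
    ("Android 2.X", "3c6468637063642034"),
    ("Android 2.2", "3701792103061c333a3b"),
    ("Android 2.3.X", "0c616E64726F69645F"),
    ("Android 4.0.X", "37012103060f1c333a3b"),
    ("Android 4.0.X(2)", "37012103061c333a3b"),
    ("Blackberry 2", "3C426C61636B4265727279"),
    ("Blackberry(2)", "370103060F775ffc2c2e2f"),
    ("iOS Device", "370103060F77FC"),
    ("iPad", "37011c02030f06770c2c2f1a792a"),
    ("OS X 10.6", "370103060f775ffc2c2e2f"),
    ("OS X 10.7", "370103060f775ffc2c2e"),
    ("Win Mobile", "3c4d6963726f736f66742057696e646f77732043450"),  # odd length as printed
    ("Win Mobile6", "370103060f2c2e2f"),
]


def decode_fingerprint(hexstr):
    """Return (option number, decoded value). Raises ValueError for a truncated
    fingerprint, such as the odd-length Win Mobile entry above."""
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits: fingerprint is truncated")
    raw = bytes.fromhex(hexstr)
    code, value = raw[0], raw[1:]
    if code == 55:
        return code, list(value)                   # requested option numbers, in order
    if code in (12, 60):
        return code, value.decode("ascii", errors="replace")
    return code, value.hex()


def parse_options(field):
    """Parse a DHCP options field (the bytes after the magic cookie) into
    {option number: raw value}, honouring pad (0) and end (255)."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = bytes(value)
        i += 2 + length
    return options


def match_device(options):
    """Names of every fingerprint whose option value equals the captured one.
    Several names can share the same bytes, so the result is a list."""
    matches = []
    for name, hexstr in FINGERPRINTS:
        if len(hexstr) % 2:
            continue                               # skip truncated database entries
        raw = bytes.fromhex(hexstr)
        if options.get(raw[0]) == raw[1:]:
            matches.append(name)
    return matches


# Constructed DHCPDISCOVER option fields: message type (53), option 55, end (255).
DISCOVER_IOS = bytes([53, 1, 1, 55, 6, 1, 3, 6, 15, 119, 252, 255])
DISCOVER_FROM_CAPTURE = bytes([53, 1, 1, 55, 8, 1, 6, 15, 44, 3, 33, 150, 43, 255])
DISCOVER_AMBIGUOUS = bytes([53, 1, 1, 55, 10, 1, 3, 6, 15, 119, 95, 252, 44, 46, 47, 255])

if __name__ == "__main__":
    for name, hexstr in FINGERPRINTS:
        try:
            print(f"{name:18s} -> option {decode_fingerprint(hexstr)}")
        except ValueError as err:
            print(f"{name:18s} -> {err}")
    for label, field in (("iOS", DISCOVER_IOS), ("capture above", DISCOVER_FROM_CAPTURE),
                         ("ambiguous", DISCOVER_AMBIGUOUS)):
        print(label, "matches:", match_device(parse_options(field)))
```

Two things the run makes visible: the 1,6,15,44,3,33,150,43 list from the capture matches none of the entries above, and the Blackberry(2) and OS X 10.6 entries are byte-for-byte identical, so an option 55 match alone can be ambiguous and is a classification hint, not an identity.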

Aruba implementation of DHCP Fingerprinting:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/COTD-DHCP-Fingerprinting-how-to-ArubaOS-6-0-1-0-and-above/td-p/11164

http://community.arubanetworks.com/t5/Controller-less-WLANs/DHCP-FINGERPRINTING-WITH-Aruba-Instant/ta-p/183272

Hope this was informative.

 

Understanding Browser’s user-agent

So basically the user-agent string is something that identifies your browser and provides certain system details to the servers hosting the web pages you visit. When you visit a web page, the browser sends the user-agent string to the server hosting that page. This string indicates which browser is being used, its version number, and details about your system, such as the operating system and version. The web server can use this information to provide content tailored for your specific browser. You can see the user-agent in a Wireshark capture when your machine sends out the GET request, or on the browser itself.

You can also check the user-agent on the browser itself. Let's see how:

Chrome:
=========

Type chrome://version in the address bar.

FireFox:
==========

Type about: in the address bar.

Internet Explorer:
=============

—————————
Message from webpage
—————————
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
—————————
OK
—————————

Type javascript:alert(navigator.userAgent) in the address bar; the user-agent string will show up in a dialog box. You can press CTRL+C to copy it.

While user agent sniffing might be considered a horrible practice on the client side, sniffing the user agent is done quite a bit on the server side to serve up the appropriate version of a site, or to redirect to, for example, the mobile version of the site. This can be a dangerous road, but most large sites with a separate mobile interface do it.

 

The following is the user agent for Firefox on a mobile device:
 Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0

 

History of User Agent:
==================
I came across this blog which talks about the history of User-Agent.

In the beginning there was NCSA Mosaic, and Mosaic called itself NCSA_Mosaic/2.0 (Windows 3.1), and Mosaic displayed pictures along with text, and there was much rejoicing. And behold, then came a new web browser known as “Mozilla”, being short for “Mosaic Killer,” but Mosaic was not amused, so the public name was changed to Netscape, and Netscape called itself Mozilla/1.0 (Win3.1), and there was more rejoicing. And Netscape supported frames, and frames became popular among the people, but Mosaic did not support frames, and so came “user agent sniffing” and to “Mozilla” webmasters sent frames, but to other browsers they sent not frames.

 

And Netscape said, let us make fun of Microsoft and refer to Windows as “poorly debugged device drivers,” and Microsoft was angry. And so Microsoft made their own web browser, which they called Internet Explorer, hoping for it to be a “Netscape Killer”. And Internet Explorer supported frames, and yet was not Mozilla, and so was not given frames. And Microsoft grew impatient, and did not wish to wait for webmasters to learn of IE and begin to send it frames, and so Internet Explorer declared that it was “Mozilla compatible” and began to impersonate Netscape, and called itself Mozilla/1.22 (compatible; MSIE 2.0; Windows 95), and Internet Explorer received frames, and all of Microsoft was happy, but webmasters were confused. And Microsoft sold IE with Windows, and made it better than Netscape, and the first browser war raged upon the face of the land. And behold, Netscape was killed, and there was much rejoicing at Microsoft. But Netscape was reborn as Mozilla, and Mozilla built Gecko, and called itself Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826, and Gecko was the rendering engine, and Gecko was good. And Mozilla became Firefox, and called itself Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.7.5) Gecko/20041108 Firefox/1.0, and Firefox was very good. And Gecko began to multiply, and other browsers were born that used its code, and they called themselves Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040825 Camino/0.8.1 the one, and Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.8) Gecko/20071008 SeaMonkey/1.0 another, each pretending to be Mozilla, and all of them powered by Gecko.

 

And Gecko was good, and IE was not, and sniffing was reborn, and Gecko was given good web code, and other browsers were not. And the followers of Linux were much sorrowed, because they had built Konqueror, whose engine was KHTML, which they thought was as good as Gecko, but it was not Gecko, and so was not given the good pages, and so Konquerer began to pretend to be “like Gecko” to get the good pages, and called itself Mozilla/5.0 (compatible; Konqueror/3.2; FreeBSD) (KHTML, like Gecko) and there was much confusion. Then cometh Opera and said, “surely we should allow our users to decide which browser we should impersonate,” and so Opera created a menu item, and Opera called itself Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.51, or Mozilla/5.0 (Windows NT 6.0; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.51, or Opera/9.51 (Windows NT 5.1; U; en) depending on which option the user selected.

 

And Apple built Safari, and used KHTML, but added many features, and forked the project, and called it WebKit, but wanted pages written for KHTML, and so Safari called itself Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85.5, and it got worse.

 

And Microsoft feared Firefox greatly, and Internet Explorer returned, and called itself Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) and it rendered good code, but only if webmasters commanded it to do so. And then Google built Chrome, and Chrome used Webkit, and it was like Safari, and wanted pages built for Safari, and so pretended to be Safari. And thus Chrome used WebKit, and pretended to be Safari, and WebKit pretended to be KHTML, and KHTML pretended to be Gecko, and all browsers pretended to be Mozilla, and Chrome called itself Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13, and the user agent string was a complete mess, and near useless, and everyone pretended to be everyone else, and confusion abounded.
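The history above is the reason server-side sniffing has to test tokens in a particular order: Chrome carries "Safari/", Safari carries "KHTML, like Gecko", Opera may carry "MSIE" or "Firefox/", and nearly everything starts with "Mozilla/". The following added Python example (my own code, not from the blog quoted above or from any browser vendor) tokenizes a User-Agent value into RFC 7231 product and comment tokens and classifies it by checking the most specific token first; it is exercised on the strings quoted in this post. The 512-character cap is an assumption of this example.

```python
import re

# Added example. Rules are ordered most-specific first because every newer
# browser in the history above copied the tokens of the ones before it.
_RULES = [
    ("Opera",               re.compile(r"\bOpera[/ ](\d[\w.]*)")),
    ("Chrome",              re.compile(r"\bChrome/(\d[\w.]*)")),
    ("Safari",              re.compile(r"\bSafari/(\d[\w.]*)")),
    ("Konqueror",           re.compile(r"\bKonqueror/(\d[\w.]*)")),
    ("Firefox",             re.compile(r"\bFirefox/(\d[\w.]*)")),
    ("Camino",              re.compile(r"\bCamino/(\d[\w.]*)")),
    ("SeaMonkey",           re.compile(r"\bSeaMonkey/(\d[\w.]*)")),
    ("Internet Explorer",   re.compile(r"\bMSIE (\d[\w.]*)")),
    ("Internet Explorer",   re.compile(r"\bTrident/[\d.]+.*\brv:(\d[\w.]*)")),  # IE 11 dropped "MSIE"
    ("Mozilla suite/Gecko", re.compile(r"\bGecko/(\d[\w.]*)")),
    ("Mozilla (generic)",   re.compile(r"\bMozilla/(\d[\w.]*)")),
]

MAX_UA_LENGTH = 512   # assumed cap for this example; the header is free text from the client


def sanitize(ua):
    """The header is client-controlled text: drop control characters and cap the
    length before it reaches a log line or a template."""
    return "".join(ch for ch in ua if ch.isprintable())[:MAX_UA_LENGTH]


def tokenize(ua):
    """Split a User-Agent value into ('product', name, version) and
    ('comment', text) tokens, following the product/comment grammar of
    RFC 7231 section 5.5.3."""
    tokens, i, n = [], 0, len(ua)
    while i < n:
        if ua[i].isspace():
            i += 1
        elif ua[i] == "(":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += (ua[j] == "(") - (ua[j] == ")")
                j += 1
            end = j - 1 if depth == 0 else j      # tolerate an unclosed comment
            tokens.append(("comment", ua[i + 1:end].strip()))
            i = j
        else:
            j = i
            while j < n and not ua[j].isspace() and ua[j] != "(":
                j += 1
            name, _, version = ua[i:j].partition("/")
            tokens.append(("product", name, version or None))
            i = j
    return tokens


def classify(ua):
    """Return (family, version) for the browser most likely behind the string.
    The value is self-reported, so treat it as a hint for content negotiation,
    never as an identity or a security decision."""
    ua = sanitize(ua)
    for family, pattern in _RULES:
        match = pattern.search(ua)
        if match:
            return family, match.group(1)
    return "unknown", None


# User-Agent strings quoted in this post.
SAMPLES = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; rv:11.0) like Gecko",
    "Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0",
    "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
    "Mozilla/5.0 (compatible; Konqueror/3.2; FreeBSD) (KHTML, like Gecko)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.51",
    "Mozilla/5.0 (Windows NT 6.0; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.51",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85.5",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13",
    "NCSA_Mosaic/2.0 (Windows 3.1)",
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(classify(ua), "<-", ua)
```

Reversing the order of the Chrome and Safari rules, or of Opera and Firefox, is exactly the mistake that made old sites serve Chrome the Safari page, which is why each rule is placed after every browser that later impersonated it.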


Hope this was informative.

CIMC Secure Page not opening in Firefox while it works in Chrome and IE.

While working on my UCS box I came across a problem where the CIMC GUI page would not load in my Firefox browser while it worked fine in Chrome and IE. Doing some searching I found that this has already been reported by Cisco under Bug # CSCun04933.

Symptom:
============
The following error is observed while trying to access the CIMC web page:

SSL received a malformed Server Key Exchange handshake message. (Error code: ssl_error_rx_malformed_server_key_exch)

Conditions:
=========
When accessing CIMC web page with Firefox web browser version 27.0 and above.

Workaround:
===========
Change the max TLS version in Firefox.

1) Go to about:config
2) Search for ‘tls’
3) Change ‘3’ to ‘2’
4) Restart Firefox

The workaround worked for my issue, seen on my Firefox version 35.0.1.

Double click on the Preference Name to change the value. Note that this preference is browser-wide: it lowers the maximum TLS version Firefox will negotiate with every site, not just the CIMC, so revert it once it is no longer needed.

Hope this was helpful.

IPERF to measure throughput

Iperf is a handy tool to measure the bandwidth and the quality of a network link. It is a commonly used network testing tool that can create Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) data streams and measure the throughput of the network carrying them. Iperf allows the user to vary various parameters for testing the network, or alternatively for optimizing and tuning it. Iperf has client and server functionality and can measure the throughput between the two ends, either unidirectionally or bidirectionally.

Iperf can be installed very easily on any Linux or Microsoft Windows system; one host is configured as the client, the other as the server.

Setup required for running the iperf test:

1. Download the iperf setup, you can download it from: https://iperf.fr/
2. Copy the setup file on the two hosts you would be using to perform the test.
3. Set one host in the server mode and the other in the client mode with the following syntax:

To set the host in server mode use the command: iperf -s

C:\IOS\Images\iperf-2.0.5-2-win32>iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------

To run the other host in client mode use the command: iperf -c <server ip address>

C:\IOS\Images\iperf-2.0.5-2-win32>iperf -c 192.168.1.5      // Where 192.168.1.5 is the server IP address.

The other parameters available in iperf are:

C:\IOS\Images\iperf-2.0.5-2-win32>iperf --help

Usage: iperf [-s|-c host] [options]
       iperf [-h|--help] [-v|--version]
Client/Server:
  -f, --format    [kmKM]   format to report: Kbits, Mbits, KBytes, MBytes
  -i, --interval  #        seconds between periodic bandwidth reports
  -l, --len       #[KM]    length of buffer to read or write (default 8 KB)
  -m, --print_mss          print TCP maximum segment size (MTU - TCP/IP header)
  -o, --output    <filename> output the report or error message to this specified file
  -p, --port      #        server port to listen on/connect to
  -u, --udp                use UDP rather than TCP
  -w, --window    #[KM]    TCP window size (socket buffer size)
  -B, --bind      <host>   bind to <host>, an interface or multicast address
  -C, --compatibility      for use with older versions does not sent extra msgs
  -M, --mss       #        set TCP maximum segment size (MTU - 40 bytes)
  -N, --nodelay            set TCP no delay, disabling Nagle's Algorithm
  -V, --IPv6Version        Set the domain to IPv6

Server specific:
  -s, --server             run in server mode
  -U, --single_udp         run in single threaded UDP mode
  -D, --daemon             run the server as a daemon

Client specific:
  -b, --bandwidth #[KM]    for UDP, bandwidth to send at in bits/sec
                           (default 1 Mbit/sec, implies -u)
  -c, --client    <host>   run in client mode, connecting to <host>
  -d, --dualtest           Do a bidirectional test simultaneously
  -n, --num       #[KM]    number of bytes to transmit (instead of -t)
  -r, --tradeoff           Do a bidirectional test individually
  -t, --time      #        time in seconds to transmit for (default 10 secs)
  -F, --fileinput <name>   input the data to be transmitted from a file
  -I, --stdin              input the data to be transmitted from stdin
  -L, --listenport #       port to receive bidirectional tests back on
  -P, --parallel  #        number of parallel client threads to run
  -T, --ttl       #        time-to-live, for multicast (default 1)
  -Z, --linux-congestion <algo>  set TCP congestion control algorithm (Linux only)

Miscellaneous:
  -x, --reportexclude [CDMSV]   exclude C(connection) D(data) M(multicast) S(settings) V(server) reports
  -y, --reportstyle C      report as a Comma-Separated Values
  -h, --help               print this message and quit
  -v, --version            print version information and quit

[KM] Indicates options that support a K or M suffix for kilo- or mega-

The TCP window size option can be set by the environment variable TCP_WINDOW_SIZE. Most other options can be set by an environment variable
IPERF_<long option name>, such as IPERF_BANDWIDTH.
Report bugs to <iperf-users@lists.sourceforge.net>
C:\IOS\Images\iperf-2.0.5-2-win32>

 

Server side:
=========

 

#iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[852] local 10.1.1.1 port 5001 connected with 10.6.2.5 port 33453
[ ID]   Interval          Transfer       Bandwidth
[852]   0.0-10.6 sec   1.26 MBytes   1.03 Mbits/sec

 

Client side:
=========
#iperf -c 10.1.1.1
------------------------------------------------------------
Client connecting to 10.1.1.1, TCP port 5001
TCP window size: 16384 Byte (default)
------------------------------------------------------------
[ 3] local 10.6.2.5 port 33453 connected with 10.1.1.1 port 5001
[ 3]   0.0-10.2 sec   1.26 MBytes   1.05 Mbits/sec

 

Another example:
Use the syntax with some additional parameters: iperf.exe -c <IP address of the server> -P 10 -w 1000k (-P refers to the number of parallel TCP streams and -w refers to the TCP window size).
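To show what iperf's client/server model actually measures, here is an added Python example (my own code, not iperf's) that runs a minimal TCP sender and receiver on the loopback interface for a fixed time, counts bytes on both ends and reports them in iperf's Mbits/sec unit, the way the two reports above pair up. Loopback numbers say nothing about a real link; the sender and receiver have to sit on the two hosts whose path you want to measure.

```python
import socket
import threading
import time


def receive_until_closed(listener, result):
    """Server side (like `iperf -s`): accept one connection and count the bytes
    received until the client closes, recording the elapsed time."""
    conn, _ = listener.accept()
    with conn:
        total, start = 0, time.monotonic()
        while True:
            chunk = conn.recv(65536)
            if not chunk:             # EOF: the client finished its timed run
                break
            total += len(chunk)
        result["seconds"] = time.monotonic() - start
        result["bytes"] = total


def send_for(host, port, seconds, buflen=8192):
    """Client side (like `iperf -c host -t seconds -l buflen`): stream a fixed
    buffer as fast as the connection accepts it for `seconds`."""
    payload = bytes(buflen)           # zero-filled 8 KB buffer, iperf's default length
    sent, start = 0, time.monotonic()
    with socket.create_connection((host, port)) as sock:
        deadline = start + seconds
        while time.monotonic() < deadline:
            sock.sendall(payload)
            sent += len(payload)
    return {"bytes": sent, "seconds": time.monotonic() - start}


def mbits_per_sec(nbytes, seconds):
    """iperf's default report unit: decimal megabits per second."""
    return nbytes * 8 / seconds / 1e6


def throughput_test(seconds=1.0, host="127.0.0.1"):
    """Run server and client in one process over loopback and return both reports."""
    server = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((host, 0))      # port 0: let the OS choose a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=receive_until_closed, args=(listener, server))
        worker.start()
        client = send_for(host, port, seconds)
        worker.join()
    return {
        "client": client, "server": server,
        "client_mbps": mbits_per_sec(client["bytes"], client["seconds"]),
        "server_mbps": mbits_per_sec(server["bytes"], server["seconds"]),
    }


if __name__ == "__main__":
    report = throughput_test(seconds=2.0)
    for side in ("client", "server"):
        r = report[side]
        print(f"[{side}] {r['seconds']:.1f} sec  {r['bytes'] / 2**20:.2f} MBytes  "
              f"{report[side + '_mbps']:.2f} Mbits/sec")
```

The two sides never report exactly the same rate because the server's clock starts at accept and stops at EOF, while the client stops counting when its deadline passes; that is the same reason the 10.6 s / 1.03 Mbits/sec and 10.2 s / 1.05 Mbits/sec lines above differ for one transfer.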

 

Hope this was helpful.

SLAAC with Stateless DHCP

As discussed in my previous post, we can use SLAAC to auto-assign an IPv6 address based on the prefix advertised in the RA. However, with SLAAC you only get the IPv6 address and the gateway, and you still need to depend on DHCP for the DNS server, domain name and other options. This is called Stateless DHCP, as the server does not track the client MAC and IP (no DHCP binding table is formed). Please refer to the previous post on how SLAAC works and how to configure it.

http://rameshkumarroy.com/ipv6-slaac-gns3-example/

In this post we'll build upon the previous post and add Stateless DHCP to it, to provide the DNS server IP and the domain name to the host devices.

Since GNS3 VPCS was not giving me options related to DNS, I have created a loopback adapter on my laptop and will be using it to replicate a host machine, shown in the topology as a Cloud.

Please refer to my previous posts on how to create a loopback adapter and how to use it in GNS3 as a host machine.

http://rameshkumarroy.com/creating-loopback-adapter-on-windows/

http://rameshkumarroy.com/using-vpcs-in-gns3-to-replicate-hos/

Following is the Topology I am using:

I have created an IPv6 DHCP pool on R1 to provide only the DNS server IP and domain name:

R1#show running-config | sec ipv6 dhcp

ipv6 dhcp pool Stateless_DHCP
 dns-server 2000:1000::1
 domain-name Test.com
 ipv6 dhcp server Stateless_DHCP

 

I am using the above DHCP pool just for VLAN 10, and the following configuration is required on the VLAN 10 SVI:

 

interface Vlan10
 no ip address
 ipv6 address 2000:1000::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server Stateless_DHCP

 

On R2 the interface fa0/4 is mapped to VLAN 10.
R2#show runn int fa 0/4
Building configuration…
Current configuration : 60 bytes
!
interface FastEthernet0/4
 switchport access vlan 10
end

 

I had to play with Spanning Tree (the Fa0/4 port was getting into the blocked state) before the loopback adapter in my lab could get the IPv6 address and the DHCP configuration.

 

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . : Test.com
   Description . . . . . . . . . . . : Microsoft Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2000:1000::651c:9aca:97a6:3a7e(Preferred)
   Temporary IPv6 Address. . . . . . : 2000:1000::8c84:1cb9:4268:7fd0(Preferred)
   Link-local IPv6 Address . . . . . : fe80::651c:9aca:97a6:3a7e%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::ce00:29ff:feb8:0%17
   DHCPv6 IAID . . . . . . . . . . . : 503447628
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-EE-19-AD-00-21-CC-C6-CF-CF
   DNS Servers . . . . . . . . . . . : 2000:1000::1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :Test.com

 

You will also notice that once you configure the IPv6 DHCP scope on R1, it also joins some additional group addresses related to DHCPv6:

 

R1#show ipv6 interface
Vlan10 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::CE00:29FF:FEB8:0
  Global unicast address(es):
    2000:1000::1, subnet is 2000:1000::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF02::1:FFB8:0
    FF05::1:3

 

ff02::1:2 All DHCP servers and relay agents on the local network segment (defined in RFC 3315)
ff05::1:3 All DHCP servers on the local network site (defined in RFC 3315)

 

With DHCPv6 there are some very interesting new terms used in the way DHCPv6 assigns IP addresses to the client devices. DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.
In IPv4 you had the concept of a client identifier, which was the physical MAC address of the client device requesting DHCP; with IPv6 we have something called a host identifier, named DUID, and a set of interface identifiers. The RFC defines a DUID this way:
A DHCP Unique IDentifier for a DHCP participant; each DHCP client and server has exactly one DUID.
Also each interface has an ID, called IAID (Identity Association Identifier, per RFC 3315), which is a binding between the interface and one or several IP addresses. Each allocation in the DHCPv6 server is identified by a DUID and an IAID.
If you look at the IPv6 details from the host machine in the above topology, it also has a DUID and IAID:

   DHCPv6 IAID . . . . . . . . . . . : 503447628
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-EE-19-AD-00-21-CC-C6-CF-CF

You can check the DUID on the router using the command: show ipv6 dhcp.

R1#show ipv6 dhcp
This device’s DHCPv6 unique identifier(DUID): 00030001CC0029B8F000

At the moment there are three types of DUID defined:
1) Link-layer address plus time (DUID-LLT)
2) Vendor-assigned unique ID based on Enterprise Number
3) Link-layer address (DUID-LL)

 

Cisco uses a structure based on DUID-LLT (link-layer address plus time). The device uses the MAC address from the lowest-numbered interface to form the DUID.
The DUID-LLT type consists of:
• A two-octet type field containing the value 1
• A two-octet hardware type code. The hardware type MUST be a valid hardware type assigned by the IANA, as described in RFC 826. Ethernet uses hardware type 1, and the 48-bit MAC address of the device is the link-layer address.
• Four octets containing a time value
• The link-layer address of any one network interface that is connected to the DHCP device at the time the DUID is generated. The time value is the time that the DUID is generated, represented in seconds since midnight (UTC), January 1, 2000, modulo 2^32.
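Here is an added Python example (my own code, not Cisco's or Microsoft's) that decodes a DUID along the RFC 3315 layouts just listed, run on the two identifiers shown in this post: the Windows host's DUID from the ipconfig output and R1's DUID from `show ipv6 dhcp`. Decoding is a useful check on what a device actually sends: the host's value starts with type 1 and carries the four-octet timestamp (DUID-LLT), while R1's value 00030001CC0029B8F000 starts with type 3 and has no time field (DUID-LL), so its only variable part is the MAC address.

```python
from datetime import datetime, timedelta, timezone

# Added example: decode DHCPv6 DUIDs per RFC 3315 section 9.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL"}
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time base

HOST_DUID = "00-01-00-01-17-EE-19-AD-00-21-CC-C6-CF-CF"   # Windows host, from ipconfig above
ROUTER_DUID = "00030001CC0029B8F000"                       # R1, from `show ipv6 dhcp` above


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_duid(text):
    """Decode a DUID written as hex digits, with or without '-' or ':' separators."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID needs at least a two-octet type field")
    duid_type = int.from_bytes(raw[:2], "big")
    info = {"type": duid_type, "type_name": DUID_TYPES.get(duid_type, "unknown")}
    if duid_type == 1:        # LLT: type(2) hw-type(2) time(4) link-layer address
        if len(raw) < 9:
            raise ValueError("DUID-LLT too short")
        info["hardware_type"] = int.from_bytes(raw[2:4], "big")
        seconds = int.from_bytes(raw[4:8], "big")   # since 2000-01-01 00:00 UTC, mod 2^32
        info["time"] = DUID_EPOCH + timedelta(seconds=seconds)
        info["link_layer_address"] = _mac(raw[8:])
    elif duid_type == 2:      # EN: type(2) enterprise number(4) identifier
        if len(raw) < 7:
            raise ValueError("DUID-EN too short")
        info["enterprise_number"] = int.from_bytes(raw[2:6], "big")
        info["identifier"] = raw[6:].hex()
    elif duid_type == 3:      # LL: type(2) hw-type(2) link-layer address
        if len(raw) < 5:
            raise ValueError("DUID-LL too short")
        info["hardware_type"] = int.from_bytes(raw[2:4], "big")
        info["link_layer_address"] = _mac(raw[4:])
    return info


def describe(text):
    """One-line summary, e.g. for a DHCPv6 server log or an asset inventory."""
    info = decode_duid(text)
    parts = [info["type_name"]]
    if "hardware_type" in info:
        parts.append(f"hw={info['hardware_type']}")
    if "time" in info:
        parts.append("generated=" + info["time"].strftime("%Y-%m-%d %H:%M:%S UTC"))
    if "link_layer_address" in info:
        parts.append("mac=" + info["link_layer_address"])
    if "enterprise_number" in info:
        parts.append(f"enterprise={info['enterprise_number']} id={info['identifier']}")
    return " ".join(parts)


if __name__ == "__main__":
    print("host  :", describe(HOST_DUID))
    print("router:", describe(ROUTER_DUID))
```

Because a DUID-LLT embeds the MAC of whichever interface existed when it was first generated plus that moment in time, it stays the same after the NIC is replaced; that is also why the timestamp in the host's DUID is the original install date rather than anything recent.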

 

Let's follow the Wireshark capture collected on the PC.

1. R1 sends out an RA in packet 313.
2. The host sends out a Multicast Listener Report to the IP destination address FF02::16, to which all MLDv2-capable multicast routers listen.


Here, once the host machine has got an RA, it has assigned itself an IP address: 2000:1000::8c84:1cb9:4268:7fd0, and as we know, once the device gets a link-local address or a global IPv6 address it also makes itself a member of the related solicited-node multicast group (for both its link-local and global address). Here the host machine is sending out the multicast listener report indicating its interest in the solicited-node multicast address associated with its global IPv6 address.

 

The solicited-node multicast address is generated by appending the last 24 bits of the link-local/global IPv6 address to the prefix ff02::1:ff00:0/104.

 

Solicited-node multicast addresses are used in the Neighbor Discovery Protocol for obtaining the layer 2 link-layer addresses of other nodes. For our host the solicited-node multicast address becomes:

 

ff02::1:ff00:0/104 + 68:7fd0 = ff02::1:ff68:7fd0
Please refer to the Wiki page:
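The derivation above, as an added Python example (my own code, not from Wikipedia or Cisco): it computes the solicited-node group for any unicast address with the standard library's ipaddress module and then audits R1's joined-group list from the `show ipv6 interface` output earlier in this post against what its two addresses and its roles (router, DHCPv6 server) imply. The role flags are assumptions of this example, not router configuration.

```python
import ipaddress

# Added example: solicited-node multicast addresses and a joined-group audit.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0")   # /104

# R1's addresses and joined groups from the `show ipv6 interface` output above.
R1_ADDRESSES = ["fe80::ce00:29ff:feb8:0", "2000:1000::1"]
R1_JOINED = ["FF02::1", "FF02::2", "FF02::1:2", "FF02::1:FF00:1", "FF02::1:FFB8:0", "FF05::1:3"]


def solicited_node(address):
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX) | low24)


def expected_groups(addresses, router=False, dhcpv6_server=False):
    """Groups an interface should have joined for its addresses and roles."""
    groups = {ipaddress.IPv6Address("ff02::1")}           # all-nodes
    if router:
        groups.add(ipaddress.IPv6Address("ff02::2"))       # all-routers
    if dhcpv6_server:
        groups.add(ipaddress.IPv6Address("ff02::1:2"))     # all DHCP servers and relays (link)
        groups.add(ipaddress.IPv6Address("ff05::1:3"))     # all DHCP servers (site)
    groups.update(solicited_node(a) for a in addresses)
    return groups


def audit_groups(addresses, joined, router=False, dhcpv6_server=False):
    """Return (missing, unexpected) joined groups relative to the addresses and roles."""
    joined_set = {ipaddress.IPv6Address(g) for g in joined}
    expected = expected_groups(addresses, router, dhcpv6_server)
    return sorted(expected - joined_set, key=int), sorted(joined_set - expected, key=int)


if __name__ == "__main__":
    for addr in ["2000:1000::8c84:1cb9:4268:7fd0"] + R1_ADDRESSES:
        print(f"{addr:34s} -> {solicited_node(addr)}")
    missing, extra = audit_groups(R1_ADDRESSES, R1_JOINED, router=True, dhcpv6_server=True)
    print("missing:", [str(g) for g in missing], "unexpected:", [str(g) for g in extra])
```

Running the audit without the dhcpv6_server flag reports FF02::1:2 and FF05::1:3 as unexpected, which is the observation made above: those two groups appear only because the DHCPv6 pool was bound to the interface.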


3. The host machine sends out a neighbor solicitation to the router at its solicited-node multicast address. Nodes send neighbor solicitations to request the link-layer address of a target node while also providing their own link-layer address to the target.

 

4. The router sends neighbor advertisements in response to neighbor solicitations, and sends unsolicited neighbor advertisements in order to propagate new information quickly.

 

5. The host sends out a DHCP Information-Request to the all-DHCP-servers address ff02::1:2.

 

6. The server sends a reply to the host device's link-local address:

Hope this was helpful 🙂