CCIE Studysheet
Foreword
Access Lists
Standard Access Lists
Extended Access Lists
Named Access Lists
Reflexive Access Lists
Aliases
ATM
ATM PVCs – Point-to-Point
ATM PVCs – Multipoint
ATM SVCs
ATM – ARP Server (Classical IP)
Bridging
Global
Interface
Bridging – IRB
Global
Interface
Bridging – CRB
Global
Interface
CET – Cisco Encryption Technology
Dial
Basic Configuration
Dialer Strings
Dialer Maps
Dialer Profiles
Callback
Floating Static Routes
Dial Watch
Snapshot routing
DLSW
Global
Interface
Firewalls
Context Based Access Control (CBAC)
Reflexive Access Lists
Lock and Key Access
Frame Relay
Frame-Relay Switching
Frame-Relay
Frame-Relay Traffic Shaping
HSRP
ISAKMP
IPSEC
IPX
Filtering
RIP and SAP
NLSP
NLSP Route Aggregation
Local Area Mobility
Multicast
IGMP
CGMP
PIM
Network Address Translation (NAT)
Outgoing
Incoming
NTP
Password Recovery
2500/4000
2600/3600/4500
Catalyst 1200 and 5000
Queuing and Traffic Shaping
Priority Queuing
Custom Queuing
Frame-Relay
Regular Expressions
Route Maps
Policy Route Maps
Routing
BGP
RIP
IGRP
EIGRP
OSPF
IS-IS
Redistribute
Script for all routers
Source Route Bridging
Global
Interface
Source Route Translational Bridging
Switches
Catalyst 5000
Catalyst 3920
Terminal Server Configuration
Trunking
ISL:
802.1Q:
ATM PVCs:
Tunnels
Voice Over FR
Voice Over IP
Foreword
The CCIE test is demanding. However, your state of mind can have a
dramatic effect on your performance. Study the material well and be confident
that you will succeed. There is tremendous power in positive thinking!
At some point a few days before you take the exam (when you are relaxed)
visualize passing the test. Visualize walking into the lab, seeing the rack and
getting handed the test. Visualize seeing several things (core topics) on the test
that you know cold. There will also be some topics you are very unfamiliar with –
this is expected. Part of the CCIE testing is seeing if you can react quickly. These
are usually only worth a few points and are not incredibly difficult. Don’t get
psyched out by the exam!
Visualize yourself completing one task, then another, then another. Visualize
completing day 1 with an hour or two left to check your work (and please check it
– there will be a few “stupid” mistakes. In fact, given the option of spending the
final hour trying to get something to work that has eluded you, you’re probably
better off spending it reviewing for completeness all the things you’ve finished.)
Visualize walking in the second day and having the instructor say, “Good job,
you’re going on to day 2.” Visualize completing the morning of day 2, then going
into troubleshooting. Visualize nailing troubleshooting, as that actually isn’t
terribly difficult. Visualize getting your CCIE number and imagine what that will
feel like.
Do this entire process several times; it will help reinforce your confidence. Make
up your mind that you are going to study hard, prepare well, execute beautifully
and pass the test!
Access Lists
Standard Access Lists
access-list 1 permit 10.2.50.0 0.0.0.255
access-list 1 permit 10.10.0.0 0.0.255.255
interface serial 0/1
ip access-group 1 in
line vty 0 4
access-class 1 in
Extended Access Lists
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit tcp 155.182.10.0 0.0.0.255 192.233.145.0 0.0.0.255 eq 23
access-list 101 permit udp 10.0.0.0 0.255.255.255 gt 1023 192.168.0.0 0.0.255.255
access-list 101 permit icmp any any echo-reply
router eigrp 200
distribute-list 101 out
Named Access Lists
ip access-list (standard|extended) nameoflist
permit ip 208.14.35.0 0.0.0.255 any
permit tcp 155.182.0.0 0.0.255.255 eq 80 any
Reflexive Access Lists
See “Firewalls”
Aliases
alias exec i show ip route
ATM
interface ATM1/0
ip address 20.20.20.1 255.255.255.0
map-group cisco
atm pvc 1 5 45 aal5snap
!
map-list cisco
ip 20.20.20.2 atm-vc 1 broadcast
Note: the “new” way to define PVCs does not need map-groups:
interface ATM1/0
ip address 20.20.20.1 255.255.255.0
pvc 0/600
protocol ip 20.20.20.2 broadcast
encapsulation aal5snap
ATM PVCs – Point-to-Point
interface ATM2/0
no ip address
!
interface ATM2/0.1 point-to-point
ip address 10.2.0.254 255.255.255.0
atm pvc 1 2 254 aal5snap inarp
!
interface ATM2/0.3 point-to-point
ip address 166.90.188.14 255.255.255.252
atm pvc 3 20 300 aal5snap inarp
ATM PVCs – Multipoint
interface ATM0
no ip address
atm max-paks-vc 40
!
interface ATM0.100 multipoint
ip address 172.20.10.2 255.255.255.0
atm pvc 1 0 101 aal5snap
atm pvc 2 0 201 aal5snap
map-group map1
ipx network 304
!
map-list map1
ipx 304.3.3.3 atm-vc 1 broadcast
ipx 405.2.2.2 atm-vc 2 broadcast
ip 172.20.10.1 atm-vc 1 broadcast
ip 172.20.20.1 atm-vc 2 broadcast
!
ATM SVCs
interface atm 0
atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi (optional – you can manually define the ATM address)
!
interface atm 0.1 multipoint
ip address 131.108.192.1 255.255.255.0
atm nsap-address 11.1111.00000000000000000000.000000000000.00
map-group svc-ip-routerA
map-list svc-ip-routerA
ip 131.108.192.2 atm-nsap 22.2222.00000000000000000000.000000000000.00 broadcast
ip 131.108.192.3 atm-nsap 33.3333.00000000000000000000.000000000000.00 broadcast
ip 131.108.192.4 atm-nsap 44.4444.00000000000000000000.000000000000.00 broadcast
ATM – ARP Server (Classical IP)
On the ATM ARP Server:
interface atm0
atm pvc 1 0 5 qsaal
atm nsap-address 11.1111.00000000000000000000.000000000000.00
atm arp-server self
On the ATM ARP Client:
interface atm0
atm pvc 1 0 5 qsaal
atm nsap-address 22.2222.00000000000000000000.000000000000.00
atm arp-server nsap 11.1111.00000000000000000000.000000000000.00
or better yet:
On the ATM ARP Server:
interface atm0
atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi
atm esi-address 3333.3333.3333.00
atm arp-server self
On the ATM ARP Client:
interface atm0
atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi
atm esi-address 2222.2222.2222.00
atm arp-server nsap 47.0091810000000060705A9801.333333333333.00
where ILMI provides the ATM prefix, and 47.0091810000000060705A9801 was
identified with “show atm ilmi-status” on the ARP server router.
Bridging
Global
bridge 1 protocol ieee
bridge 1 priority 100
Interface
interface e0
bridge-group 1
bridge-group 1 path-cost 50
Bridging – IRB
Global
bridge irb
To allow IRB to bridge and route a protocol (since bridging is enabled by default):
bridge 1 route IPX (bridge bridge-group route protocol)
To allow IRB to route – but not bridge – a protocol:
bridge 1 route IP (bridge bridge-group route protocol)
no bridge 1 bridge IP (no bridge bridge-group bridge protocol)
Interface
interface bvi 1 (interface bvi bridge-group)
ip address 10.10.10.1 255.255.255.0
ipx network 1234
ip ospf cost 200
(any protocol info for protocols that will be routed and bridged together…)
Bridging – CRB
Global
bridge crb
Interface
Same as irb, above.
CET – Cisco Encryption Technology
The basic steps for configuring CET are:
1. Generate DSS public/private keys
2. Exchange DSS public/private keys between routers
3. Enable DES encryption algorithms
4. Define crypto maps and apply them to an interface
crypto key generate dss Router1 (often the name of the router)
show crypto key mypubkey dss (view public keys)
copy system:running-config nvram:startup-config (save private keys)
Configure one router to be “active” in key exchange, the other to be “passive”:
crypto key exchange dss passive (on one router)
crypto key exchange dss ip_address_of_passive Router1 (key name)
crypto cisco algorithm des
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.15.0 0.0.0.255
crypto map mymap 10 cisco
set peer Router2 (key name received from other router)
match address 100
set algorithm des
interface serial 0
crypto map mymap
If a router has more than one CET peer, simply add more sequences to the
crypto map, one for each remote peer.
Dial
Basic Configuration
isdn switch-type basic-ni1
interface bri0
encapsulation ppp
dialer-group 1
ppp authentication chap (optional)
dialer-list 1 protocol ip permit
Dialer Strings
interface bri0
dialer string 1111
Dialer Maps
interface bri0
ip address 172.24.1.3 255.255.255.0
dialer map ip 172.24.1.1 name router1 broadcast 1111111
dialer map ip 172.24.1.2 name router2 broadcast 1112222
Remember the name of the other router!
Dialer Profiles
interface bri0
no ip address
encapsulation ppp
ppp authentication chap ! (optional)
dialer pool-member 1
interface dialer 1
encapsulation ppp ! (required!!!)
ip address 192.168.1.1 255.255.255.0
dialer remote-name router5 ! (if authentication is used)
dialer string 1112223333
dialer pool 1
dialer-group 1
ppp authentication chap
Callback
On the “client” router (makes first call):
int bri0
ppp callback request
On the “server” router (makes return call):
int bri0
ppp callback accept
dialer map ip 192.168.2.1 class myclass name r1 broadcast 5552020
!
map-class dialer myclass
dialer callback-server username
Floating Static Routes
ip route 192.168.100.0 255.255.255.0 172.24.1.1 (or interface BRI0) 200
ipx route default 10.0000.0000.0001 (or bri0) floating-static
Dial Watch
This can be handy because it is similar to floating statics, but doesn’t actually use
statics (often forbidden on the CCIE lab). It also works with any routing protocol –
though especially well with EIGRP. It watches for the routes specified in the
watch-list to disappear:
int bri0 (or int dialer0 – dialer int seems to work better)
dialer watch-group 1
dialer map ip 10.205.205.0 name r1 broadcast 5551212
!
dialer watch-list 1 ip 10.205.205.0 255.255.255.0
Snapshot routing
The following commands are configured on the client router:
interface bri 0
snapshot client 5 360 dialer
dialer map snapshot 1 4155556734
dialer map snapshot 2 7075558990
The following commands are configured on the server router:
interface bri 0
snapshot server 5 dialer
DLSW
Global
source-bridge ring-group 800
dlsw local-peer peer-id 172.21.200.1 promiscuous group 1 border
dlsw remote-peer 0 tcp 172.21.200.19
dlsw remote-peer 0 fst 192.168.154.32
dlsw bridge-group 1
dlsw remote-peer 3 tcp 192.168.10.1
dlsw ring-list 3 rings 5 18 109
Interface
interface token ring 0
source-bridge 2176 1 800
interface Ethernet 0
bridge-group 1
Firewalls
Context Based Access Control (CBAC)
ip inspect name myfirewall tcp
interface Ethernet 0 (inside interface)
ip inspect myfirewall in
interface serial 0 (outside interface)
ip access-group 100 in
access-list 100 deny ip any any
Reflexive Access Lists
interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!