Just another Cisco blog
Posts tagged CCNP
BGP Peer Groups
Jan 29th
Just a short article today on BGP Peer Groups. I’ve been using them while practice labbing for the CCIP exams, so I thought I’d toss up a short post.
BGP Peer Groups “reduce the load on system resources by allowing the routing table to be checked only once, and updates to be replicated to all peer group members instead of being done individually for each peer in the peer group.” (-Cisco.com) They also greatly reduce administrative overhead. They’re somewhat self-explanatory: you define a peer group, add two or more neighbors to it, and apply configuration to the group instead of to each individual neighbor. The one constraint is that every member of a peer group must share the same outbound policy, because the group generates a single set of updates for all of its members; inbound policy can still be set per neighbor. We’re going to use my CCIP topology, but we’ll just focus on the iBGP peers:
We see that all of our PE routers are running iBGP and they’re fully meshed. Let’s look at PE1’s config without Peer Groups:
```cisco
router bgp 6500
 ! Three iBGP sessions, each carrying the same three settings.
 neighbor 6.6.6.6 remote-as 6500
 neighbor 6.6.6.6 update-source Loopback0
 neighbor 6.6.6.6 next-hop-self
 neighbor 7.7.7.7 remote-as 6500
 neighbor 7.7.7.7 update-source Loopback0
 neighbor 7.7.7.7 next-hop-self
 neighbor 8.8.8.8 remote-as 6500
 neighbor 8.8.8.8 update-source Loopback0
 neighbor 8.8.8.8 next-hop-self
```
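For comparison, here is the same set of PE1 iBGP sessions collapsed into a peer group. This is an added example, not the configuration from the original post: the addresses and AS number are the ones shown above, while the group name IBGP-PEERS and the MD5 password line are my own additions to show that session-level settings, including authentication, only have to be typed once.

```cisco
router bgp 6500
 ! Define the group once and hang every shared session setting on it.
 neighbor IBGP-PEERS peer-group
 neighbor IBGP-PEERS remote-as 6500
 neighbor IBGP-PEERS update-source Loopback0
 neighbor IBGP-PEERS next-hop-self
 ! Hypothetical: TCP MD5 authentication for every member in one line.
 ! Use "service password-encryption" or the same string will sit in the
 ! running-config in clear text.
 neighbor IBGP-PEERS password 0 ibgp-example-secret
 ! Membership: each neighbor inherits everything configured on the group.
 neighbor 6.6.6.6 peer-group IBGP-PEERS
 neighbor 7.7.7.7 peer-group IBGP-PEERS
 neighbor 8.8.8.8 peer-group IBGP-PEERS
!
! Verification:
!   show ip bgp peer-group IBGP-PEERS   <- group settings and member list
!   show ip bgp summary                 <- all three sessions should be Established
```

Inbound policy can still be attached to an individual member (for example a `route-map ... in` on 8.8.8.8 alone), but anything applied outbound has to go on the group, which is exactly why the group can replicate one update to all three peers.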
CCNP Changes (Finally) Announced
Jan 26th
I meant to make this yesterday, but I got too busy. Cisco has finally announced the new changes that we’ve all known about for months. If you want a proper write up (because we all know you won’t find that on this site), check out Wendell Odom’s post; he goes into much better detail than I could.
The new exams are ROUTE, SWITCH and TSHOOT. They’re pretty self-explanatory: ROUTE replaces BSCI and SWITCH replaces BCMSN. TSHOOT is new (though there was a similar exam a few CCNP versions ago). ISCW and ONT are gone, with some of their topics moved to ROUTE and SWITCH and the rest dropped altogether.
Lock and Key ACLs
Jan 14th
A coworker recently came to me for help with an issue. We have a server sitting behind a router at one of our remote sites. Certain people need RDP access to this server, but we do not want it open to the world; this seems like an ideal scenario for Lock and Key access lists. Lock and Key ACLs are a way to permit temporary access to a resource. A static ACL permanently permits or denies; a Lock and Key ACL keeps the resource closed by default and, after a user authenticates to the router, creates a temporary opening for that user to suit a specific need. In our example it will be a telnet server behind a router. Here’s the topology:
Here we see a host on one side of R1 (Fa0/0) and a server on the other side (Fa1/0). In this example we want very limited access to Telnet on that server. Here’s our config:
```cisco
interface FastEthernet0/0
 description To Host
 ip address 192.168.1.1 255.255.255.0
 ! The ACL filters traffic arriving from the host side.
 ip access-group Telnet in
!
interface FastEthernet1/0
 description To Server
 ip address 192.168.2.1 255.255.255.0
!
ip access-list extended Telnet
 ! Dynamic entry: inactive until access-enable creates it for a user.
 dynamic allow_telnet permit tcp any host 192.168.2.2 eq telnet
 ! Without an active dynamic entry, telnet to the server is denied.
 deny tcp any host 192.168.2.2 eq telnet
 ! Everything else, including telnet to R1 itself, is allowed.
 permit ip any any
!
! "password 0" stores the password in clear text in the config.
username allow password 0 allow
! "host" restricts the opening to the authenticating user's source address;
! "timeout 10" is the idle timeout in minutes.
username allow autocommand access-enable host timeout 10
```
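The config above covers the interface, the ACL and the user, but the dynamic entry is only ever created when that user logs in to R1 and the autocommand runs, so the router's vty lines have to authenticate against the local database. The following is an added example, not the original post's configuration, that completes R1 with the same addresses and ACL name: it adds the vty login that triggers `access-enable`, replaces the type 0 password with a `secret`, and puts an absolute timeout on the dynamic entry. The secret, the 60-minute absolute timeout and the `clear access-template` arguments are my own choices.

```cisco
interface FastEthernet0/0
 description To Host
 ip address 192.168.1.1 255.255.255.0
 ip access-group Telnet in
!
interface FastEthernet1/0
 description To Server
 ip address 192.168.2.1 255.255.255.0
!
ip access-list extended Telnet
 ! "timeout 60" is an absolute limit in minutes; the idle timeout comes from
 ! access-enable below. Without an absolute timeout an entry that keeps
 ! seeing traffic never expires.
 dynamic allow_telnet timeout 60 permit tcp any host 192.168.2.2 eq telnet
 ! Closed by default: no telnet to the server until an entry exists.
 deny tcp any host 192.168.2.2 eq telnet
 ! Everything else is allowed, which is what lets the user reach R1's own
 ! address (192.168.1.1) to authenticate in the first place.
 permit ip any any
!
! "secret" stores a hash; "password 0" stores the password in clear text.
username allow secret allowExampleSecret
! "host" limits the opening to the source address of the authenticating user,
! and the session is closed as soon as the entry has been created.
username allow autocommand access-enable host timeout 10
!
! The user must be able to log in to R1 for the autocommand to run.
line vty 0 4
 login local
!
! Walk-through from the host: "telnet 192.168.1.1", log in as allow, the
! session drops after access-enable runs, then "telnet 192.168.2.2" works.
! On R1:
!   show access-lists Telnet               <- temporary entry with the host's source
!   clear access-template Telnet allow_telnet   <- tear the opening down early
```

Since the same autocommand runs for any login on those vty lines, restricting them to SSH (`transport input ssh`) keeps the credentials that unlock the ACL from crossing the LAN in clear text, which plain telnet to the router would do.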
Private VLAN Tutorial
Jan 12th
Today we’ll go over Private VLANs (PVLANs) in Cisco IOS. PVLANs segregate VLANs even further than normal; they are basically VLANs inside of VLANs. The ports share a subnet, but can be prevented from communicating with each other at layer 2. They use different port types:
Promiscuous ports – These are the “open ports” of the PVLAN; they can communicate with all other ports. This is normally where the default gateway or firewall sits.
Community ports – These ports can communicate with other ports in the same community and with promiscuous ports, but not with other communities or with isolated ports.
Isolated ports – These can ONLY communicate with promiscuous ports, not even with other isolated ports.
There are different uses for PVLANs. Service providers use them to keep customers that share a single subnet from reaching each other. Another use is for DMZ hosts in an enterprise environment: if one host is compromised, its ability to inflict damage on the other hosts will be severely limited. That’s the scenario we’ll be using today. This is our topology:
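As an added example (not the original post's configuration), here is the DMZ scenario on a Catalyst switch running IOS: one primary VLAN carrying the DMZ subnet, an isolated secondary VLAN for hosts that only ever need to reach the gateway, a community secondary VLAN for a pair of hosts that must see each other, and a promiscuous port for the firewall. The VLAN numbers, interface names and descriptions are my own choices.

```cisco
! VTP v1/v2 do not propagate private VLANs, so the switch must be in
! transparent mode (VTP v3 can carry them, but transparent is the safe default).
vtp mode transparent
!
! Primary VLAN: the DMZ subnet lives here and is what the gateway sees.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary: members can reach only promiscuous ports.
vlan 101
 private-vlan isolated
!
! Community secondary: members can reach each other and promiscuous ports.
vlan 102
 private-vlan community
!
! Firewall / default gateway: promiscuous, mapped to both secondaries.
interface GigabitEthernet0/1
 description DMZ firewall inside interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Standalone DMZ host (e.g. a public web server): isolated.
interface GigabitEthernet0/2
 description web1 - isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Two hosts that must talk to each other (e.g. app and its DB): same community.
interface range GigabitEthernet0/3 - 4
 description app/db - community
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verification:
!   show vlan private-vlan            <- primary/secondary types and port membership
!   show interfaces Gi0/2 switchport  <- operational mode and host association
```

One caveat a practitioner should check: the isolation is layer 2 only. The gateway on the promiscuous port can still forward between two isolated hosts at layer 3 if it answers ARP on their behalf (`ip local-proxy-arp` on the gateway interface does exactly that), so leave that off or filter intra-subnet traffic on the firewall. If the gateway is an SVI on the switch itself, the SVI for VLAN 100 also needs `private-vlan mapping 101,102`.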
MPLS and BGP Lab Guide, Part 6
Dec 31st
This is the sixth post in the series; the goal of the series is to provide a guide for the MPLS and BGP lab I posted a while back. The lab consists of MPLS VPNs and BGP along with some OSPF, NAT, IPsec and GRE exposure. I will be posting the files needed for this lab at the bottom. Here’s the topology and the requirements:
Requirements:
Internet
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be accessible from all LAN IPs.
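The first requirement, that only the two Internet routers act as transit, is normally enforced at the BGP edge of every other AS by advertising only prefixes that AS originated itself. This is an added example of that filter, not part of the lab guide or its files; the AS numbers, the neighbor address and the filter number are placeholders to be replaced with the lab's real values.

```cisco
! Match only routes with an empty AS path, i.e. routes originated inside this
! AS. Anything learned from another AS has a non-empty path and is dropped
! from outbound updates, so this router can never offer transit by accident.
ip as-path access-list 10 permit ^$
!
router bgp 65010
 ! Hypothetical eBGP neighbor; substitute the lab's peer and AS.
 neighbor 203.0.113.1 remote-as 65020
 neighbor 203.0.113.1 filter-list 10 out
!
! Verification:
!   show ip bgp regexp ^$
!     -> exactly the prefixes the filter will let out
!   show ip bgp neighbors 203.0.113.1 advertised-routes
!     -> should list nothing that carries another AS in its path
```

The two Internet routers simply get no such outbound filter, which is what lets them carry traffic between the other ASes.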