
Tuesday, May 31, 2011

BPDU filter

BPDUs are the messages exchanged between switches to calculate the spanning tree topology. BPDU filter is a feature that stops a switchport from sending or receiving BPDUs.
It is most useful on ports configured as PortFast ports, because there is no need to send or receive BPDU messages on those ports.

BPDU filter can be configured globally or at the interface level. When configured globally, all PortFast-enabled ports stop sending and receiving BPDUs; if a BPDU is nevertheless received on such a port, the port leaves the PortFast state and participates normally in the spanning tree calculation.
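Both forms of the feature side by side, as an added configuration example that is not from the original post; FastEthernet0/1 is an assumed access port:

```cisco
! Global form: applies only to ports that are in the PortFast state.
! The port stops sending BPDUs, but if one arrives the port drops out of
! PortFast (and out of the filter) and runs spanning tree normally, so a
! switch accidentally plugged into the port is still detected.
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
! Interface form: the port neither sends nor processes BPDUs regardless of
! PortFast state, so spanning tree is effectively disabled on it and a loop
! through this port would not be detected. Use it only on ports that can
! never reach another switch.
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Verification (privileged EXEC, not configuration mode):
!   show spanning-tree summary
!     -> "Portfast BPDU Filter Default is enabled" for the global form
!   show spanning-tree interface FastEthernet0/1 detail
!     -> "Bpdu filter is enabled" plus the BPDU sent/received counters
```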



Monday, May 30, 2011

OSPF(ASBR) Summary address

There are two kinds of summarization in OSPF: inter-area summarization and external summarization. Inter-area summarization is done between areas on an ABR with the "area x range x.x.x.x x.x.x.x" command. In this post, however, we will talk about external summarization, which is done on an ASBR with the "summary-address x.x.x.x x.x.x.x" command.

In the example below, R1 is the ASBR because it is the gateway between two routing protocols (RIP and OSPF). We will show the effect of the "summary-address x.x.x.x x.x.x.x" command on it.

Network 20.1.1.0/24 is redistributed from RIP into OSPF. It is an external route and appears in the R3 routing table as an E2 route. Below are the results without the summary-address command and with the command enabled.


Without the "summary-address" command

Let's view the routing table of R3:

R3
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
O E2    20.1.1.0 [110/20] via 192.168.2.1, 00:00:01, FastEthernet0/0
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.1.0 is directly connected, Loopback0
C       172.16.2.0 is directly connected, Loopback1
C       172.16.3.0 is directly connected, Loopback2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback4
O E2 192.168.1.0/24 [110/20] via 192.168.2.1, 00:08:12, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0


With ASBR summarization enabled on router R1

Let's first look at the part of the R1 configuration relevant to external summarization.
R1
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute rip subnets
 network 172.16.0.0 0.0.255.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 summary-address 20.0.0.0 255.0.0.0
 redistribute ospf 1 metric 3

Now let's check the routing table of R3:
R3
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

O E2 20.0.0.0/8 [110/20] via 192.168.2.1, 00:07:18, FastEthernet0/0
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.1.0 is directly connected, Loopback0
C       172.16.2.0 is directly connected, Loopback1
C       172.16.3.0 is directly connected, Loopback2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback4
O E2 192.168.1.0/24 [110/20] via 192.168.2.1, 00:08:03, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0





Monday, May 9, 2011

EIGRP Authentication PPPoFR Virtual-template

An example of EIGRP authentication using a different password for each neighbor in a Frame Relay network.

R1 - R2: MD5 with the password CISCO12.
R1 - R3: MD5 with the password CISCO13.
Note: we are not allowed to use sub-interfaces on R1.



Configuration

R1

key chain MY_KEY13
 key 1
   key-string CISCO13
!
key chain MY_KEY12
 key 1
   key-string CISCO12


interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 frame-relay interface-dlci 102 ppp Virtual-Template1
 frame-relay interface-dlci 103 ppp Virtual-Template2
 frame-relay lmi-type ansi
!

interface Virtual-Template1
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MY_KEY12
!
interface Virtual-Template2
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MY_KEY13
!
router eigrp 1
 network 0.0.0.0
 auto-summary
 
R2
key chain MY_KEY
 key 1
   key-string CISCO12

interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 frame-relay interface-dlci 201 ppp Virtual-Template1
!
!
interface Virtual-Template1
 ip address 192.168.1.2 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MY_KEY
!
router eigrp 1
 network 0.0.0.0
 auto-summary

R3
key chain MY_KEY
 key 1
   key-string CISCO13
!
!
!

interface Serial0/0
 ip address 192.168.1.3 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 frame-relay interface-dlci 301 ppp Virtual-Template1
!

interface Virtual-Template1
 ip address 192.168.1.3 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MY_KEY
!
router eigrp 1
 network 0.0.0.0
 auto-summary
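Key chains also let the password be rotated without dropping the adjacency, which the single-key configuration above cannot do. As an added example that is not part of the original post, here is R1's key chain for R2 with an overlapping second key; the lifetimes, the new key string CISCO12-NEW and the NTP server address are constructed:

```cisco
! The key chain name and key numbers must stay identical on R1 and R2:
! EIGRP puts the key ID in the packet and the receiver looks the key up by
! that ID. R1 sends key 1 until Jun 1 and key 2 from then on, but keeps
! accepting key 1 for one extra hour so R2 can be changed inside the window
! without either side rejecting the other's hellos.
key chain MY_KEY12
 key 1
  key-string CISCO12
  accept-lifetime 00:00:00 Jan 1 2011 01:00:00 Jun 1 2011
  send-lifetime 00:00:00 Jan 1 2011 00:00:00 Jun 1 2011
 key 2
  key-string CISCO12-NEW
  accept-lifetime 23:00:00 May 31 2011 infinite
  send-lifetime 00:00:00 Jun 1 2011 infinite
!
! Lifetimes are evaluated against the router clock, so both routers need
! a trusted time source or the rollover will not line up.
ntp server 192.168.1.254
```

Apply the same chain on R2 (the page uses the name MY_KEY there), and check the switch with "show key chain" and "show ip eigrp neighbors" around the rollover time.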


Wednesday, May 4, 2011

Nat Extendable option

From http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html


The extendable keyword allows several ambiguous static translations to be configured, where ambiguous translations are translations that share the same local or global address.


ip nat inside source static <localaddr> <globaladdr> extendable


Example


SSH and Telnet traffic will be redirected to 192.10.1.112 on ports 22 and 23 respectively.
192.10.1.0/24 = inside
204.12.1.0/24 = outside
54.1.8.0/24   = outside
Because there is more than one outside interface, the same inside host and port is translated to two different global addresses, which makes the translations ambiguous. Therefore the "extendable" option is required on the NAT commands.

ip nat inside source static tcp 192.10.1.112 22 54.1.8.6 22 extendable 
ip nat inside source static tcp 192.10.1.112 23 54.1.8.6 23 extendable 
ip nat inside source static tcp 192.10.1.112 22 204.12.1.6 22  extendable 
ip nat inside source static tcp 192.10.1.112 23 204.12.1.6 23 extendable 





Monday, May 2, 2011

Parser View



CLI views let us restrict which commands each network administrator can access based on role. Superviews let a network administrator bundle several configured CLI views into one superview and assign users to it, instead of having to assign multiple CLI views to a group of users.


Here is the basic configuration of the Parser View.


R2 <----> R3    
192.168.1.1   <---->  192.168.1.2


Task:

  • Allow Telnet access with the username OPERATOR and password CISCO, able to configure only the HTTP feature of the router.
  • Configure the username ADMIN with password CISCO, with access to every feature of the router.



aaa new-model
!
!
aaa authentication login default local
aaa authentication login VTY local
aaa authentication login CON none
aaa authorization exec default local
aaa authorization exec VTY local


username OPERATOR view HTTP password 0 CISCO
username ADMIN privilege 15 password 0 CISCO


parser view HTTP
 secret 5 $1$6ZRJ$CIjM5cdVUvhpinttlR/361
 commands configure include ip http
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include show running-config
 commands exec include show
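The configuration above defines a single view. A superview, as described at the start of the post, groups existing views; the following is an added example that is not from the original post, and the view MONITOR, the superview OPS_SUPER, the user OPS and their command sets are assumed:

```cisco
! A second, inspection-only view. As with the HTTP view above, IOS adds
! the parent keyword ("show") to the view automatically.
parser view MONITOR
 secret 0 CISCO
 commands exec include show interfaces
 commands exec include show ip route
!
! The superview holds no commands of its own; it only lists member views,
! which must already exist. A user logged into it gets the union of the
! commands permitted by HTTP and MONITOR, and nothing else.
parser view OPS_SUPER superview
 secret 0 CISCO
 view HTTP
 view MONITOR
!
! Bind a user to the superview the same way OPERATOR is bound to HTTP.
username OPS view OPS_SUPER password 0 CISCO
!
! Verification from the root view: "show parser view all" lists every view
! and superview; a user in OPS_SUPER sees "Current view is 'OPS_SUPER'".
```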

Verify configuration

HTTP View

R2#telnet 192.168.1.2
Trying 192.168.1.2 ... Open

User Access Verification

Username: OPERATOR
Password:

R3#show parser view
Current view is 'HTTP'

 
R3(config)#?
Configure commands:
  do    To run exec commands in config mode
  exit  Exit from configure mode
  ip    Global IP configuration subcommands

R3(config)#

---------------------------------------

Change parser view configuration
To change the configuration of a parser view, you need to be in the root view. In this example, we telnet in as ADMIN and use "enable view" to enter the root view.

R2#telnet 192.168.1.2
Trying 192.168.1.2 ... Open


User Access Verification


Username: ADMIN
Password:

R3#en view
Password:

R3#

On R3, you will see the syslog message:
*Mar  3 22:24:04.582: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Now, you can change the configuration of the parser view.

R3#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

R3(config)#parser view HTTP ?
  superview  SuperView Commands
  <cr>

R3(config)#parser view HTTP
R3(config-view)#?
View commands:
  commands  Configure commands for a view
  default   Set a command to its defaults
  exit      Exit from view configuration mode
  no        Negate a command or set its defaults
  secret    Set a secret for the current view