Route redistribute, filtering notes

On a router, redistribute protocol A in to protocol B

Following routes will be distributed into protocol B:
1. all interfaces which running protocol A (exclude ISIS/ODR)
2. all routes learned from protocol A

In case of mutual redistribution at multiple redistribution points, be careful when distribute from a preferred (AD) protocol into a less preferred protocol (e.g from OSPF into RIP)

Because link state protocols do not advertise routes from their routing table as do distance vector protocols, there are no updates to filter. Because of this behavior, route filters are mostly used at redistribution points into link state domains, such as an OSPF ASBR, where they can regulate which routes enter or leave the domain. Within the link state domain, route filters have limited utility.

From Routing TCP.IP

Broadcast 255.255.255.255

 
Why Broadcast?

   Broadcasts are useful when a host needs to find information without
   knowing exactly what other host can supply it, or when a host wants
   to provide information to a large set of hosts in a timely manner.

How router treat 255.255.255.255? 

The address 255.255.255.255 denotes a broadcast on a local hardware
   network, which must not be forwarded.  This address may be used, for
   example, by hosts that do not know their network number and are
   asking some server for it. 

Ref: http://tools.ietf.org/html/rfc919

http://ciscodreamer.blogspot.com/search/label/ICMP

Distance vector vs. Link state

A distance vector protocol shares everything it knows but only with
directly connected neighbors.

Link state protocols announce information only about their directly
connected links, but they share the information with all routers in their routing domain or area.

From book Routing TCP.IP

Bellman–Ford algorithm is used in distance-vector routing protocols

1. Each node calculates the distances between itself and all other nodes within the AS and stores this information as a table.
2. Each node sends its table to all neighboring nodes.
3. When a node receives distance tables from its neighbors, it calculates the shortest routes to all other nodes and updates its own table to reflect any changes. 

http://en.wikipedia.org/wiki/Bellman%E2%80%93Ford_algorithm

Routing Information Protocol (RIP)

RIPv1 is defined in RFC 1058, and operates on UDP port 520.

RIP uses only hop count as its metric, with a maximum of 15 (a metric of 16 indicates unreachability).

Upon initialization, RIP routers issue requests for routes from neighbors. Neighbors issue responses

containing their full routing tables.

Routers broadcast their entire table to the link-local broadcast address of 255.255.255.255 every 30 seconds (on average; a small jitter is included to prevent simultaneous flooding).

RIP Timers

Update (30 seconds) - How often routes are advertised (+/- a small random delay)

Invalid (180 seconds) - How long a received route will stay in the routing table without being

received again, before being marked as invalid.

Flush (240 seconds) - 60 seconds longer than the invalid timer; invalid routes will be flushed

from the table when this timer is reached.

Holddown (180 seconds) - Routes will be kept in the table for this time before being replaced

by an advertisement with a higher metric.


An offset list can be implemented to artificially increase the metric for certain routes:
offset-list <ACL> {in | out} <offset> <interface>

Use distribute-list to filter routes update:
distribute-list <ACL> {in | out} <interface>

When debugging RIP:

*Mar  1 00:15:42.943: RIP: sending v1 update to 255.255.255.255 via Loopback0 (2.2.2.2)
*Mar  1 00:15:42.943: RIP: build update entries
*Mar  1 00:15:42.943:   network 1.0.0.0 metric 2
*Mar  1 00:15:42.947:   network 10.0.0.0 metric 1 <<< this means the network is directly connected (by using network command under rip process)


*Mar  1 00:18:21.435: RIP: sending v2 update to 224.0.0.9 via Loopback0 (2.2.2.2)
*Mar  1 00:18:21.439: RIP: build update entries
*Mar  1 00:18:21.439:   1.1.1.1/32 via 0.0.0.0, metric 2, tag 0
*Mar  1 00:18:21.443:   10.0.12.0/24 via 0.0.0.0, metric 1, tag 0 <<< this means the network is directly connected (by using network command under rip process)




Ref: http://media.packetlife.net/media/library/29/Routing_TCP-IP_Vol_1_Notes.pdf

Using Subnet Zero and the All-Ones Subnet

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f18.shtml

PBR set ip next-hop recursive

access-list 100 permit ip host 1.1.1.1 host 4.4.4.4
!
route-map PBR permit 10
 match ip address 100
 set ip next-hop recursive 3.3.3.3

##################################################################################
set ip next-hop recursive [3.3.3.3] - The router will forward matching traffic to the interface of "show ip route 3.3.3.3", if can not find any it forward using normal routing table. 


##################################################################################


Successful PBR
*Mar  1 00:19:31.507: IP: tableid=0, s=1.1.1.1 (Ethernet0/0), d=4.4.4.4 (Ethernet1/3), routed via RIB
*Mar  1 00:19:31.507: IP: s=1.1.1.1 (Ethernet0/0), d=4.4.4.4, len 100, policy match
*Mar  1 00:19:31.511:     ICMP type=8, code=0
*Mar  1 00:19:31.511: IP: route map PBR, item 10, permit
*Mar  1 00:19:31.511: IP: s=1.1.1.1 (Ethernet0/0), d=4.4.4.4 (Ethernet0/3), len 100, policy routed
*Mar  1 00:19:31.511:     ICMP type=8, code=0
*Mar  1 00:19:31.511: IP: Ethernet0/0 to Ethernet0/3 10.2.23.3
*Mar  1 00:19:31.515: IP: s=1.1.1.1 (Ethernet0/0), d=4.4.4.4 (Ethernet0/3), g=10.2.23.3, len 100, forward
*Mar  1 00:19:31.515:     ICMP type=8, code=0




Unsuccessful PBR
*Mar  1 00:15:53.939: IP: tableid=0, s=1.1.1.1 (Ethernet0/0), d=4.4.4.4 (Ethernet1/3), routed via RIB
*Mar  1 00:15:53.939: IP: s=1.1.1.1 (Ethernet0/0), d=4.4.4.4, len 100, policy match
*Mar  1 00:15:53.943:     ICMP type=8, code=0
*Mar  1 00:15:53.943: IP: route map PBR, item 10, permit
*Mar  1 00:15:53.943: IP: s=1.1.1.1 (Ethernet0/0), d=4.4.4.4 (Ethernet1/3), len 100, policy rejected -- normal forwarding
*Mar  1 00:15:53.943:     ICMP type=8, code=0
*Mar  1 00:15:53.943: IP: s=1.1.1.1 (Ethernet0/0), d=4.4.4.4 (Ethernet1/3), g=10.0.24.4, len 100, forward
*Mar  1 00:15:53.947:     ICMP type=8, code=0


Ref: http://cisconinja.wordpress.com/category/pbr/
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

Cisco spanning tree animation

Cisco spanning tree animation

Unicast RPF Examples

Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction. 

Strict Mode RPF

If the source address is in the FIB and reachable only through the interface on which the packet was received, the packet is passed. The syntax for this method is ip verify unicast source reachable-via rx.  

Ref: http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i2g.html

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Bash script to check validate IP address

#!/bin/bash

# Test an IP address for validity:
# Usage:
#      is_ip IP_ADDRESS
#      if is_ip IP_ADDRESS; then return 1; else return 0; fi
#



is_ip(){

    input=$1
    octet1=$(echo $input | cut -d "." -f1)
    octet2=$(echo $input | cut -d "." -f2)
    octet3=$(echo $input | cut -d "." -f3)
    octet4=$(echo $input | cut -d "." -f4)
    stat=0

if [[ $input =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && [ $octet1 -le 255 ] && [ $octet2 -le 255 ] && [ $octet3 -le 255 ] && [ $octet4 -le 255 ];
  then
    stat=1
fi


echo "IP $input is $stat."

return  $stat

}

if [ -z $1 ];
  then
   echo "Usage: sh is_ip.sh IP_ADDRESS"
   exit 0
  else
   is_ip $1
fi
Ref: http://www.linuxjournal.com/content/validating-ip-address-bash-script

Bash error [: =: unary operator expected

Use - if [ "$number" = "1" ]; then

NOT - if [ $number = "1" ]; then 

http://linuxcommand.org/wss0100.php

Auto ssh command

$ ssh -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -l remote_login remote_host "command opts args..."

 Ref: http://www.unix.com/shell-programming-scripting/75930-how-do-i-handle-ssh-response-expect.html

Auto ssh command


In expect script, below one is working:


spawn ssh  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $vIP

Expect with different passwords

proc login {user pass} {
    expect "login:"
    send "$user\r"
    expect "password:"
    send "$pass\r"
}
set username spongebob set passwords {squarepants rhombuspants}
set index 0

spawn telnet 192.168.40.100
login $username [lindex $passwords $index]
expect {
    "login incorrect" {
        send_user "failed with $username:[lindex $passwords $index]\n"
        incr index
        if {$index == [llength $passwords]} {
            error "ran out of possible passwords"
        }
        login $username [lindex $passwords $index]
        exp_continue
    }
    "prompt>" }
send_user "success!\n"
# ...
 

http://stackoverflow.com/questions/1538444/using-conditional-statements-inside-expect 

Cisco 10GBASE XENPAK Modules

Cisco 10GBASE XENPAK Modules

http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5138/product_data_sheet09186a008007cd00_ps5251_Products_Data_Sheet.html

Traffic Shaping and Policing

A key difference between shaping and policing is the rate at which tokens are replenished. This section reviews the difference.  


Shaping increments the token bucket at timed intervals using a bits per second (bps) value. A shaper uses the following formula:

Tc = Bc/CIR (in seconds)

In this equation, Bc represents the committed burst, and CIR stands for committed information rate. (See Configuring Frame Relay Traffic Shaping for more information.) The value of Tc defines the time interval during which you send the Bc bits in order to maintain the average rate of the CIR in seconds.


When the excess burst (Be) is configured to a value different than 0, the shaper allows tokens to be stored in the bucket, up to Bc + Be. The largest value that the token bucket can ever reach is Bc + Be, and overflow tokens are dropped. The only way to have more than Bc tokens in the bucket is to not use all Bc tokens during one or more Tc. Since the token bucket is replenished every Tc with Bc tokens, you can accumulate unused tokens for later use up to Bc + Be.

In contrast, class-based policing and rate-limiting adds tokens continuously to the bucket. Specifically, the token arrival rate is calculated as follows:

(time between packets<which is equal to t-t1>* policer rate)/8 bits per byte

In other words, if the previous arrival of the packet was at t1 and the current time is t, the bucket is updated with t-t1 worth of bytes based on the token arrival rate. Note that a traffic policer uses burst values specified in bytes, and the above formula converts from bits to bytes.







Shaping implicitly uses the averaging interval Tc=Bc/CIR to meter the average traffic rate. Larger Bc values allow for better accommodation of bursty traffic flows with oscillating traffic rates. Smaller Bc is good for stable flows, in situations where you don’t tolerate even a small violation of the instant traffic rate.

Ref:
The Meaning of Bc with Traffic Policing
Comparing Traffic Policing and Traffic Shaping for Bandwidth Limiting
Shaping and policing on Cisco

Traffic shaping

AR=Access Rate = Serialization Rate (Ethernet 10Mbps)

It will take 1.2 ms to transmit a 1500Bytes PDU on Ethernet. [1500 * 8 bytes * 1000 ms / 10M]

CIR=Committed Information Rate
Bc=Committed Burst Size
Be=Excessive Burst Size
Tc=Time Interval

Bc/Tc=CIR/SEC

if
CIR=8bps
Tc=125ms

then
Bc=1bit

|125ms_|_|_|_|_|_|_|
<-   1000ms        ->

Reduce Bc for smaller Tc to improve VoIP traffic performance (which will wait shorter per time interval)

Be/Tc=(AR-CIR)/SEC

Be allow customer to bank "credit" from early time intervals and send it later on within a second, the overall traffic will not exceed the CIR.

Understanding Single-Rate and Dual-Rate Traffic Policing

Control Plane Policing Implementation (CPP) Best Practices

Network Core Infrastructure Best Practices 

http://www.nanog.org/meetings/nanog42/presentations/Bhaiji_Network_Core.pdf 

 

Control Plane Policing Implementation Best Practices

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html 

 

Configuring Denial of Service Protection

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html

Protecting the Cisco Catalyst 6500 Series Switches Against Denial-Of-Service Attacks

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html

 

Deploying Control Plane Policing

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

 

Control Plane Policing

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html 

 

ICMP/PING drops when pinging from Nexus 7000

https://supportforums.cisco.com/docs/DOC-15510

Cisco Control Plane Policing

http://security-planet.de/2005/07/26/cisco-control-plane-policing/

Filtering BGP Routes

Using Distribute Lists to Filter Network Prefixes

Using Prefix Lists to Filter BGP Routes

Using Route Maps to Filter BGP Routes

Ref:

http://www.informit.com/library/content.aspx?b=CCIE_Practical_Studies_II&seqNum=102

ICMP PING

ICMP segment structure

The ICMP header starts after the IPv4 header. All ICMP packets will have an 8-byte header and variable-sized data section.

    Windows "ping.exe" adds, by default, 32 bytes of padding
    The Linux "ping" utility adds, by default, 56 bytes of padding

#########################################################
C:\Documents and Settings\wentao.yang>ping 121.59.0.1

Pinging 121.59.0.1 with 32 bytes of data:

Reply from 121.59.0.1: bytes=32 time=1ms TTL=247
#########################################################
yang@test.nmlon:~$ ping 192.168.231.0
PING 192.168.231.0 (192.168.231.0) 56(84) bytes of data.
64 bytes from 192.168.231.0: icmp_seq=1 ttl=251 time=1.06 ms

Ref: http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
http://ss64.com/bash/ping.html

Steps for sending a packet out

THIS is from https://learningnetwork.cisco.com/thread/15223

       

Steps for sending a packet out -

Step 1 - (IPv4 Routing Lookup) --> Goal is to decide on the following entities first.

- Longest match / Lowest AD / Lowest Metric / Overlapping Routes(Multiple routes to the same destination in the routing table) / Policy Routing (Will override all the above steps)

- Outgoing interface

- Next-hop

Step 2 - (IPv4 Switching Method) --> Goal is to move packets between interfaces. Load Balancing occurs at this stage. Even though we have multiple routes in the routing table, the load balancing will not occur if the switching method is not configured to do so. If the switching method is not configured for load balancing, the packets will follow the same path even though multiple paths exists in the routing table. Can be verified by "show ip cef exact-route <source ip> <destination ip>". The above command based on the inputs of source and destination, will tell us the next hop IP and outgoing interface the packet is taking.

Decide on the following entities in the second step.

- Process

- Fast

- CEF

- Etc.

[Note -

1.) Once CEF is enabled, it will form the FIB and adjacency table with the help of Routing table and at the same moment and it will not check the routing table from then on unless there is change in the routing table and will forward all the packets based on CEF table only. CEF is ON by default on the routers.

2.) If on a local LAN, some users are saying that they are able to surf web without any issues and some are saying that they are having problems in surfing even though they all are on the sam LAN, then it's most probably issue with the underlying switching method. You can verify it using the command ip cef exact-route <source ip> <destination ip>, by giving the different Users source IP address and the same destination IP address. You can see different next-hop IP address, in the output if two route exists in the routing table for the same destination IP address.

3.) "show ip route" command simply checks whether our routing lookup is working or not. If you can see an valid output by show ip route command, it means our Routing Lookup worked fine. Now we can move on to check the Switching method. ]

Step 3 - (Layer 2 Encapsulation) --> Goal is to build Layer 2 frame header based on the next-hop value.

- Multipoint interfaces require layer 3 to layer 2 resolutions (For ethernet it depends on ARP / Proxy-ARP / Reverse ARP. For Frame-Relay it depends on Inverser-ARP / Static Mappings. Note that Ethernet is mapping remote layer 3 to remote layer 2 whereas Frame-Relay is mapping the remote layer 3 to local layer 2.)

- Point-to-Point interfaces do not require layer 3 to layer 2 mapping.

·         Debug ip-packet walkthrough

1.) First and foremost it will only show the process-switched packets.

2.) Secondly, all the packets locally generated or destined to any local interface will only be process switched no matter what. All transit traffic will be fast switched or CEF switched depending on what we have configured on the router.

3.) When you do "debug ip packet", follow the following messages

*Mar  2 02:33:38.559: IP: tableid=0, s=163.1.12.1 (local),d=163.1.12.2(Serial0/0), routed via RIB

*Mar  2 02:33:38.559: IP: s=163.1.12.1 (local), d=163.1.12.2 (Serial0/0),len 100, sending

*Mar  2 02:33:38.559:     ICMP type=8, code=0.

*Mar  2 02:33:41.559: IP: s=163.1.12.1 (local), d=163.1.12.2 (Serial0/0),len 100, encapsulation failed

*Mar  2 02:33:41.559:     ICMP type=8, code=0

STEP 1 - "routed via FIB / RIB" simply means that routing process was successful. Routed via RIB / FIB doesn't mean that the end-to-end connectivity is through.

STEP 2 - "sending" simply means that the packet is being sent to the switching process. The interface mentioned here is the outgoing interface where the switching process put the packet for transfer.

STEP 3 - If the third line in the output shows that "encapsulation failed" message, it means that our STEP 3 of packet forwarding failed. If you do "debug arp" along with "debug ip packet" you can see exactly after step 2, an ARP will be sent for any network not reachable.

[NOTE -

1.) If one of the above step is broken then it does't imply that the other step is broken. For example, if encapsulation is broken, then it doesn't imply that the routing is broken.

2.) If some router is sitting in the middle of the path and it doesn't have a route to the destination, it will generate ICMP unreachable message back to the source. You can verify it via "debug ip icmp". This is useful in determining end to end rechability. ]

Thanks to Brian McGahan for giving a clear picture of the above concept.

Regards,

Somit Maloo....

Troubleshooting Memory Problems

Memory fragmentation

Your router is facing an IO memory leak.  Don't focus on the fragmentation, it's only a side effect of the leak.  The main issue is that you're running out of IO memory and that's why you see MALLOCFAIL in Pool:I/O.

To troubleshoot this, collect 'show buffers'.  Look at which pool is heavily used (high 'total' number), then dump the packets in that pool with 'show buffer pool XXXX dump'.  We'll see what kind of packets are stuck in the buffers.

If you have a recent IOS, you can also use 'show memory debug leak' (will trigger a high CPU for a minute or so).

If you reload, memory will be cleared but we'll lose the information to troubleshoot the problem.

Only reload if you need to restore service quickly.  It won't fix the problem definitely.  The problem will come back later when the memory will be depleted again.

- show buffer pool Large dump
- show mem debug leak


Copy from: https://supportforums.cisco.com/thread/2053474

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6f3a.shtml

IPsec Anti-Replay Window

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association [SA] anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with the sequence number X-N is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.

At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

Increasing the anti-replay window size has no impact on throughput and security. The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed to store the sequence number on the decryptor. It is recommended that you use the full 1024 window size to eliminate any future anti-replay problems. 

Ref: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html#wp1027188
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

https://supportforums.cisco.com/thread/2046718

Shell Scripting: Convert Uppercase to Lowercase

vName=$(echo $1 | tr "[:upper:]" "[:lower:]" | sed 's/\.$//')
echo $vName
wtyang@jump0.nmbeijing:~$ ./test.scr AABBCCDDEE.
aabbccddee

Ref: http://www.cyberciti.biz/faq/linux-unix-shell-programming-converting-lowercase-uppercase/
http://ss64.com/bash/tr.html

Test download speed from a Cisco router

Customer_router(config)#ip route 87.51.34.132 255.255.255.255 150.200.1.253
Customer_router(config)#ip host ftp.freebsd.org 87.51.34.132
Customer_router(config)#ip ftp source-interface vlan 1
Customer_router#copy ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/9.0-RC2/doc.txz flash:
Destination filename [doc.txz]?
Accessing ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/9.0-RC2/doc.txz...
Loading pub/FreeBSD/releases/i386/i386/9.0-RC2/doc.txz !!!!!!
[OK - 1443296/4096 bytes]

1443296 bytes copied in 29.136 secs (49537 bytes/sec)
Customer_router00_ITASS#

ip flow-top-talkers

In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.

Router(config)# ip flow-top-talkers

Router(config-flow-top-talkers)# top 4

Router(config-flow-top-talkers)# sort-by bytes 

Reference:Cisco site 

ADSL firmware upgrade on 887/877/857 router

I cannot find instructions on how to use the latest 4.0.18 ADSL firmware on an 887 router.

I've downloaded adsl_alc_20190_4.0.018.bin from the website and copied it to flash, but cannot find any instructions on applying the firmware. Tried rebooting but made no difference.

What commands, etc, am I meant to use to make use of this ADSL firmware release ?

Thank you in advance.

Roger. 

Correct Answer by kmccourt  on May 18, 2010 11:40 AM

Assuming the 887 behaves like the 877/857, the file has to be renamed to:

adsl_alc_20190.bin

and then you reboot.

Ref: https://supportforums.cisco.com/thread/2017655

Problem with ICMP filtering and PMTU-D

Say the customer PC sends a 1500-byte packet, with DF set (which is the default for everything these days).  It’s fine on the switch, it’s fine on our router.  Somewhere between us and the server, it finds a link that only has an MTU of 1400.  The router attached to that link can’t fragment (DF is set), so it sends an ICMP error message back explaining that the packet is too big, and that the originating host must send smaller packets.  That ICMP packet is not part of the data flow, so the firewall will drop it unless configure to pass it.  If the PC never sees the error message, all it knows is that it never got a reply, so it keeps re-transmitting the 1500-byte packet until it eventually times out.

Now, to the problem with ICMP filtering and PMTU-D

In this case, if the ICMP can't fragment errors can not get back to the source host due to a filter, the host will never know that the packets it is sending are too large. This means it will keep trying to send the same large packet, and it will keep being dropped--silently dropped from the view of any system on the other side of the filter. While a small handful of systems that implement PMTU-D also implement a way to detect such situations, most don't and even for those that do it has a negative impact on performance and the network.
If this is happening, typical symptoms include the ability for small packets (eg. request a very small web page) to get through, but larger ones (eg. a large web page) will simply hang. This situation can be confusing to the novice administrator because they obviously have some connectivity to the host, but it just stops working for no obvious reason on certain transfers.
There is one solution, and several workarounds, for this problem. They include:

http://www.znep.com/~marcs/mtu/ 
Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC

VPN VRF import map /export map

import map /export map are usually used for selectively import or export prefixes [by adding / filtering the RT values] , which makes inter-vrf communications more flexible.

Whereas route-target export / route-target import will unconditionally import or export

BGP Community Lists

There are two types of community list. One is standard community list and another is expanded community list. Standard community list defines communities attribute. Expanded community list defines communities attribute string with regular expression. Standard community list is compiled into binary format when user define it. Standard community list will be directly compared to BGP communities attribute in BGP updates. Therefore the comparison is faster than expanded community list.

http://www.quagga.net/docs/docs-multi/BGP-Community-Lists.html
http://www.quagga.net/docs/docs-multi/BGP-Extended-Community-Lists.html
http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_s1gt.html
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtnextcl.html#wp1050903

Queueing

Hardware queue, software queue
https://learningnetwork.cisco.com/thread/4326

Hardware queue
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080094791.shtml
http://wiki.nil.com/Queuing_Principles_in_Cisco_IOS/FIFO

Cisco switching options
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a7306.shtml

BGP only send out prefixes which have been already in the routing table.

BGP only send out prefixes which have been already in the routing table.

MTU of ipsec GRE

MTU from http://www.faqs.org/rfcs/rfc1122.html

The maximum transmission unit, i.e., the size of the
              largest packet that can be transmitted.

         The terms frame, packet, datagram, message, and segment are
         illustrated by the following schematic diagrams:

         A. Transmission on connected network:
           _______________________________________________
          | LL hdr | IP hdr |         (data)              |
          |________|________|_____________________________|

           <---------- Frame ----------------------------->
                    <----------Packet -------------------->

         B. Before IP fragmentation or after IP reassembly:
                    ______________________________________
                   | IP hdr | transport| Application Data |
                   |________|____hdr___|__________________|

                    <--------  Datagram ------------------>
                             <-------- Message ----------->
           or, for TCP:
                    ______________________________________
                   | IP hdr |  TCP hdr | Application Data |
                   |________|__________|__________________|

                    <--------  Datagram ------------------>
                             <-------- Segment ----------->

MTU explaination copy from http://packetlife.net/blog/2008/nov/5/mtu-manipulation/

Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):

ESP overhead (with authentication) : 31 ~ 38 bytes

GRE header: 24 bytes

IP header: 20 byes

 GRE over IPSec with tunnel mode introduces ~75 bytes overhead, GRE over IPSec with transport mode introduces ~55 bytes overhead


http://ieoc.com/forums/t/10365.aspx
http://packetlife.net/blog/2008/nov/5/mtu-manipulation/
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Solutions for the ipsec over GRE:

1. tunnel path-mtu-discovery on the tunnel interface
2. Use the ip tcp adjust-mss command on the tunnel interfaces
3. Use policy routing on the ingress interface of the router and configure a route map to clear the DF bit in the data IP header before it gets to the GRE tunnel interface.

route-map CLEAR-DF permit 10
 set ip df 0
!
interface <LAN>
 ip policy route-map CLEAR-DF
!

4. Increase the "ip mtu" on the GRE tunnel interface to be equal to the outbound interface MTU. This will allow the data IP packet to be GRE encapsulated without fragmenting it first. The GRE packet will then be IPsec encrypted and then fragmented to go out the physical outbound interface. In this case you would not configure tunnel path-mtu-discovery command on the GRE tunnel interface. This can dramatically reduce the throughput because IP packet reassembly on the IPsec peer is done in process-switching mode.   

Troubleshooting BGP peer flapping issue

Enable “bgp log-neighbor-changes” so you get a log message when a peer flaps

%BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
%BGP-3-NOTIFICATION: sent to neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
R2#show ip bgp neighbor 1.1.1.1 | include Last reset
Last reset 00:01:02, due to BGP Notification sent, hold time expired

• We are not receiving keepalives from the other side!

Let’s take a look at our peer!

• Hellos are stuck in OutQ behind update packets!
• Notice that the MsgSent counter has not moved

Possible causes
Remote router is not healthy (OutQ)
Lower layer problems (IP)

Things to check
MTU values
Traffic shaping
Rate-limiting parameters

• Looks like a Layer 2 problem
• At this point we have verified that BGP is not at fault
• Next step is to troubleshoot layer 2…

Ref: http://meetings.ripe.net/ripe-44/presentations/ripe44-eof-bgp.pdf
http://docstore.mik.ua/cisco/pdf/routing/Cisco%20Networkers%20-%20Troubleshooting%20Bgp%20In%20Large%20Ip%20Networks.pdf

Match VoIP ports

ip access-list extended REAL-TIME-CLASSIFY
    remark VOIP (H323/SIP/IAX/IAX2)
    permit udp any any eq 4569
    permit udp any eq 4569 any
    permit udp any any eq 5036
    permit udp any eq 5036 any
    permit udp any any eq 5060
    permit tcp any any eq 5060
    permit udp any eq 5060 any
    permit tcp any eq 5060 any
    permit udp any any eq 1719
    permit udp any eq 1719 any
    remark VOIP (RTP) traffic
    permit udp any any range 16384 32767
    permit udp any range 16384 32767 any

Ref: http://www.voip-info.org/wiki/view/QoS+Cisco

VoIP packet size

 Very good notes from learningnetwork.cisco.com


The best explanation is in chapter 5 of the Authorized Self-Study Guide for Cisco Voice over IP (CVoice) Second Edition by Kevin Wallace.  Basically, the formula is Bytes_per_sample = Sample_Size * CODEC_Bandwidth / 8 plus overhead.
So, if your sample size is 20 ms (.02 seconds)  and you are using the G.711 CODEC, then your basic voice information requires
.02 * 64000 / 8 = 160 bytes per sample.  To that, you must add the overhead, which would be 20 bytes for the IP header,
8 bytes for the UDP header, and 12 bytes for the RTP header (to make sure your packets are in the correct order at the receiving end).
So, each voice packet will require 200 bytes.  Then, you need to add your Layer 2 overhead (at least 18 bytes for Ethernet). 
So, each frame will require at least 218 bytes.  And you may also have trunk or tunneling overhead to consider.

Yes, voice packets are small, but you need a lot of them to carry voice.  That's why we use compression techniques.
cRTP compresses the IP/UDP/RTP header to either 2 or 4 bytes (4 if you implement check sum).  This significantly reduces the overhead.

In addition, you can use a CODEC that requires lower bandwidth.  The G.729 CODEC only requires 8000 bits per second, so if you used
G.729 and RTP header compression you would get
.02 * 8000 / 8 = 20 bytes of voice information plus 4 bytes for IP/UDP/RTP for an IP packet size of 24 bytes.  Then, you can add your
Layer 2 overhead, whatever it is.

Chapter 1 of the CCNP ONT Official Exam Certification Guide by Amir Ranjbar also contains a lot of good information.

http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a0080094ae2.shtml
https://learningnetwork.cisco.com/thread/11162

Next Hop Resolution Protocol (NHRP)

References:
http://en.wikipedia.org/wiki/Next_Hop_Resolution_Protocol
http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1054887
http://www.netcraftsmen.net/resources/archived-articles/433.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

show derived-config

Usage Guidelines

Configuration commands can be applied to an interface from sources such as static templates, dynamic templates bound by resource pooling, dialer interfaces, AAA per-user attributes and the configuration of the physical interface. The show derived-config command displays all the commands that apply to an interface.

The output for the show derived-config command is nearly identical to that of the show running-config command. It differs when the configuration for an interface is derived from a template, a dialer interface, or some per-user configuration. In those cases, the commands derived from the template, dialer interface, and so on, will be displayed for the affected interface.

If the same command is configured differently in two different sources that apply to the same interface, the command coming from the source that has the highest precedence will appear in the display.

Examples

The following examples show sample output for the show running-config and show derived-config commands for serial interface 0:23 and dialer interface 0. The output of the show running-config and show derived-config commands is the same for dialer interface 0 because none of the commands that apply to that interface are derived from any sources other than the configuration of the dialer interface. The output for the show running-config and show derived-config commands for serial interface 0:23 differs because some of the commands that apply to serial interface 0:23 come from dialer interface 0.

Router# show running-config interface Serial0:23 

Ref: http://www.cisco.com/en/US/docs/ios/12_1/configfun/command/reference/frd2002.html#wp1019868 

Standard streams shift command

Bash script

 "$#" will expand to the number of arguments passed to the script.

Ref: http://www.ibm.com/developerworks/linux/library/l-bash2/index.html
http://www.ibm.com/developerworks/linux/library/l-bash/index.html

The shift Command

The shift command moves the current values stored in the positional parameters (command line args) to the left one position. For example, if the values of the current positional parameters are:$1 = -f $2 = foo $3 = bar
and you executed the shift command the resulting positional parameters would be as follows:
$1 = foo $2 = bar

Ref:  http://www.freeos.com/guides/lsst/ch04sec14.html

What does those mean? 

2>&1

>&2

On the unix command line, each command can print to stdout (standard output) or stderr (standard error). By convention, error messages go to stderr, and normal messages go to stdout. You usually connect stdout to the stdin (standard input) of another process. Having a long pipe of commands and this stderr/stdout convention means that the error messages from one command don't go polluting the input to the next command. It also means that you can see the error messages of the commands, since stderr is shown on your terminal (if they were printed to stdout, then you would not see the error messages, since they would be sent to the input of another command).
When writing your own little scripts, it's a good idea to print your error messages to stderr. The usual way to print in a bash script is to use the echo shell builtin command. You can "echo" to stderr like this:

echo "Your error message here" >&2

This is a normal echo (which goes to stdout), however the >&2 (which is shorthand for 1>&2), means 'mix the stdout to the stderr'. 1 is stdout, and 2 is stderr here.

Ref: http://www.kindle-maps.com/blog/how-to-echo-to-stderr.html
http://en.wikipedia.org/wiki/Standard_streams
http://en.wikipedia.org/wiki/Pipeline_%28Unix%29
http://en.wikipedia.org/wiki/File_descriptor
http://www.unix.com/shell-programming-scripting/113138-what-does-code-mean.html

Linux cut sed examples

Linux cut and sed examples:

cut -d" " -f3 
example:
echo this is cut example |cut -d" " -f3

cut

sed 's/\.$//' # cut the last . from the line
example:
echo this is sed example. | sed 's/\.$//'
this is sed example





Mix:  |cut -d" " -f3 |sed 's/\.$//'
echo this is mixexample. | cut -d" " -f3 |sed 's/\.$//'
mixexample

Ref: http://www.ibm.com/developerworks/linux/library/l-sed3/index.html
http://www.grymoire.com/Unix/Sed.html

CEF

Check CEF
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00801e1e46.shtml

Some basic Linux scripts

Sample Shell Script

Here is what you need to put in a shell script:

#!/bin/bash
# script to send simple email
# email subject
SUBJECT="SET-EMAIL-SUBJECT"
# Email To ?
EMAIL="admin@somewhere.com"
# Email text/message
EMAILMESSAGE="/tmp/emailmessage.txt"
echo "This is an email message test"> $EMAILMESSAGE
echo "This is email text" >>$EMAILMESSAGE
# send an email using /bin/mail
/bin/mail -s "$SUBJECT" "$EMAIL" < $EMAILMESSAGE

Ref: http://theos.in/shell-scripting/send-mail-bash-script/

Change sender's email address  

Use the following:

mail -s "subject" mail1@server.com -- -r "from@fromserver.com" -f </path/to/file>

Ref: http://www.linuxquestions.org/questions/linux-newbie-8/option-to-specify-senders-address-in-mail-command-374223/

Change the lines

this command: echo “first line \nsecond line” will result in the below line:
first line \nsecond line (as you can see there is no new line)
but this one: echo -e “first line \nsecond line” (with the -e) will result in what you want:
echo -e “first line \nsecond line”
first line
second line

http://techteam.wordpress.com/2008/09/25/n-not-creating-new-line-in-bash-script/

String contain test

string='My string';
if [[ $string =~ .*My.* ]]
then
   echo "It's there!"
fi

Ref: http://stackoverflow.com/questions/229551/string-contains-in-bash 

Online PDF info

http://www.yuzhigang.com/blog/share/page/2

NAT

How NAT works?

NAT: Local and Global Definitions

NAT command reference

Everything else about NAT from Cisco