I’ve been fingers-deep in CCIE Route/Switch prep for the better part of a year, and am coming into the home stretch with about 3 months before my anticipated lab date. Nearly all my prep time these days is spent in lab samples and simulations, working on my time management and interpretation skills. One part of the prep that I didn’t expect to get so darn much of was learning all sorts of odd things you can do on a switch or a router that only seem to come up on CCIE lab exams, or in one production network in a thousand. In the hope that I can recall enough of the details of these features to recognize them if I get stuck on them again in the actual lab, I figured I’d share some with the community at large. And who knows…maybe someone out there is trying to resolve an odd network issue, and one of these techniques can help save the day.
QoS the Odd way… BGP Attributes to the Rescue
I ran into a strange question on a lab sample asking to mark traffic coming in an interface on a router based on the BGP community that the destination would match as it left through another interface. My first thought was to use typical MQC: a class-map matching the community, followed by a policy-map setting the proper IP precedence, and then attach it inbound with a service policy. What I found was that you can’t match a community-list in a class-map, as that match is reserved for route-map use. What I learned was that you can configure a table-map under BGP that references a route-map to match on community-lists (or other attributes) and set values, which are then attached to the prefixes as they are installed in the routing table. Then under an interface, you use “bgp-policy” to act on those values. There are several ways “bgp-policy” can be used, but for this example we will use the destination-based ip-prec-map.
Here is a sample snippet…
ip community-list 10 permit 100:11
ip community-list 20 permit 100:21
!
route-map BGP-TABLE-MAP permit 10
 match community 10
 set ip precedence 5
route-map BGP-TABLE-MAP permit 20
 match community 20
 set ip precedence 3
!
router bgp 100
 table-map BGP-TABLE-MAP
!
interface FastEthernet0/0
 bgp-policy destination ip-prec-map
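To make the two halves of the mechanism concrete, here is a small Python model of the configuration above. It is an added example, not code from the post or from Cisco IOS: the route-map is evaluated once per BGP prefix when the table-map installs it, and each packet is then marked by a longest-prefix match on its destination. The prefixes and the communities they carry are constructed sample data.

```python
import ipaddress

# Constructed sample BGP table (not from the post): prefix -> communities carried
# by the best path, written as "ASN:value" strings.
BGP_TABLE = {
    "10.1.0.0/16": ["100:11"],
    "10.2.0.0/16": ["100:11"],
    "10.2.0.0/24": ["100:21", "100:99"],   # more specific, different community
    "192.0.2.0/24": ["100:42"],            # matches no community-list
}

# ip community-list 10 permit 100:11 / ip community-list 20 permit 100:21
COMMUNITY_LISTS = {10: {"100:11"}, 20: {"100:21"}}

# route-map BGP-TABLE-MAP: ordered (community-list, ip precedence) clauses.
ROUTE_MAP = [(10, 5), (20, 3)]


def match_community_list(list_id, communities):
    """Standard community-list 'permit': the route matches if any listed community is present."""
    return bool(COMMUNITY_LISTS[list_id] & set(communities))


def build_precedence_table(bgp_table=BGP_TABLE, route_map=ROUTE_MAP):
    """Model of 'table-map': each prefix is evaluated against the route-map once,
    when it is installed, and the resulting precedence is attached to the forwarding
    entry. A prefix matching no clause is still installed, carrying no precedence."""
    table = {}
    for prefix, communities in bgp_table.items():
        prec = None
        for list_id, value in route_map:
            if match_community_list(list_id, communities):
                prec = value
                break  # first matching route-map clause wins
        table[ipaddress.ip_network(prefix)] = prec
    return table


def classify_destination(dst_ip, prec_table):
    """Model of 'bgp-policy destination ip-prec-map': longest-prefix lookup on the
    packet's destination; None means the packet keeps whatever marking it arrived with."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_prec = None, None
    for net, prec in prec_table.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_prec = net, prec
    return best_prec


if __name__ == "__main__":
    fib = build_precedence_table()
    for dst in ("10.1.5.5", "10.2.0.7", "10.2.9.9", "192.0.2.1", "172.16.0.1"):
        print(dst, "->", classify_destination(dst, fib))
```

Two behaviours worth noticing when you check this on real gear: a destination that falls under a more specific prefix picks up that prefix’s precedence, not the covering route’s, and a destination whose route matched no route-map clause (or has no route at all) is forwarded unmarked. On IOS this feature also depends on CEF being enabled, since the marking is driven from the FIB entry for the destination.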
How to restrict the number of failed login-attempts by local user
We are all familiar with being locked out of an account because we mistyped the password too many times. I’ve locked myself out of my AD account more times than I care to admit. What I didn’t know was that you could set something similar up on a router or switch leveraging the local account database. Part of the AAA service is a feature for just this purpose.
aaa local authentication attempts max-fail 5
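As an added illustration of what that one line does (this is my own Python model, not IOS code or anything from the post), here is a local user database that counts consecutive failures, locks the account at the configured maximum, and stays locked until an operator clears it, which is the behaviour you get on IOS, where the lockout is cleared with `clear aaa local user lockout` and listed with `show aaa local user lockout`. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os


class LocalUserDB:
    """Model of IOS local AAA with 'aaa local authentication attempts max-fail N'.

    A user is locked after N consecutive failures and stays locked until an
    operator clears the lockout; a successful login resets the failure count.
    Passwords are stored as salted PBKDF2 hashes rather than cleartext.
    """

    def __init__(self, passwords, max_fail):
        self.max_fail = max_fail
        self.users = {}
        for name, password in passwords.items():
            salt = os.urandom(16)  # per-user random salt
            self.users[name] = {
                "salt": salt,
                "hash": self._derive(password, salt),
                "failures": 0,
                "locked": False,
            }

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, name, password):
        """Return 'ok', 'bad-password', 'locked' or 'unknown-user'."""
        rec = self.users.get(name)
        if rec is None:
            return "unknown-user"
        if rec["locked"]:
            return "locked"  # refused even when the password is right
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0  # success resets the consecutive-failure counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_fail:
            rec["locked"] = True  # analogue of the IOS lockout
        return "bad-password"

    def locked_users(self):
        """Analogue of 'show aaa local user lockout'."""
        return sorted(n for n, r in self.users.items() if r["locked"])

    def clear_lockout(self, name):
        """Analogue of 'clear aaa local user lockout username <name>'."""
        rec = self.users[name]
        rec["locked"] = False
        rec["failures"] = 0


if __name__ == "__main__":
    db = LocalUserDB({"admin": "s3cret"}, max_fail=5)  # constructed credentials
    for _ in range(5):
        print(db.authenticate("admin", "wrong"))
    print(db.locked_users(), db.authenticate("admin", "s3cret"))
```

The operational point the model makes visible is that the counter is driven by whoever is sending login attempts, so on a box reachable from untrusted networks the feature is also a lever for locking out your own administrators. Pair it with management-plane filtering (an access-class on the VTY lines) and with logging of the lockouts, and know the clear command before you need it.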
Automatic Image File Verification
I’ve long been a user of the “verify /md5 flash:image.bin” command whenever copying a new IOS image to a piece of gear. One experience of having to transfer a file over a serial cable was enough for me. What I didn’t know was that you could tell your gear to automatically compute and check the hash whenever a new file is copied over.
file verify auto
Well, these were three features I learned during my studies this weekend. As I find more features and questions like these that trip me up, I’ll try to carve off some time to continue the series. In the meantime, good luck to all my fellow CCIE candidates out there!