Tuesday, December 01, 2009

G.729/G.729a

G.729 and G.729a are interoperable; the only difference is on the encoder side. In an RTP stream, G.729 and G.729a both use the same payload type (15).


The following is from the IEEE:

This article describes the ITU-T Recommendation G.729 Annex A (G.729A) for encoding speech signals at 8 kb/s with low complexity. G.729A is the standard speech coding algorithm for multimedia digital simultaneous voice and data (DSVD). G.729A is bitstream interoperable with G.729; that is, speech coded with G.729A can be decoded with G.729, and vice versa.

DSP resource

One DSP is normally referred to as a PVDM2-16, which provides 16 channels, so a PVDM2-64 has four DSPs onboard.

Transcoding sessions can share a DSP with voice channels. Conferencing takes a dedicated (whole) DSP even if you need only a few sessions.

1. One DSP has 240 flex credits.
2. Low complexity voice or transcoder uses 15 credits. This is for G.711.
3. Medium complexity voice or transcoder uses 30 credits. This is for G.729a.
4. High complexity voice or transcoder uses 40 credits. This is for G.729.


From these credits we can calculate how many sessions one DSP can support:
1. 6 transcoder sessions for G.729.
2. 8 transcoder sessions for G.729a.
3. 2 conference sessions with 8 conferees each for G.729/G.729a (16 conferees total).
4. 8 conference sessions with 8 conferees each for G.711 (64 conferees total).
5. 16 G.711 voice channels.
6. 8 G.729a voice channels.
7. 6 G.729 voice channels.

Another interesting observation:
1. At a remote branch, a PSTN call comes in and is sent to Unity, which uses G.729a and therefore 30 credits. When the call is then forwarded to the local branch, the Cisco gateway still keeps 30 credits allocated instead of 15.

CUCM call recording

To enable call recording in CUCM:

1) Enable the Built-in Bridge in the phone settings.
2) Enable call monitoring on the DN. There are two settings: "Recording Option" and "Recording Profile".

When "Recording Option" is set to "Automatic Call Recording Enabled", the codec is locked as soon as the RTP stream is established, which can cause problems.

Consider a sample: agents A and B are in the same location. A user from a remote branch calls agent A; this is a G.729 call. Agent A then transfers the call to agent B using a consultative transfer, which creates a G.722 RTP stream, so agent B is now locked to G.722. Based on the region settings, however, G.729 should be used between the user and agent B. So when agent A presses Transfer again, the call is disconnected.

Here is the solution:
1. Disable the G.722 option for DNs with call recording enabled.
2. Set up a transcoder in each branch that has call recording enabled.

Thursday, October 08, 2009

Finally I became a CCIE.

I passed my R&S CCIE on Sept 25, 2009 at RTP. What a relief!! Now I am starting my voice CCIE.

Monday, September 21, 2009

Cat QoS

The 3550 supports both inbound and outbound policies. The 3560 supports only inbound policies.

1. 3550 per-port per-VLAN policy
class-map match-any dscp-class
match ip dscp af31
!
class-map match-all vlan-class
match vlan 5 10-30 40
match class-map dscp-class
!
policy-map vlan-dscp
class vlan-class
set dscp cs3
police 128000 8000 exceed-action drop
!
interface FastEthernet 1/13
service-policy input vlan-dscp


2. 3560 SVI by using hierarchical policy maps
!
! Any non-IP traffic
!
mac access-list extended MAC_ANY
permit any any 0x0 0xFFFF

!
! Any IP traffic
!
ip access-list extended IP_ANY
permit ip any any

!
! Class for any non-IP traffic
!
class-map MAC_ANY
match access-group name MAC_ANY

!
! Class for any IP traffic
!
class-map IP_ANY
match access-group name IP_ANY

!
! Class to match the port connected to R1
!
class-map PORT_R1
match input-interface FastEthernet 0/1

!
! Class to match the port connected to R3
!
class-map PORT_R3
match input-interface FastEthernet 0/3

!
! Interface-level policy-maps, limit rate per port (R1 & R3)
!
policy-map PORT_R1
class PORT_R1
police 64000 8000

!
policy-map PORT_R3
class PORT_R3
police 512000 64000

!
! VLAN policy-map; two levels
!
policy-map VLAN_POLICY
class IP_ANY
set dscp 24
service-policy PORT_R1
class MAC_ANY
set dscp ef
service-policy PORT_R3
!
! Attach a switch-wide VLAN policy
!
interface VLAN 1
service-policy input VLAN_POLICY
!
! Enable VLAN-based QoS on some ports
!
interface range FastEthernet 0/1, FastEthernet 0/3
mls qos vlan-based

Monday, September 14, 2009

Route-map for Redistribution

1. match ip next-hop prefix-list is not supported in a redistribution route-map,
so it is better to use an ACL whenever possible in route-maps used for redistribution.

Wednesday, September 09, 2009

Wording

1. Using MQC, rate-limit the traffic to 8 kbps with the minimum possible burst.
The burst here does not mean Be; it actually means Bc. The minimum configurable Bc is 1000,
so the command would be "police cir 8000 bc 1000".

Monday, September 07, 2009

NAT virtual interface

Legacy NAT is domain-based: you must define inside and outside interfaces, and the order of routing and NAT differs by direction.
Traffic from outside is translated first, then routed.
Traffic from inside is routed first, then translated.

The newer NAT Virtual Interface (NVI) makes no distinction between inside and outside interfaces:
1. First the packet is checked to see whether it needs to be translated.
2. If it does, it is routed to the virtual interface, where the translation is done.
3. After translation, the packet is routed again.

Sample:

R3:
interface Serial 1/0.301 point-to-point
no ip nat inside
ip nat enable
!
interface Serial 1/0.302 multipoint
no ip nat outside
ip nat enable

!
! Remove old rules
!
no ip nat inside source static 155.1.13.1 155.1.23.1
no ip nat outside source static 155.1.23.2 155.1.13.2

!
! Add "domainless" rules
!
ip nat source static 155.1.13.1 155.1.23.1
ip nat source static 155.1.23.2 155.1.13.2


Wednesday, September 02, 2009

Frame relay QoS

MQC-based Frame Relay traffic shaping:

In summary:

- The legacy frame-relay traffic-shaping command is incompatible with MQC-based FRTS (you can't mix them)
- Fancy queueing cannot be used as the PVC queueing strategy: CBWFQ is the only option available
- Per-VC CBWFQ is configured via hierarchical policy-maps: the parent policy sets the shaping values, while the child policy implements CBWFQ
- You may apply the policy-map per interface (subinterface) or per VC, using match fr-dlci under the class-map
- You can't apply FRF.12 fragmentation with MQC commands; it must be applied at the physical interface level, which effectively enables FRF.12 for all PVCs
- The physical interface queue can be set to any of WFQ/CQ/PQ or CBWFQ (not restricted to FIFO as with legacy FRTS), though this is rarely needed




Sample: Shape PVC DLCI 112 to 384 kbps and enable FRF.12 fragmentation for all PVCs

class-map VOICE
match ip dscp ef
!
class-map DATA
match ip dscp cs1

!
! Match the specific DLCI
!
class-map DLCI_112
match fr-dlci 112

!
! "Child" policy-map, used to implement CBWFQ
!

policy-map CBWFQ
class VOICE
priority 64
class DATA
bandwidth 128
class class-default
fair-queue

!
! "Parent" policy map, used for PVC shaping
! With multiple classes, we can match different DLCIs
! all on the same physical interface (where they belong)
!

policy-map INTERFACE_POLICY
class DLCI_112
shape average 384000
shape adaptive 192000
service-policy CBWFQ

!
! Apply the parent policy map at physical interface level
! Also, configure FRF.12 "global" settings here
!

interface Serial 0/0/0
service-policy output INTERFACE_POLICY
frame-relay fragment 640 end-to-end


==========================================================

Legacy Frame Relay traffic shaping:

- Enabled with frame-relay traffic-shaping command at physical interface level
- Incompatible with GTS or MQC commands at subinterfaces or physical interface levels
- With FRTS you can enforce bitrate per-VC (VC-granular, unlike GTS), by applying a map-class to PVC
- When no map-class is explicitly applied to a PVC, its CIR and Tc are set to 56K/125ms by default
- Shaping parameters are configured under map-class frame-relay configuration submode
- Allows configuring fancy queueing (WFQ/PQ/CQ) or simple FIFO per VC
- No option to configure fancy-queueing at interface level: interface queue is forced to FIFO (if no FRF.12 is configured)
- Allows for adaptive shaping (throttling down to minCIR) on BECN reception (just as GTS) and option to reflect incoming FECNs as BECNs
- Option to enable adaptive shaping which responds to interface congestion (non-empty interface queue)

Tuesday, September 01, 2009

Frame Relay Fragmentation




FRF.12 - enabled under the Frame Relay map-class

FRF.11 Annex C - use "vofr" in frame-relay DLCI configuration mode

Cisco - use "vofr cisco" in frame-relay DLCI configuration mode

Notes:
1. The map-class defines the fragment size; vofr [cisco] only states that the DLCI is encapsulated using FRF.11 or Cisco.

Frame Relay Compression

Stacker vs. Predictor
1. Stacker is more CPU-intensive.
2. Predictor is more memory-intensive.

Frame Relay compression schemes:
1. Data payload compression.
1.1 Cisco-proprietary packet-by-packet payload compression. It uses Stacker compression.
For a multipoint interface use:
frame-relay map ip 10.1.1.1 100 payload-compress packet-by-packet
For a point-to-point subinterface:
frame-relay payload-compress packet-by-packet

1.2 FRF.9 also uses Stacker. It has a better compression ratio than packet-by-packet.
You should use IETF encapsulation for a PVC that uses FRF.9; in fact, when you enable the FRF9 stac keyword, IETF encapsulation is enabled automatically.
For a multipoint interface use:
frame-relay map ip 10.1.1.1 100 payload-compress FRF9 stac
For a point-to-point subinterface:
frame-relay payload-compress FRF9 stac



2. Packet header compression
2.1 TCP/IP. See RFC 1144.
It is important to note that TCP/IP header compression is a hop-by-hop scheme: the header must be decompressed and recompressed at each node, which adds latency and CPU load.
TCP/IP header compression also requires Cisco-proprietary encapsulation.
For a physical interface:
frame-relay ip tcp header-compression [passive]
For a DLCI:
frame-relay map ip 10.1.1.1 100 tcp header-compression [active|passive]
You can also disable it with:
frame-relay map ip 10.1.1.1 100 nocompress

2.2 RTP. See RFC 1889.
It is also hop-by-hop compression, and only Cisco encapsulation is supported.
frame-relay ip rtp header-compression [passive]
frame-relay map ip 10.1.1.1 100 rtp header-compression
frame-relay map ip 10.1.1.1 100 compress (enables both TCP and RTP header compression)

Saturday, August 29, 2009

BGP decision

With the best-path algorithm, BGP assigns the first valid path as the current best path. BGP then compares the best path with the next path in the list, until it reaches the end of the list of valid paths. The newest path is first in the list and the oldest one is at the end.



WLLA
OMNI

1. Weight
2. Local Preference
3. Locally injected
4. AS_Path

5. Origin: IGP > EGP > Incomplete
6. Metric (MED)
7. Neighbor type: eBGP > iBGP
8. IGP metric to next hop.


The following, with more details, is from cisco.com.

===================================================================

How the Best Path Algorithm Works

BGP assigns the first valid path as the current best path. BGP then compares the best path with the next path in the list, until BGP reaches the end of the list of valid paths. This list provides the rules that are used to determine the best path:

1. Prefer the path with the highest WEIGHT.
Note: WEIGHT is a Cisco-specific parameter. It is local to the router on which it is configured.

2. Prefer the path with the highest LOCAL_PREF.
Note: A path without LOCAL_PREF is considered to have had the value set with the bgp default local-preference command, or to have a value of 100 by default.

3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or through redistribution from an IGP.
Local paths that are sourced by the network or redistribute commands are preferred over local aggregates that are sourced by the aggregate-address command.

4. Prefer the path with the shortest AS_PATH.
Note: Be aware of these items:
a. This step is skipped if you have configured the bgp bestpath as-path ignore command.
b. An AS_SET counts as 1, no matter how many ASs are in the set.
c. The AS_CONFED_SEQUENCE and AS_CONFED_SET are not included in the AS_PATH length.

5. Prefer the path with the lowest origin type.
Note: IGP is lower than Exterior Gateway Protocol (EGP), and EGP is lower than INCOMPLETE.

6. Prefer the path with the lowest multi-exit discriminator (MED).
Note: Be aware of these items:
1) This comparison only occurs if the first (the neighboring) AS is the same in the two paths. Any confederation sub-ASs are ignored.
In other words, MEDs are compared only if the first AS in the AS_SEQUENCE is the same for multiple paths. Any preceding AS_CONFED_SEQUENCE is ignored.
2) If bgp always-compare-med is enabled, MEDs are compared for all paths.
You must disable this option over the entire AS. Otherwise, routing loops can occur.
3) If bgp bestpath med-confed is enabled, MEDs are compared for all paths that consist only of AS_CONFED_SEQUENCE.
These paths originated within the local confederation.
4) The MED of paths that are received from a neighbor with a MED of 4,294,967,295 is changed before insertion into the BGP table. The MED changes to 4,294,967,294.
5) Paths received with no MED are assigned a MED of 0, unless you have enabled bgp bestpath med missing-as-worst .
If you have enabled bgp bestpath med missing-as-worst, the paths are assigned a MED of 4,294,967,294.
6) The bgp deterministic med command can also influence this step.
Refer to How BGP Routers Use the Multi-Exit Discriminator for Best Path Selection for a demonstration.

7. Prefer eBGP over iBGP paths.
If bestpath is selected, go to Step 9 (multipath).
Note: Paths that contain AS_CONFED_SEQUENCE and AS_CONFED_SET are local to the confederation. Therefore, these paths are treated as internal paths. There is no distinction between Confederation External and Confederation Internal.

8. Prefer the path with the lowest IGP metric to the BGP next hop.
Continue, even if bestpath is already selected.

9. Determine if multiple paths require installation in the routing table for BGP Multipath.
Continue, if bestpath is not yet selected.

10. When both paths are external, prefer the path that was received first (the oldest one).
This step minimizes route-flap because a newer path does not displace an older one, even if the newer path would be the preferred route based on the next decision criteria (Steps 11, 12, and 13).
Skip this step if any of these items is true:
1) You have enabled the bgp bestpath compare-routerid command.
Note: Cisco IOS Software Releases 12.0.11S, 12.0.11SC, 12.0.11S3, 12.1.3, 12.1.3AA, 12.1.3.T, and 12.1.3.E introduced this command.
2) The router ID is the same for multiple paths because the routes were received from the same router.
3) There is no current best path.
The current best path can be lost when, for example, the neighbor that offers the path goes down.

11. Prefer the route that comes from the BGP router with the lowest router ID.
The router ID is the highest IP address on the router, with preference given to loopback addresses. Also, you can use the bgp router-id command to manually set the router ID.
Note: If a path contains route reflector (RR) attributes, the originator ID is substituted for the router ID in the path selection process.

12. If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length.
This is only present in BGP RR environments. It allows clients to peer with RRs or clients in other clusters. In this scenario, the client must be aware of the RR-specific BGP attribute.

13. Prefer the path that comes from the lowest neighbor address.
This address is the IP address that is used in the BGP neighbor configuration. The address corresponds to the remote peer that is used in the TCP connection with the local router.
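
The thirteen steps above as an added Python model; this is not part of the post or of Cisco's implementation. Paths are compared pairwise in list order, as the text describes, and the constructed sample paths exercise the AS_SET/AS_CONFED counting, the neighboring-AS condition on MED and the oldest-path rule. Names, ASNs and addresses are made up; step 9 (multipath) is left out because it does not change which path is best.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # step 5: lower is preferred
LOCAL_RANK = {None: 0, "aggregate": 1, "network": 2, "redistribute": 2}  # step 3
MAX_MED = 4_294_967_294  # a received MED of 4,294,967,295 is stored as this value


@dataclass
class Path:
    name: str
    weight: int = 0
    local_pref: int = 100                # a path without LOCAL_PREF counts as 100
    local_source: Optional[str] = None   # None, "aggregate", "network" or "redistribute"
    # AS_PATH segments: ("seq", [..]), ("set", [..]), ("confed_seq", [..]), ("confed_set", [..])
    as_path: List[Tuple[str, List[int]]] = field(default_factory=list)
    origin: str = "igp"
    med: Optional[int] = None            # None = MED attribute absent
    ebgp: bool = True                    # confederation-learned paths are marked False (internal)
    igp_metric: int = 0                  # IGP cost to the BGP next hop
    age: int = 0                         # seconds since received; larger = older
    router_id: str = "0.0.0.0"           # for route-reflected paths the originator ID goes here
    cluster_list_len: int = 0
    neighbor_addr: str = "0.0.0.0"


def as_path_length(p: Path) -> int:
    """Step 4: an AS_SET counts as 1; AS_CONFED_SEQUENCE/SET are not counted at all."""
    return sum(len(asns) if kind == "seq" else 1 for kind, asns in p.as_path if kind in ("seq", "set"))


def first_as(p: Path) -> Optional[int]:
    """First AS of the AS_SEQUENCE, ignoring any leading AS_CONFED_* segments (step 6, note 1)."""
    for kind, asns in p.as_path:
        if not kind.startswith("confed"):
            return asns[0] if kind == "seq" and asns else None
    return None


def effective_med(p: Path, missing_as_worst: bool = False) -> int:
    """Step 6, notes 4 and 5: clamp 4,294,967,295 and treat a missing MED as 0 (or as worst)."""
    if p.med is None:
        return MAX_MED if missing_as_worst else 0
    return min(p.med, MAX_MED)


def ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in addr.split("."))


def better(a: Path, b: Path, always_compare_med: bool = False,
           missing_as_worst: bool = False, compare_routerid: bool = False) -> Path:
    """Return the preferred of two paths, applying the steps in order."""
    if a.weight != b.weight:                                       # 1 highest WEIGHT
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                               # 2 highest LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    if LOCAL_RANK[a.local_source] != LOCAL_RANK[b.local_source]:   # 3 locally originated
        return a if LOCAL_RANK[a.local_source] > LOCAL_RANK[b.local_source] else b
    if as_path_length(a) != as_path_length(b):                     # 4 shortest AS_PATH
        return a if as_path_length(a) < as_path_length(b) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:             # 5 lowest origin type
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 6 lowest MED, only when the neighboring AS is the same (or bgp always-compare-med is set)
    if always_compare_med or (first_as(a) is not None and first_as(a) == first_as(b)):
        ma, mb = effective_med(a, missing_as_worst), effective_med(b, missing_as_worst)
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:                                           # 7 eBGP over iBGP
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:                               # 8 lowest IGP metric to next hop
        return a if a.igp_metric < b.igp_metric else b
    # (9, multipath, decides what else is installed and does not change the best path)
    # 10 both external: keep the oldest, unless bgp bestpath compare-routerid is set or the IDs match
    if a.ebgp and b.ebgp and not compare_routerid and a.router_id != b.router_id and a.age != b.age:
        return a if a.age > b.age else b
    if a.router_id != b.router_id:                                 # 11 lowest router (originator) ID
        return a if ip_key(a.router_id) < ip_key(b.router_id) else b
    if a.cluster_list_len != b.cluster_list_len:                   # 12 shortest cluster list
        return a if a.cluster_list_len < b.cluster_list_len else b
    return a if ip_key(a.neighbor_addr) <= ip_key(b.neighbor_addr) else b  # 13 lowest neighbor address


def best_path(paths: List[Path], **opts) -> Path:
    """Take the first valid path as current best and compare it with each later path in turn."""
    best = paths[0]
    for candidate in paths[1:]:
        best = better(best, candidate, **opts)
    return best


# Constructed sample paths for one prefix; ASNs, ages and addresses are made up.
P1 = Path("P1", as_path=[("seq", [65001, 65002])], med=50, age=5, router_id="10.0.0.1")
P2 = Path("P2", as_path=[("seq", [65001]), ("set", [65002, 65003])], med=20, age=3, router_id="10.0.0.2")
P3 = Path("P3", as_path=[("confed_seq", [65100]), ("seq", [65001])], ebgp=False, router_id="10.0.0.3")
P4 = Path("P4", as_path=[("seq", [65009])], med=1, age=9, router_id="10.0.0.4")
P5 = Path("P5", as_path=[("seq", [65005])], med=0, age=2, router_id="10.0.0.5")
# best_path([P1, P2]) -> P2 (same first AS, lower MED); best_path([P1, P2, P3]) -> P3 (shorter AS_PATH)
# best_path([P5, P4]) -> P4 (first AS differs, MED skipped, oldest wins); with always_compare_med=True -> P5
```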

Thursday, August 27, 2009

STP port state

How to decide which port is the root port:

1. Lowest root path cost
2. Lowest neighbor bridge identifier
3. Lowest neighbor port identifier
4. Lowest local port identifier

Tuesday, August 25, 2009

Matching traceroute reply packets

If NAT is in the path, remember to enable overload.


ip nat inside source list 100 interface Loopback0 overload

permit icmp any any time-exceeded
permit icmp any any port-unreachable

Friday, June 26, 2009

BGP policy processing order


Inbound

1. Route map
2. Filter list, AS-path access list, or IP policy
3. IP prefix list or Distribute list

Outbound
1. IP prefix list or Distribute-list
2. Filter list, AS-path access list, or IP policy
3. Route map

Wednesday, June 24, 2009

BGP OSPF redistribution.

1. By default, BGP redistributes only OSPF internal routes. To redistribute other OSPF route types, add the match keywords to the redistribution:
redistribute ospf 1 ------ only internal (intra- and inter-area) routes
redistribute ospf 1 match external ---- only external type 1 and 2 routes
redistribute ospf 1 match internal external 2 --- only internal and external type 2 routes
redistribute ospf 1 match nssa-external 1 ---- only NSSA-external type 1 routes

2. By default, redistribution of iBGP routes into an IGP is disabled.
Issue the bgp redistribute-internal command under the BGP router process to enable redistribution of iBGP routes into the IGP.

3. BGP and OSPF router-id
If BGP synchronization is enabled, there must be a match for the prefix in the IP routing table in order for an internal BGP (iBGP) path to be considered a valid path.

4. Link for tips. 911network.

Thursday, June 11, 2009

IPv6 ACL implicit rules

• Implicit permit rules allow neighbor discovery

The following implicit rules exist at the end of each IPv6 ACL to allow ICMPv6 neighbor discovery:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

Friday, June 05, 2009

Timer for different routing protocol

1. OSPF
Both sides must match the hello and dead timers.
With fast hello, where the hello interval is below 1 second, the hello interval is carried as 0 in the packet, so the hello multiplier does not need to match.


2. EIGRP
The two sides exchange their hold times, which do not need to match: each router uses the hold time learned from the neighbor as the hold timer for that neighbor.
Say R1 is configured with hello=10, hold=60 and R2 keeps the defaults hello=5, hold=15.
On R1, show ip eigrp neighbors shows a hold time of 15 for R2.
On R2, show ip eigrp neighbors shows a hold time of 60 for R1.

3. BGP
The two sides exchange hold times as well, but the difference from EIGRP is that BGP chooses the smaller of the two as the hold time on both sides. If the keepalive (hello) time is not configured, it is calculated from the hold time.

Wednesday, April 22, 2009

PIM v2 state refresh

State refresh is used in PIM dense mode.

By default a Cisco router processes and forwards state-refresh messages, but it does not originate them.

To originate state-refresh messages, enable it on the interface of the router that is directly connected to the source. That router knows when the mroute will time out, so it can stop generating the state-refresh messages.

interface Serial 1/0.25
ip pim state-refresh origination-interval [seconds]

Monday, April 13, 2009

How to generate a valid ike debug, vpn debug and fw monitor

Solution
It is very helpful to gather the IKE information in both directions by having both endpoints initiate communications at different times so you can see what each machine proposes to the other and then reconcile the differences. Generate debugs for ike and vpnd on both endpoints.

These debugs are valid for VPN connections between SecureClient and Security Gateways, as well as for site to site VPN connections.

Follow the steps below to generate debug information:

Note: For SecurePlatform you must be logged in as Expert.

  1. Initiate vpn debug on both Security Gateways from the CLI:

    # vpn debug trunc

    Notes:

    • # vpn debug trunc initiates both vpn debug and ike debug. # vpn debug on only initiates vpn debug.

    • If you need the level of detail provided by TDERROR_ALL_ALL=5, then you need to run: vpn debug on TDERROR_ALL_ALL=5.


  2. Initiate packet capture on both Security Gateways (or tcpdump, or Wireshark pcap):

    Note: You can press "Alt + F1" to open a second terminal, or open a second ssh session, or (for Windows) open a second command prompt.

    # fw monitor -e "accept;" -o monitor.out

    or

    fw monitor -e "accept sport=500 or dport=500;" -o monitor.out

    Note: Since VPN-1 Pro NGX R60, you can also run

    # fw monitor -e "accept port(500) or port(4500);" -o monitor.out

    or

    # vpn debug mon

    If you run # vpn debug mon, the output file is ikemonitor.snoop. In this file all the IKE payloads are in the clear, whereas in monitor.out the IKE payloads are encrypted.


  3. Run vpn tu.

    Note: Before running vpn tu, kill all traffic over the VPN.


  4. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".

  5. Enter your remote Security Gateway IP address.

  6. Exit the utility.

    Important: This procedure closes open VPN tunnels. That is useful because the next time communication is attempted you will capture the VPN tunnel creation information. Be aware that existing VPN tunnels with this remote peer will be closed and will have to be re-established; this matters especially in a production environment.


  7. Reproduce the issue, attempt to connect FROM YOUR NETWORK to a device in the remote encryption domain. This initiates the tunnel.

  8. Run vpn tu.

    Note: Before running vpn tu, kill all traffic over the VPN.


  9. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".

  10. Enter your remote Security Gateway IP address.

  11. Exit the utility.

  12. Reproduce the issue, attempt to connect FROM THE REMOTE NETWORK to a device in the local encryption domain. This initiates the tunnel.

  13. Stop vpn debug on both Security Gateways:

    # vpn debug off

    # vpn debug ikeoff


    Notes:

    • If you used vpn debug on TDERROR_ALL_ALL=5, you only have to run # vpn debug off.

    • If you run # vpn debug mon, you need to run # vpn debug moff.


  14. Stop packet capture by pressing "CTRL+C".


  15. Please send the following files from the Security Gateways to Check Point Support:

    • $FWDIR/log/ike.elg

    • $FWDIR/log/vpnd.elg

    • monitor.out

    • ikemonitor.snoop.

Resetting IKE/IPsec SAs in Check Point

In VPN-1 NG all IKE/IPsec SAs are kept in the kernel, so deleting the appropriate kernel table is sufficient.

1. To delete IKE SAs, delete the IKE_SA_table.
2. To delete IPsec SAs, delete the inbound_SPI and outbound_SPI tables.

Note: All three tables are 'keep' tables and therefore are not deleted on policy installation.

To delete a table:

1. Run the command fw tab -t table_name -x
2. Type 'yes' at the confirmation prompt.

Thursday, March 19, 2009

IGMP v2 Timer

The following timers (1-3) are configurable on a Cisco router under the interface.

1. Query Interval (ip igmp query-interval)
The period between General Queries sent by a router. The Cisco default is 60 s (the RFC default is 125 s).

2. Query Response Interval (ip igmp max-response-time)
The maximum response time (MRT) within which hosts must respond to the periodic General Queries; the default is 10 s. The MRT lets hosts spread their reports over time and suppresses many unnecessary IGMP reports: report suppression means that a host that sees another host's report for the same multicast group it was about to report for does not send its own. In the packet the MRT is expressed in tenths of a second, so a 3-second MRT is encoded as 30.

3. Other Querier Present Interval (RFC) or Querier Timeout (Cisco)
To configure the timeout period before the router triggers Internet Group Management Protocol (IGMP) querier reelection for the interface, use the ip igmp querier-timeout command in interface configuration mode. To restore the default value, use the no form of this command.

4. Last Member Query Interval and Last Member Query Count
These values determine how long it takes a router to believe that all hosts on a LAN have left a particular group. By default, routers use an MRT of 10 (1 second) for Group-Specific Queries; because a router should receive a response to a Group-Specific Query in that amount of time, the router uses the MRT value as the value of the Last Member Query Interval. So, the router uses the following process:
1). Send a Group-Specific Query in response to an IGMP Leave.
2). If no Report is received within the Last Member Query Interval, repeat Step 1.
3). Repeat Step 1 the number of times defined by the value of the Last Member Query Count.
The Last Member Query Count is the number of consecutive Group-Specific Queries sent for the same group before the router concludes that there are no active members of the group on a subnet.
The default value for the Last Member Query Count is 2. So, the leave latency is typically less than 3 seconds, compared to up to 3 minutes with IGMPv1.
ip igmp last-member-query-count
ip igmp last-member-query-interval


The following is not configurable.
1. Group Membership Interval
The Group Membership Interval is the amount of time that must pass before a multicast router decides there are no more members of a group on a network. This value MUST be ((the Robustness Variable) times (the Query Interval)) plus (one Query Response Interval).

Friday, March 06, 2009

Using IP Multicast Over Frame Relay Networks

A few concerns.

A multipoint interface will not, by default, forward multicast received from one spoke out to another spoke.

Either of the following recommended solutions, described in this document, can be used to configure IP multicast over Frame Relay:
•NBMA mode
•Point-to-point subinterfaces

Cisco suggests using point-to-point subinterfaces, but in the lab you may not be given the choice.


NBMA interface:
In reality, however, broadcast or multicast traffic sent by a remote site router will be received only by the central site router, not by the other remote site routers, because each remote site router is connected point-to-point to the central site router.

The following example illustrates a specific issue regarding IP multicast deployment within the partial mesh design of Frame Relay networks. If a remote site router sends a Protocol Independent Multicast (PIM) prune message, only the central site router will receive the prune message. Consequently, other remote site routers cannot override this prune message. This situation could prevent members of multicast groups from receiving multicast traffic that they want.

NBMA mode solution:

In a Frame Relay network that uses IP multicast, NBMA mode improves router performance for the following reasons:
•Traffic is fast-switched rather than process-switched.
•Routers receive traffic only for the multicast groups to which they are joined.


When using the ip pim nbma-mode command, note the following usage guidelines:
•This command applies to only PIM sparse mode configurations because its functionality is dependent on the PIM sparse mode join message.
•As the number of PIM neighbors increases, the outgoing interface list increases. Each interface entry requires additional resources from the NBMA mode-enabled router, therefore increasing data replication time and memory utilization.


Auto-RP Issues with NBMA Mode
The NBMA mode feature does not support PIM dense mode. Auto-RP, a method for disseminating rendezvous point (RP) information in an IP multicast network, relies on dense mode flooding of data from two well-known multicast group addresses, 224.0.1.39 and 224.0.1.40. These groups are candidate RP and RP mapping information groups. Without dense mode flooding capability, multicast routers in a Frame Relay network using Auto-RP may have problems receiving RP mapping information unless the Mapping Agent (MA) is placed in the appropriate location within the network or a more costly full mesh architecture is created.
Use the following guidelines when placing the MA in your network:
•All candidate RPs must be connected to the MA.
•All MAs must be connected to all PIM routers.

Friday, February 20, 2009

IP SLA - Timeout or Threshold

Timeout is the maximum time allowed for an SLA operation to complete, for example the time to wait for a probe response. Threshold is a boundary value measured over the operation RESULT (e.g. the RTT or jitter value collected during the operation). Crossing the threshold usually means an SLA contract violation. Note that these two values apply to DIFFERENT objects.

Timeout is used directly to restart the operation. Threshold is used to trigger a response to an IP SLA violation, e.g. sending an SNMP trap or starting a secondary SLA operation.

You should configure the SLA so that Frequency > Timeout > Threshold.



From Cisco.com:

Q. What does the term threshold and timeout in IP SLA operation mean?

A. Threshold sets the rising threshold that generates a reaction event and stores history information for an IP SLAs operation.
Timeout sets the amount of time an IP SLAs operation waits for a response from its request packet.


Example:

If you configure Timeout > Threshold, the RTT is shown, and a probe whose RTT exceeds the Threshold is a failure. If you configure Threshold > Timeout and the RTT exceeds the Timeout but is below the Threshold, the RTT is not shown, but the probe is still a failure.
So a probe fails when its RTT exceeds either the Timeout or the Threshold.

ip sla monitor 1
type echo protocol ipIcmpEcho 115.0.0.1
timeout 500
threshold 20
frequency 10

Rack1R6#show ip sla monitor statistics
Round trip time (RTT) Index 1
Latest RTT: 36 ms
Latest operation start time: *04:12:47.001 UTC Mon Mar 4 2002
Latest operation return code: Over threshold
Number of successes: 0
Number of failures: 6
Operation time to live: Forever
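
As an added example that is not part of the original post, the failure rule above and the Frequency > Timeout > Threshold check in Python. The probe RTTs are constructed, and the post's timeout 500 / threshold 20 / frequency 10 configuration is used as the sample.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SlaStats:
    """Mirrors the counters shown by 'show ip sla monitor statistics'."""
    latest_rtt_ms: Optional[int] = None
    latest_return_code: str = "No operation yet"
    successes: int = 0
    failures: int = 0


def classify_probe(rtt_ms: Optional[int], timeout_ms: int, threshold_ms: int) -> Tuple[str, Optional[int]]:
    """Return (return code, RTT as the router would display it).

    rtt_ms is None when no reply came back at all.  A reply that arrives after the
    timeout is treated the same way: the operation has already given up, so no RTT
    is recorded even if the reply would have been under the threshold.
    """
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout", None
    if rtt_ms > threshold_ms:
        return "Over threshold", rtt_ms
    return "OK", rtt_ms


def run_probes(rtts_ms: List[Optional[int]], timeout_ms: int, threshold_ms: int) -> SlaStats:
    """Feed a sequence of probe results through the classifier and keep the counters."""
    stats = SlaStats()
    for rtt in rtts_ms:
        code, shown = classify_probe(rtt, timeout_ms, threshold_ms)
        stats.latest_return_code, stats.latest_rtt_ms = code, shown
        if code == "OK":
            stats.successes += 1
        else:
            stats.failures += 1   # both Timeout and Over threshold count as failures
    return stats


def check_sla_config(frequency_s: int, timeout_ms: int, threshold_ms: int) -> List[str]:
    """Report violations of the Frequency > Timeout > Threshold rule (frequency is in seconds)."""
    problems = []
    if timeout_ms >= frequency_s * 1000:
        problems.append("timeout must be shorter than the frequency")
    if threshold_ms >= timeout_ms:
        problems.append("threshold must be below the timeout, otherwise violations only appear as timeouts with no RTT")
    return problems


if __name__ == "__main__":
    # Constructed run: six 36 ms replies against the post's timeout 500 / threshold 20
    # reproduce the show output (Over threshold, 0 successes, 6 failures).
    print(run_probes([36] * 6, timeout_ms=500, threshold_ms=20))
    print(check_sla_config(10, 500, 20))      # [] : frequency 10 s > timeout 500 ms > threshold 20 ms
    print(classify_probe(120, 100, 200))      # ('Timeout', None): a failure with no RTT shown
```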

Traffic filter

1. Using an ACL

2. Using a policy-map.

class-map from-bb1
match input-interface FastEthernet 0/0
! the policy-map name is arbitrary
policy-map FILTER_BB1
class from-bb1
drop

IPv6 redistribution

1. By default, redistribution does not include the connected interfaces over which the source protocol is running.

To include them, use the include-connected option:

ipv6 router rip 1
redistribute ospf 1 include-connected

Thursday, February 19, 2009

Auto-RP access-list filter

To restrict RP mapping to specific groups, configure the filter on send-rp-announce on the RP first, and then use rp-announce-filter on the RP mapping agent.


1. It does not support "fancy" (non-contiguous) ACLs.
access-list 1 permit 224.0.0.0 8.255.255.255
or
access-list 1 permit 224.0.0.0 1.255.255.255
are the same, and both cause the RP to announce 224.0.0.0/7.
Why:
8 - 00001000
1 - 00000001
Both have 7 zero bits, so the announcement uses 224.0.0.0/7.

You can try 14.255.255.255 and 7.255.255.255:
14 - 00001110
7 - 00000111
They are the same as well: 224.0.0.0/5.


So you should use only wildcards with all the 1 bits on the right side, with no 0 between the 1s, just like a network mask.

Reason: the announcement and mapping messages carry only a mask length, not the whole wildcard mask.
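
An added Python check, not from the original post, that computes the mask length Auto-RP would carry for a given ACL wildcard (counting its zero bits, as explained above), flags non-contiguous wildcards, and, beyond the two cases above, works for any network/wildcard pair.

```python
from typing import Tuple


def _to_int(addr: str) -> int:
    """Dotted-quad to 32-bit integer."""
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def _to_addr(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def zero_bits(wildcard: str) -> int:
    """Count the 0 bits in a wildcard mask.

    As the post explains, the Auto-RP announcement carries only a mask length, and
    that length is the number of 0 bits in the wildcard wherever they sit:
    8.255.255.255 (00001000...) and 1.255.255.255 (00000001...) both give 7.
    """
    return 32 - bin(_to_int(wildcard)).count("1")


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1, i.e. the inverse of a real network mask."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0   # w+1 is a power of two exactly when w is all-ones on the right


def announced_range(network: str, wildcard: str) -> Tuple[str, int]:
    """Return the (network, prefix length) that Auto-RP will actually announce."""
    plen = zero_bits(wildcard)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return _to_addr(_to_int(network) & mask), plen


def check_rp_acl(network: str, wildcard: str) -> str:
    """Summarize whether an 'access-list N permit network wildcard' entry means what it says."""
    net, plen = announced_range(network, wildcard)
    if is_contiguous_wildcard(wildcard):
        return f"ok: announces {net}/{plen}"
    return f"warning: wildcard {wildcard} is not contiguous; Auto-RP announces {net}/{plen}, not the bit pattern you wrote"


if __name__ == "__main__":
    print(check_rp_acl("224.0.0.0", "8.255.255.255"))   # /7, same as 1.255.255.255
    print(check_rp_acl("224.0.0.0", "14.255.255.255"))  # /5, same as 7.255.255.255
    print(check_rp_acl("239.1.0.0", "0.0.255.255"))     # ok: 239.1.0.0/16
```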

Wednesday, February 18, 2009

MLPoFR

In my example, I will show how I bundle two 2 Mbps Frame Relay lines to act as one 4 Mbps line.

We have to do the following configuration on both sides.
1) Make an ordinary Frame Relay configuration on the serial interfaces, except for the "frame-relay interface-dlci 16 ppp Virtual-Template1" line, which adds Virtual-Template1. The frame-relay traffic-shaping command is a MUST (otherwise it will show an error).
2) Under "interface Virtual-Template1" we declare that it is part of the multilink interface.
3) Under "interface Multilink1" we configure the IP settings.


interface Multilink1
ip address 174.1.23.3 255.255.255.0
no peer neighbor-route
ppp authentication chap
ppp multilink
ppp multilink group 1
!
interface Virtual-Template1
no ip address
ppp multilink
! Restrict this link to joining only multilink group 1. By default the command is absent,
! which means the link can negotiate to join any bundle in the system.
ppp multilink group 1
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
frame-relay interface-dlci 302 ppp Virtual-Template1
!
interface Serial1/1
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
frame-relay interface-dlci 312 ppp Virtual-Template1



Note:
1. You can configure bandwidth under either the Multilink or the Virtual-Template interface. If you configure it only on the virtual-template, the multilink interface automatically calculates its bandwidth from the number of links. If you configure bandwidth under the multilink interface, it keeps that bandwidth regardless of how many links are in the bundle.

Tuesday, January 13, 2009

LAB Strategy

1. Copy the running-config to flash for later review.
copy running-config flash:bk-confg

2. Put in aliases:
config t
no ip domain-lookup
alias exec begin show running-config | begin
alias exec section show running-config | section
alias exec sip show ip interface brief | exclude una
alias exec sir show ip route
alias exec cdp show cdp neighbor
ip cef
line con 0
exec-timeout 0
logging synchronous
end
wr

3. Find out the physical connections.
For each router, list the Ethernet connections, CDP neighbors and VLANs.
For each switch, list the SVI interfaces.
For each switch that has a layer 3 interface, find out the CDP neighbor (it must be connected to another switch port that has the actual VLAN configured).

R1 e0/0 -------vl5-------- Sw2 fa1/0
SW1 vlan 7, 77, 777
SW1 fa1/12 IP ------ vl32 --------- SW2 1/12 layer2

4. Draw the Layer 2 topology. Based on step 3, you should be able to place the routers and make a better picture. Use show cdp neighbor to find the connections to the BB routers.