Tag: Cisco IOS

Cisco IOS Site-to-Site IPsec VPN with GRE: Full Configuration Walkthrough

Working reference for a GRE-over-IPsec site-to-site VPN on Cisco IOS. Why GRE inside IPsec instead of plain IPsec (multicast and routing-protocol traffic, which a crypto-map-only IPsec policy cannot carry), the two-phase IKE/IPsec negotiation (Phase 1 ISAKMP: authentication, encryption, hash, DH group, lifetime; Phase 2: transform set, interesting traffic, lifetime), the full mirrored configuration on both endpoints (isakmp policy, pre-shared key, transform set, an interesting-traffic ACL that matches GRE between the two tunnel endpoints, crypto map applied to the physical WAN interface and NOT to the tunnel, GRE Tunnel0 with a lowered IP MTU and TCP-MSS clamping), running EIGRP through the tunnel, and the verification order (show crypto isakmp sa, show crypto ipsec sa, show crypto map, ping across the tunnel, then check the routes). Pitfalls: crypto map on the wrong interface, interesting-traffic ACL pointing at the LANs instead of the GRE endpoints, MTU not lowered, NAT-T (UDP 4500) blocked somewhere in the path, and asymmetric configuration between the two peers.
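
A condensed version of the hub-side configuration the article walks through, as an added example that is not taken from the article itself. Addresses (198.51.100.1 hub, 203.0.113.1 branch, 10.1.0.0/24 and 10.2.0.0/24 LANs, 172.16.0.0/30 tunnel), interface names, policy names and the pre-shared key are placeholders chosen here for illustration; the branch router gets the same configuration with the two WAN addresses, LAN prefix and tunnel address swapped.

```cisco
! Hub router (WAN 198.51.100.1, LAN 10.1.0.0/24). Placeholder values throughout.
!
! Phase 1: ISAKMP policy and pre-shared key. Every parameter must match the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK address 203.0.113.1
!
! Phase 2: transform set. Transport mode is enough because the IPsec
! endpoints are also the GRE endpoints; it saves 20 bytes of overhead.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
! Interesting traffic: the GRE packets between the two WAN addresses,
! not the LAN prefixes (the LAN traffic is already inside the GRE packet).
ip access-list extended ACL-GRE-TO-BRANCH
 permit gre host 198.51.100.1 host 203.0.113.1
!
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-GRE
 match address ACL-GRE-TO-BRANCH
!
! GRE tunnel. IP MTU lowered for GRE + ESP overhead, and TCP MSS clamped
! so hosts never send segments that would need fragmentation.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
! Crypto map goes on the physical WAN interface, never on Tunnel0.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-VPN
!
! Routing protocol runs over the tunnel; only the tunnel and LAN are advertised.
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! Verification order, from the hub:
!   show crypto isakmp sa            -> state QM_IDLE for 203.0.113.1
!   show crypto ipsec sa             -> #pkts encaps/decaps increasing
!   show crypto map                  -> CM-VPN bound to GigabitEthernet0/0
!   ping 172.16.0.2 source 172.16.0.1
!   show ip route eigrp              -> 10.2.0.0/24 via 172.16.0.2
```

If the branch sits behind a NAT device, the same configuration works only when UDP 500, UDP 4500 and (for the un-NATed side) ESP are allowed end to end; IOS negotiates NAT-T automatically, but a firewall dropping UDP 4500 leaves Phase 1 complete and Phase 2 silently failing.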

Configure BGP on Cisco IOS: Peering, Path Selection, and Route Manipulation

Working reference for BGP on Cisco IOS. eBGP vs iBGP and the iBGP full-mesh problem, peering over physical interfaces vs loopbacks (with update-source and next-hop-self), the network statement and its requirement that an exactly matching prefix exist in the IP routing table, the path-selection order (Weight, Local Pref, locally originated, AS-Path length, Origin, MED, eBGP over iBGP, lowest IGP cost to the next hop, lowest Router ID), the four most-used manipulations (local-pref for outbound preference, AS-Path prepend for inbound preference, MED for inbound preference across several links into the same neighboring AS, communities for ISP-coordinated traffic engineering), prefix-list filtering on all neighbors, peer groups, soft vs hard reset, and the pitfalls (missing IP route behind the network statement, unreachable iBGP next hop, communities not sent because send-community is missing, outbound prefix-list omitted).
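
A minimal edge-router configuration covering the peering and manipulation points above, added here as an example and not copied from the article. AS numbers (65001 local, 64500 for the ISP), the 192.0.2.0/24 customer prefix, the 198.51.100.2 ISP neighbor and the 10.255.0.x loopbacks are placeholders chosen for illustration.

```cisco
! Edge router R1 in AS 65001. Placeholder addresses and AS numbers.
!
! The network statement only works if this exact prefix is in the RIB;
! a Null0 anchor route guarantees that regardless of IGP state.
ip route 192.0.2.0 255.255.255.0 Null0
!
! Outbound filter: advertise only our own aggregate, nothing learned from peers.
ip prefix-list PL-OUR-PREFIXES seq 10 permit 192.0.2.0/24
!
! Inbound filter: refuse our own prefix coming back, accept nothing longer than /24.
ip prefix-list PL-FROM-ISP seq 5 deny 192.0.2.0/24 le 32
ip prefix-list PL-FROM-ISP seq 10 permit 0.0.0.0/0 le 24
!
! Outbound preference: routes from this ISP win the Local Pref comparison (default 100).
route-map RM-ISP-A-IN permit 10
 set local-preference 200
!
! Inbound preference: prepend twice on this link so remote ASes prefer another path.
! Any prefix not matching the list is implicitly dropped by the route-map.
route-map RM-ISP-A-OUT permit 10
 match ip address prefix-list PL-OUR-PREFIXES
 set as-path prepend 65001 65001
!
router bgp 65001
 bgp router-id 10.255.0.1
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 !
 ! eBGP to ISP-A over the directly connected WAN address.
 neighbor 198.51.100.2 remote-as 64500
 neighbor 198.51.100.2 description ISP-A
 neighbor 198.51.100.2 prefix-list PL-FROM-ISP in
 neighbor 198.51.100.2 prefix-list PL-OUR-PREFIXES out
 neighbor 198.51.100.2 route-map RM-ISP-A-IN in
 neighbor 198.51.100.2 route-map RM-ISP-A-OUT out
 !
 ! iBGP to R2 between loopbacks (needs an IGP route to 10.255.0.2).
 ! next-hop-self rewrites the ISP next hop so R2 does not need a route to 198.51.100.2;
 ! send-community is required or any community set on R1 is silently stripped.
 neighbor 10.255.0.2 remote-as 65001
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
 neighbor 10.255.0.2 send-community
!
! Apply policy changes without tearing the session down (route refresh):
!   clear ip bgp 198.51.100.2 soft in
!   clear ip bgp 198.51.100.2 soft out
! Check:
!   show ip bgp summary          -> State/PfxRcd shows a count, not Active/Idle
!   show ip bgp 192.0.2.0/24     -> our prefix, origin i, valid, best
```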

Configure EIGRP on Cisco IOS: Metrics, DUAL, Stub, and Authentication

Working reference for EIGRP on Cisco IOS. The composite metric (bandwidth and delay by default, weighted by the K-values), DUAL and the feasibility condition (Successor and Feasible Successor, which give sub-second convergence without a recomputation), basic configuration with no auto-summary and an explicit router-id, the passive-interface default plus selective no passive-interface pattern, per-interface summarization, EIGRP stub for branch routers (bounding query scope and avoiding Stuck-In-Active), MD5 authentication via a key chain, the five verification commands, and the pitfalls (the auto-summary trap, K-value mismatches, SIA, AS-number agreement).
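
A branch-router configuration that combines the stub, summarization, passive-interface and authentication points above, added as an example rather than taken from the article. AS 100, the 10.3.0.0/24 LAN, the 10.0.12.0/30 WAN link, the key-chain name and the router-id are placeholder values chosen for illustration.

```cisco
! Branch router in EIGRP AS 100. Placeholder values throughout.
!
! Key chain for MD5 neighbor authentication; key id and string must match the hub.
key chain KC-EIGRP
 key 1
  key-string REPLACE-WITH-A-SHARED-SECRET
!
router eigrp 100
 eigrp router-id 10.255.0.3
 no auto-summary
 ! Nothing speaks EIGRP unless explicitly unpassived: the LAN stays quiet,
 ! only the WAN link forms adjacencies.
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.3.0.0 0.0.0.255
 network 10.0.12.0 0.0.0.3
 ! Stub: the hub never queries this router during a recomputation, which is
 ! what prevents Stuck-In-Active across slow WAN links. "connected summary"
 ! is the default stub behavior and is spelled out here for clarity.
 eigrp stub connected summary
!
! WAN interface: summarize the branch's address space toward the hub
! and authenticate the adjacency.
interface GigabitEthernet0/1
 ip address 10.0.12.2 255.255.255.252
 ip summary-address eigrp 100 10.3.0.0 255.255.0.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 KC-EIGRP
!
! Verification:
!   show ip eigrp neighbors             -> hub listed; empty if AS, K-values or key mismatch
!   show ip eigrp topology              -> FD/RD per prefix; FS candidates need RD < FD
!   show ip route eigrp                 -> D routes, D EX for redistributed ones
!   show ip protocols                   -> K-values, router-id, stub flag, passive list
!   show ip eigrp interfaces detail     -> authentication mode and key chain per link
```

A K-value or authentication mismatch does not produce an error on the console by default; the adjacency simply never forms, so `show ip eigrp neighbors` is the first thing to check.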

Cisco IOS NAT and PAT: Static, Dynamic, and Overload Configuration

Working reference for the four NAT configurations on Cisco IOS (static, dynamic, PAT on the WAN interface address, PAT on a pool). The inside-local / inside-global / outside-local / outside-global vocabulary that confuses everyone the first time, the ip nat inside / ip nat outside interface markings (the most common cause of broken NAT), static NAT in its full-IP and port-specific variants, dynamic NAT with a public pool, PAT (overload) with the WAN interface IP and with a pool, the show ip nat translations and show ip nat statistics commands, clear ip nat translation, and the pitfalls (missing interface markers, gaps in the NAT ACL, PAT port exhaustion, and the NAT/IPsec interaction where VPN traffic gets translated before it reaches the crypto map).
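
The four configurations side by side, added as an example that is not part of the article. The 10.1.0.0/24 inside network, the 198.51.100.0/24 outside addresses, the 10.2.0.0/24 remote VPN LAN that must be excluded from translation, and all names are placeholders chosen for illustration.

```cisco
! Edge router with inside LAN 10.1.0.0/24 and outside address 198.51.100.1. Placeholder values.
!
! Interface markers first; without both of these no translation ever happens
! and "show ip nat statistics" shows zero hits.
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
! NAT ACL. The deny line excludes site-to-site VPN traffic: NAT runs before the
! crypto map on the outbound path, so without it the packets get translated,
! never match the IPsec interesting-traffic ACL, and leave the router in clear text.
ip access-list extended ACL-NAT-INSIDE
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
!
! 1) Static NAT, whole address: 10.1.0.20 is always seen as 198.51.100.20.
ip nat inside source static 10.1.0.20 198.51.100.20
!
! 2) Static NAT, port-specific: publish only HTTPS on the router's own outside address.
ip nat inside source static tcp 10.1.0.10 443 198.51.100.1 443
!
! 3) PAT on the outside interface address (the usual choice).
ip nat inside source list ACL-NAT-INSIDE interface GigabitEthernet0/0 overload
!
! 4) Dynamic NAT / PAT on a pool. Only one "inside source list" rule may reference
!    ACL-NAT-INSIDE at a time, so this is shown as the alternative to 3).
ip nat pool POOL-PUBLIC 198.51.100.10 198.51.100.19 netmask 255.255.255.0
! ip nat inside source list ACL-NAT-INSIDE pool POOL-PUBLIC            <- dynamic 1:1
! ip nat inside source list ACL-NAT-INSIDE pool POOL-PUBLIC overload   <- PAT on the pool
!
! Verification and cleanup:
!   show ip nat translations      -> Inside local / Inside global / Outside local / Outside global
!   show ip nat statistics        -> hits, misses, and which interfaces are inside/outside
!   clear ip nat translation *    -> drop all dynamic entries (static ones survive)
```

Dynamic NAT without `overload` is one public address per inside host; when the pool is exhausted new flows fail until entries time out, which is why PAT on a pool is the normal choice when more than a handful of hosts share it.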

Cisco IOS Access Control Lists: Standard, Extended, Named, Reflexive, Time-Based

Working reference for the five Cisco IOS ACL types. How an ACL processes a packet (top-down, first match wins, implicit deny at the end), where the order of operations relative to NAT matters (inbound: ACL is checked before NAT, so it sees untranslated addresses; outbound: NAT runs before the ACL, so it sees translated ones), Standard vs Extended vs Named ACLs with full configuration examples, Reflexive ACLs for stateful permitting of return traffic, time-based ACLs with absolute and periodic schedules, application to interfaces vs VTY lines (ip access-group vs access-class), placement rules (Standard close to the destination, Extended close to the source), and the pitfalls (the implicit deny, the numbered-ACL edit gotcha where adding a line appends it to the end, wildcard vs subnet mask, the NAT-order trap, missing VTY restriction).
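
A WAN-edge ruleset that exercises extended, reflexive and time-based ACLs plus the VTY restriction, added here as an example and not copied from the article. The 198.51.100.1 router address, the 203.0.113.1 VPN peer, the 10.1.0.0/24 management network and every ACL and time-range name are placeholders chosen for illustration.

```cisco
! Edge router with outside interface GigabitEthernet0/0. Placeholder values.
!
! Outbound on the WAN interface: everything leaving creates a reflexive entry.
! Because NAT runs before the outbound ACL, the source here is the translated
! (inside-global) address, which is why "any" is used rather than the LAN prefix.
ip access-list extended ACL-WAN-OUT
 permit tcp any any reflect TCP-STATE timeout 300
 permit udp any any reflect UDP-STATE timeout 60
 permit icmp any any reflect ICMP-STATE timeout 30
 permit ip any any
!
! Inbound on the WAN interface: the inbound ACL runs before NAT, so destinations
! are the public addresses. Order matters: the evaluate lines go first so
! return traffic is accepted before any static permits are examined.
ip access-list extended ACL-WAN-IN
 evaluate TCP-STATE
 evaluate UDP-STATE
 evaluate ICMP-STATE
 ! IPsec from the site-to-site peer: IKE, NAT-T and ESP
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.1
 ! GRE itself arrives inside ESP and never hits this ACL once the tunnel is up.
 ! Published service (matches the static NAT on 198.51.100.1:443)
 permit tcp any host 198.51.100.1 eq 443
 ! Explicit deny with logging so the implicit deny does not hide drops.
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group ACL-WAN-IN in
 ip access-group ACL-WAN-OUT out
!
! Time-based rule on the LAN interface: guest web access only during business hours.
time-range TR-BUSINESS
 periodic weekdays 8:00 to 18:00
ip access-list extended ACL-GUEST-IN
 permit tcp 10.9.0.0 0.0.0.255 any eq www time-range TR-BUSINESS
 permit tcp 10.9.0.0 0.0.0.255 any eq 443 time-range TR-BUSINESS
 permit udp 10.9.0.0 0.0.0.255 any eq domain
 deny   ip any any
interface GigabitEthernet0/2
 ip access-group ACL-GUEST-IN in
!
! VTY restriction uses access-class, not ip access-group, and a Standard ACL
! (source-only) is enough because the destination is the router itself.
ip access-list standard ACL-MGMT
 permit 10.1.0.0 0.0.0.255
line vty 0 4
 access-class ACL-MGMT in
 transport input ssh
!
! Check: show access-lists (hit counters per line), show ip interface GigabitEthernet0/0
! (which ACLs are bound in which direction), show time-range (active/inactive).
```

The time-based ACL depends on the router clock; without NTP or a manually set clock the `periodic` window evaluates against whatever time the router booted with, so `show clock` belongs in the verification step.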

Configure OSPFv2 on Cisco IOS: From Single Area to Multi-Area

Working reference for OSPFv2 on Cisco IOS: the cost metric, hello/dead timers, the six LSA types, the five area types (Backbone, Normal, Stub, Totally Stubby, NSSA), router roles (ABR, ASBR, IR), basic configuration with both the network statement and the ip ospf <process-id> area interface command, multi-area design, summarization (area range at the ABR vs summary-address at the ASBR), virtual links, MD5 authentication, the five verification commands, and the pitfalls (reference-bandwidth mismatch between routers, wildcard vs subnet mask, adjacencies stuck in EXSTART/EXCHANGE because of an MTU mismatch, router-id changing implicitly when the highest loopback changes).
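
An ABR/ASBR configuration that shows both ways of enabling OSPF on an interface, the two summarization commands in their correct places, a totally stubby area and MD5 authentication on the backbone, added as an example that is not part of the article. Process id 1, the 10.0.12.0/30 backbone link, the 10.1.0.0/16 area 1 range, the 192.168.0.0/16 redistributed static space, the key and the router-id are placeholder values chosen for illustration.

```cisco
! Router acting as ABR (areas 0 and 1) and ASBR (redistributes statics). Placeholder values.
!
router ospf 1
 ! Explicit router-id; otherwise the highest loopback is used and a new loopback
 ! later can change it, with a process restart breaking every adjacency.
 router-id 10.255.0.1
 ! Reference bandwidth in Mbps so 10G/1G/100M links get distinct costs.
 ! Must be identical on every router in the domain or costs stop being comparable.
 auto-cost reference-bandwidth 10000
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 ! Network-statement style: wildcard mask, not a subnet mask.
 network 10.0.12.0 0.0.0.3 area 0
 ! Area 1 is totally stubby: "no-summary" only on the ABR, plain "area 1 stub"
 ! on every other router inside area 1 (the stub flag is checked in hellos).
 area 1 stub no-summary
 ! ABR summarization of intra-area routes (Type 3 LSAs) toward area 0.
 area 1 range 10.1.0.0 255.255.0.0
 ! ASBR summarization of external routes (Type 5 LSAs).
 redistribute static subnets
 summary-address 192.168.0.0 255.255.0.0
 ! MD5 on the whole backbone; each area 0 interface still needs its key below.
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.252
 ip ospf message-digest-key 1 md5 REPLACE-WITH-A-SHARED-SECRET
 ! Point-to-point skips DR/BDR election on a two-router link.
 ip ospf network point-to-point
 ! Only as a last resort when the other side's MTU cannot be fixed:
 ! ip ospf mtu-ignore
!
! Interface-command style: enables OSPF without a network statement.
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip ospf 1 area 1
!
! Verification:
!   show ip ospf neighbor           -> FULL; stuck in EXSTART/EXCHANGE means MTU or auth mismatch
!   show ip ospf interface brief    -> process, area, cost and state per interface
!   show ip ospf database           -> LSA types per area; no Type 3/5 inside a totally stubby area
!   show ip route ospf              -> O, O IA, O E2 prefixes; area 1 routers see only a default
!   show ip protocols               -> router-id, reference bandwidth, area types
```

The `ip ospf mtu-ignore` line is commented out deliberately: it makes the adjacency form but leaves the MTU mismatch in place, so large LSAs or user traffic can still be dropped; matching the interface MTU on both ends is the real fix.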