Here is a sample configuration of IS-IS for Cisco routers. This example is a level-2-only area (comparable to the backbone area 0 in OSPF).
Note: loopback addresses are (or should be) always configured with a /32 netmask.
It is good practice to dedicate a contiguous range to all your loopback addresses; most of the time this range is the first of your supernet (i.e. your "big" network allocation), or the one ending in zero.
Let's begin by creating a loopback interface and announcing its IP in IS-IS (in this example we use the first /24 of our "big" range for loopbacks):
interface Loopback100
ip address 10.0.0.1 255.255.255.255
ip router isis
We configure the physical interface, announce the connected range in IS-IS and lower the hello interval to 1 second:
interface gi0/0/0
ip address 10.10.10.8 255.255.255.252
ip router isis
isis network point-to-point
isis metric 20 level-2
isis hello-interval 1
And finally the configuration of the protocol itself:
router isis
log-adjacency-changes
no hello padding
spf-interval 1 1 100
lsp-gen-interval 1 1 100
is-type level-2-only
metric-style wide level-2
net 49.0000.0000.0008.00
passive-interface loopback 100
Each node in IS-IS must have a different NET (network entity title, its ID); it is good practice to begin with 49 and end with 00 (see links below).
It is really important to lower spf-interval to get faster convergence (~1 sec); lsp-gen-interval also helps, but only a little compared to spf-interval.
Hello padding is useless (come on, MTU 9000 for everybody!), so we deactivate it. And we don't need to generate hello packets on the loopback interface, ever.
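As an added example (not part of the original notes), here is a small Python checker for the NET rules just described: it splits a NET into area address, system ID and NSEL, rejects malformed NETs or an NSEL other than 00, and flags a system ID reused on two routers, which breaks the link-state database whatever the area layout. The router names and the two faulty NETs are constructed for the demonstration; the first NET is the one from the configuration above.

```python
"""Parse and sanity-check IS-IS NETs (network entity titles)."""
import re
from collections import Counter
from dataclasses import dataclass

# Dotted IOS notation: 2 hex digits, groups of 4 hex digits, then the 2-digit NSEL.
NET_RE = re.compile(r"[0-9a-fA-F]{2}(?:\.[0-9a-fA-F]{4})+\.[0-9a-fA-F]{2}")


@dataclass(frozen=True)
class Net:
    area: str       # area address as written in IOS, e.g. "49.0001"
    system_id: str  # 6-octet system ID, e.g. "0000.0000.0008"
    nsel: str       # NSAP selector, must be "00" for a router NET


def parse_net(text):
    """Split a dotted NET into area / system ID / NSEL.

    A NET is 8..20 octets: 1..13 octets of area address (the AFI is the
    first one), 6 octets of system ID and 1 octet of NSEL."""
    if not NET_RE.fullmatch(text):
        raise ValueError(f"malformed NET {text!r}")
    raw = text.replace(".", "").lower()
    octets = len(raw) // 2
    if not 8 <= octets <= 20:
        raise ValueError(f"NET {text!r} has {octets} octets, expected 8..20")
    nsel = raw[-2:]
    sys_hex = raw[-14:-2]
    area_hex = raw[:-14]
    system_id = ".".join(sys_hex[i:i + 4] for i in range(0, 12, 4))
    area = area_hex[:2] + "".join("." + area_hex[i:i + 4] for i in range(2, len(area_hex), 4))
    return Net(area=area, system_id=system_id, nsel=nsel)


def check_domain(nets):
    """Return human-readable problems for a {router_name: net_string} map:
    malformed NETs, NSEL other than 00, an AFI other than the private 49,
    and system IDs shared by several routers."""
    problems, parsed = [], {}
    for name, text in nets.items():
        try:
            parsed[name] = parse_net(text)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        net = parsed[name]
        if net.nsel != "00":
            problems.append(f"{name}: NSEL is {net.nsel}, a router NET must end in 00")
        if not net.area.startswith("49"):
            problems.append(f"{name}: AFI {net.area[:2]} is not the private AFI 49")
    by_sysid = Counter(net.system_id for net in parsed.values())
    for name, net in sorted(parsed.items()):
        if by_sysid[net.system_id] > 1:
            problems.append(f"{name}: system ID {net.system_id} is shared with another router")
    return problems


# Constructed sample: r1 is the NET from the configuration above, r2 sits in
# another area but copies r1's system ID by mistake, r3 has a non-zero NSEL.
SAMPLE_NETS = {
    "r1": "49.0000.0000.0008.00",
    "r2": "49.0001.0000.0000.0008.00",
    "r3": "49.0000.0000.0009.01",
}

if __name__ == "__main__":
    for line in check_domain(SAMPLE_NETS):
        print(line)
```

Note that the short NET used on this page has a one-octet area address (just the AFI 49); the more usual "49.0001.xxxx.xxxx.xxxx.00" form is two octets longer, and the parser handles both by counting from the end.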
Here are a few really important commands for troubleshooting:
sh isis neighbors
sh isis database
sh isis topology
sh ip route isis
And if you need to announce/originate a default route (make sure your router knows how to reach "THE Internet", otherwise you have created a blackhole):
router isis
default-information originate always
Cisco Catalyst switches use CAM and TCAM to store MAC addresses, ACLs and QoS tables in order to achieve wire-speed switching: they are ASICs that search the entire memory in one operation.
The CAM (Content Addressable Memory) stores MAC addresses, VLANs and port assignments. During a lookup the CAM returns the address where the data is stored (the inverse of regular RAM); it is used on L2 switches. The TCAM (Ternary Content Addressable Memory) is used on L3 switches to store the routing table (it also stores ACL and QoS information). During a lookup the keys are a network and a mask, and the result can be a next hop, or an action (permit or deny) for an ACL.
To see the CAM contents and usage (these commands were used on a 3750):
show mac address-table dynamic
show mac address-table count
To see TCAM usage:
show platform tcam utilization
To see routes that couldn't be inserted into the TCAM:
show platform ip unicast counts
To view the number of route entries for each protocol:
show ip route summary
If you find a high number of prefixes not in TCAM, and a high TCAM usage, you should consider changing the SDM (switch database management) template.
To see the currently used SDM template:
show sdm prefer
To see another SDM template:
show sdm prefer dual-ipv4-and-ipv6 routing
To apply a new SDM template (a reload is required):
conf t
sdm prefer dual-ipv4-and-ipv6 routing
reload
In the worst case, when the TCAM is full, "ip cef" is deactivated and switching is done by the CPU. To see CPU usage:
show processes cpu history
CEF (Cisco Express Forwarding) is a forwarding model in which all routing information is put into the FIB (forwarding information base). The FIB stores IP routing information (prefixes and next hops); in addition to the FIB, CEF uses adjacency tables to store Layer 2 addressing information.
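To make the TCAM lookup model above concrete, here is an added Python toy of a TCAM (example code, not Cisco's implementation): each entry is a value/mask pair, every entry is compared against the key and the first match in priority order wins. Routes are programmed longest-prefix first so that the first hit is the longest match; ACL entries keep their written order with an implicit deny last. The capacity limit and the not_inserted counter mimic the "prefixes not in TCAM" condition discussed above: a route that does not fit gets no hardware result, which is where a real switch falls back to the CPU. All routes, ACL rules and capacities are constructed sample values.

```python
"""Toy TCAM: value/mask entries matched in parallel, first hit in priority order wins."""
import ipaddress


class Tcam:
    def __init__(self, capacity):
        self.capacity = capacity   # entries the ASIC can hold (constructed limit)
        self.entries = []          # (value, care_mask, result) in priority order
        self.not_inserted = 0      # entries refused because the table was full

    def insert(self, value, care_mask, result):
        if len(self.entries) >= self.capacity:
            self.not_inserted += 1
            return False
        self.entries.append((value, care_mask, result))
        return True

    def lookup(self, key):
        # Hardware compares every entry at once; the lowest-index hit is returned.
        for value, care_mask, result in self.entries:
            if key & care_mask == value & care_mask:
                return result
        return None   # no hardware result: a real switch would punt to the CPU


def build_fib(routes, capacity):
    """Program (cidr, next_hop) routes longest-prefix first, so the first
    TCAM hit is the longest match."""
    tcam = Tcam(capacity)
    nets = [(ipaddress.ip_network(cidr, strict=False), nh) for cidr, nh in routes]
    for net, next_hop in sorted(nets, key=lambda r: r[0].prefixlen, reverse=True):
        tcam.insert(int(net.network_address), int(net.netmask), next_hop)
    return tcam


def build_acl(rules, capacity):
    """Program (action, address, wildcard) rules in written order. IOS wildcard
    bits mean 'don't care', so the TCAM care mask is the inverted wildcard.
    The final all-zero-mask entry is the implicit deny."""
    tcam = Tcam(capacity)
    for action, address, wildcard in rules:
        care_mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        tcam.insert(int(ipaddress.IPv4Address(address)), care_mask, action)
    tcam.insert(0, 0, "deny")
    return tcam


def lookup_ip(tcam, ip):
    """Look up a dotted IPv4 address; returns a next hop, an ACL action or None."""
    return tcam.lookup(int(ipaddress.IPv4Address(ip)))


# Constructed sample data (not from any real switch).
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "gi0/1"),        # default route
    ("10.0.0.0/8", "gi0/2"),       # the "big" range
    ("10.10.10.0/24", "gi0/3"),
    ("10.10.10.8/30", "local"),    # the point-to-point link from the IS-IS example
]
SAMPLE_ACL = [
    ("permit", "192.0.2.0", "0.0.0.255"),
    ("deny", "192.0.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    fib = build_fib(SAMPLE_ROUTES, capacity=8)
    print(lookup_ip(fib, "10.10.10.9"), lookup_ip(fib, "10.10.20.1"), lookup_ip(fib, "192.0.2.1"))
    small = build_fib(SAMPLE_ROUTES, capacity=3)   # one route too many for the table
    print(small.not_inserted, lookup_ip(small, "192.0.2.1"))
    acl = build_acl(SAMPLE_ACL, capacity=16)
    print(lookup_ip(acl, "192.0.2.5"), lookup_ip(acl, "192.0.3.5"), lookup_ip(acl, "203.0.113.1"))
```

With capacity 3 the default route is the one left out (it is the shortest prefix, so it is programmed last), and a lookup for an address outside 10.0.0.0/8 returns None; that is the situation the "show platform ip unicast counts" output reports on a real box.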
Cisco devices can filter MAC addresses inbound with port security or ACLs, but remember that ACLs are checked in hardware by the ASICs on the ports, whereas port security is checked in software (and can cause big trouble when used in restrict/protect mode when many violations occur):
---Port-security on cat 6500---
In the example we allow 100 MAC addresses on this trunk port, but only 2 specific MACs on VLAN 4 (interface config mode):
By default, if the maximum number of MAC addresses is reached, the port is shut down (err-disabled); you can automatically re-enable the port after a period of time with (global config mode):
errdisable recovery cause psecure-violation
errdisable recovery interval 300
You can also choose other actions if a port violation occurs (interface config mode):
Telnet is "bad"; this is how to enable SSH and disable telnet login, and BTW we only want SSH v2 as v1 is vulnerable to several attacks:
When asked, choose at least 1024 bits for the key.
hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
transport input ssh
Remember to add an ACL; this is always a good thing:
access-list 99 permit 192.0.2.0 0.0.0.255
ipv6 access-list ACL-RESTRICTED-IN
permit ipv6 2001:db8::/32 any
line vty 0 15
access-class 99 in
ipv6 access-class ACL-RESTRICTED-IN in
When you create your ACL, remember it's even better to only accept logins from your own network.
Oh! BTW, if you use clogin/rancid to log into your equipment, make sure your MOTD does not contain any '#' or the auto-enable won't work...
I told you: MOTD (with #) + SSH + clogin = no auto-enable.
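Here is an added Python audit script (not part of the original notes) that checks a running-config for the management-plane points made above: "ip ssh version 2" is set, every vty line has "transport input ssh" and nothing else, every vty line carries an access-class, and the MOTD contains no '#' (the clogin/rancid prompt-detection gotcha). The config snippet it runs on is constructed from the commands shown above, with one vty block deliberately left open and a '#' planted in the banner.

```python
"""Audit an IOS running-config for the management-plane points above:
SSH v2, ssh-only vty transport, an access-class on every vty line, and
no '#' in the MOTD (which breaks clogin/rancid prompt detection)."""
import re

# "banner motd <delim> ... <delim>", whatever delimiter character was used.
BANNER_RE = re.compile(r"^banner motd (\S)(.*?)\1", re.S | re.M)


def motd_text(config):
    """Return the MOTD body, or an empty string when there is no banner."""
    match = BANNER_RE.search(config)
    return match.group(2) if match else ""


def parse_sections(config):
    """Return (global_lines, {section header: [child lines]}) using the IOS
    convention that a section's children are indented by one space."""
    config = BANNER_RE.sub("", config)   # banner bodies are text, not commands
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            global_lines.append(current)
    return global_lines, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_lines, sections = parse_sections(config)
    if "ip ssh version 2" not in global_lines:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may be negotiated")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        # Exactly "transport input ssh": "ssh telnet" or no transport line both fail.
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(line.startswith(("access-class ", "ipv6 access-class ")) for line in body):
            findings.append(f"{header}: no access-class, any source can reach the login prompt")
    if "#" in motd_text(config):
        findings.append("banner motd contains '#': clogin/rancid auto-enable will break")
    return findings


# Constructed running-config excerpt: vty 5-15 still accepts telnet and has
# no access-class, and the banner contains the '#' that confuses clogin.
SAMPLE_CONFIG = """\
hostname switch
ip domain-name mydomain.tld
aaa new-model
ip ssh version 2
banner motd %
Authorised access only # ticket required
%
access-list 99 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 99 in
 transport input ssh
line vty 5 15
 transport input ssh telnet
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The parser only understands the one-space indentation IOS uses for sub-commands and strips banner bodies before interpreting lines as commands, so a banner line that happens to start with a keyword is not mistaken for configuration.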
enable view
conf t
parser view readonly
secret 5 ???
commands exec include show vlan
commands exec include show
exit
username test view readonly password 0 ????
flow-sampler-map SAMPLER
mode random one-out-of 100
ip flow-export version 5
ip flow-export destination 192.168.0.2 2055
interface Gi0/1
flow-sampler SAMPLER
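The sampler above exports 1 in 100 packets in NetFlow v5 format to the collector, so the collector has to multiply the counters back up. As an added example (not part of the original notes and not Cisco's or any collector's code), here is a Python decoder for v5 export packets that validates the header, extracts the flow records and scales the octet counts by the sampling interval carried in the header. The flows and the packet are constructed in the block itself.

```python
"""Collector-side decoder for NetFlow v5 exports, scaling sampled counters back up."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
MAX_RECORDS = 30                                      # a v5 packet carries at most 30 records


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def parse_v5(packet):
    """Return (sampling_interval, [Flow, ...]); raise ValueError on a malformed packet."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, _sequence,
     _engine_type, _engine_id, sampling) = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > MAX_RECORDS or len(packet) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match packet length")
    interval = sampling & 0x3FFF   # low 14 bits; the top 2 bits carry the sampling mode
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append(Flow(src=str(IPv4Address(r[0])), dst=str(IPv4Address(r[1])),
                          proto=r[13], sport=r[9], dport=r[10],
                          packets=r[5], octets=r[6]))
    return interval, flows


def estimated_octets(interval, flows):
    """Sampled counters are 1-in-N: multiply by N (0 means unsampled) to
    estimate the real traffic volume."""
    return sum(f.octets for f in flows) * max(interval, 1)


def build_v5(flows, interval):
    """Constructed export packet for testing; a real exporter fills in the
    uptime, timestamps and sequence numbers that are left at zero here."""
    body = b"".join(
        RECORD.pack(IPv4Address(f.src).packed, IPv4Address(f.dst).packed, b"\0" * 4,
                    1, 2, f.packets, f.octets, 0, 0, f.sport, f.dport,
                    0, 0x18, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, interval) + body


# Constructed sample flows, as a 1-in-100 sampler would export them.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "192.0.2.2", 6, 51234, 443, 3, 1800),
    Flow("10.10.10.9", "192.0.2.2", 17, 5000, 53, 1, 80),
]
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS, 100)

if __name__ == "__main__":
    interval, flows = parse_v5(SAMPLE_PACKET)
    print("sampling 1 in", interval, "estimated octets:", estimated_octets(interval, flows))
    for flow in flows:
        print(flow)
```

The length check matters on a real collector: UDP export is unauthenticated, so a truncated or oversized datagram must be rejected rather than read past the buffer.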