Cisco SD-WAN Policy automation with REST API

I’ve been working with Cisco SD-WAN recently and decided to summarize my experience to demonstrate REST API capabilities in Viptela vManage (The management plane component).

Interaction to networking components with out-of-band SDN controllers is much robust than working with devices directly. Everything from the operational and greenfield deployment perspective is possible via vManage REST API. It is very flexible to Automate repetitive tasks or initial configuration or even expand SD-WAN capabilities to bring the new features to it!

Short introduction of the scenario.

Typically when we need to filter access to something, what we do is to create FW rules, Access-lists, route-maps, etc., which looks at the Packet/Frame in the data plane to match SRC/DST, Protocol or port numbers, pretty much anything that each of the packet or frame contains.

What I wanted to do is to create continuously updated dynamic access-lists with the latest information available in Control-plane to apply in Dataplane.

Below is the simplified topology illustrated:

With topology shown above, I want to create a policy that will block inter-spoke communication but forwards traffic to internet destined resources.

You might think that its easy peasy to do with Traditional access-control mechanisms in SD-WAN or Classic VPN routing schemes, but again it depends on the conditions. Imagine that your hundreds of Branches/Spokes are in a completely different prefix block, which is impossible to summarize. You are in trouble to define access-lists with hundreds of destinations. This is not a manageable and time-consuming process that does not scale!
Given that, something more is needed to create a single-lined and simple data policy, for this reason, I’ve decided to use SITE-ID, which is Cisco SD-WAN specific and is advertised via OMP along with the route.
If we match the Site-id range to cover all the Branches/Spokes, then we will be able to create dynamic data policy ( with data prefix-list), which blocks inter-spoke traffic based on control-plane information (Site-ID). However, this feature is not available in native-GUI, and python code is needed to take out all the necessary information from the controller with REST-API, process it, and push it back with the updated data.

Here is the list of the SITE-IDs and VPNs defined, which of course could be created via REST but for now i will be focusing on the functionality described above.

I’ve created a data policy that matches the destination data prefix-list “BLOCK_INTER_SPOKE,” which we need to work with to update with proper data! Topology is Hub-Spoke. As shown above, vSmart would not reflect routes received from one spoke to another via OMP, but there is a default route in which traffic within the VPN follows it to reach the other end of the spoke. Therefore route-control alone is not enough to restrict inter-spoke communication.


SPOKE1# show ip routes omp
100 omp – – – – gold ipsec F,S

SPOKE1# ping source vpn 100
Ping in VPN 100
PING ( from : 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=218 ms
64 bytes from icmp_seq=2 ttl=63 time=350 ms
64 bytes from icmp_seq=3 ttl=63 time=388 ms

With the following ugly python code below, first, I request a vManage controller to get all the OMP routes from the vSmart controller ( DeviceId is actual system-ip of the vSmart node) and store it in the file.

response = req.get("",auth=('admin', 'admin'), verify=False)

with open('rest-data.txt', 'w') as f: 
json.dump(response.json(), f, indent=4)

Below is the portion of response data in JSON Format:

    "data": [
            "overlay-id": "1",
            "color": "gold",
            "vdevice-name": "",
            "prefix": "",
            "ip": "",
            "from-peer": "",
            "label": "1005",
            "encap": "ipsec",
            "site-id": "200",
            "originator": "",
            "vpn-id": "100",
            "vdevice-host-name": "vsmart",
            "path-id": "75",
            "protocol": "static",
            "vdevice-dataKey": "",
            "metric": "0",
            "lastupdated": 1580152072459,
            "attribute-type": "installed",
            "address-family": "ipv4",
            "status": "C R"
            "overlay-id": "1",
            "color": "gold",
            "vdevice-name": "",
            "prefix": "",
            "ip": "",
            "from-peer": "",
            "label": "1005",
            "encap": "ipsec",
            "site-id": "200",
            "originator": "",
            "vpn-id": "100",
            "vdevice-host-name": "vsmart",
            "path-id": "75",
            "protocol": "connected",
            "vdevice-dataKey": "",
            "metric": "0",
            "lastupdated": 1580152072459,
            "attribute-type": "installed",
            "status": "C R"
            "overlay-id": "1",
            "color": "gold",
            "vdevice-name": "",
            "prefix": "",
            "ip": "",
            "from-peer": "",
            "label": "1005",
            "encap": "ipsec",
            "site-id": "201",
            "originator": "",
            "vpn-id": "100",
            "vdevice-host-name": "vsmart",
            "path-id": "75",
            "protocol": "connected",
            "vdevice-dataKey": "",
            "metric": "0",
            "lastupdated": 1580152072460,
            "attribute-type": "installed",
            "status": "C R"
            "overlay-id": "1",
            "color": "gold",
            "vdevice-name": "",
            "prefix": "",
            "ip": "",
            "from-peer": "",
            "label": "1005",
            "encap": "ipsec",
            "site-id": "202",
            "originator": "",
            "vpn-id": "100",
            "vdevice-host-name": "vsmart",
            "path-id": "75",
            "protocol": "connected",
            "vdevice-dataKey": "",
            "metric": "0",
            "lastupdated": 1580152072460,
            "attribute-type": "installed",
            "status": "C R"


Clearly, we can spot OMP prefix and site-id associated with it, but we have to sort it to match the routes advertised by Spokes only.

This portion of code opens previously created file ( rest-data.txt), looks for the Key ‘site-id’ in nested JSON, and appends prefixes within the range of 201-202 site-id and appends it to python list. In the end, the JSON dictionary is populated with data which can be used later to create prefix-list

prefixes = []

with open('rest-data.txt', 'r') as data_file:
    data = json.load(data_file)
    for d in data['data']:
        if int(d['site-id']) >= 201 and int(d['site-id']) <= 202:  # Range of Site-ID

json_dict = {
    "name": "BLOCK_INTER_SPOKE",  # Name of the Data Prefix-list
    "entries": [{'ipPrefix': prefixes} for prefixes in prefixes]
with open('prefixes.json', 'w') as f:
    json.dump(json_dict, f, indent=4)

Print output of prefixes.json file.

    "name": "BLOCK_INTER_SPOKE",
    "entries": [
            "ipPrefix": ""
            "ipPrefix": ""

Now we have Spoke prefixes in JSON format, the only thing left is to update existing policy with provided data.
First List-Id is required to update right prefix-list which can be retrieved with quick postman call to

Screen Shot 2020-01-27 at 7.58.18 PMFollowing post request updates prefix-list “BLOCK_INTER_SPOKE” with the entries described in prefixes.json file.

headers = {'Content-Type' : 'application/json'}

p = req.put("",auth=('admin', 'admin'), data=open('prefixes.json', 'rb'), verify=False, headers=headers)

Quick check to validate if prefix-list is updated with right input.
Screen Shot 2020-01-28 at 11.27.09 AM

Perfect, now vSmart policy needs to be activated, and configuration template re-applied to propagate updated data policy down to vEdge/cEdge.

activate_policy.json contains empty brackets “{}”

#Activate Data Policy after updating prefix-list
headers = {'Content-Type' : 'application/json'}
r ="",auth=('admin', 'admin'), data=open('activate_policy.json', 'r'), verify=False, headers=headers, cookies=s.cookies)

Again,  policy ID can be retrieved via GET request in Postman or Curl to the following address

Upon activation of the vSmart policy, template configuration must be re-applied to propagate policy down to Spoke routers, which will result in an access restriction between the spokes.
For the sake of simplicity, I’ve used the CLI vSMart template, but this can be a regular configuration template.

headers = {'Content-Type' : 'application/json'}
r ="",auth=('admin', 'admin'), data=open('tempcli.json', 'r'), verify=False, headers=headers, cookies=s.cookies)

tempcli.json file contains:
TemplateID – Configuration Template
csv-DeviceId – vSmart DeviceID
csv-DeviceIP – vSmart Device IP
csv-Hostname- vSmart Hostname

    "deviceTemplateList": [
            "templateId": "a9b74c36-9b80-41cb-8e53-aa6ae47ac9c0",
            "device": [
                    "csv-status": "complete",
                    "csv-deviceId": "2e196eb0-dd1b-4878-9e04-397d77aa4ff2",
                    "csv-deviceIP": "",
                    "csv-host-name": "vsmart",
                    "csv-templateId": "a9b74c36-9b80-41cb-8e53-aa6ae47ac9c0"
            "isEdited": false

That’s it all, policy is successfully applied to Spoke routers.

SPOKE2# show policy from-vsmart
from-vsmart data-policy _100_DATA_POLICY
 direction from-service
 vpn-list 100
  sequence 1
    destination-data-prefix-list BLOCK_INTER_SPOKE
   action drop
  default-action accept
from-vsmart lists vpn-list 100
 vpn 100
from-vsmart lists data-prefix-list BLOCK_INTER_SPOKE

Below is a full code.
Keep in mind to maintain JSESSIONID Cookie for each request.

import requests as req
import json
headers = {'Content-Type' : 'application/json'}

s = req.Session()
s = req.get("",
auth=('admin', 'admin'), verify=False)

with open('rest-data.txt', 'w') as f:
    json.dump(s.json(), f, indent=4)

prefixes = []

with open('rest-data.txt', 'r') as data_file:
    data = json.load(data_file)
    for d in data['data']: # Nested JSON , Information is Under Data!
        if int(d['site-id']) >= 201 and int(d['site-id']) <= 202:  # Range of Site-ID

json_dict = {
    "name": "BLOCK_INTER_SPOKE",  # Name of the Data Prefix-list
    "description": "",
    "type": "dataPrefix",
    "listId": "3c2742b7-d449-4345-a8df-4a27df28711c",
    "entries": [{'ipPrefix': prefixes} for prefixes in prefixes]
with open('prefixes.json', 'w') as f:
    json.dump(json_dict, f, indent=4)

# Update Prefix List
r = req.put("",
auth=('admin', 'admin'), data=open('prefixes.json', 'r'), verify=False, headers=headers, cookies=s.cookies)

#Activate Data Policy after updating prefix-list
r ="",auth=('admin', 'admin'), data=open('activate_policy.json', 'r'), verify=False, headers=headers, cookies=s.cookies)

#Attach Template
r ="",auth=('admin', 'admin'), data=open('tempcli.json', 'r'), verify=False, headers=headers, cookies=s.cookies)


IS-IS Authentication

I’ve been playing recently with IS-IS Authentication and want to share informational notes.
We know that almost every IGP’s Authentication mechanism works practically the same way, but it’s a little bit different in the case of IS-IS.
Let’s start with Simple topology, Two Router RA & RB connected with Broadcast Network Type.
Untitled Diagram

The configuration is basic, creation of IS-IS routing process, and enabling is-is instance under interface.

Router A

router isis 1

net 00.0000.0000.0002.00

interface Ethernet0/2

ip address

ip router isis 1

isis circuit-type level-2-only

Router B

router isis 1

net 00.0000.0000.0001.00

interface Ethernet0/0

ip address

ip router isis 1

Neighborship is formed

RA#show isis neighbors

Tag 1:

System Id      Type Interface   IP Address      State Holdtime Circuit Id

RB             L2   Et0/2        UP    9        RB.04              

and wee see that Router B is elected as DIS, which means it sends CSNP’s every 10 seconds.

Now enable authentication, there is two options MD5 and clear-text this time we will configure MD5 authentication.

Unlike any other IGP routing protocols, it’s possible to configure authentication separately for an only neighbor adjacency which sets MD5  Hash authentication data to “IIH” Hello PDU’s or for LSDP which authenticates CSNP, PSNP packets which is exchanged after the neighbors form adjacency , both can be configured same time but on different configuration level, IIH authentication is should be configured under interface level and LSDB authentication should be configured under IS-IS routing instance level.

Let’s capture IS-IS LSP’s on Router A to be it more visible, there is IIH & CSNP packet without authentication.

Screen Shot 2016-04-03 at 16.49.46

Screen Shot 2016-04-03 at 16.52.43.png

No authentication information under PDU’s , you can see here that Router B which is DIS sends CSNP’s every 10 second.

Screen Shot 2016-04-03 at 16.54.22.png

RB#show int ethernet 0/0

Ethernet0/0 is up, line protocol is up

  Hardware is AmdP2, address is aabb.cc00.1000 (bia aabb.cc00.1000)

Now enable authentication for IIH under interface level.

Router B

RB(config)#key chain PASS

RB(config-keychain)# key 1

RB(config-keychain-key)#  key-string PWD


RB(config-keychain-key)#int eth0/0

RB(config-if)#isis authentication mode md5

RB(config-if)#isis authentication key-chain PASS

Untill  Router A is enabled for authentication Router B complains that IIH Authentication is failed by syslog.

*Apr  3 13:05:03.529: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed

RA(config-keychain-key)#do show clns nei

Tag 1:

System Id      Interface   SNPA                State  Holdtime  Type Protocol

RB             Et0/2       aabb.cc00.1000      Init   22        L2   IS-IS

And adjacancy state is stuck within Init state

Router A

RA(config)#key chain PASS

RA(config-keychain)# key 1

RA(config-keychain-key)#  key-string PWD


 RA(config-keychain-key)#int eth0/2

RA(config-if)#isis authentication mode md5

RA(config-if)#isis authentication key-chain PASS

If we dont specify Level after isis authentication command it is enabled for both Level-1-2 by default.

And for now wee see that IIH Hello packet carries authentication information.


We can enable authentication for LSDB as well right now and have both auth mechanism together but the difference between IS-IS and OSPF is that you can enable authentication for LSDB but if password or hash is incorrect you can still form neighborship and have neighbors in the upstate but routing process does not proceed LSP Packets, which is not true in case of OSPF.

Let’s remove authentication for IIH and enable it for LSDB under the routing process.

Router B

RB(config-if)#int eth0/0

RB(config-if)#no isis authentication mode md5

RB(config-if)#no isis authentication key-chain PASS

RB(config-if)#router isis 1

RB(config-router)#authentication mode md5

RB(config-router)#authentication key-chain PASS

Router A

RA(config-if)#int eth0/2

RA(config-if)#no isis authentication mode md5

RA(config-if)#no isis authentication key-chain PASS

untill we configure authentication under routing proccess on Router A , Router B complains that Authentication for LSP & PSNP is failing by syslog.

*Apr  3 13:18:14.939: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed

*Apr  3 13:19:15.667: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed

the reason why we don’t see CSNP authentication error here is that , CSNP’s by default is not sent untill LSDB ages out , it is DIS which sends CSNP’s every 10 second which carries sequence numbers and checksums not routes itself.

RA(config-if)#router isis 1

RA(config-router)#authentication mode md5

RA(config-router)#authentication key-chain PASS

We’ve removed authentication for IIH and enabled it for LSDB , let’s capture it


Now CSNP carries authentication information as well, let me configure incorrect md5 password for Router A.

Router A

RA(config)#key chain PASS

RA(config-keychain)#key 1

RA(config-keychain-key)#key-string INCORRECT

Router A complains about CSNP authentication information.

*Apr  3 13:27:14.419: %CLNS-4-AUTH_FAIL: ISIS: CSNP authentication failed

RA#show clns neighbors

Tag 1:

System Id      Interface   SNPA                State  Holdtime  Type Protocol

RB             Et0/2       aabb.cc00.1000      Up     7         L2   IS-IS

However neighborhip is in Up state , but if we advertise new network from Router B or from Router A to each other , none of them installs it in LSDB , but old information is stored in database untill it ages out.

Hope you enjoyed,



CCIE R&S Written , My Notes


I Passed CCIE R&S written today and i want to share you my notes which is “hard” & “important” to remember , of course this isn’t enough to study and pass the exam , you need to read CCIE RS certification guide and read several RFCs at minimum.

Here we go 🙂


  • Pim protocol ID = 103
  • IGMP Protocol id = 2
  • IGMPv3 report messages is sent to
  • IGMPv2 reports messages is sent to group address
  • IGMPv3 in ISM mode supports include and exclude , in SSM mode only include
  • MSDP Peers is connected Via TCP
  • If MSDP neighbors is in meshgroup RPF isn’t performed
  • FF00::/8 IPV6 Reserved multicast address range
  • Only sparse mode is supported on IPV6 Multicast
  • MLD2 supports SSM Like IGMPv3
  • Last 23 bit of ip address is used while multicast IP To mac Address mappoing , covert ip to binary and binary to hex then.
  • Only BSR is supported on IPV6 , no Auto-rp
  • PIM type field messages , 0 is hello
  1. Register
  2. Register-stop
  3. Join/Prune
  4. Bootstrap
  5. assert
  6. graft
  7. graft-ack
  8. Candidate-RP Advertisement
  9. state-refresh


  • DSCP = First 6 bit
  • IPP = First 3 bit
  • FRR DE = 1 bit
  • MPLS EXP = 3 bit
  • COS = 3 bit
  • Best effort = DSCP 0
  • EF = DSCP 46
  • LLQ Policing is working during congestion
  • Bandiwdth remaining X command = interface bandwitdth – LLQ BW
  • CBWFQ/LLQ supports 64 queues
  • CBWFQ isn’t supported on sub interfaces
  • WRED Prevents TCP Syn problem
  • WRED can’t be applied to the voice Queue.
  • ON WRED packet drop probabillity is based on , minimum threshold , maximum threshold and mark probability denominator , if the average queue depth is above the minimum threshold , RED starts packet dropping , if denominator is 100 , every 100 packet is being dropped , when the average queue will be at maximum threshold. When the average queue will be above of max threshold all packet is being dropped
  • Shaping Formula – Tc=Bc/CIR -> Bc=Tc x CIR
  • Tc in Shaping = Interval per second
  • Bc in shaping = amount of bits that could be send during Tc
  • Be in shaping = Amount of bits over Bc that could be send during Tc during idle period
  • AIR in shaping = interface port speed
  • CIR in shaping = Bc/Tc Average speed ( shaping rate )
  • Shaping on egress
  • Policing on ingress
  • IN Policing when packet is dropped , no tokens are removed from bucket
  • CAR Policing isn’t supported on , Fast etherchannel , Tunnel , PRI and CEF unsupported interfaces
  • Single tocken bucket is used when no violate-action is configured on policing , two bucket system used when violate-action is specified
  • GTS and class-based shaping using WFQ by default
  • GTS isn’t supported on PPP Multilink inteface
  • Adaptive traffic-shaping isn’t supported on class-based shaping
  • DCEF must be enabled before DTS
  • FRTS At pvc Level
  • On 3560 QOS , 2 ingres queue , Q2 is priority Queue by default
  • on 3560 QOS , 4 egress Queue , Q1 is priority Queue by default
  • on 3560 QOS , Shaped round robin ovverides sharing RR
  • Shared round robin formula of calculating allocated bandiwth ,

srr-queue bandiwt share 30 (Q1)  20 (Q2) 25 (Q3) 25 ( Q4)

on 100 Mbp/s interfaces , ( 30/100×100 = 30 mbps for Q1 )

on 10 Mbp/s interfaces , ( 30/100×10 = 3 mbps for Q1 )


  • On RSTP , Tc , switch starts timer to equal value to twice the hello timer
  • On RSTP , During Tc switch flushed all mac addressed associated to ports except TCN Recieving interface
  • STP BID = 8 byte
  • 12 bits are reserved for extended-system ID in 802.1D
  • ON Mst , Configuration name = 32 byte
  • On Mst , Revision number  = 2 byte
  • On STP , If cost tie in root path  election , switch prefers lowest upstream BID , if BID tie then Lowest PID ( Port id )
  • On STP BPDUs are send every 2 sec by default
  • RSTP Sync Proccess occurs only on P2P non edge ports
  • Inter region path selection using CST on MSTP
  • With flex link , once primary ink fails every mac addresses moved to backup link , any dummy multicast packet is sent to backup link wit all mac addresses as source
  • Protected ports prevents communication on same vlan at Layer 3
  • VTP Pruning supported only on server and client mode
  • 2 – 1001 vlans are prune eligible
  • VTPv1 in transparent inspects messages and then forwards if Domain name matchs , Not same in V2
  • ISL Frame encapsulation is 30 byte!
  • Dot.1q tag is 4 byte
  • minimal size of frame with dot.1q is 68 byte


  • FC00::/7 – Unique Local Addresses
  • 2001:/3 – Global unicast
  • FF00::/8 – Multicast
  • FE80::/10 – Link-Local
  • Router advertisements is disabled by default on ISATAP Tunnels , can be enabled with command no ipv6 nd suppress-ra
  • OSPF Multicast address = FF02::5 , FF02::6
  • EIGRPv6 Multicast address = FF02::A
  • IPv6IP Tunneling protocol id = 41


  • SNMPv3 supports DES Encryption , in “Fututure” AES will be supported 
  • SNMP Using UDP 161/162 ports


  • On ZBF , self zone by defaut in/out traffic is allowed
  • ON ZBF , Self zone doesn’t supports Application inspection
  • CBAC Session logging can be enabled via audit trails
  • Reflexive ACL Doesn’t supports protocol inspection , only TCP/UDP apps
  • Port security default violation is shutdown
  • ACL log-input keyword gives us src and dst mac & ip address logging opportunity

IOS Services

  • RMON’s has two components , Alarm and Event
  • HSRP Uses multicast on UDP at port 1985
  • Netflow common versions , 5,9
  • On Outside to inside NAT , Routing and then inspection occurs after translation
  • VRF definition command enables multiprotocol VRF
  • GRE Protocol ID = 47
  • IPinIP protoco ID = 4
  • IPv6IP protocol id = 41
  • Tacacs using TCP port 49
  • Radius Using UDP port 1645/1812 for auth , UDP 1646 / 1813 for accounting
  • On BVI , in CRP mode Routers can bridge or route , not both at same time , But IRB allows you to Route and bridge same protocol stack on same interface.
  • On PBR , set ip next-hop verify-availability command checks if neighbor is in cdp peer and then forwards if match in table
  • Cron Timers , ” ***** ” , When zero 0 Value is issued , next timer is proccesed insead of zero 0 value place
  1. Min 0 – 59
  2. Hour 0 – 23
  3. Day of month 1 – 31
  4. Month of year 1 – 12
  5. Day of week 0 – 6 ( 0 is sunday )


  • EIGRPv6 process is disabled by default , must be enabled with no shutdown command
  • RIPng using UDP 521 port , Multicast FF02::9
  • On RIP , UDP Port 520 for transport
  • RIPv1 updates sent as broadcast
  • RIPv2 updates sent as multicast (
  • On RIP , Update time = 30 Sec
  • On RIP , Invalid time = 180 Sec
  • On RIP , holdown time = 180
  • On RIP , Flush time = 280
  • On RIP , metric 16 is infinite
  • On RIP , offset-list filtering ACL 0 means all routes
  • On RIP , ip rip triggered sends updates only if changes occurs in databes
  • On RIP , rip source validation accepts updates only from same subnet , can be disabled by no validate-update-source command
  • EIGRP Protocol id  = 88
  • EIGRP Multicast addr =
  • EIGRP Hello interval on NBMA – 60
  • EIGRP Hello inverval on broadcast = 5
  • EIGRP Holdtime on NBMA = 180
  • EIGRP Holdtime on broadcast = 15
  • On EIGRP , By default eigrp using 50% of interface bandiwth.
  • On EIGRP , If feasible distance * varience > FS , load balancing occurs  ( Only FS are load balancing candidates
  • On EIGRP , if no fs is in neighbor table , Query mesage is sent when router lost route
  • On EIGRP , Query messages is suppresed by stub and summarization.
  • On EIGRP , Summared routes default AD is 5
  • On OSPF , IF  Forwarding address is suppressed while translation from type 7 to type 5 lsa , traffic s forwarded through ABR!
  • On OSPF , Point-to-multipoint , hub changes next hop itself when advertising one route from spoke to another spoke , and installs /32 spoke routes on each router.
  • On OSPF , DR / BDR is elected only on BROADCAST & non-broadcast network type links
  • On OSPF , if p2p or p2m familly intetface is connected to non p2p or p2m famllly networks , neighborship comes up and LSA’s wil be exchanged but routes not installed into RIB
  • On OSPF , Hello interval on P2P & Broadcast = 10
  • On OSPF , Dead interval on P2P & Broadcast = 40
  • On OSPF , hello interval on P2M , P2M-NB , & Non-broadcast = 30
  • On OSPF , Dead interval on P2M , P2M-NB , & Non-broadcast = 120
  • On OSPF , Point-to-multipoint Non-broadcast is same as P2M but sends ellos as unicast and allows per VC Cost configuration on FRR
  • On OSPF , Loopback network-type is advertised as /32 , can be disabled with ip ospf network point-to-point command
  • On OSPF , IF Multiple ABR’s exist , ABR with higher RID will be elected as LSA type 7 to 5 translator
  • On OSPF , Default redistribute sed metric is 20
  • On OSPF with MPLS , If router runs VRF – Lite router thinks it’s PE router and checks DN-bit in ospf which is set to T3 LSA by default , we can solve it with command capability vrf-lite or set different domain-id on each PE’s which advertise T5 LSA , or simply we can configure sham-links which gives us intra-area routes on CE’s.
  • BGP Denies ospf external routes by default
  • EBGP Routes is allowed to redistribute into IGP , IBGP routes is denied by default
  • On BGP , 4 byte ASN’s on old BGP Speakers are send AS dot numbers encoded as ASN (23456)
  • On BGP , Private ASes is 64512-65535
  • On BGP , Localy originated routes have weight 32,768
  • On BGP , TTL-Security can’tbe configured with peer when already had configured ebgp-multihop
  • On BGP , in RR’s non-clients learned routes isn’t advertised to non-clients
  • On BGP , OSPF External routes osn’t redistributed into BGP by defaylt , special keyword is requried “internal , external” under redistribute statement
  • On BGP , When redistributing from IGP to BGP , metric is automaticaly copied to MED
  • BGP Community – NO-EXPORT = Don’t advertise route to EBGP Peers
  • BGP Community – NO-ADVERTISE = Don’t advertise route to any peers.
  • BGP Community – LOCAL-AS = Don’t Advertise route outside of AS
  • On MPLS , 4 byte header used in MPLS
  • LDP Neighbor discovery to UDP port 646 to

Frame Relay

  • inverse-arp Request can be disabled with no frame-relay inverse-arp command , Reply can’t be  disabled
  • InARP Is disabled when static mapping is configured , and dynamic maping is overided by static entrys
  • If is in frame relay mapping table , it means auto-install is failed and can’t get configuration from tftp
  • auto-install happens when routers doesn’t have configuration in NVRAM
  • Frame relay gets address and TFTP information Via BootP
  • Ansi and Q933a LMI Types listens for messages on DLCI 0 , CISCO LMI Type listens on DLCI 1023


  • Once neighbors negotiate IPCP , Router adds each others /32 routes into RIB , Can be disabled this behaviour with no peer neighbor-route command
  • PAP Auth – Clear text usr , clear text pass
  • CHAP Auth – Clear text usr , MD5 hashed pass
  • PPP Adds 8 bit on PPPoFR
  • in PPP , Dialer persisten means that circuit is always up

Hope this helps.

Aaand my long time journey is starting here , moving to lab 🙂

Fun with OSPF and my first blogpost

Hello there guys , this is my first blogpost on this blog , i’ll try to write everything about R&S and SP stuff when i’ll have time and muse 🙂 Stay tuned with my CCIE Journey.

Recently i had a great conversation with my twitter friend @icemarkom about OSPF LSA T4 propagation he showed me how i was wrong ,  so this article will be interesting for people who still thinks ( like i was thinking before ) that LSA T5 is neccessary on ASBR’s to Advertise T4 LSA through ABR.

Well okay , When router becomes ASBR it will set E flag on LSA T1 LSU , Some people think that ABR’s need to receive Type 5 LSA to generate Type 4 LSA into another area , As i was thinking before the conversation. 🙂

Here is the little scenario ,

Run ospf with simple configuration ,R1#

router ospf 10
 network area 1
router ospf 10
 network area 1
 network area 0

router ospf 10
 network area 1
 network area 0

Here is the Simple LSA Type 1 LSU From R1 to R2 without any redistribution , We see Flag s 0x00 .Image

What about if we redistribute connected or  routing protocol routes into ospf  with routmap which doesn’t match anything?!
Let’s do it

R1(config)#ip access-list standard nothing
R1(config-std-nacl)#deny any
R1(config)#route-map nothing
R1(config-route-map)#match ip address nothing
R1(config-route-map)#router ospf 10
R1(config-router)#redistribute connected subnets route-map nothing

Let’s look at LSU from R1 to R2 , Now we see Flag is 0x02 which means here is something called E-bit


Now R2 is advertising Type 4 LSA to Area 0 with LSID

Router#sh ip ospf database asbr-summary

            OSPF Router with ID ( (Process ID 1)

        Summary ASB Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 156
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(AS Boundary Router)
  Link State ID: (AS Boundary Router address)
  Advertising Router:
  LS Seq Number: 80000001
  Checksum: 0x20BE
  Length: 28
  Network Mask: /0
    TOS: 0     Metric: 1

What about R1’s or R2’s LSDB? there is not anything about external T5 or T7 LSA.

R1#show ip ospf database external

OSPF Router with ID ( (Process ID 10)
R2#show ip ospf database external

OSPF Router with ID ( (Process ID 10)

I said it is so stupid decision to send LSU with E-bit without any external route , but as marko said when you are redistributing from any routing protocol or connected route it doesn’t matter this will create or not Type 5 external LSA’s into LSDB , ASBR Always set E-bit when there is redistribution statement under ospf proccess , So ospf avoid SPF calculation when Type 5 LSA is removed or  Added Into LSDB  during redistribution , SPF Calc happens when Type 1 or Type 2 LSA’s are changed , Every other lsa is used for interarea communication and uses Distance vector logic.

That’s all , special thanks to marko for clearing somethings for me! ,

Hope this helps 🙂