Archives for posts with tag: IP

I was asked a question about MPLS labels within a VRF. The question was: "When I type the command 'show mpls ldp bindings vrf xxx', I don't see any labels for my remote site prefixes."

In this case the labels aren't assigned by LDP; they are assigned by BGP.

The command he was looking for was "show ip bgp vpnv4 vrf xxx labels". I think a light went on in his head when I explained this to him!

If you're still confused, imagine the (unidirectional) LSP from R1 to R4 as a virtual connection, if you like, where R4 is the egress LSR for the packet. The packet travels R1 -> R2 -> R3 -> R4. The next hop is listed as R4 even though the packet has to pass through R2 and R3, which, by the way, add their own labels on top of the bottom-of-stack label for R4.


R1 pushes on the label 1234 for R4 and another label on top for R2, which is 22. R2 removes its own label (22) and adds the label for R3, which is 33. R3 removes its own label (33) and forwards the packet with the label 1234 to R4. The bottom-of-stack bit on label 1234 is set to 1, so R4 removes that label and forwards the IP packet.
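To make the push/swap/pop sequence concrete, here is an added Python example (not from the original post) that walks a packet along the R1 -> R2 -> R3 -> R4 LSP using the post's label values 1234, 22 and 33, packing each label into a real 32-bit shim header so the bottom-of-stack bit is visible. The per-hop forwarding tables are constructed for illustration.

```python
import struct

def shim(label, bos, ttl=64, tc=0):
    """One 32-bit MPLS shim header: label 20 bits, TC 3 bits, S 1 bit, TTL 8 bits (RFC 3032)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)

def top(pkt):
    """Decode the top-of-stack shim as (label, bottom_of_stack)."""
    word, = struct.unpack("!I", pkt[:4])
    return word >> 12, bool((word >> 8) & 1)

# Constructed per-hop actions keyed by the incoming top label (None = unlabelled IP at ingress R1).
# R1 pushes the BGP-assigned VPN label 1234 with S=1 and the LDP transport label 22 on top of it;
# R2 and R3 only ever look at the transport label; R4 pops 1234 and routes the IP payload in the VRF.
ACTIONS = {
    "R1": {None: ("push", (1234, 22))},
    "R2": {22: ("swap", 33)},
    "R3": {33: ("pop", None)},
    "R4": {1234: ("pop", None)},
}

def forward(hop, pkt, labelled):
    """Apply one hop's action to pkt; returns (new_pkt, still_labelled)."""
    key = top(pkt)[0] if labelled else None
    action, arg = ACTIONS[hop][key]
    if action == "push":
        vpn, transport = arg
        return shim(transport, False) + shim(vpn, True) + pkt, True
    _, bos = top(pkt)
    rest = pkt[4:]
    if action == "swap":
        return shim(arg, bos) + rest, True
    # pop: if the label just removed carried S=1, what is left is the plain IP packet
    return rest, not bos

def trace(ip_payload):
    """Walk R1 -> R2 -> R3 -> R4; return the top (label, S) leaving each hop (None = IP) and the final packet."""
    pkt, labelled, seen = ip_payload, False, []
    for hop in ("R1", "R2", "R3", "R4"):
        pkt, labelled = forward(hop, pkt, labelled)
        seen.append(top(pkt) if labelled else None)
    return seen, pkt

if __name__ == "__main__":
    hops, out = trace(b"constructed IP packet")
    for hop, t in zip(("R1", "R2", "R3", "R4"), hops):
        print(f"leaving {hop}: top label {t}")   # 22, 33, then 1234 with S=1, then plain IP
```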

https://tools.ietf.org/html/rfc3107

RH


It's worth making some notes on qos pre-classify to clear up a few misconceptions I found online.

Firstly, I set up a lab to confirm what I'm about to say. The reason we use this command is to allow QoS to correctly classify or view the packets based on the original header. Once a packet is encapsulated it is treated the same as any other encapsulated packet: the original header and its QoS value are no longer visible to the forwarding device.

So by enabling this command we apply the classification before the encapsulation or tunnelling happens.

Apply the command "qos pre-classify" to a tunnel interface, a crypto map or a virtual tunnel interface.

Classification based on layer 3 and layer 4 information is the exact reason to consider using this feature. Classification based on ToS or DSCP values does not need it, because IPsec inherently preserves the ToS byte.

Once you've added the pre-classify command, apply a service-policy outbound on the physical interface; all IP packets will then be classified pre-encapsulation on any tunnels egressing that physical interface. In other words, you will see hits on the individual classes of the policy-map.

A really great resource I found online is this QoS values calculator, check it out:

http://www.netcontractor.pl/blog/?p=371

RH

A common scenario you might come across is a device on your network that needs to be restricted, for example a third-party PC that doesn't meet your security requirements but needs to access a production server.

If your network can support it, segment this part of your network with a VLAN and route between the VLANs on a layer 3 switch or at the router. In my example it's a layer 3 switch: write the access list, then apply it on the VLAN interface either inbound or outbound.

Below is the basic config for VLAN 10. Anything in this VLAN will only be able to access the production server at 10.50.5.10, which happens to be on VLAN 20; the same approach applies to devices or whole subnets on a different switch or even across the WAN. To make it interesting, I'll allow the clients access only on TCP port 80, and also allow them to look up DNS on the same server, which is UDP port 53.


Create your ACL
————————————-
ip access-list extended 100
permit ip any 192.168.1.0 0.0.0.255
permit tcp any host 10.50.5.10 eq www
permit udp any host 10.50.5.10 eq domain
deny ip any any log

Apply your ACL to the VLAN interface
————————————-
interface vlan 10
ip access-group 100 in

That's all you have to do to restrict the traffic. It's very simple; the inbound and outbound directions are hard to understand at first, but just imagine yourself standing on top of the switch and think about the traffic direction. In my case the traffic from VLAN 10 is inbound to the switch.
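To check what the access list above actually lets through before applying it, here is an added Python example (not from the original post) that evaluates access list 100 with IOS first-match semantics and wildcard masks against a handful of constructed packets from a VLAN 10 client; the client address 10.10.10.5 and the sample flows are made up for the demonstration.

```python
import socket
import struct

def ip2int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def addr_match(pkt_ip, spec):
    """spec is 'any', 'host A' or 'A W' (address plus wildcard); a wildcard bit of 1 means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    addr, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    return ((ip2int(pkt_ip) ^ ip2int(addr)) & ~ip2int(wild) & 0xFFFFFFFF) == 0

# Access list 100 from the post, one tuple per line: (action, protocol, source, destination, dest port).
# 'www' and 'domain' in the IOS syntax are port 80 and port 53.
ACL_100 = [
    ("permit", "ip",  "any", "192.168.1.0 0.0.0.255", None),
    ("permit", "tcp", "any", "host 10.50.5.10", 80),
    ("permit", "udp", "any", "host 10.50.5.10", 53),
    ("deny",   "ip",  "any", "any", None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins, top down, like IOS: returns (action, entry index), or ('deny', None) for the implicit deny."""
    for i, (action, aproto, asrc, adst, aport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:
            continue
        if not (addr_match(src, asrc) and addr_match(dst, adst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, i
    return "deny", None

# Constructed sample traffic from a VLAN 10 client at 10.10.10.5.
SAMPLES = [
    ("tcp", "10.10.10.5", "10.50.5.10", 80),        # web to the production server: permit (entry 1)
    ("udp", "10.10.10.5", "10.50.5.10", 53),        # DNS to the same server: permit (entry 2)
    ("tcp", "10.10.10.5", "10.50.5.10", 22),        # SSH to the server: deny (entry 3, logged)
    ("tcp", "10.10.10.5", "10.50.5.11", 80),        # web to a different host: deny (entry 3)
    ("icmp", "10.10.10.5", "192.168.1.77", None),   # anything to 192.168.1.0/24: permit (entry 0)
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(ACL_100, *pkt))
```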

RH

Disaster recovery is an important part of my job. One very useful command I use is the Cisco IOS archive command. There are a few different things you can do with it, but I mainly use it for backing up my configs. You can also use it to log all commands typed, which is helpful from a security standpoint because it shows what changes were made to a device and by whom, or you can compare differences between archived configs.

The config below backs up your device to an FTP server on your network every 1440 minutes.

The $h inserts the hostname and the $t inserts the date and time stamp into the archived file name, so this config is generic. You could also add the "write-memory" option, which takes a backup every time you save a changed config.

ip ftp username router
ip ftp password router

archive
  path ftp://192.168.1.1/$h-config-$t.cfg
  time-period 1440
  write-memory

As soon as you enter the commands, the router immediately sends a copy of the running-config to the FTP server, with a file name something like this:

“router1-config-May-29-14-03-18.056.cfg”

RH

This command might save you from a whole world of trouble!

For example, you've got a scheduled change coming up on your WAN router that's a little risky: you might cut yourself off from the router half way through the change. What do you do to mitigate this risk?

Well, if you don't have OOB (out-of-band) access to the router, you would use the following command:

#reload in 20

This reloads the router in 20 minutes, reverting to the last saved config. So if you've been cut off, just wait out the time you specified and the router will reload with the old config.

To confirm how much time you have before the reload, use the command:

#show reload

Once you've completed your changes and they are successful, just issue the command:

#reload cancel

Also used to schedule a reload is the command:

#reload at 09:45

This reloads your router at the time you specify, but it obviously relies on your NTP settings being correct, so check this first.

Plan ahead!!

RH

Have you ever wondered if there is an easier way of working out the reverse (wildcard) mask for your ACLs? Instead of opening your subnet calculator you can do it all in your head, like this.
For example, a /27 prefix translates to 27 bits, so 255.255.255.224, with a reverse mask of 0.0.0.31.

A full 8-bit byte is 255; 255 minus your 224 equals 31, so there you have it, the reverse mask of 224 is 31.

Let's look at one more: a /26 prefix is 255.255.255.192, with a reverse mask of 0.0.0.63.

Again, 255 minus your 192 equals 63. Easy!
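The "255 minus the mask octet" trick is just a bitwise inverse, so it works for any prefix length, not only the last octet. Here is an added Python example (not from the original post) that generalises it to any /0 to /32 and adds the reverse check, wildcard back to prefix length, which rejects non-contiguous wildcards (IOS accepts those in an ACL, but they do not describe a subnet).

```python
def dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_masks(prefix):
    """Return (subnet mask, wildcard mask) in dotted decimal for a /prefix of length 0..32."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    wildcard = ~mask & 0xFFFFFFFF   # bitwise inverse: every octet is 255 minus the mask octet
    return dotted(mask), dotted(wildcard)

def wildcard_to_prefix(wildcard):
    """Inverse check: dotted wildcard -> prefix length. Raises if the wildcard is not contiguous."""
    value = 0
    for octet in wildcard.split("."):
        value = (value << 8) | int(octet)
    mask = ~value & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # A contiguous mask is fully determined by its number of one bits; anything else is not a subnet mask.
    if ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF) != mask:
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return prefix

if __name__ == "__main__":
    for p in (27, 26, 24, 20, 30):
        m, w = prefix_to_masks(p)
        print(f"/{p}: mask {m}  wildcard {w}  -> /{wildcard_to_prefix(w)}")
```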

RH