IPSEC tunnels with crypto maps

IPSEC = Black magic?

IPsec tunnels can seem like black magic that firewalls just happen to figure out on their own, especially once you start looking at the IPsec configuration at the CLI level. I expect the topic to come up at the CCIE lab, probably with several twists, and definitely with some DMVPN as well.

MPLS L3VPN and OSPF Sham Links

Let's jump right into a task. Refer to the topology described below:

R1 = Route reflector, reflecting VPNv4 routes between PE routers
R2 and R3 = PE routers
R4 and R5 = CE routers

The CE routers run OSPF with the PE routers, and an MPLS L3VPN is set up with mutual redistribution between OSPF and BGP VPNv4.

A backdoor link is set up directly between the CE routers for redundancy.

Task: The backdoor link is of very poor quality. Make sure it is used as a backup only, and that the MPLS path is used as the primary path.
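Why plain cost tuning is not enough: OSPF always prefers an intra-area route over an inter-area or external route regardless of cost, and the routes that cross the MPLS backbone are re-originated by the remote PE as inter-area (or external) routes, so R4 and R5 will always pick the intra-area backdoor path. A sham link between the PE routers makes the MPLS path look like an intra-area OSPF adjacency, so cost decides again. The following Cisco IOS configuration is an added example, not the original post's solution or a verified lab config; the VRF name CUST, AS 65000, OSPF process 100, area 0 for the CE side and the 10.255.0.x endpoint addresses are all assumptions.

```cisco
! Added example, not from the original post. VRF name, AS number,
! OSPF process/area and all addresses are assumptions.
!
! ---- R2 (PE) ----
ip vrf CUST
 rd 65000:1
 route-target both 65000:1
!
! Sham-link endpoint: a /32 inside the VRF. It must be reachable
! through BGP VPNv4 only and must never be advertised into OSPF.
interface Loopback100
 ip vrf forwarding CUST
 ip address 10.255.0.2 255.255.255.255
!
! Keep the sham-link endpoints out of the BGP->OSPF redistribution.
ip prefix-list SHAM-ENDPOINTS seq 5 permit 10.255.0.0/24 ge 32
route-map BGP-TO-OSPF deny 10
 match ip address prefix-list SHAM-ENDPOINTS
route-map BGP-TO-OSPF permit 20
!
router ospf 100 vrf CUST
 router-id 10.255.0.2
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
 ! Source = local endpoint, destination = R3's endpoint. The area must
 ! be the one the CE routes live in. The sham-link cost plus the PE-CE
 ! link costs must be lower than the cost of the backdoor path so the
 ! intra-area route via the sham link wins on R4 and R5.
 area 0 sham-link 10.255.0.2 10.255.0.3 cost 10
!
router bgp 65000
 address-family ipv4 vrf CUST
  network 10.255.0.2 mask 255.255.255.255
  redistribute ospf 100 match internal external 1 external 2
!
! ---- R3 (PE), mirror image ----
interface Loopback100
 ip vrf forwarding CUST
 ip address 10.255.0.3 255.255.255.255
!
router ospf 100 vrf CUST
 router-id 10.255.0.3
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
 area 0 sham-link 10.255.0.3 10.255.0.2 cost 10
!
router bgp 65000
 address-family ipv4 vrf CUST
  network 10.255.0.3 mask 255.255.255.255
  redistribute ospf 100 match internal external 1 external 2
!
! ---- Verification ----
! R2: show ip ospf sham-links      (state should be FULL)
! R4: show ip route ospf           (remote CE network should be an "O"
!                                  intra-area route with next hop R2,
!                                  not across the backdoor)
! R4: shut the PE-facing link, then confirm the backdoor route takes over.
```

If the sham link comes up but the CEs still route over the backdoor, compare costs: the backdoor path (sum of the R4-R5 link costs) has to be more expensive than R4-R2 + sham link + R3-R5, so raise "ip ospf cost" on the backdoor interfaces if needed. If the sham link never leaves the down state, check that the endpoint /32 is in the VRF routing table of the remote PE as a BGP route and not as an OSPF route.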

BGP timers

I just ran across some timers and realized I need to sort things out for myself so I can repeat them before the lab exam.

What timers do we need to know with BGP and what do they do?

  1. BGP scanner
  2. BGP I/O (advertisement interval)
  3. BGP keepalive/holdtime

BGP scanner

The BGP scanner runs once per scan interval for the whole BGP process ("bgp scan-time", 60 seconds by default, configurable between 5 and 60 seconds). It walks every prefix in the BGP table and checks that the NEXT_HOP is still reachable in the routing table, so prefixes whose next hop has disappeared are marked invalid; on current IOS next-hop tracking makes that reaction event driven, but the scanner still runs. The same pass also processes conditional advertisement, route injection and route dampening, and imports new routes into the BGP table from the RIB for "network" statements and "redistribute" commands.

BGP I/O (advertisement interval)

I/O handles the BGP UPDATE and KEEPALIVE messages. The part you can tune is the advertisement interval, configured per neighbor: the minimum time between UPDATE runs towards that neighbor. It implicitly controls prefix batching. With a longer interval, more changed prefixes accumulate and are sent together in the same run of UPDATE messages; with an interval of 0, changes are sent as soon as they are ready, so little or no batching takes place. Defaults are 30 seconds for eBGP peers and 0 seconds for iBGP peers (older IOS releases used 5 seconds for iBGP).

The advertisement interval is configured per neighbor with "neighbor <address> advertisement-interval <seconds>". It does not affect keepalives; those are controlled by the keepalive/holdtime timers.

Keepalive/holdtime

"timers bgp <keepalive> <holdtime>" configures the keepalive interval and holdtime for the entire BGP process; these are what decide whether a session is considered alive or dead. Default values are 60 and 180 seconds. The holdtime is negotiated at session setup to the lower of the two values the peers propose, and IOS then uses the configured keepalive or one third of the negotiated holdtime, whichever is smaller. The process-wide values can be overridden for a single session with "neighbor <address> timers <keepalive> <holdtime>".
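All three timers in one router bgp stanza, as an added Cisco IOS example that is not from the original post; the AS numbers, neighbor addresses and the chosen values are assumptions picked to make the differences visible.

```cisco
! Added example, not from the original post. AS numbers, neighbor
! addresses and timer values are assumptions.
router bgp 65000
 ! 1. Scanner: walk the BGP table every 30 s instead of the 60 s default
 !    (allowed range 5-60). Lower = faster next-hop invalidation, more CPU.
 bgp scan-time 30
 !
 ! 3. Keepalive/holdtime for the whole process (defaults 60 180).
 !    Holdtime is negotiated down to the lower of the two peers' values;
 !    keep keepalive at about one third of holdtime.
 timers bgp 20 60
 !
 ! 2. Advertisement interval on an eBGP peer (default 30 s for eBGP):
 !    batch changed prefixes for up to 10 s before sending UPDATEs.
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 advertisement-interval 10
 !
 ! iBGP peer: default advertisement interval is already 0 s. Per-neighbor
 ! timers override the process-wide "timers bgp" for this session only.
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 timers 10 30
!
! Verification:
! show running-config | include scan-time
! show ip bgp neighbors 192.0.2.2
!   -> "hold time is 60, keepalive interval is 20 seconds" (negotiated
!      values; if the peer proposes holdtime 30, expect 30 and 10)
!   -> "Minimum time between advertisement runs is 10 seconds"
```

Aggressive keepalive/holdtime values detect a dead peer faster but also tear the session down on short congestion or control-plane stalls, and every flap re-advertises the whole table; BFD is the usual way to get sub-second failure detection without shrinking the BGP timers.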