ヨタ助


Friday, December 31, 2010

Control Plane Policy

If the task says to make the ping success rate "3 out of 10", use a control-plane policy to obtain the rate the task specifies.

11.29 IOS Login Enhancements

login quiet-mode access-class ACL#
With this command, the exemption applies only to the source address. Addresses that do not match a permit entry in the ACL naturally cannot connect while quiet mode is active, but even an address that does match a permit entry is kicked out after a single failed login attempt, and quiet mode is re-applied for the configured duration (40 seconds in the example below).

R3 Configuration

access-list 1 permit 150.1.5.5

login block-for 40 attempts 3 within 30
login delay 2
login quiet-mode access-class 1
login on-failure log every 3
login on-success log

username TEST password 0 TEST

Verification

Attempt a telnet login from R5 to R3
Rack1R5#telnet 150.1.3.3                     
Trying 150.1.3.3 ... Open

Rack1R5#
User Access Verification

Username: fe
Password:
% Login invalid

Username: fea
Password:
% Login invalid

Username: fea
Password:
% Login invalid

[Connection to 150.1.3.3 closed by foreign host]

*** 3 failed logins from a source address other than 150.1.5.5 ***

Rack1R5#telnet 150.1.3.3 /source-interface lo0
Trying 150.1.3.3 ... Open


User Access Verification

Username: TEST
Password:
% Login invalid
*** The source address 150.1.5.5 is exempted, so the login attempt gets through. However, only one attempt is allowed: after a single failure the session is kicked out ***

[Connection to 150.1.3.3 closed by foreign host]
Rack1R5#telnet 150.1.3.3 /source-interface lo0
Trying 150.1.3.3 ... Open


User Access Verification

Username: fa
Password:
% Login invalid

[Connection to 150.1.3.3 closed by foreign host]



Log output on R3 for the case above
*Mar  1 01:29:22.355: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: fa] [Source: 150.1.5.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 01:29:22 UTC Fri Mar 1 2002
*Mar  1 01:29:22.363: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: fa] [Source: 150.1.5.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 01:29:22 UTC Fri Mar 1 2002

Rack1R3#sh login
     A login delay of 2 seconds is applied.
     Quiet-Mode access list 1 is applied.
     All successful login is logged.
     Every 3 failed login is logged.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 30 seconds or less,
     logins will be disabled for 40 seconds.

     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 37 seconds.
     Restricted logins filtered by applied ACL 1.

Rack1R3#sh login
     A login delay of 2 seconds is applied.
     Quiet-Mode access list 1 is applied.
     All successful login is logged.
     Every 3 failed login is logged.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 30 seconds or less,
     logins will be disabled for 40 seconds.

     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 36 seconds.
     Restricted logins filtered by applied ACL 1.
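The same policy can be replayed on the syslog side, so a collector sees what the router sees. The following is an added example, not part of the original post: it parses %SEC_LOGIN messages, counts failures per source address inside the "attempts 3 within 30" window, and also reports the caveat shown above, namely a QUIET_MODE_ON event raised by a source that the quiet-mode ACL permits (an exempt host that failed once and re-armed quiet mode). The sample log is constructed; its last two lines are the two R3 messages quoted above, the attacker address 192.0.2.5 is hypothetical, and it assumes every failure is logged (plain "login on-failure log"; with "every 3", as configured on R3, the collector would see only one line per three failures and undercount).

```python
"""Replay IOS login-block thresholds over %SEC_LOGIN syslog lines.

Added example, not from the original post or from Cisco. Thresholds
mirror 'login block-for 40 attempts 3 within 30' and the exempt set
mirrors 'login quiet-mode access-class 1' (permit 150.1.5.5).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout of SEC_LOGIN messages as seen on the page: "[user: X]
# [Source: A.B.C.D] [localport: N]", optional "[Reason: ...]" and
# "[ACL: n]", and a trailing "at HH:MM:SS TZ Dow Mon D YYYY".
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]+)\])?"
    r"(?: \[ACL: (?P<acl>[^\]]+)\])?"
    r" at (?P<stamp>\d\d:\d\d:\d\d \w+ \w{3} \w{3} \d{1,2} \d{4})"
)

# Constructed sample: lines 1-4 are hypothetical (attacker 192.0.2.5),
# lines 5-6 are the two R3 messages quoted in the post.
SAMPLE_LOG = """\
*Mar  1 01:28:40.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: fe] [Source: 192.0.2.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 01:28:40 UTC Fri Mar 1 2002
*Mar  1 01:28:44.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: fea] [Source: 192.0.2.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 01:28:44 UTC Fri Mar 1 2002
*Mar  1 01:28:48.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: fea] [Source: 192.0.2.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 01:28:48 UTC Fri Mar 1 2002
*Mar  1 01:28:48.310: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: fea] [Source: 192.0.2.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 01:28:48 UTC Fri Mar 1 2002
*Mar  1 01:29:22.355: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: fa] [Source: 150.1.5.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 01:29:22 UTC Fri Mar 1 2002
*Mar  1 01:29:22.363: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: fa] [Source: 150.1.5.5] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 01:29:22 UTC Fri Mar 1 2002
"""


def parse(line):
    """Return the SEC_LOGIN fields of one syslog line, or None if unrelated."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The timezone token (UTC here) is dropped; all stamps from one router share it.
    hms, _tz, rest = rec["stamp"].split(" ", 2)
    rec["time"] = datetime.strptime(hms + " " + rest, "%H:%M:%S %a %b %d %Y")
    return rec


def detect(lines, attempts=3, within=30, exempt=()):
    """Flag a source on its `attempts`-th LOGIN_FAILED inside `within` seconds
    (the router's own block-for trigger), and flag any QUIET_MODE_ON whose
    source is in `exempt`: an ACL-permitted host that re-armed quiet mode.
    """
    window = timedelta(seconds=within)
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, now = rec["source"], rec["time"]
        if rec["mnemonic"] == "LOGIN_FAILED":
            q = recent[src]
            q.append(now)
            while q and now - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= attempts:
                findings.append(("BRUTE_FORCE", src, len(q)))
                q.clear()                      # start a fresh count, like the router
        elif rec["mnemonic"] == "QUIET_MODE_ON" and src in exempt:
            findings.append(("EXEMPT_SOURCE_REARMED_QUIET_MODE", src, rec["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines(), exempt={"150.1.5.5"}):
        print(finding)
```

Run stand-alone it prints one BRUTE_FORCE finding for 192.0.2.5 and one EXEMPT_SOURCE_REARMED_QUIET_MODE finding for 150.1.5.5. The second finding is the operational point of the post: the quiet-mode ACL only keeps the door open for that address; it does not stop a single failure from it extending the outage for everyone else.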

Saturday, December 04, 2010

7.27 BGP Bestpath Selection - DMZ Link Bandwidth

During this scenario, I got the message below after clear ip bgp * soft had completed.



*Mar  1 11:27:45.373: %FIB-4-UNEQUAL: Range of unequal path weightings too large for prefix 28.119.16.0/24. Some available paths may not be used.


The example output below is not for the 28.119.16.0/24 prefix, but the output should be the same (I also confirmed it with 28.119.16.0/24). After modifying the bandwidth on R6, the error message has not shown up any more.

With "bandwidth" of se0/0 on R6 (connected to BB1) set as in the workbook answer
  >> 2000(K), the value that produced the %FIB-4-UNEQUAL message above; it appears below as DMZ-Link Bw 250 kbytes (2000 kbit/s divided by 8) <<
Rack1R1#sh ip bgp 112.0.0.0
BGP routing table entry for 112.0.0.0/8, version 148
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Multipath: iBGP
Flag: 0x8800
  Advertised to update-groups:
        1    2
  54 50 60, (Received from a RR-client)
    204.12.1.254 (metric 2560002816) from 155.1.146.4 (150.1.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal, multipath, best
      DMZ-Link Bw 12500 kbytes
  54 50 60, (Received from a RR-client)
    54.1.1.254 (metric 2560002816) from 155.1.146.6 (150.1.6.6)
      Origin IGP, metric 0, localpref 100, valid, internal, multipath
      DMZ-Link Bw 250 kbytes
Rack1R1#sh ip route 112.0.0.0
Routing entry for 112.0.0.0/8
  Known via "bgp 100", distance 200, metric 0
  Tag 54, type internal
  Last update from 54.1.1.254 00:00:15 ago
  Routing Descriptor Blocks:
  * 204.12.1.254, from 155.1.146.4, 00:00:15 ago
      Route metric is 0, traffic share count is 48
      AS Hops 3
      Route tag 54
    54.1.1.254, from 155.1.146.6, 00:00:15 ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 54


After modifying "bandwidth" of se0/0 on R6 (connected to BB1)
  >> changed from the workbook's 2000(K) to 4096(K); it appears below as DMZ-Link Bw 512 kbytes, which brings the traffic share ratio down from 48:1 to 24:1 <<
Rack1R1#sh ip bgp 112.0.0.0 
BGP routing table entry for 112.0.0.0/8, version 163
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Multipath: iBGP
Flag: 0x8800
  Advertised to update-groups:
        1    2
  54 50 60, (Received from a RR-client)
    204.12.1.254 (metric 2560002816) from 155.1.146.4 (150.1.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal, multipath, best
      DMZ-Link Bw 12500 kbytes
  54 50 60, (Received from a RR-client)
    54.1.1.254 (metric 2560002816) from 155.1.146.6 (150.1.6.6)
      Origin IGP, metric 0, localpref 100, valid, internal, multipath
      DMZ-Link Bw 512 kbytes
Rack1R1#sh ip route 112.0.0.0
Routing entry for 112.0.0.0/8
  Known via "bgp 100", distance 200, metric 0
  Tag 54, type internal
  Last update from 54.1.1.254 00:00:06 ago
  Routing Descriptor Blocks:
  * 204.12.1.254, from 155.1.146.4, 00:00:06 ago
      Route metric is 0, traffic share count is 24
      AS Hops 3
      Route tag 54
    54.1.1.254, from 155.1.146.6, 00:00:06 ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 54

Reference URL
http://cciepursuit.wordpress.com/2008/09/15/disabling-eigrp-unequal-cost-load-balancing/