<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Pass CCIE Security</title>
	<atom:link href="http://www.passcciesecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.passcciesecurity.com</link>
	<description></description>
	<lastBuildDate>Mon, 13 Feb 2012 08:32:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>CCIE RS Exercise - For the World Class IT Certification</title>
		<link>http://www.passcciesecurity.com/ccie-in-security/ccie-rs-trainingcoachingeducationinstructionteachingschoolingexerciseworkout-for-ato-get-afor-anyfor-thefor-yourfor-just-a-worldglobeplanetentire-worldearthenvironment-class-3/</link>
		<comments>http://www.passcciesecurity.com/ccie-in-security/ccie-rs-trainingcoachingeducationinstructionteachingschoolingexerciseworkout-for-ato-get-afor-anyfor-thefor-yourfor-just-a-worldglobeplanetentire-worldearthenvironment-class-3/#comments</comments>
		<pubDate>Mon, 13 Feb 2012 08:32:04 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE in Security]]></category>
		<category><![CDATA[CCIE Lab Exam]]></category>
		<category><![CDATA[CCIE R&S]]></category>
		<category><![CDATA[CCIE Training]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=411</guid>
<description><![CDATA[CCIE RS training is intended for highly capable networking professionals and is a wide-ranging learning program. It is meant to raise your competency to an expert level while giving you the skills and coaching to pass this rigorous examination. CCIE is the most direct way to obtain the Cisco Internetwork Expert [...]]]></description>
			<content:encoded><![CDATA[<p>CCIE RS training is intended for highly capable networking professionals and is a wide-ranging learning program. It is meant to raise your competency to an expert level while giving you the skills and coaching to pass this rigorous examination. CCIE is the most direct way to obtain the Cisco Internetwork Expert certification. It is also the highest level of certification offered by Cisco Systems. IT professionals who manage large networks and are experienced with Cisco equipment must pass an extensive exam to obtain this certification.</p>
<p>CCIE RS training is delivered at CCIE training schools, which have tutors, lecturers, and boot camps. The CCIE has six tracks: Storage Networking, Voice, Wireless, Routing &amp; Switching, Service Provider, and Security. The exam is considered extremely tough and an excellent one to pass, requiring both technical experience and dedication. It also makes you a member of an exclusive group of professionals, makes your resume stand out, and increases your credibility.</p>
<p>Moving forward in your career is the ambition of most IT professionals. CCIE RS training provides a platform that gives you an advantage in the job market. Once you begin looking for better opportunities inside or outside your company, the CCIE certification will help you reach your goal in this competitive environment.</p>
<p>You may have many reasons for taking CCIE RS training; a higher salary may be one of them. Obtaining this certification is not simple; it sometimes takes years to clear the exams. It takes eighteen months and a considerable amount of money to clear this test, which is why there is a large market for such certified professionals. The upside is that, with so few certified experts and high demand for them, the salaries offered are rather high.</p>
<p>After completing CCIE RS training, you are considered an expert in the networking field. Consequently, whenever a difficult situation arises, you will be the one called in to resolve the problem. With this certification, you will be recognized worldwide as highly qualified in the networking and technology industry.</p>
<p>It is essential to understand the overall structure of the CCIE RS examination so that you know what kind of preparation is needed. The examination consists of two main parts: the written exam and the lab exam. The written part is two hours long and consists of multiple-choice questions. You can sit the lab exam only after passing the written exam. The lab exam is an eight-hour test of your ability to assemble networking and software equipment and of your troubleshooting skills. You are given three years to pass the lab exam, after which you must retake the written exam before attempting the lab again.</p>
<p>Many candidates sitting the CCIE RS exam do not pass on the first attempt. Nonetheless, the success rate on the second attempt is fairly high. To improve your chances of passing, study the topics that are specific to the exam. One important thing to keep in mind is that, after earning this certificate, you must recertify every two years.</p>
<p>Consider studying the skills in every area listed in the Cisco blueprint. It is generally recommended to have at least four hundred hours of lab practice on simulated equipment in order to succeed in the CCIE Security lab exam. Dedicate part of your day to mastering each topic. Various study materials are available on the market for a better understanding of the topics covered in the Cisco blueprint. They help you prepare by means of structured software. You can invest in a good training program, which lets you improve your level of expertise.</p>
<p>You can opt for online training packages from reputable companies, which provide practice tests and other helpful services to enhance your skills. CCIE Security can be used as a ladder toward success. It is accepted as a recognized certification program in the networking industry worldwide. A CCIE in Security will open the gateway to a bright career.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-in-security/ccie-rs-trainingcoachingeducationinstructionteachingschoolingexerciseworkout-for-ato-get-afor-anyfor-thefor-yourfor-just-a-worldglobeplanetentire-worldearthenvironment-class-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Generating RSA Keys</title>
		<link>http://www.passcciesecurity.com/ccie-bootcamps/generating-rsa-keys/</link>
		<comments>http://www.passcciesecurity.com/ccie-bootcamps/generating-rsa-keys/#comments</comments>
		<pubDate>Sat, 11 Feb 2012 08:32:14 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Security]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=408</guid>
		<description><![CDATA[The first thing to notice is that the output includes the following line:
The name for the keys will be: Router1.oreilly.com
The router name and domain name are always included in the key. So it is critical to define these two values before generating the keys. If you generate the keys first and then change the router's [...]]]></description>
			<content:encoded><![CDATA[<p align="left">The first thing to notice is that the output includes the following line:</p>
<pre>The name for the keys will be: Router1.oreilly.com</pre>
<p align="left">The router name and domain name are always included in the key. So it is critical to define these two values before generating the keys. If you generate the keys first and then change the router's name or domain, the keys may no longer work:</p>
<pre>Router1(config)#hostname Router1</pre>
<pre>Router1(config)#ip domain-name oreilly.com</pre>
<p align="left">When you use the crypto key generate command to create new keys, the router must delete any existing keys:</p>
<pre>Router1(config)#crypto key generate rsa</pre>
<pre>The name for the keys will be: Router1.oreilly.com</pre>
<pre>% You already have RSA keys defined for Router1.oreilly.com.</pre>
<pre>% Do you really want to replace them? [yes/no]: yes</pre>
<pre>Choose the size of the key modulus in the range of 360 to 2048 for your</pre>
<pre>General Purpose Keys. Choosing a key modulus greater than 512 may take</pre>
<pre>a few minutes.</pre>
<pre>How many bits in the modulus [512]: 1024</pre>
<pre>Generating RSA keys ...</pre>
<pre>[OK]</pre>
<pre>Router1(config)#</pre>
<p align="left">This has the side effect that, during key generation, any services on the router currently using these keys will be temporarily disabled. Key generation can take a considerable length of time, depending on the model of router and the size of the key modulus. We have seen a low-end access router take as long as an hour to generate a key with a very large modulus for greater security. During this time, the router's CPU load was extremely high. So we urge caution when using this command.</p>
<p align="left">You can remove existing keys with the crypto key zeroize command:</p>
<p align="left">Router1(config)#crypto key zeroize rsa</p>
<p align="left">% Keys to be removed are named Router1.oreilly.com.</p>
<p align="left">Do you really want to remove these keys? [yes/no]: yes</p>
<p align="left">Router1(config)#</p>
<p align="left">
<p align="left">If the router has any services that are using the deleted keys, it will automatically disable them until you generate new keys.</p>
<p align="left">You can also generate special usage keys as follows:</p>
<p align="left">Router1(config)#crypto key generate rsa usage-keys</p>
<p align="left">The name for the keys will be: Router1.oreilly.com</p>
<p align="left">% You already have RSA keys defined for Router1.oreilly.com.</p>
<p align="left">% Do you really want to replace them? [yes/no]: yes</p>
<p align="left">Choose the size of the key modulus in the range of 360 to 2048 for your</p>
<p align="left">Signature Keys. Choosing a key modulus greater than 512 may take</p>
<p align="left">a few minutes.</p>
<p align="left">
<p align="left">How many bits in the modulus [512]: 1024</p>
<p align="left">Generating RSA keys ...</p>
<p align="left">[OK]</p>
<p align="left">Choose the size of the key modulus in the range of 360 to 2048 for your</p>
<p align="left">Encryption Keys. Choosing a key modulus greater than 512 may take</p>
<p align="left">a few minutes.</p>
<p align="left">
<p align="left">How many bits in the modulus [512]: 1024</p>
<p align="left">Generating RSA keys ...</p>
<p align="left">[OK]</p>
<p align="left">
<p align="left">Router1(config)#</p>
<p align="left">
<p align="left">This command creates separate authentication signature and encryption keys. Note that we have created a 1024-bit key in this example. In general, longer keys are more secure, but also require considerably more computing time to generate. SSH Communications Security Corporation, the original developer of the SSH protocol, currently recommends a key length of 2048 bits for most applications.</p>
<p align="left">You can look at the public keys with the show crypto key command:</p>
<p align="left">Router1#show crypto key mypubkey rsa</p>
<p align="left">% Key pair was generated at: 01:29:04 EST Mar 1 2003</p>
<p align="left">Key name: Router1.oreilly.com</p>
<p align="left">Usage: Signature Key</p>
<p align="left">Key Data:</p>
<p align="left">30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AAED98</p>
<p align="left">0E454C8F ED9DB93E 312B00BD FF561C49 5480344A 094F0EA8 0D994051 AC627CF2</p>
<p align="left">5FA7F802 DB0A1206 4EB8F8E5 122C9B2D 0F3A20D8 C0E90280 D4F6518A 9C6C2E48</p>
<p align="left">A570D05A AE2881CA B9366990 931C4A7E EDC6B352 13815B91 3A02B44E 4655DE6D</p>
<p align="left">1CB5AB35 058B60AA 4639B696 A8EE735E DA15B300 B8A0CE51 7C42B73A 53020301 0001</p>
<p align="left">% Key pair was generated at: 01:29:11 EST Mar 1 2003</p>
<p align="left">Key name: Router1.oreilly.com</p>
<p align="left">Usage: Encryption Key</p>
<p align="left">Key Data:</p>
<p align="left">30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D18F99</p>
<p align="left">EC2A5754 C1FEF911 E16BFD80 6C3E9517 42716B78 99692618 B57B529B A9C19B23</p>
<p align="left">6D4BF3CE 39728DEF 2B3D10F9 3DABBDFD 8CAB09F7 0A56768C 053BB4AF 7F224E44</p>
<p align="left">FA341851 10152A86 28C2084F C13E0738 4C478BED 9960E229 CB112077 097F3DC9</p>
<p align="left">DD40D109 0A513D31 FF0FD51D B3515CEA F81738B6 5BB02FF6 812A01AC F7020301 0001</p>
<p align="left">% Key pair was generated at: 01:29:14 EST Mar 1 2003</p>
<p align="left">Key name: Router1.oreilly.com.server</p>
<p align="left">Usage: Encryption Key</p>
<p align="left">Key Data:</p>
<p align="left">307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B43311 D047EFBC</p>
<p align="left">314C57DB 93F3E755 5CEBF4B5 D0258169 6DAC695B A0F5DA35 C6C7B106 C2BB7863</p>
<p align="left">0201B68A 7C2F3313 47223065 BDF84692 BF974F2E E4037D5D C976DB3A 231D2603</p>
<p align="left">6DE8CDCE 8EAD613E 5C984091 55A6B0F5 920E285B 6E4ED34E 31020301 0001</p>
<p align="left">Router1#</p>
<p align="left">As you can see, the router now has a signature key and an encryption key where it previously had only a general purpose key. However, it is important to remember that this is only the public key. There is also a corresponding private key that you cannot view on the router. The router keeps this key in its NVRAM storage and sets file permissions so nobody can read it. The private key is what the router uses to encrypt things that it sends. The public key can decrypt anything encrypted with the private key. Every device that this router shares encrypted information with will need a copy of the public key, but the private key is secret.</p>
<p align="left">As a side effect of this, the public key provides an excellent authentication system. If a remote device's public key successfully decrypts a message from that device, then you know that this message must have been encrypted with that device's private key. And, consequently, if the private key is really private, the message must actually have been sent by that device.</p>
<p align="left">When you use these keys on routers, we highly recommend using the cut-and-paste feature on your terminal rather than trying to type all of this in manually. A single typographical error in this sequence will make the key useless. Note, however, that there is an inherent security risk in copying and pasting a key like this over a network. If you are using an insecure protocol like Telnet, the packet can be intercepted, and the key information is easily extracted. So you should avoid doing this over untrusted networks, or you should use a more secure access method such as SSH to access the routers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-bootcamps/generating-rsa-keys/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Creating an Encrypted VPN Between the LAN Interfaces of Two Routers</title>
		<link>http://www.passcciesecurity.com/ccie/creating-an-encrypted-vpn-between-the-lan-interfaces-of-two-routers/</link>
		<comments>http://www.passcciesecurity.com/ccie/creating-an-encrypted-vpn-between-the-lan-interfaces-of-two-routers/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 09:20:29 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE R&S]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=406</guid>
		<description><![CDATA[In this example, we show how to use IPSec in tunnel mode to encrypt traffic between the LAN interfaces of two routers. Here is the configuration of the first router:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM [...]]]></description>
			<content:encoded><![CDATA[<p>In this example, we show how to use IPSec in tunnel mode to encrypt traffic between the LAN interfaces of two routers. Here is the configuration of the first router:</p>
<pre>Router1#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router1(config)#crypto isakmp policy 10</pre>
<pre>Router1(config-isakmp)#encr aes 256</pre>
<pre>Router1(config-isakmp)#authentication pre-share</pre>
<pre>Router1(config-isakmp)#group 2</pre>
<pre>Router1(config-isakmp)#exit</pre>
<pre>Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth</pre>
<pre>Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256</pre>
<pre>Router1(cfg-crypto-trans)#exit</pre>
<pre>Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1</pre>
<pre>Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp</pre>
<pre>% NOTE: This new crypto map will remain disabled until a peer</pre>
<pre>    and a valid access list have been configured.</pre>
<pre>Router1(config-crypto-map)#set peer 172.16.2.1</pre>
<pre>Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM</pre>
<pre>Router1(config-crypto-map)#match address 103</pre>
<pre>Router1(config-crypto-map)#exit</pre>
<pre>Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255</pre>
<pre>Router1(config)#interface FastEthernet0/1</pre>
<pre>Router1(config-if)#ip address 192.168.16.1 255.255.255.0</pre>
<pre>Router1(config-if)#exit</pre>
<pre>Router1(config)#interface FastEthernet0/0</pre>
<pre>Router1(config-if)#ip address 172.16.1.1 255.255.255.0</pre>
<pre>Router1(config-if)#ip access-group 101 in</pre>
<pre>Router1(config-if)#crypto map LAN2LANMAP</pre>
<pre>Router1(config-if)#exit</pre>
<pre>Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2</pre>
<pre>Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1</pre>
<pre>Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp</pre>
<pre>Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1</pre>
<pre>Router1(config)#access-list 101 deny ip any any log</pre>
<pre>Router1(config)#end</pre>
<pre>Router1#</pre>
<p>The configuration for the second router is similar:</p>
<pre>Router2#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router2(config)#crypto isakmp policy 10</pre>
<pre>Router2(config-isakmp)#encr aes 256</pre>
<pre>Router2(config-isakmp)#authentication pre-share</pre>
<pre>Router2(config-isakmp)#group 2</pre>
<pre>Router2(config-isakmp)#exit</pre>
<pre>Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1</pre>
<pre>Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256</pre>
<pre>Router2(cfg-crypto-trans)#exit</pre>
<pre>Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp</pre>
<pre>% NOTE: This new crypto map will remain disabled until a peer</pre>
<pre>    and a valid access list have been configured.</pre>
<pre>Router2(config-crypto-map)#set peer 172.16.1.1</pre>
<pre>Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM</pre>
<pre>Router2(config-crypto-map)#match address 103</pre>
<pre>Router2(config-crypto-map)#exit</pre>
<pre>Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255</pre>
<pre>Router2(config)#interface FastEthernet0/1</pre>
<pre>Router2(config-if)#description Internal LAN</pre>
<pre>Router2(config-if)#ip address 192.168.15.1 255.255.255.0</pre>
<pre>Router2(config-if)#exit</pre>
<pre>Router2(config)#interface FastEthernet0/0</pre>
<pre>Router2(config-if)#description Connection to Internet</pre>
<pre>Router2(config-if)#ip address 172.16.2.1 255.255.255.0</pre>
<pre>Router2(config-if)#crypto map LAN2LANMAP</pre>
<pre>Router2(config-if)#exit</pre>
<pre>Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2</pre>
<pre>Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1</pre>
<pre>Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp</pre>
<pre>Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1</pre>
<pre>Router2(config)#access-list 101 deny ip any any log</pre>
<pre>Router2(config)#end</pre>
<pre>Router2#</pre>
<p>Another common way of handling site-to-site VPNs is to take advantage of the native IPSec tunnel capability to create a bridged connection between the inside LAN interfaces of the two routers, which is what we do in this recipe.</p>
<pre>Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256</pre>
<pre>Router1(cfg-crypto-trans)#exit</pre>
<p>The key difference between this transform set and the one from the previous recipe, shown next, lies in what is not there:</p>
<pre>Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256</pre>
<pre>Router1(cfg-crypto-trans)#mode transport</pre>
<pre>Router1(cfg-crypto-trans)#exit</pre>
<p>In this recipe, we want to use IPSec tunnel mode instead of transport mode. We could include a mode tunnel command in our transform set definition, but since that's the default, we have left it out to get the same effect.</p>
<p>The next difference comes in the crypto map configuration, and is also subtle:</p>
<pre>Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp</pre>
<pre>% NOTE: This new crypto map will remain disabled until a peer</pre>
<pre>    and a valid access list have been configured.</pre>
<pre>Router1(config-crypto-map)#set peer 172.16.2.1</pre>
<pre>Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM</pre>
<pre>Router1(config-crypto-map)#match address 103</pre>
<pre>Router1(config-crypto-map)#exit</pre>
<pre>Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255</pre>
<p>The principal difference here is that our access list does not match GRE packets on the external, Internet-facing interfaces of the routers. Instead, it matches all IP packets on the internal LAN interfaces.</p>
<p>The remainder of the configurations is essentially the same as in the previous recipe, but the effect is very different. In this case, we wind up with two routers that bridge their internal LAN interfaces. Any packet matching access list 103 is automatically picked up and bridged to the other router. In the previous recipe, by contrast, traffic between the LAN segments at the two sites was routed across the tunnel.</p>
<p>Note that this is not a fully functional Layer 2 bridge. In particular, it only passes IP traffic that happens to match the defined access-list. If you look at this access-list, you will see that it specifies different IP subnets for the source and destination addresses, which is not how you would normally construct a Layer 2 bridge. But the nice thing about doing this is that it automatically makes bridging loops impossible, which in turn means that we don't need to run Spanning Tree.</p>
<p>In general, we prefer to route rather than bridge. The biggest reason for this is that it allows us to run a routing protocol across the encrypted GRE tunnel. This in turn leads to several benefits:</p>
<ul>
<li>The routing protocol Hello packets will ensure that the ISAKMP keys are always refreshed.</li>
<li>The ability to log neighbor changes makes it possible to track exactly when a VPN goes down and comes back up, which is highly useful in troubleshooting.</li>
<li>In cases when there are three or more sites interconnected by VPNs, you can configure a redundant partial mesh of VPNs for relaying packets between sites.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie/creating-an-encrypted-vpn-between-the-lan-interfaces-of-two-routers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>sense of understanding. The CCIE labs variety</title>
		<link>http://www.passcciesecurity.com/ccie-bootcamps/sense-of-understanding-the-ccie-labs-typekindsortformvarietystyle/</link>
		<comments>http://www.passcciesecurity.com/ccie-bootcamps/sense-of-understanding-the-ccie-labs-typekindsortformvarietystyle/#comments</comments>
		<pubDate>Thu, 09 Feb 2012 09:51:11 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Lab Exam]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=404</guid>
<description><![CDATA[With CCIE, professionals have an opportunity to establish themselves in the networking industry. Only a few thousand people are thought to have cleared the CCIE exam. CCIE labs are regarded as providing a high level of training environment, which serves as a major [...]]]></description>
			<content:encoded><![CDATA[<p>With CCIE, professionals have an opportunity to establish themselves in the networking industry. Only a few thousand people are thought to have cleared the CCIE exam. CCIE labs are regarded as providing a high level of training environment, which serves as a major asset for candidates.</p>
<p>The CCIE examination consists of two tests: a CCIE written exam and a CCIE lab exam. To be able to attempt the lab exam, you must first clear the written exam. If you are not able to clear the written exam the first time, you must wait one hundred and eighty days before retaking it. After clearing the written exam, you must make an attempt at the CCIE lab exam within eighteen months. If you are unable to clear the lab exam, you must retry within 12 months in order to keep the written exam result valid.</p>
<p>The written exam has a time limit of two hours and is taken at various test centers across the world. The topics covered in the written exam depend on the specialization or track you select. For Service Provider, you can choose from categories such as Cable, DSL, IP Telephony, Dial, Content Networking, Optical, WAN Switching, and Metro Ethernet. Every written exam is first made available in beta form at a cost of $50 USD.</p>
<p>The CCIE lab exam is unique in nature, as it is an eight-hour exam that tests the candidate's ability to configure and troubleshoot networking equipment. Cisco has a substantial amount of equipment in its CCIE labs for use in lab exams. The blueprint for the lab exam is available on its website. The lab exam is not available at Pearson VUE or Prometric testing centers.</p>
<p>A typical CCIE R&amp;S lab exam includes a two-hour troubleshooting section in which you are presented with a set of tickets for preconfigured networks in the CCIE labs. You must be able to identify and resolve the faults. You proceed to the configuration section once you finish the troubleshooting section.</p>
<p>A valid passing score is required to attempt a <a href="http://www.cathayschool.com/">CCIE Labs</a> test. Cisco uses proctors to evaluate candidates in the preliminary rounds at its CCIE labs located worldwide. Points are awarded when a criterion is met, and grading is completed using automated tools. The results of a lab exam are reported within forty-eight hours. A pass/fail is shown in the final result and, in case of a fail, the areas where you fell short are indicated so that you can prepare properly before a retry.</p>
<p>Cisco stands out in the field of networking by offering the CCIE certification, so that you can pursue your education and be recognized by a reputable organization. The CCIE lab exam can be used as a platform to test your ability in the various tracks offered by Cisco. Attempting a lab test requires rigorous training and a strong sense of understanding. The CCIE labs form the first step toward a promising career.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-bootcamps/sense-of-understanding-the-ccie-labs-typekindsortformvarietystyle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Committed Access Rate</title>
		<link>http://www.passcciesecurity.com/ccie-bootcamps/using-committed-access-rate-2/</link>
		<comments>http://www.passcciesecurity.com/ccie-bootcamps/using-committed-access-rate-2/#comments</comments>
		<pubDate>Wed, 08 Feb 2012 08:39:20 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE in Security]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=402</guid>
		<description><![CDATA[Committed Access Rate (CAR) provides a useful method for policing the traffic rate through an interface. The main features of CAR are functionally similar to traffic shaping, but it also allows several extremely useful extensions. This first example shows the simplest application. We have configured CAR here to do basic rate limiting. The interface will [...]]]></description>
			<content:encoded><![CDATA[<p>Committed Access Rate (CAR) provides a useful method for policing the traffic rate through an interface. The main features of CAR are functionally similar to traffic shaping, but it also allows several extremely useful extensions. This first example shows the simplest application. We have configured CAR here to do basic rate limiting. The interface will transmit packets at an average rate of 500,000 bps, allowing bursts of 4500 bytes. If there is a burst of longer than 9000 bytes, the router will drop the excess packets:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>This next example defines three different traffic classifications using access-lists, and separately limits the rates of these applications:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#access-list 101 permit tcp any eq www any</pre>
<pre>Router(config)#access-list 101 permit tcp any any eq www</pre>
<pre>Router(config)#access-list 102 permit tcp any eq ftp any</pre>
<pre>Router(config)#access-list 102 permit tcp any any eq ftp</pre>
<pre>Router(config)#access-list 102 permit tcp any eq ftp-data any</pre>
<pre>Router(config)#access-list 102 permit tcp any any eq ftp-data</pre>
<pre>Router(config)#access-list 103 permit ip any any</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group 101 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output access-group 102 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output access-group 103 400000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>CAR also includes a useful option to match DSCP in the rate-limit command without needing to resort to an access-group. In the following example, the DSCP values with the highest drop precedence values are rate limited. Note that unlike several other Cisco commands, here you must specify the decimal value of the DSCP field. Please refer to Table B-3 in Appendix B for a list of these values:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output dscp 14 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output dscp 22 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output dscp 30 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>And, finally, CAR also allows you to define a new kind of access-list called a rate-limiting access-list:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#access-list rate-limit 55 5</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>People are often confused about the difference between CAR and traffic shaping because they appear to perform extremely similar functions. However, there is one very important difference. When a traffic shaping interface experiences a burst of data, it attempts to buffer the excess. But CAR just does whatever exceed-action you have specified:</p>
<pre>Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop</pre>
<p>In this example, the exceed-action is to simply drop the packet. Meanwhile, the conform-action in each example is to simply transmit the packet. Any traffic that falls below the configured rate is said to conform. CAR includes several other possibilities besides simply transmitting or dropping the packet:</p>
<p>drop</p>
<p>CAR drops the packet.</p>
<p>transmit</p>
<p>CAR transmits the packet unchanged.</p>
<p>set-prec-transmit</p>
<p>CAR changes the IP Precedence of the packet and then transmits it.</p>
<p>continue</p>
<p>CAR moves on to evaluate the next rate-limit command on this interface.</p>
<p>set-prec-continue</p>
<p>CAR changes the IP Precedence and then evaluates the next rate-limit command.</p>
<p>Cisco has added several additional options to IOS Versions 12.0(14)ST and higher:</p>
<p>set-dscp-continue</p>
<p>CAR changes the DSCP field and then evaluates the next rate-limit command.</p>
<p>set-dscp-transmit</p>
<p>CAR changes the DSCP field and then transmits the packet.</p>
<p>set-qos-continue</p>
<p>CAR sets the qos-group and then evaluates the next rate-limit command.</p>
<p>set-qos-transmit</p>
<p>CAR sets the qos-group and then transmits the packet.</p>
<p>And two additional commands that you can use with MPLS to alter the MPLS Experimental field:</p>
<p>set-mpls-exp-continue</p>
<p>CAR sets the MPLS Experimental field and then evaluates the next rate-limit command.</p>
<p>set-mpls-exp-transmit</p>
<p>CAR sets the MPLS Experimental field and then transmits the packet.</p>
<p>The various continue options allow you to string together a series of CAR commands on an interface to do more sophisticated things:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#access-list 101 permit tcp any eq www any</pre>
<pre>Router(config)#access-list 101 permit tcp any any eq www</pre>
<pre>Router(config)#access-list 103 permit ip any any</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output 50000 4500 4500 conform-action transmit exceed-action continue</pre>
<pre>Router(config-if)#rate-limit output access-group 101 100000 4500 9000 conform-action set-prec-transmit 3 exceed-action continue</pre>
<pre>Router(config-if)#rate-limit output access-group 103 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>In this example, the interface will transmit all packets when the rate is 50,000 bps or less. As soon as the traffic exceeds that rate, however, the router starts to bump up the IP Precedence of all HTTP traffic to a value of 3, and all other traffic goes down to a Precedence of 0. It will continue to transmit all of these packets until the average rate exceeds 100,000 bps. You can use this sort of technique to carefully tune how your network behaves in congestion situations.</p>
<p>You can also use CAR and the exceed-action set-prec-transmit command to lower the Precedence of high-priority IP traffic when it exceeds its allocated portion of the bandwidth. Simply transmitting it with a lower Precedence represents a useful intermediate step before dropping high-priority packets outright. However, with real-time packets, it is better to drop than to buffer or remark, because those options would introduce unwanted latency and jitter.</p>
<p>The other useful thing you can do with CAR is to rate-limit inbound traffic:</p>
<pre>Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action drop</pre>
<p>Of course, it's never completely ideal to allow a remote device to send too many packets across the network, only to drop them as they are received. But it is sometimes useful when your network acts as a service provider to other networks. For example, you might have downstream customers who have subscribed to a sub-rate service. This would include things like selling access through an Ethernet port, but restricting the customer to some lower rate such as 100 Kbps.</p>
<p>Alternatively, you could use inbound rate-limit commands to ensure that your downstream customers are allowed to use your network for surfing the Web, but only if the rate is kept below some threshold:</p>
<pre>Router(config)#access-list 101 permit tcp any eq www any</pre>
<pre>Router(config)#access-list 101 permit tcp any any eq www</pre>
<pre>Router(config)#access-list 103 permit ip any any</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action continue</pre>
<pre>Router(config-if)#rate-limit input access-group 101 100000 4500 9000 conform-action drop exceed-action continue</pre>
<pre>Router(config-if)#rate-limit input access-group 103 100000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>Or you could even use CAR to simply rewrite the IP Precedence values of all packets received from a customer:</p>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit input 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action set-prec-transmit 0</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>This same technique is also helpful in combating Internet-based Denial of Service attacks. For example, if your network is being inundated with PING flood or SYN ACK attacks, you might want to look specifically for these types of packets, and make sure that they are restricted to a low but reasonable rate. This way, the legitimate uses of these packets will not suffer, but you will reduce the service denial problem.</p>
<p>The last example in the Solution section of this recipe needs a little bit of explanation because some of the properties can be confusing:</p>
<pre>Router(config)#access-list rate-limit 55 5</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<p>The access-list rate-limit command allows you to create a new and special variety of access-lists, especially for use with CAR. There are three ranges of rate-limiting access-list index numbers. You use access-lists with values between 0 and 99 to match IP Precedence values. If the index number is between 100 and 199, it will match MAC addresses, and if it is between 200 and 299, it matches MPLS experimental field values.</p>
<p>In the example above, access-list number 55 simply matches all packets with IP Precedence values of 5. You can also use a precedence bit mask to match several values in an 8-bit Precedence field that Cisco invented especially for this task. In this field, Precedence value 0 is represented by the binary number 00000001, 1 is represented as 00000010, and so forth up to IP Precedence value 7, which is 10000000. The mask is found by adding these binary values for each of the Precedence values you wish to include. For example, to match Precedence values 0, 1, and 2, you could use a mask of 00000111, which is 0x07 in hex:</p>
<pre>Router(config)#access-list rate-limit 56 mask 07</pre>
<p>The MPLS access-lists work in a similar way, matching the value in the MPLS experimental field:</p>
<pre>Router(config)#access-list rate-limit 255 6</pre>
<pre>Router(config)#access-list rate-limit 256 mask 42</pre>
<p>And the MAC address access-lists work on standard Ethernet or Token Ring 48-bit MAC addresses:</p>
<pre>Router(config)#access-list rate-limit 155 0000.0c07.ac01</pre>
<p>You have to be careful about how you use these rate-limiting access-lists, because it's easy to get them confused with regular access-lists. You can have a regular access-list with the same number as a rate-limiting access-list. The only difference is that you apply rate-limiting access-lists with the rate-limit keyword on the rate-limit command as follows:</p>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-bootcamps/using-committed-access-rate-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>related to CCIE Bootcamp.</title>
		<link>http://www.passcciesecurity.com/ccie-bootcamps/regardingconcerningrelating-towith-regards-topertaining-toaboutrelated-toin-relation-to-ccie-bootcamp/</link>
		<comments>http://www.passcciesecurity.com/ccie-bootcamps/regardingconcerningrelating-towith-regards-topertaining-toaboutrelated-toin-relation-to-ccie-bootcamp/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 09:14:07 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Labs]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=399</guid>
		<description><![CDATA[It is aimed at picking out the specialists in the networking industry for renowned organizations presenting opportunities in their technical departments. In order to obtain CCIE certification, the candidates must pass two important assessments. First of all, the written exam is to be passed, after which [...]]]></description>
			<content:encoded><![CDATA[<p>It is aimed at picking out the specialists in the networking industry for renowned organizations presenting opportunities in their technical departments. In order to obtain CCIE certification, the candidates must pass two important assessments. First of all, the written exam is to be passed, after which the candidates can sit for the lab exam. Only the shortlisted candidates can finally obtain CCIE certification. The <a href="http://www.cathayschool.com">CCIE Bootcamp</a> is specially designed to prepare you for the CCIE exams.</p>
<p>CCIE Bootcamps offer the simplest way of passing the CCIE exams. There are many different firms and institutes which offer CCIE Bootcamp training, such as Cathay School. To become eligible for the bootcamps, the institutes often set a prerequisite. It helps to improve the applicants' chances of passing the CCIE exams better than others. This prerequisite is CCNP status.</p>
<p>The fee for taking the CCIE Security exam is substantial, so most candidates take a preparation course to pass it in one sitting. Some independent organizations and institutions provide courses and workshops to people seeking CCIE Security training. However, most candidates prefer to use the instructor-led and online workshops which Cisco offers as part of its Authorized Learning Partners program. The training opportunities are provided, and the instructors are approved, by Cisco.</p>
<p>For the CCIE Security certification, you have to register for the written exam in your area of specialization. All of the exams are conducted at a Cisco authorized facility, which also accepts payment for the test. The price of taking a CCIE written exam is from $80 to $325. The written exam is proctored and taken on a computer. It is a one- to two-hour paper made up of multiple-choice, drag-and-drop and fill-in-the-blank questions. Apart from whiteboards and markers for calculations, as a candidate for the CCIE Security exam you are not permitted to bring any other item into the exam hall.</p>
<p>The CCIE Bootcamp is accompanied by a number of techniques to deliver the best preparation content to the students. They mainly provide some must-have publications to prepare them for the written CCIE exam, together with some online access for the lab exam. Based on these two categories, the CCIE Bootcamp is divided into two sections: course structure and lab simulation. The course structure involves two phases, hands-on training and lecture-based courses. In the course structure the students are given knowledge of bit splitting, VLSM and so on. The lab simulation, however, is the most significant part of the CCIE Bootcamp. Here the students have to cope with many real-life challenges, and their troubleshooting skills are tested accordingly. This is the final stage of the CCIE Bootcamp, where the students are well prepared for Blueprint v4, MPLS and so forth. These methodologies help students to troubleshoot any real-life problems and enhance their ability to make the right decisions.</p>
<p>But there are few trustworthy institutes available on the market which offer complete CCIE Bootcamps. One of several well-renowned institutes is Cathay School, which renders high-quality services in the case of bootcamps for the CCIE. They provide bootcamp services to a very large number of students from many corners of the world, such as Australia, Norway, the United Kingdom, Sweden, the USA and many more. According to the data of this institute from 2005, they have maintained a record percentage pass rate in the CCIE exam. This record is itself a kind of guarantee for them. There are many reasons to choose Cathay School for CCIE Bootcamps. The record pass rate of nearly 90% is its most attractive feature. Besides that, another remarkable feature is the one-to-one lab training, which helps the students clear up most of their doubts about any problem with the instructors.</p>
<p>The required information about the bootcamp is available on the organization's official website, cathayschool.com. It is a very handy site which provides many striking facilities such as online Self-Study CCIE Lab Workbooks, one-on-one online training, instructor-led training and so on. All of the facilities, together with the course durations and the fees, are well described there, so that visitors should not need to experience any kind of problem in relation to <a href="http://www.cathayschool.com">CCIE Bootcamps</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-bootcamps/regardingconcerningrelating-towith-regards-topertaining-toaboutrelated-toin-relation-to-ccie-bootcamp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Committed Access Rate</title>
		<link>http://www.passcciesecurity.com/ccie/using-committed-access-rate/</link>
		<comments>http://www.passcciesecurity.com/ccie/using-committed-access-rate/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 09:06:23 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE in Security]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=396</guid>
		<description><![CDATA[Committed Access Rate (CAR) provides a useful method for policing the traffic rate through an interface. The main features of CAR are functionally similar to traffic shaping, but it also allows several extremely useful extensions. This first example shows the simplest application. We have configured CAR here to do basic rate limiting. The interface will [...]]]></description>
			<content:encoded><![CDATA[<p>Committed Access Rate (CAR) provides a useful method for policing the traffic rate through an interface. The main features of CAR are functionally similar to traffic shaping, but it also allows several extremely useful extensions. This first example shows the simplest application. We have configured CAR here to do basic rate limiting. The interface will transmit packets at an average rate of 500,000 bps, allowing bursts of 4500 bytes. If a burst is longer than 9000 bytes, the router will drop the excess packets:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>This next example defines three different traffic classifications using access-lists, and separately limits the rates of these applications:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#access-list 101 permit tcp any eq www any</pre>
<pre>Router(config)#access-list 101 permit tcp any any eq www</pre>
<pre>Router(config)#access-list 102 permit tcp any eq ftp any</pre>
<pre>Router(config)#access-list 102 permit tcp any any eq ftp</pre>
<pre>Router(config)#access-list 102 permit tcp any eq ftp-data any</pre>
<pre>Router(config)#access-list 102 permit tcp any any eq ftp-data</pre>
<pre>Router(config)#access-list 103 permit ip any any</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group 101 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output access-group 102 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output access-group 103 400000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>CAR also includes a useful option to match DSCP in the rate-limit command without needing to resort to an access-group. In the following example, the DSCP values with the highest drop precedence values are rate limited. Note that unlike several other Cisco commands, here you must specify the decimal value of the DSCP field. Please refer to Table B-3 in Appendix B for a list of these values:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output dscp 14 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output dscp 22 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#rate-limit output dscp 30 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>And, finally, CAR also allows you to define a new kind of access-list called a rate-limiting access-list:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#access-list rate-limit 55 5</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>People are often confused about the difference between CAR and traffic shaping because they appear to perform extremely similar functions. However, there is one very important difference. When a traffic shaping interface experiences a burst of data, it attempts to buffer the excess. But CAR just does whatever exceed-action you have specified:</p>
<pre>Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop</pre>
<p>In this example, the exceed-action is to simply drop the packet. Meanwhile, the conform-action in each example is to simply transmit the packet. Any traffic that falls below the configured rate is said to conform. CAR includes several other possibilities besides simply transmitting or dropping the packet:</p>
<p>drop</p>
<p>CAR drops the packet.</p>
<p>transmit</p>
<p>CAR transmits the packet unchanged.</p>
<p>set-prec-transmit</p>
<p>CAR changes the IP Precedence of the packet and then transmits it.</p>
<p>continue</p>
<p>CAR moves on to evaluate the next rate-limit command on this interface.</p>
<p>set-prec-continue</p>
<p>CAR changes the IP Precedence and then evaluates the next rate-limit command.</p>
<p>Cisco has added several additional options to IOS Versions 12.0(14)ST and higher:</p>
<p>set-dscp-continue</p>
<p>CAR changes the DSCP field and then evaluates the next rate-limit command.</p>
<p>set-dscp-transmit</p>
<p>CAR changes the DSCP field and then transmits the packet.</p>
<p>set-qos-continue</p>
<p>CAR sets the qos-group and then evaluates the next rate-limit command.</p>
<p>set-qos-transmit</p>
<p>CAR sets the qos-group and then transmits the packet.</p>
<p>And two additional commands that you can use with MPLS to alter the MPLS Experimental field:</p>
<p>set-mpls-exp-continue</p>
<p>CAR sets the MPLS Experimental field and then evaluates the next rate-limit command.</p>
<p>set-mpls-exp-transmit</p>
<p>CAR sets the MPLS Experimental field and then transmits the packet.</p>
<p>The various continue options allow you to string together a series of CAR commands on an interface to do more sophisticated things:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#access-list 101 permit tcp any eq www any</pre>
<pre>Router(config)#access-list 101 permit tcp any any eq www</pre>
<pre>Router(config)#access-list 103 permit ip any any</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output 50000 4500 4500 conform-action transmit exceed-action continue</pre>
<pre>Router(config-if)#rate-limit output access-group 101 100000 4500 9000 conform-action set-prec-transmit 3 exceed-action continue</pre>
<pre>Router(config-if)#rate-limit output access-group 103 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>In this example, the interface will transmit all packets when the rate is 50,000 bps or less. As soon as the traffic exceeds that rate, however, the router starts to bump up the IP Precedence of all HTTP traffic to a value of 3, and all other traffic goes down to a Precedence of 0. It will continue to transmit all of these packets until the average rate exceeds 100,000 bps. You can use this sort of technique to carefully tune how your network behaves in congestion situations.</p>
<p>You can also use CAR and the exceed-action set-prec-transmit command to lower the Precedence of high-priority IP traffic when it exceeds its allocated portion of the bandwidth. Simply transmitting it with a lower Precedence represents a useful intermediate step before dropping high-priority packets outright. However, with real-time packets, it is better to drop than to buffer or remark, because those options would introduce unwanted latency and jitter.</p>
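<p>To make the chained evaluation concrete, here is an added simulation of the three rate-limit statements above (example code written for this page, not Cisco's implementation, and it serves the identical chained example earlier in this feed as well). Each statement is modelled as a token bucket whose depth is the normal burst in bytes and whose refill rate is the committed rate; the extended-burst argument (the 9000) is not modelled, so a packet that does not fit in the bucket simply takes the exceed-action. The packet sizes, arrival times and ports are constructed. Walking a 20-packet HTTP burst through the chain shows the first 4500 bytes leaving unchanged, the next 4500 bytes leaving with Precedence 3, the next 4500 bytes with Precedence 0, and the rest dropped. Nothing is ever queued, which is exactly how policing differs from shaping.</p>

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A CAR action as written in the config: ("transmit",), ("drop",), ("continue",),
# ("set-prec-transmit", 3), ("set-prec-continue", 3).
Action = Tuple[str, ...]


@dataclass
class Packet:
    t: float           # arrival time in seconds (constructed sample data)
    size: int          # length in bytes
    proto: str         # "tcp", "udp", ...
    sport: int
    dport: int
    prec: int = 0      # IP Precedence, rewritten in place by set-prec-* actions


@dataclass
class RateLimit:
    """One 'rate-limit' statement modelled as a token bucket (normal burst only)."""
    rate_bps: int                # committed rate in bits per second
    normal_burst: int            # bucket depth in bytes
    conform: Action
    exceed: Action
    match: Optional[Callable[[Packet], bool]] = None   # None = no access-group, match all
    tokens: float = field(init=False, default=0.0)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.normal_burst)   # the bucket starts full

    def police(self, pkt: Packet) -> Action:
        # Refill for the time elapsed since the previous packet, capped at the burst.
        self.tokens = min(self.normal_burst,
                          self.tokens + (pkt.t - self.last_t) * self.rate_bps / 8)
        self.last_t = pkt.t
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size     # conforming packets consume tokens
            return self.conform
        return self.exceed              # exceeding packets consume nothing; no queue


def apply_chain(chain: List[RateLimit], pkt: Packet) -> str:
    """Evaluate the statements in order, as CAR does on an interface.

    Returns "transmit" or "drop". A *-continue action falls through to the next
    statement whose access-group matches; if none decides, the packet is forwarded.
    """
    for rl in chain:
        if rl.match is not None and not rl.match(pkt):
            continue                    # statement does not apply to this packet
        verb, *args = rl.police(pkt)
        if verb.startswith("set-prec-"):
            pkt.prec = args[0]
        if verb.endswith("transmit"):
            return "transmit"
        if verb == "drop":
            return "drop"
    return "transmit"


def acl_101(pkt: Packet) -> bool:
    """access-list 101: TCP to or from port 80 (www), either direction."""
    return pkt.proto == "tcp" and 80 in (pkt.sport, pkt.dport)


def build_chain() -> List[RateLimit]:
    """The three output statements from the example above, in interface order."""
    return [
        # rate-limit output 50000 4500 4500 conform-action transmit exceed-action continue
        RateLimit(50000, 4500, ("transmit",), ("continue",)),
        # rate-limit output access-group 101 100000 4500 9000
        #     conform-action set-prec-transmit 3 exceed-action continue
        RateLimit(100000, 4500, ("set-prec-transmit", 3), ("continue",), acl_101),
        # rate-limit output access-group 103 100000 4500 9000
        #     conform-action set-prec-transmit 0 exceed-action drop  (103 = permit ip any any)
        RateLimit(100000, 4500, ("set-prec-transmit", 0), ("drop",)),
    ]


def run_example() -> dict:
    """Push a constructed burst through the chain and summarise the outcome."""
    chain = build_chain()
    # Constructed traffic: a burst of 20 HTTP packets of 1000 bytes at t=0, one DNS
    # packet inside the same burst, then one HTTP packet a full second later.
    pkts = [Packet(0.0, 1000, "tcp", 40000 + i, 80) for i in range(20)]
    pkts.append(Packet(0.0, 1000, "udp", 40100, 53))
    pkts.append(Packet(1.0, 1000, "tcp", 40200, 80))
    summary = {"transmit": 0, "drop": 0, "prec3": 0}
    for pkt in pkts:
        result = apply_chain(chain, pkt)
        summary[result] += 1
        if result == "transmit" and pkt.prec == 3:
            summary["prec3"] += 1
    # The last packet arrives after the first bucket has refilled: forwarded unchanged.
    summary["after_refill"] = (pkts[-1].prec, result)
    return summary


if __name__ == "__main__":
    print(run_example())
```

<p>Because exceeding packets do not consume tokens, the bucket of the first statement has refilled by t=1.0 and that packet conforms again and is forwarded with its Precedence untouched. The DNS packet inside the burst skips statement 101 entirely (its access-group does not match) and is dropped by statement 103 once that bucket is empty too, which is the same "no buffer, just the exceed-action" behaviour the text contrasts with shaping.</p>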
<p>The other useful thing you can do with CAR is to rate-limit inbound traffic:</p>
<pre>Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action drop</pre>
<p>Of course, it's never completely ideal to allow a remote device to send too many packets across the network, only to drop them as they are received. But it is sometimes useful when your network acts as a service provider to other networks. For example, you might have downstream customers who have subscribed to a sub-rate service. This would include things like selling access through an Ethernet port, but restricting the customer to some lower rate such as 100 Kbps.</p>
<p>Alternatively, you could use inbound rate-limit commands to ensure that your downstream customers are allowed to use your network for surfing the Web, but only if the rate is kept below some threshold:</p>
<pre>Router(config)#access-list 101 permit tcp any eq www any</pre>
<pre>Router(config)#access-list 101 permit tcp any any eq www</pre>
<pre>Router(config)#access-list 103 permit ip any any</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action continue</pre>
<pre>Router(config-if)#rate-limit input access-group 101 100000 4500 9000 conform-action drop exceed-action continue</pre>
<pre>Router(config-if)#rate-limit input access-group 103 100000 4500 9000 conform-action transmit exceed-action drop</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>Or you could even use CAR to simply rewrite the IP Precedence values of all packets received from a customer:</p>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit input 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action set-prec-transmit 0</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>This same technique is also helpful in combating Internet-based Denial of Service attacks. For example, if your network is being inundated with PING flood or SYN ACK attacks, you might want to look specifically for these types of packets, and make sure that they are restricted to a low but reasonable rate. This way, the legitimate uses of these packets will not suffer, but you will reduce the service denial problem.</p>
<p>The last example in the Solution section of this recipe needs a little bit of explanation because some of the properties can be confusing:</p>
<pre>Router(config)#access-list rate-limit 55 5</pre>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop</pre>
<p>The access-list rate-limit command allows you to create a new and special variety of access-lists, especially for use with CAR. There are three ranges of rate-limiting access-list index numbers. You use access-lists with values between 0 and 99 to match IP Precedence values. If the index number is between 100 and 199, it will match MAC addresses, and if it is between 200 and 299, it matches MPLS experimental field values.</p>
<p>In the example above, access-list number 55 simply matches all packets with IP Precedence values of 5. You can also use a precedence bit mask to match several values in an 8-bit Precedence field that Cisco invented especially for this task. In this field, Precedence value 0 is represented by the binary number 00000001, 1 is represented as 00000010, and so forth up to IP Precedence value 7, which is 10000000. The mask is found by adding these binary values for each of the Precedence values you wish to include. For example, to match Precedence values 0, 1, and 2, you could use a mask of 00000111, which is 0x07 in hex:</p>
<pre>Router(config)#access-list rate-limit 56 mask 07</pre>
<p>The MPLS access-lists work in a similar way, matching the value in the MPLS experimental field:</p>
<pre>Router(config)#access-list rate-limit 255 6</pre>
<pre>Router(config)#access-list rate-limit 256 mask 42</pre>
<p>And the MAC address access-lists work on standard Ethernet or Token Ring 48-bit MAC addresses:</p>
<pre>Router(config)#access-list rate-limit 155 0000.0c07.ac01</pre>
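<p>The decimal DSCP values, the index ranges and the mask encoding described above are easy to get wrong by hand, so here is an added set of helpers (example code written for this page, not Cisco's, and it covers the same passages in the identical article earlier in this feed). It computes the decimal DSCP of an Assured Forwarding class (AF13, AF23 and AF33 are the drop-precedence-3 values 14, 22 and 30 used in the dscp example), reports what kind of match a rate-limiting access-list index selects, and converts between a set of Precedence or MPLS EXP values and the two-digit hex mask in both directions. The function and argument names are this example's own.</p>

```python
from typing import Iterable, Set


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """Decimal DSCP of Assured Forwarding class AFxy, computed as 8*x + 2*y.

    AF13 -> 14, AF23 -> 22, AF33 -> 30 are the drop-precedence-3 values used
    in the 'rate-limit output dscp ...' statements above.
    """
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return 8 * af_class + 2 * drop_precedence


def acl_kind(index: int) -> str:
    """What a rate-limiting access-list with this index number matches."""
    if 0 <= index <= 99:
        return "precedence"      # access-list rate-limit 55 5
    if 100 <= index <= 199:
        return "mac-address"     # access-list rate-limit 155 0000.0c07.ac01
    if 200 <= index <= 299:
        return "mpls-exp"        # access-list rate-limit 255 6
    raise ValueError(f"{index} is not a rate-limiting access-list index (0-299)")


def encode_mask(values: Iterable[int]) -> str:
    """Two-digit hex mask matching every 3-bit value in `values`.

    Value n sets bit n: 0 -> 00000001, 1 -> 00000010, ..., 7 -> 10000000, and
    the bits are added together, so {0, 1, 2} -> 00000111 -> "07".
    """
    mask = 0
    for v in values:
        if not 0 <= v <= 7:
            raise ValueError("Precedence and MPLS EXP values are 3-bit (0-7)")
        mask |= 1 << v
    return f"{mask:02x}"


def decode_mask(hex_mask: str) -> Set[int]:
    """Inverse of encode_mask: which values does 'mask 42' match? -> {1, 6}"""
    mask = int(hex_mask, 16)
    if not 0 <= mask <= 0xFF:
        raise ValueError("a rate-limit mask is an 8-bit value")
    return {v for v in range(8) if mask & (1 << v)}


def rate_limit_acl(index: int, values: Iterable[int]) -> str:
    """Render an 'access-list rate-limit' line for Precedence or MPLS EXP values.

    One value uses the plain form; several values use the mask form. Indexes
    100-199 take a MAC address rather than a value set and are refused here.
    """
    if acl_kind(index) == "mac-address":
        raise ValueError("indexes 100-199 match MAC addresses, not a value mask")
    vals = sorted(set(values))
    if not vals:
        raise ValueError("at least one value is required")
    if len(vals) == 1:
        return f"access-list rate-limit {index} {vals[0]}"
    return f"access-list rate-limit {index} mask {encode_mask(vals)}"
```

<p>Note that none of this touches regular numbered access-lists: a regular access-list 55 and a rate-limiting access-list 55 are separate objects, and only the rate-limit keyword on the rate-limit command selects the latter.</p>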
<p>You have to be careful about how you use these rate-limiting access-lists, because it's easy to get them confused with regular access-lists. You can have a regular access-list with the same number as a rate-limiting access-list. The only difference is that you apply rate-limiting access-lists with the rate-limit keyword on the rate-limit command as follows:</p>
<pre>Router(config)#interface HSSI0/0</pre>
<pre>Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie/using-committed-access-rate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CCIESecurityTrainingexercise</title>
		<link>http://www.passcciesecurity.com/ccie-security/cciesecuritytrainingtrainingcoachingeducationinstructionteachingschoolingexerciseworkout/</link>
		<comments>http://www.passcciesecurity.com/ccie-security/cciesecuritytrainingtrainingcoachingeducationinstructionteachingschoolingexerciseworkout/#comments</comments>
		<pubDate>Sat, 04 Feb 2012 09:00:10 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Bootcamps]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=394</guid>
		<description><![CDATA[There is no need to have any other professional training or course certificates to qualify.
The CCIE Security Training consists of a written exam to qualify and then the lab exam. You are advised to have at least 3-5 [...]]]></description>
			<content:encoded><![CDATA[<p>There is no requirement to hold any other professional training or course certificate to qualify.</p>
<p>The<a href="http://www.cathayschool.com/cisco-ccie-security"> CCIESecurityTraining</a> workout consists of a written exam to qualify, followed by the lab exam. Candidates are advised to have at least 3-5 years of job experience before attempting this certification.</p>
<p>The written exam for the CCIE Security is two hours long and multiple-choice. It contains 100 questions covering topics such as application protocols, operating systems, security technologies, security protocols, and Cisco security applications. The exam materials are supplied on the spot, and you are not allowed to bring in external reference materials.</p>
<p>Network engineers holding a CCIE certificate are regarded as experts in the network engineering field and as masters of Cisco products. The CCIE has brought a revolution to the networking field in tackling technically difficult projects and solutions with the required tools and methodologies. There is a program that updates and reorganizes these tools to deliver good quality service. There are several modes of CCIE training, such as written exam preparation and performance-based labs. This helps to raise efficiency and standards within the marketplace. Cisco launched this certification program in 1993 with a view to distinguishing the top experts from the rest.</p>
<p>To become certified, the written exam must be passed first, after which the lab exam must be passed. Cisco always tries to use completely unique CCIE training techniques for higher efficiency. There are several steps to the CCIE certification. The first step is to pass a two-hour, computer-based, primarily multiple-choice written exam. The required payment for this exam has to be made online. Exam vouchers and promotional codes are available for this exam. Candidates should make sure the company supplying the voucher is well known and legitimate, and enter the promotional code correctly: in the case of fraudulent vouchers or promotional codes the candidate will not be eligible and Cisco will not refund the cost. Candidates have to wait 5 days after payment before taking the written exam, and in the case of recertification they cannot sit for the same exam again for the following 180 days.</p>
<p>With a view to becoming certified and qualified for the CCIE, some points must be remembered. After passing the written exam, candidates have a maximum of eighteen months to attempt the lab exam. If that period is exceeded, the written exam result becomes invalid. For first-time CCIE candidates, the written exam is available in the form of a Beta exam at a discount. During the Beta period a candidate can sit the exam only once. Results are released 6 to 8 weeks after the exam.</p>
<p>The next phase of the CCIE certification is the lab exam. Only candidates who have passed the written exam may apply for the hands-on lab exam. While Cisco has many written exam centers, lab exam facilities are limited. It is an eight-hour hands-on, practical exam in which the ability to troubleshoot and configure network-based scenarios and applications is tested. To schedule the lab exam, candidates who have passed the written exam must present their identification number along with the passing score and the date of passing.</p>
<p>The fee for the lab exam must be paid at least 90 days before the scheduled exam; without payment the reservation may be cancelled. After passing both the lab exam and the written exam, candidates can apply for the CCIE certification. By contemplating</p>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-security/cciesecuritytrainingtrainingcoachingeducationinstructionteachingschoolingexerciseworkout/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Class-Based Weighted Fair Queuing</title>
		<link>http://www.passcciesecurity.com/ccie-bootcamps/using-class-based-weighted-fair-queuing/</link>
		<comments>http://www.passcciesecurity.com/ccie-bootcamps/using-class-based-weighted-fair-queuing/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 09:25:23 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE SP]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=392</guid>
		<description><![CDATA[There are three steps to configuring Class-Based Weighted Fair Queuing (CBWFQ) on a router. First, you have to create one or more class maps that describe the traffic types. Then you create a policy map that tells the router what to do with these traffic types. Finally, you need to attach this policy map to [...]]]></description>
			<content:encoded><![CDATA[<p>There are three steps to configuring Class-Based Weighted Fair Queuing (CBWFQ) on a router. First, you have to create one or more class maps that describe the traffic types. Then you create a policy map that tells the router what to do with these traffic types. Finally, you need to attach this policy map to one or more of the router's interfaces:</p>
<pre>Router#configure terminal</pre>
<pre>Enter configuration commands, one per line.  End with CNTL/Z.</pre>
<pre>Router(config)#class-map highprec</pre>
<pre>Router(config-cmap)#description Highest priority Prec=5</pre>
<pre>Router(config-cmap)#match ip precedence 5</pre>
<pre>Router(config-cmap)#exit</pre>
<pre>Router(config)#class-map medhiprec</pre>
<pre>Router(config-cmap)#description Medium-high priority Prec=4</pre>
<pre>Router(config-cmap)#match ip precedence 4</pre>
<pre>Router(config-cmap)#exit</pre>
<pre>Router(config)#class-map medloprec</pre>
<pre>Router(config-cmap)#description Medium-low priority Prec=2,3</pre>
<pre>Router(config-cmap)#match ip precedence 2 3</pre>
<pre>Router(config-cmap)#exit</pre>
<pre>Router(config)#policy-map cbwfqpolicy</pre>
<pre>Router(config-pmap)#class highprec</pre>
<pre>Router(config-pmap-c)#bandwidth percent 25</pre>
<pre>Router(config-pmap-c)#exit</pre>
<pre>Router(config-pmap)#class medhiprec</pre>
<pre>Router(config-pmap-c)#bandwidth percent 25</pre>
<pre>Router(config-pmap-c)#exit</pre>
<pre>Router(config-pmap)#class medloprec</pre>
<pre>Router(config-pmap-c)#bandwidth percent 25</pre>
<pre>Router(config-pmap-c)#exit</pre>
<pre>Router(config-pmap)#class class-default</pre>
<pre>Router(config-pmap-c)#fair-queue 512</pre>
<pre>Router(config-pmap-c)#queue-limit 96</pre>
<pre>Router(config-pmap-c)#exit</pre>
<pre>Router(config-pmap)#exit</pre>
<pre>Router(config)#interface serial0/1</pre>
<pre>Router(config-if)#service-policy output cbwfqpolicy</pre>
<pre>Router(config-if)#exit</pre>
<pre>Router(config)#end</pre>
<pre>Router#</pre>
<p>This feature is available in IOS levels 12.0(5)T and higher.</p>
<p>CBWFQ need not be significantly different from regular WFQ. In the example we have defined all traffic with an IP Precedence value of critical (5) to have a special queue. We have also created a single queue for traffic with Precedence 4, and another one for traffic with Precedence values of 2 and 3. All other traffic, including traffic with Precedence 0 and 1, as well as all non-IP traffic, uses regular WFQ. To make this fact slightly clearer, we have modified the default WFQ parameters with the following commands:</p>
<pre>Router(config)#policy-map cbwfqpolicy</pre>
<pre>Router(config-pmap)#class class-default</pre>
<pre>Router(config-pmap-c)#fair-queue 512</pre>
<pre>Router(config-pmap-c)#queue-limit 96</pre>
<p>This simply modifies the default WFQ behavior for all traffic that doesn't match one of the other defined classes. It sets the number of WFQ queues to 512, and sets the queue depth to a maximum of 96 packets. This is equivalent to configuring WFQ directly on the interface with the following command:</p>
<pre>Router(config-if)#fair-queue 96 512 0</pre>
<p>But that interface command doesn't give you the ability to also have separate queues for special classes of traffic, as shown in this recipe. We note in passing that the final argument of this fair-queue interface command specifies the number of queues to set aside for RSVP. We are trying to duplicate the effect of the cbwfqpolicy policy map, which doesn't include any RSVP queues, so we have set the last argument to zero here.</p>
<p>You can create up to 64 class-based queues for use with CBWFQ. You can control the share of bandwidth given to each queue using the bandwidth keyword, either with an absolute value in kilobits per second or with a percentage of the total available bandwidth. The following example shows the syntax for using a percentage:</p>
<pre>Router(config-pmap)#class highprec</pre>
<pre>Router(config-pmap-c)#bandwidth percent 25</pre>
<pre>Router(config-pmap-c)#exit</pre>
<p>The bandwidth percent command is available in IOS levels 12.1(1) and higher. For earlier releases, you can only specify an absolute bandwidth:</p>
<pre>Router(config-pmap-c)#bandwidth 5000</pre>
<p>The argument for this version of the command is a value in kilobits per second between 8 and 2,000,000, which should be sufficient for most interface types. Note that the upper limit here is 2 Mbps, which is roughly the E1 speed mentioned earlier as the effective upper limit to using WFQ. Because CBWFQ generally uses fewer queues and doesn't need to sort based on flow, you can use it for higher speed interfaces as well. However, you should let your average CPU utilization be your guide here. If you do too many tests when classifying packets, you might find that the router can't keep up with high packet rates.</p>
<p>In both versions, you have to keep two important factors in mind. First, although this is essentially a Layer 3 feature, when configuring the bandwidth you have to include any Layer 2 framing overhead. If a given queue supports a streaming multimedia application with a known bit rate, it is often a good idea to slightly overestimate the requirements to include this Layer 2 overhead. If the application doesn't use the excess, CBWFQ allocates it to other queues.</p>
<p>The second important factor is that the total allocated bandwidth must not exceed a configurable maximum value. By default, this maximum is 75 percent. You can change it, for example, to 80 percent by using the following interface level command:</p>
<pre>Router(config-if)#max-reserved-bandwidth 80</pre>
<p>You would apply this command to the interface that runs CBWFQ and needs a little extra reserved capacity. It is usually best to leave this at its default value, however. The router uses the remainder for unclassified traffic and network control packets. In this case, we have configured WFQ for the unclassified traffic. It is vital, however, to reserve enough bandwidth for critical network functions such as Layer 2 keepalive frames and routing protocols.</p>
<p>Creating the policy map alone doesn't actually change the way the router behaves. To do that, you have to attach this policy to an interface as follows:</p>
<pre>Router(config)#interface serial0/1</pre>
<pre>Router(config-if)#service-policy output cbwfqpolicy</pre>
<p>One of the classes defined in this example is a high-priority class that we called highprec. This class map simply looks for traffic that is tagged with an IP precedence value of 5. The policy map then tells the interface to give up to 25 percent of its bandwidth to this high-priority traffic. If there is not enough high-priority traffic to use this, the router will allocate the excess to the remaining traffic.</p>
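<p>The two constraints above (absolute reservations in kbps versus percentages, Layer 2 overhead, and the max-reserved-bandwidth ceiling) are easy to get wrong by hand. The following Python script is an added example, not part of the original recipe: it parses an IOS-style policy-map (the cbwfqpolicy from this recipe, reproduced as a constructed sample), converts any absolute bandwidth reservation to a percentage of an assumed interface speed, and checks the total against the reservable limit. The interface speed, the overhead factor and the limit are assumptions supplied by the caller.</p>

```python
"""Check CBWFQ bandwidth reservations against max-reserved-bandwidth.

Added example (not the original post's code). It reads policy-map text in
IOS running-config form and verifies that the sum of the per-class
reservations fits within the reservable share of the interface, which is
75 percent unless max-reserved-bandwidth was changed.
"""
import re
from dataclasses import dataclass

# Constructed sample: the cbwfqpolicy policy map from the recipe above,
# written as it appears in a running configuration.
POLICY = """\
policy-map cbwfqpolicy
 class highprec
  bandwidth percent 25
 class medhiprec
  bandwidth percent 25
 class medloprec
  bandwidth percent 25
 class class-default
  fair-queue 512
  queue-limit 96
"""


@dataclass
class ClassReservation:
    name: str
    percent: float  # share of the interface bandwidth reserved for this class


def parse_policy_map(text, interface_kbps):
    """Return one ClassReservation per class that reserves bandwidth.

    'bandwidth percent N' is taken as-is. 'bandwidth N' (the older
    absolute form, N in kbps between 8 and 2,000,000) is converted to a
    percentage of interface_kbps, an assumed interface speed.
    """
    reservations = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"class\s+(\S+)$", stripped)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"bandwidth\s+percent\s+(\d+)$", stripped)
        if m and current:
            reservations.append(ClassReservation(current, float(m.group(1))))
            continue
        m = re.match(r"bandwidth\s+(\d+)$", stripped)
        if m and current:
            kbps = int(m.group(1))
            if not 8 <= kbps <= 2_000_000:
                raise ValueError(f"{current}: bandwidth {kbps} kbps is outside 8-2000000")
            reservations.append(ClassReservation(current, 100.0 * kbps / interface_kbps))
    return reservations


def check_reservations(reservations, max_reserved_percent=75.0, l2_overhead=1.0):
    """Sum the reservations, inflated by an optional Layer 2 framing factor
    (for example 1.05 for 5 percent overhead), and compare them with the
    max-reserved-bandwidth ceiling. Returns (fits, total_percent, headroom)."""
    total = sum(r.percent * l2_overhead for r in reservations)
    headroom = max_reserved_percent - total
    return headroom >= 0, round(total, 2), round(headroom, 2)


if __name__ == "__main__":
    # Assumed E1-speed interface; with the default 75 percent ceiling the
    # three 25 percent classes fit exactly, leaving nothing for growth.
    reservations = parse_policy_map(POLICY, interface_kbps=2048)
    print(check_reservations(reservations))
    # Adding 5 percent Layer 2 overhead pushes the same policy over the limit.
    print(check_reservations(reservations, l2_overhead=1.05))
```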
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-bootcamps/using-class-based-weighted-fair-queuing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Simulating a Frame Relay Cloud</title>
		<link>http://www.passcciesecurity.com/ccie-in-security/simulating-a-frame-relay-cloud/</link>
		<comments>http://www.passcciesecurity.com/ccie-in-security/simulating-a-frame-relay-cloud/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 08:57:49 +0000</pubDate>
		<dc:creator>Corliss</dc:creator>
				<category><![CDATA[CCIE in Security]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[CCIE Bootcamps]]></category>
		<category><![CDATA[CCIE Lab Exam]]></category>

		<guid isPermaLink="false">http://www.passcciesecurity.com/?p=390</guid>
		<description><![CDATA[A Cisco router can function as a Frame Relay switch. This is mostly useful when you are trying to simulate a Frame Relay cloud in a lab to test your router configurations:
Cloud#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Cloud(config)#frame-relay switching
Cloud(config)#interface Serial0
Cloud(config-if)#description Frame-relay connection to Central - DLCI 50
Cloud(config-if)#encapsulation frame-relay
Cloud(config-if)#clock rate 125000
Cloud(config-if)#frame-relay lmi-type cisco
Cloud(config-if)#frame-relay [...]]]></description>
			<content:encoded><![CDATA[<p>A Cisco router can function as a Frame Relay switch. This is mostly useful when you are trying to simulate a Frame Relay cloud in a lab to test your router configurations:</p>
<pre><strong>Cloud#configure terminal</strong></pre>
<pre><strong>Enter configuration commands, one per line.  End with CNTL/Z.</strong></pre>
<pre><strong>Cloud(config)#frame-relay switching</strong></pre>
<pre><strong>Cloud(config)#interface Serial0</strong></pre>
<pre><strong>Cloud(config-if)#description Frame-relay connection to Central - DLCI 50</strong></pre>
<pre><strong>Cloud(config-if)#encapsulation frame-relay</strong></pre>
<pre><strong>Cloud(config-if)#clock rate 125000</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay lmi-type cisco</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay intf-type dce</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay route 101 interface Serial1 50</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay route 102 interface Serial2 50</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<pre><strong>Cloud(config)#interface Serial1</strong></pre>
<pre><strong>Cloud(config-if)#description Frame-relay connection to Branch1 - DLCI 101</strong></pre>
<pre><strong>Cloud(config-if)#encapsulation frame-relay</strong></pre>
<pre><strong>Cloud(config-if)#clock rate 125000</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay lmi-type cisco</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay intf-type dce</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay route 50 interface Serial0 101</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<pre><strong>Cloud(config)#interface Serial2</strong></pre>
<pre><strong>Cloud(config-if)#description Frame-relay connection to Branch2 - DLCI 102</strong></pre>
<pre><strong>Cloud(config-if)#encapsulation frame-relay</strong></pre>
<pre><strong>Cloud(config-if)#clock rate 125000</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay lmi-type cisco</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay intf-type dce</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay route 50 interface Serial0 102</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<pre><strong>Cloud(config)#end</strong></pre>
<pre><strong>Cloud#</strong></pre>
<p>This type of configuration can be extremely useful when you need to test basic Frame Relay functionality in a lab, and you don't happen to have a real Frame Relay switch available. However, it's extremely important to remember that a router is not a Frame Relay switch, and it doesn't emulate all of the functionality of the switch. In particular, the router will not support switching of SVCs. Also, although Cisco has introduced the frame-relay congestion-management command, you can still only generate FECN and BECN notifications on a limited set of router hardware and software configurations. So if you are using this type of configuration to test adaptive traffic shaping or any other feature that relies on BECN notifications, it will not give you a reliable simulation of a real cloud.</p>
<p>To use the router as a Frame Relay switch, you must first enable the frame-relay switching option. Then you must configure each interface as DCE with the frame-relay intf-type command, and supply a clock signal with the clock rate command. Cisco routers will not allow you to configure this command unless you use a DCE cable on the interface. And, finally, you need to map the PVCs. The central router can see both of the branch routers, one with DLCI 101, and the other with DLCI 102. Both of the branch routers see the central router with DLCI 50. The two branch routers cannot see one another directly.</p>
<p>In this example, all three of the Frame Relay connections are to DTE devices such as routers, so all of the interfaces are configured for DCE signaling. However, you can also configure connections to other switching devices. This might be useful if you were interested in constructing your own private Frame Relay cloud. In this case, you would still need to designate one of the devices to be the physical DCE and supply the clock. Then you would configure the interface type on both devices as nni:</p>
<pre><strong>Cloud#configure terminal</strong></pre>
<pre><strong>Enter configuration commands, one per line.  End with CNTL/Z.</strong></pre>
<pre><strong>Cloud(config)#interface Serial2</strong></pre>
<pre><strong>Cloud(config-if)#description Frame-relay connection to next switch</strong></pre>
<pre><strong>Cloud(config-if)#encapsulation frame-relay</strong></pre>
<pre><strong>Cloud(config-if)#clock rate 125000</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay lmi-type cisco</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay intf-type nni</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<pre><strong>Cloud(config)#end</strong></pre>
<pre><strong>Cloud#</strong></pre>
<p>You would also use frame-relay route statements to configure one or more PVCs to be served by this neighboring switch. The PVC routing commands in this case are identical to those for DCE interfaces.</p>
<p>You can look at the routing of the virtual circuits on a router that is configured for Frame Relay switching with the show frame-relay route command:</p>
<pre><strong>Cloud#show frame-relay route</strong></pre>
<pre>Input Intf      Input Dlci      Output Intf     Output Dlci     Status</pre>
<pre>Serial0         101             Serial1         50              active</pre>
<pre>Serial0         102             Serial2         50              inactive</pre>
<pre>Serial0         103             Serial3         50              inactive</pre>
<pre>Serial1         50              Serial0         101             active</pre>
<pre>Serial1         102             Serial2         101             inactive</pre>
<pre>Serial1         103             Serial3         101             inactive</pre>
<pre>Serial2         50              Serial0         102             inactive</pre>
<pre>Serial2         101             Serial1         102             inactive</pre>
<pre>Serial2         103             Serial3         102             inactive</pre>
<pre>Serial3         50              Serial0         103             inactive</pre>
<pre>Serial3         101             Serial1         103             inactive</pre>
<pre>Serial3         102             Serial2         103             inactive</pre>
<pre><strong>Cloud#</strong></pre>
<p>This output shows, for example, that traffic received on DLCI number 101 through interface Serial0 is forwarded to DLCI number 50 on Serial1. And a few lines lower, you can see the reverse path as well. The status for both of these lines is active, so this virtual circuit is working properly.</p>
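<p>Because every PVC needs a forward and a reverse route statement, the table above is where mismatched DLCI mappings show up. The following Python script is an added example, not part of the original recipe: it parses show frame-relay route output in the format shown above (the sample is constructed from that output, with one deliberately one-sided route), reports routes with no matching reverse entry, lists inactive circuits, flags duplicate input DLCIs on an interface, and prints the frame-relay route commands that would complete the missing reverse mapping.</p>

```python
"""Audit the PVC switching table of a router acting as a Frame Relay switch.

Added example (not the original post's code). A working PVC needs two
frame-relay route statements: DLCI A on interface X to DLCI B on Y, and
B on Y back to A on X. This script checks that property on the output of
'show frame-relay route'.
"""
from collections import namedtuple

Route = namedtuple("Route", "in_intf in_dlci out_intf out_dlci status")

# Constructed sample in the layout of 'show frame-relay route' above; the
# last line has no reverse route and so will be reported as unpaired.
SHOW_OUTPUT = """\
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0         101             Serial1         50              active
Serial0         102             Serial2         50              inactive
Serial1         50              Serial0         101             active
Serial2         50              Serial0         102             inactive
Serial3         50              Serial0         103             inactive
"""


def parse_frame_relay_routes(text):
    """Parse the five-column table, skipping the header and blank lines."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        routes.append(Route(parts[0], int(parts[1]), parts[2], int(parts[3]), parts[4]))
    return routes


def find_unpaired(routes):
    """Routes whose reverse mapping (output side back to input side) is missing."""
    forward = {(r.in_intf, r.in_dlci, r.out_intf, r.out_dlci) for r in routes}
    return [r for r in routes
            if (r.out_intf, r.out_dlci, r.in_intf, r.in_dlci) not in forward]


def inactive_circuits(routes):
    """Routes not reported as active (the far end is down or LMI has not come up)."""
    return [r for r in routes if r.status != "active"]


def dlci_conflicts(routes):
    """A DLCI may be used as an input only once per interface; return duplicates."""
    seen = {}
    for r in routes:
        seen.setdefault((r.in_intf, r.in_dlci), []).append(r)
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


def reverse_route_commands(routes):
    """IOS commands that would add the missing reverse mapping for each unpaired route."""
    cmds = []
    for r in find_unpaired(routes):
        cmds.append(f"interface {r.out_intf}")
        cmds.append(f" frame-relay route {r.out_dlci} interface {r.in_intf} {r.in_dlci}")
    return cmds


if __name__ == "__main__":
    routes = parse_frame_relay_routes(SHOW_OUTPUT)
    for r in find_unpaired(routes):
        print(f"no reverse route for {r.in_intf} DLCI {r.in_dlci} -> {r.out_intf} DLCI {r.out_dlci}")
    for r in inactive_circuits(routes):
        print(f"inactive: {r.in_intf} DLCI {r.in_dlci}")
    print("\n".join(reverse_route_commands(routes)))
```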
<p>Another extremely useful option for creating private Frame Relay networks is the ability to specify a GRE tunnel as the destination of a Frame Relay route command:</p>
<pre><strong>Cloud(config)#interface Loopback1</strong></pre>
<pre><strong>Cloud(config-if)#ip address 192.168.2.1 255.255.255.255</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<pre><strong>Cloud(config)#interface Tunnel1</strong></pre>
<pre><strong>Cloud(config-if)#ip address 192.168.1.5 255.255.255.252</strong></pre>
<pre><strong>Cloud(config-if)#tunnel source 192.168.2.1</strong></pre>
<pre><strong>Cloud(config-if)#tunnel destination 192.168.2.2</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<pre><strong>Cloud(config)#interface Serial1</strong></pre>
<pre><strong>Cloud(config-if)#frame-relay route 201 interface Tunnel1 101</strong></pre>
<pre><strong>Cloud(config-if)#exit</strong></pre>
<p>In this case, we have created a GRE tunnel interface called Tunnel1, which terminates on another router somewhere else in the network. Then we route Frame Relay DLCI 201 to this tunnel interface. On the other router, you would need to create a similar GRE tunnel interface. Then, on a Serial interface on that other router, you would put a matching frame-relay route statement:</p>
<pre><strong>Cloud9(config)#interface Loopback1</strong></pre>
<pre><strong>Cloud9(config-if)#ip address 192.168.2.2 255.255.255.255</strong></pre>
<pre><strong>Cloud9(config-if)#exit</strong></pre>
<pre><strong>Cloud9(config)#interface Tunnel1</strong></pre>
<pre><strong>Cloud9(config-if)#ip address 192.168.1.6 255.255.255.252</strong></pre>
<pre><strong>Cloud9(config-if)#tunnel source 192.168.2.2</strong></pre>
<pre><strong>Cloud9(config-if)#tunnel destination 192.168.2.1</strong></pre>
<pre><strong>Cloud9(config-if)#exit</strong></pre>
<pre><strong>Cloud9(config)#interface Serial1</strong></pre>
<pre><strong>Cloud9(config-if)#frame-relay route 301 interface Tunnel1 101</strong></pre>
<pre><strong>Cloud9(config-if)#exit</strong></pre>
<p>This is an extremely efficient way of creating a virtual Frame Relay cloud layered on top of an existing IP network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.passcciesecurity.com/ccie-in-security/simulating-a-frame-relay-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

