Thursday, 18 June 2020

uRPF and its modes: Strict vs Loose

Unicast Reverse Path Forwarding (Unicast RPF) is a security feature that addresses source-address spoofing attacks. It is recommended to configure it on the Layer 3 interfaces of routers so that the reachability of the source address of every incoming packet is verified. A packet is dropped if its source IP address fails this check.

Unicast RPF works in one of the modes below:

1. Strict mode: the router performs two checks:

    A. The router looks up the source address of the packet in the routing table and drops the packet if no route to the source address is present.
    B. The router verifies that the source of the incoming packet is reachable via the same interface on which the packet arrived, and drops the packet if the source address is learned via a different interface from the one it ingressed on.

Command:

interface eth1/1
 ip verify unicast reverse-path              <<< older command, but still available on some platforms
   or
 ip verify unicast source reachable-via rx

2. Loose mode (default mode): only checks that a route for the source address is present in the routing table.

interface eth1/1
 ip verify unicast source reachable-via any

Note: the matching criteria above do not apply to the default route, so traffic whose source address matches only the default route is not allowed. The "allow-default" keyword changes this behaviour: with it, traffic whose source address matches only the default route is allowed.
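The strict/loose decision above, written out as an added example (not code from the original post): a longest-prefix lookup against a small constructed routing table, with the default-route rule and the allow-default override. The table, interface names and addresses are assumptions made for the example.

```python
import ipaddress

# Constructed routing table (prefix -> egress interface); an assumption, not from the post.
ROUTES = {
    "10.1.0.0/16": "eth1/1",
    "192.168.5.0/24": "eth1/2",
    "0.0.0.0/0": "eth1/3",      # default route
}

def lookup(routes, src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        # 'in' is False across address families, so v6 sources never match v4 routes
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(routes, src, ingress, mode="loose", allow_default=False):
    """Decide whether a packet from src arriving on ingress passes uRPF.

    loose  : a route for src must exist (check A only).
    strict : that route must also point back out of the ingress interface (A and B).
    allow_default: let a match on the default route count as a valid route.
    Returns (accept, reason)."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = lookup(routes, src)
    if match is None:
        return False, "no route to source"
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    if mode == "strict" and iface != ingress:
        return False, f"source is reachable via {iface}, packet arrived on {ingress}"
    return True, "accepted"

if __name__ == "__main__":
    cases = [("10.1.2.3", "eth1/1", "strict", False),      # passes both checks
             ("10.1.2.3", "eth1/2", "strict", False),      # fails check B
             ("10.1.2.3", "eth1/2", "loose", False),       # loose ignores the interface
             ("203.0.113.7", "eth1/1", "loose", False),    # default route only: dropped
             ("203.0.113.7", "eth1/3", "strict", True)]    # allow-default on the right interface
    for src, ingress, mode, allow in cases:
        print(src, ingress, mode, allow, urpf_check(ROUTES, src, ingress, mode, allow))
```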






Wednesday, 17 June 2020

BGP: x.x.x.x Active open failed - no route to peer, open active delayed 9216ms (35000ms max, 60% jitter)


I was working on an issue and got the above log lines while debugging BGP on the Cisco router.

Below are the two things to check to resolve such issues.

1. A specific route for the BGP neighbor IP address. The BGP neighborship depends on it; a default route won't work.

2. eBGP multihop. Make sure to configure the ebgp-multihop command when forming an eBGP neighborship between indirectly connected routers.

Monday, 2 March 2020

Cisco Traditional Vs Smart Licensing

Below are a few important differences between Cisco traditional licensing and the new Smart Licensing.

Traditional (node-locked) licensing vs Smart (dynamic) licensing:

1. Traditional: Manual individual license procurement and installation.
   Smart: The device initiates a call home and requests the licenses it needs.

2. Traditional: Node-locked licenses; a license is associated with a specific device.
   Smart: Pooled licenses; licenses are company-account-specific and can be used with any compatible device in your company. You can activate or deactivate different types of licenses on the device without actually installing a license file on the device.

3. Traditional: No common install-base location to view licenses purchased or software usage trends.
   Smart: Licenses are stored securely on Cisco servers, accessible at all times.

4. Traditional: No easy means to transfer licenses from one device to another.
   Smart: Licenses can be moved between product instances without a license transfer. This greatly simplifies the reassignment of a software license as part of the Return Material Authorization (RMA) process.

5. Traditional: Limited visibility into all software licenses being used in the network; licenses are tracked only on a per-node basis.
   Smart: Complete view of all Smart Software Licenses used in the network, using a consolidated usage report of software licenses and devices in one easy-to-use portal.

Tuesday, 18 February 2020

Friday, 14 February 2020

ISR 4331/4531 features in Evaluation mode


Below are the features available in Evaluation mode.

#sh license feature

Feature name      Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9            yes          yes         no            no       yes
uck9              yes          yes         no            no       yes
securityk9        yes          yes         no            yes      yes
ipbasek9          no           no          no            yes      no
cme-srst          yes          yes         no            no       yes
hseck9            yes          no          no            yes      no
throughput        yes          yes         no            no       yes
internal_service  yes          no          no            no       no


How to enable the RTU package on ISR 4331/4531

config t
license accept end user agreement
yes
exit
license right-to-use move appxk9
config t
license boot level appxk9
end
wr mem

How to enable an evaluation license

license feature appxk9

Friday, 7 February 2020

Catalyst 9000 License


The previous Cisco licensing is divided into the following three feature sets:

A. LAN Base: primarily a Layer 2 feature set, offering enterprise access Layer 2 switching features. It doesn't provide any Layer 3 functionality.
B. IP Base: provides the enterprise access Layer 3 switching features in addition to all LAN Base features. It doesn't provide the advanced Layer 3 features.
C. IP Services: the advanced enterprise Layer 3 switching features, including EIGRP, OSPF, BGP, PIM and IPv6 routing protocols. It also supports all the IP Base features.

The Cisco Catalyst 9000 does not use the above feature sets and has its own package types. All Cisco Catalyst 9000 hardware has two software options, Essentials and Advantage. Each software option includes two components, as shown:

License Level | Network Stack offer (perpetual and embedded) | Cisco DNA Software Subscription offer (term based)
-E            | Network Essentials                           | Cisco DNA Essentials (3, 5, or 7 years)
-A            | Network Advantage                            | Cisco DNA Advantage (3, 5, or 7 years)

The Network Stack license is perpetual, embedded in the hardware by default, and aligned with the hardware PID (-E/-A).

The Cisco DNA license is term-based and preselected to the 5-year term by default, but it can be changed to a 3- or 7-year term. A DNA license with a minimum 3-year term is mandatory.

Customers will be able to upgrade the Network Stack and Cisco DNA license levels, for example from an -E to an -A license.

Here is the comparison between the three-tier packaging and the new Catalyst 9K two-tier packaging.

The features below are included in the Advantage and Essentials packages:



Monday, 3 February 2020

Install Python and Paramiko on a Windows machine

We can follow the procedure below to install Python on a Windows machine. The Paramiko package is required for SSH functionality within Python. It cannot be installed directly and requires a package manager called PIP. Below is the procedure to install Paramiko on a Windows box.

STEP A: Install Python

1. Create a folder named Python on the system and download Python from https://www.python.org/downloads/ .
2. Run the .exe file and follow the steps.
3. Once it finishes, Python is installed on your system.
4. To install additional packages, PIP is required. Follow the procedure below to install PIP.

STEP B: Install PIP
1. To install packages within Python we need to install the package manager PIP. You can download PIP's "get-pip.py" from https://pypi.org/project/pip/#files.
2. Open a command prompt and navigate to the folder containing get-pip.py.
3. Run the following command: python get-pip.py
4. PIP is now installed.

STEP C: Install Paramiko
1. Paramiko is used to SSH to the devices.
2. Once PIP is installed, you can install the Paramiko package using the command "pip install paramiko".
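An added example (not code from the original posts) tying this post to the ISR 4331/4531 evaluation-mode post above: a parser for the "show license feature" output quoted there, plus a Paramiko helper that pulls that output from a router over SSH. The router address, username and password are placeholders you must supply; the embedded sample text is the output from the ISR post, and the Paramiko import is deferred so the parser runs without Paramiko installed.

```python
# Sample input: the "show license feature" output quoted in the ISR 4331/4531 post.
SAMPLE_OUTPUT = """\
Feature name      Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9            yes          yes         no            no       yes
uck9              yes          yes         no            no       yes
securityk9        yes          yes         no            yes      yes
ipbasek9          no           no          no            yes      no
cme-srst          yes          yes         no            no       yes
hseck9            yes          no          no            yes      no
throughput        yes          yes         no            no       yes
internal_service  yes          no          no            no       no
"""

COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "right_to_use")

def parse_license_feature(text):
    """Parse 'show license feature' output into {feature: {column: bool}}."""
    features = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly six fields; the header, prompts and blank lines do not.
        if len(fields) != 6 or fields[0] == "Feature":
            continue
        name, flags = fields[0], fields[1:]
        features[name] = {col: flag.lower() == "yes" for col, flag in zip(COLUMNS, flags)}
    return features

def evaluation_features(features):
    """Sorted names of features the device reports as available in Evaluation mode."""
    return sorted(name for name, f in features.items() if f["evaluation"])

def fetch_show_output(host, username, password, command="show license feature"):
    """Run one show command over SSH with Paramiko and return its text.
    host/username/password are placeholders supplied by the caller (assumption)."""
    import paramiko  # deferred so the parser above works without Paramiko installed
    client = paramiko.SSHClient()
    client.load_system_host_keys()                   # trust only known device host keys
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, password=password,
                   look_for_keys=False, allow_agent=False, timeout=10)
    try:
        _, stdout, _ = client.exec_command(command, timeout=30)
        return stdout.read().decode("utf-8", "replace")
    finally:
        client.close()

if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for fetch_show_output("ROUTER_IP_PLACEHOLDER", "user", "pass") to go live.
    print(evaluation_features(parse_license_feature(SAMPLE_OUTPUT)))
```

Some IOS builds only answer a command on an interactive shell rather than exec_command; in that case use client.invoke_shell() and read the channel instead.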