Tuesday, 22 December 2015

Radius configuration trick to allow "CLID-like" filtering on ACS for l2tp/pptp

Here is a "trick" to allow l2tp/pptp client access filtering based on the client IP address for ACS 5.X:
1) Configure the NAS with "vpdn aaa attribute nas-ip-address vpdn-tunnel-client".
This command makes IOS send the client IP address in attribute 4, as in this debug output:
RADIUS:  NAS-IP-Address      [4]   6  1.2.3.4
2) Use a "compound condition" in ACS Access Policies > Authorization rules to match on this attribute.
Tested on IOS 15.1(4)M6 on a 7200 series router.


Sunday, 20 December 2015

CCIE R&S

Finally I nailed it. I passed on the first try after so much time spent since 2013... Just since June 2015 I have been to both Cisco360 workshops and spent more than 400 hours labbing (workshop time is not counted) and more than 300 hours on VoDs from different training vendors...
Now I feel completely drained and squeezed like a lemon; time to take a pause.

Sunday, 4 October 2015

Simple Cisco IOS Tcl script to use instead of interface-level configuration

Example:

tclsh
# OSPF area applied to every interface in the list below
set area 0
# "exclude face" drops the "Interface ..." header line of "show ip int brief",
# so list element 1 of the remaining line is the interface IP address
ios_config "router os 1" "router-id [ lindex [exec "sh ip int b lo0 | exclude face"] 1 ] "
foreach i {
Lo0
Et0/0
Et0/1
} { ios_config "router os 1" "net [ lindex [exec "sh ip int b $i | exclude face"] 1 ] 0.0.0.0 area $area"
}



Thursday, 1 October 2015

Cisco IOS tclsh one-liner to configure a VRF on an interface

Example:
# "ip vrf forwarding" removes the interface IP address, so the captured "ip address" line is re-applied as the third command
ios_config "int Et0/0" "ip vrf for VPNA" [exec "sh run int Et0/0 | i addr"]

The same for a list of interfaces:
foreach i {
Et0/0.10
Et0/0.20
Et0/0.33
Tu1
s1/0
} { ios_config "int $i" "ip vrf for VPNA" [exec "sh run int $i | i addr"] }

Thursday, 24 September 2015

Useful EEM to remember


event manager applet ERROR_RATE
event interface name FastEthernet0/0 parameter input_errors entry-op gt entry-type value entry-val 100 poll-interval 15
action 10.1 syslog msg "For $_interface_name, $_interface_parameter is $_interface_value."
action 20.1 cli command "enable"
action 20.2 cli command "show interface FastEthernet0/0 | include 5 minute"
action 20.3 syslog msg "$_cli_result "
action 30.1 cli command "clear counters FastEthernet0/0" pattern "confirm"
action 30.2 cli command "y"
action 40.1 mail server "172.16.254.1" to "monitoring@example.com" from "router@example.com" subject "FastEthernet0/0 input errors counter is above 100" body "$_cli_result"

Wednesday, 23 September 2015

Simple route-map question for an interview

In which range will this match the metric?

route-map MATCH_METRIC
 match metric 1 +- 999 1000 500 +- 500 1

Friday, 4 September 2015

Quick note: a ninja command to use during the lab

sh run | i ospf|eigrp|int|band|delay|access-gr|policy|arp|mac

Monday, 31 August 2015

quick note: standby use-bia

Q. What is the standby use-bia command and how does it work?

A. By default, HSRP uses the preassigned HSRP virtual MAC address <...> In order to configure HSRP to use the burnt-in address of the interface as its virtual MAC address, instead of the default, use the standby use-bia command.

Note: Using the standby use-bia command has these disadvantages:
  • When a router becomes active, the virtual IP address is moved to a different MAC address. The newly active router sends a gratuitous ARP response, but not all host implementations handle the gratuitous ARP correctly.
  • Proxy ARP breaks when use-bia is configured. A standby router cannot cover for the lost proxy ARP database of the failed router.


Quick note: mpls ldp router-id

Don't forget to use "force" to change the router-id faster (without waiting for an event that leads to a router-id change).

Tuesday, 25 August 2015

How to test your URL filtering via telnet during the lab

Use this simple method; don't forget to send two new lines after the "Host" header:
telnet 10.1.1.1 8080
Trying 10.1.1.1....
Connected to 10.1.1.1.
Escape character is '^]'.
GET /testurl.html HTTP/1.0
Host: R1.lab
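
The same exchange as a small Python client, added here as an example (not part of the original post): it builds the raw HTTP/1.0 request with the terminating empty line the post warns about, sends it through the filter with a timeout so a missing blank line shows up as a timeout rather than a hung session, and reads back the status code. The filter address, port and Host value are the lab values from the post; the status-code check is an assumption about how the filter answers (a block page or an error status versus the real page).

```python
import socket
from typing import Optional, Tuple


def build_request(host: str, path: str = "/testurl.html") -> bytes:
    """Raw HTTP/1.0 request exactly as typed into telnet in the post.

    The header block must end with an empty line (a second CRLF): that is the
    "two new lines after Host". Without it the device never sees a complete
    request and the session just hangs.
    """
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Return the numeric status code from the first response line, or None."""
    status_line = response.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe(filter_ip: str, port: int, host: str,
          path: str = "/testurl.html", timeout: float = 5.0) -> Tuple[Optional[int], bytes]:
    """Send one request through the filter and return (status, raw response).

    socket.timeout is raised if the filter never answers, e.g. because the
    request was not terminated or was silently dropped.
    """
    with socket.create_connection((filter_ip, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # HTTP/1.0: server closes when the response is complete
                break
            chunks.append(data)
    response = b"".join(chunks)
    return parse_status(response), response


if __name__ == "__main__":
    # Lab values from the post: filter at 10.1.1.1:8080, virtual host R1.lab.
    status, raw = probe("10.1.1.1", 8080, "R1.lab")
    print("status:", status)
    print(raw[:200].decode("ascii", "replace"))
```

Compare the status and body returned for a URL that should be allowed against one that should be blocked; what the filter sends for a blocked URL depends on its configuration, so read the first response line rather than assuming a particular code.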

Thursday, 13 August 2015

The most useful show running-config parsing shortcuts I'm using for the CCIE R&S lab

Find passwords with a space character at the end:
sh run | i _$

Show "router bgp/eigrp/ospf/rip" section of the configuration:
sh run | s r b
sh run | s r e
sh run | s r o
sh run | s r r

Show interface config only:
sh run | s int
Note: you can't use "sh ru | s i" because "i" in this case means "section include", just as "e" means "exclude".

Use short and informative route-map names, for example:
route-m c2e
to describe a route-map for redistribution from connected into EIGRP.

Searching for a route in all VRFs:
sh ip ro vrf * | i ...

Show "crypto" part of the configuration (everything about IPSec):
sh run | s ^cr
or
sh run | s cry

Show the routing part of the configuration with route-maps, and without route-maps (longer and less used):
sh run | s ^r
sh run | s router

Less used, but valuable.
Show all ip prefix lists:
sh run | s ip p

Show all ip access-lists:
sh run | s ip ac

Note: I'm using "sh run" instead of "sh ru" because a "show rudpv1" command also exists.



Monday, 6 July 2015

Useful command to debug IP TOS precedence packets

Yet another note to myself:

R1#sh run int s1/0
Building configuration...

Current configuration : 244 bytes
!
interface Serial1/0
 ip address 172.16.13.1 255.255.255.0
 ip accounting precedence input

...


R1#sh interfaces s1/0 precedence
Serial1/0
  Input
    Precedence 0:  408 packets, 42172 bytes
    Precedence 3:  2812 packets, 180528 bytes
    Precedence 4:  2819 packets, 180976 bytes
    Precedence 6:  613 packets, 41872 bytes

Friday, 5 June 2015

Please don't forget to enable PIM!

This applies when you join a multicast group with "ip igmp join-group".

Wednesday, 1 April 2015

How to get the list of processes and per-process CPU usage from a Cisco IOS router/switch via SNMP

With the help of the snmpwalk utility you can list processes and their per-process CPU usage even when the router is at 100% CPU load. Use the following OID to list processes: 1.3.6.1.4.1.9.9.109.1.2.1.1.2.1, and this OID to list the corresponding per-process CPU usage: 1.3.6.1.4.1.9.9.109.1.2.2.1.7.1
For example, here is snmpwalk output from a 2811 router at 99% CPU with no SSH/telnet access because of the high CPU load, using suitable retry/timeout parameters:

snmpwalk -r 9 -t 5 -v 2c -c public 10.81.1.1 1.3.6.1.4.1.9.9.109.1.2.1.1.2.1
...
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.188 = STRING: "CCVPM_HDSPRM"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.189 = STRING: "FLEX DSPRM MAIN"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.190 = STRING: "FLEX DSP KEEPALIVE MAIN"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.191 = STRING: "HDA DSPRM MAIN"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.192 = STRING: "cpf_process_msg_holdq"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.193 = STRING: "AAA Cached Server Group"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.194 = STRING: "ENABLE AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.195 = STRING: "EM Background Process"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.196 = STRING: "Key chain livekeys"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.197 = STRING: "LINE AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.198 = STRING: "LOCAL AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.199 = STRING: "TPLUS"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.200 = STRING: "VSP_MGR"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.201 = STRING: "Crypto WUI"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.202 = STRING: "Crypto Support"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.203 = STRING: "IPSECv6 PS Proc"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.204 = STRING: "EPM MAIN PROCESS"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.205 = STRING: "CCVPM_HTSP"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.206 = STRING: "VPM_MWI_BACKGROUND"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.207 = STRING: "CCVPM_R2"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.208 = STRING: "EPHONE MWI Refresh"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.209 = STRING: "FB/KS Log HouseKeeping"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.210 = STRING: "EPHONE MWI BG Process"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.211 = STRING: "Skinny HW conference digit event"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.212 = STRING: "VOICE REG BG Process"
...


snmpwalk -r 9 -t 5 -v 2c -c public 10.81.1.1 1.3.6.1.4.1.9.9.109.1.2.2.1.7.1
...
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.189 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.190 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.191 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.192 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.193 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.194 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.195 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.196 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.197 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.198 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.199 = Gauge32: 87
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.200 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.201 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.202 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.203 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.204 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.205 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.206 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.207 = Gauge32: 0
...

As you can see, the TPLUS process is using 87% CPU. It seems to be a software defect, and my IOS will be upgraded.
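Reading two walks side by side by hand is error-prone on a box with hundreds of processes, so here is a small Python script, added as an example (not part of the original post), that parses snmpwalk output for both OIDs, joins the rows on the process index (the last OID arc) and lists processes sorted by CPU usage. The sample walks embedded below are a constructed, abridged copy of the output shown above; in use you would paste in the full output of the two snmpwalk commands from the post.

```python
import re
from typing import Dict, List, Tuple

# The two CISCO-PROCESS-MIB columns walked in the post (trailing ".1" is the CPU index)
PROC_NAME_OID = "1.3.6.1.4.1.9.9.109.1.2.1.1.2.1"   # process name
PROC_UTIL_OID = "1.3.6.1.4.1.9.9.109.1.2.2.1.7.1"   # per-process CPU utilisation

# One snmpwalk output line: "<oid> = <TYPE>: <value>". snmpwalk prints the root
# arc as "iso" rather than "1", so both spellings are accepted.
_LINE_RE = re.compile(
    r"^(?P<oid>(?:iso|1)(?:\.\d+)+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$"
)

# Constructed sample: abridged copies of the two walks shown in the post.
SAMPLE_NAMES = """\
...
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.188 = STRING: "CCVPM_HDSPRM"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.197 = STRING: "LINE AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.198 = STRING: "LOCAL AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.199 = STRING: "TPLUS"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.200 = STRING: "VSP_MGR"
...
"""
SAMPLE_UTIL = """\
...
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.197 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.198 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.199 = Gauge32: 87
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.200 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.201 = Gauge32: 0
...
"""


def parse_walk(text: str, base_oid: str) -> Dict[int, str]:
    """Map process index (last OID arc) to value for the rows under base_oid."""
    rows: Dict[int, str] = {}
    prefix = base_oid + "."
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue                      # "..." separators and blank lines
        oid = m.group("oid")
        if oid.startswith("iso."):
            oid = "1." + oid[4:]
        if not oid.startswith(prefix):
            continue                      # row belongs to another column
        suffix = oid[len(prefix):]
        if not suffix.isdigit():
            continue
        value = m.group("value").strip()
        if m.group("type") == "STRING":
            value = value.strip('"')
        rows[int(suffix)] = value
    return rows


def top_processes(names_walk: str, util_walk: str,
                  min_util: int = 1) -> List[Tuple[str, int, int]]:
    """Join both walks on the process index; return (name, cpu%, index) sorted by CPU."""
    names = parse_walk(names_walk, PROC_NAME_OID)
    utils = parse_walk(util_walk, PROC_UTIL_OID)
    result = []
    for idx, raw in utils.items():
        try:
            util = int(raw)
        except ValueError:
            continue                      # non-numeric rows (e.g. "No Such Instance")
        if util >= min_util:
            # a process seen in one walk but not the other (index 201 in the
            # sample) is kept visible rather than silently dropped
            result.append((names.get(idx, f"<index {idx}>"), util, idx))
    result.sort(key=lambda r: (-r[1], r[2]))
    return result


if __name__ == "__main__":
    for name, util, idx in top_processes(SAMPLE_NAMES, SAMPLE_UTIL):
        print(f"{util:3d}%  {name} (index {idx})")
```

Lower `min_util` to 0 to see every process, or run the two snmpwalk commands from the post with their output redirected to files and pass the file contents to `top_processes`.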