I was recently asked to take the Cisco Security Express SA Exam 500-651. This had its problems pre-March 2018 where many of the questions didn’t actually make sense! I watched the videos (which along with the blueprint represents ALL the study material!).
Here is the mind map i made from watching the videos and prior to passing the exam! Please ignore any spelling etc errors. It was done in a rush so obviously no warranty provided!
S,
Cisco Security Express SA Exam 500-651
These are my notes on OSPF Throttling for CCIE study.
This is a feature to delay running the SPF process which could be useful in unstable networks or for other reasons. It works on the basis that the router controls when to run the shortest path first algorithm, and in a network where LSA are constantly being received can reduce the burden on the router. The default for Cisco routers are spf-start & hold of 5secs, and max is 10sec. There are 3 variables:
spf-start: The time between receiving an LSA and rerunning SPF calculation
spf-hold: The minimum delay AFTER running SPF, before allowing another recalculation. This values doubles each time its referenced until its more than max-wait.
spf-max-wait: this is used for both the max wait between SPF calcs, and the time to pass before the network is considered stable.
Example Below R4#conf t Enter configuration commands, one per line. End with CNTL/Z. R4(config)#router ospf 1 R4(config-router)#timers throttle ? lsa OSPF LSA throttle timers spf OSPF SPF throttle timers R4(config-router)#timers throttle spf ? Delay between receiving a change to SPF calculation in milliseconds R4(config-router)#timers throttle spf 3000 ? Delay between first and second SPF calculation in milliseconds R4(config-router)#timers throttle spf 3000 10000 ? Maximum wait time in milliseconds for SPF calculations R4(config-router)#timers throttle spf 3000 10000 50000 R4# show ip ospf | in SPF Initial SPF schedule delay 3000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 50000 msecs Incremental-SPF disabled SPF algorithm last executed 00:17:44.824 ago SPF algorithm executed 11 times SPF algorithm last executed never ago SPF algorithm executed 0 times R4#debug ip ospf spf statistic OSPF SPF statistics debugging is on ###I then shut, unshut an interface within the area several times. R4# *Apr 8 22:17:04.827: OSPF-1 MON : reset throttling to 3000ms next wait-interval 10000ms R4# *Apr 8 22:17:07.827: OSPF-1 STATS: Begin SPF at 2321.288ms, process time 468ms *Apr 8 22:17:07.827: OSPF-1 STATS: Last spf_time 00:36:45.964, wait_interval 3000ms *Apr 8 22:17:07.851: OSPF-1 MON : Setting next wait-interval to 10000ms <<< Sets to hold *Apr 8 22:17:07.851: OSPF-1 STATS: Schedule time 00:38:41.312, Next wait_interval 10000ms R4# *Apr 8 22:17:32.067: OSPF-1 STATS: Begin SPF at 2345.528ms, process time 564ms *Apr 8 22:17:32.067: OSPF-1 STATS: Last spf_time 00:38:54.516, wait_interval 10000ms *Apr 8 22:17:32.079: OSPF-1 MON : Setting next wait-interval to 20000ms <<< Sets to double current hold *Apr 8 22:17:32.079: OSPF-1 STATS: Schedule time 00:39:05.540, Next wait_interval 20000ms R4# *Apr 8 22:17:52.079: OSPF-1 STATS: Begin SPF at 2365.540ms, process time 588ms *Apr 8 22:17:52.079: OSPF-1 STATS: Last spf_time 00:39:05.540, wait_interval 20000ms *Apr 8 22:17:52.103: OSPF-1 MON : Setting next wait-interval to 40000ms <<< Sets to double current hold *Apr 8 22:17:52.103: OSPF-1 STATS: Schedule time 00:39:25.564, Next wait_interval 40000ms R4# *Apr 8 22:18:32.107: OSPF-1 STATS: Begin SPF at 2405.568ms, process time 664ms *Apr 8 22:18:32.107: OSPF-1 STATS: Last spf_time 00:39:25.568, wait_interval 40000ms *Apr 8 22:18:32.123: OSPF-1 MON : Setting next wait-interval to 50000ms <<< Sets to Max-Age *Apr 8 22:18:32.123: OSPF-1 STATS: Schedule time 00:40:05.584, Next wait_interval 50000ms R4# *Apr 8 22:19:22.127: OSPF-1 STATS: Begin SPF at 2455.588ms, process time 736ms *Apr 8 22:19:22.127: OSPF-1 STATS: Last spf_time 00:40:05.588, wait_interval 50000ms *Apr 8 22:19:22.151: OSPF-1 MON : Setting next wait-interval to 50000ms *Apr 8 22:19:22.155: OSPF-1 STATS: Schedule time 00:40:55.616, Next wait_interval 50000ms ###I waited for the max-age to time out then shut, unshut an interface within the area. *Apr 8 22:22:37.767: OSPF-1 MON : reset throttling to 3000ms next wait-interval 10000ms R4# *Apr 8 22:22:40.767: OSPF-1 STATS: Begin SPF at 2654.228ms, process time 776ms *Apr 8 22:22:40.767: OSPF-1 STATS: Last spf_time 00:40:55.616, wait_interval 3000ms *Apr 8 22:22:40.795: OSPF-1 MON : Setting next wait-interval to 10000ms *Apr 8 22:22:40.795: OSPF-1 STATS: Schedule time 00:44:14.256, Next wait_interval 10000ms
This is a feature to delay generating the same LSA (the same being link, type and originator). There are 3 variables and these have the same functionality as the spf timers. Start-interval, Hold-Interval an Max-interval. The default values for Cisco are start 0Sec, hold and max of 5Secs each.
R1(config-if)#router ospf 1
R1(config-router)#timers throttle lsa 3000 10000 50000
R1(config-if)#do show ip ospf | in LSA
R1#show ip ospf | in LSA
Initial LSA throttle delay 3000 msecs
Minimum hold time for LSA throttle 10000 msecs
Maximum wait time for LSA throttle 50000 msecs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secsAs well as throttling outbound, the command “timers lsa arrival {msec}” which will only process the first of the same LSAs with the time specified. It is 1000 msec by default.
Here is a basic ping script for Cisco tcl shell:
tclsh
foreach X {
150.1.1.1
150.1.2.2
150.1.3.3
150.1.4.4
150.1.5.5
150.1.6.6
150.1.7.7
150.1.8.8
150.1.9.9
150.1.10.10
} { ping $X }
Where are the ports-group boundaries on the Nexus 7700 M3 Cards for VDCs?
Found single slide within Cisco docs…
This was in the depths of this article here.
Remembering what happened in your last putty session!
Within Session > Logging > {all session output } insert the following
C:\Users\<user>\Documents\Projects\PUTTY SESSIONS\&H-&Y&M&D&T.log
It will save all session output into the folder specified with the filename of Host-Year-Month-Day-Time.log
Save this in the default profile to enable it for future use.
I am using putty Release 0.67
Needing to monitoring the traffic on an F5.
Running a packet capture over SSH and then grabbing the file using sftp or winscp.
tcpdump -s0 -nni 0.0 host <Client_IP> and port <number> and host <VS_IP> -w /var/tmp/Monitor_Resets.pcap where: -s0 gives the complete packet. -nni disable service port lookups, dns lookups and specifies internal interface
All the rest of the options can be found at F5 here.
I hit this Firepower bug while upgrading two 5525x firepower modules to 6.1.0. Everything appeared normal until i got to one of the 6.1.0 firepower images.
The error appeared in the sfr console logs as:
Cisco-Firewall# show module sfr log console DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SFDBI.pm line 588. DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SFDBI.pm line 588. DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SFDBI.pm line 588.
This ties in with following bug at Cisco.com.
Re-imaging SFR module to 6.1 fails on ASA version 9.5(2) : CSCvb53856
