Wednesday, November 18, 2009

STP Root and a simple trick

Hi all,
today I was playing with some switches and noticed this strange STP output:

3560-48#sh spann vlan 10

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0015.facf.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 0015.facf.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8 Desg FWD 19 128.10 P2p
Fa0/10 Desg FWD 19 128.12 P2p
Fa0/14 Desg FWD 19 128.16 P2p
Fa0/16 Desg FWD 19 128.18 P2p
Fa0/47 Desg LBK 19 128.51 P2p

This switch is the root bridge for VLAN 10, but note that port Fa0/47 is not forwarding (status LBK, loopback).

Here is the same output after enabling RSTP; nothing changed:

3560-48# sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 24586
Address 0015.facf.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 0015.facf.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8 Desg FWD 19 128.10 P2p Peer(STP)
Fa0/10 Desg FWD 19 128.12 P2p Peer(STP)
Fa0/14 Desg FWD 19 128.16 P2p Peer(STP)
Fa0/16 Desg FWD 19 128.18 P2p Peer(STP)
Fa0/47 Back BLK 19 128.51 P2p

3560-48#


Well, the question is... why does an STP root bridge have a blocked port?
As you can see from the second output, the port is classified as "Backup"... but here we are the root, so a backup port to reach the root makes no sense...

If you want to know how it's possible, read on and laugh ;-)



3560-48#sh run int fa 0/47
Building configuration...

Current configuration : 147 bytes
!
interface FastEthernet0/47
switchport access vlan 10
switchport mode access
switchport nonegotiate
no keepalive
end


Whoops, there's an L1 loopback inserted into Fa0/47 ;-)



With this physical loopback and keepalive disabled, the port comes up and every BPDU sent is also received, so, if I have understood correctly, the root bridge is convinced it has an additional port to reach the root ;-)

... I have several Layer 8 problems, I know ;-)))))
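To show why a looped-back BPDU ends up as a "Backup" port even on the root, here is a small model of the RSTP port-role rules (IEEE 802.1D-2004, clauses 17.6 and 17.7), added as an example and not code from this post or from IOS. The bridge ID and port numbers come from the output above; the downstream neighbor and its BPDU are constructed.

```python
# Simplified RSTP port-role selection (IEEE 802.1D-2004, clauses 17.6/17.7),
# added to explain the "Backup" port on a root bridge; not code from the post.
# A priority vector is the tuple
# (RootID, RootPathCost, DesignatedBridgeID, DesignatedPortID, RxPortID);
# Python tuple ordering makes the lower vector the "better" one.
# Bridge IDs are (priority, mac); port IDs are (priority, number), e.g. 128.51.

def superior(msg, designated):
    """Does a received BPDU replace the port's own (designated) vector?
    17.6: yes if it is better, OR if it was sent by the same designated
    bridge and port the port already claims, because then the port's
    information is no longer 'Mine' but 'Received'. A looped-back BPDU
    takes exactly that second branch."""
    return msg < designated or (msg[2] == designated[2] and msg[3] == designated[3])

def port_roles(bridge, ports, received, path_cost=19):
    """bridge: own bridge id; ports: {name: port number}; received:
    {name: (RootID, RootPathCost, DesignatedBridgeID, DesignatedPortID)}
    from the last BPDU heard on that port. Returns {name: role}."""
    pid = {name: (128, num) for name, num in ports.items()}
    # Root priority vector: the bridge's own vector or the best root path
    # vector learned on a port, ignoring BPDUs this bridge sent itself.
    best, root_port = (bridge, 0, bridge, (0, 0), (0, 0)), None
    for name, bpdu in received.items():
        if bpdu[2] == bridge:
            continue
        cand = (bpdu[0], bpdu[1] + path_cost, bpdu[2], bpdu[3], pid[name])
        if cand < best:
            best, root_port = cand, name
    roles = {}
    for name in ports:
        designated = (best[0], best[1], bridge, pid[name], pid[name])
        bpdu = received.get(name)
        msg = bpdu + (pid[name],) if bpdu else None
        if name == root_port:
            roles[name] = "Root"
        elif msg is None or not superior(msg, designated):
            roles[name] = "Designated"      # port information is 'Mine'
        elif designated < msg:
            roles[name] = "Designated"      # heard something, but we still win
        elif msg[2] == bridge:
            roles[name] = "Backup"          # our own BPDU came back to us
        else:
            roles[name] = "Alternate"       # another path to the root
    return roles

# Constructed from the post's second "show spanning-tree vlan 10" output.
ROOT = (24586, "0015.facf.0000")
PORTS = {"Fa0/8": 10, "Fa0/10": 12, "Fa0/14": 16, "Fa0/16": 18, "Fa0/47": 51}
NEIGHBOR = (32778, "0019.0000.aaaa")    # assumed downstream switch (constructed)
HEARD = {
    "Fa0/8": (ROOT, 19, NEIGHBOR, (128, 1)),   # neighbor agrees we are root
    "Fa0/47": (ROOT, 0, ROOT, (128, 51)),      # Fa0/47 hears its own BPDU
}

def example():
    return port_roles(ROOT, PORTS, HEARD)

if __name__ == "__main__":
    for port, role in example().items():
        print(f"{port:<8}{role}")
```

Fa0/47 comes out as Backup because its own BPDU matches the designated bridge and port it already claims, which is the one case where the standard treats a non-better message as replacing the port's information.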

Monday, November 9, 2009

BGPGEN: a simple TCL script to generate BGP prefixes

hi all,
during my courses at Europa Networking (BG, Italy) I've always heard Rocco Tessicini talking about a script to generate BGP prefixes on Cisco routers.
Unfortunately I couldn't find one ready to download, so today I decided to write my own (the simpler, the better).

Here is the resulting script:


##################################################################################
## Tclsh BGPGEN SCRIPT v0.3 Beta: Add random BGP prefixes to a process
## Use with care on CISCO routers
## By Marco Rizzi ( http://rizzitech.blogspot.com ) marco.rizzi.com[A_T]gmail.com
## Date Nov 09, 2009
## licensed under a Creative Commons Attribution 3.0 United States License
## ( http://creativecommons.org/licenses/by/3.0/us/ ) ;-)
##################################################################################
### USAGE: BGPGEN (number_of_prefixes_to_gen) (bgp_as_number)

## BE CAREFUL! too many prefixes will consume a lot of router resources!
## DON'T USE ON PRODUCTION SYSTEMS, IT'S ONLY FOR LAB TESTING
## No warranty, provided "AS IS"

## Main procedure
proc BGPGEN {n_prefixes bgp_as} {
## 1) adds a redistribute static command under your bgp process
ios_config "router bgp $bgp_as" "redistribute static"

## 2) creates n_prefixes random static routes to null0 from /16 to /24
## ("<" not "<=", otherwise one route more than requested is created)
for {set i 0} {$i < $n_prefixes} {incr i} {
Gen_rnd_Static
}
}


####################################################################

proc Gen_rnd_Static {} {
## Generate one random static route to null0 with a subnet mask
## between 16 and 24 bits: network A.B.C.0, mask 255.255.CM.0

## bits = mask bits used in the third octet: 0..8 -> /16../24
set bits [expr {int(rand()*9)}]
## block size of the third octet for that mask: 256, 128, ..., 1
set step [expr {256 >> $bits}]
## CM = 256 - step, i.e. 0, 128, 192, 224, 240, 248, 252, 254 or 255
set CM [expr {256 - $step}]
## C must be a multiple of step, so the network is aligned to its mask
## (every block, including the highest one, can now be picked)
set C [expr {int(rand() * (1 << $bits)) * $step}]

## Create the random first octet A (11..222), retrying on loopback
## and on the 172/8 and 192/8 blocks: still not bullet-proof, e.g.
## 100.64/10, 169.254/16 and 192.0.2/24 are not excluded (can be improved ;-) )
set A [expr {11 + int(rand()*212)}]
while {$A == 127 || $A == 172 || $A == 192} {
set A [expr {11 + int(rand()*212)}]
}

set B [expr {int(rand()*256)}]

## configure the final static (a duplicate prefix is simply re-issued)
ios_config "ip route $A.$B.$C.0 255.255.$CM.0 null0"

}

################################# END OF SCRIPT ###################################
##
##
### USAGE: BGPGEN (number_of_prefixes_to_gen) (bgp_as_number)
#### enjoy ;-)


Obviously I'm not a good programmer, so it can be improved.

To execute it, simply type tclsh and paste the code; check for errors caused by the fast paste and, in that case, copy and paste smaller pieces...

then type, e.g.:
R3(tcl)#BGPGEN 10000 64500

and wait until BGPGEN execution terminates.
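The same generator idea written offline, as an added example (not the post's Tcl script): it emits the "ip route ... null0" lines so they can be reviewed or saved before being pasted, with every network aligned to its mask and the well-known private and reserved blocks skipped, which the Tcl filter only approximates. The reserved list and the seed are my own choices.

```python
# Offline counterpart of BGPGEN, added as an example (not the post's script).
import ipaddress
import random

# Blocks that should never show up as fake "internet" prefixes in the lab.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3")]

def random_prefix(rng, min_len=16, max_len=24):
    """Pick a random /16../24 network aligned to its mask, outside RESERVED."""
    while True:
        plen = rng.randint(min_len, max_len)
        # random 32-bit address; strict=False clears the host bits for us
        net = ipaddress.IPv4Network((rng.getrandbits(32), plen), strict=False)
        if not any(net.overlaps(r) for r in RESERVED):
            return net

def static_route_line(net):
    """Render one network as the IOS command BGPGEN pushes via ios_config."""
    return f"ip route {net.network_address} {net.netmask} null0"

def bgpgen(n_prefixes, seed=None):
    """Return n_prefixes distinct static-route lines (seed makes it repeatable)."""
    rng = random.Random(seed)
    nets = set()
    while len(nets) < n_prefixes:
        nets.add(random_prefix(rng))
    return [static_route_line(n) for n in sorted(nets)]

def check_line(line):
    """Parse a generated line back and verify alignment, length and range."""
    _, _, addr, mask, nexthop = line.split()
    net = ipaddress.ip_network(f"{addr}/{mask}")   # strict: raises if unaligned
    return (nexthop == "null0" and 16 <= net.prefixlen <= 24
            and not any(net.overlaps(r) for r in RESERVED))

if __name__ == "__main__":
    print("\n".join(bgpgen(10, seed=2009)))
```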

On the BGP neighbor you can see the prefixes arriving, e.g.:

R2#sh ip bgp summary
BGP router identifier 23.23.23.2, local AS number 65000
BGP table version is 146398, main routing table version 146398
34489 network entries using 4552548 bytes of memory
34489 path entries using 1793428 bytes of memory
2/1 BGP path/bestpath attribute entries using 296 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 6346296 total bytes of memory
BGP activity 90156/55667 prefixes, 90707/56218 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
12.12.12.1 4 65000 3238 794 0 0 0 00:02:46 Active
23.23.23.3 4 64500 855 71 146237 0 0 00:01:49 34489
R2#


and you may also see errors and experience crashes. ;-)

Any comment and/or feature/improvement is always welcome!

have phun with your routing tables ;-)
Marco

Friday, November 6, 2009

AUX back-to-back: poor man's connection

Hi all,

today I focused my attention on the AUX port, the only free one I have in my old 2600 lab....

So, first I found some old docs on Cisco.com explaining clearly how to connect two routers back-to-back using the AUX port:

Connecting Routers Back-to-Back Through the AUX Ports (Document ID: 10365 )

and then it was time to try it:

1) use an old rollover RJ-45 cable to connect the AUX ports (pins 1-8 to 8-1... as learned in CCNA times)


2) Find the AUX tty number on both sides:

R3#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0 0/0 -
65 AUX 9600/9600 - - - - - 0 0 0/0 -
66 VTY - - - - - 0 0 0/0 -
67 VTY - - - - - 0 0 0/0 -
68 VTY - - - - - 0 0 0/0 -
69 VTY - - - - - 0 0 0/0 -
70 VTY - - - - - 0 0 0/0 -

Line(s) not in async mode -or- with no hardware support:
1-64



R5#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0 0/0 -
5 AUX 9600/9600 - - - - - 0 0 0/0 -
6 VTY - - - - - 0 0 0/0 -
7 VTY - - - - - 0 0 0/0 -
8 VTY - - - - - 0 0 0/0 -
9 VTY - - - - - 0 0 0/0 -
10 VTY - - - - - 0 0 0/0 -

Line(s) not in async mode -or- with no hardware support:
1-4

As you can see, different hardware/platforms can use different tty numbers for the AUX port; here we have tty 65 and tty 5.

3) configure the AUX port on both sides:

R5(config)#line aux 0
R5(config-line)#transport input all
R5(config-line)#modem inOut
R5(config-line)#flowcontrol hardware
R5(config-line)#speed 115200 !-- better than 9600...
R5(config-line)#end

!-- same on R3


4) Create and configure the async interfaces (each interface uses the tty number of the AUX port found in step 2)


R5(config)#int async 5 !-- remember the tty number for AUX?
R5(config-if)#encapsulation ppp
R5(config-if)#async default routing
R5(config-if)#async mode dedicated
R5(config-if)#ip address 10.0.0.5 255.255.255.0
R5(config-if)#end
R5#


R3(config)#int async 65 !-- remember the tty number for AUX?
R3(config-if)#encapsulation ppp
R3(config-if)#async default routing
R3(config-if)#async mode dedicated
R3(config-if)#ip address 10.0.0.3 255.255.255.0
R3(config-if)#end



Wait a little and you will see messages like:

R5#
*Nov 6 16:58:20.237: %LINK-3-UPDOWN: Interface Async5, changed state to up
*Nov 6 16:58:23.394: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async5, changed state to up
R5#


...Now you have a poor man's additional interface for your lab!
You can ping it and use it for dynamic routing (although you can't use it for MPLS or other advanced features... ;-) ). (PS: Nov 14, at another "informal meeting", aka a beer, with Nicola Modena (CCIE R&S #19119), he told me he has been using AUX back-to-back connections for a couple of years and runs MPLS over them! ;-) So I corrected this post (and tried it with MPLS too ;-) )

R2#sh run int async 1 | beg int
interface Async1
ip address 192.168.0.2 255.255.255.0
encapsulation ppp
ip ospf 1 area 0.0.0.0
async dynamic routing
async mode dedicated
mpls ip
routing dynamic
end

R2#sh mpls interfaces detail
Interface Async1:
IP labeling enabled (ldp):
Interface config
LSP Tunnel labeling not enabled
BGP labeling not enabled
MPLS operational
MTU = 1500
R2#



Marco


NOTE: I found an additional note in Document ID: 5465 (Configuring Dialout using a Modem on the AUX Port)
about the AUX speed:

speed 115200
!--- The AUX port on the 2600 supports a speed of 115200.
!--- Note: If you route through the AUX port, each character generates a
!--- processor interrupt. This is an abnormally high load on the CPU,
!--- which can be resolved if you use a lower AUX port speed.

I guess that in a lab environment the CPU usage will be low.

Monday, October 26, 2009

Another spaghetti rack

I was in a building last week for some troubleshooting tasks.

When I entered the wiring closet to find a switch port for my laptop, it looked like...



one of the best spaghetti racks ever seen!




and here I found my port ;-)

(2nd switch from above, port 0/45...)

Marco

Thursday, October 22, 2009

Tip-of-day: ip access-list resequence

Hi all,

today's trick is access-list resequencing.

Consider an access-list with ugly sequence numbers, maybe derived from several configuration changes, e.g.:


R6# sh access-lists
Extended IP access list test
1 permit tcp any any eq www
2 permit tcp any any eq 443
3 permit tcp any any eq domain
4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet
5 permit tcp 172.16.0.0 0.0.255.255 any eq ssh
6 deny ip any any

R6#sh run | sec access-list
ip access-list extended test
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit tcp 172.16.0.0 0.0.255.255 any eq telnet
permit tcp 172.16.0.0 0.0.255.255 any eq 22
deny ip any any


If I have to modify it, the "old times" method was to remove the ACL from the interfaces, delete it, recreate it and then reapply it on the interfaces... but this is a named extended ACL, and since named ACL entries have sequence numbers you can insert and modify statements in place.

In this case, as you can see, there's no space between sequence numbers, so today's trick is to resequence the ACL with the "ip access-list resequence" command
(see "Refining an IP Access List").

Let's try it:

R6#sh access-lists
Extended IP access list test
1 permit tcp any any eq www
2 permit tcp any any eq 443
3 permit tcp any any eq domain
4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (394 matches)
5 permit tcp 172.16.0.0 0.0.255.255 any eq 22
6 deny ip any any (24 matches)

R6# conf t
R6(config)#ip access-list resequence test ?
<1-2147483647> Starting Sequence Number

R6(config)#ip access-list resequence test 10 ?
<1-2147483647> Step to increment the sequence number

R6(config)#ip access-list resequence test 10 10 ?
< cr >

R6(config)#ip access-list resequence test 10 10
R6(config)#do sh ip access-lists test
Extended IP access list test
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 permit tcp any any eq domain
40 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (496 matches)
50 permit tcp 172.16.0.0 0.0.255.255 any eq 22
60 deny ip any any (24 matches)
R6(config)#


et voilà, named access-list ready to be modified ;-)

Marco

Wednesday, October 14, 2009

Mpls Vpn review

Hi all,
I'm completely busy studying for the CCIE R&S written, but I want to share an MPLS VPN lab for reviewing MPLS topics.

Here is the topology:



Task list for this lab:
-R1-R2-R3-R4-R5-R6-R7 (ISP) cannot elect any DR/BDR, to speed up convergence
-Any OSPF area 0.0.0.0 neighbor fault must be detected within 1 second or less (NOTE: if you use dynamips, this requirement can be skipped or "relaxed"...: the high CPU utilization will flap your adjacencies when you perform some operations like enabling MPLS...)
-area 0.0.0.0 must be ready for future traffic engineering configurations
-All ISP loopbacks must be reachable via the IGP
-R1 acts as MP-BGP Route Reflector
-CE11, CE12 and CE13 belong to the same organization, named "Customer1"; they use EIGRP AS 1 for L3 VPN connections
-CE21, CE22 and CE23 belong to the same organization, named "Customer2"; they use BGP AS 65222 for L3 VPN connections
-BB1 and BB2 are "the internet"; they must announce at least 10,000 prefixes via BGP
-R1 must prefer BB1 for odd networks and BB2 for even networks
-Customers must receive only a default route to reach the internet, at every customer site

I used GNS3 with 7200s for the ISP and 3640s for the customers.


Here are the initial configs, just to speed up the lab start:




!-------------------------------
!-- R1 initial config

conf t
hostname R1

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R1 <-> R3
speed 100
duplex full
ip address 172.16.0.4 255.255.255.254
no shut

int fa 1/0
desc R1 <-> R2
speed 100
duplex full
ip address 172.16.0.2 255.255.255.254
no shut

int fa 1/1
desc R1 <-> R4
speed 100
duplex full
ip address 172.16.0.6 255.255.255.254
no shut

int fa 2/0
desc R1 <-> BB1
speed 100
duplex full
ip address 172.31.0.0 255.255.255.254
no shut

int fa 2/1
desc R1 <-> BB2
speed 100
duplex full
ip address 172.31.0.2 255.255.255.254
no shut

int lo 0
ip address 1.1.1.1 255.255.255.255
end

!-- END R1 initial config
!-------------------------------
!-- R2 initial config

conf t
hostname R2

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R2 <-> R5
ip address 172.16.0.0 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R2 <-> R1
speed 100
dupl full
ip addr 172.16.0.3 255.255.255.254
no shut

int lo 0
ip address 2.2.2.2 255.255.255.255
end

!-- END R2 initial config
!-------------------------------
!-- R3 initial config

conf t
hostname R3

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R3 <-> R1
ip address 172.16.0.5 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R3 <-> R6
speed 100
dupl full
ip addr 172.16.0.10 255.255.255.254
no shut

int lo 0
ip address 3.3.3.3 255.255.255.255
end

!-- END R3 initial config
!-------------------------------
!-- R4 initial config

conf t
hostname R4

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R4 <-> R7
ip address 172.16.0.8 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R4 <-> R1
speed 100
dupl full
ip addr 172.16.0.7 255.255.255.254
no shut

int lo 0
ip address 4.4.4.4 255.255.255.255
end

!-- END R4 initial config
!-------------------------------
!-- R5 initial config

conf t
hostname R5

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R5 <-> R2
speed 100
dupl full
ip addr 172.16.0.1 255.255.255.254
no shut

int fa 1/0
desc R5 <-> CE21
speed 100
dupl full
ip address 10.21.0.0 255.255.255.254
no shut

int fa 1/1
desc R5 <-> CE11
speed 100
dupl full
ip address 10.11.0.0 255.255.255.254
no shut

int lo 0
ip address 5.5.5.5 255.255.255.255
end

!-- END R5 initial config
!-------------------------------
!-- R6 initial config

conf t
hostname R6

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R6 <-> R3
ip address 172.16.0.11 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R6 <-> CE12
speed 100
dupl full
ip addr 10.11.0.4 255.255.255.254
no shut

int fa 1/1
desc R6 <-> CE22
speed 100
dupl full
ip address 10.21.0.4 255.255.255.254
no shut

int lo 0
ip address 6.6.6.6 255.255.255.255
end

!-- END R6 initial config
!-------------------------------
!-- CE11 initial config

conf t
hostname CE11

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE11 <-> R5
ip address 10.11.0.1 255.255.255.254
speed 100
dupl full
no shut

int lo 111
ip address 192.168.1.1 255.255.255.0

int lo 112
ip address 172.17.1.1 255.255.255.128
end

!-- END CE11 initial config
!-------------------------------
!-- CE12 initial config

conf t
hostname CE12

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE12 <-> R6
ip address 10.11.0.5 255.255.255.254
speed 100
dupl full
no shut

int lo 121
ip address 192.168.2.1 255.255.255.0

int lo 122
ip address 172.17.1.129 255.255.255.128
end

!-- end CE12 initial config
!-------------------------------
!-- CE13 initial config

conf t
hostname CE13

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE13 <-> R7
ip address 10.11.0.3 255.255.255.254
speed 100
dupl full
no shut

int lo 131
ip address 192.168.3.1 255.255.255.0

int lo 132
ip address 172.17.2.1 255.255.255.0
end

!-- END CE13 initial config
!-------------------------------
!-- CE21 initial config

conf t
hostname CE21

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE21 <-> R5
ip address 10.21.0.1 255.255.255.254
speed 100
dupl full
no shut

int lo 211
ip address 192.168.0.1 255.255.254.0

int lo 212
ip address 172.17.1.1 255.255.252.0
end

!-- END CE21 initial config
!-------------------------------
!-- CE22 initial config

conf t
hostname CE22

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE22 <-> R6
ip address 10.21.0.5 255.255.255.254
speed 100
dupl full
no shut

int lo 221
ip address 192.168.2.1 255.255.254.0

int lo 222
ip address 172.17.4.1 255.255.252.0
end

!-- END CE22 initial config
!-------------------------------
!-- CE23 initial config

conf t
hostname CE23

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE23 <-> R7
ip address 10.21.0.3 255.255.255.254
speed 100
dupl full
no shut

int lo 231
ip address 192.168.4.1 255.255.254.0

int lo 232
ip address 172.17.8.1 255.255.252.0
end

!-- END CE23 initial config

Thursday, September 17, 2009

Today's work in a shot

Several boxes have been waiting for me for a week...

today I unpacked two 4948s and several 2950s; here are the shots (only one 2950 already out of the box)!





And the 4948s with redundant power supply: