Sunday, December 28, 2008

BGP Lab: Confederations and Route Reflectors

Hi all, here's my final lab for the BGP exam preparation:



There are 3 BGP autonomous systems; the biggest one, AS 885, is divided into 2 confederation sub-ASs and has 4 route reflectors (RR).
In the first version of this lab I had put CON3 outside the confederation, but I had to change that because it is impossible: every router in a confederated AS must belong to a sub-AS itself.

Main goals for this lab are:

-configure OSPF as the IGP for internal links and loopbacks (loopbacks are 1.1.1.1 for CON1, 2.2.2.2 for CON2, and so on)
-configure eBGP and iBGP for the 3 ASs

-AS 885 must summarize its customers' prefixes before propagating them to the other ASs

As usual, the most relevant parts of the configuration follow. Stay tuned! ;-)

  • First I configured all point-to-point links and tested them with a simple ping
  • Then all IGP routing with OSPF. Note the virtual link through area 25; otherwise the backbone would be discontiguous. I decided to configure area 33 as stub no-summary to reduce the routing table size, so the Provider Edge routers have a smaller routing table. Note that on CON1 and CON4 the links towards the other ASs must be routed in OSPF, so that all AS 885 routers can reach the BGP next hop. Here is my OSPF config:

CON1#sh run | beg router ospf

router ospf 1
router-id 1.1.1.1
log-adjacency-changes
area 25 virtual-link 13.13.13.13
passive-interface default
no passive-interface Vlan2
no passive-interface Vlan3
no passive-interface Vlan4
no passive-interface Vlan12
no passive-interface Vlan13
network 1.1.1.1 0.0.0.0 area 0
network 10.5.0.5 0.0.0.0 area 0
network 10.5.0.9 0.0.0.0 area 0
network 10.5.0.18 0.0.0.0 area 0
network 10.5.25.9 0.0.0.0 area 25
network 10.5.25.13 0.0.0.0 area 25
network 192.168.1.9 0.0.0.0 area 890


CON4#sh run | beg router ospf
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
area 33 stub no-summary
passive-interface default
no passive-interface Vlan2
no passive-interface Vlan5
no passive-interface Vlan6
no passive-interface Vlan8
no passive-interface Vlan10
network 4.4.4.4 0.0.0.0 area 0
network 10.5.0.6 0.0.0.0 area 0
network 10.5.0.14 0.0.0.0 area 0
network 10.5.0.22 0.0.0.0 area 0
network 10.5.33.1 0.0.0.0 area 33
network 10.5.33.9 0.0.0.0 area 33
network 192.168.1.1 0.0.0.0 area 892
network 192.168.1.5 0.0.0.0 area 891

Here areas 890/891/892 are used only to route the point-to-point links towards the other ASs.
I used separate areas to avoid suboptimal paths: at first I thought of using area 33, but the result was that all traffic from CON7 went through CON15 and CON4, because the CON7-CON4 link is in area 0, and I don't want to use area 0 for the AS peering links.

  • Route reflectors: let's start with the simplest one, CON13 (no additional or unusual configuration is required on the RR clients CON9 and CON14, just a single iBGP session)

CON13#sh run | beg router bgp
router bgp 65008 !-- here we must use the confederation AS number
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 885 !-- this is the "global" AS number
bgp confederation peers 65002 !-- declaration of the other sub-ASs in the confederation (declare only the peers, not your own sub-AS)
neighbor CORE2 peer-group
neighbor CORE2 remote-as 65002
neighbor CORE2 ebgp-multihop 2 !-- ebgp-multihop is required: intra-confederation sessions are treated as eBGP sessions
neighbor CORE2 update-source Loopback0
neighbor PE-ROUTERS peer-group
neighbor PE-ROUTERS remote-as 65008
neighbor PE-ROUTERS update-source Loopback0
neighbor PE-ROUTERS route-reflector-client !-- here I declare them RR clients, so the iBGP split-horizon rule is relaxed for them
neighbor 1.1.1.1 remote-as 65008
neighbor 1.1.1.1 update-source Loopback0
neighbor 4.4.4.4 peer-group CORE2
neighbor 7.7.7.7 peer-group CORE2
neighbor 9.9.9.9 peer-group PE-ROUTERS
neighbor 14.14.14.14 peer-group PE-ROUTERS
no auto-summary
I used peer-groups to improve scalability in case more route reflector clients are added later.
Now take a look at the RR configuration of CON7 and CON4. Here we must use bgp cluster-id nn to avoid loops in the route reflection.

CON7#sh run | beg router bgp
router bgp 65002
no synchronization
bgp cluster-id 7
bgp log-neighbor-changes
bgp confederation identifier 885
bgp confederation peers 65008
neighbor PE-ROUTERS peer-group
neighbor PE-ROUTERS remote-as 65002
neighbor PE-ROUTERS update-source Loopback0
neighbor PE-ROUTERS route-reflector-client
neighbor CORE8 peer-group
neighbor CORE8 remote-as 65008
neighbor CORE8 ebgp-multihop 2
neighbor CORE8 update-source Loopback0
neighbor 1.1.1.1 peer-group CORE8
neighbor 4.4.4.4 remote-as 65002
neighbor 4.4.4.4 update-source Loopback0
neighbor 6.6.6.6 peer-group PE-ROUTERS
neighbor 13.13.13.13 peer-group CORE8
neighbor 15.15.15.15 peer-group PE-ROUTERS
no auto-summary



CON4#sh run | beg router bgp
router bgp 65002
no synchronization
bgp cluster-id 4
bgp log-neighbor-changes
bgp confederation identifier 885
bgp confederation peers 65008
neighbor PE-ROUTERS peer-group
neighbor PE-ROUTERS remote-as 65002
neighbor PE-ROUTERS update-source Loopback0
neighbor PE-ROUTERS route-reflector-client
neighbor CORE8 peer-group
neighbor CORE8 remote-as 65008
neighbor CORE8 ebgp-multihop 2
neighbor CORE8 update-source Loopback0
neighbor 1.1.1.1 peer-group CORE8
neighbor 6.6.6.6 peer-group PE-ROUTERS
neighbor 7.7.7.7 remote-as 65002
neighbor 7.7.7.7 update-source Loopback0
neighbor 13.13.13.13 peer-group CORE8
neighbor 15.15.15.15 peer-group PE-ROUTERS
neighbor 192.168.1.2 remote-as 892
neighbor 192.168.1.6 remote-as 779
no auto-summary
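As an added example (my code, not from the original post), here is a small Python model of the CON7/CON4 redundant route-reflector pair reflecting a prefix originated by client CON6, with the RFC 4456 ORIGINATOR_ID and CLUSTER_LIST loop checks. It compares the page's distinct cluster-ids (7 and 4) with a shared cluster-id; the prefix, the single-origin flood and the omission of the CORE8 confederation sessions are simplifications of mine.

```python
"""Model of iBGP route reflection with RFC 4456 loop prevention.
Topology taken from the CON7/CON4 configs above: two route reflectors,
clients CON6 (6.6.6.6) and CON15 (15.15.15.15), the RRs peering with each
other as non-clients. The confederation (CORE8) sessions are left out."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: Optional[str]    # ORIGINATOR_ID: router-id of the iBGP originator
    cluster_list: Tuple[str, ...]   # CLUSTER_LIST: one CLUSTER_ID prepended per reflection


@dataclass
class Router:
    rid: str
    cluster_id: Optional[str] = None        # None = plain iBGP speaker (RR client)
    clients: frozenset = frozenset()
    non_clients: frozenset = frozenset()
    accepted: List[Tuple[str, Update]] = field(default_factory=list)       # (sender, update)
    dropped: List[Tuple[str, Update, str]] = field(default_factory=list)   # (sender, update, why)

    def peers(self) -> frozenset:
        return self.clients | self.non_clients

    def receive(self, sender: str, upd: Update) -> List[Tuple[str, Update]]:
        """Apply the two RFC 4456 loop checks, install the route, and return
        the (peer, update) pairs this router sends on."""
        if upd.originator_id == self.rid:
            self.dropped.append((sender, upd, "ORIGINATOR_ID is my own router-id"))
            return []
        if self.cluster_id is not None and self.cluster_id in upd.cluster_list:
            self.dropped.append((sender, upd, "my CLUSTER_ID is already in CLUSTER_LIST"))
            return []
        first_copy = all(u.prefix != upd.prefix for _, u in self.accepted)
        self.accepted.append((sender, upd))
        # A client obeys plain iBGP split horizon; an RR only advertises the
        # first (here: best) copy it installs, so later copies stop here.
        if self.cluster_id is None or not first_copy:
            return []
        out = Update(upd.prefix,
                     upd.originator_id or sender,             # set once, by the first RR
                     (self.cluster_id,) + upd.cluster_list)   # prepend own CLUSTER_ID
        if sender in self.clients:
            targets = self.peers() - {sender}   # from a client: to all other peers
        else:
            targets = self.clients              # from a non-client: to clients only
        return [(t, out) for t in sorted(targets)]


def flood(routers: Dict[str, Router], origin: str, prefix: str) -> None:
    """Originate `prefix` on `origin` and run the reflection until no update is left."""
    queue = deque((peer, origin, Update(prefix, None, ()))
                  for peer in sorted(routers[origin].peers()))
    while queue:
        to, sender, upd = queue.popleft()
        for nxt, out in routers[to].receive(sender, upd):
            queue.append((nxt, to, out))


def lab(shared_cluster_id: bool) -> Dict[str, Router]:
    """Build the CON7/CON4 pair; with shared_cluster_id both RRs use cluster-id '1'."""
    rr7, rr4 = ("1", "1") if shared_cluster_id else ("7", "4")
    clients = frozenset({"6.6.6.6", "15.15.15.15"})
    rrs = frozenset({"7.7.7.7", "4.4.4.4"})
    routers = {
        "7.7.7.7": Router("7.7.7.7", rr7, clients, frozenset({"4.4.4.4"})),
        "4.4.4.4": Router("4.4.4.4", rr4, clients, frozenset({"7.7.7.7"})),
        "6.6.6.6": Router("6.6.6.6", None, non_clients=rrs),
        "15.15.15.15": Router("15.15.15.15", None, non_clients=rrs),
    }
    flood(routers, "6.6.6.6", "10.6.0.0/24")   # constructed prefix originated by CON6
    return routers


if __name__ == "__main__":
    for shared in (False, True):
        net = lab(shared)
        print("shared cluster-id" if shared else "distinct cluster-ids (as in the lab)")
        for rid, r in sorted(net.items()):
            print(f"  {rid:12} accepted={len(r.accepted)} dropped={len(r.dropped)}")
```

With distinct cluster-ids each RR keeps the copy reflected by the other RR as a backup; with one shared cluster-id that copy is dropped by the CLUSTER_LIST check, which is the trade-off behind the cluster-id choice.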

Monday, December 15, 2008

Wism Uptime

Back home, trying slowly to return to my "normal" life...

Now it's time to reboot our other Wism controller (at 23:45, off peak)!
I saw the same issue we experienced in October with the web auth portal; here is the uptime screenshot, as usual:



Well, the software on both our Wism controllers is a little outdated: we run version 4.1.181.0, and I guess the current one is 5.2....

(and, as usual, no new cooling system for the network room has appeared, so it's +30°C inside the controller... and we're in December ;-) )

Wednesday, November 26, 2008

Freezed?

But what happened to my blog?
Actually it's "frozen" because I am on vacation in London, UK, looking around for contacts and opportunities....

so be patient, more labs, BGP and MPLS oriented, will follow very soon!

stay tuned! ;-)

Marco

Tuesday, November 11, 2008

BGP Lab 2

After a little delay, it's time for another BGP lab!
Here is the topology:

Each ISP announces only its own /16 network and must suppress the more specific routes coming from its customers.
With this lab we can try different customer configurations; let's start with:


1) CUSTOMER1 (CON14):

Static routing with ISP2. (Easy!)
On the client side no special configuration is required, just a default route towards the ISP interface...

CON14#
interface FastEthernet0/0
description Link CON14 <-> CON13 Service Provider
ip address 150.20.1.14 255.255.255.252
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

On the provider side no BGP session is established with the customer; the customer's prefixes are statically routed and injected into the BGP process.
CON13#
router bgp 2
no synchronization
bgp log-neighbor-changes
redistribute static route-map Comm_no_export
neighbor 10.31.0.1 remote-as 2
neighbor 10.31.0.1 update-source Loopback1
neighbor 10.31.0.1 send-community
neighbor 10.31.0.6 remote-as 2
neighbor 10.31.0.6 update-source Loopback1
neighbor 10.31.0.6 send-community
no auto-summary
!
ip route 150.20.5.0 255.255.255.0 Vlan16
!
route-map Comm_no_export permit 100
set community no-export
!


Here I used the "redistribute static" statement in the BGP process, with a route-map that sets the community "no-export" on the customer's prefixes, so they will never be advertised to eBGP neighbors.
With this configuration additional single-homed customers can be added simply by adding more static routes, which are automatically redistributed into the BGP process (be careful: maybe you don't want all of them redistributed ;-) ).
But why set the no-export community? The service provider may want to summarize its routes before sending them to other service providers, so the customer prefixes must be suppressed.

2) CUSTOMER 2 (CON2): load balancing with BGP
Here the recommended configuration is a single eBGP session between loopbacks, with two static routes telling each side how to reach the other's loopback over the two links. There is no reason here to use two separate eBGP sessions with maximum-paths 2, since a single router terminates both circuits.
The customer has a BGP session to announce its own prefixes, but it doesn't need the full Internet BGP table, just a default route.
So on CON1 the configuration is:
CON1# sh run | begin router bgp
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 10.31.0.6 remote-as 2
neighbor 10.31.0.6 description iBGP CON6
neighbor 10.31.0.6 update-source Loopback1
neighbor 10.31.0.13 remote-as 2
neighbor 10.31.0.13 description iBGP CON13
neighbor 10.31.0.13 update-source Loopback1
neighbor 172.16.0.2 remote-as 65200
neighbor 172.16.0.2 description Customer 2 EBGP
neighbor 172.16.0.2 ebgp-multihop 2
neighbor 172.16.0.2 update-source Loopback1
neighbor 172.16.0.2 default-originate
neighbor 172.16.0.2 prefix-list default-only out
no auto-summary
!
ip route 172.16.0.2 255.255.255.255 150.20.1.6
ip route 172.16.0.2 255.255.255.255 150.20.1.10
!
ip prefix-list default-only seq 5 permit 0.0.0.0/0

From the customer's point of view:
CON2#sh ip bgp
BGP table version is 3, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 10.31.0.1 0 2 i
*> 150.20.6.0/24 0.0.0.0 0 32768 i


Tuesday, October 21, 2008

BGP Lab


Hi all,
I started studying for the CCIP certification; 642-661 BGP is the next goal, so yesterday I built a lab to practice "Configure basic BGP":





Finally a protocol that is supported by all my lab equipment! ;-)
Here are some configuration principles I used:
-loopbacks for the iBGP neighbors, and an IGP with redistribution of connected interfaces and passive-interface default
-for the different BGP ASs I used private addressing (RFC 1918 ;-) with several overlapping networks, because IGP routes aren't propagated between ASs.

-AS 64512, called "The Internet", is the main injection point; here I used random prefixes. Initially I injected about 20000 prefixes copied from a real route server, but my old 3550 had trouble saving such a big configuration: NVRAM doesn't have enough space ;-(

Now the lab is ready for transit/non-transit configuration, prefix lists, aggregation and so on... I will try each feature and post a small portion of the configuration using this topology.

Some tasks to solve for this lab:

1) Configure CustomerA (AS 65400) to use the CON15 <-> CON4 link only as a backup for both directions (in/out), using weight and AS-path prepending

Here is part of the CON15 configuration:
CON15# sh run | beg router bgp
router bgp 65400
no synchronization
bgp log-neighbor-changes
neighbor 10.0.3.1 remote-as 65002
neighbor 10.0.3.1 description CON3 (AS65002)
neighbor 10.0.3.1 update-source FastEthernet0/1
neighbor 10.0.3.1 route-map BACKUP-LINK-in in !-- for inbound routes I set weight = 1000, so this neighbor is preferred for outbound traffic
neighbor 10.0.3.5 remote-as 65002
neighbor 10.0.3.5 description CON4 (AS65002)
neighbor 10.0.3.5 update-source FastEthernet0/0.3
neighbor 10.0.3.5 route-map BACKUP-LINK-out out !-- for outbound routes I prepend 65400 three times to the AS path, so the provider uses the main link for incoming traffic
neighbor 172.31.0.16 remote-as 65400
neighbor 172.31.0.16 description CON16
neighbor 172.31.0.16 update-source Loopback8
no auto-summary
!
route-map BACKUP-LINK-in permit 100
set weight 1000
!
route-map BACKUP-LINK-out permit 100
set as-path prepend 65400 65400 65400

The result, after a clear ip bgp on both neighbors, is:

CON4#sh ip bgp
BGP table version is 66, local router ID is 192.168.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* 16.17.19.0/24 10.0.3.6 0 65400 65400 65400 65400 i
*>i 10.0.3.2 0 100 0 65400 i
* 130.25.16.0/20 10.0.3.6 0 65400 65400 65400 65400 i
*>i 10.0.3.2 0 100 0 65400 i

and:
CON15# sh ip bgp
BGP table version is 97, local router ID is 10.0.4.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* 16.17.18.0/24 10.0.3.5 0 65002 65300 i
*> 10.0.3.1 1000 65002 65300 i
*>i16.17.19.0/24 172.31.0.16 0 100 0 i
* 130.20.0.0 10.0.3.5 0 65002 65200 64512 i
*> 10.0.3.1 1000 65002 65200 64512 i
r>i130.25.16.0/20 172.31.0.16 0 100 0 i
* 130.25.32.0/20 10.0.3.5 0 65002 65300 i
*> 10.0.3.1 1000 65002 65300 i
* 140.24.0.0/13 10.0.3.5 0 65002 65200 64512 i
*> 10.0.3.1 1000 65002 65200 64512 i
* 140.30.0.0 10.0.3.5 0 0 65002 i
*> 10.0.3.1 0 1000 65002 i
* 150.15.5.0/24 10.0.3.5 0 65002 65200 64512 i
*> 10.0.3.1 1000 65002 65200 64512 i
*> 150.15.10.0/24 10.0.3.5 0 65002 ?
*> 150.15.15.0/24 10.0.3.5 0 65002 ?
CON15#
OK, now AS 65400 and AS 65002 use the CON15-CON3 link as the preferred path.


2) Configure CON3 and CON4 to accept updates only for the customer's assigned prefixes (to protect against customer mistakes) using prefix-lists

On both CON3 and CON4 I configured two prefix lists and applied them inbound on the customer neighbors, as follows:
CON3#sh run | beg router bgp
router bgp 65002
no synchronization
bgp log-neighbor-changes
aggregate-address 140.30.0.0 255.255.0.0 summary-only
neighbor 10.0.3.2 remote-as 65400
neighbor 10.0.3.2 description CON15 CustA
neighbor 10.0.3.2 update-source Vlan2
neighbor 10.0.3.2 prefix-list CustA in
neighbor 10.0.4.2 remote-as 65300
neighbor 10.0.4.2 description CON6 CustB
neighbor 10.0.4.2 update-source Vlan4
neighbor 10.0.4.2 prefix-list CustB in
neighbor 172.18.0.2 remote-as 65002
neighbor 172.18.0.2 update-source Loopback1
neighbor 172.18.0.3 remote-as 65002
neighbor 172.18.0.3 update-source Loopback1
no auto-summary
!
ip prefix-list CustA seq 100 permit 130.25.16.0/20
ip prefix-list CustA seq 200 permit 16.17.19.0/24
!
ip prefix-list CustB seq 100 permit 130.25.32.0/20
ip prefix-list CustB seq 200 permit 16.17.18.0/24


3) Configure CustomerB (AS 65300) as non-transit using AS-path filter lists

To accomplish this task I simply used a single AS-path access-list: on CON6 I applied it through route-maps, on CON10 with filter-list directly on the neighbor.

CON6#sh run | beg router bgp
router bgp 65300
no synchronization
bgp log-neighbor-changes
neighbor 10.0.4.1 remote-as 65002
neighbor 10.0.4.1 description CON3 (AS65002)
neighbor 10.0.4.1 update-source FastEthernet0/0
neighbor 10.0.4.1 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
neighbor 10.0.4.5 remote-as 65002
neighbor 10.0.4.5 description CON4 (AS65002)
neighbor 10.0.4.5 update-source FastEthernet0/1
neighbor 10.0.4.5 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
neighbor 10.25.5.9 remote-as 65300
neighbor 10.25.5.9 description Neighbor CON9
neighbor 10.25.5.9 update-source Loopback5
neighbor 10.25.5.10 remote-as 65300
neighbor 10.25.5.10 description Neighbor CON10
neighbor 10.25.5.10 update-source Loopback5
neighbor 172.17.5.17 remote-as 65100
neighbor 172.17.5.17 description SP2 CON13
neighbor 172.17.5.17 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
no auto-summary
!
ip as-path access-list 1 permit ^$
!
route-map ALLOW-LOCALLY-ORIGINATED_ONLY permit 10
match as-path 1

and on CON10:

CON10#sh run | beg router bgp
router bgp 65300
no synchronization
bgp log-neighbor-changes
neighbor 10.25.5.6 remote-as 65300
neighbor 10.25.5.6 description Neighbor CON6
neighbor 10.25.5.6 update-source Loopback5
neighbor 10.25.5.9 remote-as 65300
neighbor 10.25.5.9 description Neighbor CON9
neighbor 10.25.5.9 update-source Loopback5
neighbor 192.168.23.1 remote-as 65200
neighbor 192.168.23.1 description Neighbor with SP1
neighbor 192.168.23.1 filter-list 1 out
no auto-summary
!
ip as-path access-list 1 permit ^$
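As an added check (example code of mine, not from the post), here is a Python evaluator for the inbound prefix-lists of task 2 and the `^$` AS-path access-list of task 3. It reproduces IOS first-match and implicit-deny semantics so a policy can be tested offline against what a customer might announce, including more-specifics and prefixes that belong to somebody else; the candidate announcements are constructed.

```python
"""Offline evaluation of IOS 'ip prefix-list' and 'ip as-path access-list'
policies, with first-match and implicit-deny semantics. The policies are the
CustA/CustB prefix lists and as-path access-list 1 quoted above; the candidate
announcements are constructed test data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    permit: bool
    network: IPv4Net
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, pfx: IPv4Net) -> bool:
        # The candidate must lie inside the entry's network...
        if not pfx.subnet_of(self.network):
            return False
        # ...and its length must satisfy ge/le; without either, only an
        # exact length match counts (so a /24 does not match a /20 entry).
        if self.ge is None and self.le is None:
            return pfx.prefixlen == self.network.prefixlen
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else 32
        return low <= pfx.prefixlen <= high


PREFIX_LINE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")


def parse_prefix_list(config: str, name: str) -> List[PrefixEntry]:
    """Collect the entries of one named prefix-list from IOS config text."""
    entries = []
    for line in config.splitlines():
        m = PREFIX_LINE.match(line.strip())
        if m and m.group(1) == name:
            entries.append(PrefixEntry(int(m.group(2)), m.group(3) == "permit",
                                       ipaddress.ip_network(m.group(4)),
                                       int(m.group(5)) if m.group(5) else None,
                                       int(m.group(6)) if m.group(6) else None))
    return sorted(entries, key=lambda e: e.seq)   # IOS evaluates in seq order


def prefix_list_permits(entries: List[PrefixEntry], prefix: str) -> bool:
    pfx = ipaddress.ip_network(prefix)
    for e in entries:
        if e.matches(pfx):
            return e.permit          # first match wins
    return False                     # implicit deny at the end of every list


def ios_regex(expr: str) -> "re.Pattern[str]":
    """IOS AS-path regex: '_' is a delimiter (start/end, space, comma, braces, parens)."""
    return re.compile(expr.replace("_", r"(?:^|$|[ ,{}()])"))


def as_path_permits(acl: List[Tuple[bool, str]], as_path: List[int]) -> bool:
    """acl entries are (permit, regex) in configured order; '' is the empty path."""
    text = " ".join(str(asn) for asn in as_path)
    for permit, expr in acl:
        if ios_regex(expr).search(text):
            return permit
    return False


# The provider-side policy of task 2 (CON3), as quoted above.
CON3_CONFIG = """
ip prefix-list CustA seq 100 permit 130.25.16.0/20
ip prefix-list CustA seq 200 permit 16.17.19.0/24
!
ip prefix-list CustB seq 100 permit 130.25.32.0/20
ip prefix-list CustB seq 200 permit 16.17.18.0/24
"""
CUST_A = parse_prefix_list(CON3_CONFIG, "CustA")

# Task 3: only locally originated routes (empty AS_PATH) leave AS 65300.
NON_TRANSIT_ACL = [(True, "^$")]


def accepted_from_cust_a(announced: List[str]) -> List[str]:
    """What CON3 installs from CustA out of a constructed set of announcements."""
    return [p for p in announced if prefix_list_permits(CUST_A, p)]


if __name__ == "__main__":
    # Constructed: CustA's own prefixes plus a more-specific, CustB's block
    # and a default route, the kind of thing a misconfigured customer leaks.
    print(accepted_from_cust_a(["130.25.16.0/20", "16.17.19.0/24", "130.25.16.0/24",
                                "130.25.32.0/20", "0.0.0.0/0"]))
    for path in ([], [65002, 65300], [65100]):
        print(path, "->", "permit" if as_path_permits(NON_TRANSIT_ACL, path) else "deny")
```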


4) Configure CustomerB (AS 65300) to use the CON6 <-> CON13 link as the preferred path for both directions, using MED and local preference.

Here MED alone is insufficient, because the MED attribute is not propagated beyond the first AS that receives it: if I set MED on CON6 for the prefixes sent to CON13, only AS 65100 receives it. When the same prefixes reach AS 65002 through CON8, the MED value has been removed.
So I have to use something like this:

CON6#sh run | beg router bgp
router bgp 65300
no synchronization
bgp log-neighbor-changes
neighbor 10.0.4.1 remote-as 65002
neighbor 10.0.4.1 description CON3 (AS65002)
neighbor 10.0.4.1 update-source FastEthernet0/0
neighbor 10.0.4.1 route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND out
neighbor 10.0.4.5 remote-as 65002
neighbor 10.0.4.5 description CON4 (AS65002)
neighbor 10.0.4.5 update-source FastEthernet0/1
neighbor 10.0.4.5 route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND out
neighbor 10.25.5.9 remote-as 65300
neighbor 10.25.5.9 description Neighbor CON9
neighbor 10.25.5.9 update-source Loopback5
neighbor 10.25.5.10 remote-as 65300
neighbor 10.25.5.10 description Neighbor CON10
neighbor 10.25.5.10 update-source Loopback5
neighbor 172.17.5.17 remote-as 65100
neighbor 172.17.5.17 description SP2 CON13
neighbor 172.17.5.17 route-map Local-Pref-1000 in
neighbor 172.17.5.17 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
no auto-summary
!
ip as-path access-list 1 permit ^$
!
route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND permit 100
match as-path 1
set metric 100
set as-path prepend 65300 65300
!
route-map ALLOW-LOCALLY-ORIGINATED_ONLY permit 10
match as-path 1
!
route-map Local-Pref-1000 permit 100
set local-preference 1000
(Similar config on CON10.)
With this configuration I set MED and AS-path prepending on the backup links (highest MED = worst path) and allowed only locally originated prefixes, as specified in task 3.
This means that MED is the right tool to tell your neighbors which link you prefer, but it only works well if those neighbors are in the same AS.
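The best-path logic behind tasks 1 and 4, as an added Python model (mine, not from the post): a Cisco-order comparison of weight, local preference, AS-path length, origin, MED (only between paths from the same neighbouring AS) and eBGP-over-iBGP, plus what an eBGP neighbour actually receives when a route is passed on (our AS prepended, MED dropped). The paths are constructed from the `sh ip bgp` outputs above; IGP-metric and router-id tie-breakers and Cisco's deterministic-MED grouping are left out.

```python
"""Cisco-order BGP best-path comparison, reduced to the attributes tasks 1 and
4 manipulate, plus what happens to those attributes on an eBGP hop. Added
model; the paths are constructed from the 'sh ip bgp' output quoted above."""
from dataclasses import dataclass, replace
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}          # IGP < EGP < incomplete


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: List[int]            # leftmost entry = neighbouring AS
    weight: int = 0               # Cisco-local, never sent to any neighbour
    local_pref: int = 100         # carried inside one AS only
    med: Optional[int] = None     # absent MED counts as 0 (IOS default)
    origin: str = "i"
    ibgp: bool = False            # learned over an iBGP session

    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def better(a: Path, b: Path) -> bool:
    """True if `a` wins over `b` (Cisco selection order, truncated)."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED is compared only between paths from the same neighbouring AS
    if a.neighbor_as() == b.neighbor_as() and (a.med or 0) != (b.med or 0):
        return (a.med or 0) < (b.med or 0)
    if a.ibgp != b.ibgp:
        return not a.ibgp             # eBGP-learned beats iBGP-learned
    return False                      # IGP-metric / router-id tie-breakers omitted


def best_path(paths: List[Path]) -> Path:
    best = paths[0]
    for p in paths[1:]:
        if better(p, best):
            best = p
    return best


def send_ebgp(p: Path, local_as: int, prepend: int = 0,
              set_med: Optional[int] = None, next_hop: str = "self") -> Path:
    """The route as an eBGP neighbour receives it: our AS (plus `prepend` extra
    copies) in front of AS_PATH, MED only if we set one ourselves, weight and
    local-preference gone, because none of those crosses an eBGP session."""
    return Path(p.prefix, next_hop, [local_as] * (1 + prepend) + p.as_path,
                weight=0, local_pref=100, med=set_med, origin=p.origin, ibgp=False)


def task1_con15() -> Path:
    """CON15: identical AS paths via CON4 and CON3; weight 1000 (BACKUP-LINK-in) decides."""
    return best_path([Path("16.17.18.0/24", "10.0.3.5", [65002, 65300]),
                      Path("16.17.18.0/24", "10.0.3.1", [65002, 65300], weight=1000)])


def task1_con4() -> Path:
    """CON4: the 3x-prepended eBGP path loses to the shorter iBGP path via CON3,
    because AS-path length is compared before eBGP-vs-iBGP."""
    return best_path([Path("16.17.19.0/24", "10.0.3.6", [65400] * 4),
                      Path("16.17.19.0/24", "10.0.3.2", [65400], ibgp=True)])


def task4_as65002(prepend: int) -> Path:
    """CON6 sends 130.25.32.0/20 to CON3 with MED 100 plus `prepend` extra 65300s,
    and to CON13 (AS 65100) untouched; CON13 passes it to CON8 in AS 65002 over
    eBGP, which drops the MED. Returns what a router in AS 65002 prefers."""
    origin = Path("130.25.32.0/20", "CON6", [])               # originated in AS 65300
    via_con6 = send_ebgp(origin, 65300, prepend, set_med=100, next_hop="10.0.4.2")
    at_con13 = send_ebgp(origin, 65300, next_hop="CON6")
    via_con8 = replace(send_ebgp(at_con13, 65100, next_hop="CON8"), ibgp=True)
    return best_path([via_con6, via_con8])


if __name__ == "__main__":
    print("task 1, CON15 best via", task1_con15().next_hop)     # 10.0.3.1
    print("task 1, CON4  best via", task1_con4().next_hop)      # 10.0.3.2
    for n in (0, 2):
        print(f"task 4, prepend={n}: AS 65002 prefers", task4_as65002(n).next_hop)
```

With `prepend=0` the direct CON6 path still wins in AS 65002 despite its MED of 100, because the MED never arrives on the CON13 side and the shorter AS path decides; with `prepend=2` the path through AS 65100 wins, which is why the route-map sets both.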


Thursday, October 16, 2008

Wism mobility configuration

Today we experienced some Wireless LAN Controller issues: we have a Wism module with 2 controllers and an external web authentication page.
Several users had trouble with web auth: after entering the correct password they were not redirected to the page they had requested, but always returned to the web auth page, without any error message.

So I tried with my own PC and saw that our Wism "A" wasn't working properly.

Under "Management" - "Logs" we saw a lot of messages like these:
Oct 16 10:30:28.991 iapp_socket_task.c:580 IAPP-3-MSGTAG015: iappSocketTask: iappRecvPkt returned error
Oct 16 10:30:17.563 pem_api.c:5669 PEM-1-MSGTAG051: Unable to allow user [username was here] into the system - perhaps the useris already logged onto the system?
Well, I looked at the "Monitor" page of Wism A:
System Name WiSM-WLC-A
Up Time 371 days, 21 hours, 58 minutes
Internal Temperature +36 C
Lol! 371 days is enough... time to reboot it ;-) (old style!)
(note the +36°C internal temperature... a new cooling system for the network and datacenter room, please!)

So I made a configuration backup and proceeded to reboot the controller.

I noted that:
-all access points with a secondary controller configured registered correctly to the other WLC (our Wism B) within a minute
-the access points without a secondary controller configured had to "wait" for Wism A
-when all controllers were up again, the APs stayed registered on Wism B, so I noticed that our installer (not me ;-)) hadn't configured both controllers correctly for mobility.



Above we can see Wism A, just rebooted, with few APs registered



And Wism B well loaded ;-)

I read Document ID: 69639 "WLAN Controller Failover for Lightweight Access Points Configuration Example" to check the configuration of the mobility features...

...and saw that a mobility group is configured on our Wism, but during the installation nobody configured the members of the mobility group, so each controller saw only itself as a mobility group member...

After proper configuration, with the "AP Fallback" option enabled, the APs don't move from one controller to the other until a Wism fails or the APs are manually reset.
It's a good idea to read this document's note about primary, secondary and tertiary AP controllers:
Note: Define only system names under the primary, secondary, and tertiary controller name fields. Do not enter the IP address or the MAC address of the controller in these fields.
We had IP addresses configured, and registration after an AP reset took about 30-45 sec... I tried with the controller name, and it takes 10-15 sec!

Well, this means that someone has to read this document too:
Document ID: 82463 Wireless LAN Controller (WLC) Configuration Best Practices

Thursday, October 2, 2008

MPLS VPN Lab

After a little break, used to complete my last CCNP exam, I'm back with another lab...
Now playing with MPLS VPN!

First, read Reggie Nolasco's document "Understanding How Routes are propagated in an MPLS VPN"

Then I built a sample topology like this:




Here we have a service provider (SP) with 3 points of presence (CON6, CON7, CON8) and two different customers.

Service Provider:
-runs OSPF and MBGP AS 65535
-uses VpnV4 to connect customers

Customer1:

-uses EIGRP AS 12

Customer2:
-uses OSPF Area0

Obviously the customers have overlapping RFC 1918 networks...


Here are my configurations for the SP:
CON6:


!
hostname CON6
!
ip cef
!
ip vrf CUSTOMER1
rd 120:12
route-target export 12:120
route-target import 12:120
!
ip vrf CUSTOMER2
rd 500:20
route-target export 20:500
route-target import 20:500
!
interface Loopback0
description iBGP Peering interface internal to SP domain
ip address 192.168.0.6 255.255.255.255
!
interface FastEthernet0/0
description Link to SP-CON7
ip address 172.17.0.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TEST-SP
ip ospf network point-to-point
ip ospf hello-interval 3
duplex auto
speed auto
mpls ip
!
interface FastEthernet0/1
description Link to CUSTOMER1 (CON14)
ip vrf forwarding CUSTOMER1
ip address 172.31.0.9 255.255.255.252
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
description Link to CUSTOMER2 (CON13) - VLAN5
switchport access vlan 5
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
interface Vlan5
description Link to CUSTOMER2 vlan5 - fa 0/0/2
ip vrf forwarding CUSTOMER2
ip address 172.31.0.13 255.255.255.252
!
router eigrp 120
auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 65535 metric 10000 100 255 1 1500
network 172.31.0.0
no auto-summary
autonomous-system 12
exit-address-family
!
router ospf 2 vrf CUSTOMER2
log-adjacency-changes
redistribute bgp 65535 subnets
network 172.31.0.13 0.0.0.0 area 0
!
router ospf 1
router-id 192.168.0.6
log-adjacency-changes
area 0 authentication message-digest
network 172.17.0.2 0.0.0.0 area 0
network 192.168.0.6 0.0.0.0 area 0
!
router bgp 65535
no synchronization
bgp log-neighbor-changes
neighbor 192.168.0.7 remote-as 65535
neighbor 192.168.0.7 update-source Loopback0
neighbor 192.168.0.8 remote-as 65535
neighbor 192.168.0.8 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 192.168.0.7 activate
neighbor 192.168.0.7 send-community both
neighbor 192.168.0.8 activate
neighbor 192.168.0.8 send-community both
exit-address-family
!
address-family ipv4 vrf CUSTOMER2
redistribute ospf 2 vrf CUSTOMER2
no synchronization
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 12
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0 force
!



CON7:


!
hostname CON7
!
ip cef
!
ip vrf CUSTOMER1
rd 120:12
route-target export 12:120
route-target import 12:120
!
interface Loopback0
description iBGP Peering interface internal to SP domain
ip address 192.168.0.7 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/1
ip address 172.17.0.1 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TEST-SP
ip ospf network point-to-point
ip ospf hello-interval 3
duplex full
speed 100
mpls ip
!
interface Serial0/0/0
no ip address
no fair-queue
!
interface Serial0/0/1
no ip address
clock rate 2000000
!
interface Serial0/1/0
no ip address
fair-queue
!
interface Serial0/1/1
no ip address
!
interface Serial0/2/0
ip address 172.17.0.5 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TEST-SP
ip ospf hello-interval 3
mpls ip
!
interface Serial0/2/1
ip vrf forwarding CUSTOMER1
ip address 172.31.0.1 255.255.255.252
!
interface Serial0/3/0
no ip address
fair-queue
!
interface Serial0/3/1
no ip address
!
router eigrp 120
auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 65535 metric 10000 100 255 1 1500
network 172.31.0.0
no auto-summary
autonomous-system 12
exit-address-family
!
router ospf 1
router-id 192.168.0.7
log-adjacency-changes
area 0 authentication message-digest
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface Serial0/2/0
network 172.17.0.1 0.0.0.0 area 0
network 172.17.0.5 0.0.0.0 area 0
network 192.168.0.7 0.0.0.0 area 0
!
router bgp 65535
no synchronization
bgp log-neighbor-changes
neighbor 192.168.0.6 remote-as 65535
neighbor 192.168.0.6 update-source Loopback0
neighbor 192.168.0.8 remote-as 65535
neighbor 192.168.0.8 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 192.168.0.6 activate
neighbor 192.168.0.6 send-community both
neighbor 192.168.0.8 activate
neighbor 192.168.0.8 send-community both
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 12
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0 force
!




CON8:


!
hostname CON8
!
ip cef
!
ip vrf CUSTOMER1
rd 120:12
route-target export 12:120
route-target import 12:120
!
ip vrf CUSTOMER2
rd 500:20
route-target export 20:500
route-target import 20:500
!
interface Loopback0
description iBGP Peering interface internal to SP domain
ip address 192.168.0.8 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding CUSTOMER1
ip address 172.31.0.17 255.255.255.252
duplex full
speed 100
!
interface FastEthernet0/1
ip vrf forwarding CUSTOMER2
ip address 172.31.0.5 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.17.0.6 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TEST-SP
ip ospf hello-interval 3
mpls ip
no fair-queue
clock rate 2000000
!
router eigrp 120
auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 65535 metric 10000 100 255 1 1500
network 172.31.0.0
no auto-summary
autonomous-system 12
exit-address-family
!
router ospf 2 vrf CUSTOMER2
log-adjacency-changes
redistribute bgp 65535 subnets
network 172.31.0.5 0.0.0.0 area 0
!
router ospf 1
router-id 192.168.0.8
log-adjacency-changes
area 0 authentication message-digest
passive-interface default
no passive-interface Serial0/0/0
network 172.17.0.6 0.0.0.0 area 0
network 192.168.0.8 0.0.0.0 area 0
!
router bgp 65535
no synchronization
bgp log-neighbor-changes
neighbor 192.168.0.6 remote-as 65535
neighbor 192.168.0.6 update-source Loopback0
neighbor 192.168.0.7 remote-as 65535
neighbor 192.168.0.7 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 192.168.0.6 activate
neighbor 192.168.0.6 send-community both
neighbor 192.168.0.7 activate
neighbor 192.168.0.7 send-community both
exit-address-family
!
address-family ipv4 vrf CUSTOMER2
redistribute ospf 2 vrf CUSTOMER2
no synchronization
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 12
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0 force
!



The customer configurations are really simple; they have nothing special, just something like this:
-for Customer 1 (eigrp 12)

router eigrp 12
network 172.31.0.0
network 192.168.2.0
no auto-summary
-for Customer 2 (ospf area 0)
router ospf 1
log-adjacency-changes
network 172.31.0.14 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 0
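As an added Python model (mine, not the post's), here is how the RD keeps the customers' overlapping 192.168.2.x prefixes apart in the VPNv4 table and how the route-target import decides which VRF receives which routes. The RD/RT values come from the CON6/CON7/CON8 configs above, the customer prefixes are constructed, and labels, next-hop resolution and iBGP propagation are left out; it also shows the leak that a wrong `route-target import` would cause.

```python
"""VPNv4 route distinguishers and route-target import/export, modelled on the
CUSTOMER1/CUSTOMER2 VRFs configured on the PEs above. Labels and MP-BGP
transport are omitted; the customer prefixes are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str                     # route distinguisher, makes the NLRI unique
    export_rt: FrozenSet[str]   # extended communities attached on export
    import_rt: FrozenSet[str]   # any overlap with a route's RTs imports it


@dataclass(frozen=True)
class VpnV4Route:
    rd: str
    prefix: str
    next_hop: str               # originating PE loopback
    rts: FrozenSet[str]

    def nlri(self) -> str:
        return f"{self.rd}:{self.prefix}"   # what MP-BGP actually keys on


CUSTOMER1 = Vrf("CUSTOMER1", "120:12", frozenset({"12:120"}), frozenset({"12:120"}))
CUSTOMER2 = Vrf("CUSTOMER2", "500:20", frozenset({"20:500"}), frozenset({"20:500"}))


def export_routes(pe: str, vrf: Vrf, prefixes: List[str]) -> List[VpnV4Route]:
    """PE side: IPv4 routes from the VRF become VPNv4 routes with RD and export RTs."""
    return [VpnV4Route(vrf.rd, p, pe, vrf.export_rt) for p in prefixes]


def vpnv4_table(routes: List[VpnV4Route]) -> Dict[str, VpnV4Route]:
    """The global VPNv4 table: overlapping IPv4 prefixes coexist thanks to the RD."""
    return {r.nlri(): r for r in routes}


def import_into(vrf: Vrf, table: Dict[str, VpnV4Route]) -> Dict[str, str]:
    """Receiving PE: the VRF's IPv4 table (prefix -> next hop) after RT import."""
    return {r.prefix: r.next_hop for r in table.values() if r.rts & vrf.import_rt}


def lab() -> Tuple[Dict[str, VpnV4Route], Dict[str, str], Dict[str, str]]:
    # Constructed: CUSTOMER1 sites hang off CON7 and CON8, CUSTOMER2 off CON6.
    # Both customers use 192.168.2.0/24 inside their own RFC 1918 space.
    routes = (export_routes("192.168.0.7", CUSTOMER1, ["192.168.2.0/24", "172.31.0.0/30"])
              + export_routes("192.168.0.8", CUSTOMER1, ["172.31.0.16/30"])
              + export_routes("192.168.0.6", CUSTOMER2, ["192.168.2.0/24", "172.31.0.12/30"]))
    table = vpnv4_table(routes)
    return table, import_into(CUSTOMER1, table), import_into(CUSTOMER2, table)


def leaked_by_misconfig() -> Dict[str, str]:
    """What CUSTOMER2 would see on a PE whose VRF imports CUSTOMER1's RT by mistake:
    the other customer's routes land in its table, and the two 192.168.2.0/24
    routes now compete for one entry, because the VRF table is plain IPv4 without the RD."""
    wrong = Vrf("CUSTOMER2", "500:20", CUSTOMER2.export_rt, frozenset({"20:500", "12:120"}))
    table, _, _ = lab()
    return import_into(wrong, table)


if __name__ == "__main__":
    table, c1, c2 = lab()
    print("VPNv4 table:", sorted(table))
    print("CUSTOMER1 VRF:", c1)
    print("CUSTOMER2 VRF:", c2)
    print("CUSTOMER2 VRF with wrong import RT:", leaked_by_misconfig())
```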

Note that on SP router CON6 we see the following routing protocols:
CON6#sh ip protocols
Routing Protocol is "eigrp 120"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 120
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170

Routing Protocol is "bgp 65535"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
192.168.0.7
192.168.0.8
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
Distance: external 20 internal 200 local 200

Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.0.6
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
172.17.0.2 0.0.0.0 area 0
192.168.0.6 0.0.0.0 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
192.168.0.8 110 01:14:20
192.168.0.7 110 01:14:20
Distance: (default is 110)

CON6#

OSPF process 2 is bound to vrf CUSTOMER2, so it is not visible here... but we can see it with:
CON6#sh ip protocols vrf CUSTOMER2
Routing Protocol is "bgp 65535"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Redistributing: ospf 2
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
192.168.0.8 200 01:15:52
Distance: external 20 internal 200 local 200

Routing Protocol is "ospf 2"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 172.31.0.13
It is an area border and autonomous system boundary router
Redistributing External Routes from,
bgp 65535, includes subnets in redistribution
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
172.31.0.13 0.0.0.0 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
13.13.13.13 110 01:15:47
Distance: (default is 110)

CON6#

From Customer2's perspective the MP-BGP learned routes appear as inter-area routes ("O IA"), although all Customer2 networks are declared in area 0:


CON10#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.31.0.0/30 is subnetted, 2 subnets
C 172.31.0.4 is directly connected, FastEthernet0/0
O IA 172.31.0.12 [110/2] via 172.31.0.5, 01:17:08, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback1
192.168.2.0/32 is subnetted, 1 subnets
O IA 192.168.2.1 [110/3] via 172.31.0.5, 01:16:51, FastEthernet0/0
CON10#
CON10#sh ip ospf database

OSPF Router with ID (10.10.10.10) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.10.10.10 10.10.10.10 662 0x80000004 0x00C2FD 2
172.31.0.5 172.31.0.5 745 0x80000005 0x006286 1

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
172.31.0.5 172.31.0.5 745 0x80000003 0x00CDD2

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
172.31.0.12 172.31.0.5 745 0x80000003 0x001AF9
192.168.2.1 172.31.0.5 745 0x80000003 0x001764
CON10#

Wednesday, September 17, 2008

ISCW Lab (and BSCI review)

NOTE: this is an ISCW lab only; it uses a basic MPLS setup. I agree that a real ISP would implement MPLS VPNs instead of routing the customers' prefixes directly...

Well:
A new lab to practise ISCW topics; thanks to Luca Moretti for participating.


Here the topology:




Scenario:
Acme Gmbh is a trading company with a central office named "Hannover" (CON6 and CON7) and two branches (CON8 = branch "Bergamo" and CON11+CON1 = branch "Trento").
The connection between Hannover and Trento is a FastEthernet link through an ISP named "Majico Connecting World" ;-) (CON2 + CON3 + CON4), with a redundant E1 (serial link) as backup.

Goal of this lab:
-configure routing between branches and provider (see topology map); the backup serial link between Hannover and Trento is a leased line, it is expensive and billed by traffic, so be careful and use the ISP as the preferred route!
-do not redistribute the ISP's internal routes to the customers; generate a default route for each office with BGP instead
-loopbacks represent the office LANs and have to be routed with the correct netmask
-configure basic MPLS on the ISP routers
-configure various tunnels to secure the branch connections

...more tasks and configurations as soon as possible...

-(optional ONT refresh) configure QoS using NBAR on the link between CON7 and CON8 (both directions); assign appropriate bandwidth values to the VoIP, SQL, default and scavenger (p2p, kazaa...) classes. The CON8 (Trento) office has 15 Cisco 7940 IP phones using the G.729 codec.
-(optional ONT refresh 2) configure QoS on CON11 to minimize the bandwidth wasted by peer-to-peer traffic

Solution config parts:

1) routing:

CON11#
router ospf 1
router-id 172.16.99.11
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface Tunnel0
network 172.17.1.2 0.0.0.0 area 15
network 192.168.0.0 0.0.0.3 area 15 !-- this network is used for the tunnel
!
router bgp 64815
no synchronization
bgp log-neighbor-changes
redistribute ospf 1 match internal
neighbor 172.16.0.22 remote-as 65000
neighbor 172.17.1.1 remote-as 64815
neighbor 172.17.1.1 next-hop-self !-- next-hop-self towards CON1, because CON1 has no route to the link between CON11 and CON2
no auto-summary

One of the most difficult tasks was using the ISP between CON7 and CON8 instead of the backup serial link... because CON7 and CON8 use the same BGP AS ...

CON8#
router bgp 64814
no synchronization
bgp log-neighbor-changes
redistribute ospf 1
neighbor 172.16.0.1 remote-as 65000
neighbor 172.16.0.1 allowas-in 1 !-- accept prefixes that carry our own AS (64814) in the AS_PATH; the number is how many times it may appear (1 here)
neighbor 172.16.0.1 route-map LAN-via-ISP in !-- route-map that sets the weight
neighbor 172.17.1.6 remote-as 64814
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended LAN-CON7 !-- matches the internal LANs of CON7 and CON6
permit ip 10.2.0.0 0.0.0.255 any
permit ip 10.3.0.0 0.0.0.255 any
!
!
route-map LAN-via-ISP permit 10
match ip address LAN-CON7
set weight 35500 !-- locally originated (redistributed) routes get weight 32768; 35500 is higher, so the path via the ISP wins the BGP best-path comparison and gets installed in the routing table


Do the same on CON7, changing only the access-list prefixes (and the BGP neighbour).
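As an added example (not part of the original lab), here is CON8's inbound decision for one of CON7's LANs modelled in Python: the allowas-in loop check, the weight set by the LAN-via-ISP route-map against the 32768 that IOS gives to locally redistributed prefixes, and the administrative-distance comparison that decides whether the BGP path or the OSPF path over the serial backup goes into the RIB. The AS numbers, weights and ACL prefixes are the ones from the config above; the received AS_PATH and the neighbour labels are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values from the lab: CON8 sits in AS 64814, peers with the ISP in AS 65000,
# and CON7 (also AS 64814) is reached through the ISP. Weights/ADs are IOS defaults.
LOCAL_AS = 64814
ISP_AS = 65000
LOCAL_ORIGIN_WEIGHT = 32768   # weight IOS assigns to locally originated/redistributed paths
EBGP_DEFAULT_WEIGHT = 0       # weight of a path learned from a neighbour
AD = {"ebgp": 20, "ospf": 110, "local-bgp": 200}   # IOS administrative distances

# ACL LAN-CON7 as prefixes (wildcard 0.0.0.255 == /24)
LAN_CON7 = [ipaddress.ip_network("10.2.0.0/24"), ipaddress.ip_network("10.3.0.0/24")]


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple      # AS_PATH as received, leftmost = nearest neighbour
    source: str         # "ebgp" or "local" (redistribute ospf 1)
    via: str            # label only: neighbour or origin
    weight: int = 0


def allowas_in_accepts(as_path, local_as, allowed):
    """IOS loop check: an update whose AS_PATH contains our own AS is dropped,
    unless 'neighbor X allowas-in N' allows up to N occurrences."""
    return as_path.count(local_as) <= allowed


def inbound_policy(path, allowas_in=0):
    """What CON8 applies on the ISP session: allowas-in, then the LAN-via-ISP
    route-map that sets weight 35500 on CON7's LANs. Returns None if dropped."""
    if path.source == "ebgp" and not allowas_in_accepts(path.as_path, LOCAL_AS, allowas_in):
        return None                                   # own AS in AS_PATH: loop
    net = ipaddress.ip_network(path.prefix)
    if path.source == "ebgp" and any(net.subnet_of(lan) for lan in LAN_CON7):
        return replace(path, weight=35500)            # route-map LAN-via-ISP
    return path


def best_path(paths):
    """First decisive step of the IOS best-path algorithm: highest weight wins
    (a tie would continue with local-pref, locally originated, AS_PATH length, ...)."""
    paths = [p for p in paths if p is not None]
    return max(paths, key=lambda p: p.weight) if paths else None


def rib_winner(bgp_best, igp_source):
    """Between the BGP best path and the same prefix from the IGP, the RIB keeps the lower AD."""
    bgp_ad = AD["ebgp"] if bgp_best.source == "ebgp" else AD["local-bgp"]
    return "bgp" if bgp_ad < AD[igp_source] else igp_source


def con8_decision(allowas_in):
    """(best source, its weight, what the RIB installs) for 10.2.0.0/24 on CON8.
    Constructed inputs: the ISP's update carries AS_PATH 65000 64814 because the
    prefix originates in our own AS at CON7; the local copy comes from OSPF over the serial link."""
    from_isp = Path("10.2.0.0/24", (ISP_AS, LOCAL_AS), "ebgp", "172.16.0.1", EBGP_DEFAULT_WEIGHT)
    local = Path("10.2.0.0/24", (), "local", "redistribute ospf 1", LOCAL_ORIGIN_WEIGHT)
    best = best_path([inbound_policy(from_isp, allowas_in), local])
    return best.source, best.weight, rib_winner(best, "ospf")
```

Without allowas-in the ISP's update is discarded, the only BGP path left is the locally redistributed one with AD 200, and OSPF over the expensive serial link wins the RIB; with allowas-in 1 and the weight bump the eBGP path (AD 20) is installed, which is what the lab wants.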

Thursday, September 11, 2008

Configuring a Cisco Adsl router acting as PPTP CLIENT

At work we have a PPTP access server for remote dial-in users.
Why PPTP? Because it's very easy to configure for users and doesn't require any software installation on Windows PCs....

Well, at home it's a bit annoying for me to bring up the PPTP connection every time I need it and set up static routes on my PC... so I realized that my poor outdated Cisco 827 could maybe act as a PPTP client.

First I tried to find out how to configure it, but CLIENT configuration for PPTP is unusual; I only found this document: http://groups.google.com/group/comp.dcom.sys.cisco/msg/81d58c31469d558b
and a page about MPPE on the Cisco site (it was a "new feature" in IOS 12.0):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120xe/120xe5c/pptp.htm

Well, I tried it and it works, so I adapted it to my requirements:
  • use the normal ADSL as default route
  • use PPTP only to reach specified private/public networks of my workplace


The final config, with explanations, follows:



!
service internal !---> necessary to enable VPDN to allow a request-dialin group to be part of a rotary group or dialer pool.

!
no ip gratuitous-arps !---> recommended
!
vpdn enable
!
vpdn-group 2
request-dialin
protocol pptp !--> recent IOS releases may not have PPTP client support... try "protocol ?" to see what is available
rotary-group 2 !---> Lol! are we members of the Rotary Club now? ;-)) No, it's the dialer-group specification for VPDN..
initiate-to ip A.B.C.D !---> A.B.C.D is the IP of my PPTP access server
!
!
interface ATM0
no ip address
no ip mroute-cache
atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
description ADSL-side Dialer
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
ip inspect autosec_inspect out
encapsulation ppp
ip tcp adjust-mss 542
dialer pool 1
no cdp enable
ppp chap hostname yourhostname
ppp chap password yourpassword
!
interface Dialer2 !---> why Dialer2 and not 1... don't know, this time I like #2 ;-)
description PPTP-side Dialer
ip address negotiated
ip access-group 102 in
ip nat outside
encapsulation ppp
dialer in-band
dialer idle-timeout 0 !---> PPTP is slow to negotiate and start, so an infinite timeout is better... (this doesn't affect negotiation time, but once connected it keeps the dialer interface "always up" regardless of interesting traffic)
dialer string 123 !---> seems to be ignored, so... a meaningless string
dialer vpdn
dialer-group 2 !---> remember rotary? see dialer-list 2 below
no cdp enable
ppp pfc local forbid !---> do not perform protocol-field compression locally
ppp pfc remote reject !---> reject remote compression proposals
ppp encrypt mppe auto !---> MPPE = Micro$oft Point-to-Point Encryption (128 bit max). You MUST have a "k9" IOS image to perform encryption, as usual
ppp chap hostname your-pptp-username !---> use username@domain if your PPTP server is a Micro$oft ISA server; Alex Pronin found that domain\username isn't understood
ppp chap password your-pptp-password
!
ip nat inside source list 111 interface Dialer0 overload !---> NAT for the ADSL exit
ip nat inside source list 110 interface Dialer2 overload !---> NAT for the PPTP exit: your PPTP-assigned IP is shared by the whole private LAN
!
ip classless !---> recommended if you apply static routes correctly
ip route 0.0.0.0 0.0.0.0 Dialer0 !---> default route to ADSL
ip route 172.16.0.0 255.255.0.0 Dialer2 !---> some private routes through PPTP
ip route 172.17.0.0 255.255.0.0 Dialer2
ip route 172.18.0.0 255.255.0.0 Dialer2
ip route 192.168.206.0 255.255.255.0 Dialer2
ip route 192.168.236.0 255.255.255.0 Dialer2
ip route A.B.C.0 255.255.255.0 Dialer2 !---> if you want to route the public /24 of the PPTP access server through the PPTP (un)secure connection,
ip route A.B.C.D 255.255.255.255 Dialer0 !---> you must route the access server itself out via ADSL and the rest of the public /24 through PPTP (LONGEST PREFIX MATCH does the rest; otherwise the tunnel endpoint would be routed into its own tunnel ;-)
!
!
access-list 101 permit !---> Place your ADSL-side permit Here
access-list 101 deny ip any any
!
access-list 102 permit !---> Place your PPTP-side permit Here
access-list 102 deny ip any any
!
!---> ACL 110: used for PPTP NAT
access-list 110 deny ip any host A.B.C.D !----> no NAT towards your access server (maybe unnecessary, it leaves via Dialer0 anyway)
access-list 110 permit ip any A.B.C.0 0.0.0.255 !----> NAT for the rest of the access server's /24
access-list 110 permit ip any 192.168.206.0 0.0.0.255 !----> NAT for the networks statically routed through the PPTP tunnel
access-list 110 permit ip any 192.168.236.0 0.0.0.255
access-list 110 permit ip any 172.16.0.0 0.0.255.255
access-list 110 permit ip any 172.17.0.0 0.0.255.255
access-list 110 permit ip any 172.18.0.0 0.0.255.255
access-list 110 deny ip any any
!
!---> ACL 111: used for ADSL NAT
access-list 111 permit ip any host A.B.C.D !----> NAT towards your access server
access-list 111 deny ip any A.B.C.0 0.0.0.255 !----> no NAT for the rest of the access server's /24
access-list 111 deny ip any 192.168.206.0 0.0.0.255 !----> no NAT for the private networks statically routed through the tunnel
access-list 111 deny ip any 192.168.236.0 0.0.0.255
access-list 111 deny ip any 172.16.0.0 0.0.255.255
access-list 111 deny ip any 172.17.0.0 0.0.255.255
access-list 111 deny ip any 172.18.0.0 0.0.255.255
access-list 111 permit ip any any !----> everything else is translated out of the ADSL

dialer-list 2 protocol ip permit !<---- used to trigger the PPTP tunnel; it permits all traffic, ACL 110 then selects in more detail which flows are translated
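The routing and NAT rules above interlock: a destination's egress interface is chosen by longest prefix match, and the NAT list bound to that interface must cover it. As an added check (not part of the original post), the Python below models the static routes and the two NAT ACLs, with the placeholders A.B.C.D / A.B.C.0 replaced by the hypothetical TEST-NET-3 addresses 203.0.113.10 / 203.0.113.0/24; it shows why the /32 for the access server has to point at Dialer0, and flags any destination that would leave an interface whose NAT ACL does not translate it. Keep in mind that PPTP itself (MS-CHAP authentication and RC4-based MPPE) is not a protocol to trust for anything sensitive today; the "(un)secure" in the comments above is well deserved.

```python
import ipaddress

# Hypothetical stand-ins (TEST-NET-3, RFC 5737) for the page's placeholders:
# A.B.C.D, the PPTP access server, becomes 203.0.113.10; its /24 becomes 203.0.113.0/24.
ACCESS_SERVER = ipaddress.ip_address("203.0.113.10")

# The "ip route ..." lines of the config as (destination, egress interface).
STATIC_ROUTES = [
    ("0.0.0.0/0",        "Dialer0"),   # default route to ADSL
    ("172.16.0.0/16",    "Dialer2"),
    ("172.17.0.0/16",    "Dialer2"),
    ("172.18.0.0/16",    "Dialer2"),
    ("192.168.206.0/24", "Dialer2"),
    ("192.168.236.0/24", "Dialer2"),
    ("203.0.113.0/24",   "Dialer2"),   # whole public /24 through the tunnel ...
    ("203.0.113.10/32",  "Dialer0"),   # ... except the tunnel endpoint itself
]

# The NAT ACLs as ordered (action, destination) entries; the source is "any" throughout.
ACL_110 = [("deny", "203.0.113.10/32"), ("permit", "203.0.113.0/24"),
           ("permit", "192.168.206.0/24"), ("permit", "192.168.236.0/24"),
           ("permit", "172.16.0.0/16"), ("permit", "172.17.0.0/16"),
           ("permit", "172.18.0.0/16"), ("deny", "0.0.0.0/0")]
ACL_111 = [("permit", "203.0.113.10/32"), ("deny", "203.0.113.0/24"),
           ("deny", "192.168.206.0/24"), ("deny", "192.168.236.0/24"),
           ("deny", "172.16.0.0/16"), ("deny", "172.17.0.0/16"),
           ("deny", "172.18.0.0/16"), ("permit", "0.0.0.0/0")]
NAT_ACL_FOR = {"Dialer0": ACL_111, "Dialer2": ACL_110}   # ip nat inside source list ... interface ...


def egress(dst, routes=STATIC_ROUTES):
    """Longest-prefix match over the static routes, as the RIB lookup does it."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), iface) for net, iface in routes
               if dst in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def acl_permits(acl, dst):
    """First-match evaluation of an IOS numbered ACL (implicit deny at the end)."""
    dst = ipaddress.ip_address(dst)
    for action, net in acl:
        if dst in ipaddress.ip_network(net):
            return action == "permit"
    return False


def nat_check(dst, routes=STATIC_ROUTES):
    """(egress interface, translated?) for a destination: a flow should leave on an
    interface whose NAT ACL permits it, otherwise it goes out with its private source."""
    iface = egress(dst, routes)
    return iface, acl_permits(NAT_ACL_FOR[iface], dst)


def endpoint_is_safe(routes=STATIC_ROUTES):
    """The tunnel endpoint must leave via the ADSL side: without the /32 route the /24
    route would send the PPTP control and GRE traffic into the tunnel it is trying to build."""
    return egress(str(ACCESS_SERVER), routes) == "Dialer0"
```

Dropping the /32 route from the list makes endpoint_is_safe() return False, which is the recursion the comment on the two "ip route A.B.C..." lines warns about.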


Note that interface Dialer2, when up, is in "spoofing" state:

Majico#sh int dialer 2
Dialer2 is up (spoofing), line protocol is up (spoofing)
Hardware is Unknown
Internet address is 10.31.206.10/32
MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 4/255, rxload 40/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
....
Here "spoofing" means the dialer interface pretends to be up so that the static routes pointing at it stay valid; it waits for interesting traffic, as defined by dialer-list 2, and then brings up the VPDN session.
Some useful commands to monitor VPDN status are:
Majico#sh vpdn

%No active L2TP tunnels

%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name State Remote Address Port Sessions VPDN Group
4 A.B.C.D estabd A.B.C.D 1723 1 2

LocID RemID TunID Intf Username State Last Chg Uniq ID
4 22144 4 Vi3 estabd 05:52:17 n/a

Here we see the Virtual-Access interface assigned to the PPTP dialer, and
Majico#sh ppp mppe virtual-Access 3
Interface Virtual-Access3 (current connection)
Software encryption, 128 bit encryption, Stateless mode
packets encrypted = 17155 packets decrypted = 22828
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 771 next rx coherency = 2348
tx key changes = 17155 rx key changes = 22828
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0

shows the encryption statistics and the type of encryption negotiated by MPPE (we configured "auto" negotiation, remember?).

Thanks to Dan Lanciani for configuration review!

Tuesday, September 2, 2008

Today's work in a shot: cleaning switches after 5 years of continuous service

Today is "the cleaning day": I cleaned about 15 3550/3500XL inline power switches and 2 2970s.
The 3550s were in production for about 5 years without cleaning or power off...







Inside's dirt...



...and the full stack cleaned and stored

Well... incredible, only one 3550 has a failed fan; all the others are still working (a bit noisily) ;-)
For cleaning I used a small portable air compressor and a 150h stud. (thanks Franz)

Tuesday, August 26, 2008

Connecting a NetApp Fas3020 to Cisco 4948 switches

Well, today I'll consider the connection between two Cisco 4948 switches and two NetApp FAS3020 storage systems.
This is a real situation that happened during our recent switch migration....

we have:
2 storage systems:
Fas3020 A <-> Fas3020 B
and 2 Cisco 4948 dedicated to storage networking

Ok, what happens when we must connect everything together to provide the best possible redundancy?
We follow the NetApp whitepapers and connect as follows:



So, two EtherChannels on each switch; if a switch or a FAS3020 fails we still have full redundancy, because each FAS3020 is configured in active/passive mode.

FAS3020 configuration is well documented by NetApp and obviously isn't my stuff, so I'll focus on the Cisco 4948 configuration.
There are two possible configurations for the switch EtherChannels: access mode if the FAS3020 has only one VLAN, trunk mode if the FAS3020 has multiple VLANs configured on the same interfaces.

We have both configurations in our system: there are 4 Gi ports in access mode and 4 in trunk mode for each FAS3020.

The easiest configuration is for access mode...

We chose to use EtherChannels in fixed "on" mode in our environment (LACP disabled).

I configured something like this:

int gi 1/1
desc Fas3020A Vif n
switchport
switchport mode access
switchport access vlan 8
spanning-tree portfast
speed 1000
duplex full
channel-group 2 mode on
!
int gi 1/2
desc Fas3020A Vif n
switchport
switchport mode access
switchport access vlan 8
spanning-tree portfast
speed 1000
duplex full
channel-group 2 mode on
!
int portchannel 2
desc Fas3020A vif n etherchannel
switchport
switchport mode access
switchport access vlan 8
spanning-tree portfast
!


If you forget to create the port-channels and configure the ports simply in access mode, the FAS3020 doesn't care, but the switch logs errors like "%C4K_EBM-4-HOSTFLAPPING: Host 02:A0:98:04:6F:0F in vlan 8 is flapping between port Gi1/2 and port Gi1/1".
No spanning-tree issues and no blocked ports: the FAS3020 uses active/passive with its virtual MAC address, so we can safely skip the STP listening/learning states on the FAS ports (spanning-tree portfast command); this doesn't disable spanning tree on the port, it only lets it go straight to forwarding.


For trunking mode I couldn't (easily) find NetApp configuration examples...


Ok, they make storage, not switches, so I had to try ;-)

First I tried a simple (naive) trunk, but when the ports joined the EtherChannel they went through all the 802.1D states, i.e. spanning tree "froze" the trunk ports connected to the FAS3020.
Not fun on a production system... and despite Rapid PVST+ being enabled globally on the switch, the FAS3020 is simply a host; it doesn't "understand" RSTP, so there are 48 seconds of fear ;-)
So I opened my BCMSN book and read about spanning-tree configurations... (this time testing in my lab first...) ;-)

The well (un)documented command turns out to be "spanning-tree portfast trunk", which enables portfast even on a trunk port (or port-channel).

So my final configuration for trunking portchannels with fas was like this:


int gi 1/1
desc Fas3020A Vif n
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 23-26,66
switchport mode trunk
spanning-tree portfast trunk
speed 1000
duplex full
channel-group 2 mode on
!
int gi 1/2
desc Fas3020A Vif n
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 23-26,66
switchport mode trunk
spanning-tree portfast trunk
speed 1000
duplex full
channel-group 2 mode on
!
int portchannel 2
desc Fas3020A Vif n ehterchannel
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 23-26,66
switchport mode trunk
spanning-tree portfast trunk
!


Bingooo, with this configuration the trunks came up without waiting for the slow STP states and WOW... bulletproof!



Final considerations:
-try it first in a test environment; 2 switches are enough, just disable STP on one switch to simulate the FAS3020 ("no spanning-tree vlan n" on the TEST switch)
-be careful with trunks between switches and trunking hosts... hosts DON'T send BPDUs!
-portfast only skips the listening/learning states; if a BPDU ever arrives the port falls back to normal STP behaviour, so on ports that must only ever face a host consider "spanning-tree bpduguard enable" too, so that a miscabled switch gets err-disabled instead of reshaping the topology
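For both the access-mode and the trunk-mode bundles above, the thing that bites in production is a member whose switchport settings don't match the other member or the port-channel: with "channel-group N mode on" there is no protocol to negotiate, the switch just refuses to bundle the odd port, and you are back to the host-flapping log message. The following checker is an added example (not from the original post or from NetApp/Cisco): it parses IOS-style interface stanzas written the way they appear on this page, groups members by channel-group, and reports any member whose profile differs from its siblings or from the port-channel interface. The sample configuration is a constructed copy of the access-mode config above, plus a deliberately broken variant.

```python
import re
from collections import defaultdict

# Lines that are not part of the bundling profile: the description and the
# channel-group statement itself. speed/duplex exist only on physical members.
IGNORED = ("desc", "description", "channel-group")
PHYSICAL_ONLY = ("speed", "duplex")

# Constructed copy of the access-mode configuration shown above.
ACCESS_CFG = """
int gi 1/1
desc Fas3020A Vif n
switchport
switchport mode access
switchport access vlan 8
spanning-tree portfast
speed 1000
duplex full
channel-group 2 mode on
!
int gi 1/2
desc Fas3020A Vif n
switchport
switchport mode access
switchport access vlan 8
spanning-tree portfast
speed 1000
duplex full
channel-group 2 mode on
!
int portchannel 2
desc Fas3020A vif n etherchannel
switchport
switchport mode access
switchport access vlan 8
spanning-tree portfast
!
"""

# Same config with a typo on the second member (vlan 9 instead of 8): with "mode on"
# the switch will not bundle it and the port ends up standalone, i.e. the flapping case.
BROKEN_CFG = ACCESS_CFG.replace(
    "int gi 1/2\ndesc Fas3020A Vif n\nswitchport\nswitchport mode access\nswitchport access vlan 8",
    "int gi 1/2\ndesc Fas3020A Vif n\nswitchport\nswitchport mode access\nswitchport access vlan 9")


def parse_interfaces(config_text):
    """Split IOS-style 'int ...' stanzas (terminated by '!') into {name: [lines]}."""
    stanzas, name = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            name = None
            continue
        m = re.match(r"^(?:int|interface)\s+(.+)$", line)
        if m:
            name = m.group(1).replace(" ", "").lower()   # "gi 1/1" -> "gi1/1"
            stanzas[name] = []
        elif name:
            stanzas[name].append(line)
    return stanzas


def check_bundles(config_text):
    """Return {channel-group number: [problems]}; an empty list means the group is consistent."""
    ifaces = parse_interfaces(config_text)
    members = defaultdict(dict)                      # group -> {member: channel-group line}
    for name, lines in ifaces.items():
        for line in lines:
            m = re.match(r"channel-group\s+(\d+)", line)
            if m:
                members[int(m.group(1))][name] = line
    problems = {}
    for group, names in members.items():
        probs = []
        profiles = {n: frozenset(l for l in ifaces[n] if not l.startswith(IGNORED)) for n in names}
        ref_name, ref = next(iter(profiles.items()))
        for n, prof in profiles.items():             # every member must match the first one
            diff = prof ^ ref
            if diff:
                probs.append(f"{n} differs from {ref_name}: {sorted(diff)}")
        modes = {l.split()[-1] for l in names.values()}
        if len(modes) > 1:                           # on/active/desirable mixed in one group
            probs.append(f"mixed channel-group modes {sorted(modes)}")
        po = ifaces.get(f"portchannel{group}") or ifaces.get(f"port-channel{group}")
        if po is None:
            probs.append("port-channel interface missing")
        else:                                        # port-channel must mirror the L2 profile
            want = frozenset(l for l in ref if not l.startswith(PHYSICAL_ONLY))
            have = frozenset(l for l in po if not l.startswith(IGNORED))
            if want != have:
                probs.append(f"port-channel{group} differs from members: {sorted(want ^ have)}")
        problems[group] = probs
    return problems
```

Run check_bundles() over a "show run" dump before touching the FAS ports: a clean result is {2: []}, the broken variant names gi1/2 and the two conflicting vlan lines.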


Monday, August 25, 2008

connecting Cisco 7911G into the wiring closet for initial configuration

Today's work in a shot:

Here the 7911s are connected in the wiring closet for their initial configuration; after this step we distributed the phones to their respective offices/desks.

Installed and configured:
2 x 3560G PoE 24 ports switches
1 x 3560G 48 ports switch
unpacked and configured about 30 x 7911G ip phones.

just
a
funny
work
;-)

Monday, August 18, 2008

Reusing OLD DCE-3 for Lab serials



For my lab, I've run out of DCE female serial cables. I'm thinking of buying another 3, but first I tried to reuse/recycle old Teleco DCE-3s.
Italian Telecom always leaves the dismissed line equipment at the customer's site, specifically the old 2 Mbps DCE-3 modems.
Over the years we have collected about 15 old DCE-3s... so I tried with the "newest" ones and used the following models:
Teleco TD 604T Modem DCE-3
Teleco TD 603T Modem DCE-3

On Teleco's site there is an Italian/English documentation page with the command reference and the "dedicated" terminal software for configuration (for the TD 604T model, but the 603T is the same).

For a DCE-3 back-to-back connection I used:
2 x DCE-3 TD 603T
2 x RJ11 to microcoax adapters (so crossing RX with TX is simpler; see "accessories" on Teleco's site)
2 x microcoax cables (old cables for the DCE to line connection)
2 x V.36 male to V.35 female adapters (see "accessories" too)
2 x V.35 male <-> DB60 male cables (for the DCE to router connection)
1 x Cisco console cable
2 x DB9 adapters for the Cisco console cable
1 x serial DB9 male-male "gender changer" adapter, since the DCE-3 ACD port is female and the DB9 adapter is female too...


When you connect to the ACD (console) port of the DCE-3 you can use the Telco terminal software or another terminal emulator (parameters: baud rate=600, data bits=7, parity=even, stop bits=1, flow control=XON/XOFF); you must use the following commands to bring up your "line":

  • AT&Z0 <-- Resets to default configuration, useful before other commands, resets the DCE-3
  • ATF31 <-- sets the line speed: 31 channels x 64 kbps (don't try to use all 32 channels unless you want CRC errors on the router's interface!)
  • AT&N0 <-- "e" bit CRC CCITT line side
  • AT&N7 <-- "e" bit CRC CCITT user side
  • ATU2 <-- bit 4 TS0B line side report loop 3C
  • ATV1 <-- bit 5 TS0B line side fixed to 1
  • ATX0 <-- bit 6 TS0B line side fixed to 0
  • ATY3 <-- bit 7 TS0B line side used for HDLC
  • ATD1 <-- bit 8 TS0B line side fixed to 1
  • AT&L0 <-- User interface X/V active
  • AT&I1 <-- V.13 disabled
  • AT&K1 <-- V.38 disabled
  • AT&R0 <-- C105 forced to ON
  • AT&C0 <-- C107 forced to ON
  • AT&S1 <-- C140 disabled
  • AT&P1 <-- C141 disabled
  • AT&B0 <-- DCE-3 connected to MUX-F
Useful commands also:
  • AT*C <-- lists the current configuration and errors
  • AT&W <-- writes the configuration to the DCE's NVRAM (DON'T FORGET IT!)

Use the same configuration on both DCE-3s, connect the serial DTE cables to the routers and... that's all; with these simple commands you have:
-saved buying new serial DCE cables
-recycled/reused DCE-3s destined for the trash
-saved some quantity of CO2 (don't know how much ;-) )

NOTE: this is a theoretical example only, used to examine what a piece of communication equipment can do. It's provided "as-is" without any warranty. Don't try this lab on DCEs that are the property of the Telco... they aren't yours! ;-)))

Thursday, August 14, 2008

Expanding my lab

Well, during these hot summer days I've decided to expand my lab with additional old-fashioned Cisco routers, so I went downstairs at work to find ANY dismissed material.
The result is this expanded lab (now about 18 rack units) ;-)



Old 2601s with only one Ethernet port are not so useful for routing labs, but I'll use them for tunnels and as MPLS "customers" ;-)

Tuesday, August 12, 2008

Switch migration continues...

What uptime!

DIT_s.Macchine_2970#sh ver
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 12:19 by yenanh

ROM: Bootstrap program is C2970 boot loader
BOOTLDR: C2970 Boot Loader (C2970-HBOOT-M) Version 12.1(14r)EA1a, RELEASE SOFTWARE (fc1)

DIT_s.Macchine_2970 uptime is 2 years, 6 days, 56 minutes
System returned to ROM by power-on
System restarted at 15:02:44 MEST Mon Aug 7 2006
System image file is "flash:c2970-lanbase-mz.122-25.SEB4/c2970-lanbase-mz.122-25.SEB4.bin"

cisco WS-C2970G-24TS-E (PowerPC405) processor (revision L0) with 118784K/12280K bytes of memory.
Processor board ID CAT0944N332
Last reset from power-on
2 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.


Ok, 2 years isn't that much... but this 24-port gigabit switch still works fully loaded and connected to a NetApp FAS3020 without problems. Not bad! What can we call it... "affordable"? ,-)

Wednesday, August 6, 2008

Spaghetti Connection(s)

Lol! Today's reportage is a spaghetti connection...
in the next few weeks we must replace all the switches...
but first we must find them! ;-)




Friday, August 1, 2008

New Lab today: OSPF + IS-IS + EIGRP + OSPFv3 + NAT-PT

Here is a new lab topology:


Steps are:
  1. configure all point-to-point links; where I have a double link, I'll use an L3 port-channel.
  2. configure all routing protocols for IPv4 networks
  3. configure Loopback 0 redistribution into all protocols for every router using route maps
  4. configure protocols redistribution betw OSPF, IS-IS and EIGRP avoiding loops and using tags
  5. configure all IPv6 networks and configure OSPFv3
  6. configure NAT-PT
  7. configure BGP AS 65065 and AS 64806, use Lo0 address for Ibgp and p2p address for Ebgp
Ok, I'll try to configure it, and for each step I'll write a comment about the problems.


Step 1: configure all point-to-point links; where I have multiple links, use an L3 port-channel.
No problems here; I configured the two port-channels as follows, using PAgP and LACP:

Port-channel configuration:

CON3#
interface Port-channel1
description Portchannel CON3 <-> CON2
no switchport
ip address 172.32.0.26 255.255.255.252
!
interface Port-channel2
description Portchannel CON3 <-> CON4
no switchport
no ip address
ipv6 address 2001:3434::1/64
!
interface FastEthernet1/0/1
description Portchannel CON3 <-> CON2
no switchport
no ip address
channel-group 1 mode passive
!
interface FastEthernet1/0/2
description Portchannel CON3 <-> CON2
no switchport
no ip address
channel-group 1 mode passive
!
interface FastEthernet1/0/11
description Portchannel CON3 <-> CON4
no switchport
no ip address
channel-group 2 mode auto
!
interface FastEthernet1/0/12
description Portchannel CON3 <-> CON4
no switchport
no ip address
channel-group 2 mode auto
!
CON2#
interface Port-channel1
description Portchannel CON2 <-> CON3
no switchport
ip address 172.32.0.25 255.255.255.252
!
interface FastEthernet0/3
description Portchannel CON2 <-> CON3
no switchport
no ip address
channel-group 1 mode active
!
interface FastEthernet0/4
description Portchannel CON2 <-> CON3
no switchport
no ip address
channel-group 1 mode active
!
CON4#
interface Port-channel1
description Portchannel CON4 <-> CON3
no switchport
no ip address
ipv6 address 2001:3434::2/64
!
interface FastEthernet1/0/11
description Portchannel CON4 <-> CON3
no switchport
no ip address
channel-group 1 mode desirable
!
interface FastEthernet1/0/12
description Portchannel CON4 <-> CON3
no switchport
no ip address
channel-group 1 mode desirable

2. configure all routing protocols for IPv4 networks
No problems here; I configured authentication on OSPF, EIGRP and IS-IS.

3. configure Loopback 0 redistribution into all protocols for every router using route maps
Here I used a route map as follows:

Route-map for Lo0 redistribution:

route-map Redistr_Lo0 permit 10
match interface Loopback0
set tag 0
!
route-map Redistr_Lo0 deny 20


4. configure protocols redistribution betw OSPF, IS-IS and EIGRP avoiding loops and using tags
This is a difficult step: first of all we must consider the administrative distance of the different protocols; here we have:
EIGRP 90
OSPF 110
IS-IS 115
EIGRP external 170
So we can either modify the default administrative distance when redistributing routes, or use tags to avoid loops.
After reading this Cisco document (Document ID: 49111) I realized that IS-IS doesn't support route tags, so we must use administrative distance instead.

Loop example:

CON1# traceroute 22.0.0.1

Type escape sequence to abort.
Tracing the route to 22.0.0.1

1 172.32.0.2 0 msec 0 msec 0 msec
2 172.32.0.10 0 msec 0 msec 4 msec
3 172.32.0.5 0 msec 0 msec 4 msec
4 172.32.0.2 0 msec 4 msec 0 msec
5 172.32.0.10 4 msec 4 msec 0 msec
6 172.32.0.5 4 msec 0 msec 4 msec
7 172.32.0.2 0 msec 4 msec 4 msec
8 172.32.0.10 0 msec 0 msec 4 msec
9 172.32.0.5 4 msec 0 msec 4 msec
10 172.32.0.2 4 msec 0 msec 0 msec
11 172.32.0.10 4 msec 4 msec 4 msec
12 172.32.0.5 4 msec 4 msec 0 msec
13 172.32.0.2 4 msec 4 msec 4 msec
14 172.32.0.10 4 msec 4 msec 4 msec
15 172.32.0.5 4 msec 4 msec 4 msec
16 172.32.0.2 4 msec 4 msec 4 msec
17 172.32.0.10 4 msec 8 msec 4 msec
18 172.32.0.5 4 msec 4 msec 4 msec
19 172.32.0.2 4 msec 4 msec 4 msec
20 172.32.0.10 8 msec 4 msec 4 msec
21 172.32.0.5 8 msec 4 msec 4 msec
22 172.32.0.2 4 msec 4 msec 4 msec
23 172.32.0.10 4 msec 8 msec 4 msec
24 172.32.0.5 8 msec 4 msec 4 msec
25 172.32.0.2 8 msec 4 msec 4 msec
26 172.32.0.10 4 msec 8 msec 4 msec
27 172.32.0.5 8 msec 4 msec 8 msec
28 172.32.0.2 4 msec 8 msec 8 msec
29 172.32.0.10 8 msec 8 msec 4 msec
30 172.32.0.5 8 msec 4 msec 8 msec
What a loop! Here CON1 sends traffic for 22.0.0.0/24 to CON5:
CON1#sh ip route 22.0.0.0
Routing entry for 22.0.0.0/24, 1 known subnets
O E1 22.0.0.0 [110/126] via 172.32.0.2, 19:34:32, FastEthernet0/24
CON5 sends it to CON6:
CON5#sh ip route 22.0.0.0
Routing entry for 22.0.0.0/24, 1 known subnets
Redistributing via ospf 1, isis
i L2 22.0.0.0 [115/89] via 172.32.0.10, Serial1/0
and CON6 sends it back to CON1 ;-(
CON6#sh ip route 22.0.0.0
Routing entry for 22.0.0.0/24, 1 known subnets
Redistributing via eigrp 33
O E1 22.0.0.0 [110/127] via 172.32.0.5, 19:36:39, FastEthernet0/1


To understand why this happens, we must analyse every router and consider who advertises this prefix and why it is placed in the routing table: each router installs the candidate with the lowest administrative distance, so a copy of the prefix that has been redistributed around and comes back in a protocol with a lower AD wins over the real path, and the three RIBs end up pointing at each other.
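As an added example (not part of the original post), the Python below replays that analysis on a constructed snapshot of the three RIBs: the candidates shown in the outputs above (O E1 on CON1, i L2 on CON5, O E1 on CON6) plus one assumption the page does not show, an EIGRP-external candidate on CON6 representing the prefix's real origin behind the EIGRP domain. Following next hops with the default ADs reproduces the traceroute loop; raising the AD of OSPF external routes on CON6 above 170 (IOS: "distance ospf external 171" under router ospf) makes CON6 believe EIGRP again and the path ends at the origin. The model is a static snapshot, it does not re-run redistribution after the change.

```python
# Default IOS administrative distances for the protocols in this lab.
DEFAULT_AD = {"EIGRP": 90, "OSPF": 110, "OSPF-EXT": 110, "IS-IS": 115, "EIGRP-EXT": 170}

# Constructed snapshot: router -> [(protocol, next hop)] candidates for 22.0.0.0/24.
# CON1, CON5 and the OSPF-EXT entry on CON6 come from the show outputs above;
# the EIGRP-EXT entry on CON6 (the real path towards the origin) is an assumption.
CANDIDATES = {
    "CON1": [("OSPF-EXT", "CON5")],                 # O E1 via 172.32.0.2
    "CON5": [("IS-IS", "CON6")],                    # i L2 via 172.32.0.10
    "CON6": [("OSPF-EXT", "CON1"),                  # O E1 via 172.32.0.5: the feedback copy
             ("EIGRP-EXT", "ORIGIN")],              # assumed: D EX towards the real origin
}


def best_candidate(router, candidates, ad_override=None):
    """RIB choice on one router: the candidate with the lowest administrative distance.
    ad_override = {router: {protocol: AD}} models 'distance ...' commands on that router."""
    override = (ad_override or {}).get(router, {})

    def ad(entry):
        return override.get(entry[0], DEFAULT_AD[entry[0]])

    return min(candidates[router], key=ad)


def forwarding_path(start, candidates, ad_override=None, max_hops=16):
    """Follow next hops like the traceroute above; returns (path, looped?).
    Stops at a node with no RIB entry (the origin) or when a router repeats."""
    path, cur = [start], start
    while cur in candidates and len(path) <= max_hops:
        cur = best_candidate(cur, candidates, ad_override)[1]
        if cur in path:
            return path + [cur], True
        path.append(cur)
    return path, False


def fixed_ad():
    """The remedy the page settles on, since tags are not an option on the IS-IS side:
    make OSPF-external routes on CON6 less believable than its EIGRP-external route."""
    return {"CON6": {"OSPF-EXT": 171}}      # 'distance ospf external 171' on CON6
```

With the override CON6 prefers the EIGRP-external candidate again; in the real network you would still tag or filter the prefix at the other redistribution points, because an AD change on one router only fixes the loop where that router is the weak link.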


Wednesday, July 30, 2008

today: Datacenter Switch Migration in a new RACK

No new topologies today: the "exercise" is a real migration of switches in my current datacenter environment.
The mission is to move the existing switches from the server racks into a new dedicated Panduit rack (photos when finished; Panduit has great vertical/horizontal cable management!).

There are: 2 x 4948 + 1 x 2960, really full; there are only 2 free ports!
Into the new rack we will move: 2 x existing 4948 + 3 x new 4948. In addition, two of these 4948 will be used only for the storage VLANs (iSCSI and NFS); these VLANs aren't routed, only L2.


Topology:



The first problem is how the existing switches, configured with standard 802.1D STP, will react when I add two new switches configured with Rapid PVST+ (rapid STP, one instance per VLAN). Well, this is a detail of one VLAN on my production switches:

xxx#sh spanning-tree vlan 23 detail

VLAN0023 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 23, address 0019.e79d.1b00
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32791, address 0015.fa7c.3c80
Root port is 45 (GigabitEthernet1/45), cost of root path is 4
Topology change flag not set, detected flag not set
Number of topology changes 2071 last change occurred 2w6d ago
from GigabitEthernet1/27
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Ok, I will try a mixed STP environment, with 2 switches using traditional STP and 2 configured with Rapid PVST+.
I'll test it in my own lab before going into the production system, because I want to know how the traditional-STP switches react, to avoid STP running on the storage VLANs (I don't want to destroy everything in production! ;-) )
So this is the lab topology: (but didn't I say "no new topologies for today"? ;-) a BCMSN refresh!)

CON1 and CON2 will run STP 802.1D, CON3 and CON4 Rapid PVST+; I'll activate the 2 links between CON2 and CON3 and debug spanning-tree on all 4 switches to see what happens.

Here the 4 switch configurations:

CON1#
interface FastEthernet0/11
description Trunk CON1 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet0/12
description Trunk CON1 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface GigabitEthernet0/2
description Trunk CON1 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

CON2#
interface FastEthernet0/3
description Trunk CON2 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet0/4
description Trunk CON2 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet0/11
description Trunk CON2 <-> CON1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet0/12
description Trunk CON2 <-> CON1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface GigabitEthernet0/2
description Trunk CON2 <-> CON1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

CON3#
spanning-tree mode rapid-pvst
!
interface FastEthernet1/0/1
description Trunk CON3 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet1/0/2
description Trunk CON3 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet1/0/11
description Trunk CON3 <-> CON4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet1/0/12
description Trunk CON3 <-> CON4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

CON4#
spanning-tree mode rapid-pvst
!
interface FastEthernet1/0/11
description Trunk CON4 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet1/0/12
description Trunk CON4 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
CON1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001-VLAN0003
....
CON2#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: none
....
CON3#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001-VLAN0003
....
CON4#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
....



Ok, now I enable debug spanning-tree events and bring up the links between CON2 and CON3:

CON2#
01:53:51: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
01:53:51: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
01:53:52: set portid: VLAN0001 Fa0/3: new port id 8003
01:53:52: STP: VLAN0001 Fa0/3 -> listening
01:53:52: set portid: VLAN0002 Fa0/3: new port id 8003
01:53:52: STP: VLAN0002 Fa0/3 -> listening
01:53:52: set portid: VLAN0003 Fa0/3: new port id 8003
01:53:52: STP: VLAN0003 Fa0/3 -> listening
01:53:52: set portid: VLAN0001 Fa0/4: new port id 8004
01:53.52: STP: VLAN0001 Fa0/4 -> listening
01:53:52: set portid: VLAN0002 Fa0/4: new port id 8004
01:53:52: STP: VLAN0002 Fa0/4 -> listening
01:53:52: set portid: VLAN0003 Fa0/4: new port id 8004
01:53:52: STP: VLAN0003 Fa0/4 -> listening
01:53:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
01:53:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
01:53:56: STP: VLAN0001 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0001 sent Topology Change Notice on Gi0/2
01:53:56: STP: VLAN0002 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0002 sent Topology Change Notice on Gi0/2
01:53:56: STP: VLAN0003 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0003 sent Topology Change Notice on Gi0/2
01:54:07: STP: VLAN0001 Fa0/3 -> learning
01:54:07: STP: VLAN0002 Fa0/3 -> learning
01:54:07: STP: VLAN0003 Fa0/3 -> learning
01:54:07: STP: VLAN0001 Fa0/4 -> learning
01:54:07: STP: VLAN0002 Fa0/4 -> learning
01:54:07: STP: VLAN0003 Fa0/4 -> learning
01:54:22: STP: VLAN0001 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0001 Fa0/3 -> forwarding
01:54:22: STP: VLAN0002 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0002 Fa0/3 -> forwarding
01:54:22: STP: VLAN0003 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0003 Fa0/3 -> forwarding
01:54:22: STP: VLAN0001 Fa0/4 -> forwarding
01:54:22: STP: VLAN0002 Fa0/4 -> forwarding
01:54:22: STP: VLAN0003 Fa0/4 -> forwarding
CON2#
Bingooo, only the ports coming up go through the spanning-tree states; the other ports are not affected..
On CON3 we see CON2 as 802.1D (the "Peer(STP)" type on the two ports towards it):


CON3#sh spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0013.1a55.8000
Cost 23
Port 3 (FastEthernet1/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0014.a98c.8780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Root FWD 19 128.3 P2p Peer(STP)
Fa1/0/2 Altn BLK 19 128.4 P2p Peer(STP)
Fa1/0/11 Desg FWD 19 128.13 P2p
Fa1/0/12 Desg FWD 19 128.14 P2p