Monday, October 26, 2009

Another spaghetti rack

I was in a building last week for some troubleshooting tasks.

When I entered the wiring closet to find a switch port for my laptop, it looked like...



one of the best spaghetti racks ever seen!




and here I found my port ;-)

(2nd switch from the top, port 0/45...)

Marco

Thursday, October 22, 2009

Tip of the day: ip access-list resequence

Hi all,

today's trick is access-list resequencing.

Consider an access-list with ugly sequence numbers, maybe the result of several configuration changes, e.g.:


R6# sh access-lists
Extended IP access list test
1 permit tcp any any eq www
2 permit tcp any any eq 443
3 permit tcp any any eq domain
4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet
5 permit tcp 172.16.0.0 0.0.255.255 any eq ssh
6 deny ip any any

R6#sh run | sec access-list
ip access-list extended test
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit tcp 172.16.0.0 0.0.255.255 any eq telnet
permit tcp 172.16.0.0 0.0.255.255 any eq 22
deny ip any any


If I have to modify it, the "old times" method was to remove the ACL from the interfaces, delete it, recreate it and then reapply it on the interfaces... but this is a named extended ACL, so you can insert and modify statements, since they have sequence numbers.

In this case, as you can see, there is no space between the sequence numbers, so today's trick is to resequence the ACL with the "ip access-list resequence" command (see "Refining an IP Access List").

Let's try it:

R6#sh access-lists
Extended IP access list test
1 permit tcp any any eq www
2 permit tcp any any eq 443
3 permit tcp any any eq domain
4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (394 matches)
5 permit tcp 172.16.0.0 0.0.255.255 any eq 22
6 deny ip any any (24 matches)

R6# conf t
R6(config)#ip access-list resequence test ?
<1-2147483647> Starting Sequence Number

R6(config)#ip access-list resequence test 10 ?
<1-2147483647> Step to increment the sequence number

R6(config)#ip access-list resequence test 10 10 ?
<cr>

R6(config)#ip access-list resequence test 10 10
R6(config)#do sh ip access-lists test
Extended IP access list test
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 permit tcp any any eq domain
40 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (496 matches)
50 permit tcp 172.16.0.0 0.0.255.255 any eq 22
60 deny ip any any (24 matches)
R6(config)#


et voilà, the named access-list is ready to be modified ;-)

Marco
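As an added example (not from the original post), the following Python script parses the `show access-lists` output format shown above, reports how many free sequence numbers sit between adjacent entries (zero everywhere in the post's ACL, which is exactly why nothing can be inserted), and computes what `ip access-list resequence <name> <start> <step>` will produce, enforcing the 1..2147483647 range that the IOS `?` help prints for both arguments. The sample output is constructed to match the post's ACL; the parser assumes the IOS format "sequence action text [(N matches)]".

```python
"""Parse Cisco IOS 'show access-lists' output and plan a resequence.

Added example, not from the original post. It assumes the exact output
format shown in the post: a header line, then one ACE per line made of
the sequence number, the action, the ACE text and an optional
'(N matches)' suffix.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the post's 'show access-lists'.
SAMPLE_OUTPUT = """\
Extended IP access list test
    1 permit tcp any any eq www
    2 permit tcp any any eq 443
    3 permit tcp any any eq domain
    4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (394 matches)
    5 permit tcp 172.16.0.0 0.0.255.255 any eq 22
    6 deny ip any any (24 matches)
"""

MAX_SEQ = 2147483647  # upper bound IOS prints for both start and step

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


@dataclass
class Ace:
    seq: int
    action: str
    text: str
    matches: int


def parse_access_lists(output):
    """Return {acl_name: [Ace, ...]} in the order IOS printed them."""
    acls = {}
    current = None
    for line in output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(2)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append(
                Ace(int(m.group(1)), m.group(2), m.group(3),
                    int(m.group(4) or 0)))
    return acls


def insertion_gaps(aces):
    """Free sequence numbers between each adjacent pair (0 = no room)."""
    return [b.seq - a.seq - 1 for a, b in zip(aces, aces[1:])]


def resequence(aces, start, step):
    """Mimic 'ip access-list resequence <name> <start> <step>': same order,
    same text, new numbers. Raises if a number would exceed the IOS limit."""
    if not (1 <= start <= MAX_SEQ and 1 <= step <= MAX_SEQ):
        raise ValueError("start and step must be within 1..2147483647")
    out = []
    for i, ace in enumerate(aces):
        seq = start + i * step
        if seq > MAX_SEQ:
            raise ValueError(f"entry {i + 1} would get sequence {seq}")
        out.append(Ace(seq, ace.action, ace.text, ace.matches))
    return out


def render(name, aces):
    """Print the ACL back in the 'show access-lists' layout."""
    lines = [f"Extended IP access list {name}"]
    for a in aces:
        suffix = f" ({a.matches} matches)" if a.matches else ""
        lines.append(f"    {a.seq} {a.action} {a.text}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    acl = parse_access_lists(SAMPLE_OUTPUT)["test"]
    print("free numbers between entries:", insertion_gaps(acl))
    print(render("test", resequence(acl, 10, 10)))
```

Running it on the sample prints all-zero gaps for the original list and nine free numbers between every pair after `resequence(acl, 10, 10)`, the same 10..60 numbering the router shows above. Note that resequencing renumbers every entry, so any change ticket or documentation that refers to the old sequence numbers has to be updated; the ACE text and order are untouched.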

Wednesday, October 14, 2009

MPLS VPN review

Hi all,
I'm completely busy studying for the CCIE R&S written, but I want to share an MPLS VPN lab for reviewing MPLS topics.

Here is the topology:



The task list for this lab is:
- R1-R2-R3-R4-R5-R6-R7 (ISP) must not elect any DR/BDR, to speed up convergence
- Any OSPF area 0.0.0.0 neighbor fault must be detected within 1 second or less (NOTE: if you use dynamips, this requirement can be skipped or "relaxed": the high CPU utilization will flap your adjacencies when you perform some operations, like enabling MPLS...)
- Area 0.0.0.0 must be ready for future traffic engineering configurations
- All ISP loopbacks must be reachable via the IGP
- R1 acts as MP-BGP Route Reflector
- CE11, CE12 and CE13 belong to the same organization, named "Customer1"; they use EIGRP AS 1 for the L3 VPN connections
- CE21, CE22 and CE23 belong to the same organization, named "Customer2"; they use BGP AS 65222 for the L3 VPN connections
- BB1 and BB2 are "the internet"; they must advertise at least 10,000 prefixes with BGP
- R1 must prefer BB1 for odd networks and BB2 for even networks
- Customers must receive only a default route to reach the internet, at every customer site

I used GNS3 with 7200s for the ISP and 3640s for the customers.


Here are the initial configs, just to speed up the lab start:




!-------------------------------
!-- R1 initial config

conf t
hostname R1

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R1 <-> R3
speed 100
duplex full
ip address 172.16.0.4 255.255.255.254
no shut

int fa 1/0
desc R1 <-> R2
speed 100
duplex full
ip address 172.16.0.2 255.255.255.254
no shut

int fa 1/1
desc R1 <-> R4
speed 100
duplex full
ip address 172.16.0.6 255.255.255.254
no shut

int fa 2/0
desc R1 <-> BB1
speed 100
duplex full
ip address 172.31.0.0 255.255.255.254
no shut

int fa 2/1
desc R1 <-> BB2
speed 100
duplex full
ip address 172.31.0.2 255.255.255.254
no shut

int lo 0
ip address 1.1.1.1 255.255.255.255
end

!-- END R1 initial config
!-------------------------------
!-- R2 initial config

conf t
hostname R2

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R2 <-> R5
ip address 172.16.0.0 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R2 <-> R1
speed 100
dupl full
ip addr 172.16.0.3 255.255.255.254
no shut

int lo 0
ip address 2.2.2.2 255.255.255.255
end

!-- END R2 initial config
!-------------------------------
!-- R3 initial config

conf t
hostname R3

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R3 <-> R1
ip address 172.16.0.5 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R3 <-> R6
speed 100
dupl full
ip addr 172.16.0.10 255.255.255.254
no shut

int lo 0
ip address 3.3.3.3 255.255.255.255
end

!-- END R3 initial config
!-------------------------------
!-- R4 initial config

conf t
hostname R4

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R4 <-> R7
ip address 172.16.0.8 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R4 <-> R1
speed 100
dupl full
ip addr 172.16.0.7 255.255.255.254
no shut

int lo 0
ip address 4.4.4.4 255.255.255.255
end

!-- END R4 initial config
!-------------------------------
!-- R5 initial config

conf t
hostname R5

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R5 <-> R2
speed 100
dupl full
ip addr 172.16.0.1 255.255.255.254
no shut

int fa 1/0
desc R5 <-> CE21
speed 100
dupl full
ip address 10.21.0.0 255.255.255.254
no shut

int fa 1/1
desc R5 <-> CE11
speed 100
dupl full
ip address 10.11.0.0 255.255.255.254
no shut

int lo 0
ip address 5.5.5.5 255.255.255.255
end

!-- END R5 initial config
!-------------------------------
!-- R6 initial config

conf t
hostname R6

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc R6 <-> R3
ip address 172.16.0.11 255.255.255.254
speed 100
dupl full
no shut

int fa 1/0
desc R6 <-> CE12
speed 100
dupl full
ip addr 10.11.0.4 255.255.255.254
no shut

int fa 1/1
desc R6 <-> CE22
speed 100
dupl full
ip address 10.21.0.4 255.255.255.254
no shut

int lo 0
ip address 6.6.6.6 255.255.255.255
end

!-- END R6 initial config
!-------------------------------
!-- CE11 initial config

conf t
hostname CE11

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE11 <-> R5
ip address 10.11.0.1 255.255.255.254
speed 100
dupl full
no shut

int lo 111
ip address 192.168.1.1 255.255.255.0

int lo 112
ip address 172.17.1.1 255.255.255.128
end

!-- END CE11 initial config
!-------------------------------
!-- CE12 initial config

conf t
hostname CE12

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE12 <-> R6
ip address 10.11.0.5 255.255.255.254
speed 100
dupl full
no shut

int lo 121
ip address 192.168.2.1 255.255.255.0

int lo 122
ip address 172.17.1.129 255.255.255.128
end

!-- END CE12 initial config
!-------------------------------
!-- CE13 initial config

conf t
hostname CE13

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE13 <-> R7
ip address 10.11.0.3 255.255.255.254
speed 100
dupl full
no shut

int lo 131
ip address 192.168.3.1 255.255.255.0

int lo 132
ip address 172.17.2.1 255.255.255.0
end

!-- END CE13 initial config
!-------------------------------
!-- CE21 initial config

conf t
hostname CE21

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE21 <-> R5
ip address 10.21.0.1 255.255.255.254
speed 100
dupl full
no shut

int lo 211
ip address 192.168.0.1 255.255.254.0

int lo 212
ip address 172.17.1.1 255.255.252.0
end

!-- END CE21 initial config
!-------------------------------
!-- CE22 initial config

conf t
hostname CE22

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE22 <-> R6
ip address 10.21.0.5 255.255.255.254
speed 100
dupl full
no shut

int lo 221
ip address 192.168.2.1 255.255.254.0

int lo 222
ip address 172.17.4.1 255.255.252.0
end

!-- END CE22 initial config
!-------------------------------
!-- CE23 initial config

conf t
hostname CE23

no ip domain-lookup
line con 0
logging sync
no exec-timeout

int fa 0/0
desc CE23 <-> R7
ip address 10.21.0.3 255.255.255.254
speed 100
dupl full
no shut

int lo 231
ip address 192.168.4.1 255.255.254.0

int lo 232
ip address 172.17.8.1 255.255.252.0
end

!-- END CE23 initial config
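Before starting a lab like this one, it is worth checking that the initial configs actually match the topology. The following Python script is an added example, not part of the original post: it parses the same `hostname` / `int` / `desc` / `ip address` lines used in the configs above, groups the /31 addresses into point-to-point links (each should have exactly two ends), flags `A <-> B` descriptions that do not name the router they are configured on, and lists prefixes that overlap between the two customers, which is the reason each customer needs its own VRF and route distinguisher on the PE routers. The embedded sample is a constructed, trimmed copy of four of the configs and deliberately includes one mismatched description so the check has something to report; the customer-to-hostname mapping is passed in by the caller.

```python
"""Audit MPLS VPN lab initial configs: links, descriptions, overlapping prefixes.

Added example, not part of the original post. It understands only the
config lines the lab uses: 'hostname', 'int'/'interface',
'desc'/'description' and 'ip address'/'ip addr' with a dotted mask.
"""
import ipaddress
import re

# Constructed sample: trimmed copies of the R1, R4, CE11 and CE21 initial
# configs; R4's description is deliberately wrong to exercise the check.
SAMPLE_CONFIGS = """\
conf t
hostname R1
int fa 1/1
desc R1 <-> R4
ip address 172.16.0.6 255.255.255.254
int fa 2/0
desc R1 <-> BB1
ip address 172.31.0.0 255.255.255.254
end
conf t
hostname R4
int fa 1/0
desc R2 <-> R1
ip addr 172.16.0.7 255.255.255.254
end
conf t
hostname CE11
int fa 0/0
desc CE11 <-> R5
ip address 10.11.0.1 255.255.255.254
int lo 112
ip address 172.17.1.1 255.255.255.128
end
conf t
hostname CE21
int fa 0/0
desc CE21 <-> R5
ip address 10.21.0.1 255.255.255.254
int lo 212
ip address 172.17.1.1 255.255.252.0
end
"""

IP_RE = re.compile(r"^\s*ip\s+addr(?:ess)?\s+(\S+)\s+(\S+)\s*$")


def parse_configs(text):
    """Return [(hostname, interface, description, IPv4Interface), ...]."""
    rows, host, intf, desc = [], None, None, ""
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "hostname":
            host, intf, desc = words[1], None, ""
        elif words[0] in ("int", "interface"):
            intf, desc = " ".join(words[1:]), ""
        elif words[0] in ("desc", "description"):
            desc = " ".join(words[1:])
        else:
            m = IP_RE.match(line)
            if m and host and intf:
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                rows.append((host, intf, desc, addr))
    return rows


def point_to_point_links(rows):
    """Group /31 addresses by network; a complete link has two ends."""
    links = {}
    for host, intf, desc, addr in rows:
        if addr.network.prefixlen == 31:
            links.setdefault(addr.network, []).append((host, intf, desc))
    return links


def description_mismatches(rows):
    """Flag 'A <-> B' descriptions that do not name the router itself."""
    bad = []
    for host, intf, desc, _ in rows:
        m = re.match(r"(\S+)\s*<->\s*(\S+)", desc)
        if m and host not in (m.group(1), m.group(2)):
            bad.append((host, intf, desc))
    return bad


def overlapping_prefixes(rows, customers):
    """Pairs of non-link prefixes that overlap across different customers.
    customers maps hostname -> customer name."""
    found = []
    nets = [(customers[h], h, addr.network) for h, _, _, addr in rows
            if h in customers and addr.network.prefixlen != 31]
    for i, (c1, h1, n1) in enumerate(nets):
        for c2, h2, n2 in nets[i + 1:]:
            if c1 != c2 and n1.overlaps(n2):
                found.append((h1, str(n1), h2, str(n2)))
    return found


if __name__ == "__main__":
    rows = parse_configs(SAMPLE_CONFIGS)
    for net, ends in sorted(point_to_point_links(rows).items()):
        state = "" if len(ends) == 2 else "(one end missing)"
        print(net, "->", ends, state)
    print("description mismatches:", description_mismatches(rows))
    print("overlaps:", overlapping_prefixes(
        rows, {"CE11": "Customer1", "CE21": "Customer2"}))
```

On the sample it pairs R1 fa 1/1 with R4 fa 1/0 on 172.16.0.6/31, reports the R4 description mismatch, and shows that CE11's 172.17.1.0/25 sits inside CE21's 172.17.0.0/22: two customers using the same address space is normal in a provider MPLS VPN and is precisely what the per-customer VRFs and route distinguishers keep apart.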