Saturday, December 25, 2010

Merry Christmas Lab

I Wish you all a Merry Christmas,

When you are relaxing in the evening on the pc/rack/dynamips, you may try to solve my gift-lab:

Topology:



Feel free to use your favorite IGP and IP addressing for all links, but here is also a list of nice tasks:

-All routers will have 3 loopbacks interfaces:
Lo0: 10.x.x.x/24
Lo192: 192.186.x.x/24
Lo172: 172.61.x.x/32
where x is the router number

-R1 and R4 share the same subnet, provide a redundant gateway for R2 using an appropriate protocol

-R1 and R4 are also NAT gateways using the same pool, provide a solution to ensure maximum availability allowing asymmetric traffic

-R2 and R3 are running IPv6, allow the IPv6 networks to communicate using an appropriate tunneling solution, run EIGRPv6 through the tunnel

-R5 must reach R3's IPv6 address even though it doesn't run IPv6 at all, configure R2 to obtain this

-R2 is suffering high CPU utilization, use CoPP to limit the control plane access. Allow routing protocols and other control traffic up to 100 pps, telnet and ssh up to 20 pps, and limit CEF exceptions to 15 pps.

-R5 is using OER to route traffic to R3 Lo0, using the lowest delay path

-R5 is also using IPSLA to track R2, R1 and R4 Loopbacks0, perform sla traffic every 1 sec with a size of 3000 bytes

-Finally, Loopbacks 192 belong to customer A's VRF and Loopbacks 172 to customer B's VRF. Using NGN services, allow customer sites to communicate. Customers also need a default route to R3 Lo0 as internet access. Using a single static route and a different VRF, provide the default to customers

-(Optional/Bonus task) Why not run ZBF on R2?



Hope you will enjoy this Christmas lab, I will start it this evening, and if I survive, maybe I'll post some solutions (or proposals of ...)

Marco


Update 10:30 PM: my "solution"

Assuming you have already done the very basic config (no ip domain-lookup, logging synchronous...) and you have read carefully ALL the tasks, here is my initial config:


#R1
hostname R1

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.1.1.1 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.1.1 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.1.1 255.255.255.255
int f 0/0
ip add 10.0.124.1 255.255.255.0
no shut
int s 0/0/1
ip add 10.0.13.1 255.255.255.0
no shut



#R2
hostname R2

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.2.2.2 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.2.2 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.2.2 255.255.255.255
int f 0/0
ip add 10.0.124.2 255.255.255.0
no shut
int s 0/0/0
encap frame
no shut
no frame interface-dlci 205
no frame interface-dlci 206
int s 0/0/0.205 point
ip add 10.0.25.2 255.255.255.0
frame interface-dlci 205
int s 0/0/0.206 point
ip add 10.0.26.2 255.255.255.0
frame interface-dlci 206


#R3
hostname R3

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.3.3.3 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.3.3 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.3.3 255.255.255.255
int s 0/1/0
ip add 10.0.13.3 255.255.255.0
no shut
clock rate 128000
int s 0/2/0
ip add 10.0.34.3 255.255.255.0
no shut


#R4
hostname R4

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.4.4.4 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.4.4 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.4.4 255.255.255.255
int f 0/0
ip add 10.0.124.4 255.255.255.0
no shut
int s 0/2/1
ip add 10.0.34.4 255.255.255.0
no shut
clock rate 128000


#R5
hostname R5

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.5.5.5 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.5.5 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.5.5 255.255.255.255
int f 0/0
ip add 10.0.56.5 255.255.255.0
no shut
int s 0/0/0
encap frame
no shut
no frame interface-dlci 502
int s 0/0/0.502 point
ip add 10.0.25.5 255.255.255.0
frame interface-dlci 502


#R6
hostname R6

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.6.6.6 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.6.6 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.6.6 255.255.255.255
int f 0/0
ip add 10.0.56.6 255.255.255.0
no shut
int s 0/0/0
encap frame
no shut
no frame interface-dlci 602
int s 0/0/0.602 point
ip add 10.0.26.6 255.255.255.0
frame interface-dlci 602



And now all the tasks commented:
-All routers will have 3 loopbacks interfaces:
Lo0: 10.x.x.x/24
Lo192: 192.186.x.x/24
Lo172: 172.61.x.x/32
where x is the router number

Already done in the initial config; note that you need to read all the tasks first, to create the VRFs for Loopbacks 192 and 172. (Note also the IP addresses: they are deliberately not the usual 192.168 and 172.16, so watch out for typing them on autopilot, ehehehe)

-R1 and R4 share the same subnet, provide a redundant gateway for R2 using an appropriate protocol

This is an FHRP task; we have to choose from three protocols: HSRP, VRRP and GLBP. Reading the next task, it must be clear that we are using stateful NAT (to allow asymmetric traffic), so HSRP is our choice, just to keep it "simple".

Here is the HSRP config:

#R1
interface FastEthernet0/0
standby 124 ip 10.0.124.254
standby 124 timers 3 6
standby 124 priority 110
standby 124 preempt
standby 124 authentication md5 key-string XMASLAB
standby 124 name HSRP
standby 124 mac-address 0000.0124.0124
standby 124 track Serial0/0/1 20

#R4
interface FastEthernet0/0
standby 124 ip 10.0.124.254
standby 124 timers 3 6
standby 124 preempt
standby 124 authentication md5 key-string XMASLAB
standby 124 name HSRP
standby 124 mac-address 0000.0124.0124
standby 124 track Serial0/2/1 20



-R1 and R4 are also NAT gateways using the same pool, provide a solution to ensure maximum availability allowing asymmetric traffic

Let's configure stateful NAT. I've added a Loopback1 to have the same NAT pool on R1 and R4.

#R1
int s 0/0/1
ip nat outside
int f 0/0
ip nat inside
ip nat Stateful id 1
redundancy HSRP
mapping-id 1
protocol udp
interface Loopback1
description Used for NAT Stateful
ip address 10.14.14.14 255.255.255.0
ip nat pool NATPOOL 10.14.14.140 10.14.14.240 prefix-length 24
ip nat inside source route-map INSIDE-TO-NAT pool NATPOOL mapping-id 1 overload
ip access-list extended INSIDE
remark do not nat routing protocols!
deny ospf any any
deny eigrp any any
deny tcp any any eq bgp
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any eq 646 any
permit ip 10.0.0.0 0.255.255.255 any
route-map INSIDE-TO-NAT permit 10
match ip address INSIDE


#R4
int s 0/2/1
ip nat outside
int f 0/0
ip nat inside
ip nat Stateful id 2
redundancy HSRP
mapping-id 1
protocol udp
interface Loopback1
description Used for NAT Stateful
ip address 10.14.14.14 255.255.255.0
ip nat pool NATPOOL 10.14.14.140 10.14.14.240 prefix-length 24
ip nat inside source route-map INSIDE-TO-NAT pool NATPOOL mapping-id 2 overload
ip access-list extended INSIDE
remark do not nat routing protocols!
deny ospf any any
deny eigrp any any
deny tcp any any eq bgp
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any eq 646 any
permit ip 10.0.0.0 0.255.255.255 any
route-map INSIDE-TO-NAT permit 10
match ip address INSIDE


Shortly after the configuration, you should see messages like:

*Dec 25 13:45:35.954: %SNAT-5-PROCESS: Id 2, System starts converging
*Dec 25 13:45:39.390: %SNAT-5-PROCESS: Id 2, System fully converged
*Dec 25 13:45:41.390: %SNAT-5-PROCESS: Id 2, System starts converging
*Dec 25 13:45:41.554: %SNAT-5-PROCESS: Id 2, System fully converged

You can verify the status of SNAT with:

R1#sh ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.0.124.1
: Local NAT id 1
: Peer Address 10.0.124.4
: Peer NAT id 2
: Mapping List 1
R1#


Note that stateful NAT integrates with HSRP, so it's only necessary to specify the HSRP group name under "redundancy". Without HSRP, you would have to configure the primary and backup router for NAT manually.

Stateful NAT requires the same NAT pool on both routers; in our case I have added Loopback1 for that.



Now it's time to configure our favorite IGP, since the lab requirements don't specify any protocol.
I chose OSPF, with two areas, using R2 as ABR: R1, R2, R3 and R4 belong to Area 1234, R2, R5 and R6 to Area 0.0.0.0.

#R1
int lo 0
ip ospf net point-to-point
int lo 1
ip ospf net point-to-point
router ospf 1
router-id 10.1.1.1
net 10.1.1.0 0.0.0.255 a 1234
net 10.0.13.0 0.0.0.255 a 1234
net 10.0.124.0 0.0.0.255 a 1234
net 10.14.14.0 0.0.0.255 a 1234
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB


#R2
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.2.2.2
net 10.2.2.0 0.0.0.255 a 0.0.0.0
net 10.0.25.0 0.0.0.255 a 0.0.0.0
net 10.0.26.0 0.0.0.255 a 0.0.0.0
net 10.0.124.0 0.0.0.255 a 1234
int fa0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.205
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.206
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

#R3
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.3.3.3
net 10.3.3.0 0.0.0.255 a 1234
net 10.0.13.0 0.0.0.255 a 1234
net 10.0.34.0 0.0.0.255 a 1234
int ser 0/1/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/2/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

#R4
int lo 0
ip ospf net point-to-point
int lo 1
ip ospf net point-to-point
router ospf 1
router-id 10.4.4.4
net 10.4.4.0 0.0.0.255 a 1234
net 10.0.34.0 0.0.0.255 a 1234
net 10.0.124.0 0.0.0.255 a 1234
net 10.14.14.0 0.0.0.255 a 1234
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/2/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

#R5
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.5.5.5
net 10.5.5.0 0.0.0.255 a 0.0.0.0
net 10.0.25.0 0.0.0.255 a 0.0.0.0
net 10.0.56.0 0.0.0.255 a 0.0.0.0
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.502
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB


#R6
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.6.6.6
net 10.6.6.0 0.0.0.255 a 0.0.0.0
net 10.0.26.0 0.0.0.255 a 0.0.0.0
net 10.0.56.0 0.0.0.255 a 0.0.0.0
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.602
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

OK, now that we have full routing information we can also test the stateful NAT: telnet from R5 to R3, then shut a serial interface on R4 or R1. You will see your telnet session freeze a little, but after the convergence time the session is still alive.


-R2 and R3 are running IPv6, allow the IPv6 networks to communicate using an appropriate tunneling solution, run EIGRPv6 through the tunnel

The only thing here is to choose the right type of tunnel; we have IPv6IP, IPv6IP 6to4, ISATAP, GRE...
We can exclude IPv6IP 6to4 because 6to4 doesn't support any dynamic routing protocol. Any of the others fits our requirement, but keep in mind that the tunnel traffic must not be NATed, so:


#R2
ipv6 unicast-routing
int lo 0
ipv6 add 2001:cafe:cc13:2::2/64
ipv6 eigrp 23
interface Tunnel6
no ip address
ipv6 address 2001:CAFE:CC13:23::2/64
ipv6 eigrp 23
tunnel source Loopback0
tunnel destination 10.3.3.3
tunnel mode ipv6ip
ipv6 router eigrp 23
no shut


#R3
ipv6 unicast-routing
int lo 0
ipv6 add 2001:cafe:cc13:3::3/64
ipv6 eigrp 23
interface Tunnel6
no ip address
ipv6 address 2001:CAFE:CC13:23::3/64
ipv6 eigrp 23
tunnel source Loopback0
tunnel destination 10.2.2.2
tunnel mode ipv6ip
ipv6 router eigrp 23
no shut

and let's add to the NAT ACL a deny for IP protocol 41 (IPv6IP); sequence 45 puts it ahead of the final permit. Otherwise the tunnel source/destination addresses will be NATed and the tunnel won't come up.

#R1
ip access-list ext INSIDE
45 deny 41 any any

#R4
ip access-list ext INSIDE
45 deny 41 any any
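
To see why the sequence number matters, here is an added example (not code from the original post): a small first-match model of the INSIDE access-list that feeds the stateful-NAT route-map. The sequence numbers given to the posted entries are an assumption (the post does not show them; IOS numbers named-ACL entries 10, 20, ... by default and the remark is skipped), the Ace/Packet classes and the function names are mine. It evaluates the R2-to-R3 tunnel packet (IP protocol 41) and a telnet from R5 to R3 against the ACL as posted, with the "45 deny 41 any any" entry, and with the same deny mistakenly appended after the permit, where it never matches.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything; otherwise exact name/number
    src: IPv4Network
    dst: IPv4Network
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


ANY = IPv4Network("0.0.0.0/0")
TEN = IPv4Network("10.0.0.0/8")          # "10.0.0.0 0.255.255.255" in wildcard form

# The INSIDE ACL as posted; sequence numbers are assumed (10-step default, remark skipped).
INSIDE: List[Ace] = [
    Ace(20, "deny", "ospf", ANY, ANY),
    Ace(30, "deny", "eigrp", ANY, ANY),
    Ace(40, "deny", "tcp", ANY, ANY, dst_port=179),       # bgp
    Ace(50, "deny", "udp", ANY, ANY, dst_port=646),       # ldp hello
    Ace(60, "deny", "tcp", ANY, ANY, dst_port=646),       # ldp session
    Ace(70, "deny", "tcp", ANY, ANY, src_port=646),
    Ace(80, "permit", "ip", TEN, ANY),
]

TUNNEL_DENY = Ace(45, "deny", "41", ANY, ANY)             # "45 deny 41 any any"


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if pkt.src not in ace.src or pkt.dst not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[Optional[int], str]:
    """First matching entry in sequence order; implicit deny when nothing matches."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.seq, ace.action
    return None, "deny"


def will_be_natted(acl: List[Ace], pkt: Packet) -> bool:
    """A route-map 'match ip address' treats a permit as 'translate this packet'."""
    return evaluate(acl, pkt)[1] == "permit"


def with_entry(acl: List[Ace], ace: Ace) -> List[Ace]:
    """Insert an entry the way 'ip access-list ext INSIDE / <seq> ...' does."""
    return sorted(acl + [ace], key=lambda a: a.seq)


# Traffic from the lab: the R2->R3 IPv6IP tunnel and a telnet from R5 to R3.
TUNNEL_PKT = Packet("41", IPv4Address("10.2.2.2"), IPv4Address("10.3.3.3"))
TELNET_PKT = Packet("tcp", IPv4Address("10.5.5.5"), IPv4Address("10.3.3.3"), 40000, 23)

if __name__ == "__main__":
    variants = [
        ("as posted", INSIDE),
        ("with 45 deny 41", with_entry(INSIDE, TUNNEL_DENY)),
        ("deny 41 appended after the permit", with_entry(INSIDE, Ace(90, "deny", "41", ANY, ANY))),
    ]
    for label, acl in variants:
        print(f"{label}: tunnel natted={will_be_natted(acl, TUNNEL_PKT)} "
              f"telnet natted={will_be_natted(acl, TELNET_PKT)}")
```

Running it shows the tunnel packet hitting the permit (and therefore being translated) both as posted and with the deny appended at the end; only the entry at 45 stops it, while the telnet session is still translated.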

-R5 must reach R3's IPv6 address even though it doesn't run IPv6 at all, configure R2 to obtain this.

This is a NAT-PT task; I'm assuming that we have to NAT R5 Lo0 and R3 Lo0.

#R2
int tun 6
ipv6 nat
int ser 0/0/0.205
ipv6 nat
int ser 0/0/0.206
ipv6 nat
ipv6 nat prefix 2001:CAFE:CC13:35::/96
ipv6 router eigrp 23
redistribute connected
ipv6 nat v6v4 source 2001:cafe:cc13:3::3 10.2.2.3
ipv6 nat v4v6 source 10.5.5.5 2001:cafe:cc13:35::5


Note that the ipv6 nat prefix must always be a /96 and must be reachable from the other IPv6 routers; hence the redistribute connected.
The logic for the static NAT-PT entries is easy to remember: I think of "ipv6 nat v6v4" as "my IPv6 address is seen as this IPv4" and, vice versa, of "ipv6 nat v4v6" as "my IPv4 address is seen as this IPv6".

After a successful ping (remember: source loopback, destination loopback! :-) ) from both sides you will see:

R2(config)#do sh ipv nat tra
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.5.5.5                 2001:CAFE:CC13:35::5

icmp  10.2.2.3,7               2001:CAFE:CC13:3::3,7
      10.5.5.5,7               2001:CAFE:CC13:35::5,7

icmp  10.2.2.3,8079            2001:CAFE:CC13:3::3,8079
      10.5.5.5,8079            2001:CAFE:CC13:35::5,8079

---   10.2.2.3                 2001:CAFE:CC13:3::3
      ---                      ---
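
The mapping logic above in code, as an added example that is not part of the original post. The static v6v4/v4v6 entries are the ones from the R2 config; the /96 requirement is shown for what it is (128 minus 32 bits, so that an IPv4 address fits in the host part of the NAT-PT prefix). The embed/extract helpers model the standard NAT-PT prefix behaviour for IPv4 hosts without a static entry; the post only uses static entries, and the function names and the NATPT_PREFIX constant are mine.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict

# "ipv6 nat prefix 2001:CAFE:CC13:35::/96" from the R2 config.
NATPT_PREFIX = IPv6Network("2001:cafe:cc13:35::/96")

# ipv6 nat v6v4 source <v6> <v4>: "my IPv6 address is seen as this IPv4"
V6V4_STATIC: Dict[IPv6Address, IPv4Address] = {
    IPv6Address("2001:cafe:cc13:3::3"): IPv4Address("10.2.2.3"),
}
# ipv6 nat v4v6 source <v4> <v6>: "my IPv4 address is seen as this IPv6"
V4V6_STATIC: Dict[IPv4Address, IPv6Address] = {
    IPv4Address("10.5.5.5"): IPv6Address("2001:cafe:cc13:35::5"),
}


def embed_ipv4(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """Place the 32-bit IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT-PT prefix must be a /96: 128 - 32 bits for the IPv4 address")
    return IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    """Inverse of embed_ipv4; refuses addresses outside the NAT-PT prefix."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside the NAT-PT prefix {prefix}")
    return IPv4Address(int(v6) & 0xFFFF_FFFF)


def as_seen_from_ipv6(v4: IPv4Address) -> IPv6Address:
    """Address an IPv6 host (R3) uses to reach an IPv4 host: the static v4v6
    entry if there is one, otherwise the IPv4 address embedded in the prefix."""
    static = V4V6_STATIC.get(v4)
    return static if static is not None else embed_ipv4(NATPT_PREFIX, v4)


def as_seen_from_ipv4(v6: IPv6Address) -> IPv4Address:
    """Address an IPv4-only host (R5) uses to reach an IPv6 host: the static
    v6v4 entry. An address inside the prefix is an IPv4 host in disguise."""
    if v6 in V6V4_STATIC:
        return V6V4_STATIC[v6]
    if v6 in NATPT_PREFIX:
        return extract_ipv4(NATPT_PREFIX, v6)
    raise KeyError(f"no NAT-PT mapping for {v6}")


if __name__ == "__main__":
    print("R5 Lo0 as seen by R3:", as_seen_from_ipv6(IPv4Address("10.5.5.5")))
    print("R6 Lo0 (no static entry):", as_seen_from_ipv6(IPv4Address("10.6.6.6")))
    print("R3 Lo0 as seen by R5:", as_seen_from_ipv4(IPv6Address("2001:cafe:cc13:3::3")))
```

Without the static entry, 10.5.5.5 would appear to R3 as 2001:cafe:cc13:35::a05:505 (the hex of 10.5.5.5 in the last 32 bits); the static v4v6 entry in the post simply replaces that with the friendlier ::5.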

-R2 is suffering high CPU utilization, use CoPP to limit the control plane access. Allow routing protocols and other control traffic up to 100 pps, telnet and ssh up to 20 pps, and limit CEF exceptions to 15 pps.

So far, so good; don't forget about LDP, as required by the VPN task.

#R2
ip access-list extended Management
permit tcp any any eq telnet
permit tcp any any eq 22
ip access-list extended Routing+LDP
permit ospf any any
permit tcp any any eq bgp
permit udp any any eq 646
permit tcp any any eq 646
permit tcp any eq 646 any
permit eigrp any any

class-map match-all Routing+LDP
match access-group name Routing+LDP
class-map match-all Management
match access-group name Management
policy-map CoPP
class Routing+LDP
police rate 100 pps
class Management
police rate 20 pps
policy-map CEF-EXCEPT
class class-default
police rate 15 pps

control-plane host
service-policy input CoPP
control-plane cef-exception
service-policy input CEF-EXCEPT

Note that you have to use the "host" control-plane subinterface to police the routing protocols; otherwise you can't apply a policy to cef-exception.
Also note that 15 pps for cef-exception is too low! A simple ping through the IPv6/NAT-PT path results in packet loss, and the drop counter on the control plane increments.

e.g.:

R3(config-if)#do ping 2001:cafe:cc13:35::5 source lo 0 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2001:CAFE:CC13:35::5, timeout is 2 seconds:
Packet sent with a source address of 2001:CAFE:CC13:3::3
!!!!.!!!!!!.!!!!!!.!!!!!!!.!!!!!.!!!!.!!!!!!!.!!!!!!!.!!!!!!!.!!!!!!!.
!!!!!!!.!!!!!!!.!!!!.!!!!!!!.!
Success rate is 86 percent (86/100), round-trip min/avg/max = 44/44/60 ms
R3(config-if)#

On R2 we see:

R2#sh control-plane counters
Feature Path           Packets processed/dropped/errors
Aggregate                  352299/0/0
Host                       250522/0/0
Transit                      2914/0/0
Cef-exception               98863/173/0
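
The drop counter is the thing to watch once a CoPP policy is in place. As an added example (not code from the post), here is a small parser for "show control-plane counters" that flags paths with drops and reports how much each drop counter rose between two polls, which is how a too-tight policer like the 15 pps cef-exception one shows up in monitoring rather than in a user's ping. The first snapshot is the output captured above; the second is constructed to represent a later poll, and the function names are mine.

```python
import re
from typing import Dict, List, Tuple

Counter = Tuple[int, int, int]                      # processed, dropped, errors
COUNTER_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)/(\d+)/(\d+)\s*$")

# Output captured in the post.
SNAPSHOT_1 = """\
R2#sh control-plane counters
Feature Path           Packets processed/dropped/errors
Aggregate                  352299/0/0
Host                       250522/0/0
Transit                      2914/0/0
Cef-exception               98863/173/0
"""

# Constructed second poll (not from the post): another ping burst went through.
SNAPSHOT_2 = """\
R2#sh control-plane counters
Feature Path           Packets processed/dropped/errors
Aggregate                  352521/0/0
Host                       250640/0/0
Transit                      2920/0/0
Cef-exception               98961/187/0
"""


def parse_counters(text: str) -> Dict[str, Counter]:
    """Map each control-plane path (lower-cased) to (processed, dropped, errors)."""
    counters: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            path, processed, dropped, errors = m.groups()
            counters[path.lower()] = (int(processed), int(dropped), int(errors))
    return counters


def paths_with_drops(counters: Dict[str, Counter]) -> List[str]:
    return [path for path, (_, dropped, _) in counters.items() if dropped > 0]


def drop_share(counters: Dict[str, Counter], path: str) -> float:
    """Dropped as a fraction of all packets seen on the path (processed + dropped).
    This treats the two columns as disjoint counts; check your platform's semantics."""
    processed, dropped, _ = counters[path]
    total = processed + dropped
    return dropped / total if total else 0.0


def rising_drops(before: Dict[str, Counter], after: Dict[str, Counter]) -> Dict[str, int]:
    """Drop-counter increase per path between two polls (only paths that rose)."""
    deltas: Dict[str, int] = {}
    for path, (_, dropped_after, _) in after.items():
        dropped_before = before.get(path, (0, 0, 0))[1]
        if dropped_after > dropped_before:
            deltas[path] = dropped_after - dropped_before
    return deltas


if __name__ == "__main__":
    c1, c2 = parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)
    print("paths dropping:", paths_with_drops(c1))
    print("cef-exception drop share: %.2f%%" % (100 * drop_share(c1, "cef-exception")))
    print("drops since last poll:", rising_drops(c1, c2))
```

Polling this every few minutes and alerting on a rising cef-exception counter tells you the policer is shedding legitimate punted traffic (here the NAT-PT path), before anyone complains about lost pings.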

-R5 is using OER to route traffic to R3 Lo0, using the lowest delay path

This is an OER master/border config on a single router; the next task has the objective of introducing delay to influence the OER decision...
Well, OER isn't my favorite topic: I did several labs on it, unsuccessfully most of the time, and today is no exception :-)
Here is my configuration; every suggestion is welcome as usual:

R5#sh run | s oer
oer master
policy-rules MyOerMap
!
border 10.5.5.5 key-chain OER
interface Null0 internal
interface Serial0/0/0.502 external
interface FastEthernet0/0 external
oer border
local Loopback0
master 10.5.5.5 key-chain OER
oer-map MyOerMap 10
match traffic-class prefix-list R3-Lo0
set periodic 90
set mode select-exit best
set backoff 90 90
set holddown 90
set delay threshold 1000
set mode route control
set unreachable relative 250
set active-probe tcp-conn 10.3.3.3 target-port 23
set probe frequency 4
set probe packets 5
R5#sh ip prefix
ip prefix-list R3-Lo0: 1 entries
seq 5 permit 10.3.3.0/24
R5#

With this config my monitored prefix was suddenly stuck in the OutOfPolicy state...

R5#sh oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 P - Percentage below threshold, Jit - Jitter (ms),
 MOS - Mean Opinion Score
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all
 # - Prefix monitor mode is Special, & - Blackholed Prefix
 % - Force Next-Hop, ^ - Prefix is denied

Prefix                  State     Time Curr BR         CurrI/F         Protocol
                      PasSDly  PasLDly  PasSUn  PasLUn  PasSLos  PasLLos
                      ActSDly  ActLDly  ActSUn  ActLUn      EBw      IBw
                      ActSJit  ActPMOS  ActSLos ActLLos
--------------------------------------------------------------------------------
10.3.3.0/24             OOPOLICY    77 10.5.5.5        Se0/0/0.502     RIB-PBR
                            U        U       0       0        0        0
                           28      125       0       0        0        0
                            N        N
R5#



-R5 is also using IPSLA to track R2, R1 and R4 Loopbacks0, perform sla traffic every 1 sec with a size of 3000 bytes

Here I used a group schedule:

R5# sh run | s ip sla
ip sla 1
icmp-echo 10.2.2.2
request-data-size 3000
timeout 1000
threshold 1000
frequency 3
ip sla 2
icmp-echo 10.1.1.1
request-data-size 3000
timeout 1000
threshold 1000
frequency 3
ip sla 3
icmp-echo 10.4.4.4
request-data-size 3000
timeout 1000
threshold 1000
frequency 3
ip sla group schedule 1 1-3 schedule-period 1 frequency range 1-5 start-time now life forever

-Finally, Loopbacks 192 belong to customer A's VRF and Loopbacks 172 to customer B's VRF. Using NGN services, allow customer sites to communicate. Customers also need a default route to R3 Lo0 as internet access. Using a single static route and a different VRF, provide the default to customers

Yep, here MPLS configuration is required, so let's start by enabling LDP and BGP on all routers. The VRFs are ready from the initial config; we only need to redistribute connected for every VRF, since there's no CE-PE protocol.

#R1
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 1000 1999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/1
mpls ip

#R2
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 2000 2999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/0.205
mpls ip
int s 0/0/0.206
mpls ip


#R3
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 3000 3999
mpls ldp explicit-null
mpls ip
int s 0/1/0
mpls ip
int s 0/2/0
mpls ip


#R4
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 4000 4999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/2/1
mpls ip


#R5
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 5000 5999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/0.502
mpls ip


#R6
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 6000 6999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/0.602
mpls ip


Note that stateful NAT uses the same IP address on both routers, so LDP sees the same address advertised by two different neighbors and logs something like:

*Dec 25 20:49:40.261: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.14.14.14 advertised by peer 10.4.4.4:0 is already bound to 10.1.1.1:0

Now the BGP configuration:

#R1
R1(config-router)#do sh run | s bgp
router bgp 100
bgp router-id 10.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.13.3 remote-as 300
neighbor 10.0.124.2 remote-as 200
neighbor 10.0.124.4 remote-as 400
!
address-family vpnv4
neighbor 10.0.13.3 activate
neighbor 10.0.13.3 send-community both
neighbor 10.0.124.2 activate
neighbor 10.0.124.2 send-community both
neighbor 10.0.124.4 activate
neighbor 10.0.124.4 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R2
R2(config-router-af)#do sh run | s bgp
router bgp 200
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.25.5 remote-as 500
neighbor 10.0.26.6 remote-as 600
neighbor 10.0.124.1 remote-as 100
neighbor 10.0.124.4 remote-as 400
!
address-family vpnv4
neighbor 10.0.25.5 activate
neighbor 10.0.25.5 send-community both
neighbor 10.0.26.6 activate
neighbor 10.0.26.6 send-community both
neighbor 10.0.124.1 activate
neighbor 10.0.124.1 send-community both
neighbor 10.0.124.4 activate
neighbor 10.0.124.4 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R3
R3(config-router-af)#do sh run | s bgp
router bgp 300
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.13.1 remote-as 100
neighbor 10.0.34.4 remote-as 400
!
address-family vpnv4
neighbor 10.0.13.1 activate
neighbor 10.0.13.1 send-community both
neighbor 10.0.34.4 activate
neighbor 10.0.34.4 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R4
R4(config-router)#do sh run | s bgp
router bgp 400
bgp router-id 10.4.4.4
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.34.3 remote-as 300
neighbor 10.0.124.1 remote-as 100
neighbor 10.0.124.2 remote-as 200
!
address-family vpnv4
neighbor 10.0.34.3 activate
neighbor 10.0.34.3 send-community both
neighbor 10.0.124.1 activate
neighbor 10.0.124.1 send-community both
neighbor 10.0.124.2 activate
neighbor 10.0.124.2 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R5
R5(config-router-af)#do sh run | s bgp
router bgp 500
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.25.2 remote-as 200
neighbor 10.0.56.6 remote-as 600
!
address-family vpnv4
neighbor 10.0.25.2 activate
neighbor 10.0.25.2 send-community both
neighbor 10.0.56.6 activate
neighbor 10.0.56.6 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R6
R6(config-router-af)#do sh run | s bgp
router bgp 600
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.26.2 remote-as 200
neighbor 10.0.56.5 remote-as 500
!
address-family vpnv4
neighbor 10.0.26.2 activate
neighbor 10.0.26.2 send-community both
neighbor 10.0.56.5 activate
neighbor 10.0.56.5 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

On R1 and R4 I had to set the BGP router-id manually, otherwise they would always take the same router-id due to the stateful NAT configuration.
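
Six routers with hand-typed eBGP peerings is exactly where a one-digit slip leaves a session in Active. As an added example (not the post's own code), here is a Python consistency check over the six "router bgp" blocks above: for every neighbor statement it verifies that the peer address is on a directly connected subnet, that the router owning that address is really in the configured remote-as, and that this router peers back with the right AS. The BGP lines are the ones posted; the link addresses are copied from the initial configs; the function names are mine.

```python
import re
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

BGP_CONFIGS: Dict[str, str] = {
    "R1": "router bgp 100\n neighbor 10.0.13.3 remote-as 300\n"
          " neighbor 10.0.124.2 remote-as 200\n neighbor 10.0.124.4 remote-as 400",
    "R2": "router bgp 200\n neighbor 10.0.25.5 remote-as 500\n neighbor 10.0.26.6 remote-as 600\n"
          " neighbor 10.0.124.1 remote-as 100\n neighbor 10.0.124.4 remote-as 400",
    "R3": "router bgp 300\n neighbor 10.0.13.1 remote-as 100\n neighbor 10.0.34.4 remote-as 400",
    "R4": "router bgp 400\n neighbor 10.0.34.3 remote-as 300\n"
          " neighbor 10.0.124.1 remote-as 100\n neighbor 10.0.124.2 remote-as 200",
    "R5": "router bgp 500\n neighbor 10.0.25.2 remote-as 200\n neighbor 10.0.56.6 remote-as 600",
    "R6": "router bgp 600\n neighbor 10.0.26.2 remote-as 200\n neighbor 10.0.56.5 remote-as 500",
}

# Link addresses from the initial configs (loopbacks are not needed here).
LINK_ADDRS: Dict[str, List[str]] = {
    "R1": ["10.0.124.1/24", "10.0.13.1/24"],
    "R2": ["10.0.124.2/24", "10.0.25.2/24", "10.0.26.2/24"],
    "R3": ["10.0.13.3/24", "10.0.34.3/24"],
    "R4": ["10.0.124.4/24", "10.0.34.4/24"],
    "R5": ["10.0.56.5/24", "10.0.25.5/24"],
    "R6": ["10.0.56.6/24", "10.0.26.6/24"],
}

ROUTER_RE = re.compile(r"^\s*router bgp (\d+)")
NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) remote-as (\d+)")


def parse_bgp(text: str) -> Tuple[int, Dict[IPv4Address, int]]:
    """Return (local AS, {neighbor address: remote-as}) from a router bgp block."""
    asn, neighbors = 0, {}
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            asn = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors[IPv4Address(m.group(1))] = int(m.group(2))
    return asn, neighbors


def check_peerings(configs: Dict[str, str], link_addrs: Dict[str, List[str]]) -> List[str]:
    """One human-readable issue per inconsistent neighbor statement; [] when all is well."""
    parsed = {name: parse_bgp(cfg) for name, cfg in configs.items()}
    owner = {IPv4Interface(a).ip: name for name, addrs in link_addrs.items() for a in addrs}
    issues: List[str] = []
    for name, (asn, neighbors) in parsed.items():
        my_ifaces = [IPv4Interface(a) for a in link_addrs[name]]
        for peer_ip, remote_as in neighbors.items():
            peer = owner.get(peer_ip)
            if peer is None:
                issues.append(f"{name}: neighbor {peer_ip} is not an address of any router")
                continue
            peer_as, peer_neighbors = parsed[peer]
            if peer_as != remote_as:
                issues.append(f"{name}: neighbor {peer_ip} is {peer} in AS {peer_as}, not {remote_as}")
            if not any(peer_ip in i.network for i in my_ifaces):
                issues.append(f"{name}: neighbor {peer_ip} is not on a connected subnet")
            # Reciprocal statement: any neighbor line on the peer that names one of my addresses.
            back = [ip for ip in peer_neighbors if owner.get(ip) == name]
            if not back:
                issues.append(f"{name}: {peer} has no neighbor statement back to {name}")
            elif peer_neighbors[back[0]] != asn:
                issues.append(f"{name}: {peer} peers back with remote-as {peer_neighbors[back[0]]}, not {asn}")
    return issues


if __name__ == "__main__":
    for issue in check_peerings(BGP_CONFIGS, LINK_ADDRS) or ["all peerings consistent"]:
        print(issue)
```

On the posted configs it reports nothing; remove one neighbor line or mistype a remote-as and it names the router and the statement to fix.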

Now all customers see their respective routes, so it's time to give "internet" to our customers through a default route. The task mentions a single static route on R3 and a different VRF, so:

#R3
ip vrf INTERNET
rd 3:3
route-target export 3:3
route-target import 3:3
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Null0

router bgp 300
address-family ipv4 vrf INTERNET
redistribute static
default-information originate
no synchronization
exit-address-family

Then on all routers:

ip vrf A
route-target import 3:3
ip vrf B
route-target import 3:3

Let's check:

R6(config-vrf)#do sh ip route vrf A | beg Gate
Gateway of last resort is 10.0.26.2 to network 0.0.0.0

B 192.186.4.0/24 [20/0] via 10.0.26.2, 00:18:07
B 192.186.5.0/24 [20/0] via 10.0.56.5, 00:20:30
C 192.186.6.0/24 is directly connected, Loopback192
B 192.186.1.0/24 [20/0] via 10.0.26.2, 00:17:36
B 192.186.2.0/24 [20/0] via 10.0.26.2, 00:20:30
B 192.186.3.0/24 [20/0] via 10.0.26.2, 00:18:07
B* 0.0.0.0/0 [20/0] via 10.0.26.2, 00:00:28
R6(config-vrf)#do sh ip route vrf B | beg Gate
Gateway of last resort is 10.0.26.2 to network 0.0.0.0

172.61.0.0/32 is subnetted, 6 subnets
C 172.61.6.6 is directly connected, Loopback172
B 172.61.5.5 [20/0] via 10.0.56.5, 00:20:33
B 172.61.4.4 [20/0] via 10.0.26.2, 00:18:10
B 172.61.3.3 [20/0] via 10.0.26.2, 00:18:10
B 172.61.2.2 [20/0] via 10.0.26.2, 00:20:33
B 172.61.1.1 [20/0] via 10.0.26.2, 00:17:39
B* 0.0.0.0/0 [20/0] via 10.0.26.2, 00:00:31
R6(config-vrf)#



-(Optional/Bonus task) Why not run ZBF on R2?

How many points for this one? :-D

Marco

Monday, December 6, 2010

Design: does it really matter for a network engineer?

A couple of days ago,
I was using a demo account on Safari Books, provided to my university library.

It's nice and interesting to go through the whole Cisco Press catalog and look at titles and topics that aren't strictly on my CCIE R&S track. There is always something that opens up new ideas in my mind, something interesting and useful to read.

I started reading a couple of pages of the "NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures" book, just to have a look at the CLI commands, then I skimmed a bit of "TcL Scripting for Cisco IOS".

Then I landed on "Top-Down Network Design, Third Edition", a book by Priscilla Oppenheimer.
Well, that book isn't strictly technical (I guess there are no CLI commands in it), but its topics captured my attention.

"Design: Logical and Physical architectures", for example (this is one of my favorite topics; I almost ALWAYS like to chat about it).

It's difficult, and requires a lot of experience, to develop a proper design for a network; even in the smallest one, when it starts growing, design issues and mistakes often emerge.

I often meet very well-prepared engineers who haven't yet assimilated the difference between logical and physical, and most of the time I give this example:

Given this physical topology:


How to realize this logical topology?


I'm sure all of you can configure this in a couple of minutes. (Or maybe you will respond with "you have to recable it" or "it's impossible" [that happened!])

But how do we know whether a physical topology, in other words "the way we connect devices", will be scalable and support future changes and requirements?

Well, that book refers to a lifecycle called PDIOO (Plan, Design, Implement, Operate, Optimize).
Here is the page, courtesy of Google Books:


All the phases are detailed enough to keep me thinking...
Too often I see these steps squeezed into a sort of lifecycle like this:

-Analyze Requirements becomes a Single Requirement: finish quickly and do the stuff working
-Develop Logical and Physical Design becomes Just Connect in a couple of free ports, who cares about design?
-Test, Optimize and Document Design becomes: skip it, must be done for yesterday :-)
-Implement and Test Network becomes: haven't it done yet?
-Monitor and Optimize Network Performances becomes: ping and keep it up as long as possible

The last phase is called "Retire" (see the next page in the Google Books frame).
Well, the retire phase got me thinking and thinking... a well-designed network has a plan to retire equipment, has an idea of when a solution or an implementation will become obsolete.
Hopefully it has a "retirement plan", something like a part of the solution specifically designed for the retire phase.

That's amazing!

Try to explain it to the engineer who proudly states "my old XY switch has been switching frames for 10 years, why do I have to change it? Only because it's 10 rack units for 24 ports?" :-)

Moral: you can be a good network engineer, but you MUST work with a good, experienced architect to build clean, working and scalable networks; otherwise you can do your job using your own criteria and keep networks working as best you can, but you will pay for it in terms of scalability over the years.

(Me, for example... I'm still asking myself why I did "no switchport" instead of a trunk on switch XYZ years ago... now adding a new VLAN will be easy...)

Marco

Tuesday, November 16, 2010

Today's work in a shot: configuring Lwapp AP 1252

Hi all,
here's a shot of this afternoon's work:

Looks like a solid wall of LWAPP 1252s !


But wait.... where is my colleague?


here it is! :-)

(just kidding)

Marco

Sunday, November 14, 2010

"vrf definition" command, how to survive

Hi all,

As you may know, the old way of defining a VRF ("ip vrf") is useful only for IPv4 VRFs.

For example:

ip vrf OLD-FORMAT
description old format for vrf definition
rd 1:1
vpn id ABC:DEF
route-target export 1:1
route-target import 1:1
route-target import 1:2


will create an IPv4-only VRF, as you can see with:

Router(config-vrf)#do sh vrf detail
VRF OLD-FORMAT; default RD 1:1; default VPNID ABC:DEF
Description: old format for vrf definition
No interfaces
Address family ipv4 (Table ID = 0x1):
Export VPN route-target communities
RT:1:1
Import VPN route-target communities
RT:1:1 RT:1:2
No import route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
Address family ipv6 not active.


If we add an interface with both IPv4 and IPv6 addresses to the VRF, we also notice:

Router(config)#do sh run int f 0/0 | b int
interface FastEthernet0/0
ip vrf forwarding OLD-FORMAT
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
ipv6 address FC00:1234:CC13::1/64


Router(config)#do sh ip route vrf OLD-FORMAT | b Gate
Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/0
Router(config)#

Router(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

Router(config)#do sh ipv6 route
IPv6 Routing Table - Default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C FC00:1234:CC13::/64 [0/0]
via FastEthernet0/0, directly connected
L FC00:1234:CC13::1/128 [0/0]
via FastEthernet0/0, receive
L FF00::/8 [0/0]
via Null0, receive


As expected, the VRF table is created only for the IPv4 address-family; the IPv6 address is still in the global table.

Starting from IOS 12.4(20)T (and 12.2(33)Sxx) the new command "vrf definition" was introduced.
According to the Doc-CD, the command creates the virtual routing tables for both the IPv4 and IPv6 address-families, and can be used to specify global route-targets for both address-families as well as address-family-specific ones.

So far so good; let's try this relatively new feature and see if it works as documented:


Router(config)#vrf definition NEW-FORMAT
Router(config-vrf)#rd 2:2
Router(config-vrf)#?
VPN Routing/Forwarding instance configuration commands:
address-family Enter Address Family command mode
context Associate SNMP context with this vrf
default Set a command to its defaults
description VRF specific description
exit Exit from VRF configuration mode
no Negate a command or set its defaults
rd Specify Route Distinguisher
route-target Specify Target VPN Extended Communities
vpn Configure VPN ID as specified in rfc2685

Router(config-vrf)#route-target both 2:2
Router(config-vrf)#route-target import 100:100
Router(config-vrf)#do sh run vrf NEW-FORMAT
Building configuration...

Current configuration : 120 bytes
vrf definition NEW-FORMAT
rd 2:2
route-target export 2:2
route-target import 2:2
route-target import 100:100
!
end


Nice, as you can see, I have placed the route-targets globally, hoping that they will be used for both address families.
In fact this does not happen at all, because it seems the address families aren't activated:

Router(config-vrf)#sh vrf detail NEW-FORMAT
VRF NEW-FORMAT; default RD 2:2; default VPNID
No interfaces
Address family ipv4 not active.
Address family ipv6 not active.


So if you try to add an interface to this vrf, the result is something strange:

Router(config)#int f 0/1
Router(config-if)#ip vrf forwarding NEW-FORMAT
% Use 'vrf forwarding' command for VRF 'NEW-FORMAT' !-- note that the old format command is rejected
Router(config-if)#vrf forwarding NEW-FORMAT
Router(config-if)#ip add 10.2.2.2 255.255.255.0
Router(config-if)#ipv6 address fc00:2222:2222::2/64
%FastEthernet0/1 is linked to a VRF. Enable IPv6 on that VRF first. !-- IPv6 address is rejected too!
Router(config-if)#do sh run int f 0/1
Building configuration...

Current configuration : 120 bytes
!
interface FastEthernet0/1
vrf forwarding NEW-FORMAT
ip address 10.2.2.2 255.255.255.0
duplex auto
speed auto
end


It seems the IPv6 address was rejected because the address family isn't activated, but the IPv4 address was accepted.

Surprise! The IPv4 address is still in the global routing table, not in the VRF table!

Router(config-if)#do sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.2.2.0 is directly connected, FastEthernet0/1

Router(config-if)#do sh ip route vrf NEW-FORMAT

Router(config-if)#


So let's activate the address families:

Router(config)#vrf definition NEW-FORMAT
Router(config-vrf)#address-family ipv4
Router(config-vrf-af)#route-target both 2:2
Router(config-vrf-af)#exit
Router(config-vrf)#address-family ipv6
Router(config-vrf-af)#route-target both 2:2
Router(config-vrf-af)#exit
Router(config-vrf)#do sh run vrf NEW-FORMAT
Building configuration...

Current configuration : 409 bytes
vrf definition NEW-FORMAT
rd 2:2
route-target export 2:2
route-target import 2:2
route-target import 100:100
!
address-family ipv4
route-target export 2:2
route-target import 2:2
exit-address-family
!
address-family ipv6
route-target export 2:2
route-target import 2:2
exit-address-family
!
!
interface FastEthernet0/1
vrf forwarding NEW-FORMAT
no ip address
duplex auto
speed auto
!
!
end

Router(config-vrf)#

Yup! The IP address disappeared without notice!

Let's re-add both the IPv4 and IPv6 addresses:

Router(config-vrf)#int f 0/1
Router(config-if)#ip add 10.2.2.2 255.255.255.0
Router(config-if)#ipv add fc00:2222:2222::2/64
Router(config-if)#do sh run vrf NEW-FORMAT
Building configuration...

Current configuration : 464 bytes
vrf definition NEW-FORMAT
rd 2:2
route-target export 2:2
route-target import 2:2
route-target import 100:100
!
address-family ipv4
route-target export 2:2
route-target import 2:2
exit-address-family
!
address-family ipv6
route-target export 2:2
route-target import 2:2
exit-address-family
!
!
interface FastEthernet0/1
vrf forwarding NEW-FORMAT
ip address 10.2.2.2 255.255.255.0
duplex auto
speed auto
ipv6 address FC00:2222:2222::2/64
!
!
end

Router(config-if)#do sh ip route | beg Gate
Gateway of last resort is not set

Router(config-if)#do sh ip route vrf NEW-FORMAT

Routing Table: NEW-FORMAT
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.2.2.0 is directly connected, FastEthernet0/1
Router(config-if)#do sh ipv6 route vrf NEW-FORMAT
IPv6 Routing Table - NEW-FORMAT - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C FC00:2222:2222::/64 [0/0]
via FastEthernet0/1, directly connected
L FC00:2222:2222::2/128 [0/0]
via FastEthernet0/1, receive
L FF00::/8 [0/0]
via Null0, receive
Router(config-if)#


Finally it's all right: both the IPv4 and IPv6 addresses are in the VRF routing table. I'm still asking myself what the purpose of the global route-targets is...

:-)
Fortunately, it seems this has been changed in IOS 15.0. The tests above were done on my 12.4T rack; when I tried the same on dynamips with 15.0...

RackVR1(config)#vrf definition TEST
RackVR1(config-vrf)#rd 1:1
RackVR1(config-vrf)#route-target both 1:1

RackVR1(config)#int f 2/0
RackVR1(config-if)#vrf forwarding TEST
% Cannot configure VRF forwarding since no address family configuration exists in this VRF TEST; Please configure address family first
RackVR1(config-if)#do sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
...
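A pre-deployment check for the pitfall shown above, as an added example (not code from the post): it walks an IOS configuration, records which address families each VRF will actually have (legacy `ip vrf` gives IPv4 only, `vrf definition` gives only what its `address-family` stanzas activate) and flags interfaces whose `vrf forwarding` binds them to a VRF that cannot hold the addresses configured on them. The sample configuration, interface names and addresses are constructed.

```python
"""Lint an IOS config for 'vrf definition' VRFs used before their address families exist.
Added example, not code from the post: on the 12.4T router above a 'vrf definition'
without 'address-family ipv4/ipv6' left the interface's IPv4 address in the global
table and rejected its IPv6 address, while 15.0 refuses 'vrf forwarding' outright.
The sample config below is constructed to reproduce those cases."""
import re

SAMPLE_CONFIG = """\
vrf definition NEW-FORMAT
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
vrf definition BOTH-AF
 rd 3:3
 address-family ipv4
  route-target both 3:3
 exit-address-family
 address-family ipv6
  route-target both 3:3
 exit-address-family
!
ip vrf LEGACY
 rd 4:4
!
interface FastEthernet0/1
 vrf forwarding NEW-FORMAT
 ip address 10.2.2.2 255.255.255.0
 ipv6 address FC00:2222:2222::2/64
!
interface FastEthernet0/2
 vrf forwarding BOTH-AF
 ip address 10.3.3.3 255.255.255.0
 ipv6 address FC00:3333:3333::3/64
!
interface FastEthernet0/3
 ip vrf forwarding LEGACY
 ipv6 address FC00:4444:4444::4/64
!
interface FastEthernet0/4
 vrf forwarding UNDEFINED
 ip address 10.5.5.5 255.255.255.0
!
end
"""


def iter_blocks(config):
    """Yield (header, body_lines) for each top-level block of an IOS config."""
    header, body = None, []
    for line in config.splitlines() + ["!"]:
        if line[:1].isspace() and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header = None if line.strip() in ("", "!", "end") else line.strip()
        body = []


def vrf_address_families(config):
    """Map VRF name -> address families that will actually exist for it."""
    vrfs = {}
    for header, body in iter_blocks(config):
        m = re.match(r"(ip vrf|vrf definition) (\S+)$", header)
        if not m:
            continue
        if m.group(1) == "ip vrf":          # legacy form creates the IPv4 table only
            vrfs[m.group(2)] = {"ipv4"}
        else:                               # new form: only explicitly activated families
            vrfs[m.group(2)] = {l.split()[1] for l in body if l.startswith("address-family ")}
    return vrfs


def audit(config):
    """Return one finding per interface address that its VRF cannot hold."""
    vrfs, findings = vrf_address_families(config), []
    for header, body in iter_blocks(config):
        m = re.match(r"interface (\S+)$", header)
        if not m:
            continue
        intf = m.group(1)
        bind = [l for l in body if l.startswith(("vrf forwarding ", "ip vrf forwarding "))]
        if not bind:
            continue
        vrf = bind[0].split()[-1]
        if vrf not in vrfs:
            findings.append(f"{intf}: bound to VRF {vrf}, which is not defined")
            continue
        for af, prefix in (("ipv4", "ip address "), ("ipv6", "ipv6 address ")):
            if any(l.startswith(prefix) for l in body) and af not in vrfs[vrf]:
                findings.append(f"{intf}: {af} address but VRF {vrf} has no 'address-family {af}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```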



Marco

PS: by the way... I'm back.

Wednesday, November 3, 2010

CCIE Exam... delayed



Hi all, this short one is to inform all my readers that I have delayed my exam to 31 Jan 2011.
Just to feel more prepared and more confident.
I will work on speed and accuracy during this additional time, and as usual more lab and lab and lab...

Thank you all for the previous encouraging mails and comments
Marco

Monday, September 13, 2010

Still alive... one month later

Hi all, this short post is to assure my readers that I am still alive, but in "radio silence" mode until the exam... the countdown is now at -77!
I'm passing my time doing small labs on dynamips and reading the Doc-CD... but I feel the time is passing so rapidly that I decided to put the blog on hold :-)

sorry by the way
Marco

Friday, August 13, 2010

QoS on Cisco 3560 diagram

Hi all,

Reading the documentation about Catalyst 3560 QoS, you may notice that it's hard to understand the 3560 QoS model and how the various pieces interact during the configuration and operation of that platform.

So I've decided to order the various things in my mind with a diagram, made with Dia as usual:

Here is the .jpg result of my understanding; feel free to suggest improvements or to point out errors... this is the v1.0 version (alpha?) and has to be reviewed.

have fun
Marco



PS: I also suggest reading:
INE Blog: Bridging the gap between 3550 and 3560 QoS: Part I
INE Blog: Bridging the gap between 3550 and 3560 QoS: Part II
INE Blog: Quick Notes on the 3560 Egress Queuing

Wednesday, August 4, 2010

Playing with vlan.dat

Hi all, today I'm a little bit insane (or rather, not only today, but a little bit more than usual :-) )

This morning I started my journey reading the Catalyst 3560 Configuration Guide on the train.
It's nice to discover new things every day; today I heard about "internal VLANs" for the first time...
Walking to the office, that internal VLAN stuff got mixed up in my sleepy mind, so I started playing insane games with two switches instead of having a coffee break.

First, I have to satisfy my curiosity and see those internal VLANs:

Switch# sh vlan internal usage

VLAN Usage
---- --------------------
1025 FastEthernet0/20

Switch#sh run int fa 0/20
Building configuration...

Current configuration : 87 bytes
!
interface FastEthernet0/20
no switchport
ip address 10.12.12.1 255.255.255.0
end


OK, let's say that every L3 port on a switch is assigned an internal VLAN in the extended range.
The only IOS command I found about internal VLANs is "vlan internal allocation policy":

Switch(config)#vlan internal allocation policy ?
ascending Allocate internal VLAN in ascending order
descending Allocate internal VLAN in descending order

Switch(config)#vlan internal allocation policy descending

Note that this command takes effect only after a reload. Basically it tells the switch to choose the internal VLAN numbers from 1006 upwards or from 4094 downwards; in the most recent releases it seems undocumented and not working... anyway...

That gave me the idea to play with the internal VLANs, trying to loop/trunk them, but without success.

The next insane idea is to play with the vlan.dat file.
Just recall that the vlan.dat file is stored in flash: by default and contains the information about VTP and the standard-range VLANs (from 1 to 1005).

Let's look closer at this vlan.dat file...

Switch#more flash:vlan.dat
%Error opening flash:vlan.dat (No such file or directory)
Switch#

!-- By default there is no vlan.dat file; it's created when the first VLAN is defined or when VTP is modified

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vtp domain MY-DOMAIN
Changing VTP domain name from NULL to MY-DOMAIN
Switch(config)#end

Switch#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : MY-DOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x0F 0x01 0x47 0xF9 0x1D 0xCD 0x9C 0x56
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 10.0.0.2 on interface Vl1 (lowest numbered VLAN interface found)
Switch#

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
00000010: 41494E00 00000000 00000000 00000000 AIN. .... .... ....
00000020: 00000000 00000000 00000000 00000000 .... .... .... ....
00000030: 00000000 00000001 30303030 30303030 .... .... 0000 0000
00000040: 30303030 0F0147F9 1DCD9C56 2F420F7D 0000 ..Gy .M.V /B.}
00000050: F2CC391B 00000000 00000000 00000000 rL9. .... .... ....
00000060: 00000000 00000000 00000000 00000000 .... .... .... ....
00000070: 00000000 00000000 00000000 00000000 .... .... .... ....
00000080: 00000000 00000000 00000000 00000000 .... .... .... ....
00000090: 00000000 00000005 02020000 0388CD3C .... .... .... ..M<
000000A0: 07646566 61756C74 00000000 00000000 .def ault .... ....
000000B0: 00000000 00000000 00000000 00000000 .... .... .... ....
000000C0: 00000101 05DC0001 000186A1 00000000 .... .\.. ...! ....
000000D0: 00000000 00000000 00000000 0C666464 .... .... .... .fdd
000000E0: 692D6465 6661756C 74000000 00000000 i-de faul t... ....
000000F0: 00000000 00000000 00000000 00000201 .... .... .... ....
00000100: 05DC03EA 00018A8A 00000000 00000000 .\.j .... .... ....
00000110: 00000000 00000000 12746F6B 656E2D72 .... .... .tok en-r
00000120: 696E672D 64656661 756C7400 00000000 ing- defa ult. ....
00000130: 00000000 00000000 00000301 05DC03EB .... .... .... .\.k
00000140: 00018A8B 00000000 00000000 00000007 .... .... .... ....
00000150: 07000000 0F666464 696E6574 2D646566 .... .fdd inet -def
00000160: 61756C74 00000000 00000000 00000000 ault .... .... ....
00000170: 00000000 00000401 05DC03EC 00018A8C .... .... .\.l ....
00000180: 00000001 00000000 00000000 00000000 .... .... .... ....
00000190: 0D74726E 65742D64 65666175 6C740000 .trn et-d efau lt..
000001A0: 00000000 00000000 00000000 00000000 .... .... .... ....
000001B0: 00000501 05DC03ED 00018A8D 00000002 .... .\.m .... ....
000001C0: 00000000 00000000 00000000 0388D028 .... .... .... ..P(
000001D0: 000003EA 00000008 032FABFC 01010000 ...j .... ./+| ....
000001E0: 04010000 02F610D4 000003EB 00000008 .... .v.T ...k ....
000001F0: 0388D06C 01010000 04010000 032FB620 ..Pl .... .... ./6
00000200: 000003EC 00000008 02F61118 02010000 ...l .... .v.. ....
00000210: 03010001 00000000 000003ED 00000008 .... .... ...m ....
00000220: 032FB664 02010000 03010002 XXXXXXXX ./6d .... .... XXXX

Switch#


Whoops! The switch itself displays binary files as hex dumps with the ASCII portion on the right side... interesting!

I noted:
-in the first part, the VTP information: the domain name is visible in cleartext
-the VTP MD5 seen in the sh vtp status output is stored in the file at locations 0x44 - 0x4B
-after the VTP part, the VLAN information is stored using some data structure; more investigation needed.

So why not try to modify this system file by hand? No fear: if it fails, delete the file and reload, that's it.

First I tried a simple Tcl script to modify vlan.dat, but it seems "seek" in Tcl doesn't work as expected:

Switch#tclsh
Switch(tcl)#set f [open "vlan.dat" "r+"]
file0
Switch(tcl)#seek $f 160

Switch(tcl)#tell $f
160
Switch(tcl)#puts -nonewline $f "TEST"

Switch(tcl)#close $f

Switch(tcl)#^Z
Switch#

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
00000010: 41494E00 00000000 00000000 00000000 AIN. .... .... ....
00000020: 00000000 00000000 00000000 00000000 .... .... .... ....
00000030: 00000000 00000001 30303030 30303030 .... .... 0000 0000
00000040: 30303030 0F0147F9 1DCD9C56 2F420F7D 0000 ..Gy .M.V /B.}
00000050: F2CC391B 00000000 00000000 00000000 rL9. .... .... ....
00000060: 00000000 00000000 00000000 00000000 .... .... .... ....
00000070: 00000000 00000000 00000000 00000000 .... .... .... ....
00000080: 00000000 00000000 00000000 00000000 .... .... .... ....
00000090: 00000000 00000005 02020000 0388CD3C .... .... .... ..M<
000000A0: 07646566 61756C74 00000000 00000000 .def ault .... ....
000000B0: 00000000 00000000 00000000 00000000 .... .... .... ....
000000C0: 00000101 05DC0001 000186A1 00000000 .... .\.. ...! ....
000000D0: 00000000 00000000 00000000 0C666464 .... .... .... .fdd
000000E0: 692D6465 6661756C 74000000 00000000 i-de faul t... ....
000000F0: 00000000 00000000 00000000 00000201 .... .... .... ....
00000100: 05DC03EA 00018A8A 00000000 00000000 .\.j .... .... ....
00000110: 00000000 00000000 12746F6B 656E2D72 .... .... .tok en-r
00000120: 696E672D 64656661 756C7400 00000000 ing- defa ult. ....
00000130: 00000000 00000000 00000301 05DC03EB .... .... .... .\.k
00000140: 00018A8B 00000000 00000000 00000007 .... .... .... ....
00000150: 07000000 0F666464 696E6574 2D646566 .... .fdd inet -def
00000160: 61756C74 00000000 00000000 00000000 ault .... .... ....
00000170: 00000000 00000401 05DC03EC 00018A8C .... .... .\.l ....
00000180: 00000001 00000000 00000000 00000000 .... .... .... ....
00000190: 0D74726E 65742D64 65666175 6C740000 .trn et-d efau lt..
000001A0: 00000000 00000000 00000000 00000000 .... .... .... ....
000001B0: 00000501 05DC03ED 00018A8D 00000002 .... .\.m .... ....
000001C0: 00000000 00000000 00000000 0388D028 .... .... .... ..P(
000001D0: 000003EA 00000008 032FABFC 01010000 ...j .... ./+| ....
000001E0: 04010000 02F610D4 000003EB 00000008 .... .v.T ...k ....
000001F0: 0388D06C 01010000 04010000 032FB620 ..Pl .... .... ./6
00000200: 000003EC 00000008 02F61118 02010000 ...l .... .v.. ....
00000210: 03010001 00000000 000003ED 00000008 .... .... ...m ....
00000220: 032FB664 02010000 03010002 54455354 ./6d .... .... TEST

Switch#


No luck with Tcl... it seems my "TEST" string was appended to the file, even though "seek" and "tell" showed the pointer at position 160.

Well, to recreate the correct file, simply add a VLAN, so the switch is forced to overwrite the vlan.dat file.

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
[...]
00000220: 032FB664 02010000 03010002 54455354 ./6d .... .... TEST

Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 3
Switch(config-vlan)#exit
Switch(config)#exit
Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
[...]
00000250: 00000000 000003ED 00000008 0382EAB8 .... ...m .... ..j8
00000260: 02010000 03010002 XXXXXXXX XXXXXXXX .... .... XXXX XXXX

Switch#


So I downloaded the vlan.dat file with TFTP and opened it in a hex editor (GHex for Linux, by the way...).
After several tests, I have mapped the various fields as follows:


Switch(config)#do sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ....
3 VLAN0003 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 0209.... ........ ->I bet here there are Vtp config revision, vtp mode ...
........ ........ ....4D59 2D444F4D ->Vtp domain name: MY -DOM
00000010: 41494E.. ........ ........ ........ ->Vtp domain name: AIN
......00 00000000 00000000 00000000
00000020: 00000000 00000000 00000000 00000001
00000030: 0A000002 00000001 39333033 30313030
00000040: 34303034 ........ ........ ........
........ A1204A8A 0852706C ........ -> Vtp domain MD5 hash (as seen on sh vtp status)
........ ........ ........ 93DC7C07
00000050: C08B0833 00000000 00000000 00000000
00000060: 00000000 00000000 00000000 00000000
00000070: 00000000 00000000 00000000 00000000
00000080: 00000000 00000000 00000000 00000000
00000090: 00000000 00000006 02020000 033B7650
000000A0: 07...... ........ ........ ........
..646566 61756C74 ........ ........ -> Vlan Name: default
........ ........ 00000000 00000000 -> Vlan Name: blank space (vlan name up to 32 bytes)
000000B0: 00000000 00000000 00000000 00000000 -> Vlan Name: blank space (vlan name up to 32 bytes)
000000C0: 00000101 ........ ........ ........ -> Not shure about this one, maybe it is the "vlan count?"
........ 05DC.... ........ ........ -> Vlan MTU : value 0x05DC = 1500 in decimal
........ ....0001 ........ ........ -> Vlan ID : value 0x0001 = vlan id 1
........ ........ 000186A1 ........ -> Vlan SAID: value 0x000186A1 = SAID 100001 in decimal
........ ........ ........ 00000000
000000D0: 00000000 00000000 00000000 08......
........ ........ ........ ..564C41 -> next Vlan Name: VLA
000000E0: 4E303030 33...... ........ ........ -> next Vlan Name: N000 3
........ ..000000 00000000 00000000 -> .... and so on...
000000F0: 00000000 00000000 00000000 00000101 .... .... .... ....
00000100: 05DC0003 000186A3 00000000 00000000 .\.. ...# .... ....
00000110: 00000000 00000000 0C666464 692D6465 .... .... .fdd i-de
00000120: 6661756C 74000000 00000000 00000000 faul t... .... ....
00000130: 00000000 00000000 00000201 05DC03EA .... .... .... .\.j
00000140: 00018A8A 00000000 00000000 00000000 .... .... .... ....
00000150: 00000000 12746F6B 656E2D72 696E672D .... .tok en-r ing-
00000160: 64656661 756C7400 00000000 00000000 defa ult. .... ....
00000170: 00000000 00000301 05DC03EB 00018A8B .... .... .\.k ....
00000180: 00000000 00000000 00000007 07000000 .... .... .... ....
00000190: 0F666464 696E6574 2D646566 61756C74 .fdd inet -def ault
000001A0: 00000000 00000000 00000000 00000000 .... .... .... ....
000001B0: 00000401 05DC03EC 00018A8C 00000001 .... .\.l .... ....
000001C0: 00000000 00000000 00000000 0D74726E .... .... .... .trn
000001D0: 65742D64 65666175 6C740000 00000000 et-d efau lt.. ....
000001E0: 00000000 00000000 00000000 00000501 .... .... .... ....
000001F0: 05DC03ED 00018A8D 00000002 ........
........ ........ ........ 00000000 -> From here to the end, I didn't understand the fields
00000200: 00000000 00000000 03830810 000003EA -> but I've seen the Vlan id (eg. here 0x03EA) repeating
00000210: 00000008 038307CC 01010000 04010000 -> for the FDDI/Token Ring/trn vlans
00000220: 0382E9EC 000003EB 00000008 03830854 -> I bet these are bridge/parent/ring/stp params
00000230: 01010000 04010000 0382EA74 000003EC
00000240: 00000008 0382EA30 02010000 03010001
00000250: 00000000 000003ED 00000008 0382EAB8
00000260: 02010000 03010002 XXXXXXXX XXXXXXXX -> file ends at 0x0267, the "X" are padding of the "more" command
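The field map above turned into a parser, as an added example (not part of the post): it rebuilds the bytes from the `more flash:vlan.dat` output and then decodes the VTP header and the VLAN records. The offsets are my reading of the two dumps on this page, checked against the `show vtp status` and `show vlan` output beside them: the full 16-byte MD5 sits at 0x44-0x53 and `show vtp status` prints its first 8 bytes, the 32-bit value at 0x94 is 5 in the first dump and 6 after VLAN 3 was added, and the 60-byte VLAN records start at 0xA0. They are an observation on this one switch, not a documented format.

```python
"""Decode a Catalyst vlan.dat image (VTP header + VLAN records).
Added example, not code from the original post: the offsets were read off the
'more flash:vlan.dat' dumps above and checked against the neighbouring
'show vtp status' / 'show vlan' output, so they describe this one switch's file."""
import re
import struct

MAGIC = bytes.fromhex("BADB100D")
FIRST_RECORD, RECORD_SIZE = 0xA0, 0x3C                  # first VLAN record and its stride
VLAN_TYPES = {1: "enet", 2: "fddi", 3: "tr", 4: "fdnet", 5: "trnet"}
STP_TYPES = {0: "-", 1: "ieee", 2: "ibm"}               # matches the Stp column of 'show vlan'
HEX_LINE = re.compile(r"^([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8})+)")

# First dump from the post, ASCII column dropped; the XXXXXXXX is padding from 'more'.
SAMPLE_DUMP = """\
00000000: BADB100D 00000002 02094D59 2D444F4D
00000010: 41494E00 00000000 00000000 00000000
00000020: 00000000 00000000 00000000 00000000
00000030: 00000000 00000001 30303030 30303030
00000040: 30303030 0F0147F9 1DCD9C56 2F420F7D
00000050: F2CC391B 00000000 00000000 00000000
00000060: 00000000 00000000 00000000 00000000
00000070: 00000000 00000000 00000000 00000000
00000080: 00000000 00000000 00000000 00000000
00000090: 00000000 00000005 02020000 0388CD3C
000000A0: 07646566 61756C74 00000000 00000000
000000B0: 00000000 00000000 00000000 00000000
000000C0: 00000101 05DC0001 000186A1 00000000
000000D0: 00000000 00000000 00000000 0C666464
000000E0: 692D6465 6661756C 74000000 00000000
000000F0: 00000000 00000000 00000000 00000201
00000100: 05DC03EA 00018A8A 00000000 00000000
00000110: 00000000 00000000 12746F6B 656E2D72
00000120: 696E672D 64656661 756C7400 00000000
00000130: 00000000 00000000 00000301 05DC03EB
00000140: 00018A8B 00000000 00000000 00000007
00000150: 07000000 0F666464 696E6574 2D646566
00000160: 61756C74 00000000 00000000 00000000
00000170: 00000000 00000401 05DC03EC 00018A8C
00000180: 00000001 00000000 00000000 00000000
00000190: 0D74726E 65742D64 65666175 6C740000
000001A0: 00000000 00000000 00000000 00000000
000001B0: 00000501 05DC03ED 00018A8D 00000002
000001C0: 00000000 00000000 00000000 0388D028
000001D0: 000003EA 00000008 032FABFC 01010000
000001E0: 04010000 02F610D4 000003EB 00000008
000001F0: 0388D06C 01010000 04010000 032FB620
00000200: 000003EC 00000008 02F61118 02010000
00000210: 03010001 00000000 000003ED 00000008
00000220: 032FB664 02010000 03010002 XXXXXXXX
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'more flash:vlan.dat' output (ASCII column optional)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue                                    # prompts, blank lines, non-hex groups
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {m.group(1)}")
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)


def parse_vlan_dat(data: bytes) -> dict:
    """Return the VTP header fields plus one dict per VLAN record."""
    if data[:4] != MAGIC:
        raise ValueError("not a vlan.dat image: bad magic")
    name_len = data[0x09]                               # domain-name length (0x08 not decoded)
    info = {
        "domain": data[0x0A:0x0A + name_len].decode("ascii"),
        "revision": struct.unpack_from(">I", data, 0x2C)[0],
        "updater": ".".join(str(b) for b in data[0x30:0x34]),   # 'last modified by' address
        "modified": data[0x38:0x44].decode("ascii"),            # YYMMDDhhmmss as ASCII digits
        "md5": data[0x44:0x54].hex().upper(),   # 16 bytes; 'show vtp status' prints the first 8
        "vlan_count": struct.unpack_from(">I", data, 0x94)[0],  # 5 here, 6 after 'vlan 3' was added
        "vlans": [],
    }
    for i in range(info["vlan_count"]):
        off = FIRST_RECORD + i * RECORD_SIZE
        if off + RECORD_SIZE > len(data) or data[off] > 32:   # truncated file or bad name length
            raise ValueError(f"VLAN record {i} is truncated or has an oversized name")
        n = data[off]                                   # 1-byte name length, then 32-byte name field
        vtype, mtu, vid, said, stp = struct.unpack_from(">BxHHII", data, off + 0x22)
        info["vlans"].append({
            "id": vid, "name": data[off + 1:off + 1 + n].decode("ascii"),
            "type": VLAN_TYPES.get(vtype, f"type{vtype}"), "mtu": mtu,
            "said": said, "stp": STP_TYPES.get(stp, f"stp{stp}"),
        })
    return info


if __name__ == "__main__":
    for v in parse_vlan_dat(hexdump_to_bytes(SAMPLE_DUMP))["vlans"]:
        print(f"{v['id']:<5} {v['name']:<20} {v['type']:<6} {v['said']:<7} {v['mtu']} {v['stp']}")
```

Parsing a copy of vlan.dat pulled off a switch and comparing the result with the live `show vlan` and `show vtp status` output is a cheap way to notice a VLAN database that was changed outside of VTP.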


I played a little with the hex editor and got a decent version:

Switch#sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ....
2 VLAN0002 active
11 VLAN0011 active
12 VLAN0012 active
14 VLAN0014 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
14 enet 100014 1500 - - - - - 0 0


Hehehe, no more legacy protocols here!! All VLANs are type ethernet and active, but suddenly I guess the vlan.dat file format is hard-coded in the IOS procedures; maybe they have to count at least 5 VLANs, otherwise...:

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no vlan 2
%Error exiting config-vlan mode 33: Bad VLAN count
Switch(config)#no vlan 11
%Error exiting config-vlan mode 33: Bad VLAN count
Switch(config)#no vlan 12
%Error exiting config-vlan mode 33: Bad VLAN count
Switch(config)#vlan 66
Switch(config-vlan)#name TEST
Switch(config-vlan)#exit
Switch(config)#no vlan 66
Switch(config)#vlan 67
Switch(config-vlan)#name TEST2
Switch(config-vlan)#exit
Switch(config)#no vlan 2
Switch(config)#do sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ...
11 VLAN0011 active
12 VLAN0012 active
14 VLAN0014 active
67 TEST2 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
14 enet 100014 1500 - - - - - 0 0
67 enet 100067 1500 - - - - - 0 0




If someone wants to try it, hopefully in a safe test environment, you can download the vlan.dat.modified version HERE

The nice thing is that this modified vlan.dat can be propagated via VTP; let's try adding another switch:

SW2#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

!--- after a "no shut" on a dynamic desirable port on the other side...
SW2#
*Mar 1 00:01:08.409: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar 1 00:01:10.422: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

SW2#sh vtp stat
VTP Version : running VTP2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : VTP-domain
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x73 0xE7 0xEC 0x53 0x2F 0xFB 0x8B 0xC4
Configuration last modified by 10.0.0.2 at 3-1-93 00:39:34
Local updater ID is 0.0.0.0 (no valid interface found)
SW2#sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ....
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0




Well, enough fun for today, let's go back to studying... as a last funny thing, readers can modify the name of the "default" VLAN 1... :-D

byeee
Marco

Monday, July 26, 2010

Technology Crosswords

Hi all,
Summer is the time to relax and take a breath from our usual working and studying life, so what's better than doing crosswords at the poolside? At the bus stop?

Check out the challenging Europa Networking Technology Crosswords and Puzzles!






You can use it online or print it!

have fun!
Marco

Friday, July 23, 2010

button pressed

Yesterday I pressed that button:


let the countdown begin...




:-)
Marco

Sunday, July 11, 2010

QoS: Policing mini-lab

Hi all, here as promised is the next mini-lab on QoS topics: today it's the policing lab :-)

Using the same topology as in the last post, here is the .net file:

autostart = False
[localhost:7200]
workingdir = /tmp
udp = 10000
[[3640]]
image = /opt/IOS/c3640-jk9o3s-mz.124-16.bin
chassis = 3640
ghostios = True
sparsemem = True
[[ROUTER R1]]
model = 3640
console = 4002
slot0 = NM-4T
s0/0 = R2 s0/0
[[ROUTER R2]]
model = 3640
console = 4003
slot0 = NM-4T
s0/0 = R1 s0/0
s0/1 = R3 s0/0
[[ROUTER R3]]
model = 3640
console = 4004
slot0 = NM-4T
s0/0 = R2 s0/1


and the initial configs:

!------ R1 initial config -----------------
hostname R1
!
no ip domain-lookup
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 12.12.12.1 255.255.255.0
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
serial restart-delay 0
no fair-queue
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R1 initial config -----------------

!------ R2 initial config -----------------
hostname R2
!
no ip domain-lookup
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 12.12.12.2 255.255.255.0
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
serial restart-delay 0
no fair-queue
!
interface Serial0/1
bandwidth 128
ip address 23.23.23.2 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
no keepalive
serial restart-delay 0
no fair-queue
frame-relay map ip 23.23.23.3 666 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R2 initial config -----------------

!------ R3 initial config -----------------
hostname R3
!
no ip domain-lookup
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 23.23.23.3 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
no keepalive
serial restart-delay 0
no fair-queue
frame-relay map ip 23.23.23.2 666 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R3 initial config -----------------


Let's start trying the different policing options:

1) Police single rate with two colors

For policing, one important thing is that Bc and Be are expressed in BYTES, so expect different values than with shaping.
The logic is also a little different: there is no Tc interval to refill the token bucket; instead, the arrival time in seconds of each packet is considered. Every time a packet arrives, the token bucket is refilled with a variable amount of tokens, using this formula:

refill (bytes) = ((arrival time of this packet in sec - arrival time of the previous packet in sec) * police rate in bps) / 8

So the closer together packets arrive, the less refill happens.
Obviously, if there aren't enough tokens, the packet exceeds the CIR, so the exceed action is executed.
With single-rate policing, the Bc value is used only as the initial fill value; after that, the refill formula above is applied.

Let's try on R2:

R2(config-pmap-c)#do sh run | sec policy-map
policy-map POLICE-SINGLE-RATE-TWO-COLORS
class class-default
police 64000 conform-action transmit exceed-action drop

R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-SINGLE-RATE-TWO-COLORS
Class class-default
police cir 64000 bc 2000
conform-action transmit
exceed-action drop


Here I haven't specified any Bc value, so the default of 2000 bytes is taken, as the show policy-map output confirms.

Let's apply it on Serial 0/0 of R2 and generate some traffic:

R2(config-pmap-c)#int s 0/0
R2(config-if)#service-policy output POLICE-SINGLE-RATE-TWO-COLORS

R2(config-if)#do ping 1.1.1.1 repeat 1000 timeout 0 size 500

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 1.1.1.1, timeout is 0 seconds:
......dots dots.......

R2(config-pmap-c)#do sh policy-map int s 0/0
Serial0/0

Service-policy output: POLICE-SINGLE-RATE-TWO-COLORS

Class-map: class-default (match-any)
1006 packets, 504551 bytes
30 second offered rate 117000 bps, drop rate 117000 bps
Match: any
police:
cir 64000 bps, bc 2000 bytes
conformed 4 packets, 2016 bytes; actions:
transmit
exceeded 996 packets, 501984 bytes; actions:
drop
conformed 1000 bps, exceed 117000 bps


As you can see, the conformed rate is very low since all our packets are sent in too short a time; we can safely assume that the 4 conformed packets used up the initial 2000-byte Bc (500 bytes x 4 packets...).
Here we can see a big difference between policing and shaping: with shaping, the link utilization would be higher.

2) Police single rate with three colors

Works in the same way as single-rate two-color, but uses two token buckets. When the conform bucket is full, the spillage refills the exceed bucket. The refill of the conform bucket always uses the packet arrival time as reference.


R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-SINGLE-RATE-THREE-COLORS
Class class-default
police cir 64000 bc 2000 be 2000
conform-action transmit
exceed-action set-dscp-transmit default
violate-action drop

R2(config-pmap-c-police)#do sh run | sec policy-map
policy-map POLICE-SINGLE-RATE-THREE-COLORS
class class-default
police 64000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop


The main objective with three colors is to perform an action other than drop on the exceeding or violating traffic.


3) Police dual rate with three colors

With dual rate, policing is a little different. There are two buckets, one conforming and one exceeding, and they are filled independently, both using the arrival-time-based formula.
When a packet conforms, that means there are enough tokens in the conforming bucket and also in the exceeding one, so tokens for conforming packets are taken twice, once from each bucket.
If a packet exceeds, that means there aren't enough tokens in the conforming bucket but there are in the exceeding bucket; otherwise the packet violates.

Here is an example:


R2(config-pmap-c-police)#do sh run | sec policy-map
policy-map POLICE-TWO-RATES-THREE-COLORS
class class-default
police cir 64000 pir 96000
conform-action transmit
exceed-action set-dscp-transmit default
violate-action drop

R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-TWO-RATES-THREE-COLORS
Class class-default
police cir 64000 bc 2000 pir 96000 be 3000
conform-action transmit
exceed-action set-dscp-transmit default
violate-action drop

R2(config-if)#do sh policy-map int s 0/0
Serial0/0

Service-policy output: POLICE-TWO-RATES-THREE-COLORS

Class-map: class-default (match-any)
9011 packets, 576851 bytes
30 second offered rate 73000 bps, drop rate 68000 bps
Match: any
police:
cir 64000 bps, bc 2000 bytes
pir 96000 bps, be 3000 bytes
conformed 384 packets, 24576 bytes; actions:
transmit
exceeded 198 packets, 12672 bytes; actions:
set-dscp-transmit default
violated 8418 packets, 538752 bytes; actions:
drop
conformed 4000 bps, exceed 3000 bps, violate 68000 bps


Dual rate policing is used when you want the flexibility of the three colors, but the exceeding traffic has to be capped at a custom rate, the PIR; the extra allowance above the CIR is usually less than the CIR itself.
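To see the two refill behaviours side by side (single rate with spillage, as in the three-color section above, and dual rate with independent buckets, as just described), here is a small simulation. It is an added example, not IOS code or the lab's own configuration; the packet sizes and arrival times are constructed, while the rates and bursts are the lab's (cir 64000, bc 2000, be 2000/3000, pir 96000).

```python
"""Token-bucket policers as the two sections above describe them.
Added simulation, not IOS code; sizes, rates and arrival times are constructed."""


class Policer:
    """Two buckets measured in bytes, refilled on every packet arrival.

    pir=None selects single rate (one token stream, spillage from the
    conform bucket refills the exceed bucket); a pir selects dual rate
    (each bucket refilled independently at its own rate)."""

    def __init__(self, cir, bc, be, pir=None):
        self.cir, self.pir = cir, pir            # bits per second
        self.bc, self.be = bc, be                # bucket depths in bytes
        self.tc, self.te = float(bc), float(be)  # both buckets start full
        self.last_ms = 0

    def refill(self, now_ms):
        dt, self.last_ms = now_ms - self.last_ms, now_ms
        if self.pir is None:
            tokens = dt * self.cir / 8000.0      # bytes earned since last packet
            room = self.bc - self.tc
            self.tc += min(tokens, room)
            self.te = min(self.be, self.te + max(0.0, tokens - room))  # spillage
        else:
            self.tc = min(self.bc, self.tc + dt * self.cir / 8000.0)
            self.te = min(self.be, self.te + dt * self.pir / 8000.0)

    def police(self, now_ms, size):
        self.refill(now_ms)
        if self.pir is None:
            if self.tc >= size:
                self.tc -= size
                return "conform"
            if self.te >= size:
                self.te -= size
                return "exceed"
            return "violate"
        # dual rate: conform needs tokens in both buckets and debits both
        if self.te < size:
            return "violate"
        if self.tc < size:
            self.te -= size
            return "exceed"
        self.tc -= size
        self.te -= size
        return "conform"


def run(policer, sizes, interval_ms):
    """Offer packets of the given sizes, one every interval_ms; return the colors."""
    return [policer.police(i * interval_ms, s) for i, s in enumerate(sizes)]


if __name__ == "__main__":
    print(run(Policer(64000, 2000, 3000, pir=96000), [1000] * 10, 10))
```

With 1000-byte packets every 10 ms (800 kbps offered) the dual-rate policer marks a packet as exceed as soon as the PIR bucket has recovered, while the single-rate policer spends its exceed bucket once and then violates; a 100-byte stream at 80 kbps, between CIR and PIR, is never violated.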

As usual, the policing methods can also be configured with percent values:


R2(config-pmap-c-police)#do sh run | sec policy-map
policy-map POLICE-PERCENT
class class-default
police cir percent 50 pir percent 75
conform-action transmit
exceed-action set-dscp-transmit af13
violate-action drop

R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-PERCENT
Class class-default
police cir percent 50 pir percent 75 be 0
conform-action transmit
exceed-action set-dscp-transmit af13
violate-action drop

R2(config-if)#do sh policy-map int ser 0/0
Serial0/0

Service-policy output: POLICE-PERCENT

Class-map: class-default (match-any)
33 packets, 2717 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 50 %
cir 64000 bps, bc 2000 bytes
pir 75 %
pir 96000 bps, be 3000 bytes
conformed 2 packets, 272 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
set-dscp-transmit af13
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps


Well, enough for today. This week I have reviewed the whole QoS exam certification guide; the only thing I still have to review is the SRR/WRR differences, since the book is a little bit outdated (it uses 2950s).
Next week of vacation will be the turn of Routing TCP/IP Vol. I; I hope to keep it safe from the beach sand :-)

have fun
Marco

Thursday, July 8, 2010

QoS: shaping mini-lab

Hi all,
using some spare time on vacation, I'm reading the QoS exam certification guide to refresh QoS topics.

Here is a little lab I did today to refresh the shaping features, which always confuse me:



the .net file:

autostart = False
[localhost:7200]
workingdir = /tmp
udp = 10000
[[3640]]
image = /opt/IOS/c3640-jk9o3s-mz.124-16.bin
chassis = 3640
ghostios = True
sparsemem = True
[[ROUTER R1]]
model = 3640
console = 4002
slot0 = NM-4T
s0/0 = R2 s0/0
[[ROUTER R2]]
model = 3640
console = 4003
slot0 = NM-4T
s0/0 = R1 s0/0
s0/1 = R3 s0/0
[[ROUTER R3]]
model = 3640
console = 4004
slot0 = NM-4T
s0/0 = R2 s0/1


The initial configurations are:

!------ R1 initial config -----------------
hostname R1
!
no ip domain-lookup
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 12.12.12.1 255.255.255.0
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
serial restart-delay 0
no fair-queue
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R1 initial config -----------------

!------ R2 initial config -----------------
hostname R2
!
no ip domain-lookup
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 12.12.12.2 255.255.255.0
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
serial restart-delay 0
no fair-queue
!
interface Serial0/1
bandwidth 128
ip address 23.23.23.2 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
no keepalive
serial restart-delay 0
no fair-queue
frame-relay map ip 23.23.23.3 666 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R2 initial config -----------------

!------ R3 initial config -----------------
hostname R3
!
no ip domain-lookup
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 23.23.23.3 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
no keepalive
serial restart-delay 0
no fair-queue
frame-relay map ip 23.23.23.2 666 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R3 initial config -----------------



As you can see, the R2 to R3 link is a back-to-back frame relay, just to try frame relay traffic shaping. All the serial interfaces have a configured bandwidth of 128k and a TX buffer of 1.
This last setting is the hardware queue of the interface; setting it to 1 (one packet) forces the router to use the software queues, which is useful to see our QoS features in action.

Let's try the different shaping combinations:

1) Shape Average

First recall the theory: on shape average you have a single bucket, with Bc + Be capacity, and it's filled every Tc interval with Bc tokens. With shaping, Bc and Be values are in bits.

Let's configure it on R1:


policy-map SHAPE-AVERAGE
class class-default
shape average 64000 2000
interface serial 0/0
service-policy output SHAPE-AVERAGE

After applying the policy-map to the interface, we can see the effect of our settings:

R1(config-if)#do sh policy-map int ser 0/0
Serial0/0

Service-policy output: SHAPE-AVERAGE

Class-map: class-default (match-any)
3 packets, 192 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
64000/64000 500 2000 2000 31 250

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 2 168 0 0 no

The output commented:
-Target/Average Rate 64000 : is the configured shape rate
-Byte Limit 500 : is the total size of the token bucket, that is Bc + Be, converted to bytes
-Sustain bits/int 2000 : is the so-called Bc; as configured, 2000 bits are added every interval
-Excess bits/int 2000 : is the Be; it wasn't configured, so by default Be = Bc
-Interval (ms) 31 : is the Tc; from the configured shape rate and the Bc, Tc is calculated with the formula Tc = Bc/CIR (2000/64000 = 31.25 ms, shown truncated)
-Increment (bytes) 250 : is the Bc value of 2000 bits converted to bytes (2000/8 = 250)

The rest of the output refers to traffic statistics, like packets delayed, bytes delayed and if the shaping is active or not.

Let's generate some traffic and see what happens:

R1#ping 2.2.2.2 timeout 0 repeat 2000 size 1500
... more and more dots ....

R1#sh policy-map int ser 0/0
Serial0/0

Service-policy output: SHAPE-AVERAGE

Class-map: class-default (match-any)
4237 packets, 6033454 bytes
30 second offered rate 490000 bps, drop rate 475000 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
64000/64000 500 2000 2000 31 250

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 55 205 130646 76 112884 yes


Note that shaping is active and 76 packets have been delayed, but note also the high drop rate, which occurs when the shaping buffer is full.

R1#sh policy-map
Policy Map SHAPE-AVERAGE
Class class-default
Traffic Shaping
Average Rate Traffic Shaping
CIR 64000 (bps) Max. Buffers Limit 1000 (Packets)
Bc 2000

Here you can see the shaping buffer default value, 1000 packets. You can increase or decrease it within reasonable values; keep in mind that the more packets you queue for shaping, the more delay and jitter they will experience.

R1(config)#policy-map SHAPE-AVERAGE
R1(config-pmap)#class class-default
R1(config-pmap-c)#shape max-buffers ?
<1-4096> Maximum Buffer Limit

R1(config-pmap-c)#shape max-buffers 250
R1(config-pmap-c)#do sh policy-map
Policy Map SHAPE-AVERAGE
Class class-default
Traffic Shaping
Average Rate Traffic Shaping
CIR 64000 (bps) Max. Buffers Limit 250 (Packets)
Bc 2000


2) Shape Peak
Recall the theory here too: on shape peak you have a single bucket with Bc + Be capacity, and it's filled every Tc interval too, but with Bc + Be tokens instead of Bc only. Bc and Be values are in bits, since we are shaping.

So the most relevant difference is that the bucket is filled with Bc + Be tokens instead of Bc only, as with shape average, so the shaped rate is always at the peak level.

If we configure a shaping peak of 64k bps and leave the default Tc of 125 ms, the bucket is filled with 8000 Bc tokens + 8000 Be tokens every Tc. The result is that we have a shaped rate of 128k bps.

Let's try it, again on R1:

policy-map SHAPE-PEAK
class class-default
shape peak 64000
!
interface Serial 0/0
service-policy output SHAPE-PEAK
!

R1(config-if)#do sh policy-map int ser 0/0
Serial0/0

Service-policy output: SHAPE-PEAK

Class-map: class-default (match-any)
2 packets, 108 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
128000/64000 2000 8000 8000 125 2000

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 1 84 0 0 no



The main change here is the Target Rate, which is automatically set to 128k bps, as expected.

3) Shape average with percent rate

We can also configure the shaped rate as a percent of the configured bandwidth. It works in the same way as shape average or shape peak, depending on the configuration, but with one small difference:
the Bc and Be values must be expressed in milliseconds, and the actual Bc and Be in bits are calculated from them and the bandwidth.

E.g., to have an average shaped rate of 32k bps on a configured bandwidth of 128k bps, with Bc = 4000 bits:

R1(config)#do sh run | sec policy-map
policy-map SHAPE-AVERAGE-PERCENT
class class-default
shape average percent 25 125 ms

R1(config)#do sh policy-map
Policy Map SHAPE-AVERAGE-PERCENT
Class class-default
Traffic Shaping
Average Rate Traffic Shaping
CIR 25 (%) Max. Buffers Limit 1000 (Packets) Bc 125 ms
R1(config)#do sh policy-map int s0/0
Serial0/0

Service-policy output: SHAPE-AVERAGE-PERCENT

Class-map: class-default (match-any)
12 packets, 875 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
25 (%) 125 (ms) 0 (ms)
32000/32000 1000 4000 4000 125 500

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 6 731 0 0 no
R1(config)#


As you can see, I have configured only the shape average percent as 25% (128k x 25% = 32k). To obtain a Bc of 4000 bits, just recall that Tc = Bc / CIR, so Tc = 4000 / 32000 = 0.125 s, i.e. 125 ms, as configured.

A more complex example is using different shape rates on different classes:

R1(config)#do sh run | sec class-map|policy-map
class-map match-all VOIP
match ip rtp 16384 16383
class-map match-all MISSION-CRIT
description :-) just kidding
match protocol kazaa2
policy-map SHAPE
class VOIP
shape average 64000 1000 1500
shape max-buffers 250
class MISSION-CRIT
shape peak 16000 1000
class class-default
shape average percent 25 100 ms 50 ms

R1(config-pmap-c)#do sh policy-map
Policy Map SHAPE
Class VOIP
Traffic Shaping
Average Rate Traffic Shaping
CIR 64000 (bps) Max. Buffers Limit 250 (Packets)
Bc 1000 Be 1500
Class MISSION-CRIT
Traffic Shaping
Peak Rate Traffic Shaping
CIR 16000 (bps) Max. Buffers Limit 1000 (Packets)
Bc 1000
Class class-default
Traffic Shaping
Average Rate Traffic Shaping
CIR 25 (%) Max. Buffers Limit 1000 (Packets) Bc 100 ms Be 50 ms

R1(config-pmap-c)#do sh policy-map int s0/0
Serial0/0

Service-policy output: SHAPE

Class-map: VOIP (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip rtp 16384 16383
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
64000/64000 312 1000 1500 15 125

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 0 0 0 0 no

Class-map: MISSION-CRIT (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: protocol kazaa2
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
32000/16000 250 1000 1000 62 250

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 0 0 0 0 no

Class-map: class-default (match-any)
26 packets, 1918 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
25 (%) 100 (ms) 50 (ms)
32000/32000 600 3200 1600 100 400

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 14 1630 0 0 no



With this configuration, all the 128k bps bandwidth is distributed across the class-maps, using the three different shaping methods. Note also that if I buy more bandwidth, with this configuration only class-default will automatically get a higher shaping rate; the other classes will require some reconfiguration.
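The six columns of the Traffic Shaping table, for all three variants used above (average, peak and percent), can be derived from the shape command as follows. This is an added calculation, not code from the lab or from IOS; the default Tc of 125 ms and the Be = Bc default are taken from the outputs shown on this page, and the integer arithmetic mirrors the truncation visible there.

```python
"""How IOS derives the 'Traffic Shaping' table from the shape command, as the
three sections above describe. Added calculation, not IOS code; it reproduces the
lab outputs using the page's rules (default Tc 125 ms, Be = Bc when omitted)."""

DEFAULT_TC_MS = 125  # Tc used when no Bc is configured (as in the shape peak example)


def shape_table(cir, bc=None, be=None, peak=False):
    """Return the six columns of 'show policy-map interface' for one shape command.

    cir in bits/s, bc and be in bits (shaping units). Integer division mirrors the
    truncation seen in the lab output (31.25 ms -> 31, 312.5 bytes -> 312)."""
    if bc is None:
        bc = cir * DEFAULT_TC_MS // 1000   # Bc = CIR * Tc
    if be is None:
        be = bc                            # Be defaults to Bc
    interval_ms = bc * 1000 // cir         # Tc = Bc / CIR
    if peak:
        target = cir * (bc + be) // bc     # shape peak refills Bc + Be every Tc
        increment = (bc + be) // 8
    else:
        target = cir
        increment = bc // 8
    return {
        "target": target, "average": cir, "byte_limit": (bc + be) // 8,
        "sustain": bc, "excess": be, "interval_ms": interval_ms,
        "increment": increment,
    }


def shape_percent(bandwidth, percent, bc_ms, be_ms=None, peak=False):
    """shape {average|peak} percent: Bc/Be are given in ms and scaled by the
    interface bandwidth, so only this form follows a bandwidth upgrade."""
    cir = bandwidth * percent // 100
    bc = cir * bc_ms // 1000
    be = None if be_ms is None else cir * be_ms // 1000
    return shape_table(cir, bc, be, peak)


if __name__ == "__main__":
    # the lab's "shape average 64000 2000" and "shape average percent 25 125 ms"
    print(shape_table(64000, 2000))
    print(shape_percent(128000, 25, 125))
```

Feeding the three class configurations of the SHAPE policy-map (64000 1000 1500, peak 16000 1000, percent 25 100 ms 50 ms on 128k) returns exactly the 312/15/125, 32000/250/62/250 and 600/3200/1600/100/400 rows shown above; doubling the bandwidth changes only the percent-based row.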


Well, enough for today. The next labs and topics to try on vacation will be a policing lab, a frame relay traffic shaping lab and a LAN QoS/switching lab.

have fun
Marco