Friday, May 28, 2010

Weekend Lab Vol.2

Hi all,
after an intensive week of studying and working, what's better than relaxing with a full weekend lab?
:-)

Here is my Weekend Lab Vol.2, as usual based on INE world famous topology and without any initial configuration (for BBs you can use INE initial config).

This lab is MPLS-based, with a confusing design:

L2-L3 topology:


IGPs:


BGP:


Goals:
-create L3 VPNs between customer sites (= all non-MPLS-enabled devices), but don't allow RIP and EIGRP sites to communicate directly
-let's say that SW3 and SW4 host central services common to all sites, the existing and the future ones
-let SW1-SW2 exchange intra-area routes even if portchannel12 is down (oh, by the way... none of the portchannels are directly connected :-) )
-regarding BGP, AS 65123 and AS 65456 are confederation members of AS 100
-last but not least, this is as usual a full dual-stack lab: EVERY feature/behavior on IPv4 has to be, if possible, identical on IPv6.

have fun and keep your device's fans running :-)
Marco


PS: side notes on this lab:
-you will need very up-to-date IOS images on the routers, to support 6VPE (address-family ipv6 under VRFs)
-you need an up-to-date IOS on the switches too, to use the IPv6 address-family under BGP.
-you have to modify the INE BBs configuration a little bit, at least to add the ipv6 address-family on BGP
-last note: the BGP configuration part will be soooo looong (ipv4/6 af, vpnv4/6 af, ipv4/6 vrfs af....)

Monday, May 17, 2010

Understanding the %OSPF-4-CONFLICTING_LSAID Error

hi all,

during my weekend lab I've found an interesting ospf error, and now I'm trying to reproduce and explain it.

Here is the topology:



The config is really simple: RIP is running between R2 and R3, and OSPF is running between R1 and R2.
The only unusual thing is that the serial link uses PPP encapsulation and a /31 subnet (192.168.0.0/31), with the ".0" IP on R3.

Here is the initial config:

################## R1 Initial config
hostname R1
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 10.10.10.0 0.0.0.255 area 0
################## END R1 Initial config

################## R2 Initial config
hostname R2
!
interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.0
!
interface Serial1/0
ip address 192.168.0.1 255.255.255.254
encapsulation ppp
!
router ospf 1
log-adjacency-changes
network 10.10.10.0 0.0.0.255 area 0
!
router rip
version 2
network 192.168.0.0
no auto-summary
################## END R2 Initial config

################## R3 Initial config
hostname R3
!
interface Serial1/0
ip address 192.168.0.0 255.255.255.254
encapsulation ppp
!
router rip
version 2
network 192.168.0.0
no auto-summary
################## END R3 Initial config


No surprises at this point. Now we can try to redistribute between OSPF and RIP on R2:

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router rip
R2(config-router)#redistribute ospf 1 metric 5
R2(config-router)#router ospf 1
R2(config-router)#redistribute rip subnets

*May 17 11:50:48.363: %OSPF-4-CONFLICTING_LSAID: LSA origination prevented by existing LSA with same LSID but a different mask
Existing Type 5 LSA: LSID 192.168.0.0/31
New Destination: 192.168.0.0/32

R2(config-router)#


Whoops, conflicting LSA ID?

After a little while I realized what's happening: due to the PPP encapsulation, R2 has a peer (/32) route in its routing table.

R2#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/32 is directly connected, Serial1/0
C 192.168.0.0/31 is directly connected, Serial1/0
R2#

And so we have two entries for 192.168.0.0, with masks /31 and /32.
When we redistribute RIP into OSPF, OSPF tries to generate a type 5 (external) LSA for the network 192.168.0.0.
First it generates the external LSA for 192.168.0.0/31, then it tries to generate the LSA for 192.168.0.0/32, but it fails because that LSA would have the same LSA ID (192.168.0.0).

Looking into the OSPF database on R2:

R2#sh ip ospf database

OSPF Router with ID (192.168.0.1) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.10.10.1 10.10.10.1 873 0x80000003 0x00F9B9 1
192.168.0.1 192.168.0.1 884 0x80000004 0x00A870 1

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.10.10.2 192.168.0.1 884 0x80000002 0x001A0B

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
192.168.0.0 192.168.0.1 359 0x80000003 0x001AB1 0

R2#sh ip ospf database external

OSPF Router with ID (192.168.0.1) (Process ID 1)

Type-5 AS External Link States

LS age: 364
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 192.168.0.0 (External Network Number )
Advertising Router: 192.168.0.1
LS Seq Number: 80000003
Checksum: 0x1AB1
Length: 36
Network Mask: /31
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0

R2#


There is only one external LSA, for 192.168.0.0/31, as expected. The generation of the one for 192.168.0.0/32 failed.

The Cisco IOS Release 12.4T System Message Guide (http://www.cisco.com/en/US/docs/ios/12_4t/system/messages/sm_ht05.html#wp1078361) states:


"Error Message

%OSPF-4-CONFLICTING_LSAID : Process [dec] area [chars]: LSA origination prevented by LSA with same LSID but a different mask
Existing Type [dec] LSA: LSID [IP_address][IP_netmask]
New Destination: [IP_address][IP_netmask]

Explanation An LSA origination was prevented by a conflict with an existing LSA with the same LSID but a different mask. The algorithm in RFC 2328, Appendix E is used to resolve conflicts when multiple LSAs with the same prefix and differing masks are advertised. When using this algorithm and host routes are advertised there are situations where conflict resolution is impossible and either the host route or the conflicting prefix is not advertised.

Recommended Action Locate the prefix that is not advertised and the conflicting prefix by entering the show ip route and show ip ospf database commands. Decide which route or prefix is more important to advertise and take steps to prevent advertising the conflicting route or prefix.
"

So the only fix proposed is to remove the unnecessary duplicate prefix, in our case the PPP peer route (/32).

Quick fix on R2:


R2(config)#int ser 1/0
R2(config-if)#no peer neighbor-route
R2(config-if)#shutdown
*May 17 12:24:54.995: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
R2(config-if)#no shutdown
*May 17 12:24:55.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*May 17 12:24:58.043: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*May 17 12:24:59.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R2(config-if)#do sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
192.168.0.0/31 is subnetted, 1 subnets
C 192.168.0.0 is directly connected, Serial1/0

R2(config-if)#router ospf 1
R2(config-router)#redistribute rip subnets
R2(config-router)#do sh ip ospf data

OSPF Router with ID (192.168.0.1) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.10.10.1 10.10.10.1 528 0x80000004 0x00F7BA 1
192.168.0.1 192.168.0.1 499 0x80000005 0x00A671 1

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.10.10.2 192.168.0.1 499 0x80000003 0x00180C

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
192.168.0.0 192.168.0.1 3 0x80000001 0x001EAF 0
R2(config-router)#



If someone wants to read the mentioned RFC 2328 Appendix E (page 236, http://www.ietf.org/rfc/rfc2328.txt), it contains the algorithm for avoiding LSA ID conflicts.
Using that algorithm, the /32 LSA can get a different LSA ID than the /31 by flipping its host bits to 1. Hence the error: because it's a /32, there are no host bits to flip.
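To see the Appendix E rule at work, here is an added Python sketch (not part of the original post and not IOS code) that replays the RFC's own 10.0.0.0 sequence and then the two connected routes from R2. The function names and the `LsidConflict` exception are made up for this example, and raising a conflict when the rewritten ID is not unique is only a model of the IOS message.

```python
"""RFC 2328 Appendix E Link State ID assignment, replayed on the post's routes."""
from ipaddress import IPv4Address, IPv4Network


class LsidConflict(Exception):
    """No unique Link State ID exists (modelled on %OSPF-4-CONFLICTING_LSAID)."""


def host_bits_set(net):
    # Network address OR'ed with the bits not set in the mask ("broadcast" form).
    return IPv4Address(int(net.network_address) | int(net.hostmask))


def originate(lsdb, prefix):
    """Add `prefix` to `lsdb` (dict: LSID -> network); return the LSID it received."""
    new = IPv4Network(prefix)
    na = new.network_address
    old = lsdb.get(na)
    if old is None or old == new:
        lsdb[na] = new
        return na
    # Same address, different masks: the more specific network gives up LSID `na`.
    mover = new if new.prefixlen > old.prefixlen else old
    moved_id = host_bits_set(mover)
    # A /32 has no host bits, so its rewritten ID is still `na`: unresolvable.
    if moved_id == na or lsdb.get(moved_id, mover) != mover:
        raise LsidConflict(f"{new} conflicts with LSID {na} held by {old}")
    lsdb[moved_id] = mover
    lsdb[na] = old if mover is new else new
    return moved_id if mover is new else na


def replay(prefixes):
    """Originate prefixes in order; return ({LSID: network} as strings, conflicts)."""
    lsdb, conflicts = {}, []
    for p in prefixes:
        try:
            originate(lsdb, p)
        except LsidConflict as exc:
            conflicts.append(str(exc))
    return {str(k): str(v) for k, v in lsdb.items()}, conflicts


if __name__ == "__main__":
    # The sequence used as the example in RFC 2328 Appendix E: all three get unique IDs.
    print(replay(["10.0.0.0/24", "10.0.0.0/16", "10.0.0.0/8"]))
    # The connected /31 and the PPP peer /32 from R2's routing table: conflict.
    print(replay(["192.168.0.0/31", "192.168.0.0/32"]))
```

The order of origination does not matter for the /31 and /32 pair: whichever comes second, the /32 is the one that has to move and it has nowhere to go.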

have fun
Marco

Saturday, May 15, 2010

Weekend Lab Vol.1

Hi all, this weekend I want to share my homework with all my readers...
so, this is the insane lab I have in progress now. The physical cabling is the world famous Internetwork Expert topology (See here..) without the BBs:
L3 logical topology:



IGP diagram:



BGP peering:




I don't provide any initial config, but some of the requirements buzzing in my head are:
-spanning tree MST with 2 instances
-use the other inter-switch links as L2 trunk with etherchannel
-use an addressing scheme with 3 separate RFC1918 major networks, one for the inter-switch portchannels, one for the vlans, the other for the serial links.
-the full lab has to be completely dual stack, so IPv4 and IPv6 routing is required
-the IPv6 addresses have to recall the v4 address when possible (e.g.: 192.168.12.1 -> 2001:192:168:12::1/64)

for IGPs and BGP use the most fine-tuned configurations, including authentication, the most correct network-types... and everything you want to test on redistribution and bgp.

At the end, just divide the topology in two portions, upper and lower, and play with multicast using different RPs and placing boundaries.

have fun on it! :-)
Marco

Monday, May 10, 2010

Cisco Nightmare vol.2

Hi all, today Cisco Nightmare is....

Support page unavailable!



... and then, after a little while, as usual, restored:




Have a nice day!
Marco

Thursday, May 6, 2010

Today's work in a shot: load balancers installation








Today's work was the Alteon/Radware load balancer installation and configuration.
Thanks to Massimo Cereda and his colleague (omg I forgot his name again...) for the balancers config; I've done the server configuration on CentOS, the rack mounting and cabling, and the Juniper SRX rules.
(look at "my" cabling versus the other mess :-) )

More fun with all this stuff will follow in the next days
Marco

PS: Just heard about the change to the CCIE R&S Lab exam, no more OEQ... I wasn't scared about the OEQ, but it's nice to have an additional 30 minutes for the config section, so that's good news!