IOS, IOS XE and configure … revert timer X

If you are familiar with IOS XR and JunOS, it lacks a rollback to IOS and IOS XE. You can do it with “archive” such as :

  1. Configure where your archive will be stored.
  2. Say to your OS to “archive” at a point
  3. Configure your router with a “revert timer”
  4. Confirm if it is ok for you

Here we go in details now :

  1. Configure where your archive will be stored.
Router# conf t
Router(conf)# archive
Router(conf-archive)# path bootflash:myconfig
Router(conf-archive)# maximum 10
Router(conf-archive)# end
Router# wr

2. Say to your OS to “archive” at a point

Router# archive config 
Router# 
Router# show archive
The maximum archive configurations allowed is 10.
There are currently 1 archive configurations saved.
The next archive file will be named bootflash:myconfig-<timestamp>-1
 Archive #  Name
   1        bootflash:myconfig-Jan--3-2022-08-34-34.348-CET-0 <- Most Recent
   2         
   3         
   4         
   5         
   6         
   7         
   8         
   9         
   10   
Router#     

3. Configure your router with a “revert timer”

Router# configure terminal revert timer 1
Router(conf)# Rollback Confirmed Change: Backing up current running config to bootflash:myconfig-Jan--3-2022-08-35-01.511-CET-1

Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#Rollback Confirmed Change: Rollback will begin in one minute.
Enter "configure confirm" if you wish to keep what you've configured

*Jan  3 2022 08:35:01.670 CET: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_BACKUP: Backing up current running config to bootflash:myconfig-Jan--3-2022-08-35-01.511-CET-1
*Jan  3 2022 08:35:01.670 CET: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_START_ABSTIMER: User: console(Priv: 15, View: 0): Scheduled to rollback to config bootflash:myconfig-Jan--3-2022-08-35-01.511-CET-1 in 1 minutes
*Jan  3 2022 08:35:01.670 CET: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_WARNING_ABSTIMER: System will rollback to config bootflash:myconfig-Jan--3-2022-08-35-01.511-CET-1 in one minute. Enter "configure confirm" if you wish to keep what you've configured
Router(conf)# hostname BLAH
BLAH(conf)#
[................... WAITING FOR A MINUTE ........................]
Rollback Confirmed Change: rolling to:bootflash:myconfig-Jan--3-2022-08-35-01.511-CET-1

!Pass 1
!List of Rollback Commands:
no hostname BLAH
hostname Router
end


Total number of passes: 1
Rollback Done

*Jan  3 2022 08:36:01.669 CET: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_ROLLBACK_START: Start rolling to: bootflash:myconfig-Jan--3-2022-08-35-01.511-CET-1
*Jan  3 07:36:01.722: Rollback:Acquired Configuration lock.


Router(conf) # end

4. Confirm if it is ok for you

If between your “conf t revert time X” and t0+X, you are ok with the configuration you have made, so you can confirm your changes.

Router# configure confirm

That’s it ! Have fun.

Long long time ago, blog and FreeBSD…

It was a long long timeago I wrote here. ot of things happens to me but I don’t think it is the time and place to explain it.

This post is about a new experience to me : hosting this blog on FreeBSD machine. I am in love with BSD but don’t use it everyday. Networking&Telco is not an professional area where you can use it or your employer allow you to use it. Damn Windows, Teams, … and his egemony.

I will move this blog from Debian to FreeBSD server. I think it will lot of fun. If I have FreeBSD’s tips or remarks I will post it here. By the way I am currently studying for Cisco’s CCNP SPCOR (350-501) exam. Either I will try to give me a kick in the ass to post more technical posts.

Have fun 🙂

Cisco & IP NAT

Hi,

It’s been a while I have posted a blog entry. A simple tip from IOS 12.4(20) to 12.4(24) and above to use OID “.1.3.6.1.4.1.9.10.77.1.2.3.0” to graph your NAT translations :


R(conf)# ip nat service enable-mib
%NAT: Old NAT-MIB support enabled
R(conf)#

HTH
++Christophe

Site to site IKEv2 tunnel

Hello guys,

Here it is a tips / reminder how to implement an site-ot-site IKEv2 tunnel :

crypto ikev2 proposal aes-cbc-256-proposal 
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1 
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 description IKEv2 profile
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1

crypto ipsec transform-set myset esp-des esp-md5-hmac 

crypto map mymap 20 ipsec-isakmp 
 set peer y.y.y.y
 set security-association lifetime seconds 27000
 set transform-set ESP-AES-SHA 
 set ikev2-profile profile1
 match address 120

With ACL 120 is your flows / SA and your implement your crypto map on your WAN interface.

IPv6 prefix delegation feature

We will dive into IPv6 prefix delegation prefix.

First of all, we will make a real simple topology :

ipv6-delegation-simple

R1 acts as a DHCP server and use the prefix delegation feature. But how it works ? How it is configured ?

R1 :

ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool POOLv6
 prefix-delegation pool p lifetime 180 120
 domain-name lucas.fr.eu.org

ipv6 local pool p 2001:DB8::/40 48

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex half
 ipv6 address 2A02::1/48
 ipv6 enable
 ipv6 dhcp server POOLv6


R1#   show ipv6 dhcp interface 
FastEthernet0/0 is in server mode
  Using pool: POOLv6
  Preference value: 0
  Hint from client: ignored
  Rapid-Commit: disabled
R1#

R2 :

interface FastEthernet0/0
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider

interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 ipv6 address prefix-from-provider ::1:0:0:0:1/64
 ipv6 enable

R2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

Debug trace on R2 (debug ipv6 dhcp) :

*May  3 22:36:11.859: IPv6 DHCP: Sending RENEW to FF02::1:2 on FastEthernet0/0
*May  3 22:36:11.859: IPv6 DHCP: DHCPv6 changes state from OPEN to RENEW (TIMEOUT) on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Received REPLY from FE80::C805:ADFF:FE80:0 on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Processing options
*May  3 22:36:11.879: IPv6 DHCP: Adding prefix 2001:DB8::/48 to prefix-from-provider
*May  3 22:36:11.883: IPv6 DHCP: T1 set to expire in 60 seconds
*May  3 22:36:11.883: IPv6 DHCP: T2 set to expire in 120 seconds
*May  3 22:36:11.883: IPv6 DHCP: DHCPv6 changes state from RENEW to OPEN (REPLY_RECEIVED) on FastEthernet0/0

We have acquired the prefix via PD aka Prefix Delegation feature :

R2#show ipv6 general-prefix 
IPv6 Prefix prefix-from-provider, acquired via DHCP PD
  2001:DB8::/48 Valid lifetime 158, preferred lifetime 98
   FastEthernet1/1 (Address command)
R2#

On R3 or R4 :

interface FastEthernet0/0
 no ip address
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
end


2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

If we debug we will see (debug ipv6 interface, debug ipv6 dhcp, debug ipv6 nd) :

May  3 22:05:01.335: ICMPv6-ND: Neighbour FE80::C806:ADFF:FE81:1D on FastEthernet0/0 : LLA ca06.ad81.001d
*May  3 22:05:01.335: ICMPv6-ND: INCMP -> STALE: FE80::C806:ADFF:FE81:1D
*May  3 22:05:01.335: IPv6-Address: intfid_algo is notactive on intf 4
*May  3 22:05:01.339: IPv6-Address: intfid_algo is active on intf 4
*May  3 22:05:01.339: IPv6-Address: Generating IntfID rc 0, prefix: 2001:DB8:0:1::/64, address 2001:DB8:0:1:C808:ADFF:FE85:0
*May  3 22:05:01.343: IPv6-Address: Prefix Information change for 2001:DB8:0:1::/64, 0x0 -> 0x1E0
*May  3 22:05:01.343: IPv6-Address: Adding prefix 2001:DB8:0:1::/64 to FastEthernet0/0
*May  3 22:05:01.343: IPv6-Address: Adding operating owner prefix configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Adding operating owner address configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0 configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Addrmgr-
R4(config-if)#ND: DAD request for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.347: ICMPv6-ND: Sending NS for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.351: ICMPv6-ND: Autoconfiguring 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.351: IPv6-Addrmgr-ND: DAD: 2001:DB8:0:1:C808:ADFF:FE85:0 is unique.
*May  3 22:05:02.351: ICMPv6-ND: Sending NA for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.355: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0/64 is up on FastEthernet0/0

Finally, we are able to ping the DHCPv6 server :

R4#ping ipv6 2A02::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/45/96 ms
R4#traceroute 2A02::1

Type escape sequence to abort.
Tracing the route to 2A02::1

  1 2001:DB8:0:1::1 12 msec 36 msec 12 msec
  2 2A02::1 8 msec 56 msec 36 msec
R4#

IP SLA operation

IP SLA is a great tool to automation some treatment. You could do great things with it. We will work on IP SLA Reaction here.

What is it ? You could launch some action on some state of an IP SLA. Such as (Even if it is not a good example) : some nested ping.

ip-sla-reaction

 

 

 

 

 

 

 

The job here, is to check R4 – R3 and R4 – R2 if IP SLA beetween R1 – R4 is awful.

We could do this such as :
R4 :

ip sla 1
 udp-jitter 10.1.12.1 3200 source-ip 10.1.43.4 source-port 6565 codec g711ulaw codec-size 128
 frequency 5
ip sla schedule 1 start now life forever 

ip sla 43 
 icmp-echo 10.1.43.3 source-ip 10.1.43.4
 frequency 5
ip sla schedule 43 start pending life 60

ip sla 42 
 icmp-echo 10.1.32.2 source-ip 10.1.43.4
 frequency 5
ip sla schedule 42 start pending life 60

ip sla reaction-trigger 1 43
ip sla reaction-trigger 43 42
ip sla reaction-configuration 1 react MOS threshold-type consecutive 4 threshold-value 390 220 action-type trapAndTrigger
ip sla reaction-configuration 43 react rtt threshold-value 100 50 threshold-type immediate action-type trapAndTrigger
ip sla reaction-configuration 42 react rtt threshold-value 100 50 threshold-type immediate action-type trapOnly

snmp-server host 10.1.1.1
snmp-server enable traps syslog

We do an analyze on each segment of path and if it fails on our condition, it traps it.

Obvisouly on R1 :

ip sla responder

BGP rib-failure

I think everyone now what is a RIB-Failure in BGP context. It sounds obviously as an exact same route with a lowest AD as {e|i}BGP. We have VRF-Lite on R1 here :

Capture d’écran 2016-02-01 à 22.29.40

We have :

1#show ip bg vpnv4 vrf CUST
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf CUST)
 *>  10.1.1.1/32      12.0.0.2                 0             0 65002 ?
 *>  10.2.2.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.3.3.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.4.4.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.5/32      12.0.0.2                 0             0 65002 ?
 r>  10.6.6.6/32      12.0.0.2                 0             0 65002 ?
 r>  12.0.0.0/24      12.0.0.2                 0             0 65002 ?
R1#
R1#show ip route vrf CUST

Routing Table: CUST

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B        10.1.1.1 [20/0] via 12.0.0.2, 00:37:49
B        10.2.2.1 [20/0] via 12.0.0.2, 00:37:49
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Ethernet0/0
L        12.0.0.1/32 is directly connected, Ethernet0/0
R1#

So the only route we can have a RIB-Failure due to lowest AD is : 12.0.0.0/24. What is the problem with others ?
We can know this by using :

R1#show ip bg vpnv4 vrf CUST rib-failure
  Network            Next Hop                      RIB-failure   RIB-NH Matches
Route Distinguisher: 65001:1 (default for vrf CUST)
10.3.3.1/32        12.0.0.2                      Route limit              n/a
10.4.4.1/32        12.0.0.2                      Route limit              n/a
10.5.5.1/32        12.0.0.2                      Route limit              n/a
10.5.5.5/32        12.0.0.2                      Route limit              n/a
10.6.6.6/32        12.0.0.2                      Route limit              n/a
12.0.0.0/24        12.0.0.2            Higher admin distance              n/a
R1#

The problem is :

ip vrf CUST
 rd 65001:1
 maximum routes 4 80
!

You know surely now why it is in ‘RIB-Failure’ state…

BGP review – ‘received-only’ prefix state

Today a little review :

edge12.bor03>show ip bg 37.8.8.8
BGP routing table entry for 37.8.0.0/20, version 47221703
Paths: (3 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  15975, (received-only)
    17.69.240.117 from 17.69.240.117 (17.69.255.1)
      Origin IGP, metric 16, localpref 500, valid, internal
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.6)
      Origin IGP, localpref 100, valid, external, best
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.2)
      Origin IGP, localpref 100, valid, external
edge12.bor03>

Why the path through 17.69.240.117 is not used, although it is the a better path to 37.8.0.0/20 ?
Why is it marked as “received-only”

“Received-only” means as it says that this prefix is received, stored in Adj-IN, but cannot be selected for a valid prefix. Why ?

Lot of reasons. Commons are : route-maps, NEXTHOP not reachable…

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html

In my example, the problem is here : a route-map without an explicit permit.