Some stuff to get friendly with IOS XE/XR

Cisco has recently released a lot of material to get friendly with their new technologies. You can now learn more about IOS XE with the Cisco CSR1000v (a virtual router based on Cisco IOS XE code) and, more recently (02/07/14), you can download Cisco IOS XRv 5.1. It is available as a demo version with some restrictions (2M of bandwidth, AAA preconfigured, …). It is a virtual machine that you can import as a VMware ESX VM.

I think it will be really great to learn and practice on IOS XR without any risk (for those of us who can log in to some real ASR9000 or CRSX3, …).

More information:

A really, really good piece of documentation:

http://www.fryguy.net/wp-content/uploads/2013/03/Cisco-IOS-XR-Introduction-Ver-1.pdf

I urge you to read this PDF… Thank you fryguy!

PPTP and ASA 5510

If you are wondering why your PPTP VPN sessions cannot be established (error 619 on Windows platforms) even though your rules are applied:

ASA# conf t
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect pptp
ASA(config-pmap-c)#

and:

ASA(config)# access-list outbound extended permit gre any any
ASA(config)# access-list outbound extended permit tcp any any eq pptp
ASA(config)# access-group outbound in interface inside

Have fun 🙂

Equivalent to CEF on Redback router

This is a question I have been asking for a long time: is there a Cisco CEF equivalent on Redback routers?

A friend gave me the answer:

[VRF_FOOBAR]75TOTO-SE400-01#sh ip route 172.16.116.98      
    Longest match Routing entry for 172.16.116.98/32 is 172.16.116.98/32 , version 20
    Route Uptime 38w6d
    Paths: total 1, best path count 1 

    Route has been downloaded to following slots
      iPPA: 01 
    Skipped? No

    Path information : 

      Active path : 
      Known via adjacency, type-hidden route, distance 254, metric 0,
      Tag 0, Next-hop 172.16.116.98, NH-ID 0x3450014E, Adj ID: 0x160, Interface 1/5.13717
      Circuit 1/5:1023:63/1/2/440
[VRF_FOOBAR]75TOTO-SE400-01#

You can see there that the packet will leave the router by port 1/5. You can confirm this with:

[VRF_FOOBAR]75TOTO-SE400-01#show card all fib 172.16.116.98
Slot 1:
Prefix             Next Hop        Interface                Next Hop Grid
172.16.116.98/32   172.16.116.98   1/5.13717                0x3450014e
[VRF_FOOBAR]75TOTO-SE400-01#

Now, you can see the equivalent of “sh ip cef … adjacency”:

[VRF_FOOBAR]75TOTO-SE400-01#sh card 1 adjacency | begin 0x3450014e
    NH-Grid 0x3450014e 
    Encap type dot1q, function ether_dot1q_adj_ip_resolved
    e05fb9a6 693c0030 88147df0 81000e85  encap_len 18

e05fb9a6 693c : destination MAC address
0030 88147df0 : source MAC address
8100 : 802.1Q (dot1q) tag EtherType
0e85 : VLAN ID, here 3717 (0x0e85)
18 : encapsulation length in bytes (encap_len)

For the VLAN ID:

[VRF_FOOBAR]75TOTO-SE400-01#sh bindings 
1/5 vlan-id 3717                 Up    dot1q            interface  1/5.13717@VRF_FOOBAR
[VRF_FOOBAR]75TOTO-SE400-01#
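The field split above can be done by hand once, but when you audit a forwarding plane you want to decode every adjacency rewrite the same way and compare it with what `sh bindings` and the ARP table say. Below is an added example (not from the page, nor Redback tooling) that parses the dot1q rewrite dump shown above; the `check_rewrite` helper and the expected next-hop MAC it takes are assumptions for illustration.

```python
import re

# Adjacency rewrite words as printed by "sh card 1 adjacency" above (copied
# from the page). encap_len 18 announces an 18-byte rewrite but only 16 bytes
# are dumped: the 2-byte EtherType of the encapsulated packet is not shown.
ADJ_DUMP = "e05fb9a6 693c0030 88147df0 81000e85"
ADJ_ENCAP_LEN = 18


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_dot1q_encap(hex_words, encap_len=None):
    """Split a dot1q L2 rewrite into dst/src MAC, TPID, PCP, DEI, VLAN ID and,
    when bytes 17-18 are present, the inner EtherType; report bytes not shown."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_words))
    if len(raw) < 16:
        raise ValueError("need 16 bytes: 2 x MAC (12) + TPID (2) + TCI (2)")
    tpid = int.from_bytes(raw[12:14], "big")
    if tpid != 0x8100:
        raise ValueError(f"TPID 0x{tpid:04x} is not 802.1Q (0x8100)")
    tci = int.from_bytes(raw[14:16], "big")  # 3 bits PCP, 1 bit DEI, 12 bits VID
    fields = {
        "dst_mac": _mac(raw[0:6]),
        "src_mac": _mac(raw[6:12]),
        "tpid": tpid,
        "pcp": tci >> 13,
        "dei": (tci >> 12) & 1,
        "vlan_id": tci & 0x0FFF,
        "ethertype": int.from_bytes(raw[16:18], "big") if len(raw) >= 18 else None,
    }
    if encap_len is not None:
        fields["bytes_not_shown"] = max(encap_len - len(raw), 0)
    return fields


def check_rewrite(hex_words, expected_vlan, expected_next_hop_mac, encap_len=None):
    """Compare the rewrite with the VLAN from 'sh bindings' and the next-hop MAC
    you expect (e.g. from the ARP table); an empty list means it is consistent."""
    f = decode_dot1q_encap(hex_words, encap_len)
    problems = []
    if f["vlan_id"] != expected_vlan:
        problems.append(f"vlan {f['vlan_id']} != binding {expected_vlan}")
    if f["dst_mac"] != expected_next_hop_mac.lower():
        problems.append(f"dst mac {f['dst_mac']} != next-hop {expected_next_hop_mac}")
    return problems


if __name__ == "__main__":
    print(decode_dot1q_encap(ADJ_DUMP, ADJ_ENCAP_LEN))
    print(check_rewrite(ADJ_DUMP, 3717, "e0:5f:b9:a6:69:3c", ADJ_ENCAP_LEN))
```

A mismatch between the rewrite and the binding or ARP table is what you would look for when a prefix is silently sent to the wrong VLAN or MAC.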

Unicast Flooding

This is a new concept for me that I had never seen before. I only imagined inter-VLAN routing by an L3 switch or router-on-a-stick.

But you can build this kind of architecture:


In this case, the request is originated from S1 (whose gateway is RA) to S2.

  • RA acts as the router: MAC src = RA; MAC dst = S2 in VLAN 2

Return :

  • S2 sends to its gateway, which this time is RB
  • RB sends the packet through SB, which does not have the MAC address of S1 in its CAM for VLAN 1
  • So it acts the normal way: IT FLOODS!

There are other situations where you can see unicast flooding:

  • Spanning-Tree TCN (topology change) events
  • Forwarding CAM table overflow

You can protect your LAN by using ‘unicast flood protection’.

It is implemented from version 12.1(14)E: ‘unicast flood protection’.

To check: ‘sh mac-address-table unicast-flood’.

xconnect, Wireshark and co.

I have already made a tiny lab with xconnect, but my curiosity has recently been piqued, so I wanted to see exactly how it works…

What happens behind the scenes when you press ENTER (the reflexive command has already been pushed on R4)?

R6(config-if)# xconnect 4.4.4.4 1111 encapsulation mpls

You can see on R4 :

R4#debug mpls ldp targeted-neighbors
LDP Directed Adjacency changes debugging is on
R4#debug mpls ldp transport connections 
LDP transport connection events debugging is on
R4#debug mpls ldp transport events 
LDP transport events debugging is on
[...]
*Aug 17 22:22:17.663: ldp: Peer LDP Id set to 6.6.6.6:0 for trgt 6.6.6.6, lcl addr = 4.4.4.4
*Aug 17 22:22:17.667: ldp: Rcvd ldp dir hello to 4.4.4.4 from 6.6.6.6 (6.6.6.6:0); FastEthernet0/1; opt 0xF
*Aug 17 22:22:17.671: ldp: ldp Hello from 6.6.6.6 (6.6.6.6:0) to 4.4.4.4, opt 0xF
*Aug 17 22:22:17.671: ldp: New directed adjacency 0x67A32E68 to 4.4.4.4 from 6.6.6.6 (6.6.6.6:0)
*Aug 17 22:22:17.675: ldp: Immediately request dhcb send hello back from 4.4.4.4 to 6.6.6.6
*Aug 17 22:22:17.675: ldp: local idb = targeted, holdtime = 90000, peer 6.6.6.6 holdtime = 90000
*Aug 17 22:22:17.675: ldp: dhcb intvl mbr cnt = 1, intvl = 10000, target = 6.6.6.6
*Aug 17 22:22:17.679: ldp: Opening listen port 646 for 6.6.6.6, 6.6.6.6
*Aug 17 22:22:17.683: ldp: No MD5 password protection for peer 6.6.6.6:0
*Aug 17 22:22:17.683: ldp: Registered TCB with LDP TCB database tcb 0x66BB49A0 [key
R4# 1779], total 2
*Aug 17 22:22:17.683: ldp: Open LDP listen TCB 0x66BB49A0; lport = 646; fhost = 6.6.6.6; with normal priority
*Aug 17 22:22:17.683: ldp: Add listen TCB to list; tcb 0x66BB49A0 [key 1779]; addr 6.6.6.6
*Aug 17 22:22:17.683: ldp: Send ldp dir hello; no idb, src/dst 4.4.4.4/6.6.6.6, inst_id 0
*Aug 17 22:22:18.027: ldp: Rcvd ldp dir hello to 4.4.4.4 from 6.6.6.6 (6.6.6.6:0); FastEthernet0/1; opt 0xF
*Aug 17 22:22:18.027: ldp: ldp Hello from 6.6.6.6 (6.6.6.6:0) to 4.4.4.4, opt 0xF
*Aug 17 22:22:18.027: ldp: local idb = targeted, holdtime = 90000, peer 6.6.6.6 holdtime = 90000
*Aug 17 22:22:18.027: ldp: dhcb intvl mbr cnt = 1, intvl = 10000, target = 6.6.6.6
*Aug 17 22:22:18.043: ldp: Registered TCB with LDP TCB database tcb 0x66BB4FDC [key 1780], total 3
*Aug 17 22:22:18.047: ldp: Incoming ldp conn 4.4.4.4:646  6.6.6.6:38742; with normal priority
*Aug 17 22:22:18.051: ldp: Found adj 0x67A32E68 for 6.6.6.6 (Hello xport addr opt)
*Aug 17 22:22:18.051: ldp: New t
R4#emporary adj 0x66BB5618 from 6.6.6.6
*Aug 17 22:22:18.055: ldp: Real adj 0x67A32E68 bound to 6.6.6.6:0, replacing temp adj 0x66BB5618
*Aug 17 22:22:18.059: ldp: Adj 0x66BB5618; state set to closed
*Aug 17 22:22:18.183: ldp: Data received!
*Aug 17 22:22:18.187: ldp: : peer 6.6.6.6:0 down reason reset to None
*Aug 17 22:22:18.187: %LDP-5-NBRCHG: LDP Neighbor 6.6.6.6:0 (2) is UP
*Aug 17 22:22:18.191: ldp-trgtnbr: 6.6.6.6 Received address addition notif start; flags 0x13
*Aug 17 22:22:18.195: ldp-trgtnbr: 6.6.6.6 Set peer start; flags 0x13
*Aug 17 22:22:18.195: ldp-trgtnbr: 6.6.6.6 Set peer finished; flags 0x1F
*Aug 17 22:22:18.195: ldp-trgtnbr: 6.6.6.6 Received address addition notif finish; flags 0x1

One targeted LDP session is built to establish the xconnect session. This targeted session is possible thanks to the IGP (here OSPF).
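Buried in the debug output above is one line a defender should not skip: “No MD5 password protection for peer 6.6.6.6:0”, i.e. the targeted session came up without TCP MD5 authentication. The following added example (mine, not from the page or Cisco) parses a console capture like the one above, glues back the lines the “R4#” prompt split mid-word, and reports which sessions went UP without MD5; the sample log is a constructed excerpt of the page's own debug lines.

```python
import re

# Constructed excerpt of the R4 console output shown above (prompt re-printed
# in the middle of a debug line kept on purpose: "New t" / "R4#emporary").
SAMPLE_LOG = """\
R4#debug mpls ldp targeted-neighbors
*Aug 17 22:22:17.663: ldp: Peer LDP Id set to 6.6.6.6:0 for trgt 6.6.6.6, lcl addr = 4.4.4.4
*Aug 17 22:22:17.683: ldp: No MD5 password protection for peer 6.6.6.6:0
*Aug 17 22:22:18.047: ldp: Incoming ldp conn 4.4.4.4:646  6.6.6.6:38742; with normal priority
*Aug 17 22:22:18.051: ldp: New t
R4#emporary adj 0x66BB5618 from 6.6.6.6
*Aug 17 22:22:18.187: %LDP-5-NBRCHG: LDP Neighbor 6.6.6.6:0 (2) is UP
"""

DEBUG_LINE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
PATTERNS = {  # what an auditor wants out of the trace: key -> captures
    "no_md5": re.compile(r"No MD5 password protection for peer (\S+)"),
    "transport": re.compile(r"Incoming ldp conn (\S+)\s+(\S+);"),
    "sessions_up": re.compile(r"%LDP-5-NBRCHG: LDP Neighbor (\S+) .* is UP"),
}


def parse_ldp_debug(text, prompt="R4#"):
    """Return [(timestamp, message)], gluing back a line the prompt split."""
    events, prev_debug = [], False
    for raw in text.splitlines():
        m = DEBUG_LINE.match(raw)
        if m:
            events.append((m.group(1), m.group(2)))
            prev_debug = True
        elif raw.startswith(prompt) and prev_debug:
            ts, msg = events[-1]  # prompt printed mid-line: tail of last event
            events[-1] = (ts, msg + raw[len(prompt):])
        else:
            prev_debug = False  # command echo, "debugging is on" banner, "[...]"
    return events


def summarize(events):
    """Group matching events by PATTERNS key as (timestamp, *captures)."""
    summary = {key: [] for key in PATTERNS}
    for ts, msg in events:
        for key, pat in PATTERNS.items():
            m = pat.search(msg)
            if m:
                summary[key].append((ts,) + m.groups())
    return summary


def unauthenticated_sessions(summary):
    """Peers whose session came UP although no MD5 password was configured."""
    no_md5 = {peer for _, peer in summary["no_md5"]}
    return [peer for _, peer in summary["sessions_up"] if peer in no_md5]
```

On IOS the fix for a flagged peer is `mpls ldp neighbor <peer> password <pw>` on both ends, so that TCP 646 segments from anyone else are dropped.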

You can read the pcap between R6 and R3 that I recorded. Really interesting.

http://www.cloudshark.org/captures/6e68003ead16

You can see the double MPLS label: one for the xconnect P2P link established with R4 for VC-ID 1111, and one transport label to carry the packet through the MPLS cloud.

I hope this can help someone. For my part, I had fun doing this tiny lab.

New tool for CCIE prep

I bought a refurbished MacBook Pro mid-2010. It is a good machine. I think it will be great as a CCIE-dedicated laptop 🙂

I have begun to build a wireless link to the place where my lab will be hosted. Let's go host a server and a Cyclades TS 1000 (which I will buy on eBay) to access my networking devices.

I now own:

  • 2 x C2500
  • 1 x 1841
  • 1 x 2611
  • 1 x WS-C3550SMI
  • 1 x HWIC

There is a lot of stuff to buy, but it is in progress…