Cisco & IP NAT

Hi,

It’s been a while since I last posted a blog entry. A simple tip: from IOS 12.4(20) to 12.4(24) and above, you can use OID “.1.3.6.1.4.1.9.10.77.1.2.3.0” to graph your NAT translations, once the old NAT MIB is enabled :


R(conf)# ip nat service enable-mib
%NAT: Old NAT-MIB support enabled
R(conf)#

HTH
++Christophe

R.I.P Jieff

You will remain for me the guy who wrote this kind of post and talked technology with Remy Card (ext2).

Path: bga.com!news.sprintlink.net!pipex!oleane!univ-lyon1.fr!ensta!itesec!frmug.fr.net!renux.frmug.fr.net!marouchka.gna.org!not-for-mail
From: ji...@marouchka.gna.org (Jean-Francois Monnet)
Newsgroups: fr.comp.os.linux
Subject: Re: LINUX ET E-IDE
Date: 23 Nov 1994 08:43:22 +0100
Organization: Marouchka, A Private Linux Site, France
Lines: 23
Distribution: world
Message-ID: <3aurqq$3mb@marouchka.gna.org>
References: <3asg5c$sp0@imag.imag.fr>
Reply-To: mon...@dir.univ-rouen.fr (Jean-Francois Monnet)
NNTP-Posting-Host: marouchka.gna.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: TIN [version 1.2 PL2]

Yves Arrouye (arr...@petole.imag.fr) writes:

> Maybe you will be able to help me: I want to add a 3rd disk (on a 2nd
> controller). My 2nd controller only runs on IRQ 14, but the disk addresses
> can be changed (it has two ranges). I can't get the patch to recognise my
> 3rd disk nicely, whatever the config. Help! Help!

	On my machine, the second controller was only recognised properly once
I took the soldering iron and rerouted the IRQ 14 trace to IRQ 15, as
explained in the doc of the atdisk2-0.9.tgz archive (old patch for driving
two IDE controller cards). I believe that doc is no longer shipped with the
ide-x.x* patches. I can send it to you if you can't find the atdisk archive.
Because even with two different I/O addresses for the cards, using the same
IRQ with more than 2 disks can cause problems.

> (Linux 1.1.64 + ide-2.5.patch-64+)

	I'm running 1.1.61 + ide-2.01.patch.61+.gz and it runs without problems
for IDE.
-- 
Marouchka - 76 Rouen

And a great Linux kernel programmer (Telsat Turbo), rock’n’roll & Nina Hagen fan.



Have fun with luxman…

++Jieff :-/


~Christophe

Site to site IKEv2 tunnel

Hello guys,

Here is a tip / reminder on how to implement a site-to-site IKEv2 tunnel :

crypto ikev2 proposal aes-cbc-256-proposal 
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1 
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 description IKEv2 profile
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1

! transform set named as the crypto map below references it
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac

crypto map mymap 20 ipsec-isakmp 
 set peer y.y.y.y
 set security-association lifetime seconds 27000
 set transform-set ESP-AES-SHA 
 set ikev2-profile profile1
 match address 120

ACL 120 defines your interesting traffic (the flows covered by the SA), and the crypto map is applied on your WAN interface.
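A quick consistency check is worth running on such a config before it lands on a WAN interface: the crypto map must reference a transform set that exists, the profile a keyring that exists, and the IPsec side should not quietly fall back to DES/MD5. Below is an added Python example (my own checker written for this post, not Cisco code) that parses an IOS-style config and reports dangling references and weak algorithm choices. The embedded config is a constructed sample in the layout above, deliberately defining the transform set as `myset esp-des esp-md5-hmac` while the crypto map references `ESP-AES-SHA`, so both defects show up in the report.

```python
from collections import defaultdict

# Constructed sample in the layout of the post's config (not the post's exact text):
# the transform set is named "myset" but the crypto map references "ESP-AES-SHA",
# and the transform set uses DES/MD5.
SAMPLE_CONFIG = """\
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 20 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-AES-SHA
 set ikev2-profile profile1
 match address 120
"""

WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "des", "3des", "md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768/1024/1536-bit MODP


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit(config):
    """Return a list of findings: dangling references and weak crypto choices."""
    defined = defaultdict(set)   # kind -> names defined in the config
    refs = []                    # (kind, name, line that references it)
    findings = []
    for header, body in parse_blocks(config):
        w = header.split()
        if w[:3] == ["crypto", "ikev2", "proposal"]:
            defined["proposal"].add(w[3])
            for child in body:
                c = child.split()
                if c[0] == "group" and c[1] in WEAK_DH_GROUPS:
                    findings.append(f"{header}: weak DH group {c[1]}")
                if c[0] == "integrity" and c[1] == "sha1":
                    findings.append(f"{header}: legacy integrity sha1 (prefer sha256)")
        elif w[:3] == ["crypto", "ikev2", "policy"]:
            refs += [("proposal", c.split()[1], header) for c in body if c.startswith("proposal ")]
        elif w[:3] == ["crypto", "ikev2", "keyring"]:
            defined["keyring"].add(w[3])
        elif w[:3] == ["crypto", "ikev2", "profile"]:
            defined["profile"].add(w[3])
            refs += [("keyring", c.split()[1], header) for c in body if c.startswith("keyring ")]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            defined["transform-set"].add(w[3])
            weak = sorted(WEAK_ALGS.intersection(w[4:]))
            if weak:
                findings.append(f"{header}: weak algorithm(s) {weak}")
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            for child in body:
                c = child.split()
                if c[:2] == ["set", "transform-set"]:
                    refs.append(("transform-set", c[2], header))
                elif c[:2] == ["set", "ikev2-profile"]:
                    refs.append(("profile", c[2], header))
    # Every referenced object must be defined somewhere in the same config.
    for kind, name, where in refs:
        if name not in defined[kind]:
            findings.append(f"{where}: references undefined {kind} '{name}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it as a script to print the findings; to check a real box, feed `audit()` the text of `show running-config | section crypto`.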

bwping patch (catching signals)

diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef __CYGWIN__
 #include "cygwin.h"
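Review bot: the added include line has lost its header name in this rendering (the three existing includes above it show the same), so as displayed the hunk cannot be applied; the handler added further down uses signal(), SIGUSR1 and SIG_ERR, which are declared in <signal.h>, so that is the header this line should name, and it is worth confirming that <stdlib.h> is already included for the exit() call the handler makes.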
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
     }
 }
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+
+void sig_handler(int signo)
+{
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
+}
 
 int main (int argc, char **argv)
 {
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
 
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
+
+
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");
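Review bot: sig_handler() calls printf() and exit() from signal context; neither is async-signal-safe, so a SIGUSR1 that arrives while the main loop is inside a stdio or allocator call can deadlock or corrupt the stream buffers. Prefer setting a `volatile sig_atomic_t` flag in the handler and printing the report from the select() loop in main(). Independently of that, the report reads `end`, which this hunk moves to file scope but which the original code only fills in when the run completes, so `(int)(end.tv_sec - begin.tv_sec)` is computed from a zeroed struct when the signal interrupts a running test; capture the current time with gettimeofday() at the moment of the report instead. The handler also uses min_rtt, max_rtt, average_rtt and DEF_MIN_RTT, none of which this hunk declares, so please confirm they are already file-scope. Minor: the new lines use 7/8-space indentation where the file uses 4.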

Download : patch-bwping-sig.diff

IPv6 prefix delegation feature

We will dive into the IPv6 prefix delegation feature.

First of all, we build a really simple topology :

R1 acts as the DHCPv6 server and uses the prefix delegation feature. But how does it work? How is it configured?

R1 :

ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool POOLv6
 prefix-delegation pool p lifetime 180 120
 domain-name lucas.fr.eu.org

ipv6 local pool p 2001:DB8::/40 48

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex half
 ipv6 address 2A02::1/48
 ipv6 enable
 ipv6 dhcp server POOLv6


R1#   show ipv6 dhcp interface 
FastEthernet0/0 is in server mode
  Using pool: POOLv6
  Preference value: 0
  Hint from client: ignored
  Rapid-Commit: disabled
R1#

R2 :

interface FastEthernet0/0
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider

interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 ipv6 address prefix-from-provider ::1:0:0:0:1/64
 ipv6 enable

R2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

Debug trace on R2 (debug ipv6 dhcp) :

*May  3 22:36:11.859: IPv6 DHCP: Sending RENEW to FF02::1:2 on FastEthernet0/0
*May  3 22:36:11.859: IPv6 DHCP: DHCPv6 changes state from OPEN to RENEW (TIMEOUT) on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Received REPLY from FE80::C805:ADFF:FE80:0 on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Processing options
*May  3 22:36:11.879: IPv6 DHCP: Adding prefix 2001:DB8::/48 to prefix-from-provider
*May  3 22:36:11.883: IPv6 DHCP: T1 set to expire in 60 seconds
*May  3 22:36:11.883: IPv6 DHCP: T2 set to expire in 120 seconds
*May  3 22:36:11.883: IPv6 DHCP: DHCPv6 changes state from RENEW to OPEN (REPLY_RECEIVED) on FastEthernet0/0

We have acquired the prefix via PD aka Prefix Delegation feature :

R2#show ipv6 general-prefix 
IPv6 Prefix prefix-from-provider, acquired via DHCP PD
  2001:DB8::/48 Valid lifetime 158, preferred lifetime 98
   FastEthernet1/1 (Address command)
R2#

On R3 or R4 :

interface FastEthernet0/0
 no ip address
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
end


R2#show ipv6 dhcp interface
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

If we debug we will see (debug ipv6 interface, debug ipv6 dhcp, debug ipv6 nd) :

May  3 22:05:01.335: ICMPv6-ND: Neighbour FE80::C806:ADFF:FE81:1D on FastEthernet0/0 : LLA ca06.ad81.001d
*May  3 22:05:01.335: ICMPv6-ND: INCMP -> STALE: FE80::C806:ADFF:FE81:1D
*May  3 22:05:01.335: IPv6-Address: intfid_algo is notactive on intf 4
*May  3 22:05:01.339: IPv6-Address: intfid_algo is active on intf 4
*May  3 22:05:01.339: IPv6-Address: Generating IntfID rc 0, prefix: 2001:DB8:0:1::/64, address 2001:DB8:0:1:C808:ADFF:FE85:0
*May  3 22:05:01.343: IPv6-Address: Prefix Information change for 2001:DB8:0:1::/64, 0x0 -> 0x1E0
*May  3 22:05:01.343: IPv6-Address: Adding prefix 2001:DB8:0:1::/64 to FastEthernet0/0
*May  3 22:05:01.343: IPv6-Address: Adding operating owner prefix configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Adding operating owner address configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0 configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Addrmgr-
R4(config-if)#ND: DAD request for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.347: ICMPv6-ND: Sending NS for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.351: ICMPv6-ND: Autoconfiguring 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.351: IPv6-Addrmgr-ND: DAD: 2001:DB8:0:1:C808:ADFF:FE85:0 is unique.
*May  3 22:05:02.351: ICMPv6-ND: Sending NA for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.355: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0/64 is up on FastEthernet0/0

Finally, we are able to ping the DHCPv6 server :

R4#ping ipv6 2A02::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/45/96 ms
R4#traceroute 2A02::1

Type escape sequence to abort.
Tracing the route to 2A02::1

  1 2001:DB8:0:1::1 12 msec 36 msec 12 msec
  2 2A02::1 8 msec 56 msec 36 msec
R4#
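Two things in the outputs above are worth reproducing by hand: how R2 combines the delegated 2001:DB8::/48 with the suffix `::1:0:0:0:1/64` to get 2001:DB8:0:1::1/64 on FastEthernet1/1 (the first traceroute hop), and how R4 derives 2001:DB8:0:1:C808:ADFF:FE85:0 by SLAAC from the /64 R2 advertises. The following Python is an added example (not IOS code) that models both steps with the standard library; the MAC `ca08.ad85.0000` is a constructed value consistent with R4's autoconfigured address, and `ca06.ad81.001d` is the neighbour LLA from the ND debug.

```python
import ipaddress


def delegable_prefixes(pool, delegate_len):
    """All sub-prefixes a pool such as 'ipv6 local pool p 2001:DB8::/40 48' can hand out."""
    return [str(n) for n in ipaddress.IPv6Network(pool).subnets(new_prefix=delegate_len)]


def apply_general_prefix(general_prefix, sub_address):
    """Model of 'ipv6 address <general-prefix-name> <suffix>/<len>' on the PD client:
    the leading prefixlen bits come from the learned general prefix, the rest from the suffix."""
    net = ipaddress.IPv6Network(general_prefix, strict=False)
    iface = ipaddress.IPv6Interface(sub_address)
    low_bits = (1 << (128 - net.prefixlen)) - 1
    combined = int(net.network_address) | (int(iface.ip) & low_bits)
    return f"{ipaddress.IPv6Address(combined)}/{iface.network.prefixlen}"


def eui64_address(prefix64, mac):
    """Modified EUI-64 address that SLAAC derives from a MAC inside a /64 (as on R3/R4)."""
    net = ipaddress.IPv6Network(prefix64, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    octets = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    addr = int(net.network_address) | int.from_bytes(iid, "big")
    return f"{ipaddress.IPv6Address(addr)}/64"


if __name__ == "__main__":
    pool = delegable_prefixes("2001:DB8::/40", 48)
    print(len(pool), "delegable /48s, first:", pool[0])
    print("R2 FastEthernet1/1:", apply_general_prefix("2001:DB8::/48", "::1:0:0:0:1/64"))
    # constructed MAC for R4, chosen to match the address seen in the debug output
    print("R4 SLAAC address:", eui64_address("2001:DB8:0:1::/64", "ca08.ad85.0000"))
    print("neighbour link-local:", eui64_address("fe80::/64", "ca06.ad81.001d"))
```

The pool of /48s is what R1 can delegate before it runs dry (256 here), which is also the number you want to compare against the count of PD clients before a `maximum` on the pool bites.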

IP SLA operation

IP SLA is a great tool to automate some processing. You can do great things with it. We will work on IP SLA Reaction here.

What is it? You can launch an action on a given state of an IP SLA. Such as (even if it is not a good example) : some nested pings.

[Image: ip-sla-reaction]

The job here is to check R4 – R3 and R4 – R2 when the IP SLA between R1 – R4 is awful.

We could do this as follows :
R4 :

ip sla 1
 udp-jitter 10.1.12.1 3200 source-ip 10.1.43.4 source-port 6565 codec g711ulaw codec-size 128
 frequency 5
ip sla schedule 1 start now life forever 

ip sla 43 
 icmp-echo 10.1.43.3 source-ip 10.1.43.4
 frequency 5
ip sla schedule 43 start pending life 60

ip sla 42 
 icmp-echo 10.1.32.2 source-ip 10.1.43.4
 frequency 5
ip sla schedule 42 start pending life 60

ip sla reaction-trigger 1 43
ip sla reaction-trigger 43 42
ip sla reaction-configuration 1 react MOS threshold-type consecutive 4 threshold-value 390 220 action-type trapAndTrigger
ip sla reaction-configuration 43 react rtt threshold-value 100 50 threshold-type immediate action-type trapAndTrigger
ip sla reaction-configuration 42 react rtt threshold-value 100 50 threshold-type immediate action-type trapOnly

snmp-server host 10.1.1.1
snmp-server enable traps syslog

We analyze each segment of the path, and when a segment fails our condition, a trap is sent.

Obviously, on R1 :

ip sla responder
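To see what the reaction chain above actually does over time, here is an added Python model (my own simplification, not the IOS implementation) of `threshold-type immediate` / `consecutive N` with upper/lower hysteresis and of `reaction-trigger parent child` starting a pending operation. The operation numbers, thresholds and trigger links mirror the R4 config; the measurement series are constructed (MOS scaled by 100, RTT in ms). It assumes the usual reading that rtt violates above the upper threshold and clears below the lower one, with the sense reversed for MOS.

```python
from dataclasses import dataclass


@dataclass
class Reaction:
    """Simplified model of 'ip sla reaction-configuration N react <metric>
    threshold-value UPPER LOWER threshold-type ...' (assumption of this example).
    Rising metrics such as rtt violate above UPPER and clear below LOWER; for a
    falling metric such as MOS the sense is reversed (violate below LOWER, clear above UPPER)."""
    upper: int
    lower: int
    threshold_type: str = "immediate"   # "immediate" or "consecutive"
    count: int = 1                      # N for "threshold-type consecutive N"
    falling: bool = False               # True for MOS
    violated: bool = False
    streak: int = 0

    def observe(self, value):
        """Feed one measurement; return 'trigger', 'clear' or None."""
        bad = value < self.lower if self.falling else value > self.upper
        good = value > self.upper if self.falling else value < self.lower
        if not self.violated:
            self.streak = self.streak + 1 if bad else 0
            needed = self.count if self.threshold_type == "consecutive" else 1
            if self.streak >= needed:
                self.violated, self.streak = True, 0
                return "trigger"
        elif good:
            self.violated = False
            return "clear"
        return None


def run_chain(samples, reactions, triggers, initially_active):
    """Step all operations in lock-step. Operations scheduled 'start pending' only run
    once a parent configured with action-type trapAndTrigger fires."""
    active = set(initially_active)
    events = []
    for step in range(max(len(s) for s in samples.values())):
        for op in sorted(active):
            if step >= len(samples[op]):
                continue
            outcome = reactions[op].observe(samples[op][step])
            if outcome is None:
                continue
            events.append((step, op, outcome))
            if outcome == "trigger":
                for child in triggers.get(op, []):
                    if child not in active:
                        active.add(child)
                        events.append((step, child, "started"))
    return events


def build_reactions():
    """Mirror of the R4 config: op 1 (MOS, consecutive 4, 390/220) triggers 43,
    op 43 (rtt, immediate, 100/50) triggers 42, op 42 only traps."""
    return {
        1: Reaction(390, 220, "consecutive", 4, falling=True),
        43: Reaction(100, 50, "immediate"),
        42: Reaction(100, 50, "immediate"),
    }


TRIGGERS = {1: [43], 43: [42]}

# Constructed measurement series, one value per 'frequency 5' cycle (MOS x100, rtt in ms).
SAMPLES = {
    1: [410, 400, 210, 205, 200, 195, 400, 400, 400, 400],
    43: [0, 0, 0, 0, 0, 0, 150, 40, 40, 40],
    42: [0, 0, 0, 0, 0, 0, 0, 30, 120, 30],
}


def demo():
    return run_chain(SAMPLES, build_reactions(), TRIGGERS, initially_active=[1])


if __name__ == "__main__":
    for step, op, what in demo():
        print(f"cycle {step}: ip sla {op} {what}")
```

In the constructed run, op 1 needs four consecutive bad MOS samples before it fires, op 43 starts on that trigger and fires on its very first high RTT (immediate), and op 42 only becomes active after 43 fires; the hysteresis means no second trap is sent until the metric has first recovered past the opposite threshold.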

CCIE R&S studies planner

I don’t know if it will really help someone but you can download here my CCIE planner spreadsheet : CCIE_Planner

It provides you with :

  • Monthly review based on the CCIEv5 R&S blueprint ;
  • Planner from your starting point to your lab attempt deadline : it calculates how to organize your studies based on your initial self-assessment ;
  • Daily organization ;
  • Weekly organization ;
  • Monthly organization ;
  • Yearly organization ;
  • Calculate your study time ;
  • IpExpert vol1 lab & topics ;
  • Logistics ;

It is provided as is and under GPLv2.

Have fun with your studies.

BGP rib-failure

I think everyone knows what a RIB-Failure is in a BGP context. It obviously sounds like the exact same route being present with a lower AD than {e|i}BGP. We have VRF-Lite on R1 here :

[Screenshot: 2016-02-01 at 22.29.40]

We have :

R1#show ip bg vpnv4 vrf CUST
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf CUST)
 *>  10.1.1.1/32      12.0.0.2                 0             0 65002 ?
 *>  10.2.2.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.3.3.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.4.4.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.5/32      12.0.0.2                 0             0 65002 ?
 r>  10.6.6.6/32      12.0.0.2                 0             0 65002 ?
 r>  12.0.0.0/24      12.0.0.2                 0             0 65002 ?
R1#
R1#show ip route vrf CUST

Routing Table: CUST

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B        10.1.1.1 [20/0] via 12.0.0.2, 00:37:49
B        10.2.2.1 [20/0] via 12.0.0.2, 00:37:49
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Ethernet0/0
L        12.0.0.1/32 is directly connected, Ethernet0/0
R1#

So the only route that can be in RIB-Failure because of a lower AD is 12.0.0.0/24. What is the problem with the others ?
We can find out by using :

R1#show ip bg vpnv4 vrf CUST rib-failure
  Network            Next Hop                      RIB-failure   RIB-NH Matches
Route Distinguisher: 65001:1 (default for vrf CUST)
10.3.3.1/32        12.0.0.2                      Route limit              n/a
10.4.4.1/32        12.0.0.2                      Route limit              n/a
10.5.5.1/32        12.0.0.2                      Route limit              n/a
10.5.5.5/32        12.0.0.2                      Route limit              n/a
10.6.6.6/32        12.0.0.2                      Route limit              n/a
12.0.0.0/24        12.0.0.2            Higher admin distance              n/a
R1#

The problem is :

ip vrf CUST
 rd 65001:1
 maximum routes 4 80
!

You surely know now why they are in ‘RIB-Failure’ state…
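Chasing RIB-failures by eye is fine for eight prefixes; for a full table it helps to have the three outputs parsed and cross-checked. The Python below is an added example (not IOS code) that pulls the `r` prefixes out of `show ip bgp`, joins them with the reasons from the `rib-failure` view and compares the VRF's installed route count against `maximum routes`; the embedded outputs are constructed copies of the ones above with prompts and blank lines trimmed.

```python
import re

# Constructed copies of the three outputs from the post (prompts and blank lines trimmed).
SHOW_BGP = """\
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf CUST)
 *>  10.1.1.1/32      12.0.0.2                 0             0 65002 ?
 *>  10.2.2.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.3.3.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.4.4.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.5/32      12.0.0.2                 0             0 65002 ?
 r>  10.6.6.6/32      12.0.0.2                 0             0 65002 ?
 r>  12.0.0.0/24      12.0.0.2                 0             0 65002 ?
"""

SHOW_RIB_FAILURE = """\
  Network            Next Hop                      RIB-failure   RIB-NH Matches
Route Distinguisher: 65001:1 (default for vrf CUST)
10.3.3.1/32        12.0.0.2                      Route limit              n/a
10.4.4.1/32        12.0.0.2                      Route limit              n/a
10.5.5.1/32        12.0.0.2                      Route limit              n/a
10.5.5.5/32        12.0.0.2                      Route limit              n/a
10.6.6.6/32        12.0.0.2                      Route limit              n/a
12.0.0.0/24        12.0.0.2            Higher admin distance              n/a
"""

SHOW_ROUTE = """\
Routing Table: CUST
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 2 subnets
B        10.1.1.1 [20/0] via 12.0.0.2, 00:37:49
B        10.2.2.1 [20/0] via 12.0.0.2, 00:37:49
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Ethernet0/0
L        12.0.0.1/32 is directly connected, Ethernet0/0
"""

VRF_CONFIG = "ip vrf CUST\n rd 65001:1\n maximum routes 4 80\n"

# Table rows only: header and legend lines never start with a status code followed by a prefix.
BGP_ROW = re.compile(r"^\s*(?P<status>[sdh*>irSmbfxac]+)\s+(?P<net>\d[\d.]*/\d+)\s+(?P<nh>\d[\d.]*)")
RIB_FAIL_ROW = re.compile(r"^(?P<net>\d[\d.]*/\d+)\s+(?P<nh>\d[\d.]*)\s+(?P<reason>.+?)\s+(?P<nhmatch>\S+)$")
ROUTE_ROW = re.compile(r"^(?P<code>[A-Z])\s+(?P<net>\d[\d.]*(?:/\d+)?)\s")


def bgp_rib_failures(show_bgp):
    """Prefixes carrying the 'r' status code in 'show ip bgp ...' output."""
    rows = (BGP_ROW.match(line) for line in show_bgp.splitlines())
    return [m.group("net") for m in rows if m and "r" in m.group("status")]


def rib_failure_reasons(show_rib_failure):
    """Map prefix -> reason from 'show ip bgp ... rib-failure'."""
    out = {}
    for line in show_rib_failure.splitlines():
        m = RIB_FAIL_ROW.match(line)
        if m:
            out[m.group("net")] = m.group("reason")
    return out


def installed_routes(show_route):
    """Number of routes actually present in the VRF RIB (every code-lettered line)."""
    return sum(1 for line in show_route.splitlines() if ROUTE_ROW.match(line))


def vrf_route_limit(vrf_config):
    m = re.search(r"^\s*maximum routes (\d+)", vrf_config, re.M)
    return int(m.group(1)) if m else None


def diagnose(show_bgp, show_rib_failure, show_route, vrf_config):
    """Tie the outputs together: which prefixes fail, why, and whether the VRF limit explains it."""
    reasons = rib_failure_reasons(show_rib_failure)
    report = {net: reasons.get(net, "unknown") for net in bgp_rib_failures(show_bgp)}
    limit, installed = vrf_route_limit(vrf_config), installed_routes(show_route)
    limit_hit = "Route limit" in report.values() and limit is not None and installed >= limit
    return {"failures": report, "installed": installed, "limit": limit, "limit_hit": limit_hit}


if __name__ == "__main__":
    print(diagnose(SHOW_BGP, SHOW_RIB_FAILURE, SHOW_ROUTE, VRF_CONFIG))
```

With the post's outputs the VRF holds exactly four routes (two connected, two BGP), which is the configured `maximum routes 4`, so every further BGP path is left in "Route limit" and only 12.0.0.0/24 is the genuine admin-distance case.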

BGP review – ‘received-only’ prefix state

Today a little review :

edge12.bor03>show ip bg 37.8.8.8
BGP routing table entry for 37.8.0.0/20, version 47221703
Paths: (3 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  15975, (received-only)
    17.69.240.117 from 17.69.240.117 (17.69.255.1)
      Origin IGP, metric 16, localpref 500, valid, internal
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.6)
      Origin IGP, localpref 100, valid, external, best
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.2)
      Origin IGP, localpref 100, valid, external
edge12.bor03>

Why is the path through 17.69.240.117 not used, although it is a better path to 37.8.0.0/20 ?
Why is it marked as “received-only” ?

“Received-only” means, as it says, that this prefix was received and stored in the Adj-IN, but cannot be selected as a valid path. Why ?

There are many reasons. Common ones are : inbound route-maps, NEXTHOP not reachable…

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html

In my example, the problem is here : a route-map without an explicit permit.