21 May 2010

Back up and Restore Configuration Files

Automatic Backup of Configuration using the Kron Method:

Router(config)#kron policy-list SaveConfig
Router(config-kron-policy)#cli write
Router(config-kron-policy)#exit

Router(config)#kron occurrence SaveConfigSchedule at 23:00 Sun recurring
Router(config-kron-occurrence)#policy-list SaveConfig


11 May 2010

Multi-chassis LACP

http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_mlacp.html

15 Apr. 2010

PIM Flags

Flags in the "show ip mroute" output:

 • D—Dense.
 • S—Sparse.
 • B—Bidir Group. Indicates that a multicast group is operating in bidirectional mode.
 • s—SSM Group. Indicates that a multicast group is within the SSM range of IP addresses. This flag is reset if the SSM range changes.
 • C—Connected. A member of the multicast group is present on the directly connected interface.
 • L—Local. The router itself is a member of the multicast group. Groups are joined locally by the ip igmp join-group command (for the configured group), the ip sap listen command (for the well-known session directory groups), and rendezvous point (RP) mapping (for the well-known groups 224.0.1.39 and 224.0.1.40). Locally joined groups are not fast switched.
 • P—Pruned. Route has been pruned. The Cisco IOS software keeps this information so that a downstream member can join the source.
 • R—RP-bit set. Indicates that the (S, G) entry is pointing toward the RP. This flag typically indicates a prune state along the shared tree for a particular source.
 • F—Register flag. Indicates that the software is registering for a multicast source.
 • T—SPT-bit set. Indicates that packets have been received on the shortest path source tree.
 • J—Join SPT.
    For (*, G) entries, indicates that the rate of traffic flowing down the shared tree is exceeding the SPT-Threshold set for the group. (The default SPT-Threshold setting is 0 kbps.) When the J - Join shortest path tree (SPT) flag is set, the next (S, G) packet received down the shared tree triggers an (S, G) join in the direction of the source, thereby causing the router to join the source tree.
    For (S, G) entries, indicates that the entry was created because the SPT-Threshold for the group was exceeded. When the J - Join SPT flag is set for (S, G) entries, the router monitors the traffic rate on the source tree and attempts to switch back to the shared tree for this source if the traffic rate on the source tree falls below the SPT-Threshold of the group for more than 1 minute.
    Note: The router measures the traffic rate on the shared tree and compares the measured rate to the SPT-Threshold of the group once every second. If the traffic rate exceeds the SPT-Threshold, the J - Join SPT flag is set on the (*, G) entry until the next measurement of the traffic rate. The flag is cleared when the next packet arrives on the shared tree and a new measurement interval is started.
    If the default SPT-Threshold value of 0 kbps is used for the group, the J - Join SPT flag is always set on (*, G) entries and is never cleared. When the default SPT-Threshold value is used, the router immediately switches to the shortest path source tree when traffic from a new source is received.
 • M—MSDP created entry. Indicates that a (*, G) entry was learned through a Multicast Source Discovery Protocol (MSDP) peer. This flag is applicable only for an RP running MSDP.
 • E—Extranet source mroute entry. Indicates that a (*, G) or (S, G) entry in the VRF routing table is a source Multicast VRF (MVRF) entry and has extranet receiver MVRF entries linked to it.
 • X—Proxy Join Timer Running. Indicates that the proxy join timer is running. This flag is set only for (S, G) entries of an RP or "turnaround" router. A "turnaround" router is located at the intersection of a shared path (*, G) tree and the shortest path from the source to the RP.
 • A—Candidate for MSDP Advertisement. Indicates that an (S, G) entry was advertised through an MSDP peer. This flag is applicable only for an RP running MSDP.
 • U—URD. Indicates that a URL Rendezvous Directory (URD) channel subscription report was received for the (S, G) entry.
 • I—Received Source Specific Host Report. Indicates that an (S, G) entry was created by an (S, G) report. This (S, G) report could have been created by Internet Group Management Protocol Version 3 (IGMPv3), URD, or IGMP v3lite. This flag is set only on the designated router (DR).
 • Z—Multicast Tunnel. Indicates that this entry is an IP multicast group that belongs to the Multicast Distribution Tree (MDT) tunnel. All packets received for this IP multicast state are sent to the MDT tunnel for decapsulation.
 • Y—Joined MDT-data group. Indicates that the traffic was received through an MDT tunnel that was set up specifically for this source and group. This flag is set in Virtual Private Network (VPN) mroute tables only.

10 Apr. 2010

vlan-to-vlan local-switching

VLAN-to-VLAN Local Switching
R3:
!
interface FastEthernet0/0.345
 encapsulation dot1Q 345
 ip address 192.168.1.3 255.255.255.0
!

R1:
!
interface FastEthernet0/0.345
 encapsulation dot1Q 345
 ip address 192.168.1.1 255.255.255.
!
R2:
!
interface FastEthernet0/0.345
 encapsulation dot1Q 345
!
interface FastEthernet0/0.123
 encapsulation dot1Q 123
!
connect ethvl-to-ethvl FastEthernet0/0.123 FastEthernet0/0.345
!

R2#show connection

ID   Name            Segment 1              Segment 2                  State  
================================================================================
1    ethvl-to-ethvl  Fa0/0.123              Fa0/0.345                  UP     


R2#show connection id 1
Connection: 1 - ethvl-to-ethvl
 Current State: UP
 Segment 1: FastEthernet0/0.123 up
 Segment 2: FastEthernet0/0.345 up

CDP is not disabled:
R2#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R3               Fas 0/0           171            R       7206VXR   Fas 0/0
R1               Fas 0/0           130            R       7206VXR   Fas 0/0
R2#

18 March 2010

Head-Of-Line blocking

VOQ: Virtual Output Queues
HOL: Head-Of-Line

http://en.wikipedia.org/wiki/Head-of-line_blocking

Enjoy!

10 March 2010

PPPoE Part 1/2 - Theory

PPPoE

- Header PPPoE Format:

- Discovery Stage:
Discovery Ethernet frames have the ETHER_TYPE field set to the value 0x8863

Step 1 - PPPoE Active Discovery Initiation (PADI):
- DESTINATION_ADDR set to the broadcast
- CODE field is set to 0x09
- SESSION_ID MUST be set to 0x0000

Step 2 - PPPoE Active Discovery Offer (PADO):
When the Access Concentrator receives a PADI that it can serve, it replies by sending a PADO packet.
- DESTINATION_ADDR is the unicast address of the Host that sent the PADI
- CODE field is 0x07
- SESSION_ID MUST be set to 0x0000

A PADO packet MUST contain:
One AC-Name TAG containing the Access Concentrator's name,
A Service-Name TAG identical to the one in the PADI,
Any number of other Service-Name TAGs indicating other services that the Access Concentrator offers.

Step 3 - PPPoE Active Discovery Request (PADR):
Because the PADI was sent to the broadcast address, a host can receive more than one PADO.
The host therefore looks through the PADO packets it receives and chooses one.
The Host then sends one PADR packet to the Access Concentrator that it has chosen.
DESTINATION_ADDR field is set to the unicast Ethernet address of the Access Concentrator that sent the PADO.

Step 4 - PPPoE Active Discovery Session-confirmation (PADS):
When the Access Concentrator receives a PADR packet, it prepares to begin a PPP session. It generates a unique SESSION_ID for the PPPoE session and replies to the Host with a PADS packet.
- DESTINATION_ADDR field is the unicast Ethernet address of the Host that sent the PADR.
- CODE field is set to 0x65
- SESSION_ID MUST be set to the unique value generated for this PPPoE session.

PPPoE Active Discovery Terminate (PADT) packet:
This packet may be sent anytime after a session is established to indicate that a PPPoE session has been terminated.
- DESTINATION_ADDR is a unicast Ethernet address, the CODE field is set to 0xa7 and the SESSION_ID MUST be set to indicate which session is to be terminated.


PPP Session Stage:
Once the PPPoE session begins, PPP data is sent as in any other PPP encapsulation.
All Ethernet packets are unicast.

- ETHER_TYPE is 0x8864.
- CODE MUST be set to 0x00.
- SESSION_ID MUST NOT change for that PPPoE session and MUST be the value assigned in the Discovery stage.

The PPPoE payload contains a PPP frame.


PPP 
The PPPoE payload begins with the PPP Protocol-ID.
http://tools.ietf.org/html/rfc1548
http://tools.ietf.org/html/rfc1332


- Header PPPoE Format:

Protocol Field:

c021 Link Control Protocol
0021 Internet Protocol
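As an added example (not code from the original post), the following Python builds and decodes PPPoE frames and checks the Discovery-stage and Session-stage rules listed above, then reads the PPP Protocol-ID at the start of the session payload. The MAC addresses and sample frames are constructed; the PADR code 0x19 is the RFC 2516 value and is not listed in the post.

```python
import struct

# PPPoE values from RFC 2516 as listed in the post; PADR (0x19) is the RFC value, not on the page
ETHERTYPE_DISCOVERY, ETHERTYPE_SESSION = 0x8863, 0x8864
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
PPP_PROTOCOLS = {0xC021: "LCP", 0x0021: "IP"}
BROADCAST = b"\xff" * 6

def build_pppoe(dst, src, ethertype, code, session_id, payload):
    """Ethernet II header + PPPoE header (VER=1, TYPE=1, CODE, SESSION_ID, LENGTH) + payload."""
    return dst + src + struct.pack("!HBBHH", ethertype, 0x11, code, session_id, len(payload)) + payload

def parse_pppoe(frame):
    """Decode a PPPoE frame and list every violation of the Discovery/Session stage rules."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    info = {"ethertype": ethertype, "code": CODES.get(code, "UNKNOWN"), "session_id": session_id}
    problems = []
    if ethertype == ETHERTYPE_DISCOVERY:
        if code == 0x00:
            problems.append("CODE 0x00 is reserved for the Session stage")
        if code in (0x09, 0x07, 0x19) and session_id != 0:   # PADI/PADO/PADR
            problems.append("SESSION_ID must be 0x0000 before a session exists")
        if code == 0x09 and dst != BROADCAST:
            problems.append("PADI is sent to the broadcast address")
        if code in (0x07, 0x65, 0xA7) and dst == BROADCAST:
            problems.append("PADO/PADS/PADT are unicast to the peer")
        if code in (0x65, 0xA7) and session_id == 0:
            problems.append("PADS/PADT must carry the session's SESSION_ID")
    elif ethertype == ETHERTYPE_SESSION:
        if code != 0x00:
            problems.append("CODE must be 0x00 in the Session stage")
        if session_id == 0 or dst == BROADCAST:
            problems.append("Session frames are unicast and use the SESSION_ID from the PADS")
        if len(payload) >= 2:   # the PPPoE payload starts with the PPP Protocol-ID
            proto = struct.unpack("!H", payload[:2])[0]
            info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, "0x%04x" % proto)
    else:
        problems.append("EtherType is not PPPoE")
    info["problems"] = problems
    return info

# Constructed sample frames (the MAC addresses are made up for the example)
HOST, AC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PADI = build_pppoe(BROADCAST, HOST, ETHERTYPE_DISCOVERY, 0x09, 0x0000, b"\x01\x01\x00\x00")  # empty Service-Name TAG
LCP_FRAME = build_pppoe(AC, HOST, ETHERTYPE_SESSION, 0x00, 0x0001, b"\xc0\x21\x01\x01\x00\x04")  # LCP Configure-Request
BAD_PADO = build_pppoe(BROADCAST, AC, ETHERTYPE_DISCOVERY, 0x07, 0x0001, b"")  # breaks two Discovery rules
```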

Establishment:
1 - Test the data-link: LCP
2 - Authenticate (optional)
3 - Choose Network Layer Protocol (NCP)


LCP:
Used to control PPP links:
 - Link Configuration
 - Link Maintenance
 - Link Termination


LCP Messages:
 - Configure-Request
 - Configure-Ack (all of the options have acceptable values)
 - Configure-Nack (one or more options have unacceptable values)
 - Configure-Reject (one or more of the options are unknown or not negotiable)
 - Echo-Request
 - Echo-Reply
 - Terminate-Request
 - Terminate-Ack

Link Configuration Stage:
Common options:
 - Maximum Receive Unit (MRU)
 - Authentication Protocol (EAP, MS-CHAP, PAP...)
 - Magic Number (used to distinguish peers and to detect looped-back lines)
 - Protocol Compression
 - Address and Control Field Compression
 - Callback

Link Maintenance Stage:
Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request
Echo-Request and Echo-Reply messages act as keepalives.
Link Termination Stage:
Terminate-Request and Terminate-Ack are a mechanism for closing a connection.
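As an added example (not from the original post), this Python applies the Configure-Ack / Configure-Nak / Configure-Reject rules above to an incoming LCP Configure-Request carrying the common options listed (MRU, Authentication Protocol, Magic Number, PFC). The option type numbers and the MRU/Magic-Number collision handling follow RFC 1661; the request packets and magic values are constructed.

```python
import struct

# LCP codes and option types (RFC 1661 values; the post lists the message and option names)
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRU, OPT_AUTH, OPT_MAGIC, OPT_PFC, OPT_ACFC = 1, 3, 5, 7, 8
KNOWN_OPTIONS = {OPT_MRU, OPT_AUTH, OPT_MAGIC, OPT_PFC, OPT_ACFC}
AUTH_PAP, AUTH_CHAP = 0xC023, 0xC223
CHAP_MD5 = b"\xc2\x23\x05"          # Auth-Protocol value proposed in a Nak: CHAP with MD5

def parse_options(data):
    """Split an LCP option list into (type, value) pairs; each option is Type, Length, Data."""
    opts, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed LCP option at offset %d" % i)
        opts.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return opts

def lcp_packet(code, ident, opts):
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in opts)   # Type, Length, Data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def answer_configure_request(packet, local_magic, max_mru=1492):
    """Reply to a Configure-Request: Reject unknown options, Nak unacceptable values, else Ack."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CONF_REQ:
        raise ValueError("not a Configure-Request")
    rejected, naked = [], []
    for typ, val in parse_options(packet[4:length]):
        if typ not in KNOWN_OPTIONS:                      # unknown/non-negotiable -> Configure-Reject
            rejected.append((typ, val))
        elif typ == OPT_MRU and struct.unpack("!H", val)[0] > max_mru:
            naked.append((typ, struct.pack("!H", max_mru)))   # propose the MRU we can accept
        elif typ == OPT_AUTH and struct.unpack("!H", val[:2])[0] != AUTH_CHAP:
            naked.append((typ, CHAP_MD5))                     # refuse PAP, propose CHAP
        elif typ == OPT_MAGIC and val == local_magic:         # same Magic-Number: looped-back line
            naked.append((typ, bytes(b ^ 0xFF for b in val)))
    if rejected:            # a Reject takes precedence over a Nak
        return lcp_packet(CONF_REJ, ident, rejected)
    if naked:
        return lcp_packet(CONF_NAK, ident, naked)
    return struct.pack("!BBH", CONF_ACK, ident, length) + packet[4:length]

# Constructed requests: PFC carries no value, MRU and Magic-Number do
LOCAL_MAGIC = b"\xde\xad\xbe\xef"
REQ_OK = lcp_packet(CONF_REQ, 1, [(OPT_MRU, b"\x05\xd4"), (OPT_MAGIC, b"\x12\x34\x56\x78"), (OPT_PFC, b"")])
REQ_NAK = lcp_packet(CONF_REQ, 2, [(OPT_MRU, b"\x05\xdc"), (OPT_AUTH, b"\xc0\x23")])  # MRU 1500 and PAP
REQ_REJ = lcp_packet(CONF_REQ, 3, [(OPT_MRU, b"\x05\xd4"), (0x20, b"\x01")])           # unknown option 0x20
```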

http://blog.ine.com/2008/01/20/example-configurations-for-ppp-over-ethernet-pppoe/

2 March 2010

BGP Dampening - Part 3/3

Dampening also applies when a BGP attribute changes on a given prefix.
In that case the penalty is only 500 (versus 1000 for a classic flap).

On the same lab as before, we modify the MED attribute of prefix 4.3.2.0/24:
R1:
!
ip prefix-list ModifyMED seq 5 permit 4.3.2.0/24 le 32
!
route-map RM_ModifyMED permit 10
match ip address prefix-list ModifyMED
set metric 12345
!
route-map RM_ModifyMED permit 20
!


On R2:
Before:
R2#show ip bgp 4.3.2.0/24
BGP routing table entry for 4.3.2.0/24, version 8
Paths: (1 available, best #1, table default)
Flag: 0x10800
Not advertised to any peer
1
192.168.1.1 from 192.168.1.1 (10.1.1.254)
Origin IGP, metric 0, localpref 100, valid, external, best
!

After applying the route-map:
R2#
*Mar 2 17:05:15.130: EvD: charge penalty 500, new accum. penalty 500, flap count 1
*Mar 2 17:05:15.134: EvD: unsuppress item left in reuse timer array with penalty 500
*Mar 2 17:05:15.138: BGP(0): charge penalty for 4.3.2.0/24 path 1 with halflife-time 15 reuse/suppress 750/2000
*Mar 2 17:05:15.138: BGP(0): flapped 1 times since 00:00:00. New penalty is 500
*Mar 2 17:05:15.142: EvD: accum. penalty 500, not suppressed
R2#show ip bgp 4.3.2.0/24
BGP routing table entry for 4.3.2.0/24, version 10
Paths: (1 available, best #1, table default)
Flag: 0x10800
Not advertised to any peer
1
192.168.1.1 from 192.168.1.1 (10.1.1.254)
Origin IGP, metric 12345, localpref 100, valid, external, best
Dampinfo: penalty 500, flapped 1 times in 00:00:04
!

BGP Dampening - Part 2/3

Dampening lab:

R1 configuration:

hostname R1
!
interface Loopback1
ip address 172.16.1.1 255.240.0.0
!
interface Loopback2
ip address 4.3.2.1 255.255.255.0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 4.3.2.0 mask 255.255.255.0
network 10.0.0.0
network 172.16.0.0 mask 255.240.0.0
neighbor 192.168.1.2 remote-as 2
no auto-summary
!


R2 configuration:

hostname R2
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 192.168.1.2 255.255.255.0
!
router bgp 2
bgp log-neighbor-changes
neighbor 192.168.1.1 remote-as 1
!
address-family ipv4
no synchronization
bgp dampening route-map RM_Dampening
neighbor 192.168.1.1 activate
no auto-summary
exit-address-family
!
ip prefix-list RFC1918_Dampening seq 5 permit 10.0.0.0/8 le 32
ip prefix-list RFC1918_Dampening seq 10 permit 172.16.0.0/12 le 32
ip prefix-list RFC1918_Dampening seq 15 permit 192.168.0.0/16 le 32
route-map RM_Dampening permit 10
match ip address prefix-list RFC1918_Dampening
set dampening 15 100 1000 60
!
route-map RM_Dampening permit 20
set dampening 15 750 2000 60
!


Here the RFC1918 prefixes get dampening values that differ from the defaults.
If the values chosen for a route-map entry are not consistent, an error message appears:

%BGP-5-DAMPENING_LOW_MAX_PENALTY Maximum penalty (12800) is less than allowed maximum (20000). Dampening is OFF

%BGP-5-DAMPENING_HIGH_MAX_PENALTY: Maximum penalty (128000) is more than allowed maximum (20000). Dampening is OFF


Validation:
We flap loopback 172.16.0.0/12: the prefix is announced and then withdrawn from R2 several times.
This network matches the first entry of the route-map:


* reuse-limit: 100
* suppress-penalty: 1000
* half-life: 15
* max-suppress-time: 60 (4x15)

Check:

R2#show ip bgp 172.16.0.0/12
BGP routing table entry for 172.16.0.0/12, version 6
Paths: (1 available, no best path)
Not advertised to any peer
1, (suppressed due to dampening)
192.168.1.1 from 192.168.1.1 (10.1.1.254)
Origin IGP, metric 0, localpref 100, valid, external
Dampinfo: penalty 1024, flapped 2 times in 00:11:49, reuse in 00:06:08

R2#show ip bgp
BGP table version is 6, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 4.3.2.0/24 192.168.1.1 0 0 1 i
*d 172.16.0.0/12 192.168.1.1 0 0 1 i

R2#show ip bgp dampening flap-statistics
BGP table version is 6, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Flaps Duration Reuse Path
*d 172.16.0.0/12 192.168.1.1 2 00:22:43 00:06:03 1

R2#show ip bgp dampening dampened-paths
BGP table version is 6, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Reuse Path
*d 172.16.0.0/12 192.168.1.1 00:06:43 1 i

1 March 2010

BGP Dampening - Part 1/3

BGP Route dampening:
  • Reduces router load.
  • Defined in RFC 2439.
  • Does not suppress a route that flaps occasionally.
  • Suppresses a route that tends to flap.
Each flap adds 1000 penalty points. An attribute change adds 500 penalty points.
When the penalty exceeds the suppress limit, the route is dampened: it is no longer used and no longer propagated.
When a path's penalty drops below the reuse limit, the route becomes valid again. The history is cleared when the prefix's penalty drops below 50% of the reuse limit. A route is never dampened longer than the max-suppress-time.

The penalty is applied to a path of a prefix, not to the prefix itself.
R1(config-router)#bgp dampening [half-life reuse suppress max-suppress-time] [route-map map-name]
Defaults:
  • Half-Life: 15 minutes
  • Suppress: 2000
  • Reuse: 750
  • Max-suppress-time: 60 minutes
  • Per-flap penalty : 1000
Different values can be specified for certain prefixes (but dampening cannot be disabled for those prefixes).
Note that the values are not arbitrary: they are constrained by a formula:
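As an added example (not from the original posts), this Python implements the penalty arithmetic of Part 1/3 and the value check behind the two error messages of Part 2/3. The maximum-penalty formula reuse-limit x 2^(max-suppress-time / half-life) and the 20000 ceiling are assumed from RFC 2439 and IOS behaviour rather than taken from the page; the event list is constructed.

```python
import math

FLAP_PENALTY, ATTR_PENALTY = 1000, 500   # per-flap and per-attribute-change penalties (Part 1/3)
IOS_MAX_PENALTY = 20000                   # upper bound IOS accepts for the computed maximum penalty (assumed)

def max_penalty(half_life, reuse, max_suppress):
    """Highest penalty a path may hold: reuse * 2^(max_suppress / half_life).
    Capping at this value is what guarantees a path is never suppressed longer than max_suppress."""
    return reuse * 2 ** (max_suppress / half_life)

def validate(half_life, reuse, suppress, max_suppress):
    """Sanity check of 'set dampening' values, mirroring the two error messages shown in Part 2/3."""
    mp = max_penalty(half_life, reuse, max_suppress)
    if mp < suppress:
        return "LOW_MAX_PENALTY", mp      # the penalty could never reach the suppress limit
    if mp > IOS_MAX_PENALTY:
        return "HIGH_MAX_PENALTY", mp
    return "OK", mp

def simulate(events, half_life=15, reuse=750, suppress=2000, max_suppress=60):
    """Replay (minute, kind) events, kind 'flap' or 'attr', decaying the penalty exponentially
    between events. Returns the path state after the last event and the minutes until reuse."""
    mp = max_penalty(half_life, reuse, max_suppress)
    penalty, last_t, flaps, suppressed = 0.0, 0.0, 0, False
    for t, kind in sorted(events):
        penalty *= 2 ** (-(t - last_t) / half_life)          # halves every half_life minutes
        penalty = min(penalty + (FLAP_PENALTY if kind == "flap" else ATTR_PENALTY), mp)
        last_t, flaps = t, flaps + 1
        if penalty > suppress:                                  # exceeded the suppress limit: dampened
            suppressed = True
        elif penalty < reuse:                                   # back under the reuse limit: valid again
            suppressed = False
    if suppressed:
        state, reuse_in = "suppressed", half_life * math.log2(penalty / reuse)
    else:
        state, reuse_in = ("history" if penalty >= reuse / 2 else "clear"), 0.0
    return {"penalty": round(penalty, 1), "flaps": flaps, "state": state, "reuse_in_min": reuse_in}

# The RFC1918 entry of the lab route-map in Part 2/3: set dampening 15 100 1000 60
LAB_RFC1918 = dict(half_life=15, reuse=100, suppress=1000, max_suppress=60)
```

With the lab values a single flap only leaves history, while a second flap five minutes later pushes the penalty to the 1600 cap and the path stays suppressed for exactly the 60-minute max-suppress-time.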


NTP - ACL

NTP - Network Time Protocol Packet types: -  Control messages : don't bother with this. -  NTP request/update messages: used for time sy...