Monday, 30 August 2010

IPExpert V3 Lab7

Troubleshooting

Difficulties with an inter-AS MPLS peering, Option C style, using BGP to exchange labels for BGP routes.

Configuration

1.5 PPPOE with DHCP reservation

Multiple ways to assign an IP address in PPP/PPPoE:

Client                          Server
IPCP (ip address negotiated)    local pool  (peer default ip address pool NAME)
                                DHCP pool   (peer default ip address dhcp-pool NAME)
DHCP (ip address dhcp)          DHCP pool   (nothing on the PPP side)

For manual bindings, use the full DHCP variant: a host pool must exist on the server and the client must be configured with a client-identifier.
Client
! the client-id sent is 01 followed by the MAC address of FastEthernet0/0
ip address dhcp client-id FastEthernet0/0

Server
ip dhcp pool R1
 host 10.1.1.1 /24
 ! 01 + MAC address of the client's F0/0, in dotted hex
 client-identifier 01<mac-address of client F0/0>

With IPCP you can force the client to request the subnet mask:
ppp ipcp mask request      (on the client)
ppp ipcp mask 255.255.255.0 (on the server)

If a VRF is used, the pool must be configured with the vrf command.
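A complete two-ended configuration for the manual-binding case above, as an added example (not the lab's own configuration): the PPPoE server answers DHCP over the PPP session from a host pool keyed on the client's MAC, and the client requests its address with ip address dhcp. Interface names, the MAC 0011.2233.4455, the bba-group name and the 10.1.1.0/24 addressing are assumptions.

```cisco
! --- Server (PPPoE access concentrator) ---
bba-group pppoe GLOBAL
 virtual-template 1
!
interface FastEthernet0/0
 no ip address
 pppoe enable group GLOBAL
!
! the virtual-access interface must carry an address in the pool's subnet
! so that the DHCP server selects pool R1 for requests arriving over PPP
interface Loopback0
 ip address 10.1.1.254 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
! Manual binding: 01 (Ethernet hardware type) + assumed client MAC
! 0011.2233.4455 gives the client-identifier 0100.1122.3344.55
ip dhcp pool R1
 host 10.1.1.1 255.255.255.0
 client-identifier 0100.1122.3344.55
!
! --- Client ---
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 encapsulation ppp
 dialer pool 1
 ! full DHCP over the PPP session; the MAC of FastEthernet0/0 is used as
 ! the client-id so the host binding on the server matches
 ip address dhcp client-id FastEthernet0/0
```

On the server, show ip dhcp binding should show 10.1.1.1 bound to the client identifier 0100.1122.3344.55 once the session is up.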

3.2 BGP loop because of RIP summarization

RIP summarizes a route. A later task asks to redistribute RIP into BGP, which causes a loop with the summary. The summary has to be filtered out of the redistribution into BGP.
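How the filter looks on the router that redistributes RIP into BGP, as an added example (not the lab's configuration): the summary prefix 10.10.0.0/16, the BGP AS 100 and the route-map names are assumptions.

```cisco
! the RIP summary learnt from the neighbour; it must not enter BGP
ip prefix-list RIP-SUMMARY seq 5 permit 10.10.0.0/16
!
route-map RIP-TO-BGP deny 10
 description drop the RIP summary, which would otherwise loop back
 match ip address prefix-list RIP-SUMMARY
route-map RIP-TO-BGP permit 20
 description everything else learnt from RIP goes into BGP
!
router bgp 100
 redistribute rip route-map RIP-TO-BGP
```

Check with show ip bgp: the /16 must be absent while the more specific RIP routes are present.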

4.4 AS Override

Took a while to find this command again; it permits the PE to override the originating AS with its own (when every VPN site uses the same AS, loop prevention would otherwise prevent the routes from re-entering).
Another solution could be allowas-in on the CE.

5.3 MSDP Originator

MSDP originator-id in case of anycast has to be set to the anycast address.
Took a while to discover that I needed another route for multicast between the two ASes, as the direct link was not allowed for multicast.

7.1 NTP multicast

On the server side:
interface <intf>
 ! without an explicit group, the default NTP multicast group 224.0.1.1 is used
 ntp multicast <group>

On the client side:
interface <intf>
 ntp multicast client <group>

Sunday, 29 August 2010

IPExpert V3 Lab6

Not such difficult labs, but some bonehead errors:

- forgot the mapping of itself on the IPv6 Frame Relay map
- forgot mtu-ignore on the router side and for IPv6
- went with making multicast answer with MP-BGP whereas the task didn't ask for it.
- To secure login attempts over SSH I used the 'login block-for' commands; the proctor used the ip ssh max-attempts and timeout commands, which is better, as login block-for prevents retrying with another TCP session but you could retry on the same connection.

Tuesday, 24 August 2010

IPExpert V2 Lab17

1.1 Vty timeout

Bonehead error: the idle timeout for a vty is exec-timeout, not session-timeout, which is used for physical lines.

2.5 Fallback bridging

Not available on Dynamips, but it permits bridging between 2 VLANs for non-IP protocols:

bridge 1 protocol vlan-bridge
interface Vlan X
 bridge-group 1
interface Vlan Y
 bridge-group 1

4.0 Cisco RIP timer

The task was about disabling the Cisco-specific RIP timer, which is holddown:
timers basic 30 180 0 180

4.3 Forbidden RIP to accept routes from future gateway

I used a distribute-list or offset-list; another solution was a default distance of 255 except for the current neighbor.

6.3 OSPF

DR/BDR election wait timer: configured through the dead-interval timer!
Make an OSPF neighbor preferred without using cost or bandwidth: AD, of course:

! for OSPF the source is the advertising router's router ID
distance 109 <router-id> 0.0.0.0 <acl>

6.4 OSPF Misc

LSA expiration in the DB: configured with timers pacing lsa-group

No Null0 route with summarization: no discard-route

7.0 BGP

An AS with 2 routers peered via iBGP, each with one eBGP peer; synchronization is on and IGP redistribution is forbidden.
Because of the synchronization rule, an iBGP-learnt route will not be installed unless it is also learnt via an IGP. So an eBGP-learnt route on one router will not be used by the other one through iBGP. The solution is a confederation, as the sub-AS peering becomes an eBGP-like peering.


7.5 BGP Community override

The task was to prevent a prefix from being sent out of the AS (no-export community) except through one router. The only way to do that is to rewrite the community on inbound on that router (internet community).

Sunday, 22 August 2010

IPExpert V3 Lab5

Troubleshooting
Ticket 1


Spent some time figuring out why the Frame Relay IPs were /32 -> the network type was point-to-multipoint non-broadcast, so the /32 is learnt from elsewhere. As it was forbidden to change the IGP, we see that the problem is multihop with the eBGP connection.

Ticket 4

PG set the distance of BGP multicast to be preferred; this seems a bit useless as there is no RPF tie, because there is no PIM on the interface used for unicast.

Ticket 7

Sham link to make the MPLS path preferred:

- The OSPF domain-id should be set in order for the routes to be IA.
- The sham link is built between 2 loopbacks owned by the VRF and redistributed into the BGP VRF.
- The loopback could be filtered toward the OSPF VRF.

Configuration
1.3 PPP secured without CHAP

Only EAP:
ppp authentication eap
ppp eap identity <name>     (no default identity in EAP)
ppp eap password <password>
ppp eap local               (to use the local username database)

1.5 Catalyst Interface tracking

Permits grouping multiple 'server interfaces' (downstream) with uplink interfaces (upstream) for redundancy purposes. When all upstreams are down, the downstreams are shut.
In this case the purpose was to err-disable some links when the uplinks are unavailable.

interface <Uplink>
 link state group 1 upstream

interface <ToServer>
 link state group 1 downstream

link state track 1

2.4 Redistribution

Tricky redistribution scenario. Follow these principles:
- Don't forget the 170 external AD of EIGRP, which prevents external routes from being preferred
- RIP areas were stubs. Playing with a distance >170 for external routes and 120 for RIP routes prevents a lot of problems
- Between EIGRP and OSPF, as there is mutual redistribution, filtering with tags is necessary. The proctor uses a tag of the advertising router.

3.5 OER/PFR

Setting up the OER/PfR network components is OK, the other phases less so:

Profile: choose the traffic to optimize
Measure: monitor the traffic and set thresholds
Control: choose the way to influence the best route.

Everything is done on the master through an oer-map:

oer-map TEST 10
 match traffic-class ...                    (profile)
 set delay threshold ...                    (measure)
 set active-probe ...
 set mode route control                     (control, BGP)
 set mode route metric bgp local-pref ...

To review

Wednesday, 18 August 2010

IPExpert V2 Lab16

1.0 TCP header-compression

Bonehead error: used UDP compression and forgot to specify frame-relay before ip tcp header-compression.

Verify with show frame-relay ip tcp header-compression

4.6 IPV6 Multicast RPF

Spent some time resolving an RPF issue. The BSR was refused because it was announced from an interface that was not the RPF interface (because PIM was disabled on the RPF interface).
Wanted to play with MP-BGP for IPv6 multicast, but the RPF rules are different from IPv4:

- No IPv6 unicast BGP check by default
- The longest prefix is chosen across the unicast and multicast tables of all routing tables
- The best AD is chosen in case of a tie

So the BGP IPv6 multicast AF is not preferred, as is the case in IPv4. Need to modify the AD of the IPv6 multicast AF and it works!

6.4 Inter AS MPLS

Did not remember the command to accept prefixes whose route-target is not attached to a local VRF:

no bgp default route-target filter

7.2 RSVP signalling tag with DSCP 46

I used a service-policy.
Simpler:

ip rsvp signalling dscp 46

Thursday, 12 August 2010

IPExpert V2 Lab15

3.2 BGP No-export

Bonehead error: I set the community via a route-map on the aggregate address but forgot send-community on the neighbor.


6.2 MPLS Label Filtering

New way (don't forget to disable mpls ldp advertise-labels for the ACL to take effect, otherwise everything will be authorized):

mpls ldp advertise-labels for <ACL_num>
no mpls ldp advertise-labels

Old style (defining oldstyle means only what is in the ACL is authorized):

mpls ldp advertise-labels for <ACL_num>
mpls ldp advertise-labels oldstyle
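The "new way" filled in, as an added example (not the lab's configuration): labels are advertised only for the loopback /32s, and only to one peer, so the LSRs do not hand out labels for every IGP prefix. The 10.255.0.0/16 loopback range, the ACL numbers and the peer LSR ID 10.255.0.2 are assumptions; the "to" peer ACL goes beyond the page's prefix-only filter.

```cisco
! prefixes for which labels may be advertised (loopbacks only)
access-list 10 permit 10.255.0.0 0.0.255.255
! LDP peers (by LSR ID) allowed to receive them
access-list 20 permit 10.255.0.2
!
! switch off the default advertise-everything behaviour first; without this
! line the "for" statement below is ignored and every prefix gets a label
no mpls ldp advertise-labels
mpls ldp advertise-labels for 10 to 20
!
! Verify: show mpls ldp bindings (only 10.255.x.x/32 should carry local
! labels) and show mpls ldp bindings neighbor 10.255.0.2
```

Label filtering is a common hardening step as well as a lab task: a prefix with no label simply is not reachable through the LSP, so an ACL mistake shows up as a broken LSP rather than as a silent leak.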

6.3 Broken LSP

Loopback 5 of router 5 is a /24, but OSPF advertises it as a /32 because it is a loopback.
The problem is that R5 has only the /24 in its routing table and will therefore advertise a label for the /24. The other routers have a route to the /32 with no MPLS label toward R5, which gives a broken LSP.

This can be verified with show mpls forwarding-table:
Local  Outgoing  Prefix
Tag    Tag
20     Untagged  100.23.5.5/32

After the loopback is set to the OSPF point-to-point network type:
Local  Outgoing  Prefix
Tag    Tag
20     Pop Tag   100.23.5.0/24

2nd point:

On an NBMA network, the next hop of a spoke network will be the spoke, but there is no LDP relationship between spokes, so there are no labels for the spoke network. The idea is to force the hub to reset the next hop to itself so that it matches the peer that advertised the label, or to add a route to the spoke network on the hub; the best-route next hop will then match the label advertised by the hub.


7.6 As-override and Site Of Origin

The task was about customers of AS 100 always using AS 18 in a loop-free manner.
I only configured allowas-in 1 on the customer side.

The proctor used a Service Provider-side solution:
AS-override, so that in all routes AS 18 is replaced by AS 100. As the customers are in AS 18, incoming routes from 100 will be accepted, creating a routing loop.

Using SoO prevents it in case of multihoming:
incoming routes from a site are tagged on the PE
route-map SoO permit 10
 set extcommunity soo 100:18
!
neighbor x.x.x.x route-map SoO in

It will automatically prevent routes with the same SoO from re-entering the same site.
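The PE-side solution (as-override plus SoO) and the CE-side alternative (allowas-in) from the 4.4 AS Override note, as an added example (not the lab's configuration). VRF name, BGP AS 100 for the provider, the PE-CE link 10.0.1.0/30 and the SoO 100:18 for this site are assumptions; in practice each site gets its own SoO value.

```cisco
! --- PE side, provider AS 100; CE 10.0.1.2 sits in customer AS 18 ---
route-map SoO-SITE1 permit 10
 set extcommunity soo 100:18
!
router bgp 100
 address-family ipv4 vrf CUST
  neighbor 10.0.1.2 remote-as 18
  neighbor 10.0.1.2 activate
  ! replace AS 18 with 100 in the AS_PATH so the other AS-18 sites accept it
  neighbor 10.0.1.2 as-override
  ! tag everything this site sends; the PE refuses to send a route carrying
  ! the same SoO back towards the site, which breaks the multihoming loop
  neighbor 10.0.1.2 route-map SoO-SITE1 in
!
! --- CE-side alternative: accept one occurrence of its own AS ---
router bgp 18
 neighbor 10.0.1.1 remote-as 100
 neighbor 10.0.1.1 allowas-in 1
```

show ip bgp vpnv4 vrf CUST <prefix> on the PE shows the extended community "SoO:100:18"; the CE-side allowas-in only removes the loop check, so the SoO tag is what actually stops a dual-homed site from re-importing its own prefixes.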

8.4 Identd

Even with the DocCD I didn't find this: it's about telnetting to port 113 and learning which port my other connections to this router use.


Saturday, 7 August 2010

IPExpert V2 Lab14

3.2 PPP Authentification with MPPP

PAP or CHAP authentication should be done on the physical interface and not on the Multilink1 or virtual-template interface!! -> Wrong: even if the proctor applies it on the physical interface, it's OK to put it on the multilink interface or the virtual-template.

4.4 OSPF Max-metric

The task was about making OSPF wait for BGP to converge before advertising links, for a maximum of 600 seconds of wait time.

The idea is to use the max-metric command to make the generated LSAs the least preferred until BGP has converged:

max-metric router-lsa on-startup wait-for-bgp

5.1 BGP new configuration style

It was just about configuring the peers inside the IPv4 AF.

12.3 filtering Imported route into a VRF

I used a route-map on the neighbor in the VPNv4 family, but it's not scalable as it filters the prefixes for all VRFs (not a problem in this case because there's only one, but in real life ...)

Filtering with a route-map can be done inside the VRF with:

ip vrf ccie
 import map ROUTE-MAP-NAME

IPExpert V2 Lab13

1.0 PVC Bandwidth

It was only about setting the bandwidth information for the routing protocol, not traffic shaping.

3.1 DCE Clocking


To see which side is DCE/DTE:
show controllers serial
The clock rate is set only on the DCE side.
On Dynamips both sides are DCE.

6.2 BGP Aggregation

Bonehead mask error!

Monday, 2 August 2010

IPExpert V3 Lab4

2.1 Unicast RIP

Using neighbor was the right way, but to prevent multicast I used an access-list; a simpler way was to make the interface passive. The neighbor command overrides passive-interface. The network statement is also needed.


2.3 EIGRP Weight

A bit of a recap:

Metric order for the set metric command is: bandwidth delay reliability load mtu
K order for the metric weights command is: TOS K1 (bandwidth) K2 (load) K3 (delay) K4 (reliability) K5 (mtu)

5.2 QOS on subinterface

I used a hierarchical policy-map to apply CBWFQ on a FastEthernet sub-interface.

Another solution was to apply it on the physical interface and match the VLAN of the sub-interface:

class-map match-all PIN
 match dscp af31
 match vlan 211

6.3 Activate ssh

! hostname and domain-name must be set before generating the key pair
ip domain-name ipexpert.com
crypto key generate rsa

line vty 0 4
 transport input telnet ssh
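The same activation taken a step further, as an added example (not the lab's configuration, which had to keep telnet): SSH version 2 only, a 2048-bit key, local login and a management ACL on the vty lines. The hostname, the admin user and secret and the 10.0.0.0/24 management subnet are assumptions; the domain name is the one used above.

```cisco
hostname R1
ip domain-name ipexpert.com
! hostname + domain-name form the key label, so they come first
crypto key generate rsa modulus 2048
! SSHv1 is disabled by forcing version 2
ip ssh version 2
!
username admin privilege 15 secret AdminPass
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 ! only the management subnet may open a session
 access-class MGMT in
 login local
 ! ssh only: no cleartext telnet on the vty lines
 transport input ssh
 exec-timeout 10 0
```

show ip ssh confirms "SSH Enabled - version 2.0"; show users lists the open sessions and the line each one holds.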

6.4 Archive Backup

Permits performing backups of the running-config on a regular basis or whenever the configuration is saved (write memory), and keeps a revision history.

! path must be configured before maximum is accepted
archive
 path flash:backup
 maximum 10
 time-period 30
 write-memory


show archive
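The archive block extended with configuration change logging, as an added example (not the lab's configuration): on top of the periodic backups, every configuration command is recorded with the user and line that entered it, passwords are masked, and changes are sent to syslog. The path flash:backup is the one used above; the log size is an assumption.

```cisco
archive
 path flash:backup
 maximum 10
 time-period 30
 write-memory
 ! record every configuration command with user and terminal
 log config
  logging enable
  ! keep the last 200 entries in memory
  logging size 200
  ! mask passwords and keys in the log
  hidekeys
  ! also emit each change as a syslog message
  notify syslog
!
! Inspect:
!   show archive                      - the numbered backups (flash:backup-1, ...)
!   show archive log config all       - who changed what, and when
!   show archive config differences flash:backup-1 system:running-config
```

The differences command is the useful one in an incident: it shows what changed between a known-good backup and the running configuration, line by line.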