Monday, 20 September 2010

IPEXPERT Vol3 Lab 10

Troubleshooting

Ticket 4: VRF leaking

The purpose was to interconnect two OSPF area 0 domains through another router that should not be aware of those routes, without using GRE.
The solution is VRFs. I first used a single VRF on the middle router, put the interfaces interconnecting the two domains into that VRF and ran one OSPF process in it. The routes then appeared as intra-area, whereas the task asked for inter-area. The fix:

- one VRF per domain
- one OSPF process per domain, redistributing BGP
- VRF leaking between both VRFs with route-target import/export
- mutual BGP<->OSPF redistribution in each VRF
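As an added worked example (not from the workbook or these notes), the per-domain VRF layout described above on the middle router; VRF names, interface names, addresses, the AS number and the domain-id are assumptions:

```cisco
! Added example (assumed names/addresses): two VRFs, one per OSPF domain,
! leaked into each other via route-target import/export on the same router.
ip vrf DOMAIN_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:2
ip vrf DOMAIN_B
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:1
!
interface FastEthernet0/0
 ip vrf forwarding DOMAIN_A
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip vrf forwarding DOMAIN_B
 ip address 10.2.2.1 255.255.255.0
!
! One OSPF process per VRF; each redistributes what BGP leaked into its VRF.
! The same domain-id on both processes makes the leaked routes show up as
! inter-area (type 3) instead of external (type 5); with two different
! process numbers the default domain-ids would differ (assumption, not in the notes).
router ospf 10 vrf DOMAIN_A
 domain-id 0.0.0.1
 redistribute bgp 65000 subnets
 network 10.1.1.0 0.0.0.255 area 0
router ospf 20 vrf DOMAIN_B
 domain-id 0.0.0.1
 redistribute bgp 65000 subnets
 network 10.2.2.0 0.0.0.255 area 0
!
! The BGP process is needed for the route-target based leaking even
! though it has no neighbor: OSPF -> VRF A -> leak -> VRF B -> OSPF.
router bgp 65000
 address-family ipv4 vrf DOMAIN_A
  redistribute ospf 10 vrf DOMAIN_A match internal external 1 external 2
 address-family ipv4 vrf DOMAIN_B
  redistribute ospf 20 vrf DOMAIN_B match internal external 1 external 2
```

Check with "show ip route vrf DOMAIN_B" on the middle router and "show ip ospf database summary" on a domain router: the other domain's prefixes should be type 3 LSAs there.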


Configuration

Task 2.5

Use of the local-AS community: used in a confederation, it permits advertising a route only inside the local member AS, not to eBGP peers nor to the other member ASes of the confederation.

Task 5.1

AAA authentication.
Usually the methods of an authentication method list are tried in order: if the first one fails, the second one is used. "Fails" here means no answer from the method, not an authentication failure due to a missing user or a wrong password.
There seems to be an exception with local. If local is first, it is tried first; with a wrong password the process stops there, but if the user does not exist in the local database it goes on to the next method:

username ccie password ipexpert
aaa authentication login default local group radius

This will authenticate ccie locally and use RADIUS for all other users.

Monday, 13 September 2010

IPExpert V3 Lab9

1.1 VTP pruning in transparent mode

A "show vtp status" output shows transparent mode with VTP pruning enabled.
You need to configure pruning in server mode first, then switch to transparent mode. Be careful if extended VLANs are configured!

1.2 Load-balancing method over EtherChannel

By default: source MAC.
The question was about making sure one host will not saturate one link. Load balancing on source and destination IP (or MAC) was the key.

1.4 Layer 2 protection task

The task asked to make part of the topology unknown to the CE routers. It should be implemented in two ways:
- Two devices should interconnect on one VLAN that should not be propagated on the network -> QinQ.
A new VLAN is attributed to encapsulate the forbidden VLAN on the trunk links.
- R4 should be connected to Cat4 on VLAN X; there is a switch between R4 and Cat4 that should not know VLAN X. Easy, just with access ports:

R4 vlanX ------- vlan Y Cat vlanY ------ vlanX Cat4

1.7 Load-sharing

By default, equal-cost IP load balancing is done by CEF on a per-destination basis.
It can be configured per-packet:

int C
 ip load-sharing per-packet

2.7 BGP redistribution as-path

When redistributing local routes, if you want them to appear as coming from an AS:

set origin egp <AS>
set as-path prepend <AS>

3.3 L2VPN AToM

The purpose was L2VPN over MPLS.
- Use xconnect with encapsulation mpls. The destination is the remote PE device and the circuit is identified by an identical VC id on both sides.
- Needs LDP.
- Can be done under subinterfaces.
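The three points above put together on one PE, as an added example (not the workbook's configuration); loopback, addresses, interfaces and VC ids are assumptions:

```cisco
! Added example (assumed addresses/interfaces): AToM pseudowires on one PE.
! LDP must run with the core neighbor; xconnect builds the targeted LDP
! session to the remote PE by itself.
mpls ldp router-id Loopback0 force
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Serial0/0
 description core link towards the remote PE
 ip address 10.0.12.1 255.255.255.0
 mpls ip
!
! Port mode: the whole interface is carried to remote PE 10.255.0.2, VC id 100.
interface FastEthernet0/0
 no ip address
 xconnect 10.255.0.2 100 encapsulation mpls
!
! VLAN mode: only VLAN 10, received on a subinterface, is carried, VC id 110.
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 10.255.0.2 110 encapsulation mpls
!
! The remote PE mirrors this with "xconnect 10.255.0.1 100/110 encapsulation mpls".
! Verify: show mpls l2transport vc (status UP), show mpls ldp neighbor (targeted session).
```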

4.0 Multicast VPN

Steps for multicast VPN:
- Configure the provider network with PIM.
- If PIM-SSM is used, the MDT address-family should be activated between the PEs to share the PE source addresses of the MDT tunnels.
- Configure multicast for each VRF: activate it and choose a unique MDT default group address for each multicast domain.
- Activate PIM on the client-side interface of the PE.
- Configure the multicast domain on the client side as usual.

The provider network is seen as a LAN.
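The steps above on one PE with SSM in the core, as an added example (not from the workbook); VRF name, addresses, AS number, the MDT group and the customer RP are assumptions:

```cisco
! Added example (assumed names/addresses): PE side of an MVPN, SSM in the core.
ip multicast-routing
ip multicast-routing vrf VPNA
!
! Step 1: PIM in the provider network, SSM range for the MDT groups.
ip pim ssm default
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-mode
interface Serial0/0
 ip address 10.0.12.1 255.255.255.0
 ip pim sparse-mode
 mpls ip
!
! Step 3: per VRF, a unique MDT default group (232/8 is the SSM default range).
ip vrf VPNA
 rd 65000:1
 route-target both 65000:1
 mdt default 232.1.1.1
!
! Step 2: with SSM there is no RP in the core, so the PEs learn each other's
! MDT source address through the MDT address-family.
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.2 activate
 address-family ipv4 mdt
  neighbor 10.255.0.2 activate
!
! Steps 4 and 5: PIM on the PE-CE interface, customer RP as usual inside the VRF.
interface FastEthernet0/0
 ip vrf forwarding VPNA
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
ip pim vrf VPNA rp-address 192.168.255.1
!
! Verify: show ip pim mdt bgp, show ip pim vrf VPNA neighbor (the remote PE
! appears as a PIM neighbor on the Tunnel interface: the core seen as a LAN).
```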

5.0 Parser view

- enable secret
- aaa new-model
- Go into the root view with "enable view"
- Configure authentication login and authorization exec
- Configure the view:
parser view XXX
 commands exec include ping
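The whole sequence for a restricted operator view, as an added example (not the workbook's solution); view name, user names, passwords and the included commands are assumptions:

```cisco
! Added example (assumed names/passwords): a restricted CLI view for an operator.
enable secret 0 EnableSecretHere
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Bind the user to the view: the user lands in OPS directly at login and
! never sees the full exec.
username ops view OPS secret 0 OpsPassword
!
! From exec mode, first enter the root view with the enable secret:
!   Router# enable view
! Then define the view and the only commands it may run.
parser view OPS
 secret 0 ViewPassword
 commands exec include ping
 commands exec include show ip interface brief
 commands exec include show ip route
!
! Verify: "show parser view" lists the views; "enable view OPS" then "?"
! must show only the included commands (and their parent keywords).
```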

6.3 VRF-aware NAT

Performing NAT between a VRF and the global (outside) table is pretty much the same as normal NAT, except:
- ip nat inside source ... should use the vrf keyword, specifying which VRF is the inside
- A route leak should be configured from the VRF to the global routing table:

ip route vrf VPNA 0.0.0.0 0.0.0.0 10.0.0.1 global

This tells the VRF that, to go out, it should use 10.0.0.1, which is in the global RIB.
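Both points together, as an added example (not the workbook's configuration); the VRF name VPNA and the next hop 10.0.0.1 are taken from the notes, the interfaces, inside subnet and ACL number are assumptions:

```cisco
! Added example (assumed interfaces/addresses): hosts in VRF VPNA translated
! out of an interface that lives in the global table.
ip vrf VPNA
 rd 65000:1
!
interface FastEthernet0/0
 description inside, in the VRF
 ip vrf forwarding VPNA
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 description outside, in the global table
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
!
! Leak: default route inside the VRF whose next hop is resolved in the global RIB.
ip route vrf VPNA 0.0.0.0 0.0.0.0 10.0.0.1 global
!
! The translation rule names the VRF that owns the inside addresses.
! Overloading on the outside interface address means the global side
! already knows the return route (it is a connected address).
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 vrf VPNA overload
!
! Verify: show ip nat translations vrf VPNA, show ip route vrf VPNA.
```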

Wednesday, 8 September 2010

IPExpert V2 Lab20

1.2 IRB

The same IP on both VLANs -> consider IRB.
Don't forget to activate both commands to bring the BVI up:

bridge 1 protocol ieee
bridge 1 route ip

3.4 Default route in NSSA

NSSA -> the default route is Type 7, with "area 40 nssa default-information-originate"
Totally NSSA -> the default route is Type 3

In the first case the metric can be defined by adding the metric keyword after default-information-originate.
In the second case the metric used is the configured default-cost for stub/NSSA, default 1.
It can be changed with

area 40 default-cost X


6.2 Redistribution

Task: redistribute all loopbacks into the relevant protocol. As redistribution is not transitive, we have to redistribute the loopback into all the protocols used on a given router.

Don't forget that when a route-map is used on "redistribute connected" to redistribute only the loopback, it will prevent any connected interface activated for protocol A from being redistributed into protocol B. The route-map should be modified to also accept this interface.

7.3 BGP AS filtering

AS50 permits only directly connected clients of AS102 to transit:
I understood that AS102 could use AS50 as transit and that the other routes learned from 102 could be learned but not use AS50 as transit, so I matched all routes not coming from 102 and tagged them no-export.

The proctor solution was to accept 102, or 102 + one AS, and filter all the others. Regexp to match 102 + the ASes directly connected to 102:

^102(_[0-9]+)?$

8.4 PBR + tunnel

The task asks for certain traffic between two BBs to transit transparently:

- Create a GRE tunnel between the ingress and egress routers
- Match the traffic
- PBR it to the tunnel interface

9.2 Modifying the CoS-to-DSCP map

Default values are found on the DocCD:

mls qos map cos-dscp ....

11.2 Prevent telnet access to R2 except from R6, with no config on R2

I configured ACLs on the neighbor routers.
The solution guide configured a VLAN ACL, which is wrong as R2 has two serials.
Anyway, a VACL is a good way to think of it in other cases.

Monday, 6 September 2010

IPExpert V2 Lab18

5.3 EIGRP timers

The task was to make EIGRP detect a neighbor down in half the default time.
That means a hold time of 7.5 s, but don't forget to change the hello time too, because the default 5 s can cause instability.

Important: in EIGRP, the hold time can be different on each side, because what we configure on R1 for example means "Hello, I'm R1; neighbor, if you don't hear from me in X seconds, I'm dead."

In OSPF, timers should be the same on both sides, and changing the hello automatically changes the dead time to 4x.


6.1 OSPF loopback

Bonehead error: I forgot what the guidelines asked, "the prefix should appear in the RIB with its original mask". I dumbly advertised the loopback as a /32. Options:
- change the ip ospf network type of lo0
- redistribute connected
- put lo0 in another area and summarize to the regular mask.

7.3 BGP prefix-length route filtering

The task was about filtering all prefixes of /24 or longer.
I filtered the longer ones but let the /24s themselves through. As all routes were /24, I missed the point: find a way to summarize to /23 to let them in!!

8.1 Time to wait before an outgoing telnet session times out

Play with the SYN wait timer:

ip tcp synwait-time 5

8.2 Default NTP stratum

Is 8, not 16. So "2 less than the default" is 6. Stupid error.

10.2 Policing on a subinterface

MQC policing on a subinterface is permitted. The other way, which the design guide chose, is to apply it on the main interface and match the subinterface VLAN.

A simple reminder: it is the queueing techniques that are not allowed on subinterfaces (LLQ and CBWFQ). To make this work you need to apply shaping on class-default and nest an LLQ or CBWFQ policy-map under it.

11.3 Rate-limit multicast

I configured it with MQC. One can also use ip multicast rate-limit.

Sunday, 5 September 2010

IPExpert V2 Lab19

2.2 OSPF max LSA

I only configured max-lsa 1000, which by default drops adjacencies for a certain amount of time, whereas only a warning was asked for when 1000 is reached:

max-lsa 1000 100 warning-only

5.1 IPv6 multicast

A simple static-RP IPv6 multicast task, BUT the joined group was on a non-IPv6 interface! You have to enable IPv6 on the interface joining the group even if no address is configured:

int f0/0.21
 ipv6 enable
 ipv6 mld join-group FF15::2

5.2 SSM multicast

- As the joined group is set on the VLAN, we need to enable IGMP on the downstream router interface to process the join message (remember there is no RP to report the source to).
- Doesn't seem to work with IGMP v3lite; needs IGMP version 3.

8.3 3560 Queue-set configuration

Wednesday, 1 September 2010

IPExpert V3 Lab8

Troubleshooting

Ticket 6

Classical EIGRP<->OSPF loop:

- Filter with tagging.
This brings suboptimal routing, which can be resolved by
- increasing the OSPF distance on the other mutual-redistribution router to something higher than external EIGRP.



Ticket 9: L3 VPN

The workbook comes with a problem I don't have, because I had corrected the suboptimal routing:

A PE loopback is learned from OSPF on a partial-mesh NBMA network hub, which prevents label switching for it because the next hop is the spoke while the LDP neighbor advertising the label is the hub router.
"show ip cef" shows no label for the PE loopback prefix.
Making the prefix learned by EIGRP is a workaround.
Another one, if we want it to work on NBMA: use the point-to-multipoint OSPF network type. The hub will be the next hop, so it will match the LDP neighbor address.


Ticket 10: RP

The BSR/RP is not learned. Still an RPF problem: the PIM-enabled interface is not the RPF interface for the RP address. Change it by advertising the RP in EIGRP, or play with distance to make EIGRP preferred for the RP address.



Configuration

1.6 IP phones

The purpose was to configure both the access VLAN and the voice VLAN in one command.
This was a good time to use the pre-defined Cisco macros, listed with

sh parser macro

The one to use is cisco-phone. Use "sh parser macro name cisco-phone" to discover how to use it, and apply it with:

macro apply cisco-phone $access_vlan X $voice_vlan Y

1.7 Private VLAN

Don't forget to map the secondary VLANs on the SVI and to set the routers' ports on the VLAN as promiscuous:

vlan P
 private-vlan primary
vlan I
 private-vlan isolated
vlan C
 private-vlan community
vlan P
 private-vlan association C,I
int vlan P
 private-vlan mapping C,I
int I
 sw mode private-vlan host
 sw private-vlan host-association P I
int C
 sw mode private-vlan host
 sw private-vlan host-association P C
int R
 sw mode private-vlan promiscuous
 sw private-vlan mapping P add C,I

2.0 MLPPPoFR

A reminder on all kinds of multilink:

MLPPP with a Multilink interface

int s0/0
 encap ppp
 ppp multilink group 1

int s0/1
 encap ppp
 ppp multilink group 1

int Multilink 1
 encap ppp
 ppp multilink group 1
 (where IP and the rest go)

MLPPP with a virtual-template

multilink virtual-template 1
int s0/0
 encap ppp
 ppp multilink

int s0/1
 encap ppp
 ppp multilink

int virtual-template 1
 encap ppp
 ppp multilink
 (where IP and the rest go)

The difference with the Multilink interface is that the virtual-template is cloned into virtual-access interfaces and can create multiple bundles, all with the same IP!!! A kind of multipoint PPP.
Example: 2x2 serials arriving on a hub router; the 4 serials on the hub call one VI interface, and the 3 routers will use one subnet between them.
PPP installs a /32 host route for each peer.

Multilink Frame Relay (FRF.16)

Permits using multiple physical links as one Frame Relay bundle:

int mfr1
 (IP and the Frame Relay mappings go here)
int s0/0
 encap frame-relay mfr1
int s0/1
 encap frame-relay mfr1

MLPPPoFR with a virtual-template

Permits using multiple DLCIs on one interface.

Like PPP with a virtual-template, but the VI is called with

frame-relay interface-dlci DLCIx ppp virtual-template 1
frame-relay interface-dlci DLCIy ppp virtual-template 1

Point-to-multipoint is still available as the IP of the VI is replicated on each bundle.

int virtual-template 1
 encap ppp
 (where IP and the rest go)

WRONG WAY:
MLPPPoFR with multilink

Not very interesting as the configuration is much the same as with the VI, but it only permits point-to-point:

frame-relay interface-dlci DLCIx ppp virtual-template 1
frame-relay interface-dlci DLCIy ppp virtual-template 1

int virtual-template 1
 encap ppp
 ppp multilink group X
 (where IP and the rest go)

The bandwidth information used by the routing protocol goes on the physical interfaces if a Multilink interface is used, or on the virtual-template; the bundle bandwidth is the sum of the physical (or VI) interfaces.

An IP configured directly on the virtual interface could prevent OSPF from forming an adjacency or exchanging routes: use ip unnumbered on the VI and put the real IP on a loopback.

3.2 Interconnecting two EIGRP ASes

Easy task but I missed it: GRE tunnel.

3.5 Redistribution

- Mutual redistribution between OSPF and EIGRP: make one router preferred for outbound and the other for inbound. Play on the redistribution metrics on both. Be careful: one router also learns the route via RIP, making it better than external EIGRP; the administrative distance of external EIGRP needs to be changed to 109.

5.1 BGP redistribution of OSPF

- Redistribute only our networks into BGP, filtering with an ACL on the RR. Be careful to also include the external routes.
- The border router will summarize towards the external neighbor (preventing the border's connected routes from also being redistributed). Those summaries should be filtered back towards the inside.
- The border router will import external routes with the no-export community.
- To choose the preferred default route: set local-preference in order of preference, and make the BGP distance for the default preferred over the other protocols.

7.0 NAT

The NAT task was OK, but I forgot to redistribute the pool into the IGP so that the return routes are known by the neighbor.