Shafagh.com

Xirrus

Shafagh — Mon, 19 Jul 2010 11:15:54 +0000

Perhaps you’ve heard about the Xirrus wireless vendor and its XN16 product: 16 Integrated Access Points in a single device which provides 4.8 Gbps total Wi-Fi bandwidth for up to thousand wireless clients. One array has 16 built-in AP with 48 integrated antennas, giving you 2 GigE ports as uplink to connect to your infrastructure.

What you might not be able to find easily, is how to configure them!!

I searched a lot to find what’s the console baud rate and found this:

Q: What is Xirrus console speed?

A: Use the following setting when establishing a serial connection:

Bits per second 115200

Databits 8

Parity None

Stopbits 1

Flow control None

Q: What is Xirrus default IP address?

A: If a DHCP server is not being used, you may connect using the Array’s default IP
addresses (10.0.2.1).

Q: What is Xirrus default username/password?

A: admin/admin

Sample Configuration?

administrator
reset
edit admin password admin read_write
exit
!
interface eth0
ip dhcp
up
exit
!
interface gig1
ip addr      192.168.0.10
ip mask      255.255.255.0
ip gateway
up
exit
!
interface gig2
up
exit
!
date-time
timezone      0 0
exit
!
ssid
reset
!
edit "xirrus"
    band        both broadcast
    vlan        none
    qos         2
    encryption none global_settings
    auth        open
    enable
exit
exit
!

Further Reference:

To configure XS4

www.xirrus.com/pdfs/array_quick_install_guide_XS4.pdf

To configure XS8 or XS16

www.xirrus.com/pdfs/array_quick_install_guide_XS8-16.pdf

To configure Xirrus Management System (Linux) – XMS

www.xirrus.com/pdfs/XMS_QuickStart_4.0-002B.pdf

ASA Second Internet

Shafagh — Sun, 25 Apr 2010 11:12:42 +0000

As you may or may not know, ASA does not support having two different default gateways through different interfaces, so you can not have two different internet links. As Internet is expensive in Dubai, our customer wants to use two internet ADSL links, One for browsing/emails and another link for VPN tunnels. VPN tunnels are IPsec – site to site tunnels, so we know where is the end-point. There’s a feature in ASA called tunneled route:

“Users will have the option to configure two default gateways, one with a "tunneled" option and one without. All traffic that arrives at the appliance and cannot be routed using learned routes or static routes will be routed through default gateways. If the traffic was encrypted when it initially arrived at the appliance, it will be routed through Default Tunnel Gateway (DTGW); otherwise, it will be routed through Default Gateway (DGW). A set of default gateways can be installed for each virtual context”
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd805f0bd6.html

But we have to keep in mind that it is not related to our issue, it’s for ingress traffic from tunnel terminating on our ASA… so this feature won’t work for us.

… Not a big deal… we don’t need to configure second default gateway, as we can use static route pointing to that specific site through second outside interface… something like:
route outside2 x.x.x.x 255.255.255.255 217.x.x.x (providers IP)

After setting up a route to destination through the second link, we have to set our IPsec and ISAKMP packes to use the proper source address from second link using crypto identifiers, then check “show crypto isakmp/ipsec sa” to see if traffic is sourced/originated from second internet link’s IP address…

But there’s a small problem, I saw traffic is coming through tunnel endpoint and they are able to send and recieve packets using encrypt/decrypt counter of “show crypto ipsec sa” but we were not able to ping or create a connection to the other side.

Using “debug icmp trace” I figured out that ASA is sending traffic to outside interface (default gateway) instead of outside2, another static route was required for tunneled traffic.

route outside2 10.x.x.x 255.0.0.0 217.x.x.x (providers IP)

Extreme Networks Switches

Shafagh — Sun, 04 Apr 2010 15:41:19 +0000

Next month we are going to implement a campus area network for an American school using extreme switches, I attended 5 days extreme seminar to learn their command line interface and network management software. Here are some notes for those who like to know more about extreme switches portfolio:

Hardware

BlackDiamond: Chassis-based high-port density switches for Carrier-Ethernet service providers and enterprise core
Summit: Standalone switches from L2 100Mbps to L3 10Gig top-of-rack datacenter switches.
ReachNXT: Port Extender – Manageable by an access switch via XOS
SummitWM: Wireless controllers
Altitude: Wireless Access Points
Sentriant NG: Intrusion Protection System (IPS)
Sentriant AG: Network Access Controller (NAC)

Software

ExtremeWare is VxWorks based = first generation of Extreme networks operating system
ExtremeXOS = 2nd Generation OS based on Linux kernel and BusyBox
EPICenter = Network Management Tool

Configuration

Switch CLI prompt is driven from SNMP host name value

Space bar to go to BootROM: for return to factory default configuration: config none

Extreme FDB = Forwarding Database for MAC addresses – 300 Sec Aging timer per MAC

IP FDB (L3) for IP forwarding
    show iparp
    show fdb
    create fdbentry
    delete fdbentry
    disable learning
    enable learning

# configure ports 1 vlan accounting unlimited-learnings
# configure ports 1 vlan accounting learning-limit 3 (use aging timer also) (only for dynamic entries)

Lock-learning (sticky mac)
# configure ports 1 vlan VLAN1 lock-learning
# configure ports 1 vlan VLAN1 unlock-learning
show vlan default security

ELSM (Extreme Link Status monitoring)
gets link status from other-end
   enable elsm ports
    disable elsm ports
    configure elsm ports
    clear elsm ports

VLANs

Port-based
802.1Q Tagged VLAN
Protocol-based VLAN
        create vlan vlan_name
        delete vlan vlan_name
        configure vlan vlan_name add ports
        configure vlan vlan_name delete ports
        disable vlan vlan_name
        enable vlan vlan_name
        configure vlan vlan_name tag
        configure vlan default delete port 7
        configure vlan ENGINEERING add port 7 untagged
        configure vlan ENGINEERING add ports 2,3 tagged
        show vlan ENGINEERING
        BPDU –> vlan0

Port Sharing (Aggregation) LAG
enable sharing 1 grouping 1-4 algorithm address-based lacp
show port sharing

Port Settings

   enable lldp port all
   show ports configuration no-refresh
   enable jumbo-frame ports all
   show vlan VLAN1 security

spanning-tree is disabled by default
EMI-STP Encapsulation – Extreme Multi Instance Spanning Tree – VST+ additional header

EAPS – Ethernet Automatic Protection Switching (Ring)

Ring Topology
L2 Protocol – Multicast MAC
EAPS version 2 (advanced feature – EAPS shared port for preventing superloop)
50 ms failover
Device Roles: Master node, Transit nodes
Primary/secondary port on each switch
Master blocks its secondary port
Control VLAN and Protected VLAN (one Control VLAN per EAPS domain)
EAPS flush FDB when there’s a topology change

        create vlan control_vlan_name
   configure vlan control_vlan_name tag vlan_tag
   configure vlan control_vlan_name add port tagged
        create eaps
        configure eaps mode master|transit
        configure eaps primary port
        configure eaps secondary port
        configure eaps add control vlan control_vlan_name
        configure eaps add protect vlan
        enable eaps
        enable eaps
        configure eaps fast-convergence [off|on] -> additional 250ms
        configure eaps name failtime expiry-action open secondary-port > by default sends alert!

EAPS with a Shared Port

Configure partner
Configure controller port
link-id must be same on both switches

SummitStack

Should have same image:
download image slot
40Gbps full duplex capacity per switch
MAX: 8 devices
        enable stacking
        show stacking
        show stacking configuration
        configure stacking easy-setup

IP Routing

By default is disabled
    enable ipforwarding
    configure iproute add x.x.x.x/x y.y.y.y
    show ipconfig
In new vlan ip forwarding might be disabled make sure to check.
show iproute
show ipstats
icmp is enabled by default

OSPF

    enable ipforwarding
    configure ospf routerid 1.1.1.1
    enable loopback vlanname (if you want to have loopback)
    configure ospf address VLAN1 area 0.0.0.0
    configure ospf address VLAN2 area 0.0.0.0
    enable ospf
    show ospf
    show ospf area 0.0.0.0
    show ospf neighbors
    show ospf lsdb

Redistribution is disabled and is configurable by policy files.
Core license required for OSPF DR/BDR function.
on edge / advanced edge license: we can not have DRs so priority:0

ESRP

Extreme Standby Routing Protocol – ESRP is extreme protocol for redundancy something like VRRP

QOS

No much QOS support
Traffic shaping is called metering
8 queue per interface
Queue 1 and 8 are used by default (2q)

Catalyst to ProCurve

Shafagh — Fri, 27 Nov 2009 10:05:47 +0000

Two months ago, as I blogged about it I passed HP ProCurve AIS exam and shared a summary of my preparation notes, Last week I passed Master ASE – HP ProCurve Campus LANs [2010] online exam (HP2-Z04) and became HP Master ASE – MASE, so I thought to share parts of my study notes as some customers are buying ProCurve instead of Cisco Catalyst (Budget reasons) it’s good to know equivalent terminologies and commands. Do I recommend HP ProCurve over Cisco Catalyst? No.

Cisco vs. HP terminology

Trunk Port = Tagged Port
Port Channel Interface = Trunk Port
Access port = Untagged Port
Auxiliary VLAN (voice) = tagged/untagged
Access port with Auxiliary = tagged (voice) + untagged (data)
                     vlan11
            untagged a1
        vlan12
            voice
            tagged a1
Interface Gigabitethernet0/1 = interface 1
Modular switches = interface a1 "Module name: a,b,c… from top left"
HP does not send CDP (can receive) – HP speaks LLDP – IEEE802.1AB
BPDU Guard = BPDU protection
Keepalive = Loop protection
SPAN = traffic mirroring

HP ProCurve software license

Edge License Features:

IPv4 RIP + Static Routes
IGMP
ACLs
QoS
Bandwidth Control
Edge Security
Basic IPv6

Premium Features:

OSPF + ECMP
PIM
IPv6 RIP + OSPFv3
VRRP
QinQ VLANs

WLAN Evolution

1st Gen: Standalone Access Points
2nd Gen: Centralized WLAN Management with Thin APs
3rd Gen: Multiservice Controller
4th Gen: Unified WLAN Architecture (Controller Blades) Mobility Controller
- Multi-Service Mobility Solution (MSM7xx)
  - Mobility License: Guest Roaming
- Mobility Manager Software (on top of ProCurve Manager – PCM)
  - Software updates
  - WLAN Security settings
  - Radio settings
  - Rogue detection
  - Monitoring and Troubleshooting
- ProCurve Guest Management Software
  - Authentication
  - Temporary Credentials + expiration + Printable Vouchers
- RF Manager
  - IDS/IPS
- RF Planner
  - Windows based WLAN planning software

PoE Devices

PD – Powered Device
PSE – Power Sourcing Equipment
- IEEE802.3af
- IEEE802.3at (PoE+) up to 24W
- Keep higher priority ports on lower port numbers
- We can use power shelf (zl switch) or RPS for additional power

LLDP vs. LLDP-MED

LLDP
- Network Management + Inventory data + IP/speed/duplex
LLDP-MED
- Voice VLAN, QoS, Location services, advanced PoE. detailed inventory management:
  - Class I IP communications controller
  - Class II IP phones, end user IP communication
  - Class III media streams, conference bridges

Quality of Service

Queues per port: 8
Rate limits: ingress & egress
GMB (guaranteed minimum bandwidth): egress only
Classification
- CoS
- DSCP/IPP
- VLAN
- Interface
- L2 Protocol
- IP Address/port
Marking
- 802.1p
- DSCP

Configurations

CLI
Menu Interface
GUI (HTTP/HTTPS)
PCM/PCM+
User Level:
- Operator Level
- Manager Level
  #password operator user-name operator plaintext password
  #password manager user-name manager plaintext password
  #include-credentials > to include security hashed texts in configuration views (Passwords/SSH key/RADIUS key, etc)
  show front-panel-security > to check reset/clear button setting

Port Configurations
#speed-duplex 1000-full

Aggregated Port (Trunk)
    #trunk 47-48 trunk1 trunk
    #trunk 47-48 trunk1 lacp
    #vlan 11 tagged trunk1
    #interface 47 name ‘link to other switch’
    show trunk
        Once the trunk is configured ports will become "untagged vlan1"

Spanning Tree
    #spanning tree
    #spanning tree 1-3 admin-edge-port (default is auto-edge-port which will wait for 3 seconds to see if there’s any BPDU)
    #no spanning tree 4 edge-port
    #spanning tree protocol-version mstp
    reload
    #spanning tree config-name "name"
    #spanning tree config-revision 1
    #spanning tree instance 1 vlan 1,2
    #spanning tree instance 2 vlan 3,4
    show spanning tree mst-config
    #spanning tree priority 0 (on root switch)
    #spanning tree priority 1 (on secondary root switch)
    #spanning tree instance 1 priority 0 (on root switch)
    #spanning tree instance 2 priority 1 (on secondary root/instance)

PoE
    show power-management
    show power-management brief
    #power threshold n (1-99) to alert if power usage raises

DHCP
    #dhcp-snooping
    #dhcp-snooping vlan 2
    #dhcp-snooping trust a1 (trusted port)
    #dhcp-snooping authorized-server 1.1.1.1 (DHCP server)

Traffic Mirroring
    #interface a1 monitor all both mirror 1
    #vlan 2 monitor ip access-group acl1 mirror 1
    #mirror 1 port a2
    show monitor

VLAN sample
    vlan 11
        name "VLAN11"
        untagged a9-a12
        ip helper-address 10.10.10.10
        ip address 10.11.11.11 255.255.255.0
        exit

IP Routing
    #ip routing
    #interface loopback 1 ip address 10.1.1.1
    #ip route 10.0.0.0/24 10.1.1.254

    router ospf
        area backbone
    vlan 2
        ip address 10.1.1.1 255.255.255.0
        ip ospf 10.1.1.1 passive
        ip ospf 10.1.1.1 area backbone
        ip ospf cost 10

Internet Through MPLS – Default Route Propagation

Shafagh — Mon, 09 Nov 2009 22:27:33 +0000

Yesterday we had a customer network migration from IPsec VPN to MPLS. Customer’s headquarter network wanted to be the point of internet sharing so that all branch offices use that point for internet browsing. OSPF was chosen to be the dynamic routing protocol between CE and PE, as ASA is deaf to BGP. We configured everything on CE side and contacted customer’s service provider to check their configuration, everything was fine, but the default route. We had injected a default route at HQ but the branch offices were unable to get that particular 0.0.0.0/0 route through MPLS.

The service provider (DU) told me that OSPF is not able to inject default route from one CE to another CE… and you have to migrate to BGP! what!? It’s not true… I’ve sent them a sample configuration to set on their PE LSRs, now it’s time to explain the problem in detail:

Customer 1 is injecting default-information via OSPF by “default-information originate” command to the service provider’s PE router.
Service provider receives LSA type 5 and should “redistribute ospf x vrf Customer1 match external” into MP-BGP to other PE.
BGP will not redistribute default-information unless we configure “default-information originate” under bgp address-family ipv4 vrf Customer1 (Tricky)
The other PE receives 0.0.0.0/0 via BGP from the first PE and should redistribute it to OSPF but it won’t unless we configure “default-information originate” under OSPF process.

In our example R7 is connected to internet using a static route. R7 injects internet to PE (R3) by “redistribute static subnets”. R3 redistribute that to BGP by “default-information originate” to the other PE (R2). Now R2 has 0.0.0.0/0 in the BGP and should redistribute it into OSPF and use “default-information originate” to send it to its own connected CE.

So I sent the following diagram to the provider for their reference:

Example (based on the first topology):

R7 (CE-Internet):
router ospf 1
redistribute static subnets
network 172.16.37.7 0.0.0.0 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 172.16.69.68
!

R3 (PE):
router ospf 147 vrf VPN1
redistribute bgp 666 subnets
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute ospf 147 vrf VPN1 match internal external 1 external 2
default-information originate
no synchronization
exit-address-family
!

R2 (PE):

router ospf 147 vrf VPN1
redistribute bgp 666 subnets
network 0.0.0.0 255.255.255.255 area 0
default-information originate
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute ospf 147 vrf VPN1 match internal external 1 external 2
no synchronization
exit-address-family

Verification:

R3#show ip ospf 147 database

OSPF Router with ID (172.16.37.3) (Process ID 147)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#
172.16.37.3     172.16.37.3     1047        0×8000
172.16.37.7     172.16.37.7     1021        0×8000

Net Link States (Area 0)

Link ID ADV Router Age Seq#
172.16.37.3 172.16.37.3 1047 0×8000

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq#
172.16.24.0 172.16.37.3 1047 0×8000

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#
0.0.0.0         172.16.37.7     482         0×8000
47.47.47.4      172.16.37.3     1047        0×8000
47.47.47.7      172.16.37.7     1021        0×8000

R3#show ip route vrf VPN1

Routing Table: VPN1
Gateway of last resort is 172.16.37.7 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.37.0 is directly connected, Ethernet0/2
B       172.16.24.0 [200/0] via 2.2.2.2, 01:27:35
     47.0.0.0/32 is subnetted, 2 subnets
O E2    47.47.47.7 [110/20] via 172.16.37.7, 01:24:49, Ethernet0/2
B       47.47.47.4 [200/20] via 2.2.2.2, 01:27:35
O*E2 0.0.0.0/0 [110/1] via 172.16.37.7, 00:09:39, Ethernet0/2

R2#show ip bgp vpnv4 vrf VPN1
BGP table version is 41, local router ID is 2.2.2.2
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 172.16.12.2:1 (default for vrf VPN1)
*>i0.0.0.0          3.3.3.3                  1    100      0 ?
*> 47.47.47.4/32    172.16.24.4             20         32768 ?
*>i47.47.47.7/32    3.3.3.3                 20    100      0 ?
*> 172.16.24.0/24   0.0.0.0                  0         32768 ?
*>i172.16.37.0/24   3.3.3.3                  0    100      0 ?

R4#show ip route
Gateway of last resort is 172.16.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
O IA    172.16.37.0 [110/11] via 172.16.24.2, 03:32:41, Ethernet0/0
C       172.16.24.0 is directly connected, Ethernet0/0
     47.0.0.0/32 is subnetted, 2 subnets
O E2    47.47.47.7 [110/20] via 172.16.24.2, 01:27:21, Ethernet0/0
C       47.47.47.4 is directly connected, Loopback0
O*E2 0.0.0.0/0 [110/1] via 172.16.24.2, 00:12:15, Ethernet0/0

Note that branch offices still have their own internet as backup, so whenever MPLS goes down, they can use their own internet with IPsec capability to connect to the headquarter automatically, if I would use “default-information originate always” then CE would always advertise default route regardless of it’s existence in the routing table but in our case we have IP SLA monitored static route to the internet, and whenever it goes down OSPF will take back default-route advertisement (default-information originate – without always!) and branch office will use the higher administrative distance static route to its own internet (floating route). Then it will use IPsec to HQ as the crypto-map on internet interface will be triggered.

CCIE SP – MPLS Traffic Engineering

Shafagh — Sun, 01 Nov 2009 19:45:52 +0000

TE was the main driver and reason for MPLS invention. To utilize bandwidth of unused links, to have flexibility in path selection just like previous WAN switching technologies. To create Virtual circuits on top of IP networks. IP Routing is performed hop by hop and you can not dictate a policy to other hops. TE is configured on Head-End LSR and gets/uses a particular label for a particular path. (Explicit Routing/Source-based routing)

RSVP is used to prepare a path and create a tunnel and label to route packets through the network. Link State routing protocols are required as well to report available bandwidth on each link and also other extra information such as Maximum reserve-able bandwidth and so on. Extensions were made to RSVP (Carry Label, Record Route), OSPF and ISIS (Constrained Metric) to be able to do Traffic Engineering. So once that we want to enable Traffic Engineering on our SP backbone, we have to enable specific technologies in order to run TE, such as:

Enable TE (mpls traffic-engineering tunnels) on routers and ports.
Adjust reversable bandwidth with “ip rsvp bandwidth” on ports.
Tune your link state routing protocol to deliver TE attributes.
Create your tunnel on the head-end LSR (uni-directional) and send packets through it.

Example:

In our example, we will configure a TE tunnel from R3 to R4, and from R4 to R3 (reverse direction) to transit our traffic through R3 – R1 – R2 – R4.

Configuration

R3:

mpls traffic-eng tunnels
!
interface Tunnel1000
ip unnumbered Loopback0
tunnel destination 10.10.4.4
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 100
tunnel mpls traffic-eng path-option 5 explicit name myway
!
interface Loopback0
ip address 10.10.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.35.3 255.255.255.0
mpls ip
!
interface FastEthernet0/1
ip address 10.10.34.3 255.255.255.0
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
!
interface ATM2/0
ip address 10.10.13.3 255.255.255.0
ip ospf network point-to-point
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
pvc 100/0
protocol ip 10.10.13.1 broadcast
!
!
router ospf 10
network 10.10.0.0 0.0.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip explicit-path name myway enable
next-address 10.10.1.1
next-address 10.10.12.2
next-address 10.10.24.4
!

R1:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
!
interface ATM2/0
ip address 10.10.13.1 255.255.255.0
ip ospf network point-to-point
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
pvc 100/0
protocol ip 10.10.13.3 broadcast
!
!
router ospf 10
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!

R2:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 10.10.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 10.10.12.2 255.255.255.0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 1000
!
interface Serial1/0
ip address 10.10.24.2 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
mpls ip
mpls traffic-eng tunnels
frame-relay map ip 10.10.24.2 204
frame-relay map ip 10.10.24.4 204 broadcast
no frame-relay inverse-arp
ip rsvp bandwidth 1000
!
router ospf 10
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
network 0.0.0.0 255.255.255.255 area 0
!

R4:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 10.10.4.4 255.255.255.255
!
interface Tunnel1000
ip unnumbered Loopback0
tunnel destination 10.10.3.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 5 explicit name myway
no routing dynamic
!
interface Ethernet0/0
ip address 10.10.46.4 255.255.255.0
mpls ip
!
interface Ethernet0/1
ip address 10.10.34.4 255.255.255.0
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 1000
!
interface Serial1/0
ip address 10.10.24.4 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
mpls ip
mpls traffic-eng tunnels
frame-relay map ip 10.10.24.2 402 broadcast
frame-relay map ip 10.10.24.4 402
no frame-relay inverse-arp
ip rsvp bandwidth 1000
!
router ospf 10
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
log-adjacency-changes
network 10.10.0.0 0.0.255.255 area 0
!
ip explicit-path name myway enable
next-address 10.10.24.2
next-address 10.10.12.1
next-address 10.10.13.3
!

R3#show mpls traffic tunnel

Name: R3_t1000 (Tunnel1000) Destination: 10.10.4.4

Status: Admin: up Oper: up Path: valid Signalling: connected

path option 5, type explicit myway (Basis for Setup, path weight 66)

Config Parameters:
Bandwidth: 100   kbps (Global) Priority: 7 7   Affinity: 0×0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled   LockDown: disabled Loadshare: 100   bw-based
    auto-bw: disabled

InLabel : –
OutLabel : ATM2/0, 26
RSVP Signalling Info:
Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 176
RSVP Path Info:
My Address: 10.10.13.3
Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4 10.10.4.4
      Record   Route:   NONE
      Tspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
    RSVP Resv Info:
      Record   Route:   NONE
      Fspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits

LSP Tunnel R4_t1000 is signalled, connection is up
InLabel : ATM2/0, implicit-null
OutLabel : –
RSVP Signalling Info:
Src 10.10.4.4, Dst 10.10.3.3, Tun_Id 1000, Tun_Instance 131

Verification

Before:

R5#trace 10.10.6.6

Type escape sequence to abort.
Tracing the route to 10.10.6.6

1 10.10.35.3 [MPLS: Label 23 Exp 0]
2 10.10.34.4 [MPLS: Label 17 Exp 0]
3 10.10.46.6

After:

R5#trace 10.10.6.6

Type escape sequence to abort.
Tracing the route to 10.10.6.6

1 10.10.35.3 [MPLS: Labels 23 Exp 0]
2 10.10.13.1 [MPLS: Label 26 Exp 0]
3 10.10.12.2 [MPLS: Label 25 Exp 0]
4 10.10.24.4
5 10.10.46.6

Dynamic Path Configuration:

interface Tunnel1000
ip unnumbered Loopback0
tunnel destination 10.10.4.4
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 100
tunnel mpls traffic-eng path-option 10 dynamic
!

R3(config-if)#do sh mpls traf tu

Name: R3_t1000 (Tunnel1000) Destination: 10.10.4.4
Status:
Admin: up Oper: up Path: valid Signalling: connected

path option 10, type dynamic (Basis for Setup, path weight 1)

Config Parameters:
    Bandwidth: 100 kbps (Global) Priority: 7 7   Affinity: 0×0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled   LockDown: disabled Loadshare: 100 bw-based
    auto-bw: disabled

InLabel : –
OutLabel : FastEthernet0/1, implicit-null
RSVP Signalling Info:
       Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 178
    RSVP Path Info:
      My Address: 10.10.34.3
      Explicit Route: 10.10.34.4 10.10.4.4
      Record   Route:   NONE

R5#trace 10.10.6.6

Type escape sequence to abort.
Tracing the route to 10.10.6.6

1 10.10.35.3 [MPLS: Labels 23 Exp 0]
2 10.10.34.4
3 10.10.46.6

R3(config-if)#int fa 0/1
R3(config-if)#no mpls tra tun

R3#sh mpls tra tun

Name: R3_t1000 (Tunnel1000) Destination: 10.10.4.4
Status:
Admin: up Oper: up Path: valid Signalling: connected

path option 10, type dynamic (Basis for Setup, path weight 66)

Config Parameters:
    Bandwidth: 100 kbps (Global) Priority: 7 7   Affinity: 0×0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled   LockDown: disabled Loadshare: 100   bw-based
    auto-bw: disabled

InLabel : –
OutLabel : ATM2/0, 26
RSVP Signalling Info:
       Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 180
    RSVP Path Info:
      My Address: 10.10.13.3
      Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4
                      10.10.4.4
      Record   Route:   NONE
      Tspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
    RSVP Resv Info:
      Record   Route:   NONE
      Fspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
History:
    Tunnel:
      Time since created: 2 hours, 42 minutes
      Time since path change: 12 seconds
    Current LSP:
      Uptime: 12 seconds
    Prior LSP:
      ID: path option 10 [179]
      Removal Trigger: tunnel shutdown

LSP Tunnel R4_t1000 is signalled, connection is up
InLabel : ATM2/0, implicit-null
OutLabel : –
RSVP Signalling Info:
Src 10.10.4.4, Dst 10.10.3.3, Tun_Id 1000, Tun_Instance 136

CCIE Magazine

Shafagh — Thu, 29 Oct 2009 14:22:50 +0000

For those of you who haven’t heard about CCIE flyer magazine, is not a bad idea to check their website: http://www.ccieflyer.com. They have CCIE related stories, interviews, CCIE training boot camps with special pricing and also workbook promotions. CCIE Agent, Eman (Emmanuel Conde) is a CCIE recruiter promoted by Worldwide Channels of Cisco Systems.

Cisco VPN Client for Windows 7

Shafagh — Sat, 24 Oct 2009 07:58:28 +0000

October 2009 seems to be a super active month for Cisco, after introducing IOS 15, ISR 2nd Generation and the new version of CCIE, (and rumors of new catalysts), it’s time for Windows 7 and MacOS Snow Leopard to have Cisco VPN Client and Cisco SSL AnyConnect VPN Client versions, available to download. Here are some cool new features:

Split DNS Fallback: AnyConnect tunnels only DNS queries that match specific domains, sending other request to a public DNS server.
Log-on/off Scripting
Proxy Support Enhancements
Trusted Network Detection: AnyConnect automatically disconnect a VPN connection inside the trusted network.

Cisco VPN Client 5.0.06

vpnclient-win-msi-5.0.06.0110-k9.exe

Release Date: 19/Oct/2009

VPN Client Software for x86 version of 2000/XP/Vista/Windows 7 – Microsoft Installer

Note:

Win7 64bit and Vista 64bit are still not supported by Cisco VPN Client (IPsec), Cisco is pushing customers toward SSL VPN solution.

Cisco AnyConnect VPN Client 2.4

anyconnect-dart-win-2.4.0202-k9.pkg for Windows platforms.

anyconnect-linux-2.4.0202-k9.tar.gz tarball package for Linux platforms.

anyconnect-wince-ARMv4I-2.4.0202-k9.cab for Windows Mobile platforms.

anyconnect-macosx-i386-2.4.0202-k9.dmg for Mac OS X “Intel” platforms.

CCIE SP – L2TPv3

Shafagh — Thu, 22 Oct 2009 00:31:17 +0000

Layer2 Tunneling protocol version 3 (L2TPv3) has the capability to tunnel any Layer 2 payload over IP networks. L2TPv3 uses IP as transport so it can be used in any IP-aware network including MPLS. L2TPv3 tunnels are point to point.

Pseudowire = like a wire, but not really, emulates Layer2 over a packet switched network.
No IP or VRF configuration is required between PE-CE.

Example:

In this example R5 and R6 are provider’s PE routers. R7 and R8 are CE routers connected to R5 and R6. Using psudeowire R7 can connect to R8 just like a regular point-to-point ethernet connection.

R5:
!
pseudowire-class Customer1
encapsulation l2tpv3
ip local interface Loopback0
!
interface Loopback0
ip address 10.10.5.5 255.255.255.255
!
interface Ethernet0/3
no ip address
xconnect 10.10.6.6 1 pw-class Customer1
!

R6:
!
pseudowire-class Customer1
encapsulation l2tpv3
ip local interface Loopback0
!
interface Loopback0
ip address 10.10.6.6 255.255.255.255
!
interface Ethernet0/3
no ip address
xconnect 10.10.5.5 1 pw-class Customer1
!

R7#sh cdp neighbor

Device ID Local Intrfce Holdtme Capability Platform Port ID
R8 Eth 0/0 161 R S I 3640 Eth 0/0

CCIE SP – Multicast for MPLS VPNs (MVPN)

Shafagh — Sun, 18 Oct 2009 20:17:09 +0000

The MPLS VPN network needs to be carefully designed and the service provider core must be configured for native multicast service: PIM-SM, Source specific multicast (PIM-SSM), or Bidirectional PIM (PIM-BIDIR) are required at core. PIM-DM is not supported as core protocol for MVPN services, but all multicast protocols are supported within multicast VRF for customers (CE).

Note: Dense mode PIM (PIM-DM) is not supported as core protocol in MVPN configurations.

An MDT default configuration is mandatory for MVPN to work (Multicast Distribution Tree).
Configuring data MDT is optional.
The IP address of the default MDT determines which multicast domain VRF belongs to (to share multicast packets with other VRFs)
Multicast needs to be enabled on MBGP peers loopbacks (between PEs)

Reference:

http://www.cisco.com/en/US/tech/tk436/tk428/
technologies_configuration_example09186a0080242aa8.shtml

Example:

Configuration

R5:

ip vrf A
rd 10.10.5.5:1
route-target export 666:1
route-target import 666:1
mdt default 232.10.10.10
!
ip multicast-routing
ip multicast-routing vrf A
!
interface Loopback0
ip address 10.10.5.5 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 10.10.35.5 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/3
ip vrf forwarding A
ip address 10.10.57.5 255.255.255.0
ip pim dense-mode
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 10.10.0.0 0.0.255.255 area 0
!
router bgp 666
bgp log-neighbor-changes
neighbor 10.10.6.6 remote-as 666
neighbor 10.10.6.6 update-source Loopback0
!
address-family ipv4
neighbor 10.10.6.6 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.6.6 activate
neighbor 10.10.6.6 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family
!

R6:

ip vrf A
rd 10.10.6.6:1
route-target export 666:1
route-target import 666:1
mdt default 232.10.10.10
!
ip multicast-routing
ip multicast-routing vrf A
!
interface Loopback0
ip address 10.10.6.6 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 10.10.46.6 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/3
ip vrf forwarding A
ip address 10.10.68.6 255.255.255.0
ip pim dense-mode
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 10.10.0.0 0.0.255.255 area 0
!
router bgp 666
bgp log-neighbor-changes
neighbor 10.10.5.5 remote-as 666
neighbor 10.10.5.5 update-source Loopback0
!
address-family ipv4
neighbor 10.10.5.5 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.5.5 activate
neighbor 10.10.5.5 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family
!

Verification

R5#deb ip mpacket

IP(1): s=10.10.57.7 (Ethernet0/3) d=224.69.69.69 (Tunnel0) id=820, ttl=254, prot=1, len=100(100), mforward

IP(0): s=10.10.5.5 (Loopback0) d=232.10.10.10 (Ethernet0/0) id=563, ttl=255, prot=47, len=124(124), mforward

R5#sh ip mroute
IP Multicast Routing Table
Flags: D – Dense, S – Sparse, C – Connected,
L – Local, T – SPT-bit set, Z – Multicast Tunnel,
z – MDT-data group sender…

(10.10.5.5, 232.10.10.10), 00:28:22/00:03:23, flags: sT
Incoming interface: Loopback0, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 00:01:04/00:02:26

(10.10.6.6, 232.10.10.10), 01:25:37/00:02:53, flags: sTIZ
Incoming interface: Ethernet0/0, RPF nbr 10.10.35.3
Outgoing interface list:
MVRF A, Forward/Sparse-Dense, 01:22:53/00:00:00

(*, 224.0.1.40), 12:23:16/00:02:34, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 12:23:16/00:00:00

R5#sh ip pim mdt
* implies group is the MDT default group
MDT Group Interface Source VRF
* 232.10.10.10 Tunnel0 Loopback0 A

R5#sh ip pim mdt bgp
Peer (Route Distinguisher + IPv4) Next Hop
MDT group 232.10.10.10
2:2570:101056513:10.10.6.6 10.10.6.6