Saturday, November 24, 2007

EIGRP Summarization

EIGRP support two types of summarization: auto-sum & manually sum on interface-mode.
- By default, auto summarization is enabled on interface
- To understand the behavior of EIGRP when auto-sum & manually sum is configured on Router, we will examine 2 cases:
Case1: summarized subnet (192.168.3.0) is different major from network between R1& R2 (192.168.1.0)

+ If auto-sum is enabled: R2 has 192.168.3.0/24 only
+ If auto-sum is enabled, manually sum network 192.168.3.0/30 on int s1/0 of R1 => R2 routing table contains both 192.168.3.0/30 & 192.168.3.0/24 routes
Case2: summarized subnet (192.168.1.0) belong to the same major from network between R1& R2 (192.168.1.0)

+ If auto-sum is enabled: R2 has 192.168.1.0/30. There is no network 192.168.1.0/24. In this case, auto-sum has no effect.
+ If auto-sum is enabled, manually sum network 192.168.1.0/28 on int s1/0 of R1 => R2 routing table contains that summarized route (192.168.1.0/28)

Wednesday, November 07, 2007

MPLS Label Stack in MPLS VPN, MPLS TE & AToM

+ In MPLS Layer 3 VPN, the top label in the label stack represents the IGP path to the next-hop Border Gateway Protocol (BGP) router, which is normally the PE router that originates the VPN routes. The bottom label represents a specific or aggregated VPN route.

+ In MPLS traffic engineering, the top label in the label stack represents the traffic-engineered path, and the bottom label represents the original Interior Gateway Protocol (IGP) path.

+ In Layer 2 VPN, the LDP top label usually represents the IGP path to the peering PE router, and the bottom label represents a Layer 2 VPN forwarder on the peering PE router.

Tuesday, October 30, 2007

Restrictions for the EtherSwitch Network Module

The following functions are not supported by the EtherSwitch network module:

• CGMP client, CGMP fast-leave

• Dynamic ports

• Dynamic access ports

• Secure ports

• Dynamic trunk protocol

• Dynamic VLANs

• GARP, GMRP, and GVRP

• ISL tagging (The chip does not support ISL.)

• Layer 3 switching onboard

• Monitoring of VLANs

• Multi-VLAN ports Network Port

• Shared STP instances

• STP uplink fast for clusters

• VLAN-based SPAN

• VLAN Query Protocol

• VTP Pruning Protocol

• Web-based management interface

Source: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hif_c/ch05/h1636nm.htm#wp1043334

Wednesday, October 24, 2007

Vlan & Trunking

Tip about creating VLAN:
Tip about VTP:
Cisco switches default to use VTP server mode, but they do not start sending VTP updates until
the switch has been configured with a VTP domain name.
If VTP domain is not configured on client, the client will assume it should use the VTP domain name in the first received VTP update.Tip about Trunking

Duplex Mode

Default duplex mode is
- For 10Mbps & 100Mbps port: half-duplex
- For 1Gbps port: Full-duplex
On a 100Mbps ports, if we configure full duplex on one-end and leave the other end as default, duplex mismatch happens & we can see large number of "Collision" by show interface.

What is the difference between VLSM & CIDR?

VLSM: is kind of dividing a major network into multiple subnets with different subnet masks. For example, major network 172.16.1.0 can be divided into subnet 172.16.1.0/25, 172.16.1.128/26, 172.16.1.192/26. But remember the mask bits number of the each subnet must be greater than the classful mask bits (i.e. In this case, 25 or 26 are all greater than 16 so it is acceptable)
CIDR: it does not care about classful network. The mask bit number of subnet can either smaller or greater than the classful mask bits number. For example, using CIDR, we can have 192.32.0.0/13, 192.64.0.0/13 (i.e, 13 <24)
RIPv2 supports VLSM but does NOT support CIDR

Friday, October 19, 2007

MPLS notes

Here is some MPLS notes
- In frame mode, MPLS uses a 32-bit label that is inserted between the Layer 2 and Layer 3 headers
- PHP (Penultimate Hop Popping): is performed in MPLS-based networks where the router upstream to the Edge LSR removes the top label in the label stack and forwards only the resulting packet (either labeled IP or IP packet) for a particular FEC
- Reserved Labels: Labels 0 through 15 are reserved labels. An LSR cannot use them in the normal case for forwarding packets. An LSR assigns a specific function to each of these labels. Label 0 is the explicit NULL label, whereas label 3 is the implicit NULL label. Label 1 is the router alert label, whereas label 14 is the OAM alert label. The other reserved labels between 0 and 15 have not been assigned yet.
+ Implicit Null (value =3): An egress LSR assigns the implicit NULL label to a FEC if it does not want to assign a label to that FEC, thus requesting the upstream LSR to perform a pop operation. Although the label value 3 signals the use of the implicit NULL label, the label 3 will never be seen as a label in the label stack of an MPLS packet. That is why it is called the implicit NULL label.
+ Explicit Null (value=0): In case of using EXP bit in MPLS header for QoS, the implicit Null cannot reserved this value since the last label is removed one-hop before (i.e.PHP). The Explicit Null has the same meaning with Implicit Null but it reserves the EXP value for QoS. If a LSR propagates an explicit-null label, the upstream LSR does not POP the label but assigns a label value of 0 and sends a labeled packet to that LSR.

Monday, October 15, 2007

Dynamips - Current HW supported

A great post that guide how to connect card/module on Dynamips Router (http://7200emu.hacki.at/viewtopic.php?t=1831&highlight=current++supported)

7200 (7206 only)
Chassis type:
- STD
- VXR
NPE:
- npe-100
- npe-150
- npe-175
- npe-200
- npe-225
- npe-300
- npe-400
- npe-g1
- npe-g2
Cards:
- C7200-IO-FE (FastEthernet, slot 0 only)
- C7200-IO-2FE (FastEthernet, 2 ports, slot 0 only)
- C7200-IO-GE (GigabitEthernet, slot 0 only)
- PA-FE-TX (FastEthernet)
- PA-2FE-TX (FastEthernet, 2 ports)
- PA-4E (Ethernet, 4 ports)
- PA-8E (Ethernet, 8 ports)
- PA-4T+ (Serial, 4 ports)
- PA-8T (Serial, 8 ports)
- PA-A1 (ATM)
- PA-POS-OC3 (POS)
- PA-GE (GigabitEthernet)

===========
3660
3640
3620
Cards:
- NM-1E (Ethernet, 1 port)
- NM-4E (Ethernet, 4 ports)
- NM-1FE-TX (FastEthernet, 1 port)
- NM-16ESW (Ethernet switch module, 16 ports)
- NM-4T (Serial, 4 ports)
- Leopard-2FE (Cisco 3660 FastEthernet in slot 0, automatically used)

===========
2691
3725
3745
Cards:
- NM-1FE-TX (FastEthernet, 1 port)
- NM-4T (Serial, 4 ports)
- NM-16ESW (Ethernet switch module, 16 ports)
- GT96100-FE (2 integrated ports, automatically used)

===========
2610
2611
2620
2621
2610XM
2620XM
2621XM
2650XM
2651XM
Cards:
- NM-1E (Ethernet, 1 port)
- NM-4E (Ethernet, 4 ports)
- NM-1FE-TX (FastEthernet, 1 port)
- NM-16ESW (Ethernet switch module, 16 ports)

Tuesday, October 09, 2007

BGP-FAQs

This document contains frequently asked questions (FAQs) about Border Gateway Protocol (BGP) from Cisco website (http://www.cisco.com/warp/public/459/bgpfaq_5816.shtml)

Q. How do I configure BGP?

A. Refer to these documents for information on how to configure BGP and BGP functioning:

Q. How do I configure BGP with the use of a loopback address?

A. The use of a loopback interface ensures that the neighbor stays up and is not affected by malfunctioning hardware.

BGP uses the IP address configured on the physical interface directly connected to the BGP peer as the source address when it establishes the BGP peering session, by default. Issue the neighbor update-source command in order to change this behavior and configure the BGP that speaks to the router to establish peering with the use of a loopback address as the source address.

Refer to Sample Configuration for iBGP and eBGP With or Without a Loopback Address for more information.

Q. What is the order of preference of attributes when some or all are applied to one neighbor in BGP?

A. The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates.

For inbound updates the order of preference is:

  1. route-map
  2. filter-list
  3. prefix-list, distribute-list

For outbound updates the order of preference is:

  1. prefix-list, distribute-list
  2. filter-list
  3. route-map

Note: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor prefix-list or neighbor distribute-list) can be applied to each inbound or outbound direction for a particular neighbor.

Q. What does a next hop of 0.0.0.0 mean in the show ip bgp command output?

A. A network in the BGP table with a next hop address of 0.0.0.0 means that the network is locally originated via redistribution of Interior Gateway Protocol (IGP) into BGP, or via a network or aggregate command in the BGP configuration.

Q. What are the well known communities of the BGP community attribute?

A. The community attribute is a transitive, optional attribute designed to group destinations in a certain community and apply certain policies (such as accept, prefer, or redistribute). This table shows the well known BGP communities.

Community Description
Local-AS Use in confederation scenarios to prevent sending packets outside the local autonomous system (AS).
no-export Do not advertise to external BGP (eBGP) peers. Keep this route within an AS.
no-advertise Do not advertise this route to any peer, internal or external.
none Apply no community attribute when you want to clear the communities associated with a route.
internet Advertise this route to the internet community, and any router that belongs to it.

Refer to the Configuring BGP Community Filtering section of Configuring BGP for more information about configuring communities.

Q. What formats can I use to configure the BGP community attribute?

A. In Cisco IOS® Software release 12.0 and later, you can configure communities in three different formats called decimal, hexadecimal, and AA:NN. By default, IOS uses the older decimal format. In order to configure and display in AA:NN, where the first part is the AS number and the second part is a 2-byte number, use the ip bgp new-format global configuration command.

Note: Although the community attribute can be represented in decimal, hexadecimal, or AA:NN, it is still a 32-bit number. For example, any of these three configuration commands specify the community 30:20 (AS 30, number 20):

Regardless of which command you use, the community displayed in the router configuration file and the BGP table is 30:20.

Refer to the Community Attribute section of BGP Case Studies, and Using BGP Community Values to Control Routing Policy in Upstream Provider Network for more information.

Q. How does BGP behave differently with auto-summary enabled or disabled?

A. Auto-summary behavior has changed across Cisco IOS releases. Initially, auto-summary was enabled by default. However, with Cisco bug ID CSCdu81680 ( registered customers only) this behavior has changed. In the latest Cisco IOS, auto-summary is disabled by default. When auto-summary is enabled, it summarizes the locally originated BGP networks to their classfull boundaries. (Auto-summary is enabled by default in BGP). When auto-summary is disabled, the routes introduced locally into the BGP table are not summarized to their classfull boundaries. When a subnet exists in the routing table and the following three conditions are satisfied, then any subnet of that classfull network in the local routing table will prompt BGP to install the classfull network into the BGP table.

  • Classfull network statement for a network in the routing table
  • Classfull mask on that network statement
  • Auto-summary enabled

For example, if the subnet in the routing table is 75.75.75.0 mask 255.255.255.0, and you configure network 75.0.0.0 under the router bgp command, and auto-summary is enabled, BGP introduces the classfull network 75.0.0.0 mask 255.0.0.0 in the BGP table.

If these three conditions are not all met, then BGP does not install any entry in the BGP table unless there is an exact match in the local routing table.

Note: If the AS that performs BGP does not own the complete classfull network, Cisco recommends that you disable auto-summary using the no auto-summary command under router bgp.

Q. How can I verify if a BGP router announces its BGP networks and propagates them to the global BGP mesh?

A. Use these commands to check if the IP blocks are announced to the directly connected ISP:

Note: The show ip bgp neighbors [address] advertise-routes command does not take into account any outbound policies you may have applied. In future Cisco IOS versions the command output will be changed to reflect the outbound policies.

In order to verify how the IP blocks get propagated to the global BGP mesh via the directly connected ISP, log onto a route server leavingcisco.com on the Internet and look for the BGP entries of the prefix in the route server.

Q. When and how should I reset a BGP session?

A. Clear a BGP session when you change the inbound/outbound policy for this session. Use the clear ip bgp x.x.x.x soft out command to clear a BGP session in order to bring outbound policy changes into effect. Use the clear ip bgp x.x.x.x command in order to clear a BGP session to bring inbound policy changes into effect. If the neighbor has the soft reconfiguration capability, you can use the clear ip bgp x.x.x.x soft in command.

Note: With Cisco IOS Software Release 12.0 and later, a new BGP Soft Reset Enhancement feature is introduced. Refer to BGP Soft Reset Enhancement for more information.

Q. When I perform MD5 Authentication for BGP through a PIX, is there anything special that needs to be done on the PIX?

A. Yes. When a BGP 'neighbor ... password ...' is configured, MD5 authentication is used on the TCP psuedo-IP header, TCP header, and data (refer to RFC 2385 leavingcisco.com). TCP uses this data, which includes the TCP sequence and ACK numbers, and the BGP neighbor password, to create a 128-bit hash number. The hash number is included in the packet in a TCP header option field. By default, the PIX offsets the sequence number by a random value per TCP flow. On the sending BGP peer, TCP uses the original sequence number to create the 128-bit MD5 hash number and includes this hash number in the packet. When the receiving BGP peer gets the packet, TCP uses the PIX modified sequence number to create a 128-bit MD5 hash number and compares it to the hash number included in the packet. Because the TCP sequence value was changed by the PIX, the hash is different—TCP on the BGP neighbor drops the packet and logs an MD5 failed message similar to this:

%TCP-6-BADAUTH: Invalid MD5 digest from 10.28.0.9:1778 to 10.156.50.10:179

Use the norandomseq keyword to solve this problem and stop the PIX from offsetting the TCP sequence number with this command:

static (inside,DMZ-ICE) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 norandomseq 

Q. What is an autonomous system (AS) number and how do I obtain one?

A. AS numbers are globally unique numbers that are used to identify ASes, and which enable an AS to exchange exterior routing information between neighboring ASes. An AS is a connected group of IP networks that adhere to a single and clearly defined routing policy.

There are a limited number of available AS numbers. Therefore, it is important to determine which sites require unique AS numbers and which do not. Sites that do not require a unique AS number should use one or more of the AS numbers reserved for private use, which are in the range from 64512 to 65535. Access the AS Number Registration Services leavingcisco.com Website to obtain an AS number.

Q. What is the BGP path selection criteria?

A. BGP path selection criteria is documented in BGP Best Path Selection Algorithm.

Q. What is the difference between always-compare-med and deterministic-med?

A. A complete explanation of the differences between these commands is documented in How the bgp deterministic-med Command Differs from the bgp always-compare-med Command.

Q. Do internal BGP sessions modify the next hop?

A. Internal BGP (iBGP) sessions preserve the next hop attribute learned from eBGP peers. This is why it is important to have an internal route to the next hop. The BGP route is otherwise unreachable. In order to make sure you can reach the eBGP next hop, include the network that the next hop belongs to in the IGP or use the next-hop-self neighbor command to force the router to advertise itself, rather than the external peer, as the next hop. Refer to the BGP Nexthop Attribute section of BGP Case Studies for a more detailed explanation.

Q. Do eBGP sessions between confederations modify the next hop?

A. No, eBGP sessions between confederation sub-ASes does not modify the next hop attribute. All iBGP rules still apply to have the whole AS behave as a single entity. The metric and local preference values also remain unaltered among confederation eBGP peers. Refer to the BGP Confederation section of BGP Case Studies for more information about confederations.

Q. In eBGP sessions, which IP address is sent as the next hop?

A. In eBGP peering, the next hop is the IP address of the neighbor that announces the route. However, when the route is advertised on a multi-access media (such as Ethernet or Frame Relay), the next hop is usually the IP address of the router interface connected to that media, which originated the route. Refer to the BGP Nexthop Attribute of BGP Case Studies for a more detailed explanation.

Q. Does the route reflector change the next hop attribute of a reflected prefix?

A. By default, the next hop attribute is not changed when a prefix is reflected by route reflector. However, you can use the neighbor next-hop-self command to change the attribute of the next hop for prefixes reflected from an eBGP peer to any route reflector client.

Q. How can I announce a prefix conditionally to one ISP only when I lose the connection to my primary ISP?

A. BGP advertises routes from its BGP table to external peers by default. The BGP conditional advertisement feature provides additional control of route advertisement depending on the existence of other prefixes in the BGP table. Normally, routes are propagated regardless of the existence of a different path. The BGP conditional advertisement feature uses the non-exist-map and advertise-map configuration commands to track routes by the route prefix. If a route prefix is not present in the non-exist-map command, the route specified by the advertise-map command is announced. Refer to the Configuring BGP Conditional Advertisement section of Configuring BGP for more information.

Q. How can I configure BGP to provide load sharing and redundancy in my network?

A. Use these documents for detailed configuration information:

Q. How much memory should I have in my router to receive the complete BGP routing table from my ISP?

A. The amount of memory required to store BGP routes depends on many factors, such as the router, the number of alternate paths available, route dampening, community, the number of maximum paths configured, BGP attributes, and VPN configurations. Without knowledge of these parameters it is difficult to calculate the amount of memory required to store a certain number of BGP routes. Cisco typically recommends a minimum of 128 MB of RAM in the router to store a complete global BGP routing table from one BGP peer. However, it is important to understand ways to reduce memory consumption and achieve optimal routing without the need to receive the complete Internet routing table. Refer to Achieve Optimal Routing and Reduce BGP Memory Consumption for more detailed information.

Q. What are the benefits of configuring BGP peer groups?

A. The major benefit of specifying a BGP peer group is that it reduces the amount of system resources (CPU and memory) used in an update generation. It also simplifies BGP configuration since it allows the routing table to be checked only once, and updates to be replicated to all other in-sync peer group members. Depending on the number of peer group members, the number of prefixes in the table, and the number of prefixes advertised, this can significantly reduce the load. Cisco recommends that you group together peers with identical outbound announcement policies. Refer to BGP Peer Groups for more detailed information.

Q. What is synchronization, and how does it influence BGP routes installed in the IP routing table?

A. If your AS passes traffic from another AS to a third AS, BGP should not advertise a route before all routers in your AS learn about the route via IGP. BGP waits until IGP propagates the route within the AS and then advertises it to external peers. A BGP router with synchronization enabled does not install iBGP learned routes into its routing table if it is not able to validate those routes in its IGP. Disabling synchronization using the no synchronization command under router bgp prevents BGP from validating iBGP routes in IGP. Refer to BGP Case Studies: Synchronization for a more detailed explanation.

Q. How do I know which Cisco IOS software release supports a particular BGP feature?

A. Use the Cisco IOS Software Advisor ( registered customers only) to quickly find which Cisco IOS software release supports your feature.

Q. How can I set the Multi Exit Discriminator (MED) value on prefixes advertised to eBGP neighbors to match the IGP next hop metric?

A. The set metric-type internal route-map configuration command causes BGP to advertise a MED that corresponds to the IGP metric associated with the next hop of the route. This command is available in Cisco IOS Software Release 10.3 and later. Refer to BGP Commands for more information.

Q. What is the default BGP ConnectRetry timer, and is it possible to tune the BGP ConnectRetry timer?

A. The default BGP ConnectRetry timer is 120 seconds. Only after this time passes does the BGP process check to see if the passive TCP session is established. If the passive TCP session is not established, then the BGP process starts a new active TCP attempt to connect to the remote BGP speaker. During this idle 120 seconds of the ConnectRetry timer, the remote BGP peer can establish a BGP session to it. Presently the Cisco IOS ConnectRetry timer cannot be changed from its default of 120 seconds.

Q. What does r RIB-Failure mean in the show ip bgp command output?

R1> show ip bgp
BGP table version is 5, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
r> 6.6.6.0/24 10.10.13.3 0 130 0 30 i
*> 7.7.7.0/24 10.10.13.3 0 125 0 30 i

When BGP tries to install the bestpath prefix into Routing Information Base (RIB) (for example, the IP Routing table), RIB might reject the BGP route due to any of these reasons:

  • Route with better administrative distance already present in IGP. For example, if a static route already exists in IP Routing table.
  • Memory failure.
  • The number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.

In such cases, the prefixes that are rejected for these reasons are identified by r RIB Failure in the show ip bgp command output and are not advertised to the peers. This feature was first made available in Cisco IOS Software Release 12.2(08.05)T.

Q. How can I redistribute internal BGP (iBGP) learned default-route (0.0.0.0/0) route into EIGRP/OSPF/IS-IS?

A. The redistribution of iBGP routes into Interior Gateway Protocol (IGP)—Enhanced Interior Gateway Routing Protocol/Open Shortest Path First/Intermediate System-to-Intermediate System (EIGRP/OSPF/IS-IS)—can cause routing loops within the Autonomous System, which is not recommended. By default, iBGP redistribution into IGP is disabled. Use the bgp redistribute-internal command to enable redistribution of iBGP routes into IGP. Precautions should be taken to redistribute specific routes using route-maps into IGP. A sample configuration for redistributing a iBGP learned default route 0.0.0.0/0 into EIGRP is shown in this output. Configurations for OSPF/IS-IS are similar.

router bgp 65345
[...]
bgp redistribute-internal
!
router eigrp 10
[...]
redistribute bgp 65345 route-map check-def
!
ip prefix-list def-route seq 5 permit 0.0.0.0/0
!
route-map check-def permit 10
match ip address prefix-list def-route

Access-List vs Prefix-List

What is the difference between an access-list & a prefix-list ?

The ip prefix-list command is used to configure IP prefix filtering. Prefix lists are configured with permit or deny keywords to either permit or deny the prefix based on the matching condition. A prefix list consists of an IP address and a bit mask. The IP address can be a classful network, a subnet, or a single host route. The bit mask is entered as a number from 1 to 32. An implicit deny is applied to traffic that does match any prefix-list entry.

Prefix lists are configured to match an exact prefix length or a prefix range. The ge and le keywords are used to specify a range of the prefix lengths to match, providing more flexible configuration than can be configured with just the network/length argument. The prefix list is processed using an exact match when neither the ge nor le keyword is entered. If only the ge value is entered, the range is the value entered for the ge ge-length argument to a full 32-bit length. If only the le value is entered, the range is from value entered for the network/length argument to the le le-length argument. If both the ge ge-length and le le-length keywords and arguments are entered, the range falls between the values used for the ge-length and le-length arguments. The following formula shows this behavior:

network/length < ge ge-length < le le-length <= 32

A prefix list is configured with a name and/or sequence number. One or the other must be entered when configuring this command. If a sequence number is not entered, a default sequence number of 5 is applied to the prefix list, and subsequent prefix list entries will be increment by 5 (for example, 5, 10, 15, and onwards). If a sequence number is entered for the first prefix list entry but not subsequent entries, then the subsequent entries will also be incremented by 5 (For example, if the first configured sequence number is 3, then subsequent entries will be 8, 13, 18, and onwards). Default sequence numbers can be suppressed by entering the no form of this command with the seq keyword.

Prefix lists are evaluated starting with the lowest sequence number and continues down the list until a match is made. Once a match is made that covers the network the permit or deny statement is applied to that network and the rest of the list is not evaluated.