Networking, Security & Cloud Knowledge

Tuesday, June 28, 2011


021- IP SLA boolean


---------------------------------------------------------------------------------------------------------
hostname R1
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
----------------------------------------------------------

hostname R2
!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
---------------------------------------------------------


hostname R3
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 20.20.20.2 255.255.255.0
!
!
ip sla 1
 icmp-echo 10.10.10.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 20.20.20.1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
! Boolean list: Up only while both member objects are Up. "rtr" is the legacy
! keyword; current IOS accepts "track 1 ip sla 1 reachability" for the same thing.
track 3 list boolean and
 object 1
 object 2
!
------------------------------------------------------------------------------------------
R3#sh ip sla statistics

Round Trip Time (RTT) for       Index 1
        Latest RTT: 144 milliseconds
Latest operation start time: *00:18:35.835 UTC Fri Mar 1 2002
Latest operation return code: OK
Number of successes: 30
Number of failures: 50
Operation time to live: Forever



Round Trip Time (RTT) for       Index 2
        Latest RTT: 100 milliseconds
Latest operation start time: *00:18:30.851 UTC Fri Mar 1 2002
Latest operation return code: OK
Number of successes: 75
Number of failures: 1
Operation time to live: Forever
-----------------------------------------------------------------------------------------------
R3#sh track 1
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    3 changes, last change 00:00:26
  Latest operation return code: OK
  Latest RTT (millisecs) 144
  Tracked by:
     Track-list 3
----------------------------------------------------------------------------
R3#sh trac 2
Track 2
  Response Time Reporter 2 reachability
  Reachability is Up
    1 change, last change 00:10:12
  Latest operation return code: OK
  Latest RTT (millisecs) 108
  Tracked by:
    Track-list 3
----------------------------------------------------------------------
R3#sh trac 3
Track 3
  List boolean and
  Boolean AND is Up
    4 changes, last change 00:00:42
    object 1 Up
    object 2 Up
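The boolean list above is only as trustworthy as the member objects it is built from, so a practitioner usually wants to recompute it from the raw "show track" output rather than read the list line alone. The following Python is an added example, not code from the original page: it parses a constructed "show track" sample (not captured from R3; here track 2 has just gone Down while track 3 still reports Up), evaluates "and"/"or" lists the way IOS does, and flags lists whose reported state disagrees with their members. The `negated` parameter models members configured as "object N not", which the page does not use.

```python
import re

# Constructed sample of "show track" output, not from the page: track 2 is Down
# but the boolean list (track 3) still says Up, i.e. a stale or delayed list.
SAMPLE_SHOW_TRACK = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    3 changes, last change 00:00:26
Track 2
  Response Time Reporter 2 reachability
  Reachability is Down
    2 changes, last change 00:00:03
Track 3
  List boolean and
  Boolean AND is Up
    4 changes, last change 00:00:42
    object 1 Up
    object 2 Down
"""

TRACK_HEADER = re.compile(r"^Track (\d+)\s*$")
LIST_LINE = re.compile(r"^\s+List boolean (and|or)\s*$")
STATE_LINE = re.compile(r"^\s+(?:Reachability|State|Boolean AND|Boolean OR) is (Up|Down)\s*$")
MEMBER_LINE = re.compile(r"^\s+object (\d+) (Up|Down)\s*$")


def parse_show_track(text):
    """Return {track_id: {"up": bool, "op": "and"|"or"|None, "members": [ids]}}."""
    tracks, cur = {}, None
    for line in text.splitlines():
        m = TRACK_HEADER.match(line)
        if m:
            cur = tracks.setdefault(int(m.group(1)), {"up": None, "op": None, "members": []})
            continue
        if cur is None:
            continue
        if (m := LIST_LINE.match(line)):
            cur["op"] = m.group(1)
        elif (m := STATE_LINE.match(line)):
            cur["up"] = m.group(1) == "Up"
        elif (m := MEMBER_LINE.match(line)):
            cur["members"].append(int(m.group(1)))
    return tracks


def evaluate_list(tracks, list_id, negated=()):
    """Recompute a boolean list from its members the way IOS does: "and" is Up
    only when every member is Up, "or" when at least one is. Object IDs in
    `negated` model "object N not"; a member that does not exist counts as Down."""
    entry = tracks[list_id]
    values = []
    for obj in entry["members"]:
        up = bool(tracks.get(obj, {}).get("up"))
        values.append((not up) if obj in negated else up)
    return all(values) if entry["op"] == "and" else any(values)


def stale_lists(tracks, negated=()):
    """IDs of boolean lists whose reported state disagrees with their members."""
    return sorted(t for t, e in tracks.items()
                  if e["op"] and e["up"] != evaluate_list(tracks, t, negated))
```

Run `stale_lists(parse_show_track(SAMPLE_SHOW_TRACK))` to get `[3]`: object 2 is Down, so an "and" list cannot legitimately be Up. Feed it real output from a device and an empty result means the list state matches what the members justify.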

Sunday, June 26, 2011

020 IP SLA Tracking

IP SLA based tracking.

Router(config) # ip sla 1
Router(config-ip-sla) # icmp-echo Y.Y.Y.Y
Router(config-ip-sla-echo) # frequency 10
Router(config-ip-sla-echo) # timeout 7000
Router(config-ip-sla-echo) # threshold 5000

Router(config) # ip sla schedule 1 life forever start-time now

Router(config) # track 2 rtr 1

Router(config) # interface GigabitEthernet0/0
Router(config-if) #  standby 1 ip x.x.x.x
Router(config-if) #  standby 1 priority 125
Router(config-if) #  standby 1 preempt
Router(config-if) #  standby 1 track 2 decrement 50





Note:
  • IP SLA probes generate a specific type of traffic and send it to a target. For udp-jitter and similar operations the target must be a device running "ip sla responder"; for icmp-echo, as here, any host that answers ping will do.
  • Y.Y.Y.Y = IP address of the target (responder)
  • "track 2 rtr 1" follows the operation's state (its return code): the object goes Down on a timeout and also when the RTT exceeds the threshold. "track 2 rtr 1 reachability" goes Down only when the probe actually fails, not on over-threshold. "rtr" is the legacy keyword; newer IOS uses "track 2 ip sla 1 state".
  • Timers
1.      Frequency: how often the probe is sent (Unit: sec)
2.      Timeout: maximum time the operation waits for a response before counting a failure (Unit: msec)
3.      Threshold: RTT above which the operation reports "over threshold", which drives reactions and state tracking (Unit: msec)

Frequency (converted to msec) > Timeout > Threshold; the example above uses 10 s > 7000 ms > 5000 ms.
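Two things in this procedure are worth working through in code: the timer ordering rule, and why the decrement of 50 is chosen. The following Python is an added example, not code from the original page. It checks the Frequency > Timeout > Threshold rule and models the HSRP election that results when a tracked object drops the priority; the router names, the peer's default priority of 100 and the preempt settings are assumptions for the illustration.

```python
def validate_sla_timers(frequency_s, timeout_ms, threshold_ms):
    """Check the Frequency > Timeout > Threshold rule for an icmp-echo operation.
    Returns a list of problems; an empty list means the timers are consistent."""
    problems = []
    if timeout_ms > frequency_s * 1000:
        problems.append("timeout exceeds frequency: the next probe would start "
                        "before this one can time out")
    if threshold_ms > timeout_ms:
        problems.append("threshold exceeds timeout: the over-threshold condition "
                        "can never be reported because the probe times out first")
    return problems


def hsrp_priority(base, tracked):
    """Effective HSRP priority: every 'standby track <obj> decrement <n>' whose
    object is Down is subtracted. `tracked` is a list of (object_up, decrement)."""
    return base - sum(dec for up, dec in tracked if not up)


def hsrp_active(routers, current):
    """Which router ends up active. `routers` maps name -> (priority, preempt).
    A router only takes over from the current active one if it has preempt
    configured AND a strictly higher priority. A standby without preempt stays
    standby no matter how far the active router's priority drops, which is the
    usual reason object tracking appears not to work."""
    active = current
    for name, (prio, preempt) in routers.items():
        if name == active or not preempt:
            continue
        if prio > routers[active][0]:
            active = name
    return active


def needed_decrement(base, peer_priority):
    """Smallest decrement that drops `base` strictly below the peer's priority."""
    return max(0, base - peer_priority + 1)


def failover_demo(track_up):
    """Assumed topology: this router at priority 125 with 'track 2 decrement 50',
    a peer at the default priority 100, both with preempt."""
    local = hsrp_priority(125, [(track_up, 50)])
    routers = {"primary": (local, True), "standby": (100, True)}
    return local, hsrp_active(routers, "primary")
```

With the tracked object Up the local router keeps 125 and stays active; when it goes Down the priority becomes 75, and the peer at 100 takes over only because it has preempt. `needed_decrement(125, 100)` returns 26, the minimum that would achieve the same effect; 50 simply leaves margin.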



Commands for troubleshooting

Router# sh ip sla configuration
IP SLAs Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: icmp-echo
Target address/Source address: Y.Y.Y.Y/0.0.0.0
Operation timeout (milliseconds): 7000
Type Of Service parameters: 0x0
Vrf Name:
Request size (ARR data portion): 28
Verify data: No
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 4294967295
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
Enhanced History:
----------------------------------------------------------------------------------------------------------------------

Router # sh track 2
Track 2
  Response Time Reporter 1 state
  State is Up
    91 changes, last change 3d00h
  Latest operation return code: OK
  Latest RTT (millisecs) 36
  Tracked by:
    HSRP GigabitEthernet0/0 1
------------------------------------------------------------------------------------------------------------------------

Router #sh ip sla statistics

Round Trip Time (RTT) for       Index 1
        Latest RTT: 44 milliseconds
Latest operation start time: 09:27:30.566 gmt Thu May 12 2011
Latest operation return code: OK
Number of successes: 159
Number of failures: 0
Operation time to live: Forever

018- IP SLA based Tracking for HSRP

Device detail:

R3 = Primary ISP R4 = Secondary ISP
R1 = Primary WAN router R2 = Secondary WAN router
R5 = Host

• R3 and R4 advertise 200.200.200.200/32 and 100.100.0.0/16 (a summary covering 100.100.10.1, 100.100.20.1 and 100.100.30.1) to R1 and R2 respectively.
• AS-path prepending is configured on R2 for the routes learned from R4, so that R3 is preferred over R4 for all outgoing traffic.

Objective:
Configure PBR on R1 so that only traffic destined to the 100.100.20.0/24 subnet (100.100.20.1) is sent to R4 via R2, and only while R4 is reachable. Everything else, and 100.100.20.0/24 whenever R4 is down, follows the normal BGP best path through R3.


Configuration on R1
!
! Host route so the probe towards R4 leaves via R2 (192.168.1.3) and not via the
! BGP best path through R3; otherwise the SLA would be testing the wrong path.
ip route 20.20.20.2 255.255.255.255 192.168.1.3
!
ip sla 1
icmp-echo 20.20.20.2 << ip address of R4 (backup ISP)
threshold 200
frequency 5
!
ip sla schedule 1 life forever start-time now
!
track 3 rtr 1 << track 3 mapped to IP SLA 1; without "reachability" it follows the operation state, so an RTT above 200 ms also marks the track Down
!
route-map test permit 10
match ip address 101
set ip next-hop verify-availability 192.168.1.3 1 track 3 << conditional set: the next hop is used only while track 3 is Up, otherwise the packet is routed normally
!
! Not shown on the page: access-list 101 must match only the destination 100.100.20.0/24,
! and the route-map takes effect only once it is applied with "ip policy route-map test"
! on the interface where the host traffic enters R1.


Configuration on R2
!
ip route 100.100.20.0 255.255.255.0 20.20.20.2
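The behaviour of "set ip next-hop verify-availability ... track 3" is easy to get wrong in a change review, so here is the decision logic worked through as an added Python example; it is not code from the original page. Access-list 101 is not shown on the page, nor is R1's link to R3, so both are assumptions: the ACL is taken to match 100.100.20.0/24 and the R3 next hop is given the made-up address 192.168.13.3.

```python
import ipaddress

# Assumed, not from the page: what access-list 101 matches, and R1's routing
# table (BGP best paths) with a made-up next hop towards R3.
ACL_101 = [ipaddress.ip_network("100.100.20.0/24")]          # "match ip address 101"
PBR_NEXT_HOP = "192.168.1.3"                                 # R2, towards R4
ROUTING_TABLE = [
    (ipaddress.ip_network("100.100.0.0/16"), "192.168.13.3"),       # via R3 (assumed hop)
    (ipaddress.ip_network("200.200.200.200/32"), "192.168.13.3"),   # via R3 (assumed hop)
]


def table_lookup(dst, table=ROUTING_TABLE):
    """Longest-prefix match; None means no route."""
    matches = [(net.prefixlen, hop) for net, hop in table if dst in net]
    return max(matches)[1] if matches else None


def pbr_next_hop(dst, track3_up):
    """Model of 'route-map test permit 10' with
    'set ip next-hop verify-availability 192.168.1.3 1 track 3':
    the policy next hop is used only if the ACL matches AND track 3 is Up;
    in every other case the packet falls through to the normal routing table."""
    dst = ipaddress.ip_address(dst)
    if any(dst in net for net in ACL_101) and track3_up:
        return PBR_NEXT_HOP, "policy-routed via R2"
    return table_lookup(dst), "routing table"


def decisions(track3_up, destinations=("100.100.20.1", "100.100.10.1", "200.200.200.200")):
    """Next hop chosen for a set of destinations under a given track state."""
    return {d: pbr_next_hop(d, track3_up) for d in destinations}
```

When track 3 goes Down, 100.100.20.1 silently rejoins the other destinations on the R3 path; nothing is dropped, which is the point of "verify-availability" over a plain "set ip next-hop".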

019- Private Vlan

Step 1: Setting the switch to VTP TRANSPARENT mode

Private VLANs are not propagated by VTP version 1 or 2, so the switch has to be in transparent mode before they can be created (VTP version 3 can carry them).

Switch(config)# vtp mode transparent

Step 2: Creating the VLANs

Secondary VLANs (private VLANs):
vlan 101 = isolated VLAN
vlan 102 = community VLAN

Primary VLAN (the secondary VLANs are associated with it):
vlan 100 = primary VLAN
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated

Switch(config)# vlan 102
Switch(config-vlan)# private-vlan community

Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101,102


Step 3: Assigning ports to the VLANs
Port Fa0/1 = promiscuous (for the router / firewall)
Ports Fa0/3, Fa0/5, Fa0/6 = host ports (for hosts)

Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 add 101 102

The three host ports are configured in host mode. The isolated port (101) can reach only the promiscuous port; the two community ports (102) can reach each other and the promiscuous port. This is layer-2 isolation only: the router on the promiscuous port will still forward a frame from one isolated host to another if it is addressed to the gateway MAC with the victim's IP, unless an ACL on the router blocks traffic that is both sourced from and destined to the private VLAN's subnet.
Switch(config)# interface f0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101

Switch(config-if)# interface f0/5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102

Switch(config-if)# interface f0/6
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102
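To check that a private-VLAN design gives the isolation you expect, it helps to compute the layer-2 reachability matrix from the port roles before touching the switch. The following Python is an added example, not code from the original page; it encodes the page's ports and adds a second isolated port, Fa0/4, which is not in the original configuration, to show isolated-to-isolated behaviour.

```python
from itertools import combinations

SECONDARY = {101: "isolated", 102: "community"}
PORTS = {                      # port -> (mode, primary VLAN, secondary VLAN)
    "Fa0/1": ("promiscuous", 100, None),
    "Fa0/3": ("host", 100, 101),
    "Fa0/4": ("host", 100, 101),   # added for this example, not on the page
    "Fa0/5": ("host", 100, 102),
    "Fa0/6": ("host", 100, 102),
}
# "switchport private-vlan mapping 100 add 101 102"
PROMISC_MAP = {"Fa0/1": {101, 102}}


def can_talk(a, b, ports=PORTS, mapping=PROMISC_MAP, secondary=SECONDARY):
    """Layer-2 reachability between two ports of a private VLAN (switch-only view;
    a router on the promiscuous port may still relay between isolated hosts)."""
    ma, pa, sa = ports[a]
    mb, pb, sb = ports[b]
    if pa != pb:
        return False                                  # different primary VLANs
    if ma == "promiscuous" and mb == "promiscuous":
        return True
    if ma == "promiscuous":
        return sb in mapping.get(a, set())            # only mapped secondaries
    if mb == "promiscuous":
        return sa in mapping.get(b, set())
    if sa != sb:
        return False                                  # host ports in different secondaries
    return secondary[sa] == "community"               # same community yes, isolated never


def reachability_matrix(ports=PORTS):
    """{(a, b): bool} for every unordered pair of ports."""
    return {(a, b): can_talk(a, b, ports) for a, b in combinations(sorted(ports), 2)}


def reachable_pairs(ports=PORTS):
    """Only the pairs that can exchange frames, for a quick review."""
    return sorted(pair for pair, ok in reachability_matrix(ports).items() if ok)
```

For the page's configuration `reachable_pairs()` lists the promiscuous port paired with every host port plus the single community pair Fa0/5-Fa0/6; the two isolated ports never appear together.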

017 MPLS configuration on Cisco IOS

router(config)# ip vrf <vrf-name>


================================================
router(config-vrf)# rd <RD>

RD formats:
  ASN:nn   16-bit ASN : 32-bit number          (e.g. 65000:100)
  IP:nn    32-bit IPv4 address : 16-bit number (e.g. 10.0.0.1:100)
--------------------------------------------------

router(config-vrf)# route-target export <RT>
router(config-vrf)# route-target import <RT>
router(config-vrf)# route-target both <RT>

Note: "route-target both" is the shorthand for the case where the export and import RTs are the same.

RTs use the same formats as RDs. The RD only keeps overlapping customer prefixes unique inside MP-BGP; it is the import RT that decides which routes land in a VRF, so an RT typed into the wrong VRF leaks one customer's routes into another's.
==================================================
ip cef

interface fa0/0
 ip vrf forwarding <vrf-name>

Note: the existing IP address is removed when "ip vrf forwarding" is applied to the interface, so it has to be configured again.
--------------------------------------
PE router

For internet (global table) routing:
router bgp <ASN>


For VPNv4:
 address-family vpnv4


For CE-PE:
 address-family ipv4 vrf <vrf-name>
---------------------------------------

For MP-BGP between PE routers:

router bgp <ASN>
 neighbor <PE-loopback> remote-as <ASN>
 neighbor <PE-loopback> update-source Loopback0

 address-family vpnv4
  neighbor <PE-loopback> activate
  neighbor <PE-loopback> send-community extended   (or "both"; the RT travels as an extended community, so plain "standard" is not enough)

no bgp default ipv4-unicast > stops neighbors from being activated in the IPv4 unicast address family by default
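Because RD and RT values are typed by hand per VRF, two classes of mistake are common: a value that does not fit its format, and an import RT that pulls in another customer's routes. The following Python is an added example, not code from the original page; it validates the RD/RT syntax (going one step beyond the page by also accepting the 4-byte-ASN form from RFC 4364) and computes which VRFs end up importing each other's routes from a constructed set of VRF definitions.

```python
import ipaddress
import re


def parse_rd(text):
    """Parse an RD or RT in Cisco syntax and validate the field widths:
      ASN:nn  2-byte ASN : 4-byte number    (type 0, e.g. 65000:100)
      IP:nn   4-byte IPv4 : 2-byte number   (type 1, e.g. 10.0.0.1:100)
      ASN:nn  4-byte ASN : 2-byte number    (type 2, ASN > 65535; not on the page)
    Returns (type, administrator, assigned_number); raises ValueError otherwise."""
    m = re.fullmatch(r"\s*([^:\s]+):(\d+)\s*", text)
    if not m:
        raise ValueError(f"bad RD/RT syntax: {text!r}")
    admin, assigned = m.group(1), int(m.group(2))
    if "." in admin:
        ip = ipaddress.IPv4Address(admin)            # raises ValueError on junk
        if assigned > 0xFFFF:
            raise ValueError("IP:nn form allows only a 16-bit assigned number")
        return (1, str(ip), assigned)
    asn = int(admin)
    if asn <= 0xFFFF:
        if assigned > 0xFFFFFFFF:
            raise ValueError("ASN:nn with a 2-byte ASN allows a 32-bit assigned number")
        return (0, asn, assigned)
    if asn > 0xFFFFFFFF:
        raise ValueError("ASN does not fit in 32 bits")
    if assigned > 0xFFFF:
        raise ValueError("a 4-byte ASN allows only a 16-bit assigned number")
    return (2, asn, assigned)


def is_valid_rd(text):
    try:
        parse_rd(text)
        return True
    except ValueError:
        return False


def import_sources(vrfs):
    """Given {vrf: {"import": [RT...], "export": [RT...]}}, return for each VRF the
    sorted list of other VRFs whose exported routes it will import. A VRF that
    appears where the design did not intend it is a route-target leak."""
    parsed = {name: {k: {parse_rd(rt) for rt in v[k]} for k in ("import", "export")}
              for name, v in vrfs.items()}
    return {a: sorted(b for b in parsed if b != a and parsed[a]["import"] & parsed[b]["export"])
            for a in parsed}


# Constructed example, not from the page: two customers and a shared-services
# VRF. CUST_B mistakenly imports 65000:100, CUST_A's route target.
VRFS = {
    "CUST_A": {"import": ["65000:100", "65000:999"], "export": ["65000:100"]},
    "CUST_B": {"import": ["65000:100", "65000:999"], "export": ["65000:200"]},
    "SHARED": {"import": ["65000:100", "65000:200"], "export": ["65000:999"]},
}
```

`import_sources(VRFS)["CUST_B"]` returns `["CUST_A", "SHARED"]`: the intended SHARED import is there, and so is the leak from CUST_A, which a review of the raw configuration would easily miss among dozens of VRFs.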

016 Configuring Cisco 1300 wireless device

Configuring the 1300 as a Non-Root Bridge

This example sets a LEAP user name and password for the SSID test:
     bridge# configure terminal
     bridge(config)# interface dot11Radio 0
     bridge(config-if)# station role non-root
     bridge(config-if)# ssid test

The following command configures the username and password used for LEAP authentication:
     bridge(config-if-ssid)# authentication client username admin password p@ssw0rd
     bridge(config-if-ssid)# end

Caveat: LEAP's challenge/response can be cracked offline from a single captured exchange, and WEP (used further down) is broken outright; they appear here because these 1300 examples predate WPA2. Where the platform supports it, use WPA2 with EAP-TLS or PEAP instead.

-------------------------------------------------------------------------
Configuring the 1300 as Root Bridge with the local RADIUS server

The following commands enable AAA and point a login method list at a RADIUS server group. For the bridge's own local RADIUS server to be the one answering, 10.10.10.10 must be the bridge's own address:


      bridge(config)# aaa new-model
      bridge(config)# aaa group server radius rad_eap
      bridge(config-sg-radius)# server 10.10.10.10 auth-port 1812 acct-port 1813
      bridge(config-sg-radius)# exit
      bridge(config)# aaa authentication login esp_methods group rad_eap

      bridge(config)# interface dot11Radio 0
      bridge(config-if)# station role root
      bridge(config-if)# distance 1

The following command enters local RADIUS server configuration mode:
      bridge(config)# radius-server local

By default LEAP, EAP-FAST and MAC authentication are all enabled on the local server. Using the no form for the other two ensures that only LEAP is used for authentication; the user entry defines the credential the non-root bridge presents:

        bridge(config-radsrv)# no authentication eapfast
        bridge(config-radsrv)# no authentication mac
        bridge(config-radsrv)# user admin password p@ssw0rd
        bridge(config-radsrv)# exit

        bridge(config)# interface dot11Radio 0
        bridge(config-if)# ssid bridge

The following command enables EAP authentication for the SSID. It takes the AAA method list name (esp_methods above), not the server group name:
       bridge(config-if-ssid)# authentication network-eap esp_methods

This step is optional. The key seeds the initial key used for broadcast [255.255.255.255] traffic. If more than one VLAN is used, a key must be set for each VLAN. Note that a 128-bit WEP key is 26 hexadecimal digits; the 19-digit value shown here, kept from the original post, would be rejected by the bridge:

      bridge(config-if)# encryption vlan 1 key 1 size 128bit 1234567890123456789 transmit-key

This defines the policy for the use of Wired Equivalent Privacy (WEP). If more than one VLAN is used, the policy must be set to mandatory for each VLAN:

          bridge(config-if)# encryption vlan 1 mode wep mandatory


015 Cisco IOS naming standard



Cisco IOS naming format.


HARDWARE:
The first part is self-explanatory: the hardware platform the image runs on (e.g. c2800nm).

FEATURE SET:
  • This is where you can see which features the image supports.
  • The newer naming convention uses words such as ipbase, entbase or advipservices; older images use single letters to describe the feature set.
  • The legacy naming convention is considerably more confusing than the new one.
  • Cisco packages IOS images according to their feature sets.

Note: the higher the feature set, the more features it has. You can check the features of a Cisco IOS image with the Feature Navigator tool on the Cisco site: search by feature, image name, platform or product code, and compare features between images.


For the legacy naming convention the feature set is formatted as yyyy, where each y is one of the following letters:
  • b - AppleTalk support
  • c - CommServer lite (CiscoPro)
  • g - ISDN subset (SNMP, IP, Bridging, ISDN, PPP, IPX, and AppleTalk)
  • i - IP subset (SNMP, IP, Bridging, WAN, Remote Node, and Terminal Services)
  • n - IPX support
  • q - asynchronous support
  • t - Telco return (12.0)
  • y - reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, and PPP) (c1003 or c1004)
  • z - managed modems
  • 40 - 40-bit encryption
  • 56 - 56-bit (DES) encryption

MEMORY LOCATION and COMPRESSION FORMAT
This section tells you which memory the image runs from and which compression format it uses:
  • f - flash
  • m - RAM
  • r - ROM
  • l - the image is relocated at run time

And these are the compression types:
  • z - zip compression
  • x - mzip compression
  • w - "STAC" compression


MAINTENANCE RELEASE and INDIVIDUAL RELEASE
These show the release version number of the image.

RELEASE
The last part is the release train identifier, e.g. T (new-feature / technology train) or S (service provider train). IOS XR, despite the name, is a separate modular operating system with its own versioning.

You also need to consider the amount of DRAM (and flash) in the device: the higher the version and feature set, the more memory the image needs.

K9 is the software encryption feature code.
K meant "kitchen sink" (enterprise for high-end, same as BX); not used after Cisco IOS Software Release 10.3.
K9 - greater than 64-bit encryption, on Cisco IOS Software Release 12.2 and up (k8 marks images limited to 64-bit or weaker ciphers).

There is a Safe Harbor release for each of the products, which is essentially a Cisco-validated release. Below is the link:

Safe Harbor Release

IOS Release Naming
http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_tech_note09186a0080101cda.shtml
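The naming fields above are exactly what you need when checking an image before it goes onto a device (is it the crypto build, is it signed, which train). The following Python is an added example, not code from the original page or from Cisco: a parser for IOS image file names that decodes the hardware, feature set, memory location, compression, K8/K9 encryption marker, the optional SPA (signed image) tag and the version string. The three file names in the test are constructed to match the conventions described above; the legacy-versus-word-style heuristic (three letters or fewer means legacy) is an assumption of this example.

```python
import re

IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)"                       # hardware, e.g. c2800nm
    r"-(?P<features>[a-z0-9_]+)"                      # feature set, word style or legacy letters
    r"-(?P<location>[fmrl])(?P<compression>[zxw])?"   # run-from location + compression
    r"(?:\.(?P<signed>SPA))?"                         # SPA marks a digitally signed image
    r"\.(?P<version>\d{2,3}-\d+[a-z]?(?:\.[A-Za-z0-9]+)?)"
    r"\.bin$"
)
LOCATION = {"f": "flash", "m": "RAM", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "STAC"}
LEGACY = {"b": "AppleTalk", "c": "CommServer lite", "g": "ISDN subset", "i": "IP subset",
          "n": "IPX", "q": "asynchronous", "t": "Telco return", "y": "reduced IP",
          "z": "managed modems"}


def parse_ios_image(name):
    """Decode an IOS image file name into its naming-convention fields."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised IOS image name: {name}")
    f = m.groupdict()
    feats = f["features"]
    crypto = None
    if feats.endswith(("k8", "k9")):
        crypto = "up to 64-bit" if feats.endswith("k8") else "greater than 64-bit"
        feats = feats[:-2]
    # Heuristic (assumption of this example): legacy images spell the feature set
    # with one to three single letters ("i", "is"); longer strings are word style.
    legacy = [LEGACY.get(c, f"unknown({c})") for c in feats] if len(feats) <= 3 else None
    v = re.fullmatch(r"(\d+)(\d)-(\d+)([a-z]?)(?:\.(\w+))?", f["version"])
    major, minor, maint, letter, train = v.groups()
    return {
        "platform": f["platform"],
        "feature_set": f["features"],
        "legacy_features": legacy,
        "encryption": crypto,
        "location": LOCATION[f["location"]],
        "compression": COMPRESSION.get(f["compression"]),
        "signed": f["signed"] == "SPA",
        "version": f"{int(major)}.{minor}({maint}{letter}){train or ''}",   # "12.4(15)T1" style
    }
```

The version is rendered in the same "12.4(15)T1" form that "show version" prints, so the parsed name can be compared directly against what the running device reports.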


014 BGP soft-reconfiguration


BGP soft reconfiguration inbound
    Whenever the BGP policy is changed, the BGP session has to be cleared for the new policy to take effect. Clearing a BGP session tears down the neighbor relationship, invalidates the routes learned from it and re-sends the whole table, which has a tremendous impact on the operation of the network.
     Soft reconfiguration allows policies to be configured and activated without clearing the BGP session. It can be done on a per-neighbor basis.
    There are two types of soft reconfiguration:
  1. inbound soft reconfiguration
  2. outbound soft reconfiguration
Inbound soft reconfiguration:
  • Soft reconfiguration can be used to re-process the updates received from a neighbor.
  • Performing inbound reconfiguration lets the new inbound policy take effect.
  • To re-evaluate the updates without resetting the BGP session, the local BGP speaker has to keep every received update unmodified, regardless of whether the current inbound policy accepted or denied it. This is memory intensive: it is a second copy of the neighbor's table.
  • To allow inbound reconfiguration, BGP therefore has to be configured to store all received updates ("neighbor ... soft-reconfiguration inbound"). On newer IOS, if both peers negotiate the route refresh capability, "clear ip bgp ... soft in" instead asks the neighbor to re-send its routes and no stored copy is needed for the policy change itself.
Outbound soft reconfiguration:
  • Soft reconfiguration can be used to send a new set of updates to a neighbor.
  • Performing outbound reconfiguration causes the new local outbound policy to take effect without resetting the BGP session. Since a fresh set of updates is sent, a new inbound policy on the neighbor also takes effect.
  • Outbound soft reconfiguration has no memory overhead and needs no pre-configuration ("clear ip bgp ... soft out"). Triggering an outbound reconfiguration on the other side of the session is another way to make a new inbound policy take effect locally.
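The memory cost described above is the price of keeping an unmodified Adj-RIB-In next to the accepted routes; the following Python is an added example, not code from the original page or from IOS, that models exactly that. A peer configured with inbound soft reconfiguration can have a relaxed policy re-applied without a reset, while a peer without it cannot recover the prefixes it previously rejected. The prefixes and the "no prefixes longer than /24" policy are constructed for the illustration.

```python
class BgpPeer:
    """Inbound side of one BGP session, enough to show what
    'neighbor X soft-reconfiguration inbound' buys. With it enabled the router
    stores every received update unmodified (the Adj-RIB-In, which is the memory
    cost) next to the set that passed the current inbound policy."""

    def __init__(self, soft_reconfig_inbound, policy=lambda prefix, attrs: True):
        self.soft_reconfig = soft_reconfig_inbound
        self.policy = policy
        self.received = {}   # prefix -> attrs, populated only with soft reconfiguration
        self.accepted = {}   # prefix -> attrs that passed the inbound policy

    def update(self, prefix, attrs):
        """Process one UPDATE from the neighbor."""
        if self.soft_reconfig:
            self.received[prefix] = dict(attrs)
        if self.policy(prefix, attrs):
            self.accepted[prefix] = dict(attrs)
        else:
            self.accepted.pop(prefix, None)

    def withdraw(self, prefix):
        self.received.pop(prefix, None)
        self.accepted.pop(prefix, None)

    def clear_soft_in(self, new_policy):
        """'clear ip bgp <peer> soft in': re-run the inbound policy over the stored
        updates. Without the stored copy (and without route refresh support) only
        a hard reset brings previously rejected prefixes back."""
        if not self.soft_reconfig:
            raise RuntimeError("no stored Adj-RIB-In: hard reset or route refresh required")
        self.policy = new_policy
        self.accepted = {p: dict(a) for p, a in self.received.items() if new_policy(p, a)}
        return sorted(self.accepted)

    def received_routes(self):
        """'show ip bgp neighbors <peer> received-routes': accepted and rejected."""
        return sorted(self.received)

    def routes(self):
        """'show ip bgp neighbors <peer> routes': accepted only."""
        return sorted(self.accepted)


def no_long_prefixes(prefix, attrs):
    """Example inbound policy: reject anything longer than a /24."""
    return int(prefix.split("/")[1]) <= 24


def accept_all(prefix, attrs):
    return True


def demo():
    """Constructed updates, not from the page: the neighbor sends three prefixes,
    the /25 is rejected, then the policy is relaxed without resetting the session."""
    peer = BgpPeer(soft_reconfig_inbound=True, policy=no_long_prefixes)
    for p in ("10.1.0.0/16", "10.2.3.0/24", "10.4.5.128/25"):
        peer.update(p, {"as_path": [65002]})
    before = peer.routes()
    after = peer.clear_soft_in(accept_all)
    return before, after, peer.received_routes()
```

`demo()` shows the /25 absent before the policy change and present after it; `received_routes()` lists all three throughout, which is what "show ip bgp neighbors X.X.X.X received-routes" relies on and why that command needs soft reconfiguration to be configured.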
     


BGP Peer – Soft Reconfiguration
Router(config-router)# neighbor X.X.X.X soft-reconfiguration inbound
  • Enables storage of the unmodified updates received from this neighbor, which is what inbound soft reconfiguration needs.
  • Use this command in router configuration mode.
  • X.X.X.X is the neighbor's IP address. If you specify a BGP peer group by using the peer-group-name argument instead, all members of the peer group inherit the setting.
  • To apply a changed inbound policy without resetting the session: clear ip bgp X.X.X.X soft in
  • To re-send updates under a changed outbound policy (no storage needed): clear ip bgp X.X.X.X soft out
Verification
show ip bgp neighbor X.X.X.X received-routes
  • Use to display all received routes (both accepted and rejected) from the specified neighbor.
  • Displays information only about IPv4 address-family sessions unless the all keyword is entered.
  • Prefix activity is displayed based on the number of prefixes that are advertised and withdrawn.
  • Policy denials display the number of routes that were advertised but then ignored based the function or