Posts

Showing posts from November, 2013

BGP CONDITIONAL Advertisements - Advertise Maps

This is a pretty complex BGP issue because you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behaviour of the BGP advertisements depending on the routes that are being learned.

Step 1:
Configure 2 Route Maps, one for the CHECK condition, and another for PREFIXES you will advertise if CHECK passes.
For example we want to CHECK if the 2.0.0.0 is learned:
(config)#access-list 2 permit 2.0.0.0
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise 1.0.0.0
(config)#access-list 1 permit 1.0.0.0
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1

Step 2:
Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE ?
  exist-map      advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS
  non…

Advanced BGP Features: Route Dampening

When you check the BGP prefixes using the "show ip bgp", besides the arguments that appeared so far (*, >, r) there
is another "Tag" that can appear, and it's a letter "d", which stends for DAMPENING.
#show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE
              r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across
an internetwork. A route is considered to be flapping when its availability alternates repeatedly"

If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening

If you want to use this feature - make sure you understand the concept of PENALTIES being "rewarded" to a route
every time it FLAPS, and make sure you're familiar with the PARA…

BGP Peer-Session Templates

Another way to make the BGP configuration easier by avoiding configuring the same command set on every router. It makes your life easier if you have various neighbors to which you'd like to apply a common set of attributes.

Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:
(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros

Step 3: If you have more groups of neighbors, and they all have some commmon settings (for example the ones defined
in the template IBGP), and some different ones. Then create another template, and inherit the first template:
(config-router)#template peer-session GROUP_1 <- FOR AS 100
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100

(config-router)#template peer-session GROUP_2 <- FOR AS 200
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200

Convert MAC to Link Local IPv6 Address

Check how the Link Local address has been generated using the interface MAC address using the following command:

#sh int fa0/0 | i Hard
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

  IPv6: FE80::21E:BEFF:FE5D:27F0

Step 1: Start with the Link-Local "Signature", which is FE80:: - For Link Local IPv6 Addresses

Step 2: First two 0s from MAC are replaced with a HEX 2, to fill up MACs 48 bits up to the 64 bits that we need

Step 3:  Then the "1e.be" part is COPIED and PASTED - 2|1E:BE|FF:FE|5D:27F0

Step 4:  FFFE is Added after this, in the MIDDLE of the MAC address

Step 5:  The rest of MAC follows
  So - 2 + 4HEXofMAC + FFEE + 6HEXofMAC


Now check the complete IPv6 configuration of the interface:

#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured

  Joined group address(es):
    FF02::1 <- 0 after F means the IPv6 is PERMANENT (if it were …

IPv6 Basics

Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor discovery, Router discovery
FC00::/7 Unique Local, Unicast (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - always use the /64 addresses for all the INTERFACES
!!!(MAC can be converted into EUI-64 format to get the interface address)

ARP has been replaced with ICMPv6 Neighbor Discovery.
Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping

TIP: before enabling IPv6 on a router and configuring the interfaces male sure there is a IPv4 connectivity

IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing

On a ROUTER you should enable IPv6 on an interface:
(config-if)#ipv6 enable
!!!LINK-LOCAL address is generated based on the interfaces MAC Address by doing "ipv6 enable"

Assign the UNICAST IPv6 address:
(config)#no switchport <--- DONT FORGET…

OSPF Forward Address Suppression

The aim is to SUPRESS the address of the router that originated the Prefix. When the area is NSSA, and you want to CONTROL the remap process of the LSA7 to LSA5, but use 0.0.0.0 as the forwarding address instead of the one specified in the LSA7:
(config-router)#area 1 nssa translate type7 suppress-fa ?
  default-information-originate  Originate Type 7 default into NSSA area
  no-redistribution              No redistribution into this NSSA area
  no-summary                     Do not send summary LSA into NSSA
  <cr>

Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:
#sh ip ospf database external  6.0.0.0
            OSPF Router with ID (1.1.1.1) (Process ID 1)
                Type-5 AS External Link States
  LS age: 557
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 6.0.0.0 (External Network Number )
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000003
  Checksum: 0x1286
  Length: 36
  Network Mask: /8

NTP - Network Time Protocol

First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*Nov 15 16:50:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC
Fri Nov 15 2013, configured from console by console.

Now if you set this time really good, and the Switch is new generation and you really trust it, then in order to have
an entire network to be synchronized (and absolutely no external NTP available), set the most awesome switch to be
a NTP Server:
(config)#ntp master ?
  <1-15>  Stratum number <- STRATUM Number, all DOWNFLOW routers shall have SERVER + Number of HOPS

Check what's happening:
#show ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, r…

IRDP - ICMP Router Discovery Protocol

IRDP enables Routers to automatically discover the IP of their potential Default Gateway. It uses ICMP and Solicitation Messages.

Potential GW Routers periodically announce the IP address of their IRDP configured interface to a roadcast destination. IRDP Preference value is advertised with these messages, along with the IP Address.

Step 1:
The configuration is pretty straight-forward. First you MUST turn the Routing off on the router that you want to discover it's own GW:
(config)#no ip routing

Step 2:
IRDP Needs to be enabled on the Router:
(config)#ip gdp ?
  eigrp  Discover routers transmitting EIGRP router updates
irdp   Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here
  rip    Discover routers transmitting RIP router updates

Step 3:
Here is what needs to be defined on the interface:
 (config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE
 (config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS
 (config-if)#ip irdp minadv…

GLBP - Configure the Global Load Balancing Protocol

GLBP is different from HSRP and GLBP, as in - it's more complex and gives more possibilities, such as LoadBalancing
It's got 1 VIRTUAL IP, and VARIOUS MACs

!!!You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!

GLBP Group Members communicate using HELLOs 224.0.0.102, UDP/3222, by default Hello Timer = 3 sec

Basically there are 2 roles:
- AVG (Active Virtual Gateway) MASTER Router in charge of Assigning Virtual MAC Addresses to other Routers
and it has to know ALL the MACs of the AVFs
- AVFs (Active Virtual Forwarders) the rest of the Routers, which take AVG function if AVG dies.

sh glbp br
Interface   Grp  Fwd Pri State    Address         Active router   Standby route
Fa0/0       1    -   100 Standby  10.1.1.100      10.1.1.2        local
Fa0/0       1    1   7   Active   0007.b400.0101  local           -
Fa0/0       1    2   7   Listen   0007.b400.0102  10.1.1.2        -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can
c…

VRRP - Configure the Virtual Routing Redundancy Protocol

The VRRP configuration is similar to the HSRP, with a few slight differences. For example, there are no
ACTIVE and STANDBU, but MASTER and BACKUP router, as shown below:
#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              1   200 3218       Y  Master  172.25.12.1      172.25.12.22
Fa0/0              2   100 3609       Y  Backup  172.25.12.2      172.25.12.11

TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup,
and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Mater for VRRP Group 1, and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug
on the VRRP Pair router is as follows (before the authentication is configured on BOTH):
ES-MAT-AES-SR02#debug vrrp
*Nov 13 15:04:37.585: VRRP…

HSRP - Configure the Hot Standby Routing Protocol

Redundancy Protocol, Cisco Proprietary.
Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:
interface FastEthernet0/0
 ip address 172.25.25.2 255.255.255.0
 standby 1 ip 172.25.25.22 <- Group 1 VIRTUAL IP Address
 standby 1 timers 5 15 <- Can also be done in miliseconds using "standby 1 timers msec 250 800"
 standby 1 priority 150 <- Default it 100, Default
 standby 1 preempt
 standby 1 authentication Cisco
 standby 1 name R2-Act
 standby 2 ip 172.25.25.55
 standby 2 timers 5 15
 standby 2 authentication Cisco
 standby 2 name R5-Act

"07-ac" is the SIGNARURE part of Virtual MAC Address of the HSRP:
#sh standby | i 07
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)


To check the current configuration, including the HSRP Status and whether
preempt is configured:
#sh standby brief
                     P indicates configured to preempt.
           …

Configuring the DHCP Server

Using the DHCP Pool configured on a IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DSCP on a Cisco Router:

Step 1: Enable DHCP Server on a Device:
(config)#service dhcp

Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network 172.25.185.0 255.255.255.0 <- Network Range
(config-dhcp)#netbios-note-type h-node <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server 172.25.185.253 <- WINS Server IP
(config-dhcp)#dns-server 172.25.185.200 172.25.185.201 <- Primary and Secondary IPs
(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address 172.25.185.252 172.25.185.254

Step 4: Disable the DSCP Logging of the Conflicts, because …

Scalability for Stateful NAT (SNAT)

Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged. Reference:
http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html

Step 1:
You need to create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1

Step 2:
In order to configure the Stateful Failover, you need to have the HSRP previously configured. Within the stateful
nat group configurarion, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1

Step 3:
The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID,
which is called "mapping-id" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1

Step 4:
Consider adding features such Asymetric queuing, or define a specific protocol for the redundancy group:
IP…

Static NAT redundancy with HSRP

This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the
routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:

Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Congigure NAT on the relevant interfaces
(config-if)#ip nat inside <- NAT inside interface

Step 3: Static NAT redundancy with HSRP
After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1

This means that the traffic originated from the IP 10.185.117.1 will be NAT-ed into 152.168.13.9

Tests:
In this example the router 10.185.117.1 is pinging the IP 200.1.1.4. The final router (232.32.32.4) does have the route back to 152.168.13.9
When the DEBUG is done on the router, the PING done from 10.185.117.1 gives the following display:
*Nov  7 11:34:02.606: NAT*: s=10.18…

PAR - When you need to implement traffic redirections using NAT

You can define the traffic redirection using Static Entries, but there is a trick.
For example you want all the http traffic DESTINED FOR s0/0.5 to be REDIRECTED to the IP 10.1.123.3 instead.
You can configure this by defining the static NAT:
R1(config)#ip nat inside source static tcp 10.1.123.3 80 int s0/0.5 80

Make sure you understand how this command works, because it´s quite a complicated principle because it works a bit "upside down".

So when you try to telnet R1s IP using the port 80, from the router on the s0/0.5 side (R4):
R4#telnet 131.1.14.1 80
Trying 131.1.14.1, 80 ... Open

You see the following debug:

*Nov  6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23053] <- 131.1.14.4: Router from where we telnet
*Nov  6 15:54:48.707: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31747] <- NATed and FWD-ed to to 10.1.123.3
*Nov  6 15:54:48.735: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23054]
*Nov  6 15:54:48.739: NAT*: s=131.1.14.4, d=131.…

PAT (NAT Overload)

Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to 1 Inside Global IP.

Step 1: Create an ACL with all the Inside Local addresses:
 (config)#access-list 1 permit 10.2.2.0 0.0.0.7

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:

Step 2.1: 
- Create the Inside Global IP Pool of any addresses from the Link towards the other Router:
 (config)#ip nat pool OVERLOAD 10.1.1.2 10.1.1.2 prefix-length 24

- Configure the NAT Overload with the defined pool:
 (config)#ip nat inside source list 1 pool TASK2 overload

Step 2.2:
Configure the NAT to point to the Interface you need the traffic to go out from:
 (config)#ip nat inside source list 1 interface s0/1/0.21

!!! The system adds "overload" argument:
 (config)#do sh run | i nat inside
  ip nat inside
  ip nat inside source list 1 interface Serial0/1/0.21 overload

Load Balancing using NAT

This is a configuration that I´ve never implemented in any production environment, but I see quite a few cases where it can be usefull.

Step 1: Create a POOL of all the INSIDE IPs, and define the pool type: "type rotary":
 (config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (the one we´re NAT-ing into):
 (config)#access-list 1 permit 200.2.2.2

Step 3: Do the inside NAT with the ACL 1 as the DESTINATION list, and the POOL or LOCAL IPs:
 (config)#ip nat inside destination list 1 pool ?
   WORD  Pool name for local addresses

Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
 (config)#int lo0
 (config-if)#ip nat inside
 (config-if)#
 (config-if)#int s0/1/0.21
 (config-subif)#ip nat outside

!!!Be sure that the routing is in place (both, go and return path towards the NAT-ed IP, 200.2.2.2)!!!

Step 5: Make sure that the IP NAT Translations are correct, and that the sourc…