Reliable policy based routing

August 31, 2008 at 5:16 pm | Posted in Protocol independent, Routing | 1 Comment

Policy based routing (PBR) with next-hop reachability verification, done two ways: via CDP (set ip next-hop verify-availability with no track object) and via enhanced object tracking (an IP SLA echo feeding a track object). The CDP check only confirms that a CDP speaker is present on the link, and CDP carries no authentication, whereas the tracked object confirms IP reachability of the next hop itself; where both are possible, the track form is the stronger check.

Sample Configuration:

!
!
!
! Track next-hop R4 reachability with an IP SLA ICMP echo (every 5 s, 2 s timeout)
ip sla monitor 4
 type echo protocol ipIcmpEcho 155.1.146.4 source-ipaddr 155.1.146.1
 timeout 2000
 frequency 5
ip sla monitor schedule 4 start-time now
!
track 4 rtr 4
!
!
!
interface FastEthernet0/0
 ip address 155.1.146.1 255.255.255.0
!
interface Serial0/0
 ip address 155.1.0.1 255.255.255.0
 encapsulation frame-relay
! CDP must run on this link: without a track object, verify-availability
! treats the next hop (R5) as usable only while it appears as a CDP neighbor
 cdp enable
 frame-relay map ip 155.1.0.5 105 broadcast
 no frame-relay inverse-arp
!
interface Serial0/1
 ip address 155.1.13.1 255.255.255.0
 ip policy route-map POLICY
 clock rate 56000
!
!
ip access-list extended TO_R4
 permit ip any 150.1.4.0 0.0.0.255
ip access-list extended TO_R5
 permit ip any 150.1.5.0 0.0.0.255
!
! By default CDP is sent every 60 s and a neighbor is only declared dead after
! the 180 s holdtime; shorten the CDP timers so failover happens faster
cdp timer 5
cdp holdtime 15
!
!
! Sequence 10: next hop R5 verified via CDP; R4 is only the default next hop,
! i.e. used when R5 is unavailable and the RIB holds no explicit route for the destination
route-map POLICY permit 10
 match ip address TO_R4
 set ip next-hop 155.1.0.5
 set ip next-hop verify-availability
 set ip default next-hop 155.1.146.4
!
! Sequence 20: next hop R4 verified via track object 4 (IP SLA echo); R5 is the default next hop
route-map POLICY permit 20
 match ip address TO_R5
 set ip next-hop verify-availability 155.1.146.4 1 track 4
 set ip default next-hop 155.1.0.5
!

Verification:
Rack1R3#ping 150.1.4.4 rep 1

Rack1R1#debug track
Rack1R1#debug ip policy
Rack1R1#
*Mar  1 01:19:58.887: IP: s=155.1.13.3 (Serial0/1), d=150.1.4.4, len 100, FIB policy match
*Mar  1 01:19:58.887: IP: s=155.1.13.3 (Serial0/1), d=150.1.4.4, g=155.1.0.5, len 100, FIB policy routed

! Shutdown R5 Serial0 frame interface.

Rack1R1#sh cdp nei | in R5
Rack1R1#

*Mar  1 01:21:47.071: IP: s=155.1.13.3 (Serial0/1), d=150.1.4.4, len 100, FIB policy match
*Mar  1 01:21:47.071: IP: s=155.1.13.3 (Serial0/1), d=150.1.4.4, g=155.1.146.4, len 100, FIB policy routed

! Bring back R5 Serial0 frame interface
Rack1R1#sh cdp nei | in R5
Rack1R5          Ser 0/0            14          R S       1721      Ser 0

Rack1R3#ping 150.1.5.5 rep 1

Rack1R1#
*Mar  1 01:23:06.019: IP: s=155.1.13.3 (Serial0/1), d=150.1.5.5, len 100, FIB policy match
*Mar  1 01:23:06.019: IP: s=155.1.13.3 (Serial0/1), d=150.1.5.5, g=155.1.146.4, len 100, FIB policy routed

! Shutdown R4 ethernet interface.

Rack1R1#
*Mar  1 01:25:41.151: Track: 4 Change #2 rtr 4, state Up->Down

*Mar  1 01:25:55.471: IP: s=155.1.13.3 (Serial0/1), d=150.1.5.5, len 100, FIB policy match
*Mar  1 01:25:55.471: IP: s=155.1.13.3 (Serial0/1), d=150.1.5.5, g=155.1.0.5, len 100, FIB policy routed
Doc CD Navigation

  • Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4
  • Part 6: Protocol-Independent Routing
  • PBR Support for Multiple Tracking Options

Regular Expression

August 29, 2008 at 4:37 pm | Posted in Blogroll | Leave a comment

Doc CD navigation

  • Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4
  • Part 1: Using the Cisco IOS Command-Line Interface (CLI)
  • Using the Cisco IOS Command-Line Interface
  • Searching and Filtering CLI Output
  • Understanding Regular Expressions

There used to be more extensive information, including examples of using regular expressions against BGP AS paths, under:

  • Cisco IOS Terminal Services Configuration Guide, Release 12.4
  • Appendixes
  • Regular Expressions
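
The AS-path examples that used to live there hinge on one IOS-specific token: "_" matches any delimiter between AS numbers (space, comma, braces, parentheses) or the start or end of the path. The following Python block is an added example, not from the original post or from the Cisco documentation it points to; it translates that token into ordinary regex syntax and runs a few common filters over constructed sample paths. The names ios_to_python, as_path_matches, filter_paths and SAMPLE_PATHS are this example's own.

```python
"""IOS-style BGP AS-path regular expressions applied to sample paths.  Added
example, not from the original post or the Cisco documentation it references.
The one non-standard IOS token is "_"; everything else is ordinary regex
syntax and is passed through unchanged."""
import re

# What IOS means by "_" in an AS-path regex: any delimiter, or start/end of path.
_DELIM = r"(?:^|$|[ ,{}()])"


def ios_to_python(ios_pattern: str) -> str:
    """Translate an IOS AS-path regex into an equivalent Python regex."""
    return ios_pattern.replace("_", _DELIM)


def as_path_matches(ios_pattern: str, as_path: str) -> bool:
    """True if the AS path (as printed by `show ip bgp`, e.g. "100 200") matches."""
    return re.search(ios_to_python(ios_pattern), as_path) is not None


def filter_paths(ios_pattern: str, as_paths):
    return [p for p in as_paths if as_path_matches(ios_pattern, p)]


# Constructed sample AS paths; "" is a locally originated prefix.
SAMPLE_PATHS = ["", "100", "100 200", "200 100", "300 100 200", "1100", "100 1100"]

# Common filters and what each is meant to select.
FILTERS = {
    "^$": "locally originated prefixes",
    "^100_": "learned directly from AS 100",
    "_100$": "originated by AS 100",
    "_100_": "passed through AS 100 anywhere",
    "^100$": "originated by the directly connected AS 100 (single hop)",
    "^(100_)+$": "only AS 100, possibly prepended",
}

if __name__ == "__main__":
    for pat, meaning in FILTERS.items():
        print(f"{pat:12} {meaning}: {filter_paths(pat, SAMPLE_PATHS)}")
```

The sample "1100" is there for the classic mistake: a pattern like 100 without the underscores would match it, while _100_ correctly does not.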

Web-caching WCCP

August 28, 2008 at 11:56 pm | Posted in IP Services | Leave a comment

Enable web caching, accept only a specific cache engine (group-list) and exempt one host from redirection (redirect-list):

access-list 99 remark Web-cache server
access-list 99 permit 129.1.3.33

access-list 100 remark Host on the subnet to bypass web-caching
access-list 100 deny   tcp host 129.1.3.100 any eq www
access-list 100 permit ip any any

ip wccp web-cache group-list 99 redirect-list 100

! Alternatively, enable web caching without any ACLs (any cache engine may
! register, and all HTTP traffic on redirecting interfaces is sent to it)
ip wccp web-cache

interface FastEthernet 0/0
 ip wccp web-cache redirect in

! To exclude an interface from redirection:

interface FastEthernet 0/1
 ip wccp redirect exclude in

! Excluding an interface is needed when redirection is applied outbound
! (e.g. "redirect out" on S0/0), because then traffic entering on every
! interface is a candidate, including the cache engine's own upstream
! requests arriving on the interface it is attached to; excluding that
! interface keeps those from being redirected back to the cache.

interface Serial0/0
 ip wccp web-cache redirect out
WCCP Outbound ACL Check

The following configuration example shows that the access list prevents traffic from network 10.0.0.0 leaving Fast Ethernet interface 0/0. Because the outbound ACL check is enabled, WCCP does not redirect that traffic. WCCP checks packets against the ACL before they are redirected.

ip wccp web-cache
ip wccp check acl outbound
interface fastethernet0/0
 ip access-group 10 out
 exit
! the redirect-list named here is not defined in this excerpt
ip wccp web-cache redirect-list redirect-out
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any

If the outbound ACL check is disabled, the HTTP packets from network 10.0.0.0 would be redirected to a web cache. Users with that network address could retrieve web pages even though the network administrator wanted to prevent it.

Doc CD Navigation

  • Cisco IOS IP Application Services Configuration Guide, Release 12.4

  • Configuring WCCP

  • Configuration Examples for WCCP

TCP Customization

August 28, 2008 at 8:25 pm | Posted in IP Services | Leave a comment

Rack1R3(config)#ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size (to change max of characters that 
                      TCP reads from the input queue for Telnet and rlogin)
  ecn                 Enable Explicit Congestion Notification
  intercept           Enable TCP intercepting
  mss                 TCP initial maximum segment size 
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size

Doc CD Navigation

  • Cisco IOS IP Application Services Configuration Guide, Release 12.4
  • Configuring TCP

New Cisco Documentation homepage

August 27, 2008 at 5:40 pm | Posted in Blogroll | Leave a comment

New Cisco Documentation homepage

http://www.cisco.com/web/psa/products/index.html

This is not clearly stated in the announcement, but it is referred to from the CCIE recommended books and references. For example, for R&S:

http://www.cisco.com/web/learning/le3/ccie/rs/index.html

then follow the Book List link on the right side of the page:

http://www.cisco.com/web/learning/le3/ccie/rs/book_list.html

At the bottom, under Other Publications, is the Cisco Documentation link:

http://www.cisco.com/web/psa/products/index.html

Going directly from the Cisco homepage, the same page is reached via cisco.com -> Support -> Select a Product.

TCP Connection Establishment (Three-way handshake)

August 27, 2008 at 5:13 pm | Posted in IP Services | 1 Comment

To use reliable transport services, TCP hosts must establish a connection-oriented session with one another. Connection establishment is performed by using a “three-way handshake” mechanism.

A three-way handshake synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers. This mechanism also guarantees that both sides are ready to transmit data and know that the other side is ready to transmit as well. The three-way handshake is necessary so that packets are not transmitted or retransmitted during session establishment or after session termination.

Each host randomly chooses a sequence number used to track bytes within the stream it is sending. Then, the three-way handshake proceeds in the following manner:

The first host (Host A) initiates a connection by sending a packet with the initial sequence number (X) and synchronize/start (SYN) bit set to indicate a connection request.

The second host (Host B) receives the SYN, records the sequence number X, and replies by acknowledging the SYN (with an ACK = X + 1). Host B includes its own initial sequence number (SEQ = Y). An ACK = 20 means the host has received bytes 0 through 19 and expects byte 20 next. This technique is called forward acknowledgment.

Host A acknowledges all bytes Host B sent with a forward acknowledgment indicating the next byte Host A expects to receive (ACK = Y + 1). Data transfer then can begin.
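
The exchange described above, carried out with explicit sequence and acknowledgment arithmetic, as an added example that is not part of the original post or of the Cisco documentation it quotes. Two in-process endpoints exchange Segment objects; the Endpoint, Segment and three_way_handshake names are this example's own, and ISNs are random unless pinned. The ACK check in the SYN-SENT state is where the security property of the handshake lives: a third party who cannot see the SYN has to guess X to forge the SYN+ACK, which is why initial sequence numbers must be unpredictable.

```python
"""Three-way handshake with explicit SEQ/ACK arithmetic, followed by one data
segment to show forward acknowledgment.  Added example, not from the original
post; both endpoints live in this process."""
from dataclasses import dataclass
from typing import List, Optional
import secrets

MOD = 2 ** 32                       # sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: Optional[int] = None       # None when the ACK flag is clear
    syn: bool = False
    ack_flag: bool = False
    payload: bytes = b""


class Endpoint:
    def __init__(self, name: str, isn: Optional[int] = None):
        self.name = name
        # A predictable ISN lets a blind attacker forge the third segment or
        # inject data, so real stacks randomise it (RFC 6528); pinned only for tests.
        self.isn = secrets.randbelow(MOD) if isn is None else isn
        self.snd_nxt = self.isn     # next sequence number this side will send
        self.rcv_nxt = None         # next byte expected from the peer (forward ACK)
        self.state = "CLOSED"

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Active open: SYN carrying our ISN (X)."""
        self.state = "SYN-SENT"
        seg = Segment(self.name, peer, seq=self.snd_nxt, syn=True)
        self.snd_nxt = (self.snd_nxt + 1) % MOD      # SYN occupies one sequence number
        return seg

    def send(self, peer: str, data: bytes) -> Segment:
        assert self.state == "ESTABLISHED"
        seg = Segment(self.name, peer, seq=self.snd_nxt, ack=self.rcv_nxt,
                      ack_flag=True, payload=data)
        self.snd_nxt = (self.snd_nxt + len(data)) % MOD
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one segment; return the reply segment, or None."""
        if self.state == "LISTEN" and seg.syn and not seg.ack_flag:
            # Passive open: record X, answer SYN+ACK with our ISN (Y) and ACK = X+1.
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "SYN-RECEIVED"
            reply = Segment(self.name, seg.src, seq=self.snd_nxt, ack=self.rcv_nxt,
                            syn=True, ack_flag=True)
            self.snd_nxt = (self.snd_nxt + 1) % MOD
            return reply
        if self.state == "SYN-SENT" and seg.syn and seg.ack_flag:
            # The ACK must equal X+1; anything else is stale or forged.
            if seg.ack != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ACK {seg.ack}, expected {self.snd_nxt}")
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, seq=self.snd_nxt, ack=self.rcv_nxt, ack_flag=True)
        if self.state == "SYN-RECEIVED" and seg.ack_flag and not seg.syn:
            if seg.ack != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ACK {seg.ack}, expected {self.snd_nxt}")
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.ack_flag:
            if not seg.payload:
                return None                          # pure ACK, nothing to answer
            if seg.seq != self.rcv_nxt:
                raise ValueError(f"{self.name}: out-of-order seq {seg.seq}")
            # Forward acknowledgment: ACK names the next byte we expect.
            self.rcv_nxt = (seg.seq + len(seg.payload)) % MOD
            return Segment(self.name, seg.src, seq=self.snd_nxt, ack=self.rcv_nxt, ack_flag=True)
        raise ValueError(f"{self.name}: unexpected segment in state {self.state}")


def three_way_handshake(client: Endpoint, server: Endpoint) -> List[Segment]:
    """Run SYN / SYN+ACK / ACK and return the three segments in order."""
    server.listen()
    syn = client.connect(server.name)
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return [syn, syn_ack, ack]


if __name__ == "__main__":
    a, b = Endpoint("A"), Endpoint("B")
    for s in three_way_handshake(a, b):
        print(s)
    print(b.receive(a.send("B", b"hello")))      # ACK = seq of data + 5
```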

Doc CD Navigation

  • Cisco IOS IP Application Services Configuration Guide, Release 12.4

  • Configuring TCP

  • Information About TCP

  • TCP Connection Establishment

Generate log message only after a certain number of ACL hits

August 27, 2008 at 12:44 pm | Posted in Blogroll | Leave a comment

By default, a log message is sent for the first matching packet; after that, identical messages are accumulated over 5-minute intervals, and a single message is sent at the end of each interval with the number of packets permitted or denied during it.

With the ip access-list log-update command you can instead set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. This is useful when log messages are wanted more often than every 5 minutes, for example to notice a brute-force attempt against the vty lines before the interval expires.

Configuration

Rack1R6#sh run | in access|vty
ip access-list log-update threshold 10
access-list 99 permit 129.1.46.100
access-list 99 deny   any log
line vty 0 4
 access-class 99 in

Verification

Default behavior (without "ip access-list log-update threshold 10"):

Rack1R6#
! The first hit from a new source is logged immediately
Aug 27 18:26:49.606: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 1 packet 
Aug 27 18:27:50.103: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 1 packet 
! Further hits from an already-known source are accumulated and reported in the next 5-minute message
Aug 27 18:31:49.872: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 25 packets 
Aug 27 18:33:49.872: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 15 packets  

After "ip access-list log-update threshold 10":
Known source: a message is generated every 10 hits, without waiting for the 5-minute interval
Aug 27 18:37:42.893: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 10 packets 
Aug 27 18:37:55.701: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 10 packets 
Aug 27 18:38:10.569: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 10 packets 
New source: the first hit is still logged immediately, then every 10 hits
Aug 27 18:38:49.873: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.46.4 -> 0.0.0.0, 1 packet 
Aug 27 18:38:51.257: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.4.4 -> 0.0.0.0, 1 packet 
Aug 27 18:39:04.045: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.4.4 -> 0.0.0.0, 10 packets
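
The two behaviours above (first hit logged at once, then either the 5-minute interval or the threshold) can be replayed against a constructed hit stream. The following Python model is an added example, not code from the original post: the timestamps and sources are made up, the AclLogCache, simulate and render names are this example's own, and the cache semantics are only those the post describes.

```python
"""Model of the IOS ACL logging cache.  Added example, not part of the original
post; the hit stream is constructed.  Behaviour modelled from the text above:
the first packet for a new (list, source, destination) entry is logged at once;
later hits are counted and reported when the count reaches
`ip access-list log-update threshold N` (if configured) or when the entry's
5-minute interval expires."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERVAL = 300.0   # seconds: the default 5-minute reporting interval

Key = Tuple[int, str, str]                    # (access-list number, source, destination)
Message = Tuple[float, int, str, str, int]    # (time, list, source, destination, packets)


@dataclass
class _Entry:
    count: int
    deadline: float


class AclLogCache:
    def __init__(self, threshold: Optional[int] = None):
        self.threshold = threshold            # None: default, interval-driven only
        self.entries: Dict[Key, _Entry] = {}
        self.messages: List[Message] = []

    def _emit(self, t: float, key: Key, packets: int) -> None:
        self.messages.append((t, *key, packets))

    def _expire(self, now: float) -> None:
        # Interval timers fire on their own, independent of new packets.
        for key, e in self.entries.items():
            while e.deadline <= now:
                if e.count:
                    self._emit(e.deadline, key, e.count)
                    e.count = 0
                e.deadline += INTERVAL

    def hit(self, t: float, key: Key) -> None:
        """Register one packet that matched a log-enabled ACE at time t."""
        self._expire(t)
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = _Entry(count=0, deadline=t + INTERVAL)
            self._emit(t, key, 1)             # first hit: logged immediately
            return
        e.count += 1
        if self.threshold is not None and e.count >= self.threshold:
            self._emit(t, key, e.count)       # threshold reached: log now
            e.count = 0


def simulate(hits, threshold: Optional[int] = None, acl: int = 99) -> List[Message]:
    """Feed (time, source) hits against a standard ACL applied to the vty lines."""
    cache = AclLogCache(threshold)
    for t, src in hits:
        cache.hit(t, (acl, src, "0.0.0.0"))
    return cache.messages


def render(msg: Message) -> str:
    t, acl, src, dst, n = msg
    return (f"t={t:6.1f}s %SEC-6-IPACCESSLOGNP: list {acl} denied 0 {src} -> {dst}, "
            f"{n} packet{'s' if n != 1 else ''}")


# Constructed hit stream: one probe, a burst of 23 more, then a straggler after 5 min.
HITS = ([(0.0, "150.1.5.5")]
        + [(1.0 + i, "150.1.5.5") for i in range(23)]
        + [(301.0, "150.1.5.5")])

if __name__ == "__main__":
    print("default:")
    for m in simulate(HITS):
        print(" ", render(m))
    print("threshold 10:")
    for m in simulate(HITS, threshold=10):
        print(" ", render(m))
```

With the default settings the 23-packet burst is invisible until the interval expires; with the threshold it surfaces within the first ten packets. Logging on IOS is rate-limited, so under a real flood the packet counts should be read as a lower bound.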

Doc CD Navigation

  • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
  • IP Services Commands: access-class Through ip mask-reply
  • ip access-list log-update

Multicast/Broadcast conversion

August 23, 2008 at 3:25 pm | Posted in Multicast | Leave a comment

Lab12 Task 6.2

SW1 —–R1——-R3——-R2——SW2

SW1 is the multicast source. The segment between R3 and R2 is broadcast-only (no PIM), so R3 converts the multicast group to a directed broadcast and R2 converts it back to multicast.

Doc CD Navigation

  • Cisco IOS IP Multicast Configuration Guide, Release 12.4
  • Configuring an Intermediate IP Multicast Helper Between Broadcast-Only Networks
  • Configuration Examples for an Intermediate IP Multicast Helper Between Broadcast-Only Networks
  • Configuring an Intermediate IP Multicast Helper Between Broadcast-Only Networks: Example

Configuration

R1#
ip multicast-routing

interface Serial0/1
 ip address 129.1.13.1 255.255.255.0
 ip pim dense-mode

interface FastEthernet0/0
 ip address 129.1.17.1 255.255.255.0
 ip pim dense-mode

R3#
ip multicast-routing

interface Serial1/0
 ip address 129.1.13.3 255.255.255.0
 ip pim dense-mode
 ! multicast to 225.25.25.25 arriving here (UDP 31337 per ACL 125) is
 ! re-sent as a directed broadcast to 129.1.23.255
 ip multicast helper-map 225.25.25.25 129.1.23.255 125

interface Serial1/1
 ip address 129.1.23.3 255.255.255.0
 ! directed broadcasts are disabled by default (smurf amplification) and the
 ! helper-map needs them here; scoping the command with the same ACL
 ! ("ip directed-broadcast 125") limits what may be broadcast on this link
 ip directed-broadcast

! only UDP ports listed here are helper-forwarded
ip forward-protocol udp 31337
access-list 125 permit udp any any eq 31337

R2#
! multicast routing must be enabled on R2 as well (omitted in the original excerpt)
ip multicast-routing

interface FastEthernet0/0
 ip address 192.10.1.2 255.255.255.0
 ip pim dense-mode

interface Serial0/1
 ip address 129.1.23.2 255.255.255.0
 ip pim dense-mode
 ! broadcasts received here (UDP 31337) are converted back to multicast 225.25.25.25
 ip multicast helper-map broadcast 225.25.25.25 125

ip forward-protocol udp 31337
access-list 125 permit udp any any eq 31337

Verification:

! SW1 generates the test traffic: one UDP datagram to the group on port 31337 every 5 s
SW1#
ip sla 1
 udp-echo 225.25.25.25 31337 source-ip 129.1.17.7 source-port 31337 control disable
 timeout 1
 frequency 5
ip sla schedule 1 start-time now

Rack1R1#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 225.25.25.25), 00:27:02/stopped, RP 0.0.0.0, flags: D
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/1, Forward/Dense, 00:27:02/00:00:00

(129.1.17.7, 225.25.25.25), 00:27:02/00:02:57, flags: T
  Incoming interface: FastEthernet0/0, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/1, Forward/Dense, 00:27:02/00:00:00

(*, 224.0.1.40), 01:00:19/00:02:25, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/1, Forward/Dense, 00:59:36/00:00:00
    FastEthernet0/0, Forward/Dense, 01:00:19/00:00:00

! Disable fast switching on the inbound interface so the packets are process
! switched and therefore visible to "debug ip mpacket"
R1#
int fa0/0
 no ip mroute-cache

Rack1R1#deb ip mpacket
IP multicast packets debugging is on
*Mar  1 03:40:20.887: IP(0): s=129.1.17.7 (FastEthernet0/0) d=225.25.25.25 (Serial0/1) id=0, ttl=254, prot=17, len=44(44), mforward
*Mar  1 03:40:25.887: IP(0): s=129.1.17.7 (FastEthernet0/0) d=225.25.25.25 (Serial0/1) id=0, ttl=254, prot=17, len=44(44), mforward

Rack1R3#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 225.25.25.25), 00:51:15/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial1/0, Forward/Dense, 00:51:15/00:00:00

! L (Local): R3 itself has joined the group, which is what lets the helper-map
! receive the packets; the OIL is Null (P flag) because no PIM neighbor exists
! toward R2, so the packets leave only as the directed broadcast
(129.1.17.7, 225.25.25.25), 00:28:30/00:02:59, flags: PLTX
  Incoming interface: Serial1/0, RPF nbr 129.1.13.1
  Outgoing interface list: Null

(*, 224.0.1.40), 01:01:03/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial1/0, Forward/Dense, 01:01:04/00:00:00

Rack1R2#debug ip mpacket
IP multicast packets debugging is on
Rack1R2#debug ip packet detail 125
IP packet debugging is on (detailed) for access list 125

*Mar  1 03:44:15.127: IP: s=129.1.17.7 (Serial0/1), d=255.255.255.255, len 44, rcvd 2
*Mar  1 03:44:15.127:     UDP src=31337, dst=31337
*Mar  1 03:44:15.127: IP(0): s=129.1.17.7 (Serial0/1) d=225.25.25.25 (FastEthernet0/0) id=0, ttl=252, prot=17, len=44(44), mforward
*Mar  1 03:44:20.127: IP: s=129.1.17.7 (Serial0/1), d=255.255.255.255, len 44, rcvd 2
*Mar  1 03:44:20.127:     UDP src=31337, dst=31337
*Mar  1 03:44:20.127: IP(0): s=129.1.17.7 (Serial0/1) d=225.25.25.25 (FastEthernet0/0) id=0, ttl=252, prot=17, len=44(44), mforward

NAT with load-balancing

August 22, 2008 at 3:27 pm | Posted in NAT | 1 Comment

If we want telnet or HTTP traffic from the outside, addressed to a single virtual IP (or the WAN IP), to be load-balanced across multiple physical servers, we can use inside destination NAT with a rotary pool. Normally the pool is a consecutive range of physical addresses, but a non-consecutive set works as well, as shown here.

Configuration

SW1
|
|
|— R1 ——-(R3)Internet
|
|
SW2

! Rotary pool: new connections are handed to the pool members in turn.
! Two single-address ranges give a non-consecutive set.
ip nat pool SERVERS prefix-length 24 type rotary
 address 10.1.1.11 10.1.1.11
 address 10.1.1.22 10.1.1.22
! Only traffic matching TELNET (TCP/23 to the virtual address) is distributed;
! anything else sent to 13.0.0.1 still terminates on the router itself
ip nat inside destination list TELNET pool SERVERS
!
ip access-list extended TELNET
 permit tcp any host 13.0.0.1 eq telnet
!

interface Serial1/1
 ip address negotiated
 ip nat outside

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

Verification

R3#telnet 13.0.0.1
Trying 13.0.0.1 … Open

SW1>exit

[Connection to 13.0.0.1 closed by foreign host]
R3#telnet 13.0.0.1
Trying 13.0.0.1 … Open

SW2>exit

[Connection to 13.0.0.1 closed by foreign host]
R3#

R1#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 13.0.0.1:23        10.1.1.11:23       13.0.0.3:37754     13.0.0.3:37754
tcp 13.0.0.1:23        10.1.1.22:23       13.0.0.3:35071     13.0.0.3:35071

Doc CD Navigation

  • Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
  • Part 6: NAT
  • Configuring NAT for IP Address Conservation
  • Configuration Examples for Configuring NAT for IP Address Conservation
  • Avoiding Server Overload Using Load Balancing: Example

Tracking ip routing instead of interface line protocol

August 22, 2008 at 2:39 pm | Posted in IP Services | Leave a comment

When the WAN interface is a virtual one, such as a Dialer or Tunnel interface, the interface does not go down even when the WAN path is actually inactive (physical interface down, or the PPP session down).

In this case we should use object tracking instead of interface tracking, so that we track not only the line-protocol status (up/down) but also whether routing is possible through that interface, i.e. whether a connected route via that interface appears in "show ip route connected". For a more accurate picture of reachability through that interface, an IP SLA probe can track ping reachability to the backbone.

In the specific scenario of SHDSL and ADSL using PPP over a dialer interface, tracking IP routing is good enough. Here is a sample config (replace the Serial interface with the Dialer):

Configuration

R1#

interface Serial1/1
ip address negotiated
encapsulation ppp

track 100 interface Serial1/1 ip routing

interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
standby 1 ip 10.1.1.254
standby 1 priority 105
standby 1 preempt
standby 1 track 100

standby 2 ip 10.1.1.253
standby 2 preempt
standby 2 track 100

R2#

interface Serial1/1
ip address 23.0.0.2 255.255.255.0
encapsulation ppp

track 100 interface Serial1/1 ip routing

interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
standby 1 ip 10.1.1.254
standby 1 preempt
standby 1 track 100

standby 2 ip 10.1.1.253
standby 2 priority 105
standby 2 preempt
standby 2 track 100

R3#

interface Serial1/2
ip address 13.0.0.3 255.255.255.0
encapsulation ppp
! hands the PPP peer (R1) its WAN address via IPCP
peer default ip address 13.0.0.1

interface Serial1/3
ip address 23.0.0.3 255.255.255.0
encapsulation ppp

Verification:

We simulate a PPP negotiation failure by withholding the WAN IP that PPP (IPCP) would normally assign. The interface still shows up/up, yet the object tracker has already acted; plain interface tracking would not catch this. In the "show standby" output below, group 1 carries both kinds of tracking and the difference is visible side by side: the direct interface track reports Serial1/1 as Up while track object 100 reports Down, and only the latter has decremented the priority.

R1#sh ip int brief | ex unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
R1#sh ip int brief | in up
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial1/1                  unassigned      YES IPCP   up                    up

R1#show track 100
Track 100
  Interface Serial1/1 ip routing
  IP routing is Down (no ip addr)
    4 changes, last change 00:16:06
  Tracked by:
    HSRP FastEthernet0/0 1
    HSRP FastEthernet0/0 2

R1#show standby
FastEthernet0/0 - Group 1
  State is Standby
    6 state changes, last state change 00:16:14
  Virtual IP address is 10.1.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.604 secs
  Preemption enabled
  Active router is 10.1.1.2, priority 100 (expires in 9.440 sec)
  Standby router is local
  Priority 95 (configured 105)
    Track interface Serial1/1 state Up decrement 10
    Track object 100 state Down decrement 10
  IP redundancy name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 2
  State is Standby
    4 state changes, last state change 00:23:06
  Virtual IP address is 10.1.1.253
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.516 secs
  Preemption enabled
  Active router is 10.1.1.2, priority 105 (expires in 7.968 sec)
  Standby router is local
  Priority 90 (default 100)
    Track object 100 state Down decrement 10
  IP redundancy name is "hsrp-Fa0/0-2" (default)
