Topology used in this scenario:
R4 (S0/0/1) ---------------------(S0/0/1) R5
Requirement for the scenario:
Use AAA to authenticate PPP with RADIUS and, if RADIUS is not available, fall back to the local username database. R4 should do the authentication.
R4 Config:
aaa new-model
!
!
aaa authentication ppp TEST group radius local
username R5 password 0 cisco
interface Serial0/0/1
ip address 192.168.1.4 255.255.255.0
encapsulation ppp
ppp authentication chap TEST
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646
radius-server key test
R5 Config:
username R4 password 0 cisco
interface Serial0/0/1
ip address 192.168.1.5 255.255.255.0
encapsulation ppp
clock rate 2000000
ppp chap password 0 cisco
Testing to see if it works, using debugs to make sure RADIUS is tried first and the local database is used only after RADIUS fails.
debug ppp negotiation
debug radius authentication
debug aaa authentication
R4(config-if)#no shut
R4(config-if)#
*Apr 27 16:12:06.291: Se0/0/1 PPP: Outbound cdp packet dropped
*Apr 27 16:12:08.287: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 27 16:12:08.291: Se0/0/1 LCP: I CONFREQ [Closed] id 24 len 10
*Apr 27 16:12:08.291: Se0/0/1 LCP: MagicNumber 0x2A99F38C (0x05062A99F38C)
*Apr 27 16:12:08.291: Se0/0/1 LCP LCP: Missed a Link-Up transition, starting PPP
*Apr 27 16:12:08.291: AAA/BIND(0000879B): Bind i/f Serial0/0/1
*Apr 27 16:12:08.291: Se0/0/1 PPP: Using default call direction
*Apr 27 16:12:08.291: Se0/0/1 PPP: Treating connection as a dedicated line
*Apr 27 16:12:08.291: Se0/0/1 PPP: Session handle[9A0006E2] Session id[682]
*Apr 27 16:12:08.291: Se0/0/1 PPP: Phase is ESTABLISHING, Active Open
*Apr 27 16:12:08.291: Se0/0/1 PPP: Authorization NOT required
*Apr 27 16:12:08.291: Se0/0/1 LCP: O CONFREQ [Closed] id 222 len 15
*Apr 27 16:12:08.291: Se0/0/1 LCP: AuthProto CHAP (0x0305C22305)
*Apr 27 16:12:08.291: Se0/0/1 LCP: MagicNumber 0x2A40E8CA (0x05062A40E8CA)
*Apr 27 16:12:08.291: Se0/0/1 LCP: O CONFACK [REQsent] id 24 len 10
*Apr 27 16:12:08.295: Se0/0/1 LCP: MagicNumber 0x2A99F38C (0x05062A99F38C)
*Apr 27 16:12:08.295: Se0/0/1 LCP: I CONFACK [ACKsent] id 222 len 15
*Apr 27 16:12:08.295: Se0/0/1 LCP: AuthProto CHAP (0x0305C22305)
*Apr 27 16:12:08.295: Se0/0/1 LCP: MagicNumber 0x2A40E8CA (0x05062A40E8CA)
*Apr 27 16:12:08.295: Se0/0/1 LCP: State is Open
*Apr 27 16:12:08.295: Se0/0/1 PPP: Phase is AUTHENTICATING, by this end
*Apr 27 16:12:08.295: Se0/0/1 CHAP: O CHALLENGE id 132 len 23 from "R4"
*Apr 27 16:12:08.295: Se0/0/1 PPP: Outbound cdp packet dropped
*Apr 27 16:12:08.299: Se0/0/1 CHAP: I RESPONSE id 132 len 23 from "R5"
*Apr 27 16:12:08.299: Se0/0/1 PPP: Phase is FORWARDING, Attempting Forward
*Apr 27 16:12:08.299: Se0/0/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Apr 27 16:12:08.299: AAA/AUTHEN/PPP (0000879B): Pick method list 'TEST'
*Apr 27 16:12:08.299: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Apr 27 16:12:08.299: RADIUS/ENCODE(0000879B):Orig. component type = PPP
*Apr 27 16:12:08.299: RADIUS: AAA Unsupported Attr: interface [175] 11
*Apr 27 16:12:08.299: RADIUS: 53 65 72 69 61 6C 30 2F 30 [Serial0/0]
*Apr 27 16:12:08.303: RADIUS(0000879B): Config NAS IP: 0.0.0.0
*Apr 27 16:12:08.303: RADIUS/ENCODE(0000879B): acct_session_id: 1430
*Apr 27 16:12:08.303: RADIUS(0000879B): sending
*Apr 27 16:12:08.303: RADIUS/ENCODE: Best Local IP-Address 172.16.24.4 for Radius-Server 2.2.2.2
*Apr 27 16:12:08.303: RADIUS(0000879B): Send Access-Request to 2.2.2.2:1645 id 1645/31, len 86
*Apr 27 16:12:08.303: RADIUS: authenticator 47 FB E2 F2 D4 D7 92 4D - 87 17 CE 4D 5B 54 CE 81
*Apr 27 16:12:08.303: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Apr 27 16:12:08.303: RADIUS: User-Name [1] 4 "R5"
*Apr 27 16:12:08.303: RADIUS: CHAP-Password [3] 19 *
*Apr 27 16:12:08.303: RADIUS: NAS-Port [5] 6 10001
*Apr 27 16:12:08.303: RADIUS: NAS-Port-Id [87] 13 "Serial0/0/1"
*Apr 27 16:12:08.303: RADIUS: NAS-Port-Type [61] 6 Sync [1]
*Apr 27 16:12:08.303: RADIUS: Service-Type [6] 6 Framed [2]
*Apr 27 16:12:08.303: RADIUS: NAS-IP-Address [4] 6 172.16.24.4
*Apr 27 16:12:12.943: RADIUS: Retransmit to (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:17.263: %RADIUS-4-RADIUS_DEAD: RADIUS server 2.2.2.2:1645,1646 is not responding.
*Apr 27 16:12:17.263: %RADIUS-4-RADIUS_ALIVE: RADIUS server 2.2.2.2:1645,1646 is being marked alive.
*Apr 27 16:12:17.263: RADIUS: Retransmit to (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:18.287: Se0/0/1 CHAP: I RESPONSE id 132 len 23 from "R5"
*Apr 27 16:12:18.287: Se0/0/1 CHAP: Ignoring Additional Response
*Apr 27 16:12:18.303: Se0/0/1 AUTH: Timeout 1
*Apr 27 16:12:22.003: RADIUS: Retransmit to (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:26.867: RADIUS: No response from (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:26.867: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Apr 27 16:12:26.867: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Apr 27 16:12:26.867: Se0/0/1 PPP: Received LOGIN Response PASS
*Apr 27 16:12:26.867: Se0/0/1 PPP: Phase is FORWARDING, Attempting Forward
*Apr 27 16:12:26.867: Se0/0/1 PPP: Phase is AUTHENTICATING, Authenticated User
*Apr 27 16:12:26.867: Se0/0/1 CHAP: O SUCCESS id 132 len 4
*Apr 27 16:12:26.871: Se0/0/1 PPP: Phase is UP
*Apr 27 16:12:26.871: Se0/0/1 IPCP: O CONFREQ [Closed] id 1 len 10
*Apr 27 16:12:26.871: Se0/0/1 IPCP: Address 192.168.1.4 (0x0306C0A80104)
*Apr 27 16:12:26.871: Se0/0/1 CDPCP: O CONFREQ [Closed] id 1 len 4
*Apr 27 16:12:26.871: Se0/0/1 PPP: Process pending ncp packets
*Apr 27 16:12:26.871: Se0/0/1 IPCP: I CONFREQ [REQsent] id 1 len 10
*Apr 27 16:12:26.871: Se0/0/1 IPCP: Address 192.168.1.5 (0x0306C0A80105)
*Apr 27 16:12:26.871: Se0/0/1 IPCP: O CONFACK [REQsent] id 1 len 10
*Apr 27 16:12:26.871: Se0/0/1 IPCP: Address 192.168.1.5 (0x0306C0A80105)
*Apr 27 16:12:26.875: Se0/0/1 IPCP: I CONFACK [ACKsent] id 1 len 10
*Apr 27 16:12:26.875: Se0/0/1 IPCP: Address 192.168.1.4 (0x0306C0A80104)
*Apr 27 16:12:26.875: Se0/0/1 IPCP: State is Open
*Apr 27 16:12:26.875: Se0/0/1 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Apr 27 16:12:26.875: Se0/0/1 CDPCP: O CONFACK [REQsent] id 1 len 4
*Apr 27 16:12:26.875: Se0/0/1 CDPCP: I CONFACK [ACKsent] id 1 len 4
*Apr 27 16:12:26.875: Se0/0/1 CDPCP: State is Open
*Apr 27 16:12:26.879: Se0/0/1 IPCP: Install route to 192.168.1.5
*Apr 27 16:12:27.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R5 debugs, showing that it only sends the challenge response (R4 is the side doing the authenticating):
*Apr 27 16:00:58.935: Se0/0/1 PPP: Using default call direction
*Apr 27 16:00:58.935: Se0/0/1 PPP: Treating connection as a dedicated line
*Apr 27 16:00:58.935: Se0/0/1 PPP: Session handle[73000966] Session id[682]
*Apr 27 16:00:58.935: Se0/0/1 PPP: Authorization required
*Apr 27 16:00:58.939: Se0/0/1 PPP: No authorization without authentication
*Apr 27 16:00:59.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
*Apr 27 16:02:38.899: Se0/0/1 PPP: Authorization required
*Apr 27 16:02:38.907: Se0/0/1 PPP: No authorization without authentication
*Apr 27 16:02:38.907: Se0/0/1 CHAP: I CHALLENGE id 130 len 23 from "R4"
*Apr 27 16:02:38.907: Se0/0/1 CHAP: Using hostname from unknown source
*Apr 27 16:02:38.907: Se0/0/1 CHAP: Using password from AAA
*Apr 27 16:02:38.907: Se0/0/1 CHAP: O RESPONSE id 130 len 23 from "R5"
*Apr 27 16:02:48.883: Se0/0/1 AUTH: Timeout 1
*Apr 27 16:02:48.883: Se0/0/1 CHAP: Using hostname from unknown source
*Apr 27 16:02:48.883: Se0/0/1 CHAP: Using password from AAA
*Apr 27 16:02:48.883: Se0/0/1 CHAP: O RESPONSE id 130 len 23 from "R5"
*Apr 27 16:02:57.131: Se0/0/1 CHAP: I SUCCESS id 130 len 4
*Apr 27 16:03:38.515: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
*Apr 27 16:03:39.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
*Apr 27 16:03:43.823: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 27 16:03:43.823: Se0/0/1 PPP: Using default call direction
*Apr 27 16:03:43.823: Se0/0/1 PPP: Treating connection as a dedicated line
*Apr 27 16:03:43.823: Se0/0/1 PPP: Session handle[69000967] Session id[684]
*Apr 27 16:03:43.823: Se0/0/1 PPP: Authorization required
*Apr 27 16:03:43.827: Se0/0/1 PPP: No authorization without authentication
*Apr 27 16:03:43.831: Se0/0/1 CHAP: I CHALLENGE id 131 len 23 from "R4"
*Apr 27 16:03:43.831: Se0/0/1 CHAP: Using hostname from unknown source
*Apr 27 16:03:43.831: Se0/0/1 CHAP: Using password from AAA
*Apr 27 16:03:43.831: Se0/0/1 CHAP: O RESPONSE id 131 len 23 from "R5"
*Apr 27 16:03:53.843: Se0/0/1 AUTH: Timeout 1
*Apr 27 16:03:53.843: Se0/0/1 CHAP: Using hostname from unknown source
*Apr 27 16:03:53.843: Se0/0/1 CHAP: Using password from AAA
*Apr 27 16:03:53.843: Se0/0/1 CHAP: O RESPONSE id 131 len 23 from "R5"
*Apr 27 16:04:02.463: Se0/0/1 CHAP: I SUCCESS id 131 len 4
*Apr 27 16:04:03.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
*Apr 27 16:05:15.587: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
*Apr 27 16:05:16.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
*Apr 27 16:05:21.475: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 27 16:05:21.475: Se0/0/1 PPP: Using default call direction
*Apr 27 16:05:21.475: Se0/0/1 PPP: Treating connection as a dedicated line
*Apr 27 16:05:21.475: Se0/0/1 PPP: Session handle[A3000968] Session id[685]
*Apr 27 16:05:21.475: Se0/0/1 PPP: Authorization required
*Apr 27 16:05:21.483: Se0/0/1 PPP: No authorization without authentication
*Apr 27 16:05:21.483: Se0/0/1 CHAP: I CHALLENGE id 132 len 23 from "R4"
*Apr 27 16:05:21.483: Se0/0/1 CHAP: Using hostname from unknown source
*Apr 27 16:05:21.483: Se0/0/1 CHAP: Using password from AAA
*Apr 27 16:05:21.487: Se0/0/1 CHAP: O RESPONSE id 132 len 23 from "R5"
*Apr 27 16:05:31.475: Se0/0/1 AUTH: Timeout 1
*Apr 27 16:05:31.475: Se0/0/1 CHAP: Using hostname from unknown source
*Apr 27 16:05:31.475: Se0/0/1 CHAP: Using password from AAA
*Apr 27 16:05:31.475: Se0/0/1 CHAP: O RESPONSE id 132 len 23 from "R5"
*Apr 27 16:05:40.059: Se0/0/1 CHAP: I SUCCESS id 132 len 4
*Apr 27 16:05:41.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
**********************************************************************************
CHAP: I = CHAP input (received)
CHAP: O = CHAP output (sent)
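To turn the R4 debug above into something a monitoring system can flag, here is an added Python example (mine, not part of the original post) that walks the debug lines in order and tags each PPP login verdict with the method that actually produced it. The sample lines are a constructed, abridged copy of the R4 debug shown above. The point worth catching: a PASS that arrives after RADIUS_DEAD / "No response" was decided by the local username database, so the fallback itself is the event to alert on.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: an abridged copy of the R4 "debug radius authentication" /
# "debug ppp negotiation" lines shown above (same timestamps and ids).
SAMPLE_DEBUG = """\
*Apr 27 16:12:08.299: AAA/AUTHEN/PPP (0000879B): Pick method list 'TEST'
*Apr 27 16:12:08.303: RADIUS(0000879B): Send Access-Request to 2.2.2.2:1645 id 1645/31, len 86
*Apr 27 16:12:12.943: RADIUS: Retransmit to (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:17.263: %RADIUS-4-RADIUS_DEAD: RADIUS server 2.2.2.2:1645,1646 is not responding.
*Apr 27 16:12:22.003: RADIUS: Retransmit to (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:26.867: RADIUS: No response from (2.2.2.2:1645,1646) for id 1645/31
*Apr 27 16:12:26.867: Se0/0/1 PPP: Received LOGIN Response PASS
*Apr 27 16:12:26.871: Se0/0/1 PPP: Phase is UP
"""

# IOS debug timestamp, then the message; the year is absent, which is fine for deltas.
LINE_RE = re.compile(r"^\*(\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
VERDICT_RE = re.compile(r"^(\S+) PPP: Received LOGIN Response (PASS|FAIL)$")


@dataclass
class PppAuthEvent:
    interface: str
    outcome: str          # PASS or FAIL
    method: str           # "radius", "local-fallback" or "local"
    radius_wait_s: float  # seconds between the Access-Request and the verdict


def classify_ppp_auth(debug_text: str) -> list:
    """Tag every PPP login verdict with the method that produced it. A verdict
    that follows a dead or silent RADIUS server can only have come from the
    next method in the list, here the local database."""
    events = []
    request_at = None       # timestamp of the last Access-Request
    radius_failed = False   # set once the server is dead / gave no response
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        msg = m.group(2)
        if "Send Access-Request" in msg:
            request_at, radius_failed = ts, False
        elif "RADIUS_DEAD" in msg or "No response from" in msg:
            radius_failed = True
        else:
            v = VERDICT_RE.match(msg)
            if not v:
                continue
            wait = (ts - request_at).total_seconds() if request_at else 0.0
            if request_at is None:
                method = "local"            # RADIUS was never consulted
            elif radius_failed:
                method = "local-fallback"   # RADIUS asked, never answered
            else:
                method = "radius"
            events.append(PppAuthEvent(v.group(1), v.group(2), method, wait))
            request_at, radius_failed = None, False
    return events


def fallback_alerts(debug_text: str) -> list:
    """One human-readable alert per login decided by the fallback method."""
    return [f"{e.interface}: PPP login {e.outcome} via {e.method} after "
            f"{e.radius_wait_s:.3f}s waiting on RADIUS"
            for e in classify_ppp_auth(debug_text)
            if e.method == "local-fallback"]


if __name__ == "__main__":
    for alert in fallback_alerts(SAMPLE_DEBUG):
        print(alert)
```

On the sample this reports one PASS via local-fallback 18.564 s after the Access-Request, which is exactly what the debug shows: the link only came up once the local "username R5" entry answered the CHAP response, so the strength of that local password matters as much as the RADIUS one.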
Friday, April 27, 2012
Thursday, April 26, 2012
MQC FRTS w/ LLQ
I failed my lab and had a bad couple of days, to say the least. There is nothing more humbling than setting out to do something, putting your heart into it and coming up short.
One of the areas I realized I needed help in is QoS, and this post is about MQC FRTS (Frame Relay traffic shaping configured through the MQC).
I was totally lost on how to do this before tonight.
So let's say we were given a requirement to:
1) prioritize DSCP 46 (voice) traffic
2) give 10% of the remaining bandwidth to web traffic, which comes in marked with DSCP 32
3) shape our DLCI 402 to 512k, i.e. 512000 bps
I am no wizard; I referred to http://www.cisco.com/en/US/docs/ios-xml/ios/wan_frly/configuration/12-4t/wan-mqc-fr-tfshp.html#GUID-4FD565D0-CE2D-4066-B803-580EC0F6017B and INE's video on MQC FRTS before attempting this.
In order to accomplish this we will need multiple policy-maps, as well as a map-class frame-relay :)
See my setup below, which I built to test this out and learn.
class-map match-all web    ! IOS automatically rewrote "dscp 32" as cs4 when I entered it
match ip dscp cs4
class-map match-all voice
match ip dscp ef
!
!
policy-map LLQ
class voice
priority 32
class web
bandwidth remaining percent 10
policy-map QOS-MQC
class class-default
shape average 512000
service-policy LLQ
map-class frame-relay FRTS
service-policy output QOS-MQC
interface Serial0/0/0.200 multipoint
ip address 172.16.200.4 255.255.255.0
ipv6 address FE80::4 link-local
ipv6 address 200:123::4/64
ipv6 ospf network non-broadcast
ipv6 ospf 1 area 0
frame-relay map ip 172.16.200.1 401 broadcast
frame-relay map ip 172.16.200.2 402 broadcast
frame-relay map ipv6 FE80::1 401 broadcast
frame-relay interface-dlci 402
class FRTS
So, referring to the above config, let's talk about it.
First I created a parent policy-map named QOS-MQC:
- Inside class-default I configured shaping to 512000; nothing under frame-relay interface-dlci 402 will be able to transfer more than 512000 bps.
- I also called my child policy named LLQ, which references class voice and class web to match DSCP 46 (voice) and DSCP 32 (web).
- Next I configured map-class frame-relay FRTS and called our parent policy-map from it.
- Finally the map-class is applied to the interface DLCI (frame-relay interface-dlci 402 / class FRTS).
The next and most important thing I am learning is that we can't just configure something and then not test it; I think I went wrong here in the lab the first time around.
So I was thinking, ok, how can I test voice traffic, or traffic with a specific DSCP value, without having a device or traffic generator send it to me?
I learned there is a way to do it with an extended ping and set the ToS byte in the IP header. We need to convert our known DSCP value to a decimal number.
To do so, I saw online in a quick Google search that you can take your DSCP value and multiply by 4; this will be the value to put in the ToS byte in the ping.
Ok, while that works, I wanted a better understanding. Here is the way that helped me understand and, most importantly, verify I met the requirements of the task.
DSCP value 46 (used for voice in my lab)
DSCP value 32 (used for web traffic in my lab)
DSCP is the 6 most significant bits of the ToS byte (the last 2 bits are ECN).
Normal binary: 128 64 32 16 8 4 2 1 = 8 bits
DSCP, the 6 most significant bits: 32 16 8 4 2 1
So DSCP 46 would have these bits: 101110, or 32+8+4+2 = 46
Now write the number out as the full ToS byte (remember to add the last two zeros):
10111000 = 128+32+16+8 = 184
Now let's test!!
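Here is an added Python example (mine, not from the original post) that does the conversion above in both directions and also explains why IOS showed "cs4" when I typed dscp 32: the class-selector keywords are just the DSCP values whose low 3 bits are zero, and the AFxy keywords are the ones whose low 3 bits are 010, 100 or 110. It goes a little beyond the post in that it names any DSCP value, not only 46 and 32.

```python
def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """ToS byte = DSCP in the 6 high bits, ECN in the 2 low bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN is a 2-bit value (0-3)")
    return (dscp << 2) | ecn   # shifting left by 2 is the "multiply by 4" trick


def tos_to_dscp(tos: int) -> tuple:
    """Reverse: split a ToS byte back into (dscp, ecn)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte (0-255)")
    return tos >> 2, tos & 0b11


def dscp_name(dscp: int) -> str:
    """The keyword IOS prints for a DSCP value: ef, csN, afXY, or the raw number."""
    if dscp == 46:
        return "ef"
    if dscp == 0:
        return "default"
    cls, low = dscp >> 3, dscp & 0b111   # class selector bits / drop-precedence bits
    if low == 0:
        return f"cs{cls}"                 # 32 = 100 000 -> cs4
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low // 2}"       # e.g. 10 = 001 010 -> af11
    return str(dscp)


def place_values(tos: int) -> list:
    """Which of 128 64 32 16 8 4 2 1 are set, i.e. the sum written out above."""
    return [1 << i for i in range(7, -1, -1) if (tos >> i) & 1]


def explain(dscp: int) -> str:
    """One line per DSCP value in the same shape as the worked example above."""
    tos = dscp_to_tos(dscp)
    return (f"DSCP {dscp} ({dscp_name(dscp)}) = {dscp:06b} -> ToS byte {tos:08b} "
            f"= {'+'.join(map(str, place_values(tos)))} = {tos}")


if __name__ == "__main__":
    for d in (46, 32, 10):
        print(explain(d))
```

The value `explain(46)` prints is the 184 typed into the extended ping below, and `explain(32)` gives the 128 used for the web test.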
R4#ping
Protocol [ip]:
Target IP address:
% Bad IP address
R4#ping
Protocol [ip]:
Target IP address: 172.16.200.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 184 <------------------- ToS byte for DSCP 46 (10111000 in binary = 184 decimal)
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4#show poi
R4#
R4#
R4#|| now test web
^
% Invalid input detected at '^' marker.
R4#ping
Protocol [ip]:
Target IP address: 172.16.200.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 128 <-------------------------- ToS byte for DSCP 32 (10000000 in binary = 128 decimal)
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Output of show policy-map interface (notice the policy is applied only on DLCI 402 of the subinterface):
Serial0/0/0.200: DLCI 402 -
Service-policy output: QOS-MQC
Class-map: class-default (match-any)
140 packets, 14560 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 140/14560
shape (average) cir 512000, bc 2048, be 2048
target shape rate 512000
lower bound cir 0, adapt to fecn 0
Service-policy : LLQ
queue stats for all priority classes:
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 110/11440
Class-map: voice (match-all)
110 packets, 11440 bytes <----------Hits on simulated voice traffic, score!
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
Priority: 32 kbps, burst bytes 1500, b/w exceed drops: 0
Class-map: web (match-all)
10 packets, 1040 bytes <--------------Hits on simulated web traffic score!
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs4 (32)
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 10/1040
bandwidth remaining 10% (48 kbps)
Class-map: class-default (match-any)
20 packets, 2080 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 20/2080
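Two numbers in that output are worth being able to reproduce by hand: "bandwidth remaining 10% (48 kbps)" and "bc 2048" on a 512000 bps shaper. Here is an added Python example (mine, not part of the original post) that derives both from the policy-map above, so the show output can be checked against what the configuration was supposed to deliver.

```python
def llq_allocation(cir_bps: int, priority_kbps: dict, remaining_percent: dict) -> dict:
    """Bandwidth (bps) each class of a child LLQ policy is guaranteed when the
    parent class-default shapes to cir_bps. Priority classes come off the top;
    "bandwidth remaining percent" is a share of what is left after them."""
    priority_bps = {c: k * 1000 for c, k in priority_kbps.items()}
    left = cir_bps - sum(priority_bps.values())
    if left < 0:
        raise ValueError("priority classes exceed the shaped rate")
    if sum(remaining_percent.values()) > 100:
        raise ValueError("bandwidth remaining percent adds up to more than 100")
    out = dict(priority_bps)
    for c, pct in remaining_percent.items():
        out[c] = left * pct // 100
    # whatever no class claims is shared by class-default and the others on demand
    out["unallocated"] = left - sum(left * p // 100 for p in remaining_percent.values())
    return out


def shaper_interval_ms(cir_bps: int, bc_bits: int) -> float:
    """Tc, the interval at which the shaper refills Bc bits of credit: Bc / CIR."""
    return bc_bits / cir_bps * 1000


if __name__ == "__main__":
    # the QOS-MQC / LLQ policy above: shape 512000, priority 32, web remaining 10%
    print(llq_allocation(512000, {"voice": 32}, {"web": 10}))
    print(f"Tc = {shaper_interval_ms(512000, 2048):.1f} ms")
```

For the policy above this returns voice 32000 bps, web 48000 bps (10% of the 480000 bps left after the priority class), which is the 48 kbps the show output reports, and a Tc of 4 ms from bc 2048.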
Wednesday, February 29, 2012
MPLS L3VPN
Today I did a lab focused on MPLS L3 VPN. Today was the first day actually configuring this from scratch, so it was fun and a great learning experience. I ran into several snags along the way, but that's ok. (Sample topology attached.)
First task is to get the core (PE1, PE2, PE3, PE4) up and running. The first thing to decide on is which protocol we want to use to distribute the MPLS labels. By default I believe LDP is enabled now on recent versions of IOS. So on each of the PE routers I enabled LDP and configured the LDP router-id as the loopback of each router. Once I got that up, I figured ok, time to check that my LDP neighbor relationships come up. They did not!!!!
Took a trip to the good Doc CD and saw that when using loopbacks for LDP label distribution, we need to advertise that loopback in the network as a /32 host route only.
http://www.cisco.com/en/US/docs/ios-xml/ios/mp_ldp/configuration/12-4t/mp-ldp-overview.html#GUID-C5755CFC-818B-4A02-B35C-741A15E422EC
So now that I advertised the loopbacks, all of my LDP neighbor relationships were established. Next, I configured BGP AS 1 for the core and configured an iBGP full mesh in the core. Activated each of the neighbors in the vpnv4 address family and enabled send-community extended, so that the attributes could be exchanged across the MPLS cloud. When I enabled the neighbors in the vpnv4 AF, you no longer see them when using the sh ip bgp sum command. At first I thought, what happened to my neighbors? I ran show tcp brief and still saw the BGP sessions established (179) and my LDP sessions (646). Learned that when you have the neighbors configured in vpnv4, you need to use the sh bgp vpnv4 unicast all summary command, and they show up, phew!
Next I configured the VRFs CustomerA and CustomerB (along with the appropriate RDs and route-target imports/exports) and assigned them as per the diagram. Then I enabled the PE-CE routing, which was pretty straightforward. On the PE side, we need to redistribute from OSPF into BGP under the ipv4 address-family VRF config mode, so that the CE routes can transit the MPLS cloud and the remote customer site can import the route-target and get the routes in its routing table transparently.
Next was enabling BGP as the PE-CE protocol, and this screwed me up big time. I had it all configured perfectly except one command. For some reason, the 10.10.x.x routes were not making it across the VPN. I found after 2 hours that I needed to enable as-override. Essentially, for example, when SW4 sends an update to PE4, it's an eBGP update. When that traverses the MPLS cloud and is exported/imported toward SW2, SW2 denies it, as it sees its own AS 100 in the path. So on R1 and R4 we need to configure neighbor x.x.x.x as-override, and then the routes were exchanged. Painful lesson for sure, but now I will most likely remember it ;)
Monday, February 27, 2012
First graded lab 360 completed & Passed
Today I took my first graded lab in the Cisco 360. This was good, because now I was up against the clock as I would be in the real lab. I was able to pass with 83/100, and still, redistribution is tripping me up. For some reason I can't get my mind wrapped around it.
Most of the items in the lab I was able to complete without issue. There were a few times when I messed myself up. For example, one section for RIP asked to make sure that only unicast updates were being sent between the neighbors. I did everything right: 1. I made sure that the interfaces were passive in the RIP process. 2. Configured the neighbor statement on each side. I messed up on #2 because I configured the wrong IP address on one of the neighbor statements. Thank God I actually ran debug ip rip events to see one side was still sending multicast updates to 224.0.0.9, or else I would have lost points.
There was one BGP task that messed me up for a minute as well. It asked me to configure a summary address for 4 prefixes learned via my iBGP neighbor, which came from an external AS. The catch is, they wanted me to advertise this to a neighboring BGP AS, but it said to make it appear as if the routes came from the originating AS, and to do this with only a summary route, no specific subnets. At first I was going crazy thinking, ok, how can I send an eBGP update and make that AS think that the originating AS sent it? As you can imagine, that wasn't going too well. I took a quick glance at the Doc CD config guide and command reference and quickly saw the BGP as-set option. This is what I needed. The as-set option, when used with an aggregate address, will list the path in the eBGP update, showing the ASes that the update came through, and of course starting with the AS that sent it. So in the end aggregate-address x.x.x.x mask y.y.y.y as-set summary-only did the trick.
I knew this was the last task, and according to my calculations of the other tasks, I needed to get these 4 points to pass the lab. Sure enough, when I got the lab results, I got 83/100. Without these 4 points I would not have passed.
I am happy to have passed, but not satisfied. I need to be better, quicker, and not make some of the silly mistakes I am making.
Until next time :)
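Both the as-override lesson from the MPLS L3VPN post above and the as-set aggregate from this lab come down to what happens to the AS_PATH attribute, so here is one added Python example (mine, not from either post) that models both: the receiver's loop check that made SW2 drop the update, what as-override rewrites before the PE sends it, and how an aggregate built with as-set keeps the contributing ASes in the path. The AS numbers in the demo (PE AS 1, CE AS 100, a constructed upstream AS 200 and its neighbours 300/301) are placeholders for the lab's values.

```python
def as_override(as_path: list, ce_as: int, pe_as: int) -> list:
    """What "neighbor x.x.x.x as-override" does on the PE before it sends an
    update to the CE: every occurrence of the CE's own AS becomes the PE's AS."""
    return [pe_as if asn == ce_as else asn for asn in as_path]


def advertise_ebgp(as_path: list, local_as: int, peer_as: int, override: bool = False) -> list:
    """AS_PATH as it leaves an eBGP speaker: optional as-override, then the
    normal prepend of the local AS."""
    path = as_override(as_path, peer_as, local_as) if override else list(as_path)
    return [local_as] + path


def accept_ebgp(as_path: list, local_as: int) -> bool:
    """Receiver-side loop check: an update carrying my own AS is discarded."""
    return local_as not in as_path


def aggregate_as_set(contributing_paths: list) -> tuple:
    """AS_PATH of an aggregate built with "as-set": the leading ASes that all
    contributors share stay an ordered AS_SEQUENCE; every other AS any
    contributor passed through goes into one unordered AS_SET."""
    seq = []
    for asns in zip(*contributing_paths):
        if len(set(asns)) != 1:
            break
        seq.append(asns[0])
    rest = sorted({a for p in contributing_paths for a in p[len(seq):]})
    return seq, rest


if __name__ == "__main__":
    PE_AS, CE_AS = 1, 100            # placeholder ASNs; both customer sites use CE_AS
    from_sw4 = [CE_AS]               # SW4 originates a 10.10.x.x prefix toward PE4
    plain = advertise_ebgp(from_sw4, PE_AS, CE_AS)
    print("without as-override:", plain, "accepted by SW2:", accept_ebgp(plain, CE_AS))
    fixed = advertise_ebgp(from_sw4, PE_AS, CE_AS, override=True)
    print("with as-override:   ", fixed, "accepted by SW2:", accept_ebgp(fixed, CE_AS))
    # four prefixes learned via iBGP, all originated in AS 200 (constructed)
    print("aggregate as-set:", aggregate_as_set([[200], [200], [200, 300], [200, 301]]))
```

The first print shows the failure from the MPLS post: the update reaches SW2 as [1, 100] and SW2 rejects it because 100 is its own AS; with as-override the path becomes [1, 1] and it is accepted. The aggregate line shows why as-set satisfied the lab task: the originating AS 200 stays at the front of the path on the summary route instead of being hidden behind the aggregating router's own AS.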
Sunday, February 5, 2012
360 link layer labs
Today I did a 360 lab. All was ok until the last portion, where they wanted to obtain reachability from R1 to SW4 on the 172.16.100.x subnet, which as you see in the pic looks directly connected, but it's not.
The requirement was to configure the subinterface of R1 F0/0.1 to encapsulate in VLAN 999, and have reachability to the SW4 VLAN 1144 SVI.
The actual L2 flow is R1 (F0/1.1) -------- SW2 F0/1 -------- L2 trunk ------- SW4 (SVI VLAN 1144)
I configured R1 like so:
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 999 native
ip address 172.16.100.1 255.255.255.0
SW2 config f0/2:
interface FastEthernet0/1
description R1 port 0/1
switchport access vlan 1144
switchport mode access
I did it this way because when a router sub-interface is encapsulated in the native VLAN, its frames are sent untagged. My IP on the router is in the same VLAN as the SW4 SVI.
SW2 f0/2 is expecting only untagged frames (which we are sending, due to the native keyword on R1) and will place them in access VLAN 1144 (the same VLAN/broadcast domain as SW4), and we see that everything works.
The first ping failure is due to SW2 f0/2 not being configured just yet.
R1#ping 172.16.100.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.44, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 172.16.100.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Good learning. I saw a similar VoD in the 360 program that talked about this and had some doubts, but this clears it up.
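To make the "native = untagged" point concrete, here is an added Python example (mine, not from the original post) that builds Ethernet frames with and without an 802.1Q tag, parses the tag back out, and models what an access port and a trunk port do with each kind of frame on ingress. The MAC addresses are constructed, and the ingress model is a simplification I am assuming (an access port accepts only untagged frames; a trunk maps untagged frames to its native VLAN), not the full IOS behaviour.

```python
TPID_8021Q = 0x8100

# constructed MACs for the two ends of the lab path
R1_MAC = bytes.fromhex("001122334401")
SW4_MAC = bytes.fromhex("001122334444")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; an 802.1Q tag is inserted only when vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN id must be 1-4094")
        tci = (pcp << 13) | vid            # TCI = PCP(3) DEI(1) VID(12); DEI left 0
        hdr += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload


def parse_vlan_tag(frame: bytes) -> dict:
    """Return the tag (if any) and the real EtherType of a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vid": None, "pcp": None, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = int.from_bytes(frame[14:16], "big")
    return {"tagged": True, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": int.from_bytes(frame[16:18], "big")}


def ingress_vlan(frame: bytes, mode: str, access_vlan: int = None, native_vlan: int = 1):
    """Simplified switch-port ingress (assumption, see above): which VLAN does
    the frame land in? Returns None when this model drops the frame."""
    tag = parse_vlan_tag(frame)
    if mode == "access":
        return access_vlan if not tag["tagged"] else None
    if mode == "trunk":
        return tag["vid"] if tag["tagged"] else native_vlan
    raise ValueError("mode must be 'access' or 'trunk'")


if __name__ == "__main__":
    ipv4 = 0x0800
    # R1's sub-interface is "dot1Q 999 native", so what leaves F0/1.1 is untagged
    untagged = build_frame(SW4_MAC, R1_MAC, ipv4, b"\x45" + b"\x00" * 19)
    print("untagged frame on SW2 access port 1144 ->", ingress_vlan(untagged, "access", access_vlan=1144))
    # without "native" the same sub-interface would tag with 999 instead
    tagged = build_frame(SW4_MAC, R1_MAC, ipv4, b"\x45" + b"\x00" * 19, vid=999)
    print("tagged 999 frame on SW2 access port 1144  ->", ingress_vlan(tagged, "access", access_vlan=1144))
    print("tagged 999 frame on a trunk (native 1)    ->", ingress_vlan(tagged, "trunk", native_vlan=1))
```

The first print gives 1144, which is the whole trick: the untagged frame is placed in the access VLAN regardless of the 999 configured on R1. Drop "native" and the frame carries a 999 tag that the access port does not accept, which is the first failed ping in a different form.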
Monday, January 30, 2012
360 pre-assessment learning :(
Well, there were quite a few areas left for improvement after the pre-assessment.
I failed miserably in route summarization for all routing protocols :)
So I figured, since that stuck out so badly, I should focus on it.
So today I turned on GNS3 and played with it. On Router 5 (R5) I created 4 networks using loopback addresses:
20.20.1.1/24
20.20.2.1/24
20.20.4.1/24
20.20.8.1/24
Advertised these networks into OSPF:
router ospf 1
network 20.20.1.0 0.0.0.255 area 1
network 20.20.2.0 0.0.0.255 area 1
network 20.20.4.0 0.0.0.255 area 1
network 20.20.8.0 0.0.0.255 area 1
Now the fun part. I thought, OK, time to summarize, do the math.
As the 3rd octet is the focus, I just did the math there (third octet in binary):
20.20.1.1   third octet 1 = 00000001
20.20.2.1   third octet 2 = 00000010
20.20.4.1   third octet 4 = 00000100
20.20.8.1   third octet 8 = 00001000
Since the first 16 bits (20.20.x.x) are already fixed, we count how many further leading bits all four third octets share to determine the summary mask. The first four bits of the third octet (0000) are identical in all four networks, and the 5th bit is where they start to differ, so we can use 4 more bits. This leaves us with a 255.255.240.0 or /20 mask (16 bits for the 20.20 part of the network + 4 bits in our 3rd octet).
So the summary would be 20.20.0.0/20.
Next I applied the summary-address command under the OSPF process. This did not work, but I was like, how? I had just done the same test in RIP.
A good friend reminded me that summary-address is used for routes coming from an external AS.
So I changed it to use the area range command:
router ospf 1
area 1 range 20.20.0.0 255.255.240.0
Ah, yes, it worked. I apologize for not providing the working output; I closed GNS3 too quickly.
What I did find was interesting. When checking show ip route for my subnets, I found this summary also encompassed networks that I am not currently using. I did show ip route 20.20.9.0 all the way up to 20.20.15.0 and my summary matched these addresses even though I was not using them. Interesting, huh?
OK, so I was thinking, how is this happening? Reading more on this, you can summarize a range as long as ONE of the addresses in it is in the current routing table. Ah, OK. But why did the summary work for all of my addresses up to the non-existent 20.20.15.0, but not for 20.20.16.x?
I still was not sure until I looked at the binary:
20.20.1.1   third octet 1 = 00000001
20.20.2.1   third octet 2 = 00000010
20.20.4.1   third octet 4 = 00000100
20.20.8.1   third octet 8 = 00001000
It only summarized up to 20.20.15.0 because of the subnet mask boundary defined by my /20.
The first 4 bits of the third octet are fixed by the mask, leaving the remaining 4 bits to be covered by the summary. With all four of those bits set (1111) you get 15, so 20.20.15.0 is the highest /24 inside the summary; 20.20.16.0 (00010000) flips a bit inside the fixed part of the mask, so it falls outside the summary by one bit.
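As an added example (not part of the original post), the Python below redoes the summary math for the four R5 loopback networks and then lists which /24s the resulting /20 covers, showing why 20.20.15.0 is inside the summary and 20.20.16.0 is not. It uses only the standard ipaddress module; the network list is taken from the post.

```python
import ipaddress

# Added example (not from the original post): reproduce the summary math for
# the four loopback networks on R5 and check which /24s the /20 covers.
LOOPBACKS = ["20.20.1.0/24", "20.20.2.0/24", "20.20.4.0/24", "20.20.8.0/24"]

def third_octet_bits(network):
    """Binary form of the third octet, the octet the post focuses on."""
    addr = ipaddress.ip_network(network, strict=False).network_address
    return format(addr.packed[2], "08b")

def summarize(networks):
    """Smallest single prefix covering every network in the list.

    Same method as the hand calculation: keep shortening the mask until all
    network addresses agree on every masked bit, then use that mask.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    prefix = min(n.prefixlen for n in nets)  # a summary is never longer than this
    while prefix > 0:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if len({a & mask for a in addrs}) == 1:
            break
        prefix -= 1
    else:
        mask = 0  # nothing in common: only 0.0.0.0/0 covers them all
    return ipaddress.ip_network((addrs[0] & mask, prefix))

def covers(summary, network):
    """True if the summary route would also match this (possibly unused) network."""
    return ipaddress.ip_network(network, strict=False).subnet_of(summary)

def covered_slash24s(summary):
    """Every /24 the summary advertises, whether or not it exists on R5."""
    return [str(s) for s in summary.subnets(new_prefix=24)]

if __name__ == "__main__":
    for n in LOOPBACKS:
        print(n, third_octet_bits(n))
    s = summarize(LOOPBACKS)
    print("summary:", s)                                         # 20.20.0.0/20
    print("20.20.15.0/24 covered:", covers(s, "20.20.15.0/24"))  # True
    print("20.20.16.0/24 covered:", covers(s, "20.20.16.0/24"))  # False
    print("last /24 in summary:", covered_slash24s(s)[-1])       # 20.20.15.0/24
```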
Friday, January 27, 2012
Let's try this again
January 2012, really? I thought I'd be done with getting my CCIE by now, but as everyone knows, life never goes as we brilliantly planned :)
A lot has changed in the last two years. I am now working at Cisco in TAC and have enjoyed the experience. I have the ability to work on so many different platforms and learn so much. My primary area of focus at work, though, is LAN switching, so I like to think that helps me in my preparation for the CCIE R&S Lab exam.
I have recently been approved by my manager to attend an internal CCIE 360 program. It is not a 100% instructor-led class; in fact, I hear there is not very often any ILT. So I will get as much out of the program as I put into it. I intend to immerse myself in this opportunity that is coming free of cost; thanks, Cisco.
To brush up on my rusty CCIE-level lab skills, I decided last night to rent some time on Internetwork Expert's rack rental. I opted to work on Volume 3 Core Lab 3, which is essentially everything L2 (STP, VTP, VLAN, Frame Relay), L3 (RIPv2, EIGRP, OSPF, BGP) and then the dreaded route redistribution. Yes, that's right, I admit where I suck... lol... and right now that is route redistribution. I did everything just fine up to this point, and on the last task it killed me. I realized this morning that I forgot one command that would have made last night a total success. Oh well, it was still a success considering the learning experience I can take from it.
Tomorrow night I have my first CCIE 360 pre-assessment lab. This will include everything I did on the INE lab, but also IPv6, QoS, and Security. I hope that after removing the dust from my brain last night this goes smoothly. This is not pass/fail; it's more to see what areas I am strong in and what areas could use some improvement, which I'm sure are many.