ENSGRP

MPLS OSPF Loop Prevention

breakintheweb — Tue, 24 Apr 2012 16:13:24 +0000

The OSPF utilizes two methods of loop prevention when used as the PE-CE routing protocol.

OSPF Down-Bit (DN)
The DN bit is the most significant bit of the LSA options field. It’s use as the DN bit is specified in RFC 4576
The DN bit is set in type 3 LSAs sent from the PE router. Routers will not accept a Type 3, 5 or 7 LSA with the DN bit set. This effectively stops a Router from advertising a BGP learned route back in to BGP.

An issue can arise if you are using OSPF with a VRF on your CE router. Your CE router will learn prefixes from the PE router with the DN bit set and drop them. You can disable the loop prevention two ways. In newer IOSs, you can enable capability vrf-light under the ospf process on the CE router. This will disable the down bit checking.
router ospf 1 vrf [vrf_name] capability vrf-lite

If your CE device doesn’t support capability vrf-lite, you can change the domain-id on a PE router so they don’t match. This will cause the PE routers to generate type 5 LSA’s which don’t have the DN bit set. These LSA’s will instead have the domain-tag set which is identified below.

OSPF Domain-Tag
When OSPF is used as the PE-CE routing protocol, the OSPF utilizes a domain-tag for OSPF type 5 and 7 LSAs.

This tag is a 32 bit decimal value which is derived from the PE Routers BGP Autonomous System number(ASN). The 4 most significant are set to 1101 (RFC1745). You can read the RFC entry Here. The 16 least significant bits are set to the PE Routers ASN.

If a PE router learns a type 5 or 7 LSA with it’s own domain-tag, the route will be dropped.

The domain-tag can be manually set as follows.

router ospf [process_number] vrf [vrf_name] domain-tag [#] ! 32 bit value

You can see the domain tag by issuing the following:

PE2#sh ip ospf database | b External Type-5 AS External Link States Link ID ADV Router Age Seq# Checksum Tag 11.11.11.11 11.11.11.11 624 0x80000007 0x00FC7A 3489660941 11.11.11.11 22.22.22.22 651 0x80000007 0x00B199 3489660941 22.22.22.22 11.11.11.11 624 0x80000007 0x00014A 3489660941 22.22.22.22 22.22.22.22 651 0x80000007 0x00B569 3489660941
You can see the domain tag is set to 3489660941.

If you convert this number to binary you should get 11010000000000000000000000001101

Taking the 16 least significant bits you end up with 0000000000001101 which when converted to decimal gives you our ASN (13).

Note for 4byte asn numbers, the domain-tag will be set to the asn overlapping the 4 most significant bits if needed.

OSPF default route preference lab.

breakintheweb — Mon, 23 Apr 2012 01:10:28 +0000

The goal of this lab is for both BR1 and BR2 to both have an OSPF E2 default route learned from a HUB router.

BR1 should prefer the default from HUB 1 while BR2 will prefer the route via HUB 2. If either HUB is unreachable, the BR routers should have a OSPF E2 default route via the other hub.

The diagram is as follows (click to enlarge)

The issue with this design is the requirement for each branch to prefer a different hub default route. By default, they will learn equal cost paths to both hubs.

The base configurations are as follows.

BR1
interface FastEthernet0/0 bandwidth 100000 ip address 172.16.100.11 255.255.255.0 no shut end router ospf 1 log-adjacency-changes network 172.16.100.0 0.0.0.255 area 100

BR2
interface FastEthernet0/0 bandwidth 100000 ip address 172.16.100.12 255.255.255.0 no shut end router ospf 1 log-adjacency-changes network 172.16.100.0 0.0.0.255 area 100

HUB1
interface FastEthernet0/0 bandwidth 100000 ip address 172.16.100.1 255.255.255.0 not shut end router ospf 1 log-adjacency-changes network 172.16.100.0 0.0.0.255 area 100 default-information originate always

HUB2
interface FastEthernet0/0 bandwidth 100000 ip address 172.16.100.1 255.255.255.0 not shut end router ospf 1 log-adjacency-changes network 172.16.100.0 0.0.0.255 area 100 default-information originate always

At this point, you should have ospf neighbor associations between BR1<--->BR2 and HUB1<---->HUB2. If you don’t there is most likely a layer 2 issue, make sure you can ping Between these hosts.

Now for the layer 2 MPLS.

MPLS1
ip cef ! should already be enabled. This is just to make sure it is since mpls requires it int fa0/1 mpls ip int lo0 ip address 3.3.3.3 255.255.255.255 router eigrp 100 ! any routing protocol will do network 3.3.3.3 0.0.0.0 network 10.0.0.0 0.0.0.255 no auto-summary mpls ip mpls label protocol ldp ! should be the default. Again just to make sure.

MPLS2
ip cef ! should already be enabled. This is just to make sure it is since mpls requires it int fa0/1 mpls ip int lo0 ip address 4.4.4.4 255.255.255.255 router eigrp 100 ! any routing protocol will do network 3.3.3.3 0.0.0.0 network 10.0.0.0 0.0.0.255 no auto-summary mpls ip mpls label protocol ldp ! should be the default. Again just to make sure.
You should see see a log message showing ldp is up.

Now that LDP is up and we are exchanging labels, we need to configure layer 2 MPLS.

We need to first define a pseudo-wire class and then configure the cross connect under the interface using this pseudo-wire class.
MPLS1
pseudowire-class MPLS encapsulation mpls int fa0/0 xconnect 4.4.4.4 100 pw-class MPLS

MPLS2
pseudowire-class MPLS encapsulation mpls int fa0/0 xconnect 3.3.3.3 100 pw-class MPLS

You should see the xconnect as up/up.

At this point you should have full connectivity between both hubs and both branches.

Show the ospf routes for both branches.

So now we have the initial configurations done. Both routers are learning equal cost paths and installing them both in the routing table. The issue is, we want BR1 to only install the HUB1 default and BR2 to install the HUB2 default. We also want to ensure that if either HUB1 or HUB2 fails, the BRANCH routers will be able to install the default from the other HUB.

Think about how you would accomplish this task before scrolling to the solution below.

If we shut down HUB1′s fa0/0. We should see the default route to HUB2 on both routers.

————————————————————————————–

The solution is to use point-to-multipoint non-broadcast. When using point-to-multipoint, you can configure a neighbor and a cost to each neighbor on the branch routers. We use the Cisco proprietary point-to-multipoint non-broadcast mode to ensure the spokes don’t connect to each other.

The solution is as follows.

BR1
interface FastEthernet0/0 ip ospf network point-to-multipoint non-broadcast ip ospf hello-interval 1 ! we set the hello interval to speed up convergence router ospf 1 neighbor 172.16.100.1 cost 1 ! lower cost is preferred neighbor 172.16.100.2 cost 2
BR2
interface FastEthernet0/0 ip ospf network point-to-multipoint non-broadcast router ospf 1 neighbor 172.16.100.1 cost 2 neighbor 172.16.100.2 cost 1
HUB1
interface FastEthernet0/0 ip ospf network point-to-multipoint non-broadcast
HUB2
interface FastEthernet0/0 ip ospf network point-to-multipoint non-broadcast
You should see the ospf sessions reset. When they return, you should now only have one route on each branch.

If we shut down the fa0/0 interface on HUB1, you will see that BR1 now has a default route to HUB2.

Windows 7 802.1q Trunking

breakintheweb — Tue, 21 Feb 2012 15:04:34 +0000

Before you start reading a disclaimer.
This post is network adapter specific. I’m using a Dell E6420 Running Windows 7 with an Intel 82579LM wired adapter.

In lieu of having multiple pc’s to test, I thought it easier to use one workstation for my CCIE training.

My CCIE lab is local which makes this easier. I’m using wireless for my internet connection. My wired connection will be a trunk in to one of my lab switch ports. The wired link will be configured as a trunk which will allow multiple Virtual interfaces with different vlans.

By default, windows 7 uses an automatic interface metric which will usually prefer wired over wireless connections since wired speeds are higher. I want to set the wireless connection metric lower than the wired so my wireless connection is always preferred. This will ensure i don’t lose my internet connection if a gateway is received across the wired connection.

The metric is set under Control Panel\Network and Internet\Network Connections. Right click on your wireless adapter and click properties. Select Internet Protocol Version 4 and click properties. Almost there; now click the advanced button. Uncheck the automatic metric button and type 1 in the box. Here is an image showing the dialog windows.

The wireless metric can be verfied with the cmd command “netsh interface ip show interfaces”

The next step is to set the wired interface to trunking mode. You will need to go under device manager(click start and type “device manager”), under network adapters, double click your wired adapter. Under the adavanced tab you will see the following screen, ensure the Vlan setting is enabled. For my device, both Vlan and priority are set which is fine.

Next, click the vlan tab in the same dialog window. I’m going to enable vlan 6 on this trunk.

Click Okay and you will see a configuring screen. The computer is setting the vlan on the trunk and creating a virtual interface during this configuring screen.

I’m only configuring one vlan here for brevity. You can configure additional vlans. A virtual interface will be created for each vlan.

Going back under “Control Panel\Network and Internet\Network Connections” you will see a new Local Area Connection. This is the interface which represents our newly created Vlan6.

Right click and go to properties. You can see the name Ends with Vlan6.

Now click on configure which will open a new dialog. Click the settings tab and you can see VLAN6 is set for this virtual interface.

The switchport you plugin to will need to be set to trunking mode on. I’m using port 1/0/24 of my wired connection

interface GigabitEthernet1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
end

Embedded Event Manager and TCL

breakintheweb — Thu, 26 Jan 2012 13:26:54 +0000

Recently ine ran a challenge for EEM INE BLOG

I have yet to here anything from ine so I’m posting my code below.

############################################################################################
# CISCO TCL EEM syslog config autowrite
# Version 0.3
# 1/13/2012
# Justin Guagliata
# Copyright 2012 @ ensgrp.com
#
# Copy the script to Flash and enter the following two commands in config mode
# event manager directory user policy “flash:/”
# event manager policy SYSLOG_CONFIG.tcl
#
############################################################################################

############################################################################################
# Monitor SYSLOG output for the “SYS-5-CONFIG.*” pattern
# run with a low priority and nice
# Set a max execution time of 60 seconds

::cisco::eem::event_register_syslog occurs 1 pattern “SYS-5-CONFIG.*” maxrun 60 queue_priority low nice 1

############################################################################################
# Import the EEM Libraries to use in this TCL scipt

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

############################################################################################
# Set FTP server

set FTP_SERVER “10.0.0.1″

############################################################################################
# System variables

set ROUTER_NAME [info hostname]
set CUR_TIME_DATE [clock format [clock seconds] -format “%Y-%m-%d-%H%M%S”]

############################################################################################
# EEM – Opens a connection to the CLI

if [catch {cli_open} result] {
error $result $errorInfo
} else {
array set cli1 $result
}

############################################################################################
# EEM – Run CLI Commands

if [catch {cli_exec $cli1(fd) "enable"} result] {
error $result $errorInfo
}

############################################################################################
# Get Last user to change config.

if [catch {cli_exec $cli1(fd) "sh configuration id detail | inc Changed by user"} result] {
error $result $errorInfo
} else {
set cmd_output $result

set prompt [format "(.*\n)(%s)(\$config\[^\n\]*\$)?(#|>)” $ROUTER_NAME]
if [regexp "[set prompt]” $result dummy cmd_output] {
# do nothing, match will be in $cmd_output
} else {
# did not match router prompt so use original output
set cmd_output $result
}

# remove white space from output
set cmd_output [regexp -inline -all -- {\S+} $cmd_output]
# Remove the leading description by stripping the first 17 characters
# this leaves us just the username
set CURRENT_USER [string replace $cmd_output 0 17 ""]
}

############################################################################################
# If CURRENT_USER returns empty we know that the config was last written by this script
# For tacacs enviroments this will be changed to the eem user

if {$CURRENT_USER != “”} {
if [catch {cli_exec $cli1(fd) "config t"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "file prompt quiet"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "end"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "copy running-config tftp://$FTP_SERVER/$ROUTER_NAME.$CUR_TIME_DATE.$CURRENT_USER.working.cfg"} result] {
error $result $errorInfo
}
}
# Close open cli before exit.
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
error $result $errorInfo
} else {
exit 1
}

############################################################################################
# CISCO TCL EEM autowrite
# Version 0.4
# 1/13/2012
# Justin Guagliata
# Copyright 2012 @ ensgrp.com
#
# Copy the script to Flash and enter the following two commands in config mode
# event manager directory user policy “flash:/”
# event manager policy autowrite.tcl
#
############################################################################################

############################################################################################
# Register EEM for the following patterns “wr.*|wr.* mem.*|copy ru.* st.*”
# This policy is run
# Set a max execution time of 60 seconds

::cisco::eem::event_register_cli pattern “wr.*|wr.* mem.*|copy ru.* st.*” sync yes maxrun 60