Archive for the ‘Uncategorized’ Category

Multiple Area OSPF Networks on Cisco – Part 1 of 2

Sunday, January 18th, 2009

Multi-area OSPF networks are widely used; in this article I am going to show some of the logic behind them. I will write a series of all of 2 (yay!) posts about multiple area OSPF over the next couple of weeks. Stay tuned!

A single area can be considered a subset of a larger autonomous system.

What are the benefits of splitting a network up into multiple areas?

You can solve situations like these:

  1. Every time a route flaps, it triggers a full shortest-path-first (SPF) calculation on every router in that area.
    This causes high CPU utilization that could be used for something more productive. With multiple areas the flap is contained: routers in other areas only see a changed summary and do not have to recompute their own area's topology.
  2. The routing table is getting too large, and equipment that can hold fewer IPv4 routes will have trouble operating. Areas let the ABR summarize, so the other areas carry one route instead of many.
  3. The link-state topology table (we will get back to this) is getting unmanageable, because every router in an area must hold the complete link-state database for that area.

Terms and definitions
There are some terms and definitions that you should know:

  1. Backbone area / transit area / area 0
    This refers to the area with area ID 0, the group of routers acting as the main path for traffic between OSPF areas. It is often called the transit area, although strictly speaking a transit area is any area that a virtual link passes through.
  2. ABR
    Area Border Router: a router connected to area 0 and to at least one other area. It keeps a separate link-state database for each area it belongs to, and it is where summarization and the stub-area default route are configured.
  3. ASBR
    Autonomous System Border Router: a router that sits between the OSPF network and another routing domain, for example BGP or IGRP, and redistributes routes from it into OSPF as external routes.
  4. IR
    Internal router: a router with all its interfaces in a single area.

You should be familiar with terms like LSU, LSA and the different LSA types.

This IMPORTANT rule applies to multi-area OSPF networks:
Every area must be connected to area 0. If it is impossible to connect an area physically to area 0, you can use a virtual link to create a logical path through another (normal, non-stub) area so that the area can reach the backbone. Treat a virtual link as a repair rather than a design: it makes the remote area depend on the transit area staying up.

Different area types

  1. Standard/normal area
    A default route (0.0.0.0/0) is not generated by routers in a normal area unless you ask for it, but it can be forced with this command under router ospf:

    Router(config-router)# default-information originate always

    Without the always keyword the default is only advertised while the router actually has a default route in its own routing table; with always it is advertised unconditionally, which will blackhole traffic if that router loses its exit. Normal areas (like in single-area setups) receive external routes (Type 5 LSAs), inter-area summaries (Type 3 LSAs) and all link updates for their own area.

  2. Stub area
    A stub area does not receive external routes (Type 5 LSAs), but it does receive intra-area routes, inter-area routes and a default route that the ABR injects to cover the externals. Every router in the area must be configured as stub, otherwise adjacencies will not form.

  3. Totally stubby area
    This area receives neither summary routes from other areas nor external routes. To reach anything outside the area it always uses the default route (0/0) injected by the ABR. This is a Cisco extension; the "no summaries" behaviour is configured on the ABR only, and the internal routers are configured as plain stub.
  4. Not So Stubby Area (NSSA)
    This is a stub area that is allowed to contain its own ASBR. External routes from that ASBR are carried inside the NSSA as Type 7 LSAs and translated into Type 5 LSAs by the ABR before being flooded into the rest of the OSPF network; external routes from outside the area are still kept out.

  5. Backbone area
    ..or "transit area", always has area ID 0; every other area must have a link to area 0, either physically or via a logical virtual link.
Those are the area types; they are all defined under the router ospf configuration.

Periodic LSA refresh
Every 30 minutes each OSPF router re-floods the LSAs it originated in so-called LSUs (Link State Updates), even when nothing has changed, so that every router in the area keeps an identical link-state database and no LSA ages out. These LSUs are received by the other routers and flooded across the area until all the routers agree about the current link-state database.

Network events and LSA flooding
When an event happens, for example an interface goes down, the router describes the change in an LSA and sends it inside an LSU packet. On a multi-access network (Ethernet) the LSU goes to 224.0.0.6, the multicast address listened to by the DR and BDR; the DR in turn floods it out on all its active interfaces to 224.0.0.5, the address that all OSPF routers listen on, and each receiving router does the same on its other interfaces until the network agrees about the topology and is so called 'converged'. On point-to-point links there is no DR, so the LSU goes straight to 224.0.0.5. Each router acknowledges what it receives, so a lost LSU is retransmitted rather than silently missed.

In my next post I will cover the configuration, route summarization and the LSA types.

Have a nice OSPF Sunday!
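The area types and the virtual-link rule described above, as an added configuration example that is not part of the original post: a backbone, a normal area carrying a virtual link, a stub area, a totally stubby area and an NSSA with its own ASBR. The router IDs, the 10.x.0.0/24 networks, the default next hop 10.0.0.254 and OSPF process number 1 are assumptions.

```cisco
! Added example, not from the post. Router IDs, the 10.x.0.0/24 networks
! and process number 1 are assumptions. Each "router ospf" stanza below
! belongs to a different router; within an area every router must agree
! on the area type or adjacencies will not form.
!
! ---- ABR1: backbone, normal area 1 (transit) and stub area 2 ----
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 1
 network 10.2.0.0 0.0.0.255 area 2
 ! Stub: Type 5 LSAs stay out; this ABR injects 0.0.0.0/0 as a Type 3 LSA.
 ! Internal routers in area 2 carry "area 2 stub" as well.
 area 2 stub
 ! Virtual link across area 1 to ABR2 (router-id 2.2.2.2), which has no
 ! physical interface in area 0. The transit area must be a normal area.
 area 1 virtual-link 2.2.2.2
!
! ---- ABR2: area 1 and totally stubby area 3; backbone via the virtual link ----
router ospf 1
 router-id 2.2.2.2
 network 10.1.0.0 0.0.0.255 area 1
 network 10.3.0.0 0.0.0.255 area 3
 area 1 virtual-link 1.1.1.1
 ! no-summary goes on the ABR only: it also blocks Type 3 summaries, so
 ! routers inside area 3 see their own area plus the default route.
 area 3 stub no-summary
!
! ---- IR inside area 3: plain stub, the ABR does the no-summary part ----
router ospf 1
 router-id 3.3.3.3
 network 10.3.0.0 0.0.0.255 area 3
 area 3 stub
!
! ---- ABR3: backbone and NSSA area 5 ----
router ospf 1
 router-id 5.5.5.5
 network 10.0.0.0 0.0.0.255 area 0
 network 10.5.0.0 0.0.0.255 area 5
 ! Externals from the ASBR inside area 5 arrive as Type 7 LSAs and are
 ! translated to Type 5 here; externals from the rest of the network are
 ! not flooded into the NSSA.
 area 5 nssa
!
! ---- ASBR inside area 5, redistributing a non-OSPF connected network ----
router ospf 1
 router-id 5.5.5.6
 network 10.5.0.0 0.0.0.255 area 5
 area 5 nssa
 redistribute connected subnets
!
! ---- Default route for the normal areas, on the router that owns the exit ----
ip route 0.0.0.0 0.0.0.0 10.0.0.254
router ospf 1
 router-id 9.9.9.9
 network 10.0.0.0 0.0.0.255 area 0
 ! Without "always" the default is advertised only while this router has
 ! a 0.0.0.0/0 in its routing table, which is the safer behaviour.
 default-information originate
```

To check the result, `show ip ospf` lists each area with its type, `show ip ospf virtual-links` should report the link between 1.1.1.1 and 2.2.2.2 as up, and `show ip route ospf` on the area 3 router should show nothing but its own area's networks plus an `O*IA 0.0.0.0/0` default pointing at ABR2.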

A Word About BGP Bogons Filtering

Tuesday, December 9th, 2008

BGP4 filtering is important, but how do you keep track of the prefixes and actively filter on them?

It has been a while since my last blog post now, it’s partly because I have been (honestly) pretty lazy lately, yes, I have been trying to cool down on all my working because I started to get some problems with keeping track of my own feelings.
..and also because I have been trying to spend a little more time with the girl that actually can stand living with such a busy internet lunatic, we went to see the Norwegian setup of the musical Grease and also a Norwegian talk show named Senkveld, and along with all the xmas preparations and that it has been kind of hectic, but very very nice.
While I am still talking freely here, why is it that while I can see people reading around, I never see any comments from you guys?

Anyways, enough with the excuses and all that – on with the show, right?
[*APPLAUSE*]

The point of this post is to describe the problem of bogon IPv4 (and probably IPv6 too, I haven't looked at that yet) prefixes being announced into the Internet, and of Internet Service Providers accepting these prefixes and adding them to their routing tables. The worst case scenario would be something like spam from 127.0.0.1.

But, what are bogons.. or bogon prefixes?
I am glad to be asked that question sometimes, it is good; it shows that someone paid attention.
Bogon prefixes are address blocks that should never appear in the global routing table: unallocated prefixes, RFC1918 private networks and the other reserved ranges (loopback, link-local, multicast and so on).

The assignment process for IPv4 is roughly like this:

  1. IANA allocates a block of IPv4 addresses (usually a /8) to a Regional Internet Registry, e.g. RIPE.
  2. The RIR then makes sub-allocations of this block to a LIR, a Local Internet Registry (e.g. your ISP).

The ISP can then announce this IPv4 prefix into the BGP table on the Internet.
All these IANA-to-RIR assignments are public information; Team Cymru (cymru.com) publishes a regularly updated list of what is still reserved or unallocated.

The problem with bogons
The problem arises when networks listed as RESERVED or UNALLOCATED in that list are announced anyway and start producing Internet traffic. Nobody owns them, so there is nobody to complain to, and the source can never be traced back to a real customer.
For example, if you want to send out totally anonymous spam, what could you possibly do to ISPs without proper filtering?
Yeah, you could announce 192.168.0.0/22 and start spamming from addresses in 192.168.1.0/24.

Do you keep track of every announcement ever made to you? (If so, how do you do it?)
I run a quagga router which also sees all announcements to our network and logs these to a logfile, and I am interested to hear about other solutions; I know there are some Java based applications.

To be consistent: you do not want bogons announced to you, and you do not want to accept bogon networks and start routing traffic to them. Filter in both directions, because a bogon leaking out of your own network is just as bad as one you accept.

How to fix?
There's a bogon prefix-list that Team Cymru maintains that is very useful for Cisco enthusiasts like me.
They have also constructed a secure BGP template.
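An added example of what such a filter looks like on Cisco IOS; it is not the post's or Team Cymru's code, and the ranges below are only a hand-picked subset of well-known reserved space, not a complete bogon list (that comes from Team Cymru and changes as space gets allocated). The peer 10.0.0.2, the ASNs 65400/65500 and 203.0.113.0/24 standing in for your own allocation are assumptions.

```cisco
! Added example, not the post's or Team Cymru's code. The peer 10.0.0.2,
! ASNs 65400/65500 and 203.0.113.0/24 (standing in for your own
! allocation) are assumptions.
!
! Inbound: drop a hand-picked subset of well-known reserved ranges (a
! complete, current list comes from Team Cymru), drop our own space, and
! drop anything longer than a /24. "le 32" catches every more-specific.
ip prefix-list bogons-in seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons-in seq 10 deny 10.0.0.0/8 le 32
ip prefix-list bogons-in seq 15 deny 127.0.0.0/8 le 32
ip prefix-list bogons-in seq 20 deny 169.254.0.0/16 le 32
ip prefix-list bogons-in seq 25 deny 172.16.0.0/12 le 32
ip prefix-list bogons-in seq 30 deny 192.0.2.0/24 le 32
ip prefix-list bogons-in seq 35 deny 192.168.0.0/16 le 32
ip prefix-list bogons-in seq 40 deny 224.0.0.0/3 le 32
ip prefix-list bogons-in seq 45 deny 203.0.113.0/24 le 32
ip prefix-list bogons-in seq 100 permit 0.0.0.0/0 le 24
!
! Outbound: only our own aggregate leaves. Everything not listed hits the
! implicit deny at the end of the list, so a leaked customer or IGP route
! cannot escape by accident.
ip prefix-list ours-out seq 5 permit 203.0.113.0/24
!
router bgp 65400
 neighbor 10.0.0.2 remote-as 65500
 neighbor 10.0.0.2 prefix-list bogons-in in
 neighbor 10.0.0.2 prefix-list ours-out out
 ! Tear the session down if the peer sends far more than a full table.
 neighbor 10.0.0.2 maximum-prefix 300000
```

After changing a prefix-list on a live session, apply it with `clear ip bgp 10.0.0.2 soft in` (or `soft out`) rather than a hard reset, and use `show ip bgp neighbors 10.0.0.2 advertised-routes` to confirm that nothing but your aggregate leaves. Prefix filtering stops bogon routes; it does not stop packets with bogon source addresses arriving over valid routes, so pair it with `ip verify unicast source reachable-via rx` on customer-facing interfaces.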

So let us hope maybe there’s at least one extra bogon filter in place tomorrow, and let me know about it!

Usefull and Free Network Management and Monitoring Software

Monday, September 29th, 2008

Thought I would take a quick look at popular and good software for networking personnel.

Graphing

  1. RRDtool is widely deployed for graphing usage. It can be used to make graphs like the ones I have at www.arpa.no, and a lot of software makes use of RRDtool to do its graphing, like Munin.
  2. MRTG is often used for simple graphing, but it can also be configured to make use of RRDtool for nicer graphs.
  3. SmokePing is also written by Tobias Oetiker, and it is used to make pretty cool graphs of round-trip times and packet loss.
  4. Cacti is a whole graphing frontend for RRDtool; it is very powerful, but I also often find it very complex for small, simple tasks.
  5. Munin is very nice for simple graphing tasks, and it is what I use to make the graphs on arpa.no; it of course uses RRDtool. It is a Norwegian project, developed by Linpro.

Monitoring

  1. Nagios is widely deployed for monitoring purposes. It can be very hard to get working, but when it works it monitors for outages, TCP ports down, and any other suspect half-states things can end up in. I have found Nagios very reliable, and I even developed a plugin for doing a handshake with RTMP servers like Wowza or Red5, because my workplace sells those kinds of services.
  2. Snort is an intrusion detection system that can be used to monitor for suspicious network activity; it can recognize DDoS, port scans, etc.

Analyze

  1. flow-tools can be used to receive and analyze NetFlow data from Cisco and Juniper routers.
  2. FlowScan can be used to make pretty graphs from NetFlow data collected by the cflowd tool.

Other cool utilities

  • MTR is an interactive traceroute application, very useful.
  • I am currently developing a new Network Management System, and I am hoping that it will be released in 2008. It will be open source, so I guess it might be of interest!

Which ones did I forget, which tools do you use?

Using 'archive' to archive working cisco configurations

Saturday, September 20th, 2008

Do you have backups of your working configurations?

Just a short weekend post, now that you have time to go over your configuration backups.
You can use the Cisco 'archive' command in global configuration mode to let the Cisco switch or router automatically save backups of your configuration file to a TFTP, FTP, HTTP, HTTPS, SCP or RCP filesystem. Keep in mind what is in that file: SNMP communities, routing-protocol keys and password hashes. TFTP and plain FTP/HTTP carry it across the network in clear text with no authentication, so use SCP or HTTPS where you can, and lock the backup server down either way.

To configure automatic backup to, for example, a TFTP server on every write-memory, just do this:

Switch(config)# archive
Switch(config-archive)# path tftp://10.0.0.1/ciscobackups/Switch
Switch(config-archive)# write-memory

The switch or router will now automatically archive a copy of your running configuration on 10.0.0.1 each time you save it.

You can use show archive to verify the backups:

Switch# show archive
The next archive file will be named tftp://10.0.0.1/ciscobackups/Switch-3
 Archive #  Name
   0        tftp://10.0.0.1/ciscobackups/Switch-1
   1        tftp://10.0.0.1/ciscobackups/Switch-2 <- Most Recent

And you can also use the EXEC command 'configure replace' to roll back to one of the archived configuration files.

Have a nice weekend punching out archives!
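The same feature with the settings a practitioner would actually want, as an added example that is not from the original post: archiving over SCP instead of TFTP, timestamped file names, a time-based schedule in addition to write-memory, and the rollback commands. The SCP server 10.0.0.1, the account 'backup' with its password and the directory are assumptions.

```cisco
! Added example, not from the post. The SCP server 10.0.0.1, the account
! 'backup', its password and the directory are assumptions.
archive
 ! $h expands to the hostname and $t to a timestamp, so files from several
 ! devices can share one directory without overwriting each other.
 path scp://backup:S3cret@10.0.0.1/ciscobackups/$h-$t
 ! Archive on every 'write memory' and at least once a day (minutes),
 ! keeping the last 14 entries in the box's archive list.
 write-memory
 time-period 1440
 maximum 14
!
! Rolling back (EXEC mode). "list" shows the commands that will be
! applied first, and "time 5" reverts the whole rollback after five
! minutes unless you confirm it, which saves you when the archived
! config locks you out of the box:
!   configure replace scp://backup:S3cret@10.0.0.1/ciscobackups/<name from show archive> list time 5
!   configure confirm
```

The credentials in the path end up in the running configuration, and therefore in every archive, so give the backup account nothing beyond write access to that one directory, and check `show archive` after the first scheduled run to confirm the transfer actually worked.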

Routing – Understanding And Tweaking the CAM

Thursday, September 18th, 2008

If you don't pay attention to the CAM, your network could face serious problems.

What is the CAM and Why is it important?
CAM is short for Content-Addressable Memory and is a type of memory built for high-speed searching: you present the content you are looking for and the memory returns where it is stored, in a single operation. Other names are associative memory or, when programming, associative arrays. Routers use the ternary variant, TCAM, which can also match "don't care" bits; that is what makes longest-prefix lookups and ACL matching possible in hardware.

The CAM makes it possible to make forwarding decisions in hardware instead of bothering the CPU: routes are placed in the CAM so that the linecard ASIC or FPGA can look up which interface to send the packet out on more or less directly from the memory. This decreases forwarding latency drastically and makes wire-speed performance possible.

Imagine how your router would perform without this now..

OK, Why is it important?
Because every router has a limited amount of this memory, and it has to hold IPv4 routes, IPv6 routes, ACLs and everything else you do (or want to do) in hardware.
This makes partitioning of this memory important.

There are different ways of doing this, but it mostly involves a reload of the router.

CAM Profiles
On Foundry routers it's called CAM profiles, here are the basics:

The Internet routing table now has about 260K prefixes, so you should worry.

To check my CAM usage I use:

show cam-partition usage

On a Cisco 6500/7600 switch, you could use

show tcam details

When there is no more CAM space for a route, the route is not programmed in hardware: depending on the platform, the destination becomes unreachable or its packets are punted to the CPU, which is slow enough to take the whole box down under real traffic.
So pay attention to your CAM/TCAM. :-)
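For the Cisco side, an added example (not from the post) of checking how the FIB TCAM is partitioned and repartitioning it in favour of IPv4. It assumes a Catalyst 6500/7600 with a PFC3 supervisor; the defaults and limits differ by PFC revision, so check the documentation for your own hardware first.

```cisco
! Added example, not from the post. Assumes a Catalyst 6500/7600 with a
! PFC3 supervisor; limits and defaults differ by PFC revision, so check the
! documentation for your hardware before changing the partition.
!
! 1. How is the shared FIB TCAM split today, and how much of it is in use?
show mls cef maximum-routes
show mls cef summary
!
! 2. Give IPv4 a larger share (values are in thousands of routes). The
!    space comes out of the IPv6/MPLS share, and the new partition only
!    takes effect after a reload, so schedule a maintenance window.
configure terminal
 mls cef maximum-routes ip 768
 end
write memory
reload
```

Compare the number from `show mls cef summary` with the current size of the Internet table before the next big growth spurt, not after the box starts dropping routes; by then the only fix is the reload.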

Restrict SNMP Access With Views in Cisco IOS

Wednesday, September 17th, 2008

Would you ever let your customers pull SNMP from you?

Short but hopefully interesting post today, I've been at a night course and I am pretty tired.
I found this by accident once, and it is very handy!
For example for stopping the smart technicians from snmpwalking your BGP router and going to lunch!

You can restrict access to certain MIBs with SNMP views.
This is a quick and dirty example of SNMP view usage. Two details matter: the view must be defined with at least one included subtree, otherwise it is empty and the community returns nothing at all, and on the community line the documented order puts the view keyword before ro:

snmp-server view secretview iso included
snmp-server view secretview ifMIB excluded
snmp-server community secret view secretview ro

Clients using the community 'secret' can now walk everything under iso except ifMIB. Note that ifMIB (1.3.6.1.2.1.31) is the newer interface MIB with ifXTable; the classic interface table lives under interfaces (1.3.6.1.2.1.2), so exclude that as well if the point is to hide the interface list entirely.

These are just the basics of snmp views in IOS! Play around with it!
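The customer scenario from the opening question, as an added example that is not from the original post: a customer community that can see only system information and interface counters, a source ACL so nobody else can even talk SNMP, and SNMPv3 for the operations team instead of a clear-text community. The view and group names, ACL 10, the management host 10.0.0.50 and the passphrases are assumptions.

```cisco
! Added example, not from the post. View and group names, ACL 10, the
! management host 10.0.0.50 and the passphrases are assumptions.
!
! Only the NMS may talk SNMP at all; log anything else that tries.
access-list 10 permit host 10.0.0.50
access-list 10 deny any log
!
! Customer-facing view: system info and interface counters, nothing else.
! Subtrees that are not 'included' are invisible, so bgp, ip and the rest
! of mib-2 stay hidden without having to list them one by one.
snmp-server view customer system included
snmp-server view customer interfaces included
snmp-server view customer ifMIB included
snmp-server community cust-ro view customer ro 10
!
! The operations team gets the full tree, but over SNMPv3 with
! authentication and encryption rather than a community string that
! crosses the wire in clear text.
snmp-server view full iso included
snmp-server group ops v3 priv read full access 10
snmp-server user noc ops v3 auth sha Auth-Pass-Here priv aes 128 Priv-Pass-Here
!
! Remove the defaults that ship on too many boxes, the read-write one first.
no snmp-server community private
no snmp-server community public
```

Verify from the NMS with an snmpwalk against each community or user: the customer one should stop after ifMIB, the v3 user should return the full tree, and a walk from any other source address should get no answer while the ACL logs the attempt. The v3 user line is not shown in `show running-config`, so record the user and group names elsewhere.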

Route overlaps, it's dangerous!

Sunday, September 14th, 2008

Just wanted to tell you that I added a new page, it's an IP subnet calculator tool.

It works with IPv4 and IPv6 addresses, just remember to add the network length at the end (/24 for a 255.255.255.0 mask).

The danger with dynamic routing is the possibility of route overlaps; by this I mean having overlapping subnets defined on two routers that both announce them in a dynamic routing protocol like, for example, OSPF.

Let us say you have configured a customer as 10.0.0.48/28 and he uses 10.0.0.49 and 10.0.0.50.

Then you get a new customer and configure, for example, a new subnet 10.0.0.48/30 on another router. That is a more specific route (CIDR-wise): it covers 10.0.0.48 to 10.0.0.51, and since forwarding always follows the longest matching prefix, every router in the domain now sends traffic for 10.0.0.49 and 10.0.0.50 toward the new customer instead of the old one.

You might end up effectively blackholing the old customer's traffic, and the routing protocol will not complain; as far as OSPF is concerned the overlap is a perfectly valid pair of routes. This is something one should consider before handing out any subnet.

Use my IP subnet calculator tool to be sure not to overlap networks!

Configuring HSRP on Cisco

Friday, September 5th, 2008

These simple steps will establish HSRP on Cisco:

router1(config)# interface gig 2/1
router1(config-if)# ip address 10.0.0.2 255.255.255.0
router1(config-if)# standby 1 ip 10.0.0.1

router2(config)# interface gig 2/1
router2(config-if)# ip address 10.0.0.3 255.255.255.0
router2(config-if)# standby 1 ip 10.0.0.1

When these ports are connected to the same switch (the same VLAN), the routers elect an active router for 10.0.0.1 and the other goes into standby. You can influence the election with the 'standby 1 priority' command on the interface; with equal priorities the router with the higher interface IP address wins. Note that this bare configuration uses HSRP's default clear-text authentication string, so any host on that VLAN can join the group and take over the gateway address.
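The same pair of routers with the options that make HSRP both deterministic and harder to hijack, as an added example that is not from the original post: priorities with preempt, MD5 authentication, faster timers and interface tracking so the active router steps aside when its uplink dies. Interface names, addresses, priorities, timers and the key string are assumptions.

```cisco
! Added example, not from the post. Interface names, addresses, priorities,
! timers and the key string are assumptions.
!
! --- router1: preferred active ---
! Track the uplink toward the core; referenced by the HSRP group below.
track 1 interface GigabitEthernet2/2 line-protocol
!
interface GigabitEthernet2/1
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 ! Higher priority wins the election; preempt lets router1 take the VIP
 ! back when it recovers, with a delay so its routing has time to converge.
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! Without this, anyone on the VLAN can send a hello with priority 255 and
 ! become the default gateway. MD5, not the default clear-text 'cisco'.
 standby 1 authentication md5 key-string Hsrp-Key-Here
 ! hello 1 s, hold 3 s: failover in seconds instead of the 3 s/10 s defaults.
 standby 1 timers 1 3
 ! Drop below router2's 100 if the uplink fails, so traffic is not
 ! accepted by a router that cannot forward it onward.
 standby 1 track 1 decrement 20
!
! --- router2: standby; group settings must match router1 exactly ---
interface GigabitEthernet2/1
 ip address 10.0.0.3 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string Hsrp-Key-Here
 standby 1 timers 1 3
```

`show standby brief` on both routers should show router1 as Active and router2 as Standby; shutting GigabitEthernet2/2 on router1 should make them swap within the hold time, and bringing it back should hand the role back after the 30 second preempt delay. Apply the version, timer and authentication changes on the standby router first, since a mismatch makes the two routers stop seeing each other and both go active.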

Configuring BGP4 with filtering on Foundry NetIron

Thursday, September 4th, 2008

This is the environment in this example:
YOUR ASN is 65400
YOUR IP address is 10.0.0.1
Your UPSTREAM's ASN is 65500
Your UPSTREAM's IP address is 10.0.0.2

You want to announce 192.168.0.0/16. By default the router exchanges every route it holds in its BGP table with the peer, so it is wise to keep the peer shut down until the filters are attached. The prefix must also exist in the BGP table (here via a network statement, which on IronWare takes a dotted mask) or nothing is announced, and the inbound filter stops the upstream from sending your own prefix back to you or handing you anything longer than a /24. The final clear is only needed when you change the filters on an already established session; it resets the session so the new policy takes effect.
router# conf t
router(config)# ip prefix-list announceAS65400 permit 192.168.0.0/16
router(config)# ip prefix-list fromAS65500 deny 192.168.0.0/16 le 32
router(config)# ip prefix-list fromAS65500 permit 0.0.0.0/0 le 24
router(config)# router bgp
router(config-bgp)# local-as 65400
router(config-bgp)# neighbor 10.0.0.2 remote-as 65500
router(config-bgp)# neighbor 10.0.0.2 shutdown
router(config-bgp)# neighbor 10.0.0.2 prefix-list announceAS65400 out
router(config-bgp)# neighbor 10.0.0.2 prefix-list fromAS65500 in
router(config-bgp)# network 192.168.0.0 255.255.0.0
router(config-bgp)# no neighbor 10.0.0.2 shutdown
router(config-bgp)# end
router# clear ip bgp neighbor 10.0.0.2