Posts Tagged ‘Cisco configuration’

3 Tips On How to Solve The Need for Network Redundancy

Saturday, October 4th, 2008

Take a look at these tips for building redundancy into a Cisco-based network.

HSRP is the Hot Standby Router Protocol.

Most client hosts do not run any dynamic routing; they have one statically configured default gateway, so a single router failure takes them all off the network.

With HSRP running on two routers, the gateway address the clients use becomes a virtual IP address bound to a virtual MAC address (0000.0c07.acXX for HSRP version 1, where XX is the group number in hex). The active HSRP router answers ARP for the virtual IP and forwards the frames sent to the virtual MAC; if it fails, the standby router takes over both within the hold time, and the hosts never notice. That is the redundancy.

Configuration of HSRP in Cisco IOS

Enter interface configuration

Router(config)# interface fastethernet 0/0

Set an IP address

Router(config-if)# ip address 10.0.0.3 255.255.255.0

Each router still needs its own real address on the segment: HSRP hellos are sourced from it, and it is the address you reach the router on when it is not the active one.

Activate HSRP for this interface

Router(config-if)# standby 1 ip 10.0.0.1

The IP address 10.0.0.1 is the redundant virtual IP address.
This is the command that enables the HSRP process on the interface.

Tweaking the priority

Router(config-if)# standby 1 priority 100
Router(config-if)# standby 1 preempt

The router with the highest priority becomes the active HSRP router (ties are broken by the highest interface IP address). Note that 100 is the default, so the line above changes nothing by itself; give the router you want active a higher value, for example 110, and leave the other one at 100. Preemption must be enabled for the priority to matter after the fact: without it, a higher-priority router that boots up later stays in Standby until the current active router fails.

Verifying HSRP configuration

Router#sh standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:00:59
  Virtual IP address is 10.0.0.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.576 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)

As you can see from this output, this router is the active HSRP router for standby group 1, and the standby router is unknown: the other side has not been configured yet. Once it is, that line should show the peer's real interface address.

There have been two state changes because a router starting up does not become Active immediately: it goes through Listen and Speak, then Standby, and only then Active. The virtual MAC 0000.0c07.ac01 is the HSRP version 1 default for group 1 (the last byte is the group number).
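A complete two-router configuration for the setup above, as an added example that is not part of the original post. It adds two things the text does not show: MD5 authentication of the HSRP hellos and interface tracking. RouterB, its address 10.0.0.2, the upstream interface FastEthernet0/1 and the key string are assumptions; everything else is taken from the post.

```text
! RouterA - the router configured above, meant to be the active gateway.
! Added example, not from the original post.
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 ! 100 is the default; 110 makes this router win the election
 standby 1 priority 110
 ! wait 60 s after boot before taking over, so the routing table is populated
 standby 1 preempt delay minimum 60
 ! MD5-authenticate hellos so a host on the segment cannot inject a
 ! higher-priority hello and become the gateway (key string is a placeholder)
 standby 1 authentication md5 key-string 0 ReplaceWithStrongKey
 ! if the upstream link goes down, drop priority by 20 (to 90) so RouterB
 ! with priority 100 preempts and traffic keeps flowing end to end
 standby 1 track FastEthernet0/1 20
 ! faster failover than the 3/10 s defaults
 standby 1 timers 1 3
!
! RouterB - the standby router (assumed address 10.0.0.2)
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string 0 ReplaceWithStrongKey
 standby 1 timers 1 3
```

Without authentication, any host on the segment can send an HSRP hello claiming priority 255 with preempt set and become the active gateway, after which all client traffic flows through it. With the configuration above such a hello is ignored, and a mismatched key is visible as authentication failures in show standby. The track statement is what makes the redundancy useful in practice: an active router whose uplink is dead still answers the virtual MAC, so without tracking the clients would keep sending to a router that cannot forward anything.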

BGP
Using BGP is a must for upstream redundancy: it lets you multihome, taking connectivity from two or more different upstream providers so that a single provider outage does not take you off the Internet. I have written an article with an introduction and a Basic example BGP configuration in Cisco IOS.

If you need IPv4 addresses for your organization, you may qualify for Provider Independent (PI) address space from your regional registry. Together with your own AS number this lets you take part in global routing yourself and pick and choose among several upstream providers.

Rapid Spanning Tree Protocol
STP is a layer 2 protocol that detects redundant paths and blocks ports so that no loop forms. Classic STP (802.1D) takes 30 to 50 seconds to converge after a link change; the rapid variant (RSTP, 802.1w) converges in about a second on point-to-point links and is what you should run. To configure it you can use the following commands.

Enable spanning-tree

Switch(config)# spanning-tree mode rapid-pvst

This command enables per-VLAN rapid spanning tree, meaning one RSTP instance per VLAN.
Be aware that at least the Cisco 3560 and Cisco 3750 support no more than 128 spanning-tree instances; with more VLANs than that, the remaining VLANs run without spanning tree unless you move to MST.

How STP Detects Loops, and BPDU Filter vs. BPDU Guard
Every switch sends BPDUs (Bridge Protocol Data Units) out of all its ports by default. From the BPDUs it receives, each switch works out which neighbor is closest to the root bridge: a port that receives a better BPDU than it would send itself cannot be designated, and if it is not the switch's root port either it is put into the discarding (blocking) state. That is how a redundant link ends up blocked instead of forming a loop. A switch that receives its own BPDU back on another of its ports knows that those two ports are looped together.

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree bpdufilter enable

This stops the interface from sending or processing BPDUs at all, which effectively turns spanning tree off on that port. Use it only where you are certain no loop can ever form behind the port: a looped cable on a filtered port goes undetected.

Switch(config-if)#spanning-tree bpduguard enable

BPDU guard does not ignore BPDUs: as soon as one is received on the port, the port is put into the err-disabled state. This is the right setting for access ports facing end hosts (together with portfast), since a BPDU there means someone plugged in a switch or looped a cable.

Change spanning tree port cost

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree vlan 100 cost 200

This sets a path cost of 200 for VLAN 100 on GigabitEthernet 1/0/1 (the default cost of a gigabit link is 4), making that path towards the root less attractive so that an alternative link is chosen instead. The bridge priority, which decides who becomes root, is a separate setting: spanning-tree vlan 100 priority followed by a multiple of 4096.
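An access-layer hardening example for the commands above, added here and not part of the original post. It shows the combination a practitioner usually wants: BPDU guard with PortFast on host ports (instead of BPDU filter), root guard on the downlink to another switch, and automatic recovery from err-disable. The interface numbers, the VLAN list and the priority value are assumptions.

```text
! Added example, not from the original post. Interface numbers, VLAN list
! and priority are assumed.
spanning-tree mode rapid-pvst
! Make this switch the root for the VLANs it should own (lower wins)
spanning-tree vlan 100,2000 priority 24576
!
! Access ports: skip listening/learning, but err-disable the port the moment
! a BPDU arrives (a rogue switch or a looped patch cable). Do NOT use
! bpdufilter here: it would silently disable STP on the port instead of
! reacting to the loop.
interface range GigabitEthernet1/0/5 - 15
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Downlink to another switch: stay designated. If the downstream switch
! starts claiming root, the port goes root-inconsistent (blocked) until the
! superior BPDUs stop, so a misconfigured or malicious switch cannot
! re-root the tree through it.
interface GigabitEthernet1/0/2
 spanning-tree guard root
!
! Bring bpduguard-disabled ports back automatically after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

With this in place, a BPDU arriving on Gi1/0/5 through Gi1/0/15 shuts the port (show interfaces status lists it as err-disabled) rather than letting an unmanaged switch or looped cable join the topology, and the port comes back by itself once the offending device is unplugged. Compare that with bpdufilter on the same ports, which would simply make the loop invisible to spanning tree.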

Verify Spanning Tree

Switch#show spanning-tree vlan 2000

VLAN2000
  Spanning tree enabled protocol rstp
  Root ID    Priority    26576
             Address     0012.5555.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    26576  (priority 24576 sys-id-ext 2000)
             Address     0012.5555.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/0/2          Desg FWD 4         128.2    P2p Peer(STP)
Gi1/0/3          Desg FWD 4         128.3    P2p Peer(STP)
Gi1/0/5          Desg FWD 4         128.5    P2p
Gi1/0/15         Desg FWD 4         128.15   P2p

This is output from the root bridge: all ports the VLAN exists on are designated and forwarding.
The protocol line at the top confirms that we are running rapid STP. The displayed priority is the configured 24576 plus the VLAN number (2000), as the sys-id-ext field shows. The two ports marked Peer(STP) are connected to neighbors that only speak classic 802.1D, so RSTP falls back to the slower protocol on those links.

Output from Neighbor STP Switch

Switch2#show spanning-tree vlan 2000

VLAN2000
  Spanning tree enabled protocol rstp
  Root ID    Priority    26576
             Address     0012.5555.0000
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34768  (priority 32768 sys-id-ext 2000)
             Address     0012.0007.dddd
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Root FWD 4         128.1    P2p
Gi0/4            Desg FWD 4         128.4    P2p
Gi0/8            Desg FWD 4         128.8    P2p Peer(STP)

We are not the root bridge: the Root ID address 0012.5555.0000 is that of 'Switch', it is reached through Gi0/1 (our root port) at a cost of 4, and our own priority is the default 32768 plus the VLAN number.

Understanding and Configuring IPv6 Routing on a Cisco Router

Saturday, September 27th, 2008

You do have a backup plan for IP addressing, now that we are running out of IPv4 space, right?

IPv6 isn’t something awfully new, but some of the ideas can be hard to grasp.
To understand IPv6 routing, I had to learn how to do subnetting of IPv6 address space.

Subnetting basics
To understand IPv6 subnetting, I took it from what I had learned about the basics of subnetting IPv4 addresses.

IPv4: The address 192.168.0.1 is just a 32-bit number, written as four 'octets' of 8 bits each (256 combinations, 0 - 255), separated by dots.
The network mask gives the subnet size, and the subnet decides who you can talk to directly: 255.255.255.0 (/24) means all 8 bits of the last octet are host bits and can be assigned freely, while 255.255.0.0 (/16) leaves the last two octets, 16 bits, for hosts.

IPv6 addresses and subnetting
This is basically just the same as for IPv4, except the address is now 128 bits compared to 32.
This makes room for 2^128 addresses while IP version 4 was limited to 2^32.
Just a little calculation, for the fun of it:

(2^128)-(2^32) = 340282366920938463463374607427473244160

This is how many MORE addresses the IP version 6 will give us.

In IPv6 the octets we know from IPv4 are replaced by 8 groups of 16 bits, written in hexadecimal instead of decimal and separated by colons; leading zeros in a group may be dropped, and one run of all-zero groups may be written as '::'.
So a valid IPv6 address could be 3ffe:1000:0000:0000:0000:0000:0000:0001/126, or 3ffe:1000::1/126 for short.
How does this work?
/126 leaves 128 - 126 = 2 bits for host addressing, which gives four addresses: 3ffe:1000::0, ::1, ::2 and ::3. There is no broadcast address to reserve as in IPv4, but the all-zeros address is the subnet-router anycast address, so on a point-to-point /126 you would normally use ::1 and ::2.

One thing you should notice is that, while it can feel natural, addresses such as ::9, ::10, ::11 and ::12 are not consecutive and do not belong to the same /126.

The key here is hex, which ranges from 0 - 9 and a - f, so it is counted 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f, 10. The /126 that contains ::9 is 3ffe:1000::8/126 with the addresses ::8, ::9, ::a and ::b, while ::10 is decimal 16 and sits in a different block altogether.

To be certain, use the Online IPv4 and IPv6 calculator, it will calculate the subnets for you.
Just enter an IPv6 or IPv4 address with the corresponding CIDR (for example /24) and it will return the network range.

Enable forwarding of IPv6 Unicast Packets in Cisco IOS

Router(config)# ipv6 unicast-routing

Configure a static IPv6 default gateway/route

Router(config)# ipv6 route ::/0 3ffe:1::1

This would configure a default route to 3ffe:1::1.

Configuring an IPv6 address on an interface

Router(config-if)# ipv6 address 3ffe:1::1/64

Verifying configuration
Verify IPv6 Routing Table

Router# show ipv6 route

Pinging over IPv6 from Cisco IOS

Router# ping ipv6 3ffe:1::1

Typing ping ipv6 without an address starts the interactive extended ping dialog; giving the target on the command line is quicker.

Also check out these featured articles
Configuring IPv6 OSPF Routing In Cisco IOS

Get Support for IPv6 Routing on the 3750 Platform

BGP Configuration: Basic example in Cisco IOS

Tuesday, September 23rd, 2008

A lot of people are looking for BGP configuration information for Cisco and Foundry, so I'll explain a bit about the different statements and also post a couple of configuration examples.

Cisco

01: ip route 10.0.0.0 255.0.0.0 null 0
02: router bgp 65000
03: network 10.0.0.0 mask 255.0.0.0
04: neighbor 192.168.0.1 remote-as 65001

  1. Line 01 adds a static route for 10.0.0.0/8 pointing to Null0. BGP on Cisco only announces a network statement if an exactly matching route exists in the IP routing table, so this route makes sure the aggregate is always present even when not all of the more specific subnets are up. Traffic for parts of the /8 that are not routed elsewhere is dropped at the null interface.
  2. Line 02 starts a BGP process with a local AS number of 65000.
  3. Line 03 adds the network 10.0.0.0/8 to the local BGP table, the router will now announce this network into BGP.
  4. Line 04 sets up a peering session with 192.168.0.1 with their AS number defined as 65001.

Security issues in peering
I wrote a rant about this in August when the newspapers put up their big posters about the Internet dying (again.) ;)
Peering sessions should have a password (TCP MD5, shared with the peer), and it is also wise to filter the outbound announcements with a prefix-list, to make sure you do not announce full transit to every peering partner. Filter inbound as well: at the very least refuse your own prefixes and a default route from a peer.
Also, you do not want this to happen to you either, so you should at least configure a maximum prefix count.

Cisco, more BGP configuration statements (beginning in global config)

ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
router bgp 65000
neighbor 192.168.0.1 password oursecret
neighbor 192.168.0.1 prefix-list AS65000 out
neighbor 192.168.0.1 maximum-prefix 5

The first two lines define a prefix-list which matches only 10.0.0.0/8; the explicit deny at sequence 1000 just makes the implicit deny-all at the end of every prefix-list visible.
The third line enters BGP configuration while the fourth line sets the password; the same password has to be configured on the other end (on the remote peer's neighbor statement for AS65000) or the session will never come up.
Line 5 applies the prefix-list to outbound announcements, and the last line makes the router accept NO MORE than 5 prefixes from this peering partner: if the peer sends a sixth, the session is torn down and stays down until you clear it by hand (add the restart keyword to have it re-established automatically after a number of minutes).
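The hardened version of the AS65000 neighbor configuration above, as an added example that is not from the original post. Besides the password, outbound prefix-list and prefix limit shown there, it adds an inbound prefix-list and GTSM (ttl-security). The list names, the shared secret and the /24 inbound length limit are assumptions; addresses and AS numbers are the post's.

```text
! Added example, not from the original post: AS65000 hardening its eBGP
! session to 192.168.0.1 (AS65001). List names and the secret are placeholders.
ip prefix-list AS65000-OUT seq 5 permit 10.0.0.0/8
ip prefix-list AS65000-OUT seq 1000 deny 0.0.0.0/0 le 32
!
! Inbound: never accept our own prefix (or anything inside it) or a default
! route from a peer, and ignore anything longer than a /24.
ip prefix-list AS65001-IN seq 5 deny 10.0.0.0/8 le 32
ip prefix-list AS65001-IN seq 10 deny 0.0.0.0/0
ip prefix-list AS65001-IN seq 1000 permit 0.0.0.0/0 le 24
!
router bgp 65000
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.0.0.0
 neighbor 192.168.0.1 remote-as 65001
 neighbor 192.168.0.1 description eBGP to AS65001
 ! TCP MD5 signature (RFC 2385); must match on the peer
 neighbor 192.168.0.1 password ReplaceWithSharedSecret
 ! GTSM: only accept BGP packets whose TTL shows they travelled at most one
 ! hop, so spoofed segments from further away never reach the BGP process
 neighbor 192.168.0.1 ttl-security hops 1
 neighbor 192.168.0.1 prefix-list AS65000-OUT out
 neighbor 192.168.0.1 prefix-list AS65001-IN in
 ! warn at 80% of 5 prefixes, tear down above 5, retry after 10 minutes
 neighbor 192.168.0.1 maximum-prefix 5 80 restart 10
```

Verify with show ip bgp neighbors 192.168.0.1, which reports the configured maximum-prefix limit and the TTL setting; the session only comes up once the peer has configured the same password. The inbound list is what protects you rather than your peers: without it, a peer that leaks your own /8 or a more specific part of it is believed, and your traffic leaves through them.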

Foundry BGP Configuration
This is mostly the same, but the dry basics are as follows:

ip route 10.0.0.0/8 null0
router bgp
local-as 65000
neighbor 192.168.0.1 remote-as 65001
network 10.0.0.0 255.0.0.0

And the filtering BGP4 statements for Foundry

ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
router bgp
neighbor 192.168.0.1 password oursecret
neighbor 192.168.0.1 prefix-list AS65000 out
neighbor 192.168.0.1 maximum-prefix 5

So as you can see, the BGP configuration is mostly the same for both vendors, so let's focus our attention on more BGP configuration on Cisco IOS.

BGP Peering From a Loopback Interface
By default a router sources the peering session from the IP address of the interface facing the peer. Sometimes you want to choose the source yourself, for example to peer loopback-to-loopback between iBGP routers that have several paths to each other, so the session is not dropped when one link or line card fails, or when doing eBGP multihop peering.

This is a single statement in Cisco IOS BGP configuration:

neighbor 192.168.0.1 update-source Loopback0
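A pair of iBGP routers in AS65000 peering loopback-to-loopback, as an added example that is not part of the original post. The loopback addresses 10.255.0.1 and 10.255.0.2 and the password are assumptions; the loopbacks must be reachable through the IGP, or the TCP session never opens.

```text
! Added example, not from the original post. Loopback addresses are assumed
! and must be carried in the IGP (OSPF etc.) between the two routers.
!
! RouterA
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 ! source the TCP session from Loopback0 instead of the outgoing interface;
 ! the peer must configure this loopback address as its neighbor
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password ReplaceWithSharedSecret
!
! RouterB
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 password ReplaceWithSharedSecret
!
! eBGP peers are directly connected by default (TTL 1). For an eBGP session
! between loopbacks the hop count has to be raised as well, e.g.:
!  neighbor <peer-loopback> ebgp-multihop 2
```

As long as the IGP offers any path between the two routers, the session stays up through a single link failure; with the default interface sourcing it would drop and re-converge every time that one link flapped.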

Verification
At last, we need to verify the peering session. I usually use this command:

show ip bgp sum | i REMOTEAS

Substitute 'REMOTEAS' with the AS number you want to check; for example, this is what it shows for AS65001 in our lab. (I include the header line too because it is useful in this example, even though it will not show up in your filtered output.)

Router#sh ip bgp sum | i 65001
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.0.1 4 65001 28 27 3 0 0 00:24:15 2

This session is now established and I receive two prefixes from the remote peer. A State/PfxRcd column showing a word such as Idle or Active instead of a number means the session is not up.
You can list what was accepted from the peer with the command below. If you also enable 'neighbor 192.168.0.1 soft-reconfiguration inbound', the router keeps an unfiltered copy of everything received, and show ip bgp neighbors 192.168.0.1 received-routes shows the announcements as they arrived, before your inbound policy, which is handy when debugging a filter.

Router#show ip bgp neighbors 192.168.0.1 routes
BGP table version is 3, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 192.168.0.1 0 0 65001 ?
*> 192.168.0.0 192.168.0.1 0 0 65001 ?

Total number of prefixes 2

Two prefixes received from 192.168.0.1, and you can also use the command show ip bgp neighbors 192.168.0.1 advertised-routes to check what your router is announcing to the remote peer.

That was it for today, hopefully the newer ones out there will have a better understanding of the BGP configuration.

5 Magic Cisco tips & tricks aka magic IOS commands

Monday, September 15th, 2008

I have been working a lot with this for several years, and now I want to share some of my best tips for working faster and more efficiently on Cisco routers in Cisco IOS.

I posted earlier about the 'do' command, but I am going to include it here because it is so darn practical.

So without further ado, here is the list, in no particular order.

  1. ‘do’ in config mode
    This is one of the most time saving ones that few people seem to know about, use it!
    It lets you run exec commands in global configuration mode.
  2. include, exclude and begin
    Ever wanted to find something in the configuration? Or maybe you want to see some info, and not some?
    Use include or exclude, for example you can do

    Router1(config)# do show running-config | include ip_address

    This will show every occurrence of 'ip address' in your running configuration. The underscore is IOS regular-expression shorthand that matches a space (as well as a comma, brackets, or the start or end of the line), and as such you can also do

    Router1(config)# do show running-config | exclude password

    This will exclude every line that has the word 'password' in it, which can be useful if you are showing the configuration to someone, or you can even do

    Router1(config)# do show running-config | exclude (password|secret)

    This will exclude every line containing EITHER password or secret, and you can use regular expressions here.
    This means that even show interfaces | include (^Vlan|Internet_address|packets\/sec) is valid, which gives you each Vlan interface with its address and its packets-per-second rates.

  3. alias ps
    Use aliases, do you ever run the same commands a thousand times?
    I have at least these aliases in place on all my equipment:

    alias exec sb show ip int brief
    alias exec ps sh proc cpu | excl 0.00%__0.00%__0.00%

  4. time-range command

    time-range Workhours
     periodic weekdays 8:00 to 16:00
    !
    ip access-list extended Permission-To-Internal-Server-In-Work-Hours
     permit tcp any host 10.0.0.5 eq www time-range Workhours
     deny tcp any host 10.0.0.5 eq www
     permit ip any any

    This allows HTTP access to 10.0.0.5 on weekdays between 08:00 and 16:00 and denies it at all other times, while letting all other traffic through. The list does nothing until it is applied to an interface with ip access-group Permission-To-Internal-Server-In-Work-Hours in, and since the time-range is evaluated against the router's clock, make sure the clock is correct (ideally via NTP).

  5. Redistribute default gateway route into OSPF
    A lot of people are wondering about this one too.

    Router1(config-router)# default-information originate always

    This is done under 'router ospf' in global configuration. Without the 'always' keyword the router advertises a default route into OSPF only while it has one in its own routing table; with 'always' it advertises a default unconditionally, so use it only on a router that really should attract all unknown traffic even when its own upstream is down.

Configuring IPv6 OSPF routing in Cisco IOS

Wednesday, September 10th, 2008

Hi guys! It's time for me to write about configuring OSPF IPv6 routing in Cisco IOS.
I will use example addresses from my workplace for this tutorial.
This is really simple, first configure the IPv6 addresses on the interfaces.

Router1
Router1(config)# interface fastethernet 0/0
Router1(config-if)#ipv6 address 2001:1ad8::1/126

Router2
Router2(config)#int fa 0/0
Router2(config-if)#ipv6 address 2001:1ad8::2/126

Verify the IPv6 connectivity with ping:
Router2#ping ipv6 2001:1ad8::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1AD8::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms

Set a null route to redistribute into IPv6 OSPF, and configure IPv6 OSPF routing on Router1:
Router1(config)#ipv6 route 2001:1ad8:500::/64 null 0
Router1(config)# interface fa 0/0
Router1(config-if)#ipv6 ospf 1 area 0
Router1(config-if)#ipv6 router ospf 1
Router1(config-rtr)#redistribute static

Do the same thing on Router2, except for the static route and redistribution.
Router2(config)#int fastethernet 0/0
Router2(config-if)#ipv6 ospf 1 area 0

Now verify the IPv6 OSPF router neighborship
Router2#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1        1   FULL/BDR        00:00:31    4               FastEthernet0/0

Check for the route
Router2#sh ipv6 route ospf  | include ^O
OE2  2001:1AD8:500::/64 [110/20]
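The complete Router1 side of the setup above, added here as an example and not taken from the original post; it also brings together the IPv6 forwarding, static-route and interface-address commands from the 'Understanding and Configuring IPv6 Routing' post above. What it adds over the text: an explicit router-id (OSPFv3 will not start on a router that has no IPv4 address to derive one from), logging of adjacency changes, a passive interface, and IPsec authentication of the OSPFv3 packets. FastEthernet0/1 as the passive LAN-facing interface and the 32-hex-digit key are assumptions; Router2 needs the same spi and key on its Fa0/0.

```text
! Router1 - added example, not from the original post. Fa0/1 and the key
! are assumed; addresses are the post's.
ipv6 unicast-routing
! the prefix we advertise; unused parts of it are dropped at Null0
ipv6 route 2001:1ad8:500::/64 Null0
!
ipv6 router ospf 1
 ! OSPFv3 needs a 32-bit router-id; set it explicitly so the process comes
 ! up even on a router without any IPv4 address
 router-id 172.16.1.1
 log-adjacency-changes
 ! LAN side: advertise the prefix but never form adjacencies with hosts there
 passive-interface FastEthernet0/1
 redistribute static
!
interface FastEthernet0/0
 ipv6 address 2001:1ad8::1/126
 ipv6 ospf 1 area 0
 ! OSPFv3 has no authentication field of its own; IPsec AH with a shared key
 ! keeps a host on the link from injecting LSAs. SPI and key must match on
 ! Router2 (32 hex digits for MD5; this one is a placeholder).
 ipv6 ospf authentication ipsec spi 256 md5 0123456789abcdef0123456789abcdef
!
interface FastEthernet0/1
 ipv6 address 2001:1ad8:500::1/64
 ipv6 ospf 1 area 0
```

With authentication on only one side the neighbor never reaches FULL; show ipv6 ospf interface FastEthernet0/0 shows the SPI in use on each router, which is the first thing to compare when the adjacency does not come up. Note that once the LAN interface is in area 0 the 2001:1ad8:500::/64 prefix is carried as an intra-area route and the static route plus redistribution only matter while that interface is down.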

As always, seems like you are afraid of the comment box, I know you’re there, now speak! ;)

Configuring Cisco redistribution of OSPF to BGP with community filtering route-map

Tuesday, September 9th, 2008

I was wondering about something to write about, and I hope this is an interesting subject.
If there is anything you want me to write about, or something you wonder about or think I am mistaking about – please don’t be shy.. Just use the comment box! :-)

Quick overview:

Router1
ASN: 1
Prefix from OSPF: 192.168.0.0/24
IP for BGP: 172.16.1.1/24

Router2
ASN: 2
IP for BGP: 172.16.1.200/24

Verify OSPF route
Router1#sh ip route | include ^O
O E2 192.168.0.0/24 [110/20] via 10.0.10.2, 00:02:10, FastEthernet0/0

Redistribute OSPF route to BGP table with a community
I created a prefix-list to match the prefixes in the route-map:
ip prefix-list ourPrefixes seq 5 permit 192.168.0.0/24

Then I went on and created the route-map that matches this prefix-list and set the community 1:150 (65686)
route-map ospfTag permit 10
match ip address prefix-list ourPrefixes
set community 65686

Then I did redistribution of OSPF into BGP with this command (under router bgp 1, in config-router mode):
redistribute ospf 1 route-map ospfTag

If the prefix does not show up in the BGP table, check your IOS release: many releases redistribute only internal OSPF routes into BGP by default, and an O E2 route like this one then needs redistribute ospf 1 match internal external 1 external 2 route-map ospfTag.

So I go on and verify the prefix is in the BGP table with the right community:
Router1#sh ip bgp 192.168.0.0/24 | i Comm
Community: 65686

Perfect! Now I went on to create a community list for matching the communities in a route-map
ip community-list 1 permit 1:150

As you can see, the router converted this number to the long format again for me:
Router1(config)#do sh run | i community-list
ip community-list 1 permit 65686

That is because the two notations are the same 32-bit value (1 * 65536 + 150 = 65686); the router displays it as AS:NN only when ip bgp-community new-format is configured.

Current announcement to Router2:
Router2(config)#do sh ip bgp | i \*\>
*> 10.20.30.0/24    172.16.1.1               0             0 1 ?
*> 192.168.0.0      172.16.1.1               0             0 1 ?

So far, so good!   The 10.20.30.0/24 network is added as a twist, and it should disappear when the route-map outbound is working!  It is my test to see if things got applied.
Then I went on to create a route-map to match with this community list:
Router1(config)#route-map communityFilter permit 10
Router1(config-route-map)# match community 1

A route-map ends with an implicit deny, so only prefixes carrying community 1:150 pass; everything else, including the 10.20.30.0/24 test prefix, is dropped from the announcement.

Then I applied the route map on to the BGP peer
Router1(config-route-map)#router bgp 1
Router1(config-router)#neighbor 172.16.1.200 route-map communityFilter out

Okay, after clearing the peer (clear ip bgp 172.16.1.200 soft out re-sends the announcements without resetting the session), do we have one less prefix in BGP then?
Router2#sh ip bgp | i \*\>
*> 192.168.0.0      172.16.1.1              20             0 1 ?
Router2#

Voila!  Please use the comment box if you spot errors, this tutorial was written kind of in a jiffy!
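The whole Router1 configuration of this post in one place, as an added example that is not the original's code, with two things a practitioner would add: ip bgp-community new-format so communities show as 1:150, and neighbor send-community, without which the community is stripped from the eBGP announcement and Router2 cannot filter or act on it. It also spells out the match keywords for releases that redistribute only internal OSPF routes into BGP by default. Addresses and AS numbers are the post's; nothing else is assumed.

```text
! Router1 (AS 1) - added example, not from the original post.
! Display and accept communities as ASN:NN instead of one 32-bit number
ip bgp-community new-format
!
ip prefix-list ourPrefixes seq 5 permit 192.168.0.0/24
!
! Tag our own OSPF-learned prefix on its way into BGP
route-map ospfTag permit 10
 match ip address prefix-list ourPrefixes
 set community 1:150
!
ip community-list 1 permit 1:150
!
! Only prefixes carrying 1:150 may leave towards the peer; the implicit deny
! at the end of the route-map drops everything else (e.g. 10.20.30.0/24)
route-map communityFilter permit 10
 match community 1
!
router bgp 1
 bgp log-neighbor-changes
 ! include external (O E1/E2) OSPF routes, which some releases leave out
 ! unless told to
 redistribute ospf 1 match internal external 1 external 2 route-map ospfTag
 neighbor 172.16.1.200 remote-as 2
 ! communities are not sent to eBGP neighbors unless explicitly enabled
 neighbor 172.16.1.200 send-community
 neighbor 172.16.1.200 route-map communityFilter out
```

After clear ip bgp 172.16.1.200 soft out, Router2 should see only 192.168.0.0/24, and show ip bgp 192.168.0.0 on Router2 now lists Community: 1:150, which is what lets Router2 set local-preference or apply its own filters based on the tag rather than on a prefix list that has to be kept in sync by hand.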