New GNS3 1.0 Beta 1

It appears that there are some significant changes ongoing with GNS3:
 

 
As mentioned by GNS3 CEO and co-founder Stephen Guppy on 11 August 2014, the new GNS3 will be more polished and will migrate to a multi-vendor emulation platform. For those using this tool, it is a well-known fact that GNS3 was mainly focused on emulating Cisco platforms, later evolving to support VPCS and VirtualBox virtual machines.
 
They have a new very polished website accessible at new.gns3.net where you can also download the GNS3 1.0 Beta 1 software.

I grabbed a copy of Beta 1 and installed it on a Windows system (the only one I had on hand right now). You can see a screenshot below.
 
GNS3 1.0 Beta 1
 
To be honest, my first impression is that not much has changed, except some buttons and icons here and there. Of course, this is just after a quick look on my side. I will test the software in the next days and come back with an update.
 
If interested, you can check the press release from 26 August 2014 for more details about the upcoming changes in the GNS3 organisation.
 

EGP

Today I came across an old Cisco router with its original IOS image. Big surprise (at least for me) when I checked which routing protocols are supported on this router:

EGP protocol

I was out of the game, or rather had not yet discovered the networking game at all, when EGP was still out there and available to be configured on Cisco routers.

I hope this brings a smile to your face or some nostalgic memories when you see it :)

Troubleshooting with Wireshark [Riverbed lab kit]

A while ago I attended a Wireshark webinar from Riverbed in which they presented the tool, some beginner and intermediate troubleshooting scenarios and a lab kit.

Now I got an e-mail saying they made it available for download at http://www.riverbed.com/wireshark-virtual-tour

Part of this lab kit was available in the Virtual World Tour 2014 webinar on Troubleshooting with Wireshark, held by Laura Chappell and Gerald Combs.

The kit is a free collection of Wireshark training, trace files and tips and tricks for troubleshooting your network. It contains the following:

  • Nine Network Analysis Training videos
  • Troubleshooting Checklist
  • Sample Network Analysis Report
  • Practice Trace Files
  • Laura’s Wireshark Troubleshooting Profile
  • Chapter Excerpts from Laura Chappell’s new book “Troubleshooting with Wireshark: Locate the Source of Performance Problems”

If you are interested in troubleshooting with Wireshark, I think this is a nice place to start. The presentation page of the Wireshark Virtual Tour looks a little like comic-style marketing, but the materials are pretty good.

    Live digital threats

    I wanted to bring these free tools to my blog to keep track of them, as most probably I will forget about them, and to share them with anybody interested in gathering information in the security area.

    The first tool was revealed to me in a tweet from Greg Ferro:

    As I usually trust his words, I decided to give it a try. I can tell you that this tool is very interesting. According to the explanation found at http://www.digitalattackmap.com/faq/ :

    The Digital Attack Map presents data gathered and published by Arbor Networks ATLAS® global threat intelligence system. ATLAS sources its data worldwide from 270+ ISP customers who have agreed to share anonymous network traffic and attack statistics. Data is updated hourly and can also be found in Arbor’s ATLAS Threat Portal.

    Below you have an embedded version of this map, but it is better to access the Digital Attack Map website directly.

    The second tool caught my attention from the Digital Attack Map explanation and it is called Arbor’s ATLAS Threat Portal.

    ATLAS Threat Portal

    This tool is explained as:

    The ATLAS portal today is a public resource that delivers a sub-set of the intelligence derived from the ATLAS sensor network on host/port scanning activity, zero-day exploits and worm propagation, security events, vulnerability disclosures and dynamic botnet and phishing infrastructures.

    If the first tool is related to network (DDoS) attacks, the second one covers more topics, like botnets, phishing, scans and more.
    You can access Arbor’s ATLAS Threat Portal here.


    Cisco switches and smartport macros

    Smartport macros are nothing more than templates you can define on Cisco switches to apply the same configuration to multiple ports. It is not a subject that needs much discussion, but it can be useful for your Cisco certification preparation or real-life Cisco switch administration.

    Configuration is very simple and goes something like this:

    macro name ACCESS-PORT
    switchport mode access
    switchport access vlan 6
    switchport voice vlan 7
    spanning-tree portfast
    spanning-tree bpdufilter enable
    @

    After this you apply the macro to a port or a range of ports:

    interface range fa0/1 - 6
    macro apply ACCESS-PORT

    That’s it :)

    One caveat on the example above: “spanning-tree bpdufilter enable” on an access port makes the switch ignore incoming BPDUs and stop sending its own, so a switch plugged into such a port is invisible to STP and can create a loop. For user-facing ports, “spanning-tree bpduguard enable”, which err-disables the port as soon as a BPDU arrives, is the safer choice; it is also what Cisco’s own default macros below use.

    A less-known fact is that Cisco switches have some predefined smartport macros, which can be really helpful. The smartport macros you configure yourself can be spotted with a simple “show running-config”. This is not the case for the default smartport macros, which are not shown in the running-config, so you may not be aware that they exist.

    The default smartport macros can be seen using the following commands:

    SW1#show parser macro brief
        default global   : cisco-global
        default interface: cisco-desktop
        default interface: cisco-phone
        default interface: cisco-switch
        default interface: cisco-router
        default interface: cisco-wireless

    This shows only a summary of the default smartport macros. If you want to see what they are configured to do, check the following command:

    SW1# show parser macro
    Total number of macros = 7
    --------------------------------------------------------------
    Macro name : cisco-global
    Macro type : default global
    # Enable dynamic port error recovery for link state failures.
    errdisable recovery cause link-flap
    errdisable recovery interval 60
     
    # Config Cos to DSCP mappings
    mls qos map cos-dscp 0 8 16 24 32 46 46 56
     
    # Enable aggressive mode UDLD on all fiber uplinks
    udld aggressive
     
    # Enable Rapid PVST+ and Loopguard
    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    spanning-tree extend system-id
    --------------------------------------------------------------
    Macro name : cisco-desktop
    Macro type : default interface
    # macro keywords $access_vlan
    # Basic interface - Enable data VLAN only
    # Recommended value for access vlan should not be 1
    switchport access vlan $access_vlan
    switchport mode access
     
    # Enable port security limiting port to a single
    # MAC address -- that of desktop
    switchport port-security
    switchport port-security maximum 1
     
    # Ensure port-security age is greater than one minute
    # and use inactivity timer
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
     
    # Configure port as an edge network port
    spanning-tree portfast
    spanning-tree bpduguard enable
    --------------------------------------------------------------
    Macro name : cisco-phone
    Macro type : default interface
    # Cisco IP phone + desktop template
     
    # macro keywords $access_vlan $voice_vlan
     
     
    # VoIP enabled interface - Enable data VLAN
    # and voice VLAN
    # Recommended value for access vlan should not be 1
    switchport access vlan $access_vlan
    switchport mode access
     
    # Update the Voice VLAN value which should be
    # different from data VLAN
    # Recommended value for voice vlan should not be 1
    switchport voice vlan $voice_vlan
     
    # Enable port security limiting port to a 2 MAC
    # addressess -- One for desktop on data vlan and
    # one for phone on voice vlan
    switchport port-security
    switchport port-security maximum 2
     
    # Ensure port-security age is greater than one minute
    # and use inactivity timer
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
     
    # Enable auto-qos to extend trust to attached Cisco phone
    auto qos voip cisco-phone
     
    # Configure port as an edge network port
    spanning-tree portfast
    spanning-tree bpduguard enable
    --------------------------------------------------------------
    Macro name : cisco-switch
    Macro type : default interface
    # macro keywords $native_vlan
    # Access Uplink to Distribution
    # Do not apply to EtherChannel/Port Group
    switchport trunk encapsulation dot1q
     
    # Define unique Native VLAN on trunk ports
    # Recommended value for native vlan should not be 1
    switchport trunk native vlan $native_vlan
     
    # Update the allowed VLAN range such that it
    # includes data, voice and native VLANs
    switchport trunk allowed vlan ALL
     
    # Hardcode trunk
    switchport mode trunk
     
    # Configure qos to trust this interface
    auto qos voip trust
     
    # 802.1w defines the link as pt-pt for rapid convergence
    spanning-tree link-type point-to-point
    --------------------------------------------------------------
    Macro name : cisco-router
    Macro type : default interface
    # macro keywords $native_vlan
    # Access Uplink to Distribution
    switchport trunk encapsulation dot1q
     
    # Define unique Native VLAN on trunk ports
    # Recommended value for native vlan should not be 1
    switchport trunk native vlan $native_vlan
     
    # Update the allowed VLAN range such that it
    # includes data, voice and native VLANs
    switchport trunk allowed vlan ALL
     
    # Hardcode trunk
    switchport mode trunk
     
    # Configure qos to trust this interface
    auto qos voip trust
    mls qos trust dscp
     
    # Ensure fast access to the network when enabling the interface.
    # Ensure that switch devices cannot become active on the interface.
    spanning-tree portfast trunk
    spanning-tree bpduguard enable
    --------------------------------------------------------------
    Macro name : cisco-wireless
    Macro type : default interface
    # macro keywords $native_vlan
    # Access Uplink to Distribution
    switchport trunk encapsulation dot1q
     
    # Define unique Native VLAN on trunk ports
    # Recommended native vlan should NOT be 1
    switchport trunk native vlan $native_vlan
     
    # Update the allowed VLAN range such that it
    # includes data, voice and native VLANs
    switchport trunk allowed vlan ALL
     
    # Hardcode trunk and disable negotiation to speed up convergence
    switchport mode trunk
    switchport nonegotiate
     
    # Configure qos to trust this interface
    auto qos voip trust
    mls qos trust cos
     
    # Ensure that switch devices cannot become active on the interface.
    spanning-tree bpduguard enable
    --------------------------------------------------------------
    Macro name : VLAN_146
    Macro type : customizable
    switchport mode access
    switchport access vlan 146
    spanning-tree bpdufilter enable
    --------------------------------------------------------------

    To be honest I never used them as they are, but they were a pretty good starting point for customising new smartport macros. If you do want to apply one directly, the “# macro keywords” lines tell you which values to supply, for example “macro apply cisco-phone $access_vlan 6 $voice_vlan 7”.

    If you are rather interested in the Cisco switch interface-range macro command, I wrote a post on this topic some years ago and you can read it here.
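Because the default macros are invisible in the running-config, and custom ones like VLAN_146 above quietly carry “bpdufilter”, it is worth auditing the “show parser macro” output rather than trusting it. The following is an added example (my code, not part of the original post or of IOS): it parses text in the output format shown above and flags macros that enable bpdufilter, or configure an access port without bpduguard or port-security, or use VLAN 1. The SAMPLE text is constructed from that format; the LAB-GUEST macro in it is hypothetical and only there to exercise the VLAN 1 rule.

```python
"""Audit Cisco 'show parser macro' output for risky port templates.

Added example, not from the original post. Parses the block format shown
above (dashed separators, 'Macro name :' / 'Macro type :' headers, '#'
comments, then IOS commands) and reports macros that weaken STP or port
security. SAMPLE is constructed from that format; LAB-GUEST is hypothetical.
"""
import re

SAMPLE = """\
Total number of macros = 4
--------------------------------------------------------------
Macro name : cisco-desktop
Macro type : default interface
# macro keywords $access_vlan
switchport access vlan $access_vlan
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : VLAN_146
Macro type : customizable
switchport mode access
switchport access vlan 146
spanning-tree bpdufilter enable
--------------------------------------------------------------
Macro name : ACCESS-PORT
Macro type : customizable
switchport mode access
switchport access vlan 6
switchport voice vlan 7
spanning-tree portfast
spanning-tree bpdufilter enable
--------------------------------------------------------------
Macro name : LAB-GUEST
Macro type : customizable
switchport mode access
switchport access vlan 1
switchport port-security
spanning-tree bpduguard enable
--------------------------------------------------------------
"""

VLAN1 = re.compile(r"^switchport (access|trunk native) vlan 1$")


def parse_macros(text):
    """Return {name: {"type": str, "commands": [str, ...]}} from show parser macro."""
    macros, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, separators, '#' comments and the summary line
        if not line or line[0] in "-#" or line.startswith("Total number"):
            continue
        name = re.match(r"Macro name\s*:\s*(\S+)", line)
        if name:
            current = name.group(1)
            macros[current] = {"type": "", "commands": []}
            continue
        mtype = re.match(r"Macro type\s*:\s*(.+)", line)
        if mtype and current:
            macros[current]["type"] = mtype.group(1).strip()
            continue
        if current:
            macros[current]["commands"].append(line)
    return macros


def audit_macro(commands):
    """Return a list of findings for one macro's command list."""
    cmds = set(commands)
    access = "switchport mode access" in cmds
    findings = []
    if "spanning-tree bpdufilter enable" in cmds:
        findings.append("bpdufilter enabled: BPDUs neither sent nor honoured, a plugged-in switch can loop the network")
    if access and "spanning-tree bpduguard enable" not in cmds:
        findings.append("access port without bpduguard: a rogue switch is not err-disabled")
    if access and "switchport port-security" not in cmds:
        findings.append("access port without port-security: unlimited MAC addresses per port")
    if any(VLAN1.match(c) for c in cmds):
        findings.append("VLAN 1 used as access/native VLAN (Cisco's own macros advise against it)")
    return findings


def audit(text):
    """Return {macro_name: [findings]} for every macro with at least one finding."""
    report = {}
    for name, macro in parse_macros(text).items():
        findings = audit_macro(macro["commands"])
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Feed it the real output (“show parser macro” saved to a file) and the default Cisco macros come back clean, while the two hand-written ones are reported for bpdufilter and the missing port-security.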


    Cisco STP forward-time command trick

    This is more of a topic for exams like the Cisco CCIE, but it can also appear in real-world environments.

    Consider the following simple topology:
    Simple L2 topology

    SW1 is the spanning-tree root bridge for all VLANs. Imagine that you have a request asking that when a port becomes active, no matter the VLAN, it should wait 10 seconds before transitioning to the forwarding state.

    You look into configuration mode and spot the “spanning-tree ... forward-time ...” command. OK, simple enough, you go there and type:

    spanning-tree vlan 1-4094 forward-time 10

    Task completed. That is what I thought too. It looks pretty straightforward, but it is a mistake which I learned from and I hope you read this before making it.
    Lucky for me it was just a test lab and not the real CCIE lab, but if I don’t teach this kind of thing or spend the entire day fine-tuning STP, I tend to forget.

    Back to the example, let’s see on SW2 what happens after I configured the above command on SW1. By the way, you need to configure this command only on the STP root bridge, because the downstream switches take the timer values from the root bridge’s BPDUs.

    On SW2 I shut down the root port to force the alternate port (which is in blocking state) to transition to forwarding, and check the output of “debug spanning-tree events”:

    00:55:15: STP: VLAN0001 new root port Fa0/2, cost 19
    00:55:15: STP: VLAN0001 Fa0/2 -> listening
    ...
    00:55:25: STP: VLAN0001 Fa0/2 -> learning
    ...
    00:55:35: STP: VLAN0001 sent Topology Change Notice on Fa0/2
    00:55:35: STP: VLAN0001 Fa0/2 -> forwarding

    From :15, when the port entered the Listening state, until :35, when it went into Forwarding, there are 20 seconds. We were required to have 10 seconds, not 20. That’s not good.

    Going back and checking the STP parameters for a particular VLAN did not give me much information to clarify the issue:

    show spanning-tree vlan 1 | i Forward
    Hello Time   3 sec  Max Age 10 sec  Forward Delay 10 sec

    OK, after reading the documentation again carefully I came to understand that the value given to this command is the time spent in each of the two transitional states on the way to forwarding, not the total.
    The STP port states are: Blocking, Listening, Learning, Forwarding and Disabled.

    When I shut down the root port, the alternate port went immediately to the Listening state, then waited 10 seconds before transitioning to Learning, and another 10 seconds before reaching Forwarding.

    The correct solution was now obvious: decrease the forward-time to 5 seconds.

    spanning-tree vlan 1-4094 forward-time 5

    Let’s check again:

    01:11:55: STP: VLAN0001 new root port Fa0/2, cost 19
    01:11:55: STP: VLAN0001 Fa0/2 -> listening
    ...
    01:12:00: STP: VLAN0001 Fa0/2 -> learning
    ...
    01:12:05: STP: VLAN0001 sent Topology Change Notice on Fa0/2
    01:12:05: STP: VLAN0001 Fa0/2 -> forwarding

    Now the total time is 10 seconds.

    One caveat before you tune timers this aggressively: 802.1D ties them together and requires 2 x (Forward Delay - 1) >= Max Age >= 2 x (Hello Time + 1). With a forward delay of 5 seconds that means a Max Age of 8 seconds or less, so the Max Age of 10 seconds shown above should be lowered as well to keep a consistent timer set.

    I hope this will help others avoid my mistake.
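The quickest way to avoid the 10-versus-20-second surprise is to measure the transitions from the debug output instead of reasoning about them. The following is an added example (my code, not from the original post or from IOS): it parses lines in the “debug spanning-tree events” format shown above, reports how long the port spent in Listening and Learning, derives the forward-time needed for a requested total, and checks the 802.1D timer relationship. The SAMPLE log is constructed in that format with the 5-second configuration.

```python
"""Measure STP port-state dwell times from 'debug spanning-tree events'.

Added example, not part of the original post. Input lines follow the
format 'HH:MM:SS: STP: VLANxxxx <port> -> <state>' seen in the debug
output above; SAMPLE is constructed from that format.
"""
import re

SAMPLE = """\
01:11:55: STP: VLAN0001 new root port Fa0/2, cost 19
01:11:55: STP: VLAN0001 Fa0/2 -> listening
01:12:00: STP: VLAN0001 Fa0/2 -> learning
01:12:05: STP: VLAN0001 sent Topology Change Notice on Fa0/2
01:12:05: STP: VLAN0001 Fa0/2 -> forwarding
"""

# only state-transition lines; 'new root port' and TCN lines do not match
LINE = re.compile(r"^(\d+):(\d+):(\d+): STP: (VLAN\d+) (\S+) -> (\w+)")
DAY = 24 * 3600


def _seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def state_dwell(log):
    """Return {(vlan, port): [(state, seconds_spent_in_state), ...]}.

    The final state (forwarding) has no successor, so it is not listed.
    """
    transitions = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m.group(4), m.group(5))
        transitions.setdefault(key, []).append((m.group(6), _seconds(*m.group(1, 2, 3))))
    dwell = {}
    for key, seq in transitions.items():
        # modulo DAY keeps the arithmetic right if the uptime clock wraps
        dwell[key] = [(state, (t1 - t0) % DAY) for (state, t0), (_, t1) in zip(seq, seq[1:])]
    return dwell


def convergence_seconds(log):
    """Seconds from entering listening until forwarding, per (vlan, port)."""
    return {k: sum(s for _, s in v) for k, v in state_dwell(log).items()}


def forward_time_for(total_seconds):
    """Forward-delay value that yields the requested listening+learning total.

    The delay is spent once in listening and once in learning, so it is half.
    """
    if total_seconds % 2:
        raise ValueError("total must be even: forward-time is a whole number of seconds")
    return total_seconds // 2


def timers_consistent(hello, max_age, forward_delay):
    """802.1D constraint: 2*(forward_delay-1) >= max_age >= 2*(hello+1)."""
    return 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)


if __name__ == "__main__":
    for (vlan, port), total in convergence_seconds(SAMPLE).items():
        print(f"{vlan} {port}: {total}s  {state_dwell(SAMPLE)[(vlan, port)]}")
    print("forward-time for a 10s total:", forward_time_for(10))
    print("hello 3 / max-age 10 / fwd 5 consistent:", timers_consistent(3, 10, 5))
```

Run against the first capture above (the 10-second forward-time) it reports a 20-second total with 10 seconds in each state; with the timers from the “show spanning-tree” output it also tells you that Max Age 10 no longer fits a forward delay of 5.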


    EtherChannel over 802.1q Tunneling

    Consider the following topology:
    EtherChannel over 802.1q Tunneling Topology

    We have one customer with two remote locations (SW1/R1 and SW2/R2) connected over the provider backbone. What we want to create is something like this:

    EtherChannel over Provider L2 cloud

    If the provider supports 802.1q tunneling and L2 protocol tunneling, we can achieve a nice EtherChannel between our two remote locations with direct CDP visibility. STP and VTP can be carried as well, just as if the SW1 and SW2 switches were directly connected.

    First, let’s configure the customer devices SW1 and SW2.

    On the three interfaces connected to the provider devices we want to configure an LACP EtherChannel:

    SW1 / SW2 Customer

    interface FastEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode active
    !
    interface FastEthernet0/2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode active
    !
    interface FastEthernet0/3
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode active

    Next we will configure the SW1 and SW2 ports connected to R1 and R2 devices:

    SW1 / SW2 Customer

    vtp mode transparent
    vtp domain Customer
    vlan 100
     name End2End
    !
    interface Fa0/10
    switchport mode access
    switchport access vlan 100

    Of course another approach can be taken in terms of VTP, like a server/client configuration, but this was the simplest one to illustrate here.

    Let’s add some IP addresses on the two routers R1 and R2:

    R1 Customer

    interface fa0/0
    ip address 10.0.0.1 255.255.255.0

    R2 Customer

    interface fa0/0
    ip address 10.0.0.2 255.255.255.0

    Our job as the customer is done. What about the provider configuration? This is where “the magic” happens.

    To provide our customer with three end-to-end 802.1q tunnels, we need to create three VLANs, assign them to the interfaces facing the customer SW1 and SW2 and enable 802.1q tunneling on those interfaces.

    SW1 / SW2 Provider

    vlan 10
    vlan 20
    vlan 30
    !
    interface FastEthernet0/1
     switchport access vlan 10
     switchport mode dot1q-tunnel
    !
    interface FastEthernet0/2
     switchport access vlan 20
     switchport mode dot1q-tunnel
    !
    interface FastEthernet0/3
     switchport access vlan 30
     switchport mode dot1q-tunnel

    Of course the provider SW1 and SW2 should have an 802.1q trunk enabled between them, allowing transport of VLANs 10, 20 and 30:

    SW1 / SW2 Provider

    int fa0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan 10,20,30

    OK, we have dot1q tunneling enabled now:

    SW1 / SW2 Provider

    show dot1q-tunnel
     
    dot1q-tunnel mode LAN Port(s)
    -----------------------------
    Fa0/1
    Fa0/2
    Fa0/3

    Still, the customer wants EtherChannel functionality, CDP visibility and the ability to transport its own VLAN information (remember we configured VLAN 100 on the interface of the customer SW1/SW2 facing R1/R2). Let’s enable these as well:

    SW1 / SW2 Provider

    interface FastEthernet0/1
    l2protocol-tunnel point-to-point lacp
    l2protocol-tunnel cdp
    l2protocol-tunnel stp
    no cdp enable
    !
    interface FastEthernet0/2
    l2protocol-tunnel point-to-point lacp
    l2protocol-tunnel cdp
    l2protocol-tunnel stp
    no cdp enable
    !
    interface FastEthernet0/3
    l2protocol-tunnel point-to-point lacp
    l2protocol-tunnel cdp
    l2protocol-tunnel stp
    no cdp enable

    Perfect, now let’s run some “show” commands to see that everything is working.

    SW1 / SW2 Customer

    show etherchannel 1 summary | b Group
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    1      Po1(SU)         LACP      Fa0/1(P)   Fa0/2(P)   Fa0/3(P)
    show spanning-tree vlan 100
     
    VLAN0100
      Spanning tree enabled protocol ieee
      Root ID    Priority    32868
                 Address     0011.20ab.6180
                 Cost        9
                 Port        56 (Port-channel1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
     
      Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
                 Address     0014.a86b.f600
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
     
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Fa0/10              Desg FWD 19        128.3    P2p
    Po1                 Root FWD 9         128.56   P2p

    OK, the EtherChannel is up and STP is showing the correct values. Let’s see if we can do a simple “ping” from R1 to R2:

    R1#ping 10.0.0.2
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

    The customer is happy, but what about the provider, what does it see on its L2 infrastructure?

    SW1 / SW2 Provider

    show spanning-tree vlan 100
    Spanning tree instance(s) for vlan 100 does not exist.

    So, the provider has no idea about VLAN 100 used by the customer. This is because the customer frames, the STP BPDUs from the customer SW1/SW2 included, are carried inside the dot1q tunnel behind the metro tags 10, 20 and 30.

    One note for real-life deployments: the provider needs to support an MTU of at least 1504 bytes along the tunnel path, so the extra metro tag does not cause the customer’s maximum-size frames to be dropped (Ethernet does not fragment; oversized frames are simply discarded).

    A second note for the provider side: with l2protocol-tunnel enabled, the customer’s CDP, STP and LACP PDUs are now processed by the provider switch, so rate-limit them with “l2protocol-tunnel drop-threshold” and “l2protocol-tunnel shutdown-threshold” on the tunnel ports. Otherwise a misbehaving or malicious customer can flood the provider switch CPU with protocol traffic.


    Ubuntu OVF images for download

    Lately I’ve been playing a lot with virtualization features and for this I needed a rapid way to deploy new instances from scratch. First I had the virtual machines converted to templates, but then I had to rebuild the entire ESXi environment from zero and those images were gone.

    I realised then that it was easier to have OVF images saved on distributed storage and deploy them as soon as I needed them. I started looking around the Internet and could not find something that suited my needs.
    Don’t get me wrong, there are plenty of OVF images around, but most have a GUI and a lot of packages already installed that I do not need.

    I wanted OVF files with low-end hardware and only a CLI. Why should I download and deploy a 20 or 30 GB instance if the only thing I need is the CLI? From this base I could customise it every time exactly the way I wanted.

    I started creating my OVF files and I’m pretty satisfied with them. Then I said, why not share them with the community?

    I chose Sourceforge to host my files because of their CDN and because it is free. On this blog I have to think about how to organise them, because I don’t know if the “post” format is the best idea. Until then, please find below the first two OVF images for Ubuntu 12.04 LTS.

    All archives contain a text file with details about the distro, user/password and enabled services. There may be other services enabled, like postfix, but the listed ones are mandatory if you want network functionality and remote connection.

    Since the credentials below are public and every copy of an image ships with the same SSH host keys, change both passwords and regenerate the host keys (for example “rm /etc/ssh/ssh_host_*” followed by “dpkg-reconfigure openssh-server”) on first boot, before a deployed VM is exposed to any network you do not fully control.

    Here are the details for the below listed downloads:

    Server images 32/64 bits

    username: notroot
    passwd: 123qweASD!

    username: root
    passwd: firstdigest
    HDD: 8 GB, ext4, 1 partition, thin provisioned
    RAM: 256 MB, CPU cores: 1

    Services enabled:
    SSHd
    DHCP client

    Downloads

    Ubuntu 12.04 Server (i386) OVF

    Ubuntu 12.04 Server (x86_64) OVF

    If you encounter problems with these images, please let me know here in the comments or on the Sourceforge project discussion page.

    In the upcoming days I will add more images from different distros here.

    MAC address tracking with NMS

    Let’s assume that I have a port open on my Cisco switch for guest users and I would like to keep track of new MAC addresses that are added to, or existing MAC addresses that are removed from, that port.

    I have an NMS (Network Management System) capable of receiving SNMP traps, which will send me an e-mail alert whenever one of the above situations happens.

    For this test I used the following addresses:
    - Cisco switch L3 interface from which the SNMP traps will be sent: Lo10, 2.2.2.2/32
    - Cisco switch L2 port on which I want to track MAC address changes: Fa0/10
    - NMS IP address: 172.31.82.254
    - SNMP community string: Cisco

    OK, this is a simple example, but it can be useful in some situations or for Cisco exam preparation.

    First let’s bring the Lo10 interface up and configure its IP address. Keep in mind that the switch needs an L3 interface with an IP address to source the traps from; without one the setup will not work.

    interface Loopback10
     ip address 2.2.2.2 255.255.255.255

    Next, I’ll configure the SNMP part. The trap-source line makes the traps leave with the Lo10 address, as intended above. Note that the community string “Cisco” is an SNMPv2c community and travels in clear text, so on a production switch prefer SNMPv3 with authentication and privacy for the trap host:

    SW(config)#snmp-server host 172.31.82.254 traps Cisco
    SW(config)#snmp-server trap-source Loopback10
    SW(config)#snmp-server enable traps mac-notification

    The following is the actual per-port configuration for MAC address change notification, entered under interface Fa0/10:

    SW(config-if)#snmp trap mac-notification change ?
      added    Enable Mac Address added notification for this port
      removed  Enable Mac Address removed notification for this port

    The above lines show the possible options. You can use both if you want notifications for both adding and removing of MAC addresses, or either option separately. I used both for this test.

    Let’s verify that the configuration was applied correctly:

    SW#show mac address-table notification change interface fa0/10
    MAC Notification Feature is Disabled on the switch
    Interface            MAC Added Trap MAC Removed Trap
    ---------            -------------- ----------------
    FastEthernet0/10     Enabled        Enabled

    Note the first line of that output: the feature is still Disabled on the switch. The per-port “Enabled” flags only select which ports participate; no trap is sent until you also enable the feature globally with “mac address-table notification change” in global configuration mode and the first line reads Enabled.

    Once it does, I find this helpful if you have open ports which require special attention and for some reason you cannot use a technique like dot1x or lock them to a static MAC address.
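On the NMS side the useful part of the trap is one varbind, cmnHistMacChangedMsg, which packs several MAC changes into one octet string. The following is an added example (my code, not from the original post, from Cisco or from any NMS product) that decodes that string and produces the alert lines you would mail. It assumes the record layout described for cmnHistMacChangedMsg in CISCO-MAC-NOTIFICATION-MIB: consecutive 11-byte records of operation (1 byte, 1 = learnt, 2 = removed), VLAN (2 bytes), MAC address (6 bytes) and dot1dBasePort (2 bytes), all big-endian. The sample payload is constructed with the helper below, and the port-number-to-interface-name table is a hypothetical mapping you would fill from dot1dBasePortIfIndex and ifDescr on the switch, since dot1dBasePort is not guaranteed to equal the interface number.

```python
"""Decode a Cisco MAC-notification trap payload and emit alerts.

Added example, not from the original post. Assumes the cmnHistMacChangedMsg
layout from CISCO-MAC-NOTIFICATION-MIB: 11-byte records of
operation(1) | VLAN(2) | MAC(6) | dot1dBasePort(2), network byte order,
operation 1 = MAC learnt, 2 = MAC removed. SAMPLE_PAYLOAD is constructed;
PORT_NAMES is a hypothetical dot1dBasePort -> interface mapping.
"""
import struct

OP_ADDED, OP_REMOVED = 1, 2
RECORD = struct.Struct("!BH6sH")  # 11 bytes per MAC change


def decode_mac_changed(payload):
    """Yield one dict per record; reject truncated or unknown input loudly.

    Refusing odd-length payloads matters: silently ignoring a trailing
    partial record would hide a MAC change from the operator.
    """
    if len(payload) % RECORD.size:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {RECORD.size}")
    for offset in range(0, len(payload), RECORD.size):
        op, vlan, mac, port = RECORD.unpack_from(payload, offset)
        if op not in (OP_ADDED, OP_REMOVED):
            raise ValueError(f"unknown operation {op} at offset {offset}")
        yield {"op": "added" if op == OP_ADDED else "removed",
               "vlan": vlan, "mac": mac.hex(":"), "port": port}


def build_record(op, vlan, mac_hex, port):
    """Pack one record (used here only to construct the sample payload)."""
    return RECORD.pack(op, vlan, bytes.fromhex(mac_hex.replace(":", "")), port)


def alerts(payload, port_names, watched_ports):
    """Return alert strings for changes on the ports we care about."""
    out = []
    for rec in decode_mac_changed(payload):
        name = port_names.get(rec["port"], f"port{rec['port']}")
        if name in watched_ports:
            out.append(f"{rec['mac']} {rec['op']} on {name} vlan {rec['vlan']}")
    return out


# constructed sample: one MAC learnt on the guest port, one removed elsewhere
SAMPLE_PAYLOAD = (build_record(OP_ADDED, 146, "00:11:22:33:44:55", 10)
                  + build_record(OP_REMOVED, 10, "aa:bb:cc:dd:ee:ff", 3))
PORT_NAMES = {10: "FastEthernet0/10", 3: "FastEthernet0/3"}  # hypothetical mapping

if __name__ == "__main__":
    for line in alerts(SAMPLE_PAYLOAD, PORT_NAMES, {"FastEthernet0/10"}):
        print(line)
```

Wire it to whatever receives the trap (the octet string arrives as the value of the cmnHistMacChangedMsg varbind) and keep the watched-ports set to the guest ports; everything else in the same trap is decoded but not alerted on.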


    Cisco 2600: How many IPv4 prefixes can fit in BGP table

    Today I wanted to see how many IPv4 prefixes a Cisco 2600 can accommodate in the BGP table, both in the global table and in a VRF table. I have a Cisco 2621XM with 64 MB of RAM lying around, so I decided to stress it a bit like in the old days when it was in production.

    I used the bgp_simple tool to test with the latest full Internet prefix table (dated 2013.03.09). For those of you not familiar with bgp_simple, it is a script capable of BGP peering and route injection. I would recommend checking the script’s web page, as it is an awesome tool.

    First, I used the global table to store all BGP prefixes. The router issued a %SYS-2-MALLOCFAIL error after receiving 44791 prefixes and a few seconds later it dropped the BGP peering.

    BB1#sh ip bgp sum | b Nei
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.182.1   4 65000 1194845      95  1181910  360    0 00:10:57    44791
     
    BB1#
    *Feb 10 21:22:49.383: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x8006A11C, alignment 0 
    Pool: Processor  Free: 64176  Cause: Not enough free memory 
    Alternate Pool: None  Free: 0  Cause: No Alternate pool 
     -Process= "BGP Router", ipl= 0, pid= 32 -Traceback= 0x8119EA40 0x80057D14 0x80059F18 0x8005A75C 0x8006A120 0x8006AE9C 0x8192D52C 0x80DFDD34 0x80DFE708 0x80DFF60C 0x82BA5A60 0x80DFF6E4 0x80DD8694 0x802435AC 0x80246CB0
    *Feb 10 21:23:00.395: %BGP-5-ADJCHANGE: neighbor 192.168.182.1 Down No memory
    *Feb 10 21:23:00.515: %BGP-3-NOTIFICATION: sent to neighbor 192.168.182.1 3/1 (update malformed) 0 bytes 
    BB1# FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0037 0200 0000 1C40 0101 0040 020E 0206 FDE8 9465 12EC 1D31 00D1 5821 4003 04C0 A8B6 0117 433F E0

    For the second test I created VRF A and the BGP session was established over an interface in that VRF, so all prefixes injected by bgp_simple arrived in the VRF table. This time it took only 33321 prefixes for the router to throw an error and drop the BGP session.

    BB1#sh ip bgp vpnv4 vrf A sum | b Nei
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.182.1   4 65000  439682      31   323732  534    0 00:09:24    33321
     
    *Feb 10 21:37:22.323: %SYS-2-MALLOCFAIL: Memory allocation of 2920 bytes failed from 0x8006A11C, alignment 0 
    Pool: Processor  Free: 8584  Cause: Memory fragmentation 
    Alternate Pool: None  Free: 0  Cause: No Alternate pool 
     -Process= "BGP Router", ipl= 0, pid= 32 -Traceback= 0x8119EA40 0x80057D14 0x80059F18 0x8005A75C 0x8006A120 0x8006AE9C 0x80DEB7B0 0x80DCC800 0x80E3DCC8 0x80E3B62C 0x80E2A244 0x80E2AE30 0x80DD0B14 0x80DD7F08 0x802435AC
    *Feb 10 21:37:31.011: %BGP-5-ADJCHANGE: neighbor 192.168.182.1 vpn vrf A Down No memory
    *Feb 10 21:37:31.251: %BGP-3-NOTIFICATION: sent to neighbor 192.168.182.1 3/1 (update malformed) 0 bytes 
    BB1#sh ip bgp vpnv4 vrf A sum | b Nei FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0052 0200 0000 3740 0101 0040 020A 0204 FDE8 2236 1AAE 18B7 4003 04C0 A8B6 01C0 081C 18B7 03E9 18B7 A028 1AAE 3E80 1AAE 3F6A 1AAE 59D9 1AAE 89EA 2236 1AAE 1440 3B90

    For those of you curious why it took fewer prefixes to exhaust memory in the VRF than in the global table, the reason is that a VRF has more memory consumption per IPv4 prefix. Ivan Pepelnjak explained it very well in his blog post about running the Internet in a VRF.

    The lesson for production boxes: a peer that can push more prefixes than you have memory for takes down the router, not just the session, so cap every external peer with “neighbor <ip> maximum-prefix <limit>” (optionally with the restart option) well below the point found above.

    I’ll check what other old Cisco routers I have around to see their BGP table limits.


    CCIE Home Lab, what to do when your router has too little Flash space for IOS

    I already explained in an older post my home lab for CCIE preparation. My BB1-BB3 routers are Cisco 2600 series and the rest, R1-R6, are emulated with Dynamips. The only problem is that one of the C2600s has too little Flash space to hold the required IOS image. Memory is sufficient, but Flash is not.

    The only workaround I have is to load the IOS image from a TFTP server. I will explain my procedure here, maybe it is useful for somebody else out there.

    First, I recently upgraded to Ubuntu 12.04 and for some reason tftpd (the default TFTP server) was not working properly. I found tftpd-hpa to be a good alternative, so I installed it:

    sudo apt-get install tftpd-hpa

    After installation you may want to check /etc/default/tftpd-hpa. On my system it looks like this (the --secure option makes the daemon chroot into TFTP_DIRECTORY, so clients cannot request files outside it):

    # /etc/default/tftpd-hpa
     
    TFTP_USERNAME="tftp"
    TFTP_DIRECTORY="/var/lib/tftpboot"
    TFTP_ADDRESS="0.0.0.0:69"
    TFTP_OPTIONS="--secure"

    The next step is to get an IOS image and copy it under /var/lib/tftpboot. If you need a hint, I’m using c2600-adventerprisek9-mz.124-25d.bin, which needs only a small amount of memory to run on the Cisco 2600 platform and is enough for testing.

    Now we need to get the IOS image onto the C2600 using TFTP. Depending on the topology you use for CCIE practice, this can be done in different ways.

    Currently I’m using the workbooks from Micronics Training (Narbik’s workbooks, if this sounds more familiar). Previously I used the ones from Internetwork Expert. The idea is that the topology is pretty similar and looks something like this:

    MicronicsTraining
    Narbik’s workbook topology

    My problematic router is BB3. Somehow I need BB3 to communicate with my Ubuntu server as simply as possible, without changing Ethernet cables all the time.
    You noticed in the above diagram that BB3 has an interface on SW1 (Fa0/13) and SW1 has Fa0/1 connected to my Ubuntu server, as explained in this post. What I need is to have Fa0/13 and Fa0/1 on SW1 in the same VLAN for proper communication. Usually I just default the interfaces and then everything is fine.

    On the Ubuntu box I can have an IP address on the physical NIC (this does not influence in any way the Dynamips emulated router attached to this interface):

    eth1      Link encap:Ethernet  HWaddr 00:e0:b6:06:a6:3b
              inet addr:192.168.182.1  Bcast:192.168.182.255  Mask:255.255.255.0
              inet6 addr: fe80::2e0:b6ff:fe06:a63b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:14100 (14.1 KB)

    By default the BB3 router has an IOS image that fits the Flash size (c2600-i-mz.123-26.bin), and in case the TFTP server is not reachable for some reason, it will boot that image.

    The BB3 startup-configuration looks like this:

    interface FastEthernet0/0
     ip address 192.168.182.13 255.255.255.0
    !
    boot system tftp c2600-adventerprisek9-mz.124-25d.bin 192.168.182.1

    What you have to remember:
    1. Start your TFTP server and make sure it has the correct IP address on the interface from which you will serve IOS files
    2. Start your switch (if you have one between the Cisco router and the TFTP server) and make sure the interfaces can exchange packets (same VLAN, etc.)
    3. Start your router

    One thing to keep in mind about this setup: TFTP has no authentication or integrity check, and with “boot system tftp” the router runs whatever image the server returns, with no chance to verify a hash on the router first. Keep this VLAN limited to lab gear and check the image on the server (md5sum against the hash Cisco publishes for the file) before placing it in /var/lib/tftpboot.

    If you missed any of the above steps, you’ll see something like this:

    %SYS-4-CONFIG_NEWER: Configuration from version 12.4 may not be correctly understood
     Slot is empty or does not support clock participate
     WIC slot is empty or does not support clock participate
    %SYS-6-READ_BOOTFILE_FAIL: tftp://192.168.182.1/c2600-adventerprisek9-mz.124-25d.bin File read failed -- Timed out.
     
     Hello from IFS_TYPE_ROM successful type-check
     
    %SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
    boot of "tftp:c2600-adventerprisek9-mz.124-25d.bin 192.168.182.1" using boot helper "flash:c2600-i-mz.123-26.bin" failed
    error returned: File read failed -- Timed out
    loadprog: error - on file open
    boot: cannot load "tftp:c2600-adventerprisek9-mz.124-25d.bin 192.168.182.1"

    and the router will boot your image stored locally on Flash.
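
The three steps above boil down to one question: will the router, at boot time, get an answer to its TFTP read request? The following Python script is an added example (not part of the original post) that answers it from the TFTP server's LAN before you reboot the router. It issues a real RFC 1350 read request for the image, distinguishes a served file from a "file not found" error and from silence (the "File read failed -- Timed out" case above), and prints the image's MD5 so you can compare it with `verify /md5 flash:...` on the router, because TFTP itself has no authentication or integrity protection and anybody on that VLAN can answer the request. The in-process TFTP server, the image bytes and the file names are constructed for the demo; point `tftp_fetch` at your real server (UDP port 69) to run the check for real.

```python
"""Pre-flight check for 'boot system tftp': from the TFTP server's LAN, read the image
with a real TFTP request before rebooting the router and record its MD5 for 'verify /md5'.
A constructed read-only TFTP server is included so the exchange runs offline (RFC 1350,
octet mode, 512-byte blocks, no option negotiation)."""
import hashlib
import socket
import struct
import threading

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5   # TFTP opcodes
BLOCK = 512


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode | filename | NUL | mode | NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_fetch(host, filename, port=69, timeout=3.0):
    """Returns ('ok', file bytes), ('error', server error text) or ('timeout', b'');
    the last case is what IOS logs as 'File read failed -- Timed out'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    chunks, expected = [], 1
    try:
        sock.sendto(build_rrq(filename), (host, port))
        while True:
            try:
                pkt, peer = sock.recvfrom(4 + BLOCK)      # server answers from a fresh port (its TID)
            except socket.timeout:
                return "timeout", b""
            opcode = struct.unpack("!H", pkt[:2])[0]
            if opcode == ERROR:
                return "error", pkt[4:].rstrip(b"\0")
            if opcode != DATA:
                continue
            block = struct.unpack("!H", pkt[2:4])[0]
            if block != expected:                         # duplicate: re-ACK the last good block
                sock.sendto(struct.pack("!HH", ACK, (expected - 1) % 65536), peer)
                continue
            chunks.append(pkt[4:])
            sock.sendto(struct.pack("!HH", ACK, block), peer)
            if len(pkt) - 4 < BLOCK:                      # a short block ends the transfer
                return "ok", b"".join(chunks)
            expected = (expected + 1) % 65536             # block numbers wrap on large images
    finally:
        sock.close()


class FakeTftpServer(threading.Thread):
    """Constructed read-only TFTP server on 127.0.0.1 (random port). Names in `silent`
    get no reply at all, reproducing the router's timeout case."""

    def __init__(self, files, silent=()):
        super().__init__(daemon=True)
        self.files, self.silent = files, set(silent)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            pkt, peer = self.sock.recvfrom(1024)
            if len(pkt) > 2 and struct.unpack("!H", pkt[:2])[0] == RRQ:
                name = pkt[2:].split(b"\0")[0].decode(errors="replace")
                threading.Thread(target=self._serve, args=(name, peer), daemon=True).start()

    def _serve(self, name, peer):
        if name in self.silent:
            return
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new TID per transfer (RFC 1350)
        s.settimeout(2.0)
        data = self.files.get(name)
        if data is None:
            s.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", peer)
        else:
            block, off = 1, 0
            while True:
                chunk = data[off:off + BLOCK]
                s.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
                try:
                    ack, _ = s.recvfrom(4)
                except socket.timeout:
                    break
                if len(ack) != 4 or struct.unpack("!HH", ack)[1] != block:
                    continue                                   # wrong ACK: resend the same block
                if len(chunk) < BLOCK:
                    break
                off, block = off + BLOCK, (block + 1) % 65536
        s.close()


if __name__ == "__main__":
    image = bytes(range(256)) * 9 + b"tail"   # constructed stand-in for an IOS image (2308 bytes)
    srv = FakeTftpServer({"c2600-adventerprisek9-mz.124-25d.bin": image}, silent=["wedged.bin"])
    srv.start()
    for name in ("c2600-adventerprisek9-mz.124-25d.bin", "missing.bin", "wedged.bin"):
        status, payload = tftp_fetch("127.0.0.1", name, port=srv.port, timeout=1.0)
        print(name, status, hashlib.md5(payload).hexdigest() if status == "ok" else payload)
```

Run it against the real server with `tftp_fetch("192.168.182.1", "c2600-adventerprisek9-mz.124-25d.bin")` from a host in the same VLAN as BB3; a `timeout` there is exactly what the router will hit, and an MD5 that does not match the value you recorded when you downloaded the image means the file on the server is not the one you think it is.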

    Instead of doing all this work, which may cause some headaches, I could just buy another router with enough Flash (and memory). Currently I don’t want to make this investment, so I’ll stick with the above scenario.


    Overlay MPLS over provider backbone

    Imagine that you have two or more sites which you want to connect together using MPLS technology. You cannot afford dark fiber and your Service Provider cannot offer you L2 connections of any kind. The only thing your SP can offer is L3 transport. Still, you want to build your own MPLS environment and there is no way to convince your SP to enable CsC (Carrier Supporting Carrier).

    I will use the following topology to demonstrate one of the possibilities to build an overlay MPLS over SP backbone.

    Overlay MPLS over SP

    The provider already has its MPLS backbone configured (P1, PE1, PE2 and PE3) and is offering you, as a customer, IP transport over that backbone. Usually, from the customer’s perspective, you don’t get to see the SP backbone, but just for reference, it is using IS-IS as IGP, MP-BGP and MPLS VPN to transport our prefixes.

    For IP prefix allocation I’m using “xy” in the third octet (x – lower router number, y – higher router number) and “z” in the last octet (router number), with a /24 mask.

    We have three locations, CPE5, CPE6 and CPE7. Currently between my CPE and the provider PE I have BGP enabled, but you can use any protocol (even static routes) as long as your SP is able to route your IP prefixes over its backbone. Each CPE device has a Loopback interface, and its IP address will be the only prefix you announce (through BGP in this demonstration) to the SP.

    Let’s establish the BGP connection from our CPE to SP PE. As I’m playing the role of customer here, only the CPE exhibits will be shown:

    CPE5

    interface Loopback0
     ip address 5.5.5.5 255.255.255.255
    !
    router bgp 65001
     bgp router-id 5.5.5.5
     bgp log-neighbor-changes
     neighbor 10.0.35.3 remote-as 65000
     neighbor 10.0.35.3 description R3PE3
     neighbor 10.0.35.3 timers 5 20
     !
     address-family ipv4
      neighbor 10.0.35.3 activate
      no auto-summary
      no synchronization
      network 5.5.5.5 mask 255.255.255.255
     exit-address-family

    CPE6

    interface Loopback0
     ip address 6.6.6.6 255.255.255.255
    !
    router bgp 65001
     bgp router-id 6.6.6.6
     bgp log-neighbor-changes
     neighbor 10.0.26.2 remote-as 65000
     neighbor 10.0.26.2 description R2PE2
     neighbor 10.0.26.2 timers 5 20
     !
     address-family ipv4
      neighbor 10.0.26.2 activate
      no auto-summary
      no synchronization
      network 6.6.6.6 mask 255.255.255.255
     exit-address-family

    CPE7

    interface Loopback0
     ip address 7.7.7.7 255.255.255.255
    !
    router bgp 65001
     bgp router-id 7.7.7.7
     bgp log-neighbor-changes
     neighbor 10.0.47.4 remote-as 65000
     neighbor 10.0.47.4 description R4PE4
     neighbor 10.0.47.4 timers 5 20
     !
     address-family ipv4
      neighbor 10.0.47.4 activate
      no auto-summary
      no synchronization
      network 7.7.7.7 mask 255.255.255.255
     exit-address-family

    The BGP neighborship should be up now, and on each CPE I should receive the Loopback prefixes of the other two CPE devices.

    R5CPE5#sh ip bgp sum | b Nei
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.0.35.3       4 65000     126     125        2    0    0 00:10:04        0
    !
    R6CPE6#sh ip bgp sum | b Nei
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.0.26.2       4 65000     136     135        2    0    0 00:10:50        0
    !
    R7CPE7#sh ip bgp sum | b Nei
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.0.47.4       4 65000     134     134        4    0    0 00:10:46        0

    BGP neighborship is up alright, but where are my prefixes? State/PfxRcd is 0, when it should show 2.
    I did that on purpose.

    Notice that we are using the same AS number at all our sites. I think you already know the rule in BGP: if our own ASN appears in the AS_PATH of a received prefix, BGP treats the update as a routing loop and does not install that prefix in the BGP table. This is fixable:
    1. We ask our provider to configure “as-override” on its side of the BGP session towards us
    2. We use a different ASN at each site (assuming that we are using private ASNs)
    3. We configure “allowas-in” on the BGP neighborship with the SP

    Basically you may use any of the three methods (or another one, if you can think of any), but in my case I don’t want to ask the SP, nor do I want to change my ASN scheme. I’ll go with the third option and be careful not to run into loop issues (considering this is an Enterprise environment, I think it’s doable).
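
To see what the loop check does with the lab's AS_PATHs, and what each of the three fixes changes, here is an added Python model (not IOS code and not part of the original post). It walks the prefix 6.6.6.6/32 from CPE6 through the SP to CPE5 with the ASNs used above and reports the AS_PATH as received at each hop, once with the default check, once with allowas-in and once with as-override on the provider side. The last call shows the price of option 3: with allowas-in, a path that already contains your ASN more than once is still accepted, so the loop protection you give up has to be replaced by prefix filtering on what you accept from and send to the SP.

```python
"""AS_PATH loop check as a BGP speaker applies it on receipt, plus the two knobs
discussed above: 'allowas-in' on the customer side and 'as-override' on the
provider side.  Model only (not IOS code), using the lab's ASNs 65001/65000."""

CUSTOMER_ASN, SP_ASN = 65001, 65000


def accept_update(as_path, local_asn, allowas_in=0):
    """Standard rule: our own ASN anywhere in AS_PATH means a loop, drop the update.
    'allowas-in N' relaxes it to 'at most N occurrences' (IOS default N is 3)."""
    return as_path.count(local_asn) <= allowas_in


def prepend_on_send(as_path, sender_asn, receiver_asn):
    """AS_PATH as it leaves a speaker: eBGP prepends the sender's ASN, iBGP leaves it untouched."""
    return list(as_path) if sender_asn == receiver_asn else [sender_asn] + list(as_path)


def as_override(as_path, provider_asn, customer_asn):
    """Provider-side 'as-override': rewrite the customer's ASN to the provider's before sending."""
    return [provider_asn if asn == customer_asn else asn for asn in as_path]


def propagate(hops, allowas_in=0, override=False):
    """Carry one prefix along (sender_asn, receiver_asn) hops; return per hop the AS_PATH
    as received and whether it was accepted.  Stops at the first rejection."""
    path, trace = [], []
    for sender, receiver in hops:
        sent = prepend_on_send(path, sender, receiver)
        if override and sender == SP_ASN and receiver == CUSTOMER_ASN:
            sent = as_override(sent, SP_ASN, CUSTOMER_ASN)
        ok = accept_update(sent, receiver, allowas_in)
        trace.append((receiver, sent, ok))
        if not ok:
            break
        path = sent
    return trace


# 6.6.6.6/32 in the lab: CPE6 (65001) -> PE2 (65000) -> PE3 (65000, iBGP) -> CPE5 (65001)
LAB_HOPS = [(CUSTOMER_ASN, SP_ASN), (SP_ASN, SP_ASN), (SP_ASN, CUSTOMER_ASN)]

if __name__ == "__main__":
    for label, kw in (("default", {}), ("allowas-in 1", {"allowas_in": 1}), ("as-override", {"override": True})):
        print(label, propagate(LAB_HOPS, **kw))
    # the price of allowas-in: a path that already went through us twice is still accepted
    print(accept_update([SP_ASN, CUSTOMER_ASN, SP_ASN, CUSTOMER_ASN], CUSTOMER_ASN, allowas_in=3))
```

In the default run the last hop shows CPE5 receiving `[65000, 65001]` and rejecting it, which is the `State/PfxRcd 0` seen above; `allowas-in 1` accepts the same path, and as-override turns it into `[65000, 65000]` so the check never triggers.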

    CPE5

    router bgp 65001
      neighbor 10.0.35.3 allowas-in

    CPE6

    router bgp 65001
      neighbor 10.0.26.2 allowas-in

    CPE7

    router bgp 65001
      neighbor 10.0.47.4 allowas-in

    Let’s check again and do some testing. I will use CPE5:

    R5CPE5#sh ip route bgp
         6.0.0.0/32 is subnetted, 1 subnets
    B       6.6.6.6 [20/0] via 10.0.35.3, 00:04:02
         7.0.0.0/32 is subnetted, 1 subnets
    B       7.7.7.7 [20/0] via 10.0.35.3, 00:04:02
    !
    R5CPE5#ping 6.6.6.6 source 5.5.5.5
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
    Packet sent with a source address of 5.5.5.5 
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/44/64 ms
     
    R5CPE5#ping 7.7.7.7 source 5.5.5.5
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
    Packet sent with a source address of 5.5.5.5 
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/52/96 ms

    The next part involves creating the Tunnel interfaces (GRE, the default tunnel mode) for a full mesh between the three sites, enabling an IGP and MPLS on them, and creating a second Loopback interface which we will use later for the iBGP configuration. I chose IS-IS as IGP and LDP for MPLS label distribution. The new Loopback interface will be advertised through IS-IS.

    A note from my side: since I had a limited number of routers, my CPE devices act as P, PE and CE router at the same time in this overlay MPLS demonstration.

    CPE5

    int Tun56
    tunnel source lo0
    tunnel destination 6.6.6.6
    ip address 192.168.56.5 255.255.255.0
    mpls ip
    ip router isis
    !
    int Tun57
    tunnel source lo0
    tunnel destination 7.7.7.7
    ip address 192.168.57.5 255.255.255.0
    mpls ip
    ip router isis
    !
    int Lo1
    ip address 55.55.55.55 255.255.255.255
    !
    router isis
    net 47.0005.0005.0005.0005.00
    passive-interface lo1
    is-type level-2-only

    CPE6

    int Tun56
    tunnel source lo0
    tunnel destination 5.5.5.5
    ip address 192.168.56.6 255.255.255.0
    mpls ip
    ip router isis
    !
    int Tun67
    tunnel source lo0
    tunnel destination 7.7.7.7
    ip address 192.168.67.6 255.255.255.0
    mpls ip
    ip router isis
    !
    int Lo1
    ip address 66.66.66.66 255.255.255.255
    !
    router isis
    net 47.0006.0006.0006.0006.00
    passive-interface lo1
    is-type level-2-only

    CPE7

    int Tun57
    tunnel source lo0
    tunnel destination 5.5.5.5
    ip address 192.168.57.7 255.255.255.0
    mpls ip
    ip router isis
    !
    int Tun67
    tunnel source lo0
    tunnel destination 6.6.6.6
    ip address 192.168.67.7 255.255.255.0
    mpls ip
    ip router isis
    !
    int Lo1
    ip address 77.77.77.77 255.255.255.255
    !
    router isis
    net 47.0007.0007.0007.0007.00
    is-type level-2-only
    passive-interface lo1

    I will use CPE5 for some show commands output and to check that everything is running fine:

    R5CPE5#ping 192.168.56.6
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.56.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 44/48/52 ms
     
    R5CPE5#ping 192.168.57.7
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.57.7, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/52 ms
     
    !
    R5CPE5#sh isis topology
     
    IS-IS paths to level-2 routers
    System Id            Metric     Next-Hop             Interface   SNPA
    R5CPE5               --
    R6CPE6               10         R6CPE6               Tu56        *Tunnel*       
    R7CPE7               10         R7CPE7               Tu57        *Tunnel* 
    !
    R5CPE5#show mpls interfaces 
    Interface              IP            Tunnel   Operational
    Tunnel56               Yes (ldp)     No       Yes         
    Tunnel57               Yes (ldp)     No       Yes 
    !
    R5CPE5#show mpls ldp neighbor 
        Peer LDP Ident: 6.6.6.6:0; Local LDP Ident 5.5.5.5:0
    	TCP connection: 6.6.6.6.64820 - 5.5.5.5.646
    	State: Oper; Msgs sent/rcvd: 16/16; Downstream
    	Up time: 00:07:47
    	LDP discovery sources:
    	  Tunnel56, Src IP addr: 192.168.56.6
            Addresses bound to peer LDP Ident:
              10.0.26.6       6.6.6.6         192.168.56.6    192.168.67.6    
        Peer LDP Ident: 7.7.7.7:0; Local LDP Ident 5.5.5.5:0
    	TCP connection: 7.7.7.7.11545 - 5.5.5.5.646
    	State: Oper; Msgs sent/rcvd: 16/16; Downstream
    	Up time: 00:07:26
    	LDP discovery sources:
    	  Tunnel57, Src IP addr: 192.168.57.7
            Addresses bound to peer LDP Ident:
              10.0.47.7       7.7.7.7         192.168.57.7    192.168.67.7

    I will create now two VRF instances as I want to separate Financial department traffic from the Technical one.

    On all three CPE devices:

    ip vrf FIN
    rd 65001:1
    route-target import 65001:1
    route-target export 65001:1
    !
    ip vrf TEK
    rd 65001:2
    route-target import 65001:2
    route-target export 65001:2

    The iBGP configuration depends on the Loopback1 interfaces created above, so be sure that those interfaces are reachable through IS-IS. Because it’s iBGP and I don’t want to type the same commands over and over, I will use peer-groups.

    CPE5

    router bgp 65001
    !
    neighbor OM peer-group
    neighbor OM remote-as 65001
    neighbor OM timers 5 20
    neighbor OM description Overlay-MPLS
    neighbor OM update-source lo1
    !
    address-family vpnv4
    neighbor 66.66.66.66 peer-group OM
    neighbor 77.77.77.77 peer-group OM

    CPE6

    router bgp 65001
    neighbor OM peer-group
    neighbor OM remote-as 65001
    neighbor OM timers 5 20
    neighbor OM description Overlay-MPLS
    neighbor OM update-source lo1
    !
    address-family vpnv4
    neighbor 55.55.55.55 peer-group OM
    neighbor 77.77.77.77 peer-group OM

    CPE7

    router bgp 65001
    neighbor OM peer-group
    neighbor OM remote-as 65001
    neighbor OM timers 5 20
    neighbor OM description Overlay-MPLS
    neighbor OM update-source lo1
    !
    address-family vpnv4
    neighbor 55.55.55.55 peer-group OM
    neighbor 66.66.66.66 peer-group OM

    We should check that everything is up. I will use again CPE5:

    R5CPE5#show ip bgp vpnv4 all sum | b Nei
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    66.66.66.66     4 65001      46      46        1    0    0 00:03:30        0
    77.77.77.77     4 65001      31      31        1    0    0 00:02:18        0

    Finally we are getting somewhere. In the real world you will have the CPE routers connected to downstream devices, using subinterfaces placed in a particular VRF, and so on. I’m short on devices, so I will use some additional Loopback interfaces and add them to VRF FIN and TEK for testing.

    CPE5

    int Lo51
    ip vrf forwarding FIN
    ip address 10.51.51.51 255.255.255.255
    !
    int Lo52
    ip vrf forwarding TEK
    ip address 10.52.52.52 255.255.255.255
    !
    router bgp 65001
    !
    address-family ipv4 vrf FIN
    network 10.51.51.51 mask 255.255.255.255
    !
    address-family ipv4 vrf TEK
    network 10.52.52.52 mask 255.255.255.255

    CPE6

    int Lo61
    ip vrf forwarding FIN
    ip address 10.61.61.61 255.255.255.255
    !
    int Lo62
    ip vrf forwarding TEK
    ip address 10.62.62.62 255.255.255.255
    !
    router bgp 65001
    !
    address-family ipv4 vrf FIN
    network 10.61.61.61 mask 255.255.255.255
    !
    address-family ipv4 vrf TEK
    network 10.62.62.62 mask 255.255.255.255

    CPE7

    int Lo71
    ip vrf forwarding FIN
    ip address 10.71.71.71 255.255.255.255
    !
    int Lo72
    ip vrf forwarding TEK
    ip address 10.72.72.72 255.255.255.255
    !
    router bgp 65001
    !
    address-family ipv4 vrf FIN
    network 10.71.71.71 mask 255.255.255.255
    !
    address-family ipv4 vrf TEK
    network 10.72.72.72 mask 255.255.255.255

    To check if everything is working fine, I will use CPE5 for some tests:

    R5CPE5#sh ip route vrf FIN | b Ga
    Gateway of last resort is not set
     
         10.0.0.0/32 is subnetted, 3 subnets
    B       10.61.61.61 [200/0] via 66.66.66.66, 00:04:42
    C       10.51.51.51 is directly connected, Loopback51
    B       10.71.71.71 [200/0] via 77.77.77.77, 00:02:46
    !
    R5CPE5#sh ip route vrf TEK | b Ga
    Gateway of last resort is not set
     
         10.0.0.0/32 is subnetted, 3 subnets
    B       10.62.62.62 [200/0] via 66.66.66.66, 00:04:59
    C       10.52.52.52 is directly connected, Loopback52
    B       10.72.72.72 [200/0] via 77.77.77.77, 00:03:04
    !
    R5CPE5#ping vrf FIN 10.71.71.71 source 10.51.51.51
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.71.71.71, timeout is 2 seconds:
    Packet sent with a source address of 10.51.51.51 
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
    !
    R5CPE5#ping vrf TEK 10.62.62.62 source 10.52.52.52
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.62.62.62, timeout is 2 seconds:
    Packet sent with a source address of 10.52.52.52 
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/47/52 ms
    !
    R5CPE5#show mpls forwarding-table 
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
    tag    tag or VC   or Tunnel Id      switched   interface              
    16     Pop tag     192.168.67.0/24   0          Tu57       point2point  
           Pop tag     192.168.67.0/24   0          Tu56       point2point  
    17     Pop tag     66.66.66.66/32    0          Tu56       point2point  
    18     Pop tag     77.77.77.77/32    0          Tu57       point2point  
    19     Aggregate   10.51.51.51/32[V] 1040                               
    20     Aggregate   10.52.52.52/32[V] 520
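
What separates FIN from TEK in the outputs above is nothing more than the route-target import/export lines on each VRF. The following Python model is an added example (not IOS code and not from the original post): it exports the three CPEs' VRF routes as VPNv4 updates carrying their RTs, imports them by RT on every CPE, and then repeats the exercise with one extra `route-target import 65001:1` line on TEK to show how a single mistyped RT leaks the Financial prefixes into the Technical VRF. Prefixes, RDs and RTs are those from the post; the CPE names and the import behaviour are modelled, not captured from the routers.

```python
"""Route-target driven import/export between the three CPEs' VRFs, as MP-BGP VPNv4
does it: every VRF exports its routes tagged with its export RT, and a route lands
in a VRF only if that VRF imports one of the route's RTs.  Model only (not IOS);
it reproduces the FIN/TEK split from the lab and shows what one wrong
'route-target import' line does to it."""


class Vrf:
    def __init__(self, name, rd, import_rts, export_rts, routes):
        self.name, self.rd = name, rd
        self.import_rts, self.export_rts = set(import_rts), set(export_rts)
        self.routes = set(routes)      # locally originated prefixes
        self.table = set(routes)       # what 'show ip route vrf <name>' would list


def export_vpnv4(pe, vrfs):
    """VPNv4 NLRI as sent over MP-iBGP: (RD:prefix, next hop PE, RT extended communities)."""
    return [(f"{v.rd}:{p}", pe, frozenset(v.export_rts)) for v in vrfs for p in sorted(v.routes)]


def import_vpnv4(vrfs, updates):
    """Install each VPNv4 route into every local VRF whose import RTs intersect the route's RTs.
    The RD only keeps overlapping customer prefixes distinct; it plays no part in the decision."""
    for rd_prefix, _nexthop, rts in updates:
        prefix = rd_prefix.split(":", 2)[2]
        for v in vrfs:
            if v.import_rts & rts:
                v.table.add(prefix)


def build_lab(tek_import=("65001:2",)):
    """The three CPEs from the post (loopbacks 10.n1.n1.n1 in FIN, 10.n2.n2.n2 in TEK).
    `tek_import` lets the caller mis-configure TEK's import RTs."""
    pes = {}
    for n in (5, 6, 7):
        pes[f"CPE{n}"] = [
            Vrf("FIN", "65001:1", ["65001:1"], ["65001:1"], [f"10.{n}1.{n}1.{n}1/32"]),
            Vrf("TEK", "65001:2", tek_import, ["65001:2"], [f"10.{n}2.{n}2.{n}2/32"]),
        ]
    updates = [u for pe, vrfs in pes.items() for u in export_vpnv4(pe, vrfs)]
    for vrfs in pes.values():
        import_vpnv4(vrfs, updates)    # RT matching also applies between VRFs on the same router
    return pes


def vrf_table(pes, pe, vrf_name):
    """Sorted prefixes a given VRF on a given CPE ends up with."""
    return sorted(next(v for v in pes[pe] if v.name == vrf_name).table)


if __name__ == "__main__":
    lab = build_lab()
    print("CPE5 FIN:", vrf_table(lab, "CPE5", "FIN"))
    print("CPE5 TEK:", vrf_table(lab, "CPE5", "TEK"))
    leaky = build_lab(tek_import=("65001:2", "65001:1"))   # one extra import RT on TEK
    print("CPE5 TEK with extra import RT:", vrf_table(leaky, "CPE5", "TEK"))
```

The first two tables match the `show ip route vrf` outputs above; the third is what a reviewer of the VRF configuration is looking for, since there is no other control between the two departments once the RTs overlap.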

    You may wonder why somebody would put together such a complex configuration. There may be multiple reasons, beyond the scope of this example, but I would mention MPLS TE, encrypted site-to-site traffic with route manipulation, a configuration independent of the SP, learning purposes and many more.

    Can we encounter problems with this configuration? Well, yes.
    If the provider supports only a small MTU, you may get a lot of fragmentation: GRE adds 24 bytes (20 bytes outer IP header plus 4 bytes GRE header) and every MPLS label another 4 bytes, so either lower the IP MTU on the Tunnel interfaces or make sure the SP carries the extra overhead. Plain GRE also offers no confidentiality or authentication, so the LDP, IS-IS and iBGP sessions and all VRF traffic cross the SP backbone in cleartext unless you add IPsec (tunnel protection) on the Tunnel interfaces. Also, maintenance and operation of the Tunnels may be tricky in a very large environment, but there are solutions to limit the number of tunnels. Still, the benefits exist.

    To name one real-world benefit: applying this configuration in an Enterprise environment, you can change your SP without too much hassle, as long as the new provider can transport the IP address of your primary Loopback interface. The rest stays the same.

    Please let me know if you have questions or if something in my explanation is wrong.


    vCSA Web Management Network error

    A few days ago I installed two additional NICs in the server that hosts the virtual machine for vCenter Server Appliance (vCSA).

    After the NICs installation, the Management web interface for vCSA was showing some strange error (see image below).

    Safari:

    vCenter Server Appliance

    Firefox:

    vCenter Server Appliance

    I added two images to show you that the error is almost the same and not browser related.

    Next I went online and tried to find a way to fix this issue. Among other stuff I also updated the vCSA, but unfortunately nothing helped.

    Finally, after a lot of research, I found the trouble was caused not by the VMware code but by something in the SUSE Linux OS on which vCSA is built. Apparently I had to add the new NICs’ configuration in SUSE manually:

    vi /etc/sysconfig/networking/devices/ifcfg-eth2

    Add the following lines:

    DEVICE=eth2
    BOOTPROTO='static'
    STARTMODE='auto'
    TYPE=Ethernet
    USERCONTROL='no'
    IPADDR='10.0.0.35'
    NETMASK='255.255.255.0'
    BROADCAST='10.0.0.255'

    Then add a symbolic link in the right place:

    ln -s /etc/sysconfig/networking/devices/ifcfg-eth2 /etc/sysconfig/network/ifcfg-eth2

    You need this configuration for each one of your NICs. Of course you need to adapt the file name and the values for each NIC (eth1, eth2, …).
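
Since the same file has to be created for every NIC, the following Python script is an added example (not from the original post or from VMware) that generates it: it validates the address and mask, derives BROADCAST instead of typing it, writes the file under /etc/sysconfig/networking/devices and creates the symlink under /etc/sysconfig/network, and can be re-run safely. The optional `root` argument is an assumption of this example so the result can be inspected in a scratch directory before writing to the real /etc.

```python
"""Generate the SUSE ifcfg-<dev> file and its symlink described above for any
number of NICs, computing BROADCAST from IPADDR/NETMASK instead of typing it.
The `root` argument is an assumption of this example: it lets the files be written
under a scratch directory first and only then under the real /etc."""
import ipaddress
import os


def render_ifcfg(dev, ip, netmask):
    """Return the ifcfg-<dev> contents in the same key/value form the post uses;
    ipaddress validates the address and mask and derives the broadcast address."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    return "\n".join([
        f"DEVICE={dev}",
        "BOOTPROTO='static'",
        "STARTMODE='auto'",
        "TYPE=Ethernet",
        "USERCONTROL='no'",
        f"IPADDR='{iface.ip}'",
        f"NETMASK='{iface.network.netmask}'",
        f"BROADCAST='{iface.network.broadcast_address}'",
    ]) + "\n"


def install_ifcfg(dev, ip, netmask, root="/"):
    """Write <root>/etc/sysconfig/networking/devices/ifcfg-<dev> and point
    <root>/etc/sysconfig/network/ifcfg-<dev> at it. Safe to re-run; returns the link path."""
    devices = os.path.join(root, "etc/sysconfig/networking/devices")
    network = os.path.join(root, "etc/sysconfig/network")
    os.makedirs(devices, exist_ok=True)
    os.makedirs(network, exist_ok=True)
    target = os.path.abspath(os.path.join(devices, f"ifcfg-{dev}"))
    link = os.path.join(network, f"ifcfg-{dev}")
    with open(target, "w") as fh:
        fh.write(render_ifcfg(dev, ip, netmask))
    if os.path.lexists(link):          # replace a stale file or link instead of failing
        os.remove(link)
    os.symlink(target, link)
    return link


if __name__ == "__main__":
    import sys
    # usage: python ifcfg.py <dev> <ip> <netmask> [root]   e.g. eth2 10.0.0.35 255.255.255.0
    dev, ip, netmask = sys.argv[1:4]
    print(install_ifcfg(dev, ip, netmask, root=sys.argv[4] if len(sys.argv) > 4 else "/"))
```

Run it once per NIC as root on the appliance; a typo in the address or mask is rejected before anything is written, which is preferable to a NIC that silently comes up with a wrong broadcast address.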

    It looks better now:

    vCenter Server Appliance

    There may be an easier way to fix this problem, but for me, the above solution worked just fine. If you encounter this error and fix it in another way, please feel free to let me know.

    IPv6 transport over IPv4 MPLS

    Cisco: IPv6 over IPv4 MPLS (6PE)

    Let’s assume that you have an IPv4 core backbone on which you enabled MPLS. Your customers are connected to your PE routers and they need IPv6 reachability between their sites. To make things clearer, please have a look at the following network topology:
    IPv6 transport over IPv4 MPLS

    As you can see in the above image, the customers have the IPv6 addresses 2001::1/128 and 2001::2/128. Actually, in this topology “my customers” are two Loopback interfaces (Lo200) configured on the PE routers, to minimize the resources (routers) used.

    We have a typical MPLS (LDP) construction with the following characteristics:
    - OSPF is used as IGP
    - each router has a Loopback0 (L0) interface advertised into the IGP
    - L0 of each router is configured as the MPLS LDP router-id
    - PE routers have an additional L100 interface advertised into the IGP
    - iBGP between the PE routers is configured using Loopback interfaces as peering points (in the exhibits below the session is sourced from Loopback0, 11.11.11.11 and 22.22.22.22)

    You can find below some output of iBGP and MPLS configuration:

    PE1

    router bgp 65300
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     neighbor 22.22.22.22 remote-as 65300
     neighbor 22.22.22.22 update-source Loopback0
     neighbor 22.22.22.22 timers 1 4
     !
     address-family vpnv4
      neighbor 22.22.22.22 activate
      neighbor 22.22.22.22 send-community extended
     exit-address-family
    !
    !
    PE1#sh bgp vpnv4 unicast all sum | i 65300
    BGP router identifier 11.11.11.11, local AS number 65300
    22.22.22.22     4 65300    7374    7376       19    0    0 00:04:11        1
    !
    !
    PE1#show mpls forwarding-table 
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
    tag    tag or VC   or Tunnel Id      switched   interface              
    16     16          22.22.22.22/32    0          Fa0/0      10.10.11.1   
    17     18          10.10.22.0/24     0          Fa0/0      10.10.11.1   
    18     Pop tag     10.10.12.0/24     0          Fa0/0      10.10.11.1    
    20     Pop tag     1.1.1.1/32        0          Fa0/0      10.10.11.1   
    21     19          2.2.2.2/32        0          Fa0/0      10.10.11.1

    PE2

    router bgp 65300
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     neighbor 11.11.11.11 remote-as 65300
     neighbor 11.11.11.11 update-source Loopback0
     neighbor 11.11.11.11 timers 1 4
     !
     address-family vpnv4
      neighbor 11.11.11.11 activate
      neighbor 11.11.11.11 send-community extended
     exit-address-family
    !
    !
    PE2#show bgp vpnv4 unicast all summary | i 65300
    BGP router identifier 22.22.22.22, local AS number 65300
    11.11.11.11     4 65300    7518    7516       19    0    0 00:06:33        1
    !
    !
    PE2#show mpls forwarding-table 
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
    tag    tag or VC   or Tunnel Id      switched   interface              
    16     17          11.11.11.11/32    0          Fa0/0      10.10.22.1   
    17     Pop tag     10.10.12.0/24     0          Fa0/0      10.10.22.1   
    18     18          10.10.11.0/24     0          Fa0/0      10.10.22.1                                
    20     19          1.1.1.1/32        0          Fa0/0      10.10.22.1   
    21     Pop tag     2.2.2.2/32        0          Fa0/0      10.10.22.1

    At this point we have a functional IPv4 MPLS. Now, let’s use MPLS to transport IPv6 networks. First, on the PE routers we have to enable IPv6 routing and IPv6 CEF:

    ipv6 unicast-routing
    ipv6 cef

    Next, the Lo200 interfaces are configured:

    PE1#show ipv6 int lo200
    Loopback200 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::C002:15FF:FE10:0 
      No Virtual link-local address(es):
      Global unicast address(es):
        2001::1, subnet is 2001::1/128 
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF00:1
        FF02::1:FF10:0
      MTU is 1514 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachables are sent
      ND DAD is not supported
      ND reachable time is 30000 milliseconds
      Hosts use stateless autoconfig for addresses.
    PE2#sh ipv6 int lo200
    Loopback200 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::C003:15FF:FE10:0 
      No Virtual link-local address(es):
      Global unicast address(es):
        2001::2, subnet is 2001::2/128 
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF00:2
        FF02::1:FF10:0
      MTU is 1514 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachables are sent
      ND DAD is not supported
      ND reachable time is 30000 milliseconds
      Hosts use stateless autoconfig for addresses.

    Now let’s make the magic happen and configure the PE routers so that the IPv6 networks are reachable. We will do this using the 6PE method. This solution requires the Provider Edge routers (PE) to be IPv6 capable, and it lets IPv6 sites communicate with each other over an MPLS IPv4 core network using MPLS label switched paths (LSPs). To be clear, the Provider routers (P) inside the MPLS core have no idea about any IPv6 addressing or routing.

    The 6PE routers are configured as dual-stack (IPv4 and IPv6) and use IPv4-mapped IPv6 addresses (::FFFF:a.b.c.d) as next hops when exchanging IPv6 prefix reachability. 6PE uses multiprotocol internal BGP (MP-iBGP) to distribute the IPv6 routes over the MPLS IPv4 core network and attaches an MPLS label to each route. At the ingress PE an IPv6 packet therefore gets a two-label stack: the outer label is the IGP/LDP label towards the egress PE’s IPv4 loopback, the inner one is the BGP label advertised with the IPv6 prefix.

    Let’s enable this. The BGP configuration looks like this:

    PE1#
    router bgp 65300
     !
     address-family ipv6 
      neighbor 22.22.22.22 activate 
      neighbor 22.22.22.22 send-label 
      network 2001::1/128 
      no synchronization 
     exit-address-family
    PE2#
    router bgp 65300
     !
     address-family ipv6
      neighbor 11.11.11.11 activate
      neighbor 11.11.11.11 send-label
      network 2001::2/128
      no synchronization
     exit-address-family

    I enabled the BGP neighbour under the IPv6 address family using the IPv4 addresses. The IPv4 addresses are already known in the MPLS core through the IPv4 IGP (OSPF). Very important here is the send-label option, as it enables binding and advertisement of labels when advertising IPv6 prefixes in BGP (without it the prefixes may still be exchanged, but they carry no label and the P routers have no way to forward the IPv6 traffic).

    Let’s check on the PE routers whether the IPv6 prefixes are received properly:

    PE1#show bgp ipv6 unicast 2001::2/128
    BGP routing table entry for 2001::2/128, version 16
    Paths: (1 available, best #1, table Global-IPv6-Table)
      Not advertised to any peer
      Local
        ::FFFF:22.22.22.22 (metric 31) from 22.22.22.22 (22.22.22.22)
          Origin IGP, metric 0, localpref 100, valid, internal, best
          mpls labels in/out nolabel/22
    !
    !
    PE1#show ipv6 route 2001::2/128 | b 2001::2
    B   2001::2/128 [200/0]
         via ::FFFF:22.22.22.22, IPv6-mpls
    PE2#show bgp ipv6 unicast 2001::1/128
    BGP routing table entry for 2001::1/128, version 14
    Paths: (1 available, best #1, table Global-IPv6-Table)
      Not advertised to any peer
      Local
        ::FFFF:11.11.11.11 (metric 31) from 11.11.11.11 (11.11.11.11)
          Origin IGP, metric 0, localpref 100, valid, internal, best
          mpls labels in/out nolabel/23
    !
    !
    PE2#show ipv6 route 2001::1/128 | b 2001
    B   2001::1/128 [200/0]
         via ::FFFF:11.11.11.11, IPv6-mpls
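
The two outputs above contain everything the ingress PE needs to forward an IPv6 packet: a BGP label (22 on PE1) and an IPv4-mapped next hop whose embedded address must be resolved in the IPv4 LFIB. The following Python model is an added example (not IOS code and not from the original post) fed with PE1's tables from the exhibits: it extracts 22.22.22.22 from ::FFFF:22.22.22.22, looks it up in the LFIB and assembles the label stack, returning nothing when the remote PE has no labelled path (the case in which 6PE fails even though plain IP reachability exists) and a single-label stack when the remote PE is a penultimate-hop-popping neighbour. The extra tables in the test cases are constructed.

```python
"""How a 6PE ingress PE builds the label stack for an IPv6 packet: the BGP route's
next hop is an IPv4-mapped IPv6 address (::FFFF:<remote PE loopback>) with a BGP
label; the PE resolves the embedded IPv4 address in its IPv4 LFIB for the LDP label
towards that loopback and pushes both.  Model only, fed with the PE1 exhibits above."""
import ipaddress

# PE1's 'show bgp ipv6 unicast 2001::2/128', reduced to what forwarding needs
PE1_BGP_IPV6 = {"2001::2/128": {"next_hop": "::FFFF:22.22.22.22", "label": 22}}

# PE1's 'show mpls forwarding-table'; None stands for 'Pop tag' (penultimate hop)
PE1_LFIB = {
    "22.22.22.22/32": {"label": 16, "interface": "Fa0/0", "next_hop": "10.10.11.1"},
    "10.10.22.0/24": {"label": 18, "interface": "Fa0/0", "next_hop": "10.10.11.1"},
    "10.10.12.0/24": {"label": None, "interface": "Fa0/0", "next_hop": "10.10.11.1"},
    "1.1.1.1/32": {"label": None, "interface": "Fa0/0", "next_hop": "10.10.11.1"},
    "2.2.2.2/32": {"label": 19, "interface": "Fa0/0", "next_hop": "10.10.11.1"},
}


def mapped_ipv4(next_hop):
    """Return the a.b.c.d inside ::FFFF:a.b.c.d, or raise if the next hop is not IPv4-mapped."""
    v4 = ipaddress.IPv6Address(next_hop).ipv4_mapped
    if v4 is None:
        raise ValueError(f"{next_hop} is not an IPv4-mapped IPv6 address")
    return v4


def longest_match(table, addr):
    """Plain longest-prefix lookup over a {prefix: entry} table; None when nothing matches."""
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def forward_ipv6(dst, bgp_table=PE1_BGP_IPV6, lfib=PE1_LFIB):
    """Return (label stack top-first, egress interface, IPv4 next hop) for an IPv6 destination,
    or None when the prefix is unknown or there is no LSP to the remote PE."""
    hit = longest_match(bgp_table, ipaddress.IPv6Address(dst))
    if hit is None:
        return None
    route = hit[1]
    lsp = longest_match(lfib, mapped_ipv4(route["next_hop"]))
    if lsp is None:
        return None   # 6PE needs a labelled path to the remote PE loopback; IP reachability alone is not enough
    igp = lsp[1]
    stack = [route["label"]] if igp["label"] is None else [igp["label"], route["label"]]
    return stack, igp["interface"], igp["next_hop"]


if __name__ == "__main__":
    print(forward_ipv6("2001::2"))    # ([16, 22], 'Fa0/0', '10.10.11.1')
    print(forward_ipv6("2001::99"))   # None
```

The stack `[16, 22]` is exactly what PE1's two tables say: 16 is the outgoing label for 22.22.22.22/32 in the LFIB and 22 is the `mpls labels in/out nolabel/22` value from the BGP entry; P routers only ever look at the top label.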

    And the last test:

    PE2#ping ipv6 2001::1 source 2001::2
     
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
    Packet sent with a source address of 2001::2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/24 ms

    If you have questions or there is something which is not clear please let me know by using the Comments section below.


    MSFC, PFC and DFC on Cisco 6500 series

    If you are in the routing and switching industry, it’s almost impossible not to hear terms like MSFC, PFC and DFC in relation to the Cisco Catalyst 6500 series chassis, supervisors and modules. If you haven’t yet, you’re probably not working with large enterprise environments yet.

    Even if I see an increasing use of Nexus switches, the C65k still plays, and will play, an important role in the next few years. I know there will be voices out there claiming that the 6500 series is almost EoL. Nevertheless, these rumors were around 4-5 years ago as well. My point is that you should know something about this platform, and MSFC, PFC and DFC play an important role in it.

    Anyway, what are these acronyms?

    MSFC (Multilayer Switch Feature Card)

    The Multilayer Switch Feature Card is the Layer 3 switching engine that sits on the Catalyst Supervisor as a daughter card. The MSFC is an integral part of the Supervisor Engine, providing high performance, multilayer switching and routing intelligence.

    PFC (Policy Feature Card)

    The PFC provides the necessary ASICs to perform hardware-based Layer 3 switching, quality of service (QoS) classification, and access control list (ACL) filtering.

    DFC (Distributed Feature Card)

    The Distributed Feature Card (DFC) allows fabric-enabled line cards to make L3 forwarding decisions locally, without requiring the L3 switching engine located on the Supervisor PFC. The DFC consists of the same components as the PFC located on the Supervisor module; however, it does not contain the MSFC routing engine.

    This is the basic explanation for those three words, but it does not say too much, does it? For more details please see the article by Sunil Khanna on Understanding MSFC, PFC and DFC roles in Catalyst 6500 Series Switch. It’s very short and comprehensive and gives you a very good starting point to understand what each component does inside a C6500 series.