Category Archives: Technology

vCSA Web Management Network error

A few days ago I installed two additional NICs in the server that hosts the virtual machine for the vCenter Server Appliance (vCSA).

After installing the NICs, the vCSA management web interface showed a strange error (see the images below).

Safari:

vCenter Server Appliance

Firefox:

vCenter Server Appliance

I added both screenshots to show that the error is nearly identical in both browsers, so it is not browser related.

Next I went online and tried to find a way to fix this issue. Among other things I also updated the vCSA, but unfortunately nothing helped.

Finally, after a lot of research, I found that the trouble was caused not by VMware's code but by the SUSE Linux OS on which the vCSA is built: the new NICs have to be configured manually in SUSE:

vi /etc/sysconfig/networking/devices/ifcfg-eth2

Add the following lines:

DEVICE=eth2
BOOTPROTO='static'
STARTMODE='auto'
TYPE=Ethernet
USERCONTROL='no'
IPADDR='10.0.0.35'
NETMASK='255.255.255.0'
BROADCAST='10.0.0.255'

Then add a symbolic link in the right place:

ln -s /etc/sysconfig/networking/devices/ifcfg-eth2 /etc/sysconfig/network/ifcfg-eth2

You need one such file, plus the symbolic link, for each of your NICs, adapted to the device name and addresses of each one (eth1, eth2…).
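To avoid typing the same file by hand for every NIC (and mistyping a netmask or broadcast address in the process), here is an added example that renders the ifcfg file shown above and creates the symbolic link. It is not from the original post and not VMware's or SUSE's tooling; it assumes only the ifcfg keys and the two directories the post uses, and it refuses to write a file whose IPADDR, NETMASK and BROADCAST disagree with each other.

```python
"""Render the SUSE ifcfg file for an extra NIC and create the symlink.

Added example; it is not from the original post and not VMware's or SUSE's
tooling. Assumed: the ifcfg keys and the two directories the post uses. The
address check catches the kind of typo (wrong NETMASK or BROADCAST) that
leaves an appliance half reachable while looking configured.
"""
import ipaddress
import os

DEVICES_DIR = "/etc/sysconfig/networking/devices"   # where the post creates the file
NETWORK_DIR = "/etc/sysconfig/network"              # where the symlink must live


def check_address(ipaddr, netmask, broadcast=None):
    """Return a list of problems with the address triple; empty means consistent."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}")
    except ValueError as exc:
        return [f"invalid address or netmask: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ipaddr} is the network or broadcast address of {net}")
    if broadcast is not None and broadcast != str(net.broadcast_address):
        problems.append(f"BROADCAST {broadcast} does not match {net} (expected {net.broadcast_address})")
    return problems


def render_ifcfg(device, ipaddr, netmask, broadcast=None):
    """Return the ifcfg text for one NIC, in the layout the post shows."""
    problems = check_address(ipaddr, netmask, broadcast)
    if problems:
        raise ValueError("; ".join(problems))
    if broadcast is None:   # derive BROADCAST instead of typing it by hand
        broadcast = str(ipaddress.IPv4Interface(f"{ipaddr}/{netmask}").network.broadcast_address)
    return "\n".join([
        f"DEVICE={device}",
        "BOOTPROTO='static'",
        "STARTMODE='auto'",
        "TYPE=Ethernet",
        "USERCONTROL='no'",
        f"IPADDR='{ipaddr}'",
        f"NETMASK='{netmask}'",
        f"BROADCAST='{broadcast}'",
    ]) + "\n"


def install_ifcfg(device, ipaddr, netmask, devices_dir=DEVICES_DIR, network_dir=NETWORK_DIR):
    """Write ifcfg-<device> under devices_dir and symlink it from network_dir.

    The directories are parameters so this can be exercised in a scratch
    directory; on the appliance itself it needs root and the real paths.
    Returns (file_path, link_path).
    """
    path = os.path.join(devices_dir, f"ifcfg-{device}")
    link = os.path.join(network_dir, f"ifcfg-{device}")
    os.makedirs(devices_dir, exist_ok=True)
    os.makedirs(network_dir, exist_ok=True)
    with open(path, "w") as fh:
        fh.write(render_ifcfg(device, ipaddr, netmask))
    if os.path.lexists(link):
        os.remove(link)
    os.symlink(path, link)
    return path, link


if __name__ == "__main__":
    # Constructed sample: the post's eth2 plus a hypothetical eth1 on the same subnet.
    for dev, ip in (("eth1", "10.0.0.34"), ("eth2", "10.0.0.35")):
        print(render_ifcfg(dev, ip, "255.255.255.0"))
```

Run it as root on the appliance with the real paths, or point `install_ifcfg` at a scratch directory first to see exactly what would be written and linked.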

It looks better now:

vCenter Server Appliance

There may be an easier way to fix this problem, but for me, the above solution worked just fine. If you encounter this error and fix it in another way, please feel free to let me know.

IPv6 transport over IPv4 MPLS

Cisco: IPv6 over IPv4 MPLS (6PE)

Let's assume you have an IPv4 core backbone on which you have enabled MPLS. Your customers are connected to your PE routers and need IPv6 reachability between their sites. To make things clearer, have a look at the following network topology:
IPv6 transport over IPv4 MPLS

As you can see in the above image, the customers have the IPv6 addresses 2001::1/128 and 2001::2/128. Actually, in this topology "my customers" are two loopback interfaces (Lo200) configured on the PE routers, to keep the number of routers to a minimum.

We have a typical MPLS (LDP) construction with the following characteristics:
- OSPF is used for IGP
- each router has a L0 interface advertised into IGP
- L0 of each router is configured as MPLS LDP router-id
- PE routers have an additional L100 interface advertised into IGP
- iBGP on the PE routers is configured using L100 interface as neighbour peer points

Below is some output of the iBGP and MPLS configuration:

PE1

router bgp 65300
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 22.22.22.22 remote-as 65300
 neighbor 22.22.22.22 update-source Loopback0
 neighbor 22.22.22.22 timers 1 4
 !
 address-family vpnv4
  neighbor 22.22.22.22 activate
  neighbor 22.22.22.22 send-community extended
 exit-address-family
!
!
PE1#sh bgp vpnv4 unicast all sum | i 65300
BGP router identifier 11.11.11.11, local AS number 65300
22.22.22.22     4 65300    7374    7376       19    0    0 00:04:11        1
!
!
PE1#show mpls forwarding-table 
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
16     16          22.22.22.22/32    0          Fa0/0      10.10.11.1   
17     18          10.10.22.0/24     0          Fa0/0      10.10.11.1   
18     Pop tag     10.10.12.0/24     0          Fa0/0      10.10.11.1    
20     Pop tag     1.1.1.1/32        0          Fa0/0      10.10.11.1   
21     19          2.2.2.2/32        0          Fa0/0      10.10.11.1

PE2

router bgp 65300
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 11.11.11.11 remote-as 65300
 neighbor 11.11.11.11 update-source Loopback0
 neighbor 11.11.11.11 timers 1 4
 !
 address-family vpnv4
  neighbor 11.11.11.11 activate
  neighbor 11.11.11.11 send-community extended
 exit-address-family
!
!
PE2#show bgp vpnv4 unicast all summary | i 65300
BGP router identifier 22.22.22.22, local AS number 65300
11.11.11.11     4 65300    7518    7516       19    0    0 00:06:33        1
!
!
PE2#show mpls forwarding-table 
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
16     17          11.11.11.11/32    0          Fa0/0      10.10.22.1   
17     Pop tag     10.10.12.0/24     0          Fa0/0      10.10.22.1   
18     18          10.10.11.0/24     0          Fa0/0      10.10.22.1                                
20     19          1.1.1.1/32        0          Fa0/0      10.10.22.1   
21     Pop tag     2.2.2.2/32        0          Fa0/0      10.10.22.1

At this point we have a functional IPv4 MPLS core. Now let's use it to transport IPv6 networks. First, on the PE routers we have to enable IPv6 routing and IPv6 CEF:

ipv6 unicast-routing
ipv6 cef

Next, the L200 interfaces are configured:

PE1#show ipv6 int lo200
Loopback200 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C002:15FF:FE10:0 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::1, subnet is 2001::1/128 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF10:0
  MTU is 1514 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is not supported
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.
PE2#sh ipv6 int lo200
Loopback200 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C003:15FF:FE10:0 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::2, subnet is 2001::2/128 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF10:0
  MTU is 1514 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is not supported
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.

Now let's make the magic happen and configure the PE routers so that the IPv6 networks are reachable, using the 6PE method. 6PE requires the provider edge routers (PE) to be IPv6 capable and lets IPv6 sites communicate with each other over an MPLS IPv4 core using MPLS label switched paths (LSPs). To be clear, the provider routers (P) inside the MPLS core have no idea about any IPv6 addressing or routing.

The 6PE routers are configured as dual-stack (IPv4 and IPv6) and use IPv4-mapped IPv6 addresses to exchange IPv6 prefix reachability. 6PE uses multiprotocol internal BGP (MP-iBGP) to distribute IPv6 routes over the MPLS IPv4 core and to attach an MPLS label to each route.

Let’s enable this. The BGP configuration looks like this:

PE1#
router bgp 65300
 !
 address-family ipv6 
  neighbor 22.22.22.22 activate 
  neighbor 22.22.22.22 send-label 
  network 2001::1/128 
  no synchronization 
 exit-address-family
PE2#
router bgp 65300
 !
 address-family ipv6
  neighbor 11.11.11.11 activate
  neighbor 11.11.11.11 send-label
  network 2001::2/128
  no synchronization
 exit-address-family

I enabled the BGP neighbour under the IPv6 address family using the IPv4 addresses, which are already known in the MPLS core through the IPv4 IGP (OSPF). Very important here is the send-label option: it enables the binding and advertisement of aggregate labels when IPv6 prefixes are advertised in BGP.

Let's check on the PE routers that the IPv6 prefixes are received properly:

PE1#show bgp ipv6 unicast 2001::2/128
BGP routing table entry for 2001::2/128, version 16
Paths: (1 available, best #1, table Global-IPv6-Table)
  Not advertised to any peer
  Local
    ::FFFF:22.22.22.22 (metric 31) from 22.22.22.22 (22.22.22.22)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      mpls labels in/out nolabel/22
!
!
PE1#show ipv6 route 2001::2/128 | b 2001::2
B   2001::2/128 [200/0]
     via ::FFFF:22.22.22.22, IPv6-mpls
PE2#show bgp ipv6 unicast 2001::1/128
BGP routing table entry for 2001::1/128, version 14
Paths: (1 available, best #1, table Global-IPv6-Table)
  Not advertised to any peer
  Local
    ::FFFF:11.11.11.11 (metric 31) from 11.11.11.11 (11.11.11.11)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      mpls labels in/out nolabel/23
!
!
PE2#show ipv6 route 2001::1/128 | b 2001
B   2001::1/128 [200/0]
     via ::FFFF:11.11.11.11, IPv6-mpls
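The two outputs above contain everything a PE needs to forward the IPv6 packet, and reading them together shows why the P routers never see IPv6. The following is an added example, not from the original post and not Cisco code: it parses PE1's `show bgp ipv6 unicast 2001::2/128` entry and its `show mpls forwarding-table` (both copied from the post as constructed input), unwraps the IPv4-mapped next hop `::FFFF:22.22.22.22` back to the PE2 loopback, and resolves the label stack: the outer transport label is the one LDP bound to 22.22.22.22/32, the inner label is the one BGP carried with the prefix. It also handles the case where the remote PE is directly adjacent ("Pop tag"), in which only the inner label is pushed.

```python
"""Resolve a 6PE route to the label stack the PE actually pushes.

Added example, not part of the original post and not Cisco code. Input is the
two outputs shown above; the sample texts below are constructed copies of them.
"""
import ipaddress
import re

# Constructed: PE1's 'show bgp ipv6 unicast 2001::2/128' from the post.
BGP_OUTPUT = """\
BGP routing table entry for 2001::2/128, version 16
Paths: (1 available, best #1, table Global-IPv6-Table)
  Not advertised to any peer
  Local
    ::FFFF:22.22.22.22 (metric 31) from 22.22.22.22 (22.22.22.22)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      mpls labels in/out nolabel/22
"""

# Constructed: PE1's 'show mpls forwarding-table' from the post.
LFIB_OUTPUT = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     16          22.22.22.22/32    0          Fa0/0      10.10.11.1
17     18          10.10.22.0/24     0          Fa0/0      10.10.11.1
18     Pop tag     10.10.12.0/24     0          Fa0/0      10.10.11.1
20     Pop tag     1.1.1.1/32        0          Fa0/0      10.10.11.1
21     19          2.2.2.2/32        0          Fa0/0      10.10.11.1
"""

NEXT_HOP_RE = re.compile(r"^\s*(::FFFF:\S+) \(metric (\d+)\) from (\S+)", re.I | re.M)
LABEL_RE = re.compile(r"mpls labels in/out (\S+)/(\S+)")
# Local label, outgoing label (number, 'Pop tag' or 'Untagged'), prefix, bytes, interface, next hop.
LFIB_RE = re.compile(r"^(\d+)\s+(Pop tag|Untagged|\d+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)", re.M)


def mapped_next_hop(ipv4):
    """Return the IPv4-mapped IPv6 address 6PE advertises as next hop for this PE."""
    return ipaddress.IPv6Address(f"::ffff:{ipv4}")


def parse_bgp_entry(text):
    """Extract the mapped next hop, the IPv4 PE address inside it, and the 6PE label."""
    nh = NEXT_HOP_RE.search(text)
    lbl = LABEL_RE.search(text)
    if not nh or not lbl or not lbl.group(2).isdigit():
        raise ValueError("not a labelled 6PE route: no IPv4-mapped next hop or no out label")
    next_hop = ipaddress.IPv6Address(nh.group(1))
    return {
        "next_hop": next_hop,
        "pe_ipv4": next_hop.ipv4_mapped,     # IPv4Address('22.22.22.22')
        "igp_metric": int(nh.group(2)),
        "out_label": int(lbl.group(2)),      # label BGP attached to 2001::2/128
    }


def parse_lfib(text):
    """Return {prefix: (outgoing label or None for pop, interface, next hop)}."""
    table = {}
    for m in LFIB_RE.finditer(text):
        out = int(m.group(2)) if m.group(2).isdigit() else None
        table[ipaddress.ip_network(m.group(3))] = (out, m.group(4), m.group(5))
    return table


def label_stack(bgp_text, lfib_text):
    """Return ([outer, inner] labels, egress interface, IPv4 next hop) for the route."""
    route = parse_bgp_entry(bgp_text)
    lfib = parse_lfib(lfib_text)
    pe_host = ipaddress.ip_network(f"{route['pe_ipv4']}/32")
    if pe_host not in lfib:
        raise LookupError(f"no LDP label for {pe_host}: the 6PE route would be unusable")
    transport, iface, nh = lfib[pe_host]
    # Penultimate hop popping: an adjacent PE gets only the inner 6PE label.
    stack = [route["out_label"]] if transport is None else [transport, route["out_label"]]
    return stack, iface, nh


if __name__ == "__main__":
    print(label_stack(BGP_OUTPUT, LFIB_OUTPUT))   # ([16, 22], 'Fa0/0', '10.10.11.1')
```

The outer label 16 is exactly the entry for 22.22.22.22/32 in PE1's forwarding table, which is why a P router that knows only IPv4 and LDP can carry the packet; the inner label 22 is only interpreted by PE2.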

And the last test:

PE2#ping ipv6 2001::1 source 2001::2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
Packet sent with a source address of 2001::2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/24 ms

If you have questions or there is something which is not clear please let me know by using the Comments section below.


MSFC, PFC and DFC on Cisco 6500 series

If you work in the routing and switching industry, it's almost impossible not to hear words like MSFC, PFC and DFC in relation to the Cisco Catalyst 6500 series: chassis, supervisors and modules. If you haven't yet, you are probably not yet working with large enterprise environments.

Even though I see increasing use of Nexus switches, the C65k still plays, and will keep playing, an important role in the next few years. I know there are voices out there claiming that the 6500 series is almost EoL; nevertheless, the same rumours were around 4-5 years ago. My point is that you should know something about this platform, and MSFC, PFC and DFC play an important role in it.

Anyway, what are these acronyms?

MSFC (Multilayer Switch Feature Card)

The Multilayer Switch Feature Card is the Layer 3 switching engine that sits on the Catalyst Supervisor as a daughter card. The MSFC is an integral part of the Supervisor Engine, providing high-performance multilayer switching and routing intelligence.

PFC (Policy Feature Card)

The PFC provides the necessary ASICs to perform hardware-based Layer 3 switching, quality of service (QoS) classification, and access control list (ACL) filtering.

DFC (Distributed Feature Card)

The Distributed Feature Card (DFC) allows fabric-enabled line cards to make L3 forwarding decisions locally, without requiring the L3 switching engine located on the Supervisor PFC. The DFC consists of the same components as the PFC on the Supervisor module; however, it does not contain the MSFC routing engine.

This is the basic explanation of those three terms, but it doesn't say much, does it? For more details please see Sunil Khanna's article Understanding MSFC, PFC and DFC roles in Catalyst 6500 Series Switch. It's short, comprehensive and gives you a very good starting point for understanding what each component does inside a C6500.


[Solution] Speed / Duplex auto-negotiation fails between Cisco and Tandberg

In the last few weeks I was working closely with a Cisco Telepresence team to identify an issue with poor performance of the video systems. We quickly found the cause to be a failure of speed and duplex auto-negotiation on the connection between the Cisco switch port and the Tandberg endpoint devices.

This was the easy part. We thought it would be fixed in minutes, but after a few days we realised that there was something we did not understand. We changed the settings everywhere to have auto-negotiation on, but we still had problems. For example, with both the Cisco and Tandberg ports set to auto-negotiation, I saw the most uncommon results:
- Cisco 1000Mbps – Tandberg 1000Mbps = negotiation 1000Mbps / Full
- Cisco 1000Mbps – Tandberg 100Mbps = negotiation 1000Mbps / Full on Cisco + 100Mbps / Full on Tandberg
- Cisco 100Mbps – Tandberg 100Mbps = negotiation 100Mbps / Half on Cisco + 100Mbps / Full on Tandberg

These are just a few of the strange results we got. As part of the network team, I turned my attention to searching for IOS bugs, configuration issues and faulty hardware. The Telepresence team did the same on their systems. Nothing worked.

We turned to the TAC engineers. They tried to simulate our problem in a lab environment, but failed: their systems did not have this kind of issue. The Internet, search engines and boards could not help either. I was starting to think that we were somewhere in the Bermuda triangle and the only ones with this kind of problem.

Then the solution came from a Cisco engineer when we least expected it. I quote from his e-mail, in which he gave us some suggestions to try:

Are you aware that Tandberg endpoints running newer versions of software 
need to be rebooted before changes to speed settings take effect? 
This can sometimes cause confusion.

We stopped for a second and asked: "Did we reload any Tandberg device during the troubleshooting sessions?" The answer was "No". After reloading all devices, one by one, everything was working except for a few devices.

We discovered that these Tandberg devices didn't want to auto-negotiate because of the lack of Cat6 cabling. It seems that all 8 wires need to be present and connected. So, if you have a cable that is patched to carry data and telephony, for example, to save some wires, then you may be in trouble.

Why did I add this here? For sure it will bring an ironic smile to some faces, but I like to learn from my mistakes, or from not paying close attention to some small line in the documentation. OK, if I made you laugh, that's fine, but the reason for this article is different: when I searched the Internet for a possible solution, I could not find anywhere a line saying "reload the damn Tandberg device after you modify the speed / duplex settings".


Juniper, first steps after power-on the device

As you know from my previous posts, I’m trying to find time to gain some Juniper knowledge. During this “quest” I will add here some basic things about how to start working with Juniper devices. For now I know only the basics of Juniper configuration, but I hope that soon you’ll find here some more challenging scenarios.

I have a basic topology, which you'll find below. The scenario is already prepared for some tasks that involve integration between Juniper and Cisco environments.

Let's assume that I have powered on the two boxes J1 and J2 and I'm now connected to J1 through a console cable. After the boot sequence I'm left with something like this:

Tue Jun 12 11:46:06 UTC 2012
 
Amnesiac (ttyd0)
 
login:

All platforms running the Junos OS have only the root user configured by default, without any password. Let's enter that username and see what happens:

login: root
Password:
 
--- JUNOS 9.4R2.9 built 2009-03-25 07:50:02 UTC
root@%

What I have in front of me now is actually the shell of the FreeBSD OS on which Junos is based. If you have ever interacted with a Linux based system, you can run the same commands you know from there. For example:

root@% ls
.snap           boot            jail            modules         sbin
COPYRIGHT       config          kernel          opt             staging
altconfig       data            libexec         packages        tmp
altroot         dev             mfs             proc            usr
bin             etc             mnt             root            var
root@% 
root@% 
root@% 
root@% ps u
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root  1153  0.0  0.2  1492   936  v0  Is+  11:46AM   0:00.02 /usr/libexec/getty
root   941  0.0  0.4  2636  2176  d0- S    11:46AM   0:00.14 /usr/sbin/eventd -
root  1264  0.0  0.2  1676  1252  d0  Is   11:50AM   0:00.05 login [pam] (login
root  1265  0.0  0.5  3872  2744  d0  S    11:51AM   0:00.21 -csh (csh)
root  1289  0.0  0.2  1612   996  d0  R+   11:54AM   0:00.01 ps u

OK, you get my point. To get from the FreeBSD shell to the Junos CLI, enter the following:

root@% cli
root>

What you see now is Operational Mode. In this mode the user can run basic and troubleshooting commands (like traceroute, ping…). You can get a list of commands using the ? (question mark):

root> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host

If you want a comparison, Operational Mode is somewhat like privilege level 1 in the Cisco CLI. Still, I have the feeling that Operational Mode offers a wider and more powerful set of commands than Cisco CLI privilege level 1. I may be mistaken.

All platforms running the Junos OS come with a factory-default configuration. All factory-default configurations allow access using the root account without any password. Nevertheless, to activate a configuration you first have to set the root password. Factory-default configurations can vary from one platform family to another, or even between different models within the same platform family.

My default configuration looks like this:

root> show configuration 
version 9.4R2.9;
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}

In this first post my target is to set the hostname of the Juniper devices. To accomplish this, I first need to go into configuration mode:

root> configure 
Entering configuration mode
The configuration has been changed but not committed
 
[edit]
root#

and then set the hostname:

root# set system host-name J1 
 
[edit]

If I look at the prompt, it still shows root#, so it doesn't quite seem to work. This is because I have to commit to activate the configuration:

root# commit 
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
 
[edit]
root#

Well, this didn't work as expected. The most important thing I learned when I started with Juniper is that before I can activate any configuration (commit) I need to set the password for the root user:

root# set system root-authentication plain-text-password              
New password:
Retype new password:
 
[edit]
root#

Let me try to commit one more time, after setting the root password:

root# commit 
commit complete
 
[edit]
root@J1#

You can see that the prompt has changed to root@HOSTNAME# (in my case root@J1#). I will exit Configuration Mode and have another look at my config file:

root@J1> show configuration 
## Last commit: 2012-06-12 12:38:22 UTC by root
version 9.4R2.9;
system {
    host-name J1;
    root-authentication {
        encrypted-password "$1$DKpYj/Nd$TVFTars5T2.oM3y5eyp520"; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
 
root@J1>

The host-name and root password now appear in the active configuration.

That's it for today. Before the next post I will add the basic configuration for J2 and the Cisco device, so I can move on to basic interface configuration and connectivity checks.
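The commit failure above is a good illustration of how Junos ties activation of a configuration to the root password. As an added example (not from the original post and not Juniper code), here is a small parser for the curly-brace configuration format shown in this post, together with a check that reproduces the one mandatory-statement rule the commit error reported: `system` must contain `root-authentication`. The two configurations are constructed from the post's output; the password hash is a placeholder, not a real one.

```python
"""Parse a Junos-style brace configuration and run the commit check the post hits.

Added example; not from the original post and not Juniper code. The parser
only understands the 'key {', 'statement value;' and '}' subset shown above,
plus '## ...' annotations, which it drops.
"""
import re

# Constructed: the factory-default configuration from the post, before any commit.
FACTORY_DEFAULT = """\
version 9.4R2.9;
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
"""

# Constructed: the same box after host-name and root password were set and committed.
# The hash is a placeholder, not a real credential.
AFTER_COMMIT = """\
## Last commit: 2012-06-12 12:38:22 UTC by root
version 9.4R2.9;
system {
    host-name J1;
    root-authentication {
        encrypted-password "$1$EXAMPLE$placeholder-hash-not-real"; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
    }
}
"""

# Mandatory statements per container, taken from the commit error shown in the post.
MANDATORY = {("system",): ["root-authentication"]}


def parse_config(text):
    """Return nested dicts: containers map to dicts, leaf statements to their value."""
    root, stack, node = {}, [], {}
    node = root
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()   # drop '## ...' annotations
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            node = stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            node[key] = value.strip().strip('"') or True
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if stack:
        raise ValueError("unbalanced '{'")
    return root


def commit_check(config):
    """Return the list of commit errors; an empty list means the commit would succeed."""
    errors = []
    for path, required in MANDATORY.items():
        node = config
        for part in path:
            node = node.get(part, {})
        for stmt in required:
            if stmt not in node:
                errors.append(f"'{'/'.join(path)}': Missing mandatory statement: '{stmt}'")
    return errors


def hostname(config):
    """Return the configured host-name, or None while the box is still 'Amnesiac'."""
    return config.get("system", {}).get("host-name")


if __name__ == "__main__":
    for name, text in (("factory default", FACTORY_DEFAULT), ("after commit", AFTER_COMMIT)):
        cfg = parse_config(text)
        print(name, hostname(cfg), commit_check(cfg) or "commit complete")
```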


TCP Slow Start And Wan Optimization Compression

This video looks like a good joke, but to be honest it explains in the simplest way how TCP Slow Start and WAN Optimization work. If you have problems explaining network concepts, then for sure when somebody asks you about TCP Slow Start and WAN Optimization you'll remember the two guys running with oranges.

Combine the video below with some technical explanation and you can put together a nice presentation:

Virtual WAN Optimization – Blue Coat presentation

Chris Webber from Blue Coat Systems describes the concept of virtualizing WAN Optimization and WAN Acceleration systems. Of course, since Blue Coat Systems is involved, you can consider this video presentation a bit of marketing, but if you think about it, all companies out there do the same. It's somehow normal.

Skipping the marketing part, this is a good explanation of virtualized WAN Optimization, and it gives you an overall view of what it means and how it can be implemented. Information is always welcome, no matter the source, so I would recommend you spend 10 minutes and watch this video.


Brought to you by NetworkWorld.tv and FirstDigest

The difference between 3G and 4G

An excellent explanation by Craig Mathias of what 3G and 4G are, download speeds and the different generations of wireless technology.


Brought to you by NetworkWorld.tv and FirstDigest

Manage VirtualBox over Web Interface

A while ago I wrote an article about how to integrate GNS3 with VirtualBox, in which I showed how you can easily create a guest machine with its own operating system and attach it to GNS3. Everything works fine when you have the system in front of you and have a graphical interface, but what if you have a powerful server somewhere that you want to use for virtualization with VirtualBox? Of course, you can use the CLI to manage VirtualBox, create new machines, tune settings and so on, but most likely you would prefer something graphical and the point-and-click method.

One of the differences between VMware and VirtualBox is that VMware includes a web interface for remote management, while VirtualBox is, in fact, a desktop application. This sometimes kept me using VMware instead of VirtualBox on remote machines. As you have probably observed, I'm not a big fan of VMware, because its integration with Ubuntu (my favourite Linux flavour) does not always run as expected. For example, after a kernel upgrade you have to patch the source again to obtain working VMware modules.

OK, enough talking. The news is that now you can easily manage VirtualBox over a web interface thanks to phpVirtualBox. What is phpVirtualBox? According to its developers, phpVirtualBox "is an open source, AJAX implementation of the VirtualBox user interface written in PHP with a modern web interface that allows you to access and control remote VirtualBox instances."

The phpVirtualBox interface, opened in a browser, looks something like this:

Almost like the VirtualBox application on your desktop.

Installation is very simple; you can do it by following the steps below (for Ubuntu 9.10).

Like any web interface, phpVirtualBox requires some software to be installed on your machine: in this case Apache + PHP >= 5.2.0. I assume you have them already installed; if not, please check this tutorial.

1. Add to your /etc/apt/sources.list

deb http://download.virtualbox.org/virtualbox/debian karmic non-free

2. Update your repository

apt-get update

3. Install VirtualBox

apt-get install virtualbox-3.2

If you have problems finding it, search for virtualbox:

apt-cache search virtualbox

4. phpVirtualBox requires you to start vboxwebsrv (a program distributed with VirtualBox).

Optional step: create a user that will run vboxwebsrv, or run it with your existing user.

Then start vboxwebsrv:

su vbox -c '/usr/bin/vboxwebsrv -b --logfile /home/vbox/vb.log --host 1.1.1.1 --port 18083'

vbox – the user I created to run vboxwebsrv
-b – run in the background
--logfile – where you want to keep your log file
--host – the IP address the process listens on; useful if you keep VirtualBox on one machine and the phpVirtualBox web interface on another; if you don't specify this parameter it defaults to 127.0.0.1, and then the web interface works only if the phpVirtualBox script is on the same machine as the VirtualBox software
--port – the port this daemon listens on

5. Download phpVirtualBox

wget http://phpvirtualbox.googlecode.com/files/phpvirtualbox-0.5.zip

This is the latest release right now, but in the future it may be deprecated, so please check the phpVirtualBox downloads for the latest version.

6. Unpack the phpVirtualBox archive in a directory that is accessible from the web and edit the config.php file:

unzip phpvirtualbox-0.5.zip

cd phpvirtualbox-0.5

nano config.php

You’ll need to edit the following mandatory parameters:

/* Username / Password for system user that runs VirtualBox */
var $username = 'vbox';
var $password = 'your-password';
var $location = 'http://1.1.1.1:18083/';

Now you should be able to access phpVirtualBox at your customized URL in a web browser.

Below are some screenshots, just to give you an idea about this excellent piece of software. The rest I'll let you discover on your own.
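Two of the settings above deserve a second look before the setup is left running: `$location` must point at the address and port vboxwebsrv actually listens on, and when `--host` is anything other than 127.0.0.1 the SOAP endpoint that receives `$username`/`$password` is reachable from the network over plain HTTP. The following is an added example, not from the original post and not phpVirtualBox's own code; it parses the config.php fragment and the vboxwebsrv command line from step 4 (both constructed below from the post) and reports those mismatches, using the defaults the post states (127.0.0.1 and port 18083).

```python
"""Sanity-check the phpVirtualBox <-> vboxwebsrv wiring before exposing it.

Added example, not from the original post and not phpVirtualBox's own code.
It reads the three config.php settings the post names and the vboxwebsrv
command line, and reports: $location pointing where vboxwebsrv is not
listening, the endpoint reachable from the network over plain HTTP, and the
placeholder password left in place.
"""
import ipaddress
import re
import shlex
from urllib.parse import urlparse

# Constructed sample: the config.php fragment from the post.
CONFIG_PHP = """\
/* Username / Password for system user that runs VirtualBox */
var $username = 'vbox';
var $password = 'your-password';
var $location = 'http://1.1.1.1:18083/';
"""

# Constructed sample: the vboxwebsrv command from the post, without the su wrapper.
VBOXWEBSRV_CMD = "/usr/bin/vboxwebsrv -b --logfile /home/vbox/vb.log --host 1.1.1.1 --port 18083"

VAR_RE = re.compile(r"var\s+\$(\w+)\s*=\s*'([^']*)'\s*;")


def parse_config_php(text):
    """Return the var $name = '...' settings of config.php as a dict."""
    return dict(VAR_RE.findall(text))


def parse_vboxwebsrv(cmdline):
    """Return (host, port) vboxwebsrv listens on; the defaults are the ones the post states."""
    argv = shlex.split(cmdline)
    host, port = "127.0.0.1", 18083
    for i, arg in enumerate(argv[:-1]):
        if arg == "--host":
            host = argv[i + 1]
        elif arg == "--port":
            port = int(argv[i + 1])
    return host, port


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def review(config_text, cmdline):
    """Return 'CODE: detail' findings; an empty list means local-only and consistent."""
    cfg = parse_config_php(config_text)
    host, port = parse_vboxwebsrv(cmdline)
    url = urlparse(cfg.get("location", ""))
    url_port = url.port or (443 if url.scheme == "https" else 80)
    findings = []
    reachable = (url.hostname is not None and url_port == port and
                 (host == "0.0.0.0" or url.hostname == host or
                  (is_loopback(host) and is_loopback(url.hostname))))
    if not reachable:
        findings.append(f"LOCATION_MISMATCH: $location {cfg.get('location')!r} "
                        f"but vboxwebsrv listens on {host}:{port}")
    if not is_loopback(host) and url.scheme == "http":
        findings.append(f"EXPOSED_CLEARTEXT: vboxwebsrv on {host}:{port} is reachable from "
                        "the network and the logon credentials travel in plain HTTP; keep it "
                        "on 127.0.0.1 unless the web server is a different host, and then "
                        "restrict the port to that host")
    if cfg.get("password") in ("", "your-password"):
        findings.append("PLACEHOLDER_PASSWORD: set the real password of the vbox user in config.php")
    return findings


if __name__ == "__main__":
    for finding in review(CONFIG_PHP, VBOXWEBSRV_CMD) or ["OK"]:
        print(finding)
```

Run against the post's own values it reports the exposed listener and the placeholder password; with `--host` left at its default and `$location` set to `http://127.0.0.1:18083/` it reports nothing.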

Add new machine. Easy as that:

Fine tune machine settings:

Import VirtualBox appliance:

XenServer

New XenServer (Midnight Ride beta) is here!

Citrix launched today the new XenServer with the code name Midnight Ride. This version is still a beta one, and Citrix decided to make it available for download and testing through its Beta Program. As a participant in the Beta Program, you'll play a critical role in helping the XenServer product team develop and deliver the next edition of the product and provide valuable insight for enhancements in future releases.
This new version of XenServer—the industry’s only fully capable, free virtual infrastructure solution—and Essentials for XenServer boasts many significant enhancements, including:

  • Granular role-based access controls within XenCenter
  • Dynamic memory control and overcommit
  • Enhanced snapshots, including full system state and one-click revert
  • Administrative logging and audit reports
  • Automation for workload balancing
  • Host power management
  • StorageLink site recovery for business continuity
  • Enhanced CPU compatibility for XenMotion

You can download the Midnight Ride beta now, or if you feel that you need to know more about Citrix's newest product, please register for the on-demand webcast.

You can also evaluate the advanced management capabilities in Essentials for XenServer by downloading the Evaluation Virtual Appliance, which enables Dynamic Workload Balancing, Provisioning Services and StorageLink in a single, pre-configured environment and lets you use all the added features included in Essentials for XenServer, Enterprise Edition.

Cisco: Frame-Relay back-to-back routers in simple steps

In one of my earlier posts I presented how to connect 3 routers in a hub-and-spoke Frame-Relay topology. Now I want to show you how to connect 2 routers back to back in a Frame-Relay topology. With a back-to-back connection and without any FR switch, things are a little different than in the hub-and-spoke topology.

First let’s have a look to the topology:


We have 2 routers connected back to back. The interface status on both routers:

sh run int s0/0
!
interface Serial0/0
no ip address
shutdown

First, let's set the encapsulation to Frame-Relay and bring the interfaces up:

conf t
interface S0/0
encapsulation frame-relay
no shutdown

Everything should be fine now, but it's not: if you check your interfaces you will see that they are in up/down status on both routers:

sh int s0/0
Serial0/0 is up, line protocol is down

Even if this messes a little with our brains, the up/down status is normal at this stage. Why? Remember that we do not have a FR switch, so both interfaces consider themselves the DTE side and LMI is not working. You can check LMI like this:

R1#sh frame-relay lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0             Invalid Prot Disc 0
Invalid dummy Call Ref 0              Invalid Msg Type 0
Invalid Status Message 0              Invalid Lock Shift 0
Invalid Information ID 0              Invalid Report IE Len 0
Invalid Report Request 0              Invalid Keep IE Len 0
Num Status Enq. Sent 6                Num Status msgs Rcvd 0
Num Update Status Rcvd 0              Num Status Timeouts 5
Last Full Status Req 00:00:04         Last Full Status Rcvd never

You will see status enquiries sent on both routers, but nothing received, as there is no FR switch. Under these conditions we have to disable LMI and assign the DLCIs manually. To disable LMI, issue the following command under the Frame-Relay interface:

interface S0/0
no keepalive

Now the interfaces should be in up/up status:

sh int s0/0
Serial0/0 is up, line protocol is up

As everything looks fine at this point, let's start configuring the Frame-Relay back-to-back connections. Obviously, at least for me, when you have a back-to-back connection the first thing that comes to mind is a point-to-point interface. Let's start with this configuration (we will use the black line connection from the diagram, with subnet 100.100.100.0/24). I will show only the configuration on the primary router, but it's the same on the secondary one, just with a different IP address in the 4th octet.

interface S0/0.100 point-to-point
ip address 100.100.100.1 255.255.255.0
frame-relay interface-dlci 100

Remember that DLCIs are only locally significant, so you can define whatever number you want there, but of course use the same DLCI number on both sides. Let's check that everything is fine:

R1#show frame-relay map
Serial0/0.100 (up): point-to-point dlci, dlci 100(0x64,0x1840), broadcast

R1#show frame-relay pvc | i STATUS
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial0/0.100

We can see a point-to-point DLCI in the frame-relay map and a statically defined PVC. If you ping from R1 to R2 and vice versa, it should work.

This was the straightforward solution, but going a little more into detail, in some situations you may be required to use a multipoint Frame-Relay interface. Actually, what is a multipoint interface other than multiple point-to-point interfaces? Let's take the second line (the red one, with subnet 110.110.110.0/24 in the topology) and configure this back-to-back connection using multipoint interfaces:

interface s0/0.110 multipoint
ip address 110.110.110.1 255.255.255.0
frame-relay map ip 110.110.110.2 110 broadcast
frame-relay map ip 110.110.110.1 110

As you see the configuration is different from the point-to-point interface. Actually under multipoint interface you can issue the frame-relay interface-dlci 110 command, but this will not help too much. Remember that we have disable LMI in the first steps because we do not have a FR switch. No FR switch means no automatic L3 to L2 mapping. In other words even if you specify the interface-dlci, the interface being a multipoint will not know where to forward packets. Why this didn’t happen in the point-to-point scenario, you may ask. Well, because there the keyword is interface sx/x point-to-point, so by it’s nature the interface knows that there is only one destination possible, meaning the other end (or point if you want).

In this scenario we had to manually map L3 to L2 with the command frame-relay map. Actually you only need the first frame-relay map, pointing to the other router IP address, but I add the last command just in case you want to ping your own interface.

Now maybe you ask which is the third scenario (blue line). Well, this is not very common in real environments, but you may have to deal with it in special conditions like a lab environment, a Cisco exam and so on. Let’s say that you have a request that you need 3 virtual PVC connections, but only 2 subinterfaces. Now, you already have 2 subinterfaces configured, so how can you achieve the third PVC connection? The answer is that you configure the main interface with the same configuration as in the multipoint subinterface scenario. By its nature a main interface is point-to-multipoint, so in a Frame Relay scenario like this you have to manually map L3 to L2:

interface Serial0/0
ip address 120.120.120.1 255.255.255.0
encapsulation frame-relay
no keepalive
frame-relay map ip 120.120.120.1 120
frame-relay map ip 120.120.120.2 120 broadcast

If you followed this tutorial, at the end you should have reachability over the 3 subnets.

Cisco: How to configure Frame-Relay Hub and Spoke in simple steps

Some days ago, during my preparation for CCIE RS, I had to configure a Frame-Relay Hub and Spoke environment. Since I already did it, I thought it would be good to have it here also; maybe somebody will find it useful. Even if the title, FR hub and spoke, sounds quite complicated, it is not. This post assumes that you are somewhat familiar with the Frame-Relay concept and you know the basic stuff. If you need to refresh your knowledge there is a good topic about Frame-Relay on the Ciscopress page.

So, what is this FR hub and spoke anyway? A basic example is with 3 devices (can be more) in which one of them connects the other ones in a central point. This is the opposite of a (full or circular) mesh, in which every router is connected with at least another 2 devices. For things to be more clear, please have a look at this topology file.

As you can see in the topology provided, R1 is connecting the other 2 routers in a central point. The R1 device is the Hub and R2, R3 are the Spokes. As explained in the topology, the green lines represent the PVCs and the red ones the physical connections. The communication between R2 and R3 will be done only through R1, since there is no PVC that connects these 2 devices. You may be tempted to say that the communication is direct, because the red lines have a common point in the FR switch, but things are not like this. This is not Ethernet, so for L3 to work you need a map from L2 to L3. Since there is no PVC defined in the FR switch for R2 to R3 communication, everything is passing through R1.

Configuring Frame-Relay Hub and Spoke is not very difficult. The hardest part is the FR switch, but luckily you don’t have to deal with it, as this is usually provider equipment, and they will do the L2 to L3 frame-relay routing, providing you with the needed DLCI information. From this point you only have to be careful with the details (IP, DLCI, interface) when configuring frame-relay map on your devices.

In a future post I will extend this topic and show how you can configure OSPF in a Frame-Relay Hub and Spoke environment. For now please check this topic presented in the tutorial below:

Frame-Relay Hub and Spoke

If the Flash movie is not available for you, then please check this text file, which contains the configuration.

Cisco: Quick IOS check in 4 simple steps

This post is rather for beginners in Cisco’s world than for advanced professionals, but I still encounter situations where an IOS image was corrupted even though it was uploaded to the device by a network guru. Why? It’s quite simple! Because you can be a master of Cisco networking, but sometimes you still cannot control the device behavior or the transport of the packets to the destination.

The problem is that if a corrupted IOS image is uploaded to a Cisco device and that device is reloaded, you can run into a situation where it will not boot up anymore. When the device is in front of you, or on your desk, this is not a problem, because you can troubleshoot, find the issue (e.g. wrong or corrupted IOS image) and solve it! But what if your device is 5000 km away, it is 3:00 AM and you have no professional help at that location?! That’s one ugly situation, and the reason why I always insist on verifying the IOS image after it is uploaded and ready to go into production.

For those of you who deal with this stuff every day, this post may seem like a joke, but I bet there are IT people out there who never check this, or who are beginners and don’t know how to do it. It’s simpler than you may think, takes about 4-5 minutes for a full check, but can spare you bigger problems in the future.

So, what are the 4 steps:
1. Check what Cisco device you have (to know what IOS image you need)
2. Check what IOS image Cisco device has (to know what IOS release to download)
3. Verify the IOS image
4. Check the results of your verification
As simple as it can get.

Please check the tutorial by clicking the image below:

IOS check

For those who cannot see the Flash movie, please read this text file, which consists of the commands you should run to check the IOS image.

Cisco: OSPFv3 point-to-point network configuration

In the previous post I explained some basic stuff about IPv6 and how to configure IPv6 addresses on Cisco interfaces. Following this subject, I want to explain now how you can configure unicast dynamic routing protocols for IPv6 networks. The same as IPv4, the v6 generation of IP addresses supports routing protocols like OSPF, RIP and EIGRP, just that their names have been adapted to the v6 generation, meaning OSPFv3, RIPng and EIGRP for IPv6.

From the routing protocols above I chose OSPFv3 for today, because it is quite easy to understand and, why not, it is one of my preferred routing protocols. OSPFv2 and OSPFv3 share the same key concepts, so if you understand the version for IPv4 you will have no problems understanding the one for IPv6. However, you should understand the most significant differences as well:
– to enable OSPFv3, you have to use interface subcommands, compared with the “network” statement under the “router ospf” process in OSPFv2
– if there are multiple IPv6 addresses configured on an OSPFv3-enabled interface, then OSPFv3 advertises all the related networks
– the OSPFv3 router-id (RID) has to be set in order to enable the routing protocol; this can be set automatically, like in OSPFv2, or manually
– OSPFv3 uses an IPv4 address for the RID; if no IPv4 address is present on the router to be used as RID, then the OSPFv3 process cannot choose its RID
– OSPFv3 does not natively provide authentication like OSPFv2 does; for OSPFv3, the IPv6 structure covers this with its internal support for AH and ESP.
That’s about enough for you to configure a basic OSPFv3 routing protocol. If you are interested in more details about OSPFv3, you can check the OSPFv3 documentation by Jeff Doyle and Jennifer Carroll on NetworkWorld.com.

I will use the same topology as in the previous post. You can check the IPv6 configuration of the routers here. Please click below to see the tutorial:

OSPFv3 p2p network configuration

If for some reason the tutorial above is not available for you, please check this text file, which presents in text mode everything needed to enable an OSPFv3 point-to-point network configuration between 2 Cisco devices.

Cisco: IPv6 basics and configuration how-to

Today I had to deal with IPv6 configuration for my CCIE preparation, and I decided to write a small tutorial about the basic stuff of IPv6. First of all, IPv6 is not more complicated than IPv4, it just looks like it is. Second, and this is my personal opinion, I think that as long as IPv4 is on the market and things like NAT can overcome the problem of IP addresses being exhausted, IPv6 will not be implemented on a large scale. Let’s be honest, I’m more OK in a discussion saying that I had a problem with the IP address 192.168.100.100 than saying 2001:128:1F:633:207:85FF:FE80:71B8 (IPv6).

But what we like and what we have to know as network engineers, that’s a different story. For this reason I thought that some information about IPv6 and how to configure it and test a point-to-point connection on a Cisco device would not hurt anyone.

Some essential points about IPv6 (if you want more, there is a lot of information on the Internet):
-use of 128 bits compared with 32 bits (IPv4)
-IPv6 addresses are represented in hexadecimal rather than decimal
-use of colon-separated fields of 16 bits rather than 8-bit decimal fields separated by dots
An IPv6 address can be written in different formats. Let’s take:
2001:0001:0000:0000:00A1:0CC0:01AB:397A
this can look like:
2001:1:0:0:A1:CC0:1AB:397A – leading zeros in each 16-bit group can be eliminated
2001:0001::00A1:0CC0:01AB:397A – two or more consecutive 16-bit “0000” groups can be written as :: (double colon), only once in the IPv6 address
2001:1::A1:CC0:1AB:397A – the simplest form to write the IPv6 address
A small, but very important hint. Take care of the following common mistake when you are writing IPv6 in short format. Let’s say that we have 2001:0000:0000:0000:00A1:0000:0000:397A and you want to write it in short format with the rule that 2 or more “0000” groups can be written as ::, and you write 2001::A1::397A, which is wrong, because after this nobody and no device will know where there were 2 groups of zeros and where 3. Taking the wrong format, you want to write the long format back, and you can write it as 2001:0000:0000:00A1:0000:0000:0000:397A, and you can obviously see the mistake.
There are more types of IPv6 addresses, which you can find in the table below:
IPv6 addresses type

There are 3 ways in which you can assign an IPv6 address to a Cisco device:
-manual = just like in IPv4
-stateful autoconfiguration = you use a DHCP server that will assign an IPv6 address to the interface
-stateless autoconfiguration = the interface ID in IPv6 is configured locally by the host to be globally unique using the EUI-64 procedure

In short, the EUI-64 procedure is used to autoconfigure the last 64 bits of the 128-bit IPv6 address, which is the interface ID portion. The EUI-64 method takes the MAC address of the interface (48 bits), which is unique, and derives the interface ID (64 bits). You’ll probably ask how 48 bits become 64 bits. EUI-64 inserts in the middle of the MAC address a 16-bit portion equal to FFFE and sets the universal/local bit (7th bit) to indicate global scope. More clearly, let’s say that the interface has the MAC address 00:07:88:80:71:b9; when IPv6 applies the EUI-64 method, this will become 0207:88FF:FE80:71b9 (last 64 bits = interface ID).
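To see the short-format rule from the hint above and the EUI-64 derivation at work, here is an added Python example (not part of the original post) built on the standard ipaddress module. It expands and compresses the post’s sample addresses, rejects the ambiguous 2001::A1::397A form, derives the interface ID from the MAC 00:07:88:80:71:b9, and then builds a stateless-autoconfiguration address from it; the /64 prefix 2001:db8:1:2::/64 is a constructed documentation prefix and the slaac_address helper is my assumption of how the prefix and interface ID are combined.

```python
import ipaddress


def expand(addr: str) -> str:
    """Long form: every group padded to 4 hex digits, no '::' (lowercase output)."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Short form: leading zeros dropped and only the longest run of zero groups
    replaced by '::'; any second run of zeros stays written out explicitly."""
    return ipaddress.IPv6Address(addr).compressed


def is_valid(addr: str) -> bool:
    """False for malformed text such as 2001::A1::397A (two '::' are ambiguous)."""
    try:
        ipaddress.IPv6Address(addr)
        return True
    except ValueError:
        return False


def eui64_interface_id(mac: str) -> str:
    """Derive the 64-bit interface ID from a 48-bit MAC: split the MAC in the
    middle, insert FF:FE, and invert the universal/local bit (bit 7 of the
    first octet); for a burned-in MAC that bit becomes 1, hence 00 -> 02."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ":".join(f"{iid[i] << 8 | iid[i + 1]:04x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration (assumed helper): /64 prefix advertised by the
    router plus the EUI-64 interface ID derived from the host's MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs require a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid).compressed


if __name__ == "__main__":
    print(compress("2001:0001:0000:0000:00A1:0CC0:01AB:397A"))  # 2001:1::a1:cc0:1ab:397a
    print(compress("2001:0000:0000:0000:00A1:0000:0000:397A"))  # 2001::a1:0:0:397a
    print(is_valid("2001::A1::397A"))                            # False
    print(eui64_interface_id("00:07:88:80:71:b9"))               # 0207:88ff:fe80:71b9
    print(slaac_address("2001:db8:1:2::/64", "00:07:88:80:71:b9"))  # constructed prefix
```

Note that compress() of the address from the hint keeps the second zero run as 0:0, which is exactly why a second :: is not allowed.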

After this short information (trust me, it is short compared to detailed books) I hope that things look a little clearer to you regarding IPv6, and that you understood that this is not an IT network monster of any kind. Let me show you a small example of how you can configure Cisco interfaces for IPv6 connectivity. Routing and more advanced stuff maybe in a future post.

For this tutorial I will use the same topology as in the previous post; please have a look at it here. For the IPv6 configuration I will only focus on the LAN side, the connection between R1 and R2. There is already a working IPv4 link between these 2 devices. Please click below to see the example:

IPv6 Cisco interface config

If for some reason the tutorial above is not available for you, please check this text file, which consists of the configuration needed to enable IPv6 between 2 Cisco devices.