IP SLA

IP SLA is a mechanism on Cisco routers that permits some dynamic behavior on static routes.
With IP SLA you can configure a ping, an HTTP GET or another protocol probe to test the availability of a service and, if the service is offline, remove the route from the routing table.

Configuration:


Defining the ip sla with ICMP echo (ping)

r(config)#ip sla (ip_sla_number)
r(config-ip-sla)#icmp-echo (Destination_IP) source-ip (source_ip)
r(config-ip-sla-echo)#frequency (seconds)
r(config-ip-sla-echo)#timeout (milliseconds)
r(config-ip-sla-echo)#vrf (vrf_name)


Scheduling the ip sla

r(config)#ip sla schedule (ip_sla_number) start-time ( now | hh:mm:ss | after hh:mm:ss ) life ( time_in_seconds | forever ) 


Creating a track to trigger when the created ip sla changes the state from ok to down.

r(config)#track (sla_tracking number) ip sla (sla_number) state

Creating a route to be eliminated when the track is down.

ip route x.x.x.x y.y.y.y z.z.z.z  track (track_number)

Example:

r(config)#ip sla 1
r(config-ip-sla)#icmp-echo 192.168.1.33 source-ip 192.168.1.1
r(config-ip-sla-echo)#frequency 2 
r(config-ip-sla-echo)#timeout 8000

Ping 192.168.1.33 from source 192.168.1.1 every 2 seconds, with a timeout of 8 seconds.

r(config)#ip sla schedule 1 start-time now life forever

The SLA is permanent.

r(config)#track 33 ip sla 1 state


The track is triggered if the state changes from OK to any other state.

ip route 10.0.0.0 255.0.0.0 192.168.1.33 track 33
ip route 10.0.0.0 255.0.0.0 dialer 1 250

We have a second route through a dialer (ISDN) with a higher administrative distance.

If the ICMP echo gets no reply, the primary route is removed from the routing table and the router starts using the dialer route. When ICMP works again, we return to the primary route and the dialer goes down.


Related commands:

show ip route
show run | inc ip route
show ip sla
show ip sla statistics (sla_number)
debug track

Backup interfaces

Description:

Allows a router to keep an interface in standby until the primary interface has a link-down event.

Only useful on point-to-point interfaces: it doesn't work on Ethernet links if you have a switch in the middle, and it also doesn't work on a point-to-multipoint interface.

Frequently used with ISDN backup interfaces.

Configuration:

r(config-if)# backup interface fastethernetX/X 

Example:




R1:

interface Ethernet0/0 
 ip address 192.168.2.1 255.255.255.0  
interface Serial1/1 
 backup interface Ethernet0/0 
 ip address 192.168.1.1 255.255.255.0 

ip route 1.1.1.1 255.255.255.255 192.168.1.2 
ip route 1.1.1.1 255.255.255.255 192.168.2.2



R3:

interface Loopback1
 ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
 ip address 192.168.2.2 255.255.255.0
interface Serial1/2
 ip address 192.168.1.2 255.255.255.0
 clock rate 56000

Example of a ping running while the active interface is shut down.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [...]
...............
*Mar  1 00:23:53.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
*Mar  1 00:23:53.211: BACKUP(Serial1/1): event = primary interface went down
*Mar  1 00:23:53.215: BACKUP(Serial1/1): changed state to "waiting to backup"
*Mar  1 00:23:53.231: BACKUP(Serial1/1): event = timer expired on primary
*Mar  1 00:23:53.239: BACKUP(Serial1/1): secondary interface (Ethernet0/0) made active
*Mar  1 00:23:53.243: BACKUP(Serial1/1): changed state to "backup mode".
*Mar  1 00:23:55.231: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Mar  1 00:23:56.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [...]
*Mar  1 00:23:56.235: BACKUP(Ethernet0/0): event = secondary interface came up
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [...]

Frame relay end to end keepalives

Frame relay end-to-end keepalives is a frame relay feature that lets you monitor whether a complete PVC is online, checking the circuit from one edge to the other.

Without this feature, you only test the connectivity of the PVC against the local frame relay switch using LMI.

Configuration:

R(config)# map-class frame-relay map_class_name
R(config-map-class)# frame-relay end-to-end keepalive mode {bidirectional | request | reply | passive-reply}
R(config-if)# frame-relay class map_class_name

If one of the edges uses request, the other must have reply activated. With bidirectional on both edges the protocol works fine.

Another important point is that end-to-end keepalives can be activated for some DLCIs and not for others, using subinterfaces.


Example:

r1(config)# map-class frame-relay eek1
r1(config-map-class)# frame-relay end-to-end keepalive mode bidirectional
r1(config)# interface serial 1/0.1 point-to-point
r1(config-if)# ip address 192.168.1.1 255.255.255.0
r1(config-if)# frame-relay interface-dlci 102
r1(config-if)# frame-relay class eek1

r2(config)# map-class frame-relay eek1
r2(config-map-class)# frame-relay end-to-end keepalive mode bidirectional
r2(config)# interface serial 1/1.1 point-to-point
r2(config-if)# ip address 192.168.1.2 255.255.255.0
r2(config-if)# frame-relay interface-dlci 201
r2(config-if)# frame-relay class eek1

PPPoE with dialers configuration

One task that could be required in the CCIE R&S lab exam is the use of dialers for PPPoE. In the past the lab had ISDN interfaces with dialers, but ISDN is almost dead and is currently only used as a backup interface in some old networks.

Configuring PPPoE with dialers is quite simple, but you can do harder labs using PPP authentication and other technologies published in previous posts.

When we use PPPoE with dialers we have two different roles: a server, which accepts incoming PPP sessions, and a client, which configures a dialer and starts a PPP session against our server. You can also use authentication, and DHCP on the server to assign the client IP address dynamically.

Server:

1 - Create a PPPoE group and assign a virtual template interface to the group.


bba-group pppoe group_1
virtual-template 1

2 - Create the virtual template interface and assign an IP address to it, or use an unnumbered IP address linking the interface with a loopback interface.


int virtual-template 1
ip add x.x.x.x y.y.y.y OR ip unnumbered Loopback X

3 - Assign the PPPoE group to the server Ethernet interface.


int fa0/0
pppoe enable group group_1

Client:


1 - Create a Dialer interface, assign an IP address (or learn it using DHCP), and associate the dialer with a pool. I use persistent dialers because I would like to have the dialer always connected.


interface Dialer1
ip address 192.168.0.2 255.255.255.0
encapsulation ppp
dialer pool 1
dialer persistent

2 - Enable PPPoE on a client Ethernet interface and link it to the previous dialer pool.

int fa0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1

Tip: As with PPP over point-to-point links, the client and the server do not need to be in the same subnet, because PPP learns the route to the other side of the link and adds it to the routing table of both devices.

Example:



Router 1:

bba-group pppoe group_1
virtual-template 1
int virtual-template 1
ip add 192.168.0.1 255.255.255.0
int fa0/0
no ip add
pppoe enable group group_1

Router 2:

interface Dialer1
ip address 192.168.0.2 255.255.255.0
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
end

int fa0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1

PPP encapsulation PAP and CHAP authentication

You can enable PPP encapsulation over serial interfaces:
R1(config-if)#encapsulation ppp

When a PPP session is established, the neighbors exchange their L3 addresses, allowing connectivity between devices that are L2 connected but in different subnets.

If you want to avoid learning the neighbor route:
R1(config-if)#no peer neighbor-route

PPP PAP authentication:

Uses clear-text authentication that could be sniffed.

Inside the interface:
ppp authentication pap  <----- on the side that initiates the communication, not needed on both sides
username X password Y   <----- the username and password that the other side must send

On the other side, configure the username:
ppp pap sent-username X password Y

PAP example:


R1:
R1(config)#interface Serial3/1
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# encapsulation ppp
R1(config-if)# serial restart-delay 0
R1(config-if)# ppp authentication pap
end
R1(config)#username Paquito password 0 Chocolatero

R3:

R3(config)#interface Serial3/3
R3(config-if)# ip address 10.0.0.1 255.255.255.0
R3(config-if)# encapsulation ppp
R3(config-if)# serial restart-delay 0
R3(config-if)# ppp pap sent-username Paquito password 0 Chocolatero
end
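
A configuration review check for the PAP setup above, as an added example (not part of the original post). The function name audit_ppp and the sample text are assumptions; the sample is constructed from the R1 and R3 configuration on this page.

```python
import re

# Constructed sample: the R1 and R3 PAP configuration from this page, as it
# would appear in a saved configuration file.
SAMPLE_CONFIG = """\
interface Serial3/1
 ip address 192.168.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
!
username Paquito password 0 Chocolatero
!
interface Serial3/3
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 ppp pap sent-username Paquito password 0 Chocolatero
"""

def audit_ppp(config):
    """Return (location, finding) tuples, in config order, for PPP settings
    that expose a password on the wire or in the stored configuration."""
    findings = []
    interface = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # an unindented line leaves interface mode
            interface = "global"
        m = re.match(r"interface (\S+)", line)
        if m:
            interface = m.group(1)
        elif re.match(r"ppp authentication\b.*\bpap\b", line):
            findings.append((interface, "requests PAP: peer sends its password in clear text"))
        elif re.match(r"ppp pap sent-username \S+ password", line):
            findings.append((interface, "sends PAP credentials in clear text"))
        # A password with no type, or type 0, is stored as typed.
        m = re.search(r"(?:username|sent-username) (\S+) password (?:(0|7) )?\S+", line)
        if m and m.group(2) != "7":
            findings.append((interface, f"password for {m.group(1)} stored unencrypted (type 0)"))
    return findings

if __name__ == "__main__":
    for location, finding in audit_ppp(SAMPLE_CONFIG):
        print(f"{location}: {finding}")
```
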


PPP CHAP authentication:


Uses MD5 challenges instead of a plain-text password; it is a secure authentication.

Configuration:

R1(config-if)#ppp authentication chap   <---- the side that initiates the authentication
R1(config)#username x password y

On the other side:

R2(config)#username z password y

x = the name of the router on the other side
y = the password, which must match
z = the name of the router on the other side

The password can be stored in clear (username x password y) or as type 7 (username x password 7 y), but not as a secret (username x secret y).

At interface level:
ppp chap hostname w

Default password (never used on the side with ppp authentication chap):

ppp chap password X    <---- default for all the sessions

It can also be configured at interface level.

CHAP example:


R3:
R3(config)#interface Serial3/3
R3(config-if)# ip address 10.0.0.1 255.255.255.0
R3(config-if)# encapsulation ppp
R3(config-if)# serial restart-delay 0
end
R3(config)#username R2 password 0 Tomatito

R2:
R2(config)#interface Serial3/1
R2(config-if)# ip unnumbered Loopback0
R2(config-if)# encapsulation ppp
R2(config-if)# serial restart-delay 0
R2(config-if)# ppp authentication chap
end
R2(config)#username R3 password 0 Tomatito
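
What PAP and CHAP each put on the wire, as an added example (not part of the original post). The packet layout follows RFC 1334 for PAP and the response calculation follows RFC 1994 for CHAP; the function names are assumptions, and the credentials are the ones from the examples above. It also shows why the password cannot be stored as a secret: the authenticator has to recompute the MD5 from the password itself.

```python
import hashlib
import hmac
import os
import struct

def pap_authenticate_request(identifier, username, password):
    """PAP Authenticate-Request (RFC 1334): code 1, id, length, then the
    length-prefixed peer-id and password, both as plain bytes."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body

def chap_response(identifier, secret, challenge):
    """CHAP response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, stored_secret, challenge, response):
    """Authenticator side: recompute with the locally stored password and
    compare. This needs the recoverable password, not a one-way hash of it."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    # Credentials from the examples on this page; the challenges are random.
    pap = pap_authenticate_request(1, b"Paquito", b"Chocolatero")
    challenge = os.urandom(16)
    resp = chap_response(7, b"Tomatito", challenge)
    return {
        "pap_leaks_password": b"Chocolatero" in pap,
        "chap_hides_password": b"Tomatito" not in challenge + resp,
        "chap_accepts_right_secret": chap_verify(7, b"Tomatito", challenge, resp),
        "chap_rejects_wrong_secret": not chap_verify(7, b"tomatito", challenge, resp),
        "replay_fails_on_new_challenge": not chap_verify(7, b"Tomatito", os.urandom(16), resp),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
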

Back to back frame relay

Back-to-back frame relay is a technique that uses frame relay encapsulation for links between two devices connected with a serial cable, without any frame relay switch in the middle.

It is similar to the typical HDLC scenario, but using frame relay.

The only special requirement is that you must disable keepalives.

With this technique you can also use PVCs, but the selected DLCI is significant on both edges, so both sides use the same DLCI.

As in HDLC point-to-point links, one of the edges must be the DCE and the other the DTE.


R1(config)#interface Serial1/0
R1(config-if)# no ip address
R1(config-if)# encapsulation frame-relay
R1(config-if)# no keepalive
R1(config-if)#clock rate 64000

R1(config-if)#interface Serial1/0.1 point-to-point
R1(config-subif)#ip address 172.16.120.2 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 101 

R2(config)#interface Serial1/0
R2(config-if)# no ip address
R2(config-if)# encapsulation frame-relay
R2(config-if)# no keepalive  

R2(config-if)#interface Serial1/0.1 point-to-point
R2(config-subif)#ip address 172.16.120.1 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 101 

Frame relay switching

Frame relay switching allows a router to work as a layer 2 frame relay device, creating DLCIs and routing traffic at layer 2.

When you are working as a layer 2 frame relay switch, you must be the side of the link that sets the clock rate.

Here is an easy example of frame relay switching.

We are going to configure the frame relay switch to use DLCI X on interface s1/0 and a different DLCI Y on s2/1, routing the traffic from one DLCI to the other.


Router(config)# frame-relay switching
Router(config)#interface s1/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#clock rate 56000
Router(config-if)#frame-relay intf-type dce
Router(config-if)#frame-relay route X interface Serial2/1 Y            <---- X = local DLCI, Y = DLCI of the other interface
Router(config-if)#interface s2/1
Router(config-if)#encapsulation frame-relay
Router(config-if)#clock rate 56000
Router(config-if)#frame-relay intf-type dce
Router(config-if)#frame-relay route Y interface Serial1/0 X

Frame Relay

Why are we learning frame relay for CCIE?

I think it is because it is an easy layer 2 technology that uses packet switching, uses PVCs, and is an NBMA network. It is evident that it is an end-of-life technology, but at least it is an easy technology to emulate.

Basic frame relay configuration:

The basic frame relay setup is two routers using full serial interfaces; you don't need to care about DLCIs, inverse ARP, subinterfaces, or anything else.

R1(config)# int s1/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no shut

R2(config)# int s1/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#no shut

Inverse ARP is enabled by default, and you are able to ping from one router to the other.

Inverse ARP

It is a layer 3 to layer 2 conversion mechanism. With Inverse ARP the router talks to the FR switch and gets the DLCI number automatically, allowing your interface to send frames using the right DLCI number.

Life without Inverse ARP

You must use static frame relay maps.
R1(config-if)#frame-relay map ip 10.0.0.2 102 broadcast
The broadcast keyword allows the interface to send broadcast and multicast traffic using this DLCI, an important detail for the CCIE lab.

Test broadcast traffic over frame relay:
Configure a frame relay map with broadcast on both sides and ping 255.255.255.255; the other side must reply.

Configure a frame relay multipoint subinterface:
R1(config)#int s1/0.X multi    <--- Select the number that you want
R1(config-if)#frame-relay interface-dlci X   <---- the number of the DLCI, like VLANs in router on a stick, but only if you use inverse ARP; not required for static mappings.

Point to point subinterfaces:
R1(config)#int s1/0.X point       <--- Select the number that you want
R1(config-if)#frame-relay interface-dlci X    <----the number of the DLCI, like vlans in router on a stick



Useful commands:


show frame-relay map
clear frame-relay inarp
show frame-relay pvc
show frame-relay pvc X <---- shows you where a PVC is configured (the subinterface)
no frame-relay inverse-arp
no frame-relay inverse-arp ip x <----- the number of the DLCI