5.16.2013

NTP

NTP (Network Time Protocol) is used to distribute and synchronize date and time information between clients and servers. NTP uses UDP port 123 for transport, but can also be configured for multicast and broadcast.

Depending on the IOS version, an unconfigured device boots with a default date/time, e.g.:

00:00:00.000 UTC Fri Mar 1 2002 

1) When configuring a device for NTP it is advised to first set the clock manually, to avoid lengthy synchronization times.

R1#clock set 15:18:00 June 29 2011
R2#clock set 15:18:00 June 29 2011
R3#clock set 15:18:00 June 29 2011


2) Without an external NTP source in our closed lab environment, at least one of our devices has to be an NTP master...


R1(config)#ntp master 2

R1(config)#do show ntp status

Clock is synchronized, stratum 2, reference is 127.127.7.1 (= with self)
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D1B63F9C.7E6AD6AC (00:19:40.493 UTC Thu Jun 30 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
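The reference time above is printed as a 64-bit NTP timestamp in hex (seconds since 1900 and a 2^-32 fraction). This added example (not from the original post; the function names are mine) decodes that format and parses the fixed NTP header a server reply is built from, using a constructed packet that mirrors the status output: stratum 2 with reference id 127.127.7.1.

```python
"""Decode the NTP timestamps IOS prints in 'show ntp status' and parse the fixed
48-byte NTP header (RFC 5905). Added example, not from the original post;
function names are my own."""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # NTP era 0 starts in 1900

def ntp_hex_to_datetime(ref: str) -> datetime:
    """'D1B63F9C.7E6AD6AC' = 32-bit seconds . 32-bit fraction (units of 2^-32 s), both hex."""
    secs_hex, frac_hex = ref.split(".")
    micros = (int(frac_hex, 16) * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=int(secs_hex, 16), microseconds=micros)

def build_ntp_header(stratum: int, ref_id: bytes, ref_ts: str, mode: int = 4) -> bytes:
    """Constructed sample packet: LI=0, version 4, given mode (4 = server reply)."""
    secs_hex, frac_hex = ref_ts.split(".")
    head = struct.pack("!BBbbII4sII", (4 << 3) | mode, stratum, 6, -20,
                       0, 0, ref_id, int(secs_hex, 16), int(frac_hex, 16))
    return head + bytes(24)   # origin/receive/transmit timestamps left zero

def parse_ntp_header(pkt: bytes) -> dict:
    """Return the header fields a 'show ntp status' line is built from."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    root_delay, root_disp = struct.unpack("!II", pkt[4:12])
    ref_id = pkt[12:16]
    ref_secs, ref_frac = struct.unpack("!II", pkt[16:24])
    # Stratum 0/1 carry a 4-char ASCII source id; stratum 2+ carry the upstream IPv4
    # address (127.127.7.1 in the output above is IOS's local-clock id under ntp master).
    if stratum <= 1:
        reference = ref_id.decode("ascii", "replace").rstrip("\x00")
    else:
        reference = ".".join(str(b) for b in ref_id)
    return {
        "leap": li_vn_mode >> 6,               # 3 = clock not synchronized
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll_seconds": 2 ** poll, "precision": precision,
        "root_delay_ms": root_delay / 65536 * 1000,   # 16.16 fixed-point seconds
        "root_dispersion_ms": root_disp / 65536 * 1000,
        "reference_id": reference,
        "reference_time": ntp_hex_to_datetime(f"{ref_secs:08X}.{ref_frac:08X}"),
    }

if __name__ == "__main__":
    pkt = build_ntp_header(2, bytes([127, 127, 7, 1]), "D1B63F9C.7E6AD6AC")
    for k, v in parse_ntp_header(pkt).items():
        print(f"{k:18} {v}")
```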

7.0.0.0/8


There are a number of allocated but unadvertised /8s, and 7.0.0.0/8 (AKA 7 net) happens to be one of them…

7.0.0.0/8 arin unadv
9.0.0.0/8 arin unadv
11.0.0.0/8 arin unadv

7.0.0.0/8 is assigned to the US Department of Defense
It is widely rumored that the 7 net is used by the Defense Department network infrastructure (black network) to communicate 'top secret' and sensitive information and will 'never' be advertised to the public internet. 

7.0.0.0/8 is commonly filtered at an ISP's edge due to its spoofing potential.

! Dispute between ARIN and IANA over status of 7.0.0.0/8. This prefix
! is listed as being allocated to the following:
!   * OrgName: DoD Network Information Center
!   * OrgID:   DNIC
!
ip prefix-list ISP-Ingress-In-Loose SEQ 10000 permit 7.0.0.0/8 ge 9 le 24

----------------

DoD owns but does not announce 7.0.0.0/8, 11.0.0.0/8, 30.0.0.0/8 and others. These networks are “free for the taking” without any impact on DoD.

7.0.0.0/8 is used to assign subnets and endpoints in a number of VPN applications.

****** cable is reported to have been using 7.0.0.0/8 for internal device allocation for a number of years.

MAC=00:14:f1:eb:57:de:08:00  SRC=7.8.12.1 DST=255.255.255.255 LEN=347
TOS=00 PREC=0x00 TTL=255 ID=16 PROTO=UDP SPT=67 DPT=68 LEN=327

IP (tos 0x0, ttl 255, id 15, offset 0, flags [none], proto UDP (17), length 355)
    7.8.12.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply,
length 327, xid 0x4, Flags [Broadcast] (0x8000)
          Your-IP 7.8.x.x
          Server-IP 7.8.x.1
          Gateway-IP 7.8.x.1


However, it is not wise to use IPv4 address space that is allocated to another organization.

Below is a breakdown of assigned /8s; the yellow column represents the number of unadvertised addresses, and shows many /8s advertising 0 addresses, including 7.0.0.0/8, which, as noted, is assigned to the US DoD.
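Added example (not part of the original post) that parses the netfilter-style log line quoted above and flags a DHCP server reply sourced from one of the unadvertised /8s named in this post; the block list is taken from the post and the function names are mine:

```python
"""Flag DHCP replies sourced from the allocated-but-unadvertised /8s this post
lists, using the netfilter log format quoted above. Added example, not from the
original post; the block list and function names are mine."""
import ipaddress
import re
from typing import Optional

# Per the post: allocated but not advertised on the public Internet (status as of
# the post; check current registry data before relying on it). 7/8, 11/8 and 30/8
# are named as DoD-held; 9/8 appears in the post's unadvertised list.
UNADVERTISED = [ipaddress.ip_network(n) for n in
                ("7.0.0.0/8", "9.0.0.0/8", "11.0.0.0/8", "30.0.0.0/8")]

def parse_netfilter_log(line: str) -> dict:
    """Split 'KEY=VALUE' tokens; a repeated key (LEN= appears twice) keeps the last value."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def unadvertised_block(ip: str) -> Optional[str]:
    """Return the matching /8 as a string, or None. The standard library's
    is_private check does not cover these ranges, hence the explicit list."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in UNADVERTISED if addr in n), None)

def classify_dhcp_reply(line: str) -> dict:
    """Identify a DHCP server reply (UDP 67 -> 68) and where it came from."""
    f = parse_netfilter_log(line)
    is_dhcp_reply = f.get("PROTO") == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68"
    block = unadvertised_block(f["SRC"]) if "SRC" in f else None
    return {"src": f.get("SRC"), "dhcp_reply": is_dhcp_reply, "unadvertised_block": block,
            "alert": is_dhcp_reply and block is not None}

# Constructed sample, copied from the log line quoted in this post.
SAMPLE = ("MAC=00:14:f1:eb:57:de:08:00  SRC=7.8.12.1 DST=255.255.255.255 LEN=347 "
          "TOS=00 PREC=0x00 TTL=255 ID=16 PROTO=UDP SPT=67 DPT=68 LEN=327")

if __name__ == "__main__":
    print(classify_dhcp_reply(SAMPLE))
```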


9.08.2011

Video Encryption using Cisco GETVPN OOO Issue

During encryption trials using Cisco's GETVPN on the ASR 1006 platform running IOS-XE, we experienced out-of-order (OOO) packets with multi-program transport stream (MPTS) video sourced from Harmonic Electra 8000 encoders; however, with remuxed (MPTS) video sourced from the Harmonic ProStream encoders the GETVPN encryption/decryption cycle did not produce any OOO packets.


Solution:


The ESP40 module utilizes a newer multicast replication algorithm, AKA "MLRE", which is enabled by default and provides enhanced multicast fan-out performance but slightly increases latency; the encryption process also adds a small amount of latency.


Multicast leaf recycle elimination (MLRE) is a method to improve multicast performance on the ESP-40 by eliminating the recycle of the leaf node. The QFP code detects the penultimate node in the OIF tree and serially replicates the packet using the leaf nodes' information.


Disable MLRE:
#set platform hardware qfp active feature multicast v4 lre off

Re-enable MLRE:
#set platform hardware qfp active feature multicast v4 lre on

6.07.2011

MPLS L3 VPN with Internet Access

An MPLS customer requires Internet access; in this scenario Internet access is provided via a separate link on one of the PE routers. The gist is to provide a default route to the CE routers via the IGP running between the PE and CE, OSPF in this case.

The CE router (R7) is part of VRF 37 via the PE router's (R3) E0/2 interface...

On PE (R3)...
interface Ethernet0/2
 ip vrf forwarding 37
 ip address 10.0.37.3 255.255.255.0

1) Create a static default route within VRF 37 with the next hop to be resolved in the global routing table.

On PE (R3)...
ip route vrf 37 0.0.0.0 0.0.0.0 10.0.23.2 global

2) When running OSPF between the PE/CE routers this default route will not get advertised to the CE without the default-information originate command specified in the OSPF stanza for this VRF...

On PE (R3)...
router ospf 2 vrf 37
 router-id 3.3.37.3
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 3.3.37.3 0.0.0.0 area 1
 network 10.0.37.3 0.0.0.0 area 1
 default-information originate

Verify default route on CE router (R7)...

R7(config-if)#do sh ip ro

Gateway of last resort is 10.0.37.3 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.37.3, 01:18:16, Ethernet0/0



Now we need to share this default/Internet route with the other CEs in the MPLS cloud...

3) In BGP AS 1 (within VRF 37) we have to 'redistribute' the static routes to our MP-BGP neighbors as well as originate the default route, which BGP does not do by default.

 address-family ipv4 vrf 37
  redistribute static
  redistribute ospf 2 vrf 37
  default-information originate
 exit-address-family

4) Verify the default route has been learned and installed in the PE router (R5) BGP/VRF table...

R5#sh ip ro vrf 59

Routing Table: 59

Gateway of last resort is 3.3.3.3 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 3.3.3.3, 05:18:05

5) Under BGP on the MP-BGP peer PE router (R5), redistribute BGP (VRF 59) routes into OSPF (VRF 59)...

 address-family ipv4 vrf 59
  no synchronization
  redistribute ospf 2 vrf 59
 exit-address-family

6) Verify that the default route is installed in the OSPF VRF 59 database on the PE router (R5)...

R5#sh ip ospf data

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         5.5.59.5        1605        0x80000004 0x005F35 3489660929

7) Make sure we specify the origination of the default route via OSPF on the PE (R5)...

R5# sh ip run | b router

router ospf 2 vrf 59
 router-id 5.5.59.5
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 5.5.59.5 0.0.0.0 area 1
 network 10.0.59.5 0.0.0.0 area 1
 default-information originate

8) Finally, verify the CE router (R9) has received and installed the default route in its routing table...

R9(config-if)#do sh ip ro

Gateway of last resort is 10.0.59.5 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.59.5, 00:00:07, Ethernet0/0

5.30.2011

MPLS MP-BGP / PE-CE Routing with BGP

With SP customers using the same BGP AS number, BGP loop prevention mechanisms can prevent prefixes from being installed...


Below we see the debug message on R10 rejecting the prefix 8.8.8.8 advertised by R8, which is in the same AS (99).


BGP(0): 10.0.106.6 rcv UPDATE about 8.8.8.8/32 -- DENIED due to: AS-PATH contains our own AS

On CE Router (R10)... *must enable this on both CE routers*

router bgp 99
 no synchronization
 bgp router-id 10.10.10.10
 bgp log-neighbor-changes
 network 10.10.10.10 mask 255.255.255.255
 neighbor 10.0.106.6 remote-as 1
 neighbor 10.0.106.6 allowas-in
 no auto-summary


After adding the 'allowas-in' command we see R10 install 8.8.8.8 even though its own AS appears in the AS_PATH.

BGP(0): 10.0.106.6 rcvd UPDATE w/ attr: nexthop 10.0.106.6, origin i, merged path 1 99, AS_PATH
BGP(0): 10.0.106.6 rcvd 8.8.8.8/32
BGP(0): Revise route installing 1 of 1 routes for 8.8.8.8/32 -> 10.0.106.6(global) to main IP table

R10(config)#do sh ip bgp
BGP table version is 3, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 8.8.8.8/32       10.0.106.6                             0 1 99 i          *** notice the AS_PATH ***
*> 10.10.10.10/32   0.0.0.0                  0         32768 i



An alternative solution: modify the AS_PATH at the PE router before passing the prefix to the CE, using the "as-override" option...

On the PE router R6... *must enable this option on both PE routers*

 address-family ipv4 vrf 48
  no synchronization
  neighbor 10.0.106.10 remote-as 99
  neighbor 10.0.106.10 activate
  neighbor 10.0.106.10 as-override
 exit-address-family

R10(config-router)#do sh ip bgp
BGP table version is 5, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 8.8.8.8/32       10.0.106.6                             0 1 1 i           *** notice the AS_PATH ***
*> 10.10.10.10/32   0.0.0.0                  0         32768 i

Site of Origin (SoO) EIGRP/BGP

SoO is an extended community attribute used to prevent routing loops at multi-homed MPLS customer sites by tagging prefixes and filtering them before they are redistributed back into their domain of origin.

R4 will redistribute a prefix via MP-BGP to R6, and R6 will pass it to R10; the prefix will be stopped at R8 by SoO filtering and will never loop back to R4.



1) Create a route-map that sets the SoO...

route-map SOO permit 10
 set extcommunity soo 48:1

2) Apply the route-map to the PE's CE-facing interfaces...

interface Ethernet0/2
 ip vrf forwarding 48
 ip vrf sitemap SOO
 ip address 10.0.106.6 255.255.255.0

3) Verify...

R4(config)#do sh bgp vpnv4 unicast all 10.0.106.0
BGP routing table entry for 48:1:10.0.106.0/24, version 12
Paths: (1 available, best #1, table 48)
  Not advertised to any peer
  Local
    6.6.6.6 (metric 21) from 6.6.6.6 (6.6.6.6)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: SoO:48:1 RT:48:1 Cost:pre-bestpath:128:281600
        0x8800:32768:0 0x8801:100:25600 0x8802:65280:256000 0x8803:65281:1500
      mpls labels in/out nolabel/31

----------------

Site of Origin with BGP utilizes the same tag-and-filter method; SoO with BGP has 2 options...

Option 1: Per neighbor...

1) Enable SoO at the PE

 address-family ipv4 vrf 48
  no synchronization
  neighbor 10.0.48.8 remote-as 99
  neighbor 10.0.48.8 activate
  neighbor 10.0.48.8 as-override
  neighbor 10.0.48.8 soo 48:4
 exit-address-family

2) Verify on other PE router (R6)...

R6(config)#do sh ip bgp vpnv4 vrf 48 8.8.8.8
BGP routing table entry for 48:1:8.8.8.8/32, version 27
Paths: (2 available, best #2, table 48)
  Advertised to update-groups:
     15       
  99
    4.4.4.4 (metric 21) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:48:4 RT:48:1
      mpls labels in/out 29/28


Option 2: Route-map method...

1) Create a route-map to set the SoO

route-map SOO permit 10
 set extcommunity soo 48:48

2) Apply it to the BGP neighbor statement of the CE peer on the PE router...

 address-family ipv4 vrf 48
  no synchronization
  neighbor 10.0.48.8 remote-as 99
  neighbor 10.0.48.8 activate
  neighbor 10.0.48.8 as-override
  neighbor 10.0.48.8 route-map SOO in
 exit-address-family

3) Verify SoO...

R6#sh ip bgp vpnv4 vrf 48 8.8.8.8
BGP routing table entry for 48:1:8.8.8.8/32, version 31
Paths: (2 available, best #2, table 48)
  Advertised to update-groups:
     15       
  99
    4.4.4.4 (metric 21) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:48:48 RT:48:1
      mpls labels in/out 27/27
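The three mechanisms in this entry (the AS_PATH loop check relaxed by allowas-in, as-override rewriting 1 99 to 1 1, and SoO dropping a route before it is sent back to its own site) are modelled below, using the R8 -> R4 -> R6 -> R10 path for 8.8.8.8/32 from this post. Added example, not IOS code and not from the original post; the dataclass and function names are mine.

```python
"""Model of the PE-CE loop-prevention behaviours shown above (allowas-in,
as-override and Site-of-Origin filtering), using the R8 -> R4 -> R6 -> R10
prefix 8.8.8.8/32 from this post. Added example, not IOS code; names are mine."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Route:
    prefix: str
    as_path: List[int]                      # leftmost = most recently traversed AS
    ext_communities: Set[str] = field(default_factory=set)   # e.g. {"SoO:48:4", "RT:48:1"}

def ce_accepts(local_as: int, route: Route, allowas_in: int = 0) -> bool:
    """Standard BGP loop check: an UPDATE whose AS_PATH contains our own AS is
    denied ('AS-PATH contains our own AS' in the debug above). 'neighbor ...
    allowas-in' relaxes this to tolerate up to N occurrences (IOS default 3)."""
    return route.as_path.count(local_as) <= allowas_in

def pe_tags_from_ce(route: Route, soo: str) -> Route:
    """Ingress PE stamps the site's SoO (interface sitemap or 'neighbor ... soo')."""
    return Route(route.prefix, list(route.as_path), set(route.ext_communities) | {f"SoO:{soo}"})

def pe_to_ce(route: Route, pe_as: int, ce_as: int, site_soo: Optional[str] = None,
             as_override: bool = False) -> Optional[Route]:
    """Egress PE -> CE: SoO filter, eBGP prepend, then optional as-override."""
    if site_soo is not None and f"SoO:{site_soo}" in route.ext_communities:
        return None                         # came from this site: never send it back
    path = [pe_as] + route.as_path          # normal eBGP prepend of the PE's AS
    if as_override:                         # rewrite every CE AS with the PE's AS: 1 99 -> 1 1
        path = [pe_as if asn == ce_as else asn for asn in path]
    return Route(route.prefix, path, set(route.ext_communities))

def show_path(route: Route) -> str:
    """AS_PATH as the 'Path' column of 'show ip bgp' prints it."""
    return " ".join(str(a) for a in route.as_path)

def walk(allowas_in: int = 0, as_override: bool = False, r10_soo: str = "48:1") -> dict:
    """Constructed scenario from the post: R8 (AS 99, site SoO 48:4) originates
    8.8.8.8/32; R4 tags it; R6 (AS 1) sends it to R10 (AS 99, site SoO 48:1)."""
    r8_origin = Route("8.8.8.8/32", [99], {"RT:48:1"})
    at_r4 = pe_tags_from_ce(r8_origin, "48:4")        # carried unchanged over iBGP to R6
    to_r10 = pe_to_ce(at_r4, pe_as=1, ce_as=99, site_soo=r10_soo, as_override=as_override)
    back_to_r8 = pe_to_ce(at_r4, pe_as=1, ce_as=99, site_soo="48:4")
    return {"r10_path": show_path(to_r10) if to_r10 else None,
            "r10_installs": bool(to_r10) and ce_accepts(99, to_r10, allowas_in),
            "r8_receives_own_route": back_to_r8 is not None}

if __name__ == "__main__":
    print(walk(), walk(allowas_in=3), walk(as_override=True), sep="\n")
```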

5.27.2011

OSPF SHAM-LINK


A service provider customer has installed a backup link between its CE routers, which is advertised in OSPF as an intra-area route; OSPF prefers it over the inter-area routes learned via MPLS, thereby bypassing the SP MPLS cloud. The SP creates an OSPF sham-link to 'fool' OSPF into treating the routes learned between CE routers across the MPLS cloud as intra-area routes rather than inter-area routes, which is the default behavior.

R7's RIB with the backup link shut down: all CE-to-CE routes are preferred via the MPLS cloud and are inter-area routes (O IA)...

R7(config-if)#do sh ip ro

      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.37.3 [110/11] via 10.0.37.3, 00:00:04, Ethernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.59.5 [110/11] via 10.0.37.3, 00:00:04, Ethernet0/0
      7.0.0.0/32 is subnetted, 1 subnets
C        7.7.7.7 is directly connected, Loopback0
      9.0.0.0/32 is subnetted, 1 subnets
O IA     9.9.9.9 [110/21] via 10.0.37.3, 00:00:04, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.37.0/24 is directly connected, Ethernet0/0
L        10.0.37.7/32 is directly connected, Ethernet0/0
O IA     10.0.59.0/24 [110/11] via 10.0.37.3, 00:00:04, Ethernet0/0
O IA     10.0.79.0/24 [110/30] via 10.0.37.3, 00:00:04, Ethernet0/0

R7's RIB with the backup link enabled: all CE-to-CE routes are preferred as intra-area (O) routes via the backup link...

R7(config-if)#do sh ip ro

      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.37.3 [110/11] via 10.0.37.3, 20:20:03, Ethernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.59.5 [110/21] via 10.0.79.9, 00:00:01, Ethernet0/1
      7.0.0.0/32 is subnetted, 1 subnets
C        7.7.7.7 is directly connected, Loopback0
      9.0.0.0/32 is subnetted, 1 subnets
O        9.9.9.9 [110/11] via 10.0.79.9, 00:00:01, Ethernet0/1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.0.37.0/24 is directly connected, Ethernet0/0
L        10.0.37.7/32 is directly connected, Ethernet0/0
O        10.0.59.0/24 [110/20] via 10.0.79.9, 00:00:01, Ethernet0/1
C        10.0.79.0/24 is directly connected, Ethernet0/1
L        10.0.79.7/32 is directly connected, Ethernet0/1

R7's RIB with the sham-link installed on the PE routers: all CE-to-CE traffic is preferred via the MPLS cloud, and the routes are now intra-area (O) routes...

R7(config-if)#do sh ip ro

      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.37.3 [110/11] via 10.0.37.3, 21:06:15, Ethernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.59.5 [110/16] via 10.0.37.3, 00:02:09, Ethernet0/0
      7.0.0.0/32 is subnetted, 1 subnets
C        7.7.7.7 is directly connected, Loopback0
      9.0.0.0/32 is subnetted, 1 subnets
O        9.9.9.9 [110/26] via 10.0.37.3, 00:00:12, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.0.37.0/24 is directly connected, Ethernet0/0
L        10.0.37.7/32 is directly connected, Ethernet0/0
O        10.0.59.0/24 [110/25] via 10.0.37.3, 00:00:12, Ethernet0/0
C        10.0.79.0/24 is directly connected, Ethernet0/1
L        10.0.79.7/32 is directly connected, Ethernet0/1
      99.0.0.0/32 is subnetted, 2 subnets
O E2     99.99.35.3 [110/1] via 10.0.37.3, 00:04:18, Ethernet0/0
O E2     99.99.35.5 [110/1] via 10.0.37.3, 00:05:14, Ethernet0/0

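The default-route checks in the MPLS L3 VPN Internet access entry above and the three R7 RIBs just shown are all read off 'show ip route'. This added example (not from the original post; function names are mine) parses that output so the checks can be scripted: which protocol installed 0.0.0.0/0 and via what, and whether CE-to-CE routes are O or O IA and which interface they exit.

```python
"""Parse IOS 'show ip route' output so the verifications in this post can be
scripted: the gateway of last resort (which protocol installed 0.0.0.0/0 and
via what) and, for the sham-link case, whether CE-to-CE routes are O or O IA
and which interface they exit. Added example, not from the post; names are mine."""
import re
from collections import Counter
from typing import List, Optional

# '5.0.0.0/32 is subnetted, 1 subnets' carries the mask for the lines printed below it.
SUBNET_RE = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(?P<plen>\d+) is (?P<var>variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: ?(?:IA|E1|E2|N1|N2|EX|L1|L2))?)\s+"       # O, O IA, O*E2, B*, C, L
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected)"
    r"(?:, (?P<age>\d+:\d+:\d+))?(?:, (?P<intf>\S+))?\s*$")

def parse_routes(text: str) -> List[dict]:
    routes, parent_len = [], None
    for line in text.splitlines():
        m = SUBNET_RE.match(line)
        if m:   # 'variably subnetted' means each line below prints its own mask
            parent_len = None if m.group("var") else int(m.group("plen"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = m.group("plen") or parent_len
        routes.append({
            "code": m.group("code"),
            "prefix": f"{m.group('prefix')}/{plen}" if plen is not None else m.group("prefix"),
            "ad": int(m.group("ad")) if m.group("ad") else None,
            "metric": int(m.group("metric")) if m.group("metric") else None,
            "next_hop": m.group("nh"), "age": m.group("age"), "interface": m.group("intf")})
    return routes

def default_route(routes: List[dict]) -> Optional[dict]:
    return next((r for r in routes if r["prefix"] == "0.0.0.0/0"), None)

def ospf_path_summary(routes: List[dict]) -> Counter:
    """Count OSPF-learned routes by (code, exit interface): O vs O IA, MPLS link vs backup link."""
    return Counter((r["code"], r["interface"]) for r in routes if r["code"].startswith("O"))

# Constructed samples, copied from the R7 outputs quoted in this post.
R7_DEFAULT = """Gateway of last resort is 10.0.37.3 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.37.3, 01:18:16, Ethernet0/0"""
R7_SHAM = """      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.59.5 [110/16] via 10.0.37.3, 00:02:09, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.0.59.0/24 [110/25] via 10.0.37.3, 00:00:12, Ethernet0/0
C        10.0.79.0/24 is directly connected, Ethernet0/1"""
```

Feeding the full RIBs above through ospf_path_summary gives (O IA, Ethernet0/0) entries before the sham-link and only (O, Ethernet0/0) entries after it.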

SHAM LINK Configuration steps...

1) Create new loopback interfaces on the PE routers (R3 and R5), and place them in the VRF used between the PE and CE routers...

On R3...
interface Loopback999
 ip vrf forwarding 37
 ip address 99.99.35.3 255.255.255.255

On R5...
interface Loopback999
 ip vrf forwarding 59
 ip address 99.99.35.5 255.255.255.255

2) Advertise the new loopbacks in BGP on the VPNv4-enabled PE routers (R3 and R5)...

On R3...
address-family ipv4 vrf 37
  no synchronization
  network 99.99.35.3 mask 255.255.255.255

On R5...
address-family ipv4 vrf 59
  no synchronization
  network 99.99.35.5 mask 255.255.255.255

3) Create the sham-link within the OSPF VRF instance on the PE routers (R3 and R5) and assign it a low cost to ensure its cost is lower than that of the CE-to-CE backup link.

On R3...
router ospf 2 vrf 37
 area 1 sham-link 99.99.35.3 99.99.35.5 cost 5

On R5...
router ospf 2 vrf 59
 area 1 sham-link 99.99.35.5 99.99.35.3 cost 5


4) If necessary, increase the cost of the CE-to-CE backup link on R7 and R9...

On R7 and R9...
interface Ethernet0/1
 ip ospf cost 100


Verify the sham-link on the PE routers R3 and R5...

R3(config)#do sh ip ospf sham-link
Sham Link OSPF_SL1 to address 99.99.35.5 is up
Area 1 source address 99.99.35.3
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 5 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec


R3(config)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:32    10.0.23.2       Ethernet0/1
5.5.59.5          0   FULL/  -           -        99.99.35.5      OSPF_SL1
7.7.7.7           1   FULL/BDR        00:00:37    10.0.37.7       Ethernet0/2