7.07.2017

OpenStack Basic Notes

Download and install Oracle VirtualBox on the host:

https://www.virtualbox.org

Download and install the CentOS 7 minimal image.

Use a bridged adapter with promiscuous mode and a static IP rather than DHCP (depends on the local environment), not NAT mode.


systemctl status firewalld
systemctl stop firewalld
systemctl disable firewalld 

vi /etc/environment

LANG=en_US.utf-8
LC_ALL=en_US.utf-8


cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
TYPE="Ethernet"
BOOTPROTO=none
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="enp0s3"
UUID="8ec7fa7d-f73a-4df6-9bca-0ceb84ca2b4a"
DEVICE="enp0s3"
ONBOOT="yes"
# Wired Desk Network
IPADDR=10.11.110.9
PREFIX=32
GATEWAY=10.11.110.1
DNS1=8.8.8.8
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no


Use 'nmcli d' to check device status and 'nmtui' to change network settings after the CentOS installation.
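As an added example (not part of the original notes), the check below parses an ifcfg file the way the shell would (quoted or unquoted values, '#' comments) and reports what is missing from a static definition before the interface is brought up with nmcli/nmtui. The sample file is constructed from the ifcfg-enp0s3 shown above; function names are my own.

```python
import ipaddress

# Constructed sample: the static ifcfg-enp0s3 definition from the notes above,
# trimmed to the keys this check cares about.
IFCFG_SAMPLE = """\
TYPE="Ethernet"
BOOTPROTO=none
DEFROUTE="yes"
NAME="enp0s3"
DEVICE="enp0s3"
ONBOOT="yes"
# Wired Desk Network
IPADDR=10.11.110.9
PREFIX=32
GATEWAY=10.11.110.1
DNS1=8.8.8.8
"""


def parse_ifcfg(text):
    """Parse an ifcfg file: shell-style KEY=VALUE lines, optional quotes, '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("\"'")
    return conf


def check_static_ifcfg(conf):
    """Return a list of problems with a static (BOOTPROTO=none) interface definition;
    an empty list means the definition is complete and well-formed."""
    problems = []
    if conf.get("BOOTPROTO", "").lower() not in ("none", "static"):
        problems.append("BOOTPROTO is not 'none': the interface would use DHCP")
    if conf.get("ONBOOT", "").lower() != "yes":
        problems.append("ONBOOT is not 'yes': the interface will not come up at boot")
    for key in ("IPADDR", "GATEWAY"):
        if key not in conf:
            problems.append(f"{key} is missing")
    if "PREFIX" not in conf and "NETMASK" not in conf:
        problems.append("neither PREFIX nor NETMASK is set")
    for key in ("IPADDR", "GATEWAY", "DNS1", "DNS2"):
        if key in conf:
            try:
                ipaddress.ip_address(conf[key])
            except ValueError:
                problems.append(f"{key}={conf[key]} is not a valid address")
    prefix = conf.get("PREFIX")
    if prefix is not None and not (prefix.isdigit() and 0 <= int(prefix) <= 32):
        problems.append(f"PREFIX={prefix} is not between 0 and 32")
    return problems


if __name__ == "__main__":
    for line in check_static_ifcfg(parse_ifcfg(IFCFG_SAMPLE)) or ["ifcfg looks complete"]:
        print(line)
```

Run it against /etc/sysconfig/network-scripts/ifcfg-enp0s3 by reading the file into `parse_ifcfg`; it deliberately does not check gateway reachability, only that the keys a static interface needs are present and parse.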



5.16.2013

NTP

NTP (Network Time Protocol) is used to distribute and synchronize date and time information between clients and servers. NTP uses UDP port 123 for transport, but can also be configured for multicast and broadcast.

Depending on the IOS version, an unconfigured device will boot with a default date/time, e.g.:

00:00:00.000 UTC Fri Mar 1 2002

1) When configuring a device for NTP it is advised to first set the clock manually, to avoid lengthy synchronization times.

R1#clock set 15:18:00 June 29 2011
R2#clock set 15:18:00 June 29 2011
R3#clock set 15:18:00 June 29 2011


2) Without an external NTP source in our closed lab environment, at least one of our devices has to be an NTP master...


R1(config)#ntp master 2

R1(config)#do show ntp status

Clock is synchronized, stratum 2, reference is 127.127.7.1 (i.e., synchronized with its own local clock)
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D1B63F9C.7E6AD6AC (00:19:40.493 UTC Thu Jun 30 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
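The reference time in the output above is a 64-bit NTP timestamp: 32 bits of seconds since 1900-01-01 and 32 bits of binary fraction. The added example below (my code, not from the notes) decodes it, pulls the synchronization state and stratum out of 'show ntp status', and returns the checks worth running before trusting a device's clock for log correlation. The sample text is the R1 output above, copied in as a constructed string; function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# Constructed sample: the 'show ntp status' output captured on R1 above.
SHOW_NTP_STATUS = """\
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D1B63F9C.7E6AD6AC (00:19:40.493 UTC Thu Jun 30 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
"""


def ntp_timestamp_to_datetime(hex_ts):
    """Decode a 64-bit NTP timestamp written as SSSSSSSS.FFFFFFFF (hex) into UTC.
    The high word counts seconds since 1900, the low word is a binary fraction."""
    secs_hex, frac_hex = hex_ts.split(".")
    seconds = int(secs_hex, 16) - NTP_UNIX_DELTA
    micros = round(int(frac_hex, 16) * 1_000_000 / 2**32)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds, microseconds=micros)


STATUS_RE = re.compile(r"Clock is (\w+), stratum (\d+), (?:reference is (\S+)|no reference clock)")
REFTIME_RE = re.compile(r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})")


def parse_ntp_status(text):
    """Extract state, stratum, reference source and decoded reference time."""
    m = STATUS_RE.search(text)
    t = REFTIME_RE.search(text)
    if not m or not t:
        raise ValueError("unrecognised 'show ntp status' output")
    state, stratum, reference = m.groups()
    return {
        "synchronized": state == "synchronized",
        "stratum": int(stratum),
        "reference": reference,
        # 127.127.x.x is the IOS pseudo-address for the router's own local clock.
        "local_clock": reference is not None and reference.startswith("127.127."),
        "reference_time": ntp_timestamp_to_datetime(t.group(1)),
    }


def ntp_warnings(status):
    """Checks to run against the parsed status before relying on the device's
    timestamps (log correlation, certificate validity windows, Kerberos)."""
    warnings = []
    if not status["synchronized"]:
        warnings.append("clock is not synchronized")
    if status["stratum"] >= 16:
        warnings.append("stratum 16: no usable time source")
    if status["local_clock"]:
        warnings.append("reference is the local clock: time is free-running (expected only on the lab master)")
    return warnings


if __name__ == "__main__":
    status = parse_ntp_status(SHOW_NTP_STATUS)
    print(status["reference_time"].isoformat(), "stratum", status["stratum"])
    for w in ntp_warnings(status):
        print("warning:", w)
```

D1B63F9C hex is 3518381980 seconds since 1900; subtracting 2208988800 gives the Unix time 1309393180, which is 00:19:40 UTC on 30 June 2011, and 7E6AD6AC/2^32 is the .493 s fraction IOS prints in parentheses.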

7.0.0.0/8


There are a number of allocated but unadvertised /8s, and 7.0.0.0/8 (AKA 7 net) happens to be one of them…

7.0.0.0/8 arin unadv
9.0.0.0/8 arin unadv
11.0.0.0/8 arin unadv

7.0.0.0/8 is assigned to the US Department of Defense.
It is widely rumored that the 7 net is used by the Defense Department network infrastructure (the "black network") to communicate top secret and sensitive information and will 'never' be advertised to the public Internet.

7.0.0.0/8 is commonly filtered at an ISP's edge due to its spoofing potential.
! Dispute between ARIN and IANA over status of 7.0.0.0/8. This prefix
! is listed as being allocated to the following:
!   * OrgName: DoD Network Information Center
!   * OrgID:   DNIC
!
ip prefix-list ISP-Ingress-In-Loose SEQ 10000 permit 7.0.0.0/8 ge 9 le 24

----------------

DoD owns but does not announce 7.0.0.0/8, 11.0.0.0/8, 
30.0.0.0/8 and others. These networks are “free for the taking” without any impact on DoD.

7.0.0.0/8 is used to assign subnets and endpoints in a number of VPN applications.

****** Cable is reported to have been using 7.0.0.0/8 for internal device allocation for a number of years.

MAC=00:14:f1:eb:57:de:08:00  SRC=7.8.12.1 DST=255.255.255.255 LEN=347
TOS=00 PREC=0x00 TTL=255 ID=16 PROTO=UDP SPT=67 DPT=68 LEN=327

IP (tos 0x0, ttl 255, id 15, offset 0, flags [none], proto UDP (17), length 355)
    7.8.12.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply,
length 327, xid 0x4, Flags [Broadcast] (0x8000)
          Your-IP 7.8.x.x
          Server-IP 7.8.x.1
          Gateway-IP 7.8.x.1


However, it is not wise to use IPv4 address space that is allocated to another organization.

Below is a breakdown of the assigned /8s; the yellow column represents the number of unadvertised addresses and shows many /8s advertising 0 addresses, including 7.0.0.0/8, which, as noted above, is assigned to the US DoD.
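To make the prefix-list line and the firewall log above concrete, here is an added example (my code, not from the notes) that implements IOS prefix-list matching with the ge/le length bounds, evaluates a prefix against the ISP-Ingress-In-Loose entry quoted above, and flags log lines whose source sits inside one of the allocated-but-unadvertised /8s. The prefix-list text and the first log line are taken from the page; the second log line (192.0.2.10, documentation range) is constructed as a negative case, and all function names are my own.

```python
import ipaddress
import re

# Allocated-but-unadvertised /8s, from the short list in the notes above.
UNADVERTISED_8S = [ipaddress.ip_network(n) for n in ("7.0.0.0/8", "9.0.0.0/8", "11.0.0.0/8")]

# Constructed samples: the prefix-list line and the firewall log line quoted above,
# plus one line from the documentation range 192.0.2.0/24 as a negative case.
PREFIX_LIST_CONFIG = """\
ip prefix-list ISP-Ingress-In-Loose SEQ 10000 permit 7.0.0.0/8 ge 9 le 24
"""
SAMPLE_LOG = [
    "MAC=00:14:f1:eb:57:de:08:00  SRC=7.8.12.1 DST=255.255.255.255 LEN=347 PROTO=UDP SPT=67 DPT=68",
    "MAC=00:14:f1:eb:57:de:08:00  SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40000 DPT=22",
]


class PrefixListEntry:
    """One line of an IOS 'ip prefix-list': permit|deny PREFIX [ge N] [le M].
    IOS semantics: no ge/le means an exact length match; 'ge N' alone means N..32;
    'le M' alone means the prefix's own length..M."""

    def __init__(self, action, prefix, ge=None, le=None):
        self.action = action
        self.prefix = ipaddress.ip_network(prefix)
        plen = self.prefix.prefixlen
        self.min_len = ge if ge is not None else plen
        self.max_len = le if le is not None else (32 if ge is not None else plen)

    def matches(self, net):
        return net.subnet_of(self.prefix) and self.min_len <= net.prefixlen <= self.max_len


ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?", re.I)


def parse_prefix_lists(config):
    """Return {name: [entries sorted by sequence number]} from IOS config text."""
    lists = {}
    for m in ENTRY_RE.finditer(config):
        name, seq, action, prefix, ge, le = m.groups()
        entry = PrefixListEntry(action.lower(), prefix, int(ge) if ge else None, int(le) if le else None)
        lists.setdefault(name, []).append((int(seq), entry))
    return {name: [e for _, e in sorted(v, key=lambda x: x[0])] for name, v in lists.items()}


def prefix_list_action(entries, prefix):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    net = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b")


def unadvertised_sources(log_lines):
    """Flag log lines whose source address sits inside an unadvertised /8. Such traffic
    is spoofed, misrouted, or, as the DHCP reply above shows, comes from equipment
    using that space internally; either way it deserves a look."""
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        for block in UNADVERTISED_8S:
            if src in block:
                hits.append((str(src), str(block)))
    return hits


if __name__ == "__main__":
    entries = parse_prefix_lists(PREFIX_LIST_CONFIG)["ISP-Ingress-In-Loose"]
    for p in ("7.8.0.0/16", "7.0.0.0/8", "7.8.12.0/25"):
        print(p, prefix_list_action(entries, p))
    print(unadvertised_sources(SAMPLE_LOG))
```

Note that the quoted entry permits only 7/8 sub-prefixes between /9 and /24: the /8 itself and anything longer than /24 fall through to the implicit deny, which is exactly what the ge/le bounds are for.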


9.08.2011

Video Encryption using Cisco GETVPN OOO Issue

During encryption trials using Cisco's GETVPN on the ASR 1006 platform running IOS-XE, we experienced out-of-order (OOO) packets with remuxed (MPTS) video sourced from Harmonic Electra 8000 encoders; however, with remuxed (MPTS) video sourced from the Harmonic Prostream encoders the GETVPN encryption/decryption cycle did not produce any OOO packets....


Solution:


The ESP40 module utilizes a newer multicast replication algorithm, AKA "MLRE", which is enabled by default and provides enhanced multicast fan-out performance but slightly increases latency; the encryption process also adds a small amount of latency.


Multicast leaf recycle elimination (MLRE) is a method to improve the multicast performance on ESP-40 by eliminating the recycle of the leaf node. QFP code detects the penultimate node in the OIF tree and serially replicates the packet using the leaf nodes information.


#set platform hardware qfp active feature multicast v4 lre off


#set platform hardware qfp active feature multicast v4 lre on

6.07.2011

MPLS L3 VPN with Internet Access

An MPLS customer requires Internet access; in this scenario Internet access is provided via a separate link on one of the PE routers. The gist is to provide a default route to the CE routers via the IGP running between the PE and CE, OSPF in this case.

The CE router (R7) is placed in VRF 37 via the PE router's (R3) E0/2 interface...

On PE (R3)...
interface Ethernet0/2
 ip vrf forwarding 37
 ip address 10.0.37.3 255.255.255.0

1) Create a static default route within VRF 37 with the next hop to be resolved in the global routing table.

On PE (R3)...
ip route vrf 37 0.0.0.0 0.0.0.0 10.0.23.2 global

2) When running OSPF between the PE/CE routers this default route will not get advertised to the CE without the default-information originate command specified in the OSPF stanza for this VRF...

On PE (R3)...
router ospf 2 vrf 37
 router-id 3.3.37.3
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 3.3.37.3 0.0.0.0 area 1
 network 10.0.37.3 0.0.0.0 area 1
 default-information originate

Verify default route on CE router (R7)...

R7(config-if)#do sh ip ro

Gateway of last resort is 10.0.37.3 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.37.3, 01:18:16, Ethernet0/0



Now we need to share this default/Internet route with the other CEs in the MPLS cloud...

3) In BGP AS 1 (within VRF 37) we have to 'redistribute' the static routes to our MP-BGP neighbors as well as originate the default route, which BGP does not do by default.

  address-family ipv4 vrf 37
  redistribute static
  redistribute ospf 2 vrf 37
  default-information originate
 exit-address-family

4) Verify the default route has been learned and installed in the PE router's (R5) BGP/VRF table...

R5#sh ip ro vrf 59

Routing Table: 59

Gateway of last resort is 3.3.3.3 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 3.3.3.3, 05:18:05

5) Under BGP on the MP-BGP peer PE router (R5), redistribute the BGP (VRF 59) routes to OSPF (VRF 59)...

  address-family ipv4 vrf 59
  no synchronization
  redistribute ospf 2 vrf 59
 exit-address-family

6) Verify that the default route is installed in the OSPF VRF 59 database on the PE router (R5)...

R5#sh ip ospf data

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         5.5.59.5        1605        0x80000004 0x005F35 3489660929

7) Make sure we specify the origination of the default route via OSPF on the PE (R5)...

R5# sh ip run | b router

router ospf 2 vrf 59
 router-id 5.5.59.5
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 5.5.59.5 0.0.0.0 area 1
 network 10.0.59.5 0.0.0.0 area 1
 default-information originate

8) Finally, verify the CE router (R9) has received and installed the default route in its routing table...

R9(config-if)#do sh ip ro

Gateway of last resort is 10.0.59.5 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.59.5, 00:00:07, Ethernet0/0
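Steps 4 and 8 both come down to reading a 'show ip route' and confirming a default route from the right protocol with the right next hop. The added example below (my code, not from the notes) parses that output and checks each hop of the propagation chain; the R7 and R5 samples are the outputs shown above, and the third sample, a table with no default route, is constructed as the failure case. Expected next hops and protocols come from the steps above; function names are my own.

```python
import re

# Constructed samples: the routing-table excerpts captured on the CE and PE routers
# in the steps above, plus one table with no default route as a negative case.
R7_SHOW_IP_ROUTE = """\
Gateway of last resort is 10.0.37.3 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.37.3, 01:18:16, Ethernet0/0
"""
R5_SHOW_IP_ROUTE_VRF59 = """\
Routing Table: 59

Gateway of last resort is 3.3.3.3 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 3.3.3.3, 05:18:05
"""
NO_DEFAULT_ROUTE = """\
Gateway of last resort is not set

C     10.0.59.0/24 is directly connected, Ethernet0/0
"""

DEFAULT_RE = re.compile(
    r"^(?P<proto>[A-Z])\*(?P<subtype>[A-Z0-9]*)\s+0\.0\.0\.0/0\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<next_hop>\d+\.\d+\.\d+\.\d+)",
    re.M)
GATEWAY_RE = re.compile(r"^Gateway of last resort is (\S+) to network 0\.0\.0\.0", re.M)
PROTOCOLS = {"O": "ospf", "B": "bgp", "S": "static", "D": "eigrp", "R": "rip"}


def parse_default_route(show_ip_route):
    """Return the installed default route (protocol, AD, metric, next hop) or None."""
    g = GATEWAY_RE.search(show_ip_route)
    m = DEFAULT_RE.search(show_ip_route)
    if not g or not m:
        return None
    return {
        "protocol": PROTOCOLS.get(m["proto"], m["proto"]),
        "subtype": m["subtype"],  # e.g. 'E2' for an OSPF external type-2 route
        "ad": int(m["ad"]),
        "metric": int(m["metric"]),
        "next_hop": m["next_hop"],
        "gateway": g.group(1),
    }


def check_default_route(show_ip_route, expected_next_hop, expected_protocol):
    """Return a list of findings; empty means the device learned the default route
    from the expected protocol and points it at the expected next hop."""
    route = parse_default_route(show_ip_route)
    if route is None:
        return ["no default route installed"]
    findings = []
    if route["protocol"] != expected_protocol:
        findings.append(f"default route learned via {route['protocol']}, expected {expected_protocol}")
    if route["next_hop"] != expected_next_hop:
        findings.append(f"next hop is {route['next_hop']}, expected {expected_next_hop}")
    if route["gateway"] != route["next_hop"]:
        findings.append("gateway of last resort does not match the installed default route")
    return findings


def verify_chain():
    """Check each hop of the default-route propagation shown in the steps above."""
    return {
        "R7": check_default_route(R7_SHOW_IP_ROUTE, "10.0.37.3", "ospf"),
        "R5": check_default_route(R5_SHOW_IP_ROUTE_VRF59, "3.3.3.3", "bgp"),
        "negative": check_default_route(NO_DEFAULT_ROUTE, "10.0.59.5", "ospf"),
    }


if __name__ == "__main__":
    for device, findings in verify_chain().items():
        print(device, findings or "OK")
```

The AD/metric pair is worth keeping in the parsed result: 110/1 on the CE confirms an OSPF external route, and 200/0 on R5 confirms the default arrived over iBGP (MP-BGP) rather than from a local static, which is the distinction steps 3 and 4 are checking.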

5.30.2011

MPLS MP-BGP / PE-CE Routing with BGP

With SP customers using the same BGP AS number, BGP loop prevention mechanisms can prevent prefixes from being installed...


Below we see the debug message on R10 rejecting the prefix 8.8.8.8 advertised by R8, which is in the same AS 99.


BGP(0): 10.0.106.6 rcv UPDATE about 8.8.8.8/32 -- DENIED due to: AS-PATH contains our own AS

On CE Router (R10)... *must enable this on both CE routers*

router bgp 99
 no synchronization
 bgp router-id 10.10.10.10
 bgp log-neighbor-changes
 network 10.10.10.10 mask 255.255.255.255
 neighbor 10.0.106.6 remote-as 1
 neighbor 10.0.106.6 allowas-in
 no auto-summary


After adding the 'allowas-in' command we see R10 install 8.8.8.8 even though its own AS is in the path.

BGP(0): 10.0.106.6 rcvd UPDATE w/ attr: nexthop 10.0.106.6, origin i, merged path 1 99, AS_PATH
BGP(0): 10.0.106.6 rcvd 8.8.8.8/32
BGP(0): Revise route installing 1 of 1 routes for 8.8.8.8/32 -> 10.0.106.6(global) to main IP table

R10(config)#do sh ip bgp              
BGP table version is 3, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 8.8.8.8/32       10.0.106.6                             0 1 99 i          *** notice the AS_PATH ***
*> 10.10.10.10/32   0.0.0.0                  0         32768 i



As an alternative solution, we can modify the AS_PATH at the PE router before passing the prefix to the CE with the "as-override" option...

On the PE router R6... *must enable this option on both PE routers*

address-family ipv4 vrf 48
  no synchronization
  neighbor 10.0.106.10 remote-as 99
  neighbor 10.0.106.10 activate
  neighbor 10.0.106.10 as-override
 exit-address-family

R10(config-router)#do sh ip bgp
BGP table version is 5, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 8.8.8.8/32       10.0.106.6                             0 1 1 i           *** notice the AS_PATH ***
*> 10.10.10.10/32   0.0.0.0                  0         32768 i

Site of Origin (SoO) EIGRP/BGP

SoO is an extended community attribute used to prevent routing loops at multi-homed MPLS customer sites by tagging prefixes and filtering them before they are redistributed back into the domain of origin.

R4 will redistribute a prefix via MP-BGP to R6 and R6 will pass it to R10; the prefix will be stopped at R8 by SoO filtering and will never loop back to R4.



1) Create a route map that sets the SoO...

route-map SOO permit 10
 set extcommunity soo 48:1

2) Apply the route map to the PE's CE-facing interfaces...

interface Ethernet0/2
 ip vrf forwarding 48
 ip vrf sitemap SOO
 ip address 10.0.106.6 255.255.255.0

3) Verify...

R4(config)#do sh bgp vpnv4 unicast all 10.0.106.0
BGP routing table entry for 48:1:10.0.106.0/24, version 12
Paths: (1 available, best #1, table 48)
  Not advertised to any peer
  Local
    6.6.6.6 (metric 21) from 6.6.6.6 (6.6.6.6)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: SoO:48:1 RT:48:1 Cost:pre-bestpath:128:281600
        0x8800:32768:0 0x8801:100:25600 0x8802:65280:256000 0x8803:65281:1500
      mpls labels in/out nolabel/31

----------------

Site of Origin with BGP utilizes the same tag-and-filter method; SoO with BGP has 2 options...

Option 1 Per Neighbor...

1) Enable SoO at the PE

 address-family ipv4 vrf 48
  no synchronization
  neighbor 10.0.48.8 remote-as 99
  neighbor 10.0.48.8 activate
  neighbor 10.0.48.8 as-override
  neighbor 10.0.48.8 soo 48:4
 exit-address-family

2) Verify on other PE router (R6)...

R6(config)#do sh ip bgp vpnv4 vrf 48 8.8.8.8
BGP routing table entry for 48:1:8.8.8.8/32, version 27
Paths: (2 available, best #2, table 48)
  Advertised to update-groups:
     15       
  99
    4.4.4.4 (metric 21) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:48:4 RT:48:1
      mpls labels in/out 29/28


Option 2 Route-Map method...

1) Create route-map to set SoO

route-map SOO permit 10
 set extcommunity soo 48:48

2) Apply to BGP neighbor statement of CE peer on PE router...

  address-family ipv4 vrf 48
  no synchronization
  neighbor 10.0.48.8 remote-as 99
  neighbor 10.0.48.8 activate
  neighbor 10.0.48.8 as-override
  neighbor 10.0.48.8 route-map SOO in
 exit-address-family

3) Verify SoO...

R6#sh ip bgp vpnv4 vrf 48 8.8.8.8
BGP routing table entry for 48:1:8.8.8.8/32, version 31
Paths: (2 available, best #2, table 48)
  Advertised to update-groups:
     15       
  99
    4.4.4.4 (metric 21) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:48:48 RT:48:1
      mpls labels in/out 27/27
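The three PE-CE loop-prevention controls in the two sections above (the AS_PATH check with allowas-in, as-override, and SoO filtering) are small enough to model together. The added example below is my code, not from the notes: it reproduces the AS_PATH values R10 showed ("1 99" without as-override, "1 1" with it), parses the SoO out of the "Extended Community:" line above, and shows the SoO decision on PE R6. The neighbour configured with soo 48:4 on R6 is an assumption (a CE belonging to the same site the route came from) added so the suppression case can be shown; all function names are my own.

```python
import re

# Constructed model of the lab above: PE R6 is in AS 1; CE R10 is in AS 99 inside VRF 48.
# The remote PE R4 learned 8.8.8.8/32 from a CE in AS 99 with SoO 48:4 attached and hands
# it to R6 over MP-BGP. A second CE neighbour on R6 configured with soo 48:4 (same site
# as the route's origin) is assumed here so the SoO decision can be demonstrated.
PE_AS = 1
CUSTOMER_AS = 99
SHOW_BGP_LINE = "Extended Community: SoO:48:4 RT:48:1"


def parse_extcommunities(line):
    """Pick the SoO and RT values out of an 'Extended Community:' line of show output."""
    return {name: value for name, value in re.findall(r"\b(SoO|RT):(\d+:\d+)", line)}


def as_path_accepted(as_path, local_as, allowas_in=0):
    """Receiver-side loop check. A path containing the receiver's own AS is denied
    ('AS-PATH contains our own AS') unless 'neighbor ... allowas-in [N]' permits up to
    N occurrences (IOS uses 3 when the number is omitted)."""
    occurrences = as_path.count(local_as)
    return occurrences == 0 or occurrences <= allowas_in


def apply_as_override(as_path, neighbor_as, local_as):
    """Sender-side 'neighbor ... as-override': every occurrence of the CE's AS in the
    path is replaced with the PE's own AS before the update goes to that CE."""
    return [local_as if asn == neighbor_as else asn for asn in as_path]


def soo_permits(route_soo, neighbor_soo):
    """SoO filter: a route whose SoO equals the SoO configured towards a neighbour
    originated at that site and must not be sent back into it."""
    return route_soo is None or neighbor_soo is None or route_soo != neighbor_soo


def pe_advertise(route, neighbor):
    """Outbound processing on PE R6 for one CE neighbour. Returns the AS_PATH that
    would be sent, or None when the route is suppressed by the SoO check."""
    if not soo_permits(route["soo"], neighbor.get("soo")):
        return None
    path = [PE_AS] + route["as_path"]  # eBGP prepends the sender's own AS
    if neighbor.get("as_override"):
        path = apply_as_override(path, neighbor["remote_as"], PE_AS)
    return path


def simulate():
    """Run the scenarios from the notes: R10 without and with as-override (and with
    allowas-in on the CE side), plus a same-site neighbour protected by SoO."""
    route = {"prefix": "8.8.8.8/32", "as_path": [CUSTOMER_AS],
             "soo": parse_extcommunities(SHOW_BGP_LINE)["SoO"]}
    plain = {"remote_as": CUSTOMER_AS}
    override = {"remote_as": CUSTOMER_AS, "as_override": True}
    same_site = {"remote_as": CUSTOMER_AS, "as_override": True, "soo": "48:4"}
    sent_plain = pe_advertise(route, plain)
    sent_override = pe_advertise(route, override)
    return {
        "R10_path_plain": sent_plain,  # [1, 99]
        "R10_accepts_plain": as_path_accepted(sent_plain, CUSTOMER_AS),  # False: own AS in path
        "R10_accepts_allowas_in": as_path_accepted(sent_plain, CUSTOMER_AS, allowas_in=3),
        "R10_path_override": sent_override,  # [1, 1]
        "R10_accepts_override": as_path_accepted(sent_override, CUSTOMER_AS),
        "same_site_path": pe_advertise(route, same_site),  # None: SoO matched, suppressed
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The model makes the trade-off visible: allowas-in keeps the real path but switches off the CE's own loop detection, as-override hides the customer AS from the CE so the check never fires, and neither one stops a prefix from re-entering its originating site at a multi-homed customer; that is what the SoO tag-and-filter adds.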