R.I.P Jieff

You will be for me the guy who wrote this kind of post and talk technology with Remy Card (ext2).

Path: bga.com!news.sprintlink.net!pipex!oleane!univ-lyon1.fr!ensta!itesec!frmug.fr.net!renux.frmug.fr.net!marouchka.gna.org!not-for-mail
From: ji...@marouchka.gna.org (Jean-Francois Monnet)
Newsgroups: fr.comp.os.linux
Subject: Re: LINUX ET E-IDE
Date: 23 Nov 1994 08:43:22 +0100
Organization: Marouchka, A Private Linux Site, France
Lines: 23
Distribution: world
Message-ID: <3aurqq$3mb@marouchka.gna.org>
References: <3asg5c$sp0@imag.imag.fr>
Reply-To: mon...@dir.univ-rouen.fr (Jean-Francois Monnet)
NNTP-Posting-Host: marouchka.gna.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: TIN [version 1.2 PL2]

Yves Arrouye (arr...@petole.imag.fr) ecrit:

> Tu vas peut-etre pouvoir m'aider : je veux mettre un 3e disque (sur un 2e
> controleur). Mon 2e controleur ne tourne que sur irq 14, mais on peut changer
> les adresses des disques (il en a deux plages). Je n'arrive pas a ce que le
> patch reconnaisse gentiment mon 3e disque, quelque soit la config. Au secours
> ! Help !

	Chez moi, le deuxieme controleur n'a ete bien reconnu qu'a partir
du moment ou j'ai pris le fer a souder et devie la piste IRQ 14 -> IRQ 15,
comme explique dans la doc de l'archive atdisk2-0.9.tgz (ancien patch pour
gerer deux cartes controleur IDE). Je crois que cette doc n'est plus
fournie avec les patches ide-x.x*. Je peux te l'envoyer si tu ne trouves
pas l'archive atdisk. Car, meme avec deux adresses I/O differentes pour les
cartes, l'utilisation de la meme IRQ avec plus de 2 disques peut poser des
problemes.

> (Linux 1.1.64 + ide-2.5.patch-64+)

	Je tourne en 1.1.61 + ide-2.01.patch.61+.gz et ca roule sans pbs pour
l'IDE.
-- 
Marouchka - 76 Rouen

And a great linux kernel programmer (Telsat Turbo), rock’n roll & Nina Hagen fan.



Have fun with luxman…

++Jieff :-/


~Christophe

Site to site IKEv2 tunnel

Hello guys,

Here it is a tips / reminder how to implement an site-ot-site IKEv2 tunnel :

crypto ikev2 proposal aes-cbc-256-proposal 
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1 
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 description IKEv2 profile
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1

crypto ipsec transform-set myset esp-des esp-md5-hmac 

crypto map mymap 20 ipsec-isakmp 
 set peer y.y.y.y
 set security-association lifetime seconds 27000
 set transform-set ESP-AES-SHA 
 set ikev2-profile profile1
 match address 120

With ACL 120 is your flows / SA and your implement your crypto map on your WAN interface.

bwping patch (catching signals)

diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef __CYGWIN__
 #include "cygwin.h"
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
     }
 }
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+
+void sig_handler(int signo)
+{
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
+}
 
 int main (int argc, char **argv)
 {
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
 
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
+
+
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");

Download : patch-bwping-sig.diff

IPv6 prefix delegation feature

We will dive into IPv6 prefix delegation prefix.

First of all, we will make a real simple topology :

ipv6-delegation-simple

R1 acts as a DHCP server and use the prefix delegation feature. But how it works ? How it is configured ?

R1 :

ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool POOLv6
 prefix-delegation pool p lifetime 180 120
 domain-name lucas.fr.eu.org

ipv6 local pool p 2001:DB8::/40 48

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex half
 ipv6 address 2A02::1/48
 ipv6 enable
 ipv6 dhcp server POOLv6


R1#   show ipv6 dhcp interface 
FastEthernet0/0 is in server mode
  Using pool: POOLv6
  Preference value: 0
  Hint from client: ignored
  Rapid-Commit: disabled
R1#

R2 :

interface FastEthernet0/0
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider

interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 ipv6 address prefix-from-provider ::1:0:0:0:1/64
 ipv6 enable

R2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

Debug trace on R2 (debug ipv6 dhcp) :

*May  3 22:36:11.859: IPv6 DHCP: Sending RENEW to FF02::1:2 on FastEthernet0/0
*May  3 22:36:11.859: IPv6 DHCP: DHCPv6 changes state from OPEN to RENEW (TIMEOUT) on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Received REPLY from FE80::C805:ADFF:FE80:0 on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Processing options
*May  3 22:36:11.879: IPv6 DHCP: Adding prefix 2001:DB8::/48 to prefix-from-provider
*May  3 22:36:11.883: IPv6 DHCP: T1 set to expire in 60 seconds
*May  3 22:36:11.883: IPv6 DHCP: T2 set to expire in 120 seconds
*May  3 22:36:11.883: IPv6 DHCP: DHCPv6 changes state from RENEW to OPEN (REPLY_RECEIVED) on FastEthernet0/0

We have acquired the prefix via PD aka Prefix Delegation feature :

R2#show ipv6 general-prefix 
IPv6 Prefix prefix-from-provider, acquired via DHCP PD
  2001:DB8::/48 Valid lifetime 158, preferred lifetime 98
   FastEthernet1/1 (Address command)
R2#

On R3 or R4 :

interface FastEthernet0/0
 no ip address
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
end


2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

If we debug we will see (debug ipv6 interface, debug ipv6 dhcp, debug ipv6 nd) :

May  3 22:05:01.335: ICMPv6-ND: Neighbour FE80::C806:ADFF:FE81:1D on FastEthernet0/0 : LLA ca06.ad81.001d
*May  3 22:05:01.335: ICMPv6-ND: INCMP -> STALE: FE80::C806:ADFF:FE81:1D
*May  3 22:05:01.335: IPv6-Address: intfid_algo is notactive on intf 4
*May  3 22:05:01.339: IPv6-Address: intfid_algo is active on intf 4
*May  3 22:05:01.339: IPv6-Address: Generating IntfID rc 0, prefix: 2001:DB8:0:1::/64, address 2001:DB8:0:1:C808:ADFF:FE85:0
*May  3 22:05:01.343: IPv6-Address: Prefix Information change for 2001:DB8:0:1::/64, 0x0 -> 0x1E0
*May  3 22:05:01.343: IPv6-Address: Adding prefix 2001:DB8:0:1::/64 to FastEthernet0/0
*May  3 22:05:01.343: IPv6-Address: Adding operating owner prefix configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Adding operating owner address configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0 configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Addrmgr-
R4(config-if)#ND: DAD request for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.347: ICMPv6-ND: Sending NS for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.351: ICMPv6-ND: Autoconfiguring 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.351: IPv6-Addrmgr-ND: DAD: 2001:DB8:0:1:C808:ADFF:FE85:0 is unique.
*May  3 22:05:02.351: ICMPv6-ND: Sending NA for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.355: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0/64 is up on FastEthernet0/0

Finally, we are able to ping the DHCPv6 server :

R4#ping ipv6 2A02::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/45/96 ms
R4#traceroute 2A02::1

Type escape sequence to abort.
Tracing the route to 2A02::1

  1 2001:DB8:0:1::1 12 msec 36 msec 12 msec
  2 2A02::1 8 msec 56 msec 36 msec
R4#

IP SLA operation

IP SLA is a great tool to automation some treatment. You could do great things with it. We will work on IP SLA Reaction here.

What is it ? You could launch some action on some state of an IP SLA. Such as (Even if it is not a good example) : some nested ping.

ip-sla-reaction

 

 

 

 

 

 

 

The job here, is to check R4 – R3 and R4 – R2 if IP SLA beetween R1 – R4 is awful.

We could do this such as :
R4 :

ip sla 1
 udp-jitter 10.1.12.1 3200 source-ip 10.1.43.4 source-port 6565 codec g711ulaw codec-size 128
 frequency 5
ip sla schedule 1 start now life forever 

ip sla 43 
 icmp-echo 10.1.43.3 source-ip 10.1.43.4
 frequency 5
ip sla schedule 43 start pending life 60

ip sla 42 
 icmp-echo 10.1.32.2 source-ip 10.1.43.4
 frequency 5
ip sla schedule 42 start pending life 60

ip sla reaction-trigger 1 43
ip sla reaction-trigger 43 42
ip sla reaction-configuration 1 react MOS threshold-type consecutive 4 threshold-value 390 220 action-type trapAndTrigger
ip sla reaction-configuration 43 react rtt threshold-value 100 50 threshold-type immediate action-type trapAndTrigger
ip sla reaction-configuration 42 react rtt threshold-value 100 50 threshold-type immediate action-type trapOnly

snmp-server host 10.1.1.1
snmp-server enable traps syslog

We do an analyze on each segment of path and if it fails on our condition, it traps it.

Obvisouly on R1 :

ip sla responder

CCIE R&S studies planner

I don’t know if it will really help someone but you can download here my CCIE planner spreadsheet : CCIE_Planner

It will provide you :

  • Monthly review based on CCIEv5 R&S blueprint ;
  • Planner from beginning point to your deadline lab attempt : it calculates how to organize your studies based on your initial self assessment ;
  • Daily organization ;
  • Weekly organization ;
  • Monthly organization ;
  • Yearly organization ;
  • Calculate your study time ;
  • IpExpert vol1 lab & topics ;
  • Logistics ;

It is provided as is and under GPLv2.

Have fun with your studies.

BGP rib-failure

I think everyone now what is a RIB-Failure in BGP context. It sounds obviously as an exact same route with a lowest AD as {e|i}BGP. We have VRF-Lite on R1 here :

Capture d’écran 2016-02-01 à 22.29.40

We have :

1#show ip bg vpnv4 vrf CUST
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf CUST)
 *>  10.1.1.1/32      12.0.0.2                 0             0 65002 ?
 *>  10.2.2.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.3.3.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.4.4.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.5/32      12.0.0.2                 0             0 65002 ?
 r>  10.6.6.6/32      12.0.0.2                 0             0 65002 ?
 r>  12.0.0.0/24      12.0.0.2                 0             0 65002 ?
R1#
R1#show ip route vrf CUST

Routing Table: CUST

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B        10.1.1.1 [20/0] via 12.0.0.2, 00:37:49
B        10.2.2.1 [20/0] via 12.0.0.2, 00:37:49
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Ethernet0/0
L        12.0.0.1/32 is directly connected, Ethernet0/0
R1#

So the only route we can have a RIB-Failure due to lowest AD is : 12.0.0.0/24. What is the problem with others ?
We can know this by using :

R1#show ip bg vpnv4 vrf CUST rib-failure
  Network            Next Hop                      RIB-failure   RIB-NH Matches
Route Distinguisher: 65001:1 (default for vrf CUST)
10.3.3.1/32        12.0.0.2                      Route limit              n/a
10.4.4.1/32        12.0.0.2                      Route limit              n/a
10.5.5.1/32        12.0.0.2                      Route limit              n/a
10.5.5.5/32        12.0.0.2                      Route limit              n/a
10.6.6.6/32        12.0.0.2                      Route limit              n/a
12.0.0.0/24        12.0.0.2            Higher admin distance              n/a
R1#

The problem is :

ip vrf CUST
 rd 65001:1
 maximum routes 4 80
!

You know surely now why it is in ‘RIB-Failure’ state…

BGP review – ‘received-only’ prefix state

Today a little review :

edge12.bor03>show ip bg 37.8.8.8
BGP routing table entry for 37.8.0.0/20, version 47221703
Paths: (3 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  15975, (received-only)
    17.69.240.117 from 17.69.240.117 (17.69.255.1)
      Origin IGP, metric 16, localpref 500, valid, internal
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.6)
      Origin IGP, localpref 100, valid, external, best
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.2)
      Origin IGP, localpref 100, valid, external
edge12.bor03>

Why the path through 17.69.240.117 is not used, although it is the a better path to 37.8.0.0/20 ?
Why is it marked as “received-only”

“Received-only” means as it says that this prefix is received, stored in Adj-IN, but cannot be selected for a valid prefix. Why ?

Lot of reasons. Commons are : route-maps, NEXTHOP not reachable…

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html

In my example, the problem is here : a route-map without an explicit permit.

Je dis aime, la haine je la jette… Bonne écoute Daesh ;)

Sorry, but this time it will be a french article.

Ce qu’il faut que la France reste :

  • Amour ;
  • Diversité culturelle ;
  • Fête ;
  • Liberté !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ;
  • Laïcité ;
  • Passions et liberté de les exprimer par toutes les manières que se soit dans le respect des autres ;

J'ai les méninges nomades 
J'ai le miroir maussade 
Tantôt mobile 
Tantôt tranquille
Je moissonne sans bousculade

Je dis Aime
Et je le sème
Sur ma planète
Je dis M
Comme un emblème
La haine je la jette

Je dis AIME, AIME, AIME

Du Sphinx dans mon rimeur
Paris au fil du cœur
Du Nil dans mes veines
Dans mes artères coule la Seine

Je dis Aime
Et je le sème
Sur ma planète
Je dis M
Comme un emblème
La haine je la jette

Je dis AIME, AIME, AIME

Pour le dehors le dedans
Pour l'après pour l'avant

Je dis Aime
Et je le sème
Sur ma planète
Je dis M
Comme un emblème
La haine je la jette

Je dis AIME, AIME, AIME