Hi,

It’s been a while I have posted a blog entry. A simple tip from IOS 12.4(20) to 12.4(24) and above to use OID “.1.3.6.1.4.1.9.10.77.1.2.3.0” to graph your NAT translations :


R(conf)# ip nat service enable-mib
%NAT: Old NAT-MIB support enabled
R(conf)#

HTH
++Christophe

R.I.P Jieff

You will be for me the guy who wrote this kind of post and talk technology with Remy Card (ext2).

Path: bga.com!news.sprintlink.net!pipex!oleane!univ-lyon1.fr!ensta!itesec!frmug.fr.net!renux.frmug.fr.net!marouchka.gna.org!not-for-mail
From: ji...@marouchka.gna.org (Jean-Francois Monnet)
Newsgroups: fr.comp.os.linux
Subject: Re: LINUX ET E-IDE
Date: 23 Nov 1994 08:43:22 +0100
Organization: Marouchka, A Private Linux Site, France
Lines: 23
Distribution: world
Message-ID: <3aurqq$3mb@marouchka.gna.org>
References: <3asg5c$sp0@imag.imag.fr>
Reply-To: mon...@dir.univ-rouen.fr (Jean-Francois Monnet)
NNTP-Posting-Host: marouchka.gna.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: TIN [version 1.2 PL2]

Yves Arrouye (arr...@petole.imag.fr) ecrit:

> Tu vas peut-etre pouvoir m'aider : je veux mettre un 3e disque (sur un 2e
> controleur). Mon 2e controleur ne tourne que sur irq 14, mais on peut changer
> les adresses des disques (il en a deux plages). Je n'arrive pas a ce que le
> patch reconnaisse gentiment mon 3e disque, quelque soit la config. Au secours
> ! Help !

	Chez moi, le deuxieme controleur n'a ete bien reconnu qu'a partir
du moment ou j'ai pris le fer a souder et devie la piste IRQ 14 -> IRQ 15,
comme explique dans la doc de l'archive atdisk2-0.9.tgz (ancien patch pour
gerer deux cartes controleur IDE). Je crois que cette doc n'est plus
fournie avec les patches ide-x.x*. Je peux te l'envoyer si tu ne trouves
pas l'archive atdisk. Car, meme avec deux adresses I/O differentes pour les
cartes, l'utilisation de la meme IRQ avec plus de 2 disques peut poser des
problemes.

> (Linux 1.1.64 + ide-2.5.patch-64+)

	Je tourne en 1.1.61 + ide-2.01.patch.61+.gz et ca roule sans pbs pour
l'IDE.
-- 
Marouchka - 76 Rouen

And a great linux kernel programmer (Telsat Turbo), rock’n roll & Nina Hagen fan.



Have fun with luxman…

++Jieff :-/


~Christophe

Site to site IKEv2 tunnel

Hello guys,

Here it is a tips / reminder how to implement an site-ot-site IKEv2 tunnel :

crypto ikev2 proposal aes-cbc-256-proposal 
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1 
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 description IKEv2 profile
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1

crypto ipsec transform-set myset esp-des esp-md5-hmac 

crypto map mymap 20 ipsec-isakmp 
 set peer y.y.y.y
 set security-association lifetime seconds 27000
 set transform-set ESP-AES-SHA 
 set ikev2-profile profile1
 match address 120

With ACL 120 is your flows / SA and your implement your crypto map on your WAN interface.

bwping patch (catching signals)

diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef __CYGWIN__
 #include "cygwin.h"
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
     }
 }
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+
+void sig_handler(int signo)
+{
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
+}
 
 int main (int argc, char **argv)
 {
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
 
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
+
+
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");

Download : patch-bwping-sig.diff

IPv6 prefix delegation feature

We will dive into IPv6 prefix delegation prefix.

First of all, we will make a real simple topology :

ipv6-delegation-simple

R1 acts as a DHCP server and use the prefix delegation feature. But how it works ? How it is configured ?

R1 :

ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool POOLv6
 prefix-delegation pool p lifetime 180 120
 domain-name lucas.fr.eu.org

ipv6 local pool p 2001:DB8::/40 48

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex half
 ipv6 address 2A02::1/48
 ipv6 enable
 ipv6 dhcp server POOLv6


R1#   show ipv6 dhcp interface 
FastEthernet0/0 is in server mode
  Using pool: POOLv6
  Preference value: 0
  Hint from client: ignored
  Rapid-Commit: disabled
R1#

R2 :

interface FastEthernet0/0
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider

interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 ipv6 address prefix-from-provider ::1:0:0:0:1/64
 ipv6 enable

R2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

Debug trace on R2 (debug ipv6 dhcp) :

*May  3 22:36:11.859: IPv6 DHCP: Sending RENEW to FF02::1:2 on FastEthernet0/0
*May  3 22:36:11.859: IPv6 DHCP: DHCPv6 changes state from OPEN to RENEW (TIMEOUT) on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Received REPLY from FE80::C805:ADFF:FE80:0 on FastEthernet0/0
*May  3 22:36:11.879: IPv6 DHCP: Processing options
*May  3 22:36:11.879: IPv6 DHCP: Adding prefix 2001:DB8::/48 to prefix-from-provider
*May  3 22:36:11.883: IPv6 DHCP: T1 set to expire in 60 seconds
*May  3 22:36:11.883: IPv6 DHCP: T2 set to expire in 120 seconds
*May  3 22:36:11.883: IPv6 DHCP: DHCPv6 changes state from RENEW to OPEN (REPLY_RECEIVED) on FastEthernet0/0

We have acquired the prefix via PD aka Prefix Delegation feature :

R2#show ipv6 general-prefix 
IPv6 Prefix prefix-from-provider, acquired via DHCP PD
  2001:DB8::/48 Valid lifetime 158, preferred lifetime 98
   FastEthernet1/1 (Address command)
R2#

On R3 or R4 :

interface FastEthernet0/0
 no ip address
 duplex half
 ipv6 address autoconfig default
 ipv6 enable
end


2#show ipv6 dhcp interface 
FastEthernet0/0 is in client mode
  Prefix State is OPEN
  Renew will be sent in 00:00:04
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::C805:ADFF:FE80:0
    DUID: 00030001CA05AD800000
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00040001, T1 60, T2 120
        Prefix: 2001:DB8::/48
                preferred lifetime 120, valid lifetime 180
                expires at May 03 2016 10:53 PM (125 seconds)
      Domain name: lucas.fr.eu.org
      Information refresh time: 0
  Prefix name: prefix-from-provider
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
R2#

If we debug we will see (debug ipv6 interface, debug ipv6 dhcp, debug ipv6 nd) :

May  3 22:05:01.335: ICMPv6-ND: Neighbour FE80::C806:ADFF:FE81:1D on FastEthernet0/0 : LLA ca06.ad81.001d
*May  3 22:05:01.335: ICMPv6-ND: INCMP -> STALE: FE80::C806:ADFF:FE81:1D
*May  3 22:05:01.335: IPv6-Address: intfid_algo is notactive on intf 4
*May  3 22:05:01.339: IPv6-Address: intfid_algo is active on intf 4
*May  3 22:05:01.339: IPv6-Address: Generating IntfID rc 0, prefix: 2001:DB8:0:1::/64, address 2001:DB8:0:1:C808:ADFF:FE85:0
*May  3 22:05:01.343: IPv6-Address: Prefix Information change for 2001:DB8:0:1::/64, 0x0 -> 0x1E0
*May  3 22:05:01.343: IPv6-Address: Adding prefix 2001:DB8:0:1::/64 to FastEthernet0/0
*May  3 22:05:01.343: IPv6-Address: Adding operating owner prefix configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Adding operating owner address configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0 configured on FastEthernet0/0
*May  3 22:05:01.347: IPv6-Addrmgr-
R4(config-if)#ND: DAD request for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.347: ICMPv6-ND: Sending NS for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:01.351: ICMPv6-ND: Autoconfiguring 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.351: IPv6-Addrmgr-ND: DAD: 2001:DB8:0:1:C808:ADFF:FE85:0 is unique.
*May  3 22:05:02.351: ICMPv6-ND: Sending NA for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May  3 22:05:02.355: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0/64 is up on FastEthernet0/0

Finally, we are able to ping the DHCPv6 server :

R4#ping ipv6 2A02::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/45/96 ms
R4#traceroute 2A02::1

Type escape sequence to abort.
Tracing the route to 2A02::1

  1 2001:DB8:0:1::1 12 msec 36 msec 12 msec
  2 2A02::1 8 msec 56 msec 36 msec
R4#

IP SLA operation

IP SLA is a great tool to automation some treatment. You could do great things with it. We will work on IP SLA Reaction here.

What is it ? You could launch some action on some state of an IP SLA. Such as (Even if it is not a good example) : some nested ping.

ip-sla-reaction

 

 

 

 

 

 

 

The job here, is to check R4 – R3 and R4 – R2 if IP SLA beetween R1 – R4 is awful.

We could do this such as :
R4 :

ip sla 1
 udp-jitter 10.1.12.1 3200 source-ip 10.1.43.4 source-port 6565 codec g711ulaw codec-size 128
 frequency 5
ip sla schedule 1 start now life forever 

ip sla 43 
 icmp-echo 10.1.43.3 source-ip 10.1.43.4
 frequency 5
ip sla schedule 43 start pending life 60

ip sla 42 
 icmp-echo 10.1.32.2 source-ip 10.1.43.4
 frequency 5
ip sla schedule 42 start pending life 60

ip sla reaction-trigger 1 43
ip sla reaction-trigger 43 42
ip sla reaction-configuration 1 react MOS threshold-type consecutive 4 threshold-value 390 220 action-type trapAndTrigger
ip sla reaction-configuration 43 react rtt threshold-value 100 50 threshold-type immediate action-type trapAndTrigger
ip sla reaction-configuration 42 react rtt threshold-value 100 50 threshold-type immediate action-type trapOnly

snmp-server host 10.1.1.1
snmp-server enable traps syslog

We do an analyze on each segment of path and if it fails on our condition, it traps it.

Obvisouly on R1 :

ip sla responder

CCIE R&S studies planner

I don’t know if it will really help someone but you can download here my CCIE planner spreadsheet : CCIE_Planner

It will provide you :

  • Monthly review based on CCIEv5 R&S blueprint ;
  • Planner from beginning point to your deadline lab attempt : it calculates how to organize your studies based on your initial self assessment ;
  • Daily organization ;
  • Weekly organization ;
  • Monthly organization ;
  • Yearly organization ;
  • Calculate your study time ;
  • IpExpert vol1 lab & topics ;
  • Logistics ;

It is provided as is and under GPLv2.

Have fun with your studies.

BGP rib-failure

I think everyone now what is a RIB-Failure in BGP context. It sounds obviously as an exact same route with a lowest AD as {e|i}BGP. We have VRF-Lite on R1 here :

Capture d’écran 2016-02-01 à 22.29.40

We have :

1#show ip bg vpnv4 vrf CUST
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf CUST)
 *>  10.1.1.1/32      12.0.0.2                 0             0 65002 ?
 *>  10.2.2.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.3.3.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.4.4.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.5/32      12.0.0.2                 0             0 65002 ?
 r>  10.6.6.6/32      12.0.0.2                 0             0 65002 ?
 r>  12.0.0.0/24      12.0.0.2                 0             0 65002 ?
R1#
R1#show ip route vrf CUST

Routing Table: CUST

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B        10.1.1.1 [20/0] via 12.0.0.2, 00:37:49
B        10.2.2.1 [20/0] via 12.0.0.2, 00:37:49
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Ethernet0/0
L        12.0.0.1/32 is directly connected, Ethernet0/0
R1#

So the only route we can have a RIB-Failure due to lowest AD is : 12.0.0.0/24. What is the problem with others ?
We can know this by using :

R1#show ip bg vpnv4 vrf CUST rib-failure
  Network            Next Hop                      RIB-failure   RIB-NH Matches
Route Distinguisher: 65001:1 (default for vrf CUST)
10.3.3.1/32        12.0.0.2                      Route limit              n/a
10.4.4.1/32        12.0.0.2                      Route limit              n/a
10.5.5.1/32        12.0.0.2                      Route limit              n/a
10.5.5.5/32        12.0.0.2                      Route limit              n/a
10.6.6.6/32        12.0.0.2                      Route limit              n/a
12.0.0.0/24        12.0.0.2            Higher admin distance              n/a
R1#

The problem is :

ip vrf CUST
 rd 65001:1
 maximum routes 4 80
!

You know surely now why it is in ‘RIB-Failure’ state…

BGP review – ‘received-only’ prefix state

Today a little review :

edge12.bor03>show ip bg 37.8.8.8
BGP routing table entry for 37.8.0.0/20, version 47221703
Paths: (3 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  15975, (received-only)
    17.69.240.117 from 17.69.240.117 (17.69.255.1)
      Origin IGP, metric 16, localpref 500, valid, internal
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.6)
      Origin IGP, localpref 100, valid, external, best
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.2)
      Origin IGP, localpref 100, valid, external
edge12.bor03>

Why the path through 17.69.240.117 is not used, although it is the a better path to 37.8.0.0/20 ?
Why is it marked as “received-only”

“Received-only” means as it says that this prefix is received, stored in Adj-IN, but cannot be selected for a valid prefix. Why ?

Lot of reasons. Commons are : route-maps, NEXTHOP not reachable…

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html

In my example, the problem is here : a route-map without an explicit permit.