These are some notes to install Cisco VIRL version 0.9.17 (file virl.0.9.17.pc.ova) on VMware Fusion Professional Version 7.1.1 on MAC OSX Mavericks version 10.9.5. If you happen to hit this page, I’m sure you’re also having an issue with it. So, I thought I should write down some notes here.
Cisco ISE can be quite challenging for some, and here are some notes from when I was testing an ISE for upgrade.
I had been using a Samsonite laptop backpack since 2008. It has just this little problem: it does not have padding on the bottom corner of the laptop compartment. It’s not really a big deal, and I was quite happy with it, until I dropped it exactly on that corner. See the photo below and you’ll know how bad it was.
If you’re tasked to configure an Internet router, what features/services would you usually put in? You most definitely require NAT for LAN to Internet IP address translation, ACLs for blocking unnecessary traffic from the Internet to the LAN, and maybe a bit of router hardening by locking down some unnecessary services and the management/control plane.
A note to myself.
It’s been a little more than a year since I wrote a post to my blog. Quite a few things happened in my life and priorities change.
I decided to postpone my CCIE RS lab for some time after several failed attempts. No, I’m not giving up yet; it’s just better for myself and my family that I take a pause from it until we’re sure I can dedicate myself to it.
Just a little note for SVI Access-List (or Cisco calls it Router ACL on SVI).
Three routers configured as below.
```
! R1
int f0/0
 ip addr 188.8.131.52 255.255.255.0
 no shut
router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
! R2
int vlan 100
 ip addr 184.108.40.206 255.255.255.0
int f1/0
 switchport mode access
 switchport access vlan 100
int f0/0
 ip addr 220.127.116.11 255.255.255.0
router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
! R3
int f0/0
 ip addr 18.104.22.168 255.255.255.0
 no shut
router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
ip http server
```
I’m testing the access-list on the SVI with ICMP and HTTP from R1 (22.214.171.124) to R3 (126.96.36.199) and checking the matches on the ACL. I’m expecting that HTTP access will be denied and ICMP will be allowed.
The direction of the access-list on the SVI (inbound or outbound) was tested as below.
```
! R2
Extended IP access list ACL
    10 deny tcp host 188.8.131.52 host 184.108.40.206 eq www
    20 permit ip any any (1 match)
int vlan 100
 ip access-group ACL out
! RESULT. ICMP and HTTP access are both OK
```

```
! R2
Extended IP access list ACL
    10 deny tcp host 220.127.116.11 eq www host 18.104.22.168
    20 permit ip any any (5 matches)
int vlan 100
 ip access-group ACL in
! RESULT. ICMP and HTTP access are both OK
```

```
! R2
Extended IP access list ACL
    10 deny tcp host 22.214.171.124 eq www host 126.96.36.199 (6 matches)
    20 permit ip any any
interface Vlan100
 ip access-group ACL out
! RESULT. ICMP OK, HTTP access is opened then timed-out.
```

```
! R2
Extended IP access list ACL
    10 deny tcp host 188.8.131.52 host 184.108.40.206 eq www (3 matches)
    20 permit ip any any
interface Vlan100
 ip access-group ACL in
! RESULT. ICMP OK, HTTP access is UNREACHABLE
```
Summary. The rules of thumb for the direction of the ACL on the SVI above are:
ACL always have the form of
- If it’s INBOUND (“ip access-group ACL out”), then it means “It’s going OUT TO the VLAN100 access ports.”
- If it’s OUTBOUND (“ip access-group ACL in”), then it means “It’s going AWAY from the VLAN100.”
As confusing as this can be, I prefer to use VLAN ACCESS-MAP.
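The four tests above can be reproduced with a small model of how R2 consults an SVI ACL. This is an added example, not part of the original notes: the addresses are constructed, the names (`DenyTcp`, `probe`, and so on) are hypothetical, and it assumes R1 sits on a VLAN 100 access port with R3 behind R2's routed interface, which is what the test results imply.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (not the page's): R1 is in VLAN 100, R3 is behind R2's routed port.
R1, R3 = "10.0.100.1", "10.0.23.3"
VLAN100_HOSTS = frozenset({R1})

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class DenyTcp:
    """Entry 10 of the ACL; entry 20 is always 'permit ip any any'."""
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == "tcp" and (p.src, p.dst) == (self.src, self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def svi_direction(p: Packet) -> str:
    # "in": arrived from a VLAN 100 port and is being routed away from the VLAN.
    # "out": was routed by R2 and is leaving toward the VLAN 100 access ports.
    return "in" if p.src in VLAN100_HOSTS else "out"

def permitted(p: Packet, deny: DenyTcp, applied: str) -> bool:
    # The ACL is consulted only for packets crossing the SVI in the applied direction.
    return svi_direction(p) != applied or not deny.matches(p)

def probe(deny: DenyTcp, applied: str) -> tuple:
    """Return (icmp, http) outcomes for R1 -> R3, as in the four tests."""
    echo, reply = Packet("icmp", R1, R3), Packet("icmp", R3, R1)
    syn, synack = Packet("tcp", R1, R3, 40000, 80), Packet("tcp", R3, R1, 80, 40000)
    icmp = "ok" if permitted(echo, deny, applied) and permitted(reply, deny, applied) else "blocked"
    if not permitted(syn, deny, applied):
        http = "unreachable"   # SYN dropped at the SVI, never reaches R3
    elif not permitted(synack, deny, applied):
        http = "timeout"       # SYN arrives, SYN-ACK is dropped on the way back
    else:
        http = "ok"
    return icmp, http

TO_WWW = DenyTcp(R1, R3, dport=80)     # deny tcp host R1 host R3 eq www
FROM_WWW = DenyTcp(R3, R1, sport=80)   # deny tcp host R3 eq www host R1
```

Calling `probe(TO_WWW, "in")` corresponds to the last test, the only combination that stops the HTTP request before it reaches R3.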
For egress, a router interface uses two queues. The first, the output queue, is a software queue like the input queue. The default queuing mechanism is FIFO, and it can be changed to WFQ or CBWFQ. The default size of this queue is 40 packets.
```
Rack1R1#sh int e0/0 | i queue
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
Rack1R1# sh int e0/0 | i Queueing
  Queueing strategy: fifo
```
We know that router interfaces use CEF switching on all interfaces. When the CPU is too busy to switch new incoming packets, these packets are stored in the input queue. There is only one input queue, and its queuing mechanism is always FIFO. By default, the queue holds a maximum of 75 packets. This value can be changed with `hold-queue <value> in` under the interface. If the input queue is full and the CPU is still not able to switch the packets, new incoming packets will be dropped.
```
R1#sh int f0/0
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
R1#conf t
R1(config)#int f0/0
R1(config-if)#hold-queue 100 in
R1(config-if)#^Z
R1#sh int f0/0
  Input queue: 0/100/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
! This is OUTPUT Queuing mechanism.
```
By default, IPv6 addresses configured on an interface are advertised in Router Advertisements (RA). The command `ipv6 nd prefix` will block the RA for the specified prefix. The command `ipv6 nd prefix <IPv6> 14400 14400 no-autoconfig` will advertise the prefix with the A-bit (AUTOCONFIG) cleared.
This works for scenarios where you want to block the RA for a specific address (no-advertise) or just want to block a specific address from being used for stateless auto-configuration (no-autoconfig).
In addition, by default, RAs are automatically advertised on Ethernet or FDDI interfaces (but not on other types of interface). `ipv6 nd ra suppress` will suppress periodic unsolicited RAs, but it does not suppress RAs sent in response to a Router Solicitation (RS). Use `ipv6 nd ra suppress all` to suppress all.
- Higher priority value (0-255) is better.
- Default value is 1.
- Can be set via the neighbor command or the interface command.
- The neighbor command sets the neighbor priority while the interface command sets its own interface priority. Thus, the two commands will not interfere with each other. Again, one is for the neighbor and the other is for its own interface.
- If the local interface priority is set and the other router uses the neighbor priority command, then the interface priority will take precedence.