Narbik + Scott 12-day CCIE RS Bootcamp in Sydney

Posted on by
2

Considering that the Lab exam date is approaching and I’m having difficulty to cram all of those information in one brain (and keeping it there), I’m planning to join a bootcamp. The good news is, Narbik Kocharians and Scott Morris are coming to Sydney on April 11 – 22, 2011 to teach CCIE RS 12-day bootcamp. At least, based on this announcement by Eman.

This is still a plan considering few things that I need to clarify with CCIE Flyer and Narbik. Hopefully, this training can boost my study to gain the tech level I need on the 31 May 2011.

Anyone joining this Sydney Bootcamp? feel free to email me – davidsudjiman (at) gmail (dot) com

Cisco IOS BGP Path Selection

Posted on by
Reply

Specifically in Cisco IOS, BGP chooses the best routes available using these few steps.

1. Next Hop.

NEXT_HOP attribute is a BGP well-known mandatory attribute. This attribute is included in any BGP updates. When seeing a route the router checks whether the NEXT_HOP attribute is reachable. This NEXT_HOP is not necessarily a directly connection but can also be several hops away which can be reach via IGP. If the NEXT_HOP is not reachable, then the route will not be considered to be the best route candidate.

2. Highest WEIGHT.

This attribute is Cisco-specific BGP Parameter and is not advertised to other peering.

If 1 router has two exit points for the same route, the router will check which one of these exit points has the highest WEIGHT. The WEIGHT number is between 0 – 65535. By default, all routes learned from a peer will have WEIGHT of 0 and all routes generated by local router have a WEIGHT of 32,768

3. Highest LOCAL PREFERENCE.

LOCAL_PREF is short for LOCAL PREFERENCE. This is a BGP well-known discretionary attribute and used only in updates between internal BGP peers. It is not passed to other autonomous systems. The routers in the same autonomous system will get all of the routes with LOCAL_PREF attribute value and choose one of the highest LOCAL_PREF attribute value to the best route. A path without LOCAL_PREF is considered to have had the value set with the bgp default local-preference command, or to have a value of 100 by default. LOCAL_PREF attribute affects only for traffic leaving the AS

4. Locally originated prefixes.

The router will look for route that is locally generated. That is, prefer the route that was learned from an IGP on the same router using network, aggregate, or redistribute. In Cisco, locally generated routes have WEIGHT of 32,768. Therefore making this selection superfluous.

5. Shorter AS_PATH.

AS_PATH is a BGP well-know mandatory attribute that uses a sequence os AS numbers to describe the inter-AS path, or route, to the destination . This attribute is included in all BGP updates. The router checks the routes which has the shorter AS_PATH sequence and use it as the best path.

6. Lowest numerical value of the Origin code (IGP<EGP<Imcomplete).

The router chosses the route with the lowest origin code. That is, IGP has lower (better) value than EGP, EGP has lower (better) value than INCOMPLETE.

IGP means the routes are generated using network or aggregate command. This appears as “i” in BGP table output.

EGP means the routes were received from EGP peers.

“INCOMPLETE” means the source could not be determined

7. Lowest MED.

MED, also know as MULTI_EXIT_DISC (Multi Exit Discriminator) is a BGP optional-nontransitive attribute. This attribute is not necesarrily known by peers. BGP peers can ignore the update in which it is included and not advertise the path to its other peers.

To influence incoming traffic, the MED is used to inform another AS of its preferred ingress point. MED works by modifying the outgoing updates to another AS. Once received, the next AS will see that there is a recommended path based on its MED. This MED would only be included in the local receiving AS and would not go beyond its AS.

Router will choose to use the lowest MED value (also known as METRIC) between available routes.

8. Prefer eBGP over iBGP.

Router will choose eBGP routes over iBGP. If there are more than one eBGP routes then go to step 8b. However, if non eBGP routes were available and there are more than one iBGP routes then go to step 8a.

8a. Smallest IGP metric to reach the NEXT_HOP IP Addr
8b. When more than 1 routes are external, prefer the oldest path
9. Path originated from the routers with the lowest BGP Router ID

Note about path attributes.

Well-known mandatory attribute. Must be included in all BGP updates.

Well-know discretionary attribute. May or may not be sent in a specific updates.

Optional transitive. BGP implementation is not required to support this attribute. a BGP process should accept the path in which it is included, even if ti doesn’t support the attribute, and it should pass the path on to its peers.

Optional nontransitive. BGP implementation is not required to support this attribute. a BGP process that doesn not recognize the attribute can quitely ignore the Update in which it is included and not advertise the path to its other peers.

ORIGIN – Well-known mandatory

AS_PATH – Well-known mandatory

NEXT_HOP – Well-known mandatory

LOCAL_PREF – Well-known discretionary

ATOMIC_AGGREGATE – Well-known discretionary

AGGREGATOR – Optional transitive

COMMUNITY – Optional transitive

MULTI_EXIT_DISC (MED) – Optional nontransitive

ORIGINATOR_ID – Optional nontransitive

CLUSTER_LIST – Optional nontransitive

Resources.

BGP Best Path Selection Algorithm

Routing TCP/IP, Volume II (CCIE Professional Development)

How BGP Selects Paths

Lab Exam Date, Booked!

Posted on by
4

It is really surprising to feel the difference given that I’ve booked my CCIE RS Lab exam for 31 May 2011. This is the 18th month since I passed my CCIE RS Written and I cannot postpone this anymore.

Previously I kept saying that I would take my exam, one day. That’s actually the sign that I was not really ready to tackle this. Having the lab date set makes you cannot back off anymore for any reason.

Spending my Christmas and Year-end 2010 was really giving the traction to get this thing out of my way. There was actually some moments that I doubted myself and question the purpose of this long and dreading journey.

I was so frustrated to start INE WB2 lab1 and spend a week to finish that. What the hell was wrong with me, this lab was the easiest and I had to finish that in less than 8 hours. Hence my WB1 preparation that took 2 years didn’t actually give me the technical confidence as I keep forgetting things, or did it?

I was wrong! I was quite surprised that I could do my 30 OSPF labs within 3 days while it took me months just to make those OSPF labs sane. I do remember, not the most of it, but I do remember.

Yeah, been there done that. I’ve done enough excuses to justify why I should not move on and given up. Hey, CCIE is just not for anybody. I guess I just need to do it and give all my best to it. There’s just too much at stake and I’ve invested a lot of money and time. I would be a fool If I gave up knowing that I’m not that far behind. Everybody who passed this exam have the story of their life and I need to have my own story. I will have my own story.

I’m starting to enjoy my rhythm by spending at least 6 hours for study each day and taking a break every now and then spending time with my wife.

From this point forward, I’ll try my best to keep the rhythm steady and would need to advertise to all of my friends for the 100th times that I need to skip that dinner. Well, sorry mate!

This time, I’m following INE suggestion and see whether I can advancing more.

Nothing fancy, I just need to do it. No questions asked!

All right! This is it! Now you all know me, so I’m going to say this as simply as I can. If it’s our time to die, it’s our time. All I ask is, if we have to give these bastards our lives… WE GIVE ‘EM HELL BEFORE WE DO! – Matrix Revolutions

Why GRE is needed for IPSec VPN?

Posted on by
Reply

I paused a bit during my QoS study and hitting this qos pre-classify command. My question is, why would we need GRE/Tunnelling to create IPSec VPN? I managed to get my IPSec VPN working without GRE/Tunnelling and it keeps me even wondering why.

I’d been searching everywhere but I guess I didn’t get the right keyword to match. Apparently, multicast ipsec were the keywords as I found it on Cisco Doco.

IPsec Deployment with Point-to-Point GRE

Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:

  • IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
  • IPmc [IP Multicast] is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this mode of operation.

Until the introduction of IPsec Virtual Tunnel Interface (VTI), IPsec tunnels were not logical tunnel interfaces for routing purposes. A point-to-point (p2p) GRE tunnel, on the other hand, is a logical router interface for purposes of forwarding IP (or any other network protocol) traffic. A tunnel interface can appear as a next-hop interface in the routing table.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/V3PNIPmc.html#wp349808

MLP LFI on Serial Link; Configuration Example

Posted on by
Reply 
!!! R4
interface Multilink1
 bandwidth 128
 ip address 155.13.45.4 255.255.255.0
 ip rip advertise 10
 fair-queue
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
 ppp multilink fragment delay 10
end

interface Serial0/1/0
 bandwidth 128
 no ip address
 encapsulation ppp
 ip tcp header-compression
 load-interval 30
 no fair-queue
 clock rate 128000
 ppp multilink
 ppp multilink group 1
end

!!! R5

interface Multilink1
 ip address 155.13.45.5 255.255.255.0
 ip rip advertise 10
 fair-queue
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
 ppp multilink fragment delay 10
end

interface Serial0/1/0
 bandwidth 128
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 ppp multilink group 1
end

Verification

!!! R4

R4#sh ppp multilink
Multilink1
  Bundle name: R5
  Remote Endpoint Discriminator: [1] R5
  Local Endpoint Discriminator: [1] R4
  Bundle up for 00:15:12, total bandwidth 128, load 33/255
  Receive buffer limit 12000 bytes, frag timeout 1000 ms
  Interleaving enabled
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x5DE9 received sequence, 0x8244 sent sequence
  Member links: 1 active, 0 inactive (max not set, min not set)
    Se0/1/0, since 00:15:12, 160 weight, 152 frag size
No inactive multilink interfaces

R4#sh int s0/1/0
Serial0/1/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 128 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 13/255, rxload 11/255
  Encapsulation PPP, LCP Open, multilink Open
  Link is a member of Multilink bundle Multilink1, loopback not set
  Keepalive set (10 sec)
  CRC checking enabled
  Last input 00:00:09, output 00:00:04, output hang never
  Last clearing of "show interface" counters 01:37:19
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 6000 bits/sec, 11 packets/sec
  30 second output rate 7000 bits/sec, 11 packets/sec
     74352 packets input, 5015177 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     85309 packets output, 7605592 bytes, 0 underruns
     0 output errors, 0 collisions, 9 interface resets
     1 unknown protocol drops
     1 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     19 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

R4#sh int multilink 1
Multilink1 is up, line protocol is up
  Hardware is multilink group interface
  Internet address is 155.13.45.4/24
  MTU 1500 bytes, BW 128 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, CDPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 2 seconds on reset
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters 01:37:46
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 539
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/539 (size/max total/threshold/drops)
     Conversations  0/3/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 6 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     27574 packets input, 1624852 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     23371 packets output, 4200099 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 unknown protocol drops
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

!!! R5

R5#sh ppp multilink
Multilink1
  Bundle name: R4
  Remote Endpoint Discriminator: [1] R4
  Local Endpoint Discriminator: [1] R5
  Bundle up for 00:16:40, total bandwidth 128, load 1/255
  Receive buffer limit 12000 bytes, frag timeout 1000 ms
  Interleaving enabled
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x8666 received sequence, 0x61E7 sent sequence
  Member links: 1 active, 0 inactive (max not set, min not set)
    Se0/1/0, since 00:16:40, 160 weight, 152 frag size
No inactive multilink interfaces

R5#sh int s0/1/0
Serial0/1/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 128 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 3/255
  Encapsulation PPP, LCP Open, multilink Open
  Link is a member of Multilink bundle Multilink1, loopback not set
  Keepalive set (10 sec)
  CRC checking enabled
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 01:38:33
  Input queue: 0/75/1/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 5 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     86437 packets input, 7687360 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     75447 packets output, 5091445 bytes, 0 underruns
     0 output errors, 0 collisions, 6 interface resets
     0 unknown protocol drops
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     14 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

R5#sh int multilink 1
Multilink1 is up, line protocol is up
  Hardware is multilink group interface
  Internet address is 155.13.45.5/24
  MTU 1500 bytes, BW 128 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 5/255, rxload 7/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, CDPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 2 seconds on reset
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters 01:39:01
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 4000 bits/sec, 3 packets/sec
  5 minute output rate 3000 bits/sec, 3 packets/sec
     25132 packets input, 4064849 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     29325 packets output, 1916796 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 unknown protocol drops
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Source Using Multilink PPP over Serial Interface Links

Cannot use next-hop-self as a route-reflector?

Posted on by
1

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_bgpnh.html#wp1043334

Do not use the neighbor next-hop-self command to modify the next hop attribute for a route reflector when this feature is enabled for a route reflector client. Using the neighbor next-hop-self command on the route reflector will modify next hop attributes only for routes that are learned from eBGP peers and not the intended routes that are being reflected from the route reflector clients. To modify the next hop attribute when reflecting a route, use an outbound route map.

Loopback interface in OSPF

Posted on by
Reply

What is so special about a loopback interface in OSPF? For example that we create a loopback9 – 9.9.9.9/32 and lo99 – 99.99.99.99/24 and make these addresses available throughout the OSPF domain.

There are two ways to make these addresses available throughout the OSPF domain.

The first one is to include this to the OSPF process as below

int lo9
 ip addr 9.9.9.9 255.255.255.255
 ip ospf 1 a 2
int lo99
 ip addr 99.99.99.99 255.255.255.0
 ip ospf 1 a 2
exit

or you can use the good-old network command

int lo9
 ip addr 9.9.9.9 255.255.255.255
int lo99
 ip addr 99.99.99.99 255.255.255.0
exit

router ospf 1
 net 9.9.9.9 0.0.0.0 a 2
 net 99.99.99.99 0.0.0.0 a 2
exit

Interestingly, we’re seeing a network type as LOOPBACK and it is treated as a stub host.

Rack1SW3#sh ip ospf int lo9
Loopback9 is up, line protocol is up
  Internet Address 9.9.9.9/32, Area 2
  Process ID 1, Router ID 150.1.9.9, Network Type LOOPBACK, Cost: 1
  Enabled by interface config, including secondary ip addresses
  Loopback interface is treated as a stub Host
Rack1SW3#sh ip ospf int lo99
Loopback99 is up, line protocol is up
  Internet Address 99.99.99.99/24, Area 2
  Process ID 1, Router ID 150.1.9.9, Network Type LOOPBACK, Cost: 1
  Enabled by interface config, including secondary ip addresses
  Loopback interface is treated as a stub Host

More interestingly, as we know that those addresses are advertised as stub, therefore we should see those addresses were advertised as /32 subnet.

Rack1R5(config-router)#do sh ip route 9.9.9.9
Routing entry for 9.9.9.9/32
  Known via "ospf 1", distance 110, metric 67, type inter area
  Last update from 155.1.0.3 on Serial0/0, 00:00:18 ago
  Routing Descriptor Blocks:
  * 155.1.0.3, from 150.1.3.3, 00:00:18 ago, via Serial0/0
      Route metric is 67, traffic share count is 1

Rack1R5(config-router)#do sh ip route 99.99.99.99
Routing entry for 99.99.99.99/32
  Known via "ospf 1", distance 110, metric 67, type inter area
  Last update from 155.1.0.3 on Serial0/0, 00:03:45 ago
  Routing Descriptor Blocks:
  * 155.1.0.3, from 150.1.3.3, 00:03:45 ago, via Serial0/0
      Route metric is 67, traffic share count is 1

NOTE. We can actually make 99.99.99.99/24 advertised as /24 by changing the OSPF network type as below

int lo99
 ip addr 99.99.99.99 255.255.255.0
 ip ospf network-type point-to-point
exit

Also, from the above result, we can see that the area type is Inter Area, which mean it is advertised as OSPF Inter Area

Rack1R5(config-router)#do sh ip route | i _9.
     99.0.0.0/32 is subnetted, 1 subnets
O IA    99.99.99.99 [110/67] via 155.1.0.3, 00:17:19, Serial0/0
     9.0.0.0/32 is subnetted, 1 subnets
O IA    9.9.9.9 [110/67] via 155.1.0.3, 00:13:57, Serial0/0

From the above examples, we know that:
1. OSPF network type loopback will be advertised as stub (/32), and
2. will have route type as inter area.

The second example to make these addresses available throughout the OSPF domain is to redistribute these addresses into OSPF process.

int lo9
 ip addr 9.9.9.9 255.255.255.255
int lo99
 ip addr 99.99.99.99 255.255.255.0
exit

router ospf 1
 redistribute connected subnets
exit

If we try to see whether these interfaces are in the OSPF process, that’s just not possible. The reason is that these two addresses is not actually included int the OSPF process yet we only redistribute it into OSPF process. Just like any other routing protocol that we redistribute into OSPF domain. Check out the example below.

Rack1SW3#sh ip ospf int lo9
%OSPF: OSPF not enabled on Loopback9
Rack1SW3#sh ip ospf int lo99
%OSPF: OSPF not enabled on Loopback99

However, remember that when we redistribute something into OSPF it will have:
1. LSA type 7, which will be injected by ASBR, and which eventually will be translated to 

Rack1SW3#sh ip ospf d self-originate

            OSPF Router with ID (150.1.9.9) (Process ID 1)
<ommitted>…
		Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
9.9.9.9         150.1.9.9       434         0x80000001 0x0063BB 0
99.99.99.0      150.1.9.9       434         0x80000001 0x000910 0
<ommitted>...

2. LSA type 5 by ABR.

Rack1R5#sh ip ospf d          

            OSPF Router with ID (150.1.5.5) (Process ID 1)
<ommitted>...
                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
9.9.9.9         150.1.6.6       588         0x80000001 0x001F10 0
99.99.99.0      150.1.6.6       599         0x80000001 0x00C464 0
<ommitted>...

3. Route type as External type 2 (E2), and it maintains its subnet information and metric (by default is 20).

Rack1R5#sh ip route 9.9.9.9
Routing entry for 9.9.9.9/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 67
  Last update from 155.1.0.3 on Serial0/0, 00:14:36 ago
  Routing Descriptor Blocks:
  * 155.1.0.3, from 150.1.6.6, 00:14:36 ago, via Serial0/0
      Route metric is 20, traffic share count is 1

Rack1R5#sh ip route 99.99.99.99
Routing entry for 99.99.99.0/24
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 67
  Last update from 155.1.0.3 on Serial0/0, 00:14:42 ago
  Routing Descriptor Blocks:
  * 155.1.0.3, from 150.1.6.6, 00:14:42 ago, via Serial0/0
      Route metric is 20, traffic share count is 1

Note. We can change this default behaviour E2 with command redistribute connected subnets metric-type 1 which, unlike E2, E1 will change its metric information every time it passes L3 device.

Is it hard?

Posted on by
Reply

I’m not trying to diminish the effort that we’re, mere mortal, trying to get our CCIE. I should be ashamed to myself If I can even think that getting and being a CCIE is hard.

Bart Bunting, right, of Australia, and his guide, Nathan Chivers, ski in the men’s giant slalom visually impaired event during the Winter Paralympic Games in Whistler, British Columbia on March 16, 2010. (AP Photo/The Canadian Press, Jonathan Hayward)

More about Bart Bunting.

Picture taken from here