How to configure BFD?

Bi-directional Forwarding Detection (BFD) is the technology responsible to detect the link down in the milliseconds region. It is important to be used specially in Datacenter, where any link failure should be detected very fast so the network can converge. This of course requires a proper redundant network otherwise there would be not much of convergence going on.

The configurations are very simple.

interface Ethernet0/1
ip address 155.1.146.4 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
!
router eigrp 100
bfd interface Ethernet0/1
network 0.0.0.0
no auto-summary

First, create the instance of BFD in the interface, then associate that instance within the router process with the interface.

Hope this was informative.

How to add reliable default route with RIP?

Adding reliable default route with RIP

The command for distributing a default route into RIP process is very straight forward.  Lets go with the syntax straight away.

router rip
default-information originate route-map RELIABLE
!
route-map RELIABLE permit 10
match ip address prefix-list DUMMY_TRACKED
set interface Serial 1/0
!
ip prefix-list DUMMY_TRACKED seq 5 permit 10.10.10.10/32
!
ip route 10.10.10.10 255.255.255.255 null0 track 1

Here we have added a route map to the default-information command. This route map will match an ip address. This IP address is the Route. That means, IF that route (10.10.10.10) is in the routing table, then distribute the default route. This can be used with real routes, or as in our case with dummy route. Second is command “set” is telling the router on which interface advertise the default route.

So we have created a dummy route, and tracking it with IP SLA. The interesting twist here, is that the SLA is for real interface.

ip sla 1
icmp-echo 200.1.2.3. source-interface s1/1
frequency 1
timeout 50
!
ip sla schedual 1 start now life forever
!
track 1 ip sla 1

So, if the real route goes down, the dummy route will be out. Once that happened, the default-information command will cease to work.

How to filter routes in RIP?

Filtering routes in RIP

Although rip is not the best routing protocols, the mechanism of filtering routes can be applied to other routing protocols a well. My personal advice will be to stay away as much as possible from RIP. RIP is a routing loop magnet, you never know when you created a loop by yourself.

In this entry, I would like to mention two methods that i found interesting, cause it will be helpful even in later as we go on. Lets read the syntax below

Router rip
distribute-list 100 in serial 1/0
!
access-list 100 deny ip host 10.254.0.10 host 192.168.1.0
access-list 100 permit ip any any

in the rip process i have included a distribute-list. This list has to statements. The second one to permit all route updates to be installed in the routing table that are coming from Interface Serial 1/0. The first access list deny route to network 192.168.1.0 which is advertised by 10.254.0.10

Keep in mind that distribute-list can be used with BGP and it has different meaning! so lets summarize this

access list 100 deny ip host x.x.x.x (router) host y.y.y.y (Network) ————- IN IGB
access list 100 deny ip host x.x.x.x (network) host y.y.y.y (mask) ————– IN BGP

How to configure Frame-Relay Switching?

For some reason i thought that i have written an entry for Frame-Relay switching. But the records show none. So here it comes.

During studies of CCIE, you might need to configure a Router to act as a frame-relay switch. The configurations are very simple and straight forward. There is the old IOS way, where configurations are done on the interface command line. The new way is by using the command connect from the global

The network diagram is shown. It is simple yet enough to demonstrate the configurations for the purpose in hand.

To configure FR switch, use the following commands.

config t

frame-relay switching

interface Serial1/2
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay intf-type dce
exit

interface Serial1/3
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay intf-type dce
exit

connect R1_R2 serial 1/2 132 serial 231

Or alternatively, the old IOS commands can be used.

interface Serial1/2
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay intf-type dce
frame-relay route 132 interface Serial1/3 231
exit

interface Serial1/3
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay intf-type dce
frame-relay route 231 interface Serial1/2 132
exit

While the configurations for R1 and R2 are straight and simple.

R1 will utilize the inverse ARP. R2 will disable inverse ARP and use static ARP mapping.

R1
conf t
interface Serial1/1
ip address 155.1.12.1 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
end

R2
conf t
interface Serial1/1
ip address 155.1.12.2 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
frame-relay map ip 155.1.12.1 231
no frame-relay inverse-arp
end

With this, the configurations are done. Simple yet important to be ready for CCIE lab exam.

How to Configure PPPoE?

This is one of the interesting things i have learned in past week. PPP over Ethernet (PPPoE). It is simple, yet tricky. It also has a limitation that network engineers might not know which will bring their network down.

Lets see a sample configuration of how to do it. First, configure one Router to be the client (dialer) that will ask for ip address through DHCP. We have configured Chap Authentication as well. Remember, that since we are running PPPoE, a virtual Dialer (interface) has to be configured with all the details, and lastly applied to the Ethernet interface.

R4(config)#interface Dialer1

R4(config-if)# ip address dhcp

R4(config-if)# encapsulation ppp

R4(config-if)# dialer pool 6

R4(config-if)# ppp chap hostname R4

R4(config-if)# ppp chap password 0 cisco

R4(config-if)#exit

R4(config)#interface Ethernet0/1

R4(config-if)# no ip address

R4(config-if)# pppoe enable

R4(config-if)# pppoe-client dial-pool-number 6

Second, we would configure the other Router with DCHP scope, and to be the server for PPPoE. We would also configure local username and password for chap authentication.

R6(config)#interface Virtual-Template1

R6(config-if)# ip address 155.1.146.6 255.255.255.0

R6(config-if)# peer default ip address dhcp-pool VLAN146

R6(config-if)# ppp authentication chap

R6(config-if)# exit

R6(config)#ip dhcp pool VLAN146

R6(dhcp-config)#   network 155.1.146.0 255.255.255.0

R6(dhcp-config)#exit

R6(config)#bba-group pppoe MYPPP

R6(config-bba-group)# virtual-template 1

R6(config-bba-group)#exit

R6(config)#interface Ethernet0/1

R6(config-if)# no ip address

R6(config-if)# pppoe enable group MYPPP

Lets try some pings

R6(config)#bba-group pppoe MYPPP

R6(config-bba-group)# virtual-template 1

R6(config-bba-group)#e

*Sep 22 18:30:41.911: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

*Sep 22 18:30:42.923: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

R6(config-bba-group)#exit

We notice that the ping command for size 1500 failed. Lets find out why.

R6#show int virtual-access 2.1

Virtual-Access2.1 is up, line protocol is up

Hardware is Virtual Access interface

Internet address is 155.1.146.6/24

MTU 1492 bytes, BW 100000 Kbit/sec, DLY 100000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Open: IPCP

PPPoE vaccess, cloned from Virtual-Template1

Vaccess status 0×0

Keepalive set (10 sec)

72 packets input, 11972 bytes

70 packets output, 9604 bytes

Last clearing of “show interface” counters never

While at R4 we have.

R4#show int dialer 1

Dialer1 is up, line protocol is up (spoofing)

Hardware is Unknown

Internet address is 155.1.146.2/24

MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Closed, loopback not set

Keepalive set (10 sec)

DTR is pulsed for 1 seconds on reset

Interface is bound to Vi1

Last input never, output never, output hang never

Last clearing of “show interface” counters 00:09:56

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations  0/0/16 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 42 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

18 packets input, 8890 bytes

77 packets output, 27485 bytes

Bound to:

Virtual-Access1 is up, line protocol is up

Hardware is Virtual Access interface

MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Stopped: CDPCP

Open: IPCP

PPPoE vaccess, cloned from Dialer1

Vaccess status 0×44, loopback not set

Keepalive set (10 sec)

DTR is pulsed for 5 seconds on reset

Interface is bound to Di1 (Encapsulation PPP)

Last input 00:00:08, output never, output hang never

Last clearing of “show interface” counters 00:04:29

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

76 packets input, 9688 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

88 packets output, 27611 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

It is shown that the MTU is 1492. Lets configure the MTU size at the dialer interface.

R4(config)#interface Dialer1

R4(config-if)# ip mtu 1492

Test ping again…

4#ping 155.1.146.6 size 2000

Type escape sequence to abort.

Sending 5, 2000-byte ICMP Echos to 155.1.146.6, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms

R4#

And it is working. Well, this is how PPPoE is configured, i hope this will help you when you configuring it.

How to configure Lock-and-Key (dynamic ACL)?

Dynamic ACL are very interesting. They provide temporary access at certain times for certain users. Basically, the user will telnet to the router. If the authentication passes, then router permits that IP to to access the internal parts of the network.

First, we need to create access-list, lets make the access

access-list 101 dynamic Mydyn permit ip any any

access-list 101 permit ip host x.x.x.x host x.x.x.x eq telnet

After that, we need to configure the vty lines to accept

line vty 0

login local

autocommand  access-enable host

lets not forget to configure the username and password.

username xxxx password xxxxx

lasty, apply the access list into the physical interface.

Interface f0/1

ip access-group 101

with that, the dynamic access list is created. As long as the session is open. when the session times out. the ACL entry will be deleted and a new authentication would be required access the protected networks by the router.

Loopback address and MPLS-VPN!

In this article, i will not go deeply into the issue of configuring MPLS-VPN. The steps were mentioned very clearly in an earlier post. MPLS-VPN Tutorial has all the required details.  I would like to mention a mis-step that i did while doing another MPLS-VPN configuration. what resulted in routing updates to work properly. But no traffic was going from one end to another end. After countless of hours, i found the mistake. Before proceeding, the image below shows the sample network. Download the configurations. They can be used to simulate the network using GNS3.

While i was configuring the BGP VPN section i got the following error.

R6(config-router)# neighbor 150.1.4.4 remote-as 100

R6(config-router)# neighbor 150.1.4.4 update-source Loopback0

R6(config-router)# address-family vpnv4

R6(config-router-af)#  neighbor 150.1.4.4 activate

R6(config-router-af)#  neighbor 150.1.4.4 send-community extended

R6(config-router-af)# exit-address-family

*Mar  1 02:08:59.455: %BGP-5-ADJCHANGE: neighbor 150.1.4.4 Up

*Mar  1 02:08:59.463: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.6.6 may not be reachable from neigbor 150.1.4.4 – not /32 mask

Then, i did not mind the error (highlighted in bold) and carried on with configurations. At the end, i had a full working network with proper routing updates in the MPLS-VPN plan. But no traffic is going. I had to troubleshoot many things. Till the end, i decided to re-configure the routers all over. Then i noticed the error. decided to fix it. Changed the loopback address from /24 to /32. The moment i did that, the traffic started passing.

What i learned, is that “Don’t ignore any messages the IOS gives you while configuring”

How to Insure End to end connectivity in Frame-Relay

How to change the Administrative Distance when redistributing?

So, lets talk about how can we change the cost while distribution between routing protocols. Distribution between two routing domains should be done very carfully. It is easy when the there is single distribution router between the two domains. Things get slightly complicated when distributing between two domains and two routers. While extra efforts should be done when there are multiple domains with multipe routers. The image below shows these domains and routers.

Dual Routers

Multiple Routers

When we have single router, it will apply the “split-Horizon” rule by itself. Which stats don’t redistirbute a route into the same domain learned from. For example, if the router learned a route x.x.x.x through RIP, it will distribute it into OSPF. When distributing OSPF routes into RIP, the router will filter the x.x.x.x router cause it was learned through RIP orginally.

Given that, most realistic scenarios would have multpile routers, so changing the cost of routes will be a trick that should be mastered. Lets redistribute from OSPF the route 66.66.66.0 into RIP. First we would need to learn the OSPF database.

R1(config-router)#do show ip os data

OSPF Router with ID (150.1.1.1) (Process ID 1)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count

150.1.1.1       150.1.1.1       1408        0×80000004 0×000989 2

150.1.4.4       150.1.4.4       922         0×80000004 0x00D254 2

150.1.5.5       150.1.5.5       1155        0×80000008 0x008C67 5

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag

66.66.66.0      150.1.4.4       706         0×80000001 0x000F2B 0

155.1.13.0      150.1.4.4       922         0×80000001 0x00DD79 0

155.1.67.0      150.1.4.4       922         0×80000001 0×008997 0

155.1.146.0     150.1.4.4       922         0×80000001 0x0021B0 0

How to change metrics in RIP?

RIP is really undesired protocol. It has a slow convergence by default, and generates lot of traffic. On the positive side, it is one of the easiest routing protocols to configure. One network statement command, and you are done.

Generally, using RIP is not recommended. There are better alternative, from OSPF to EIGRP. These are more robust, and faster routing protocols. But in case someone used RIP, then how to change metrics in RIP?

The metric is calculated based on the number of hops. Maximum hop count is 16 (which means infinity). We can change the hop count (metric) by using the “Offset-list”. First, lets examine the syntax of this command.

“R3(config-router)#offset-list number in|out offset,” number is the access list number, 0 means all routes. in/out are the direction of route to change, and lastly offset is value between 0-16.

Here is an example, before and after the changes.

R5(config)#do show ip route rip

155.1.0.0/16 is variably subnetted, 11 subnets, 2 masks

R        155.1.13.0/24 [120/1] via 155.1.0.3, 00:00:27, Serial1/0

R        155.1.23.0/24 [120/1] via 155.1.0.3, 00:00:27, Serial1/0

R        155.1.37.0/24 [120/1] via 155.1.0.3, 00:00:27, Serial1/0

R5(config)#access-list 5 permit 155.1.37.0 0.0.0.255

R5(config-router)#offset-list 5 in 5

R5(config-router)#do show ip route rip

155.1.0.0/16 is variably subnetted, 11 subnets, 2 masks

R        155.1.13.0/24 [120/1] via 155.1.0.3, 00:00:18, Serial1/0

R        155.1.23.0/24 [120/1] via 155.1.0.3, 00:00:18, Serial1/0

R        155.1.37.0/24 [120/6] via 155.1.0.3, 00:00:18, Serial1/0

Well, that was very simple and straight forward. we have increased the hop count by 5. Thus, we can manipulate the routing table. of course, there is the possibility of using route-filtering as well.