The Journey of a Network Engineer


October 19, 2011  3:27 AM

How to configure Lock-and-Key (dynamic ACL)?

Sulaiman Syed Profile: Sulaiman Syed

Dynamic ACL are very interesting. They provide temporary access at certain times for certain users. Basically, the user will telnet to the router. If the authentication passes, then router permits that IP to to access the internal parts of the network.

First, we need to create access-list, lets make the access

access-list 101 dynamic Mydyn permit ip any any

access-list 101 permit ip host x.x.x.x host x.x.x.x eq telnet

After that, we need to configure the vty lines to accept

line vty 0

login local

autocommand  access-enable host

lets not forget to configure the username and password.

username xxxx password xxxxx

lasty, apply the access list into the physical interface.

Interface f0/1

ip access-group 101

with that, the dynamic access list is created. As long as the session is open. when the session times out. the ACL entry will be deleted and a new authentication would be required access the protected networks by the router.

October 17, 2011  12:32 AM

Loopback address and MPLS-VPN!

Sulaiman Syed Profile: Sulaiman Syed

In this article, i will not go deeply into the issue of configuring MPLS-VPN. The steps were mentioned very clearly in an earlier post. MPLS-VPN Tutorial has all the required details.  I would like to mention a mis-step that i did while doing another MPLS-VPN configuration. what resulted in routing updates to work properly. But no traffic was going from one end to another end. After countless of hours, i found the mistake. Before proceeding, the image below shows the sample network. Download the configurations. They can be used to simulate the network using GNS3.

MPLS-VPN

While i was configuring the BGP VPN section i got the following error.

R6(config-router)# neighbor 150.1.4.4 remote-as 100

R6(config-router)# neighbor 150.1.4.4 update-source Loopback0

R6(config-router)# address-family vpnv4

R6(config-router-af)#  neighbor 150.1.4.4 activate

R6(config-router-af)#  neighbor 150.1.4.4 send-community extended

R6(config-router-af)# exit-address-family

*Mar  1 02:08:59.455: %BGP-5-ADJCHANGE: neighbor 150.1.4.4 Up

*Mar  1 02:08:59.463: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.6.6 may not be reachable from neigbor 150.1.4.4 – not /32 mask

Then, i did not mind the error (highlighted in bold) and carried on with configurations. At the end, i had a full working network with proper routing updates in the MPLS-VPN plan. But no traffic is going. I had to troubleshoot many things. Till the end, i decided to re-configure the routers all over. Then i noticed the error. decided to fix it. Changed the loopback address from /24 to /32. The moment i did that, the traffic started passing.

What i learned, is that “Don’t ignore any messages the IOS gives you while configuring”


October 12, 2011  12:31 AM

How to Insure End to end connectivity in Frame-Relay

Sulaiman Syed Profile: Sulaiman Syed

This is one of the nice features that i just discovered yesterday. It is the ability to make sure an end-to-end frame-relay connectivity between Cisco routers.

In the local router, we can see the PVC status.

Rack1R3#show frame-relay pvc

PVC Statistics for interface Serial1/0 (Frame Relay DTE)

Active     Inactive      Deleted       Static

Local          1            0            0            0

Switched       0            0            0            0

Unused         3            0            0            0

Now, although it is showing active in this side. It doesn’t really mean it is active at the other end. Multiple ISP, or networks can be between the two routers. So, let’s see how to insure the end to end frame relay connectivity. Do the following configurations as shown…
Rack1R3#conf t
Rack1R3(config)#map-class frame-relay END-END
Rack1R3(config-map-class)#frame-relay end-to-end keepalive mode bidirectional
Rack1R3(config-map-class)#exit
Rack1R3(config)#int serial 1/0.1
Rack1R3(config-subint)#frame-relay class END-END
Rack1R3(config-subint)#end
Rack1R3#
Now, a similar configurations should be done on the other end. What we are doing is creating a map-class for frame-relay. Enabling keepalive in bidirectional mode. Then applying this map-class into the required interface, or sub-interface. Lets see the out put of this command.
Rack1R3#show frame-relay end-to-end keepalive
End-to-end Keepalive Statistics for Interface Serial1/0 (Frame Relay DTE)
DLCI = 305, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK UP)
SEND SIDE STATISTICS
Send Sequence Number: 34,       Receive Sequence Number: 35
Configured Event Window: 3,     Configured Error Threshold: 2
Total Observed Events: 37,      Total Observed Errors: 0
Monitored Events: 3,            Monitored Errors: 0
Successive Successes: 3,        End-to-end VC Status: UP
RECEIVE SIDE STATISTICS
Send Sequence Number: 34,       Receive Sequence Number: 33
Configured Event Window: 3,     Configured Error Threshold: 2
Total Observed Events: 36,      Total Observed Errors: 0
Monitored Events: 3,            Monitored Errors: 0
Successive Successes: 3,        End-to-end VC Status: UP
From the output. it is seen that the end to end status of VC is UP.


October 10, 2011  2:36 AM

How to change the Administrative Distance when redistributing?

Sulaiman Syed Profile: Sulaiman Syed

So, lets talk about how can we change the cost while distribution between routing protocols. Distribution between two routing domains should be done very carfully. It is easy when the there is single distribution router between the two domains. Things get slightly complicated when distributing between two domains and two routers. While extra efforts should be done when there are multiple domains with multipe routers. The image below shows these domains and routers.

Single-Router
Single Router

Dual-Router

Dual Routers

Multiple-Router

Multiple Routers

When we have single router, it will apply the “split-Horizon” rule by itself. Which stats don’t redistirbute a route into the same domain learned from. For example, if the router learned a route x.x.x.x through RIP, it will distribute it into OSPF. When distributing OSPF routes into RIP, the router will filter the x.x.x.x router cause it was learned through RIP orginally.

Given that, most realistic scenarios would have multpile routers, so changing the cost of routes will be a trick that should be mastered. Lets redistribute from OSPF the route 66.66.66.0 into RIP. First we would need to learn the OSPF database.

R1(config-router)#do show ip os data
OSPF Router with ID (150.1.1.1) (Process ID 1)
Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
150.1.1.1       150.1.1.1       1408        0×80000004 0×000989 2
150.1.4.4       150.1.4.4       922         0×80000004 0x00D254 2
150.1.5.5       150.1.5.5       1155        0×80000008 0x008C67 5
Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
66.66.66.0      150.1.4.4       706         0×80000001 0x000F2B 0
155.1.13.0      150.1.4.4       922         0×80000001 0x00DD79 0
155.1.67.0      150.1.4.4       922         0×80000001 0×008997 0
155.1.146.0     150.1.4.4       922         0×80000001 0x0021B0 0
We can note from the output that 66.66.66.0 is external route (redisributed into OSPF domain by the router with ID – 150.1.4.4. lets create access list to match this route.
ip Access-list standard 10 permit 66.66.66.0 0.0.0.255
Now lets have a look at the syntax would be
distance metric router access-list (RIP and EIGRP would use the neigbour IP, and OSPF would use Router-ID). for our example, to make our redistributed route into rip to be more disatractive than the origianl RIP (AD of 120)
To configure the router follow the commands
router ospf 1
distance 121 150.1.4.4 0.0.0.0 10
This is how the Administrative distance can be changed for particular route. It is very simple and straight forward, just needs some practicing.


October 7, 2011  1:39 AM

How to change metrics in RIP?

Sulaiman Syed Profile: Sulaiman Syed

RIP is really undesired protocol. It has a slow convergence by default, and generates lot of traffic. On the positive side, it is one of the easiest routing protocols to configure. One network statement command, and you are done.

Generally, using RIP is not recommended. There are better alternative, from OSPF to EIGRP. These are more robust, and faster routing protocols. But in case someone used RIP, then how to change metrics in RIP?

The metric is calculated based on the number of hops. Maximum hop count is 16 (which means infinity). We can change the hop count (metric) by using the “Offset-list”. First, lets examine the syntax of this command.

“R3(config-router)#offset-list number in|out offset,” number is the access list number, 0 means all routes. in/out are the direction of route to change, and lastly offset is value between 0-16.

Here is an example, before and after the changes.

R5(config)#do show ip route rip

155.1.0.0/16 is variably subnetted, 11 subnets, 2 masks

R        155.1.13.0/24 [120/1] via 155.1.0.3, 00:00:27, Serial1/0

R        155.1.23.0/24 [120/1] via 155.1.0.3, 00:00:27, Serial1/0

R        155.1.37.0/24 [120/1] via 155.1.0.3, 00:00:27, Serial1/0

R5(config)#access-list 5 permit 155.1.37.0 0.0.0.255

R5(config-router)#offset-list 5 in 5

R5(config-router)#do show ip route rip

155.1.0.0/16 is variably subnetted, 11 subnets, 2 masks

R        155.1.13.0/24 [120/1] via 155.1.0.3, 00:00:18, Serial1/0

R        155.1.23.0/24 [120/1] via 155.1.0.3, 00:00:18, Serial1/0

R        155.1.37.0/24 [120/6] via 155.1.0.3, 00:00:18, Serial1/0

Well, that was very simple and straight forward. we have increased the hop count by 5. Thus, we can manipulate the routing table. of course, there is the possibility of using route-filtering as well.


October 3, 2011  1:59 PM

How to run INE CCIE Routing and Switching Lab on IOU?

Sulaiman Syed Profile: Sulaiman Syed

This is a utility which I got to know few days ago. It was one of those things that made my life really really good. Since the preperation for CCIE R&S Lab exam started, i wanted a platform to practice the concepts. Although we do have latest technology in our production environment, i can’t really practice much on that. So, a virtual lab was the way to go. GNS3 is a good tool as well, specially that INE themselves do provide a GNS3 network topology for their Workbook II.

First, get the IOU, and Google is your best friend my friend. Once you found it. you are almost done! not really, hehee.

Second, get VMware Player. It is free. Third, and lastly, you would need a program to telnet. I suggest using SecureCRT, since you would be using that program during the actual CCIE Lab exam.

Install the VMware Machine using the IOS you downloaded after googling. Make sure that the VM has enough ram to run the IOU.

Although I’m not sure if im doing it wrong or right. But it worked fine for me, and i managed to do some quite loads of configurations. Please follow the steps shown below

VMware-1 />

VMware-2

Once installed, follow the steps provided. It gets really simple. Hope this post was useful for everyone who wants to practice Routing and Switching, specially CCIE candidates.


October 1, 2011  5:02 AM

Journey Toward CCIE

Sulaiman Syed Profile: Sulaiman Syed

Well, I felt motivated to do my CCIE out of no where. Since then, i have passed my CCIE written exam (two weeks ago). I have started working on my CCIE R&S Lab exam.

I would be posting various topics, how to, configuration of new things that i learn. Things that i find intriguing.

Bookmark this blog, cause you would be filled with knowledge. specially if you are looking to prepare for CCIE R&S lab exam.


August 23, 2011  7:23 AM

How to Configure Citrix NetScaler for Hosted Microsoft Exchange 2010?

Sulaiman Syed Profile: Sulaiman Syed

Microsoft Exchange 2010 is one of these products that being used in almost every organization. It seems that getting familiarize with it is the best thing a system engineer could do right now. Most big organizations will want to have redundant servers running the Exchange. For that, there is a need to use Load Balancers.

In this series, i would explain and show how to configure Citrix NetScaler for hosted Microsoft Exchange 2010. It breaks into four parts as following:

  1. Part 1: The basics of load balancing.
  2. Part 2: Features required for NetScaler and Certificate import.
  3. Part 3: Load Balancing CAS
  4. Part 4: Load Balancing HUB
This series do cover all the basic knowledge to load balance. It has a detailed configuration with full screenshots on how to do the full implementation. It could not get more comprehensive.
Email me for any comments. :)


August 21, 2011  4:51 AM

How to Configure Citrix NetScaler for Hosted Microsoft Exchange 2010? Part-4

Sulaiman Syed Profile: Sulaiman Syed

In the previous entry, i have spoken how to Load Balance CAS using Citrix NetScaler. To finalize the series, i would like to show how to configure Citrix NetScaler for HUB Transport Server. If you have read the previous blog entry, you would realize it is pretty simple. Since they are very similar. I will go about it very briefly and concise.

Image 1 shows the services required to run HUB. we would like one service with protocol TCP and port 25, while the second will be protocol HTTP and port 80.
Hub Services

Image 1

Once that is done, creating the virtual servers is logical step. We would create one HUB-VIP server that uses protocol TCP and port 25, and second HUB-VIP-Return-HTTP with protocol HTTP and port 80. lastly, we would create HUP-VIP-Return with protocol SSL and port 443. Since the last server using SSL, we would need to do SSL offloading. This will require to use the certificate that was imported. We have used one certificate for all ports, so we will use the same certificate used in previous blog entry. Please note that we don’t any persistence method, while we used Least Connection throughout.

HUP VIP

Image 2

HUB VIP Return

Image 3

HUB VIP HTTP Return

Image 4

HUB VIP SSL Certificate

Image 5

Once that is done. The required configurations are done. Image 6 is showing how your virtual servers tap should look like.

Virtual Servers

Image 6

With that, we have finalized the series of how to configure Citrix NetScaler for Hosted Microsoft Exchange 2010.


August 17, 2011  5:59 AM

How to Configure Citrix NetScaler for Hosted Microsoft Exchange 2010? Part-3

Sulaiman Syed Profile: Sulaiman Syed

In previous Entry I have shown how to import certificates, and do the re-write policy. Well, in this entry. I would like to add the the virtual Servers for OWA, then i would show the required settings to add the other applications (IMAP4, RPC, POP3, and OA).

As for the Load Balancing Method, Microsoft has its own recommendation, I would suggest to go with “Least Connection”, “Round Robin” is really not a good way, since one server can be loaded unequally by longer connection session. Persistence for OWP is Cookieinsert,  while AS, OA is Source IP. Since our CAS is handling all the three applications, we used cookieInsert for all. Some users, mentioned issues with cookieinsert, and used Source IP. We would like to do our own testing before deciding with Persistence method to choose.

We start by creating virtual Server for OWA. Before adding anything, first we need to add the real servers. This will ease the process when we want to associate the service (ports) with the real servers.  In the image below, click on add. Then just follow the procedure shown.

Server Menu

Figure 1: Servers Menu


Server Add

Figure 2 : Adding Real Server

Once we have added the servers, it is best to add all the required servers running the various applications. It can be seen from above that we have added 3 CAS, 3 HUB servers. Since Citrix NetScaler is being used to load balance CAS and HUB only.

Now, Adding the service is next step. as seen in First Entry, we would like to create the services of the real server. Since we are creating OWA, HTTP with port 80 is the real service. click on Add as shown in the services Menu.

Service Menu

Figure 3 : Service Menu

Service Add

Figure 4 : Adding Service

to Add the service, Write the name of your choice. Pick the real Server, Protocol, and Port number. Please note that you would need to do this for all the OWA application servers. In our case we have done 3 of them. Figure 3 shows that we created services for OWA, POP3, IMAP4 and RPC. Since, the RPC uses random port numbers. Use the following settings, Service name (add the name), Server (add real server), Protocol pick TCP, and port pick *.

Now, lets create the Virtual Server. Since we are going to offload SSL from real servers. The Virtual Server will run on port 443, with SSL certificate added and persistence enabled. Please click on Add at the Virtual Servers menu as shown below.

Virtual Servers

Figure 5 : Virtual Servers Menu

Virtual Server Add

Figure 6 : Adding Virtual Server

In figure 6, we are adding the virtual server by Naming it, Giving it Virtual IP address, Selecting Protocol SSL, and port number 443. We have selected the Services that we want to associate this Virtual IP with. Figure 7 shows that we have picked the Method of load balancing as Least Connection, while Persistence mode is cookiesinsert.
Persistence Method in Virtual Server

Figure 7 : Configuring Method for Virtual Server

Virtual Server Certificate Add

Figure 8 : Adding SSL Certificate to Virtual Server

Figure 8 shows that we have added the certificate we created earlier here. With this, configuration of the Load Balancer is done. Although there is one small detail that should be looked at. Since NetScaler will Send traffic from SSL to HTTP (from 443 to 80). The CAS server will reply with port 80 (HTTP). We would like to configure NetScaler to Intercept this traffic. So we create a virtual server for protocol HTTP, port 80, and we don’t associate any service with it. Figure 9 shows the configuration for the Return-OWA traffic.
OWA Return Vserver

Figure 9 : Virtual Server to Intercept Return Traffic

Figure 5 shows all the virtual servers that we have created for various applications running in the hosted Microsoft Exchange Server 2010. With this, we have finalized the configuration of NetScaler for the CAS. In our next Entry, i would Configure the Load Balancer for HUB.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: