Dynamic ACLs (Cisco calls the feature lock-and-key) are very interesting. They grant temporary access to particular users for a limited time. The user first opens a Telnet session to the router (SSH is the better choice, since Telnet sends the username and password in clear text across the very segment the ACL is protecting); if authentication succeeds, the router installs a temporary entry that permits that user's source IP to reach the internal part of the network. Note that the temporary entry is keyed on the source address only, so anyone sharing or spoofing that address for the lifetime of the entry inherits the access.
First, we need to create the access list. The dynamic entry takes an optional absolute timeout (here 120 minutes), and a static entry must allow the user to reach the router itself on the Telnet port. That entry needs tcp rather than ip, because a port match is only valid for TCP or UDP:
access-list 101 dynamic Mydyn timeout 120 permit ip any any
access-list 101 permit tcp host x.x.x.x host x.x.x.x eq telnet
After that, we need to configure the vty lines to accept the login and run access-enable automatically. The host keyword narrows the temporary entry to the connecting host instead of the any source written in the dynamic entry, and the idle timeout (in minutes) removes it when the user goes quiet:
line vty 0 4
login local
autocommand access-enable host timeout 5
Let's not forget to configure the username and password. Use secret rather than password so the credential is stored as a hash and not as a reversible type 7 string:
username xxxx secret xxxxx
Lastly, apply the access list inbound on the physical interface that faces the users:
ip access-group 101 in
With that, the dynamic access list is created. The temporary entry lives as long as the user stays active; when the idle timeout (or the absolute timeout on the dynamic entry) expires, the entry is deleted and a new authentication is required to reach the networks protected by the router.
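A fuller version of the same setup, added here as an example and not taken from the original post: it replaces Telnet with SSH and attaches access-enable to the user instead of the vty lines, so an administrator account still gets a normal shell rather than being disconnected right after the entry is installed. Hostname, domain, addresses, interface name, usernames and timeouts are assumptions; the ACL also limits the temporary entry to the internal range instead of any any.

```cisco
! Added example (not from the original post). All names and addresses are assumed.
hostname R1
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
!
! The remote user's login installs the temporary entry (idle timeout 10 min).
! The autocommand lives on the username, so "admin" gets an ordinary shell.
username remote secret R3m0teP@ss
username remote autocommand access-enable host timeout 10
username admin privilege 15 secret Adm1nP@ss
!
! 101: reach the router itself over SSH from the untrusted side, then a dynamic
! entry (absolute timeout 120 min) that access-enable fills with the
! authenticated user's source host; everything else is dropped and logged.
access-list 101 permit tcp any host 203.0.113.1 eq 22
access-list 101 dynamic LOCKKEY timeout 120 permit ip any 10.1.0.0 0.0.255.255
access-list 101 deny ip any any log
!
line vty 0 4
 login local
 transport input ssh
!
interface GigabitEthernet0/0
 description untrusted side
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
```

After a remote user logs in, show access-lists 101 lists the temporary entry indented under the Dynamic LOCKKEY line with its source host and remaining time; clear access-template removes such entries early when an address is compromised. The example assumes an IOS release on which vty logins over SSH run the autocommand the same way Telnet logins do.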
In this article, I will not go deeply into configuring MPLS-VPN. The steps were covered very clearly in an earlier post; the MPLS-VPN Tutorial has all the required details. I would like to mention a mis-step I made while doing another MPLS-VPN configuration, which resulted in routing updates working properly but no traffic going from one end to the other. After countless hours, I found the mistake. Before proceeding, the image below shows the sample network. Download the configurations; they can be used to simulate the network using GNS3.
While I was configuring the BGP VPN section, I got the following error.
R6(config-router)# neighbor 22.214.171.124 remote-as 100
R6(config-router)# neighbor 126.96.36.199 update-source Loopback0
R6(config-router)# address-family vpnv4
R6(config-router-af)# neighbor 188.8.131.52 activate
R6(config-router-af)# neighbor 184.108.40.206 send-community extended
*Mar 1 02:08:59.455: %BGP-5-ADJCHANGE: neighbor 220.127.116.11 Up
*Mar 1 02:08:59.463: %BGP-4-VPNV4NH_MASK: Nexthop 18.104.22.168 may not be reachable from neigbor 22.214.171.124 – not /32 mask
Then, I did not mind the error (the %BGP-4-VPNV4NH_MASK line above) and carried on with the configuration. At the end, I had a fully working network with proper routing updates in the MPLS-VPN plane, but no traffic was going through. I had to troubleshoot many things. In the end, I decided to reconfigure the routers all over again. Then I noticed the error and decided to fix it: I changed the loopback address from /24 to /32. The moment I did that, the traffic started passing.
What I learned is: "Don't ignore any messages IOS gives you while configuring."
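An added example (not from the original post) of the corrected PE-side configuration, together with the checks that expose this mistake before a traffic test does. Addresses, the AS number, the IGP and the peer are assumptions; the point is that the loopback used as update-source, and therefore as the VPNv4 next hop, is a /32.

```cisco
! Added example (not from the original post); addresses and AS number are assumed.
! The loopback must be a host route: the IGP advertises it as /32 and LDP binds a
! label to the exact prefix in the RIB, so the remote PE gets a labelled path to
! the /32 next hop it sees in BGP. With a /24 mask the two never match.
interface Loopback0
 ip address 10.255.0.6 255.255.255.255
!
router ospf 1
 router-id 10.255.0.6
 network 10.255.0.6 0.0.0.0 area 0
!
mpls ldp router-id Loopback0 force
!
router bgp 100
 bgp router-id 10.255.0.6
 neighbor 10.255.0.1 remote-as 100
 neighbor 10.255.0.1 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
```

Checks after applying it: show ip bgp vpnv4 all summary should show the peer with a prefix count rather than Active, show mpls forwarding-table should list an outgoing label for the remote PE loopback 10.255.0.1/32, and the %BGP-4-VPNV4NH_MASK warning must not reappear. If the remote PE still has a /24 loopback, the label for that /32 next hop is missing and VPN traffic is dropped even though BGP and the IGP look healthy.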
This is one of the nice features I just discovered yesterday: Frame Relay end-to-end keepalive (EEK), which verifies connectivity across a PVC between two Cisco routers rather than just to the local switch. LMI only tells a router whether its local Frame Relay switch considers the DLCI ACTIVE; a PVC can be reported ACTIVE while the far-end router is down or misconfigured, so EEK exchanges keepalive messages over the PVC itself and marks the VC down when they fail. Both ends must run it (bidirectional mode on both, or request mode on one side and reply mode on the other); otherwise the side waiting for replies declares the VC down.
In the local router, we can see the PVC status.
Rack1R3#show frame-relay pvc
PVC Statistics for interface Serial1/0 (Frame Relay DTE)
Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 3 0 0 0
Rack1R3#conf t
Rack1R3(config)#map-class frame-relay END-END
Rack1R3(config-map-class)#frame-relay end-to-end keepalive mode bidirectional
Rack1R3(config-map-class)#exit
Rack1R3(config)#int serial 1/0.1
Rack1R3(config-subint)#frame-relay class END-END
Rack1R3(config-subint)#end
Rack1R3#
Rack1R3#show frame-relay end-to-end keepalive
End-to-end Keepalive Statistics for Interface Serial1/0 (Frame Relay DTE)
DLCI = 305, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK UP)
SEND SIDE STATISTICS
Send Sequence Number: 34, Receive Sequence Number: 35
Configured Event Window: 3, Configured Error Threshold: 2
Total Observed Events: 37, Total Observed Errors: 0
Monitored Events: 3, Monitored Errors: 0
Successive Successes: 3, End-to-end VC Status: UP
RECEIVE SIDE STATISTICS
Send Sequence Number: 34, Receive Sequence Number: 33
Configured Event Window: 3, Configured Error Threshold: 2
Total Observed Events: 36, Total Observed Errors: 0
Monitored Events: 3, Monitored Errors: 0
Successive Successes: 3, End-to-end VC Status: UP
So, let's talk about how to change the cost, or more precisely the preference, of routes when redistributing between routing protocols. Redistribution between two routing domains should be done very carefully. It is easy when there is a single redistribution router between the two domains. Things get slightly more complicated with two domains and two redistribution routers, and extra effort is needed when there are multiple domains with multiple routers. The image below shows these domains and routers.
When we have a single router, it behaves like split horizon by itself: it only redistributes routes that are installed in its routing table from the source protocol, so a route learned through one domain is never sent back into that domain. For example, if the router learned x.x.x.x through RIP, it redistributes it into OSPF; when redistributing OSPF into RIP, x.x.x.x is left out because it sits in the routing table as a RIP route, not an OSPF one.
Given that most realistic scenarios have multiple redistribution routers, and a prefix can come back into its own domain through the second router with a better administrative distance (an OSPF external route at AD 110 beats RIP at AD 120), tuning the administrative distance is a trick that should be mastered. Let's redistribute the route 126.96.36.199 from OSPF into RIP. First we need to look at the OSPF database to find which router advertises it.
R1(config-router)#do show ip os data

OSPF Router with ID (188.8.131.52) (Process ID 1)

Router Link States (Area 0)
Link ID         ADV Router      Age   Seq#        Checksum  Link count
184.108.40.206  220.127.116.11  1408  0x80000004  0x000989  2
18.104.22.168   22.214.171.124  922   0x80000004  0x00D254  2
126.96.36.199   188.8.131.52    1155  0x80000008  0x008C67  5

Type-5 AS External Link States
Link ID         ADV Router      Age   Seq#        Checksum  Tag
184.108.40.206  220.127.116.11  706   0x80000001  0x000F2B  0
18.104.22.168   22.214.171.124  922   0x80000001  0x00DD79  0
126.96.36.199   188.8.131.52    922   0x80000001  0x008997  0
184.108.40.206  220.127.116.11  922   0x80000001  0x0021B0  0
The command is distance <AD> <source> <wildcard> [<access-list>], configured under the routing process. For RIP and EIGRP the source is the IP address of the neighbour that sent the route; for OSPF it is the Router ID of the advertising router, which is why we looked at the database. For our example, to make the OSPF copy of the route less attractive than the original RIP route (AD 120), we raise the distance of routes advertised by Router ID 18.104.22.168 that match access list 10 to 121 (the access list is not shown in the original; it has to match the prefix being redistributed):
access-list 10 permit 126.96.36.199
router ospf 1
distance 121 18.104.22.168 0.0.0.0 10
Check with show ip route: the prefix should now be installed as an R route with [120/...] rather than an O E2 route with [110/...], and only that prefix is affected, since OSPF routes that do not match access list 10 keep AD 110.
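The same trick in the two-router scenario the text describes, added here as an example and not taken from the original post. R1 and R2 both redistribute between RIP and OSPF; prefixes, Router IDs, the RIP metric and the access list number are assumptions. The configuration shown is R1's, and R2 gets the mirror image against R1's Router ID.

```cisco
! Added example (not from the original post); prefixes and Router IDs are assumed.
!
! Problem: 172.16.10.0/24 and 172.16.20.0/24 are native to RIP. R2 redistributes
! them into OSPF as externals, which R1 learns at AD 110. That beats R1's own RIP
! copy (AD 120), so R1 routes RIP-native prefixes through OSPF and then hands
! them back into RIP as redistributed routes: a routing loop waiting to happen.
!
! Fix on R1: for the RIP-native prefixes only, make OSPF routes advertised by
! R2 (Router ID 10.255.0.2) worse than RIP. OSPF-native prefixes keep AD 110.
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 permit 172.16.20.0 0.0.0.255
!
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 redistribute ospf 1 metric 3
!
router ospf 1
 router-id 10.255.0.1
 network 10.0.0.0 0.255.255.255 area 0
 redistribute rip subnets
 distance 121 10.255.0.2 0.0.0.0 10
```

On R1, show ip route 172.16.10.0 should then show an R entry with [120/x] via the RIP neighbour instead of O E2 [110/20] via R2. The access list has to list every RIP-native prefix (or a summary covering them); if a new RIP subnet is added and the list is not updated, the loop returns for that subnet. Tagging redistributed routes with a route-map and denying routes that carry the tag on their way back is the more robust alternative when the set of prefixes changes often.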
RIP is really an undesirable protocol. It converges slowly by default and generates a lot of traffic. On the positive side, it is one of the easiest routing protocols to configure: one network statement and you are done.
Generally, using RIP is not recommended. There are better alternatives, from OSPF to EIGRP, which are more robust and converge faster. But in case someone is using RIP, how do you change metrics in RIP?
The metric is the number of hops, and a hop count of 16 means infinity (unreachable). We can change the hop count (metric) of selected routes with the offset-list command. First, let's examine its syntax.
R3(config-router)#offset-list {access-list-number | name} {in | out} offset [interface]
The access list selects the routes to change (0 means all routes), in/out is the direction in which the routes are processed, offset is a value between 0 and 16 that is added to the hop count, and the optional interface limits the change to routes received on or sent out of that interface. Keep in mind that an offset that pushes the total past 15 makes the route unreachable, which is effectively a filter.
Here is an example, before and after the changes.
R5(config)#do show ip route rip
22.214.171.124/16 is variably subnetted, 11 subnets, 2 masks
R 126.96.36.199/24 [120/1] via 188.8.131.52, 00:00:27, Serial1/0
R 184.108.40.206/24 [120/1] via 220.127.116.11, 00:00:27, Serial1/0
R 18.104.22.168/24 [120/1] via 22.214.171.124, 00:00:27, Serial1/0
R5(config)#access-list 5 permit 126.96.36.199 0.0.0.255
R5(config-router)#offset-list 5 in 5
R5(config-router)#do show ip route rip
188.8.131.52/16 is variably subnetted, 11 subnets, 2 masks
R 184.108.40.206/24 [120/1] via 220.127.116.11, 00:00:18, Serial1/0
R 18.104.22.168/24 [120/1] via 22.214.171.124, 00:00:18, Serial1/0
R 126.96.36.199/24 [120/6] via 188.8.131.52, 00:00:18, Serial1/0
Well, that was very simple and straightforward: we increased the hop count of the route matched by access list 5 by 5, from [120/1] to [120/6], while the other RIP routes are untouched. That lets us steer which path the routing table prefers when the same prefix is learned from more than one neighbour. Of course, there is also the option of route filtering with a distribute-list when a route should be removed altogether rather than made less attractive.
This is a utility which I got to know a few days ago. It was one of those things that made my life really, really good. Since the preparation for the CCIE R&S lab exam started, I wanted a platform to practice the concepts. Although we do have the latest technology in our production environment, I can't really practice much on that. So a virtual lab was the way to go. GNS3 is a good tool as well, especially since INE themselves provide a GNS3 network topology for their Workbook II.
First, get the IOU, and Google is your best friend, my friend. Once you have found it, you are almost done! Not really, hehe.
Install the VMware machine using the image you downloaded after googling. Make sure that the VM has enough RAM to run the IOU.
Although I'm not sure if I'm doing it right or wrong, it worked fine for me, and I managed to do quite a lot of configurations. Please follow the steps shown below.
Once installed, follow the steps provided. It gets really simple. I hope this post was useful for everyone who wants to practice Routing and Switching, especially CCIE candidates.
Well, I felt motivated to do my CCIE out of nowhere. Since then, I have passed my CCIE written exam (two weeks ago) and have started working on my CCIE R&S lab exam.
I will be posting various topics, how-tos and configurations of new things that I learn, things that I find intriguing.
Bookmark this blog, because you will be filled with knowledge, especially if you are preparing for the CCIE R&S lab exam.
Microsoft Exchange 2010 is one of those products used in almost every organization, so getting familiar with it is the best thing a system engineer could do right now. Most big organizations want redundant servers running Exchange, and for that there is a need for load balancers.
In this series, I will explain and show how to configure Citrix NetScaler for hosted Microsoft Exchange 2010. It breaks into four parts as follows:
- Part 1: The basics of load balancing.
- Part 2: Features required for NetScaler and Certificate import.
- Part 3: Load Balancing CAS
- Part 4: Load Balancing HUB
In the previous entry, I covered how to load balance CAS using Citrix NetScaler. To finalize the series, I would like to show how to configure Citrix NetScaler for the HUB Transport server. If you have read the previous entry, you will find this pretty simple, since the two are very similar, so I will go through it briefly.
Once the real servers and their services are added, creating the virtual servers is the logical next step. We create one HUB-VIP virtual server with protocol TCP and port 25, a second, HUB-VIP-Return-HTTP, with protocol HTTP and port 80, and lastly HUB-VIP-Return with protocol SSL and port 443. Since the last server uses SSL, we need to do SSL offloading, which requires the certificate that was imported; we used one certificate for all ports, so the same certificate from the previous entry is bound here. Please note that no persistence method is used, while Least Connection is used throughout. One detail to check on the SMTP virtual server: in the default mode the HUB servers see the NetScaler's subnet IP, not the sending client, as the SMTP source address, so receive connector restrictions based on client IP and the message tracking logs all see the load balancer. If the real client address matters, enable Use Source IP (USIP) on the SMTP service and make sure the servers' return traffic goes back through the NetScaler.
Once that is done, the required configuration is complete. Image 6 shows how your Virtual Servers tab should look.
With that, we have finalized the series on how to configure Citrix NetScaler for hosted Microsoft Exchange 2010.
In the previous entry I showed how to import certificates and create the rewrite policy. In this entry, I would like to add the virtual servers for OWA, then show the settings required to add the other applications (IMAP4, RPC, POP3 and OA).
As for the load balancing method, Microsoft has its own recommendations; I would suggest going with Least Connection. Round Robin is really not a good choice, since one server can end up unequally loaded by longer connection sessions. Microsoft's recommended persistence for OWA is CookieInsert, while for ActiveSync (AS) and Outlook Anywhere (OA) it is Source IP. Since our CAS servers handle all three applications, we used CookieInsert for all. Some users have reported issues with CookieInsert and used Source IP instead; we would like to do our own testing before deciding which persistence method to choose.
We start by creating the virtual server for OWA. Before adding anything, we first need to add the real servers. This eases the process when we want to associate the services (ports) with the real servers. In the image below, click on Add, then follow the procedure shown.
Figure 1: Servers Menu
Figure 2 : Adding Real Server
Once we have added the servers, it is best to add all the required servers running the various applications. It can be seen above that we have added 3 CAS and 3 HUB servers, since Citrix NetScaler is being used to load balance CAS and HUB only.
Now, adding the services is the next step. As seen in the first entry, we create the services of the real servers. Since we are creating OWA, HTTP on port 80 is the real service. Click on Add as shown in the Services menu.
Figure 3 : Service Menu
Figure 4 : Adding Service
To add the service, write a name of your choice, then pick the real server, protocol and port number. Please note that you need to do this for all the OWA application servers; in our case we did 3 of them. Figure 3 shows that we created services for OWA, POP3, IMAP4 and RPC. Since RPC uses random port numbers, use the following settings: service name (the name), server (the real server), protocol TCP, and port *.
Now, let's create the virtual server. Since we are going to offload SSL from the real servers, the virtual server will run on port 443 with the SSL certificate bound and persistence enabled. Keep in mind what offloading means: the leg from the NetScaler to the CAS servers is plain HTTP on port 80, so that segment must be trusted (or use SSL bridging or re-encryption instead of offload if it is not). Please click on Add in the Virtual Servers menu as shown below.
In figure 6, we add the virtual server by naming it, giving it a virtual IP address, and selecting protocol SSL and port number 443. We then select the services we want to associate with this virtual IP. Figure 7 shows that we picked Least Connection as the load balancing method, while the persistence mode is CookieInsert.
Figure 8 : Adding SSL Certificate to Virtual Server
Figure 8 shows that we added the certificate we created earlier. With this, the configuration of the load balancer is almost done, but there is one small detail to look at. Since NetScaler forwards the decrypted traffic to the CAS as HTTP (from 443 to 80), the CAS sees an HTTP request and replies with redirects built on http:// and port 80. We want NetScaler to intercept those clients, so we create a virtual server on the same VIP with protocol HTTP, port 80, and don't associate any service with it; the rewrite policy from the previous entry then sends them back to https. Figure 9 shows the configuration for the Return-OWA traffic.
Figure 9 : Virtual Server to Intercept Return Traffic
Figure 5 shows all the virtual servers we created for the various applications running on the hosted Microsoft Exchange Server 2010. With this, we have finalized the configuration of NetScaler for the CAS. In the next entry, I will configure the load balancer for HUB.