Entries Tagged as ''

Extended ACLs Different Application

Extended ACLs allow the router to analyse source/destination IP addresses and source/destination ports and Protocol type (such as ip, tcp and icmp). We can defined the traffic flow by this five factors. This poster focus on different application of extended ACLs.

1. Commonly Used

The following is commonly used statement for TCP access-list

ip access-list {extended|standard} name
permit|deny tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]] [established]
[precedence precedence] [tos tos] [log] [time-range time-range-name]

2. For Distribute-List

When extended access-lists called as a distribute-list in IGP, the “source” field in the ACL matches the update source of the route, and the “destination field represents the network address. For example,

access-list 101 deny ip host 192.168.50.4 host 10.2.106.0

The configuration is basically meaning that, deny 10.2.106.0 network which is advertised from 192.168.50.4 route.

3. For Redistribution

When extended access-lists called as a redistribution or as in BGP, the “source” field in the ACL represents the network address, and the “destination” field represents the subnet mask. For example,

ip access-list extended RIP-IN
permit ip 192.168.0.0 0.0.255.255 host 255.255.255.0
!
route-map RIP->OSPF
match ip address RIP-IN
!
router ospf 1
redistribute rip subnets route-map RIP->OSPF

The configuration is meaning that, when redistribute RIP into OSPF, only allow “192.168.0.0 network which has 255.255.255.0 subnet mask” in.

Another simple case is like this: Allow only 10.0.0.0 from host 1.2.3.4

- prefix gateway

ip prefix ROUTE permit 10.0.0.0/8
ip prefix SOURCE permit 1.2.3.4/32
distribute-list prefix ROUTE gateway SOURCE in

- Exteded access-list

access-list 101 permit ip host 1.2.3.4 host 10.0.0.0
distribute-list 101 in

Tags: IP Service, Networks by hengdu
No Comments »

Life as Summer Flower

A good friend of mine, who lived in Melbourn, sent me off-line message from MSN.

he is leaving
towarding his next station
took a part of life from each of us
in return, his glory
on his child’s heart

When asking people, at the time the Beatles disbanded, that do you still remember them, people always said, yes, forever, because we grew up when they grew up, we were matured when they were matured.

Yes, MJ is part of my younth life, as well as John Lennon.

Tags: So we travel by hengdu
No Comments »

BGP Best Route Trouble Shooting

When we show ip bgp and observe some routes are not best route (not greater sign in the front), we should first check if next hop is reachable, then, we should check if iBGP synchronization is enabled.

BGP will put learned prefix to Adj-RIB-in. All learned route will pass Input Policy Engine. A path selection algorithm is then performed to determine the best path for each prefix. The resulting best paths are stored in the local BGP RIB (Loc-RIB) and then are submittted to the local IP routing table (IP-RIB) for installation consideration. To make next hop reachable, we can either change next hop by next-hop-self when eBGP peer advertise the prefix to its neighbor, or redistribute BGP to IGP, which we don’t recommend because two manys prefixes injected in to IGP.

If iBGP synchronization is enabled, the router will not use or advertise the prefixes learned from iBGP neighbor until the matching prefixes learned from an IGP. Prefix synchronization between iBGP and IGP to prevent routing loops and black-holing of traffic. Prefix synchronization means that a prefix learned via iBGP is not included in the best-path selection unless that same prefix exists in the IGP. If the IGP is OSPF, the router ID for the prefix in the IGP must also match the router ID of the BGP peer advertising the prefix. Synchronization may be disabled if this AS does not provide transit for another AS or if all routers in the transit path are running BGP. It is generally a good practice to disable prefix synchronization.

Tags: BGP, Networks by hengdu
No Comments »

UDP Broadcast Traffic Forwarding

Layer 3 device will terminate Broadcast traffic. However, sometimes we need to forward those broadcast traffic to somewhere bypass several layer 3 devices. The first example is one host send DHCPDISCOVERY broadcast traffic to DHCP server on the other broadcast domain. The other example is some UDP broadcast application talk to server or client on remote site. Both cases should use some ways to carry those broadcast traffic. Cisco provides two ways to carry those traffic.

  • By Unicast: ip helper-address <unicast-addr>
  • By Multicast: ingress: ip helper-map <mcast-addr> <ACL>; egress: ip helper-map <mcast-addr> <destination-unicast-addr> <ACL>

The diagram demonstrate two ways network and the configuration should follow steps below:

picture-22

Step 1: enable forward protocol globally.

ip forward-protocol udp <port # | protocol name>

Step 2: On the ingress interface, enable helper address or helper map. Note, it doesn’t need to enable ip directed-broadcast under ingress interface.

ip helper-addr <destination-unicast-addr>
ip helper-map <multicast-addr-group> <ACL>

Step 3: On the egress interface, we only care about multicast carrier since unicast carry broadcast directly to the destination.

ip helper-map <multicast-addr-group> <destination-unicast-addr> <ACL>
ip directed-broadcast

Note: Enable directed broadcasts on the interface connected to the receiving segment using the command ip directed-broadcast. This is needed to successfully send broadcasts out of this segment.

Tags: IP Service, Networks by hengdu
No Comments »

HSRP and VRRP Hello Package

I am always interesting in how protocol communicated. That’s why I will leave a note in here for HSRP and VRRP.

HSRP is Cisco propertary. The Hello Package between active router and standby router is sent to 224.0.0.2 UDP port 1985. (Do you remember the movie Back to the Future?)

VRRP is open standard. They use their own protocol to transport Hello package to 224.0.0.18. The protocol number is 112.

GLBP members communicate each other every 3 seconds by sending hello message to 224.0.0.102 UDP port 3222 (both source and destination).

Tags: IP Service, Networks by hengdu
No Comments »

NTP Authentication Configuration

NTP Authentication is server client mode authentication. However, instead of normal authentication, which is always server authenticate client, NTP authentication is NTP client to authenticate NTP server.

Therefore, for NTP server, the configuration is simple

ntp authentication-key 1 md5 14141B180F0B 7
ntp source Loopback0

For NTP client, we need configure to enable authentication, assign trust key, assign NTP server.

ntp authentication-key 1 md5 110A1016141D 7
ntp authenticate
ntp trusted-key 1
ntp server 192.168.3.3 source Loopback0

The server doesn’t need “ntp authenticate” command since NTP server does not need to authenticate NTP client.

The verify command is “show ntp associate detail

Tags: IP Service, Networks by hengdu
2 Comments »

PVLAN Configuration

Design wise, we may need divide one single VLAN (Broadcast Domain) to several sub-VLANs. That’s how PVLAN technology comes. Cisco 3550 doesn’t support this feature, but Cisco 3560 does. The detailed documentation is in here. This article focus on generic PVLAN configuration.

The requirement may be like this. On VLAN 100, there are 6 hosts. Host 1 and Host 2 can talk to each other. Host 3 and Host 4 can talke to each other. All four hosts cannot directly talk to host 5 in the layer 2. All 5 hosts can talk to Host 0 connected interface fa0/1.

First before first, VTP mode has to be transperant mode.

!
vtp mode transperant
!

First, we need to assign PVLAN type for each VLAN and sub-VLAN. There are three types: Primary, Community and Isolated.

vlan 100
private-vlan primary
private-vlan association 1000 1100 1200
!
vlan 1000
private-vlan community
!
vlan 1100
private-vlan community
!
vlan 1200
private-vlan isolated

Second, we need to vlan and port (physical interface) relationship. Normally, port will be promiscuous mode with primary VLAN. Also, this port should map primary VLAN to sub-VLANs. Otherwise, port will be host mode with host-association primary VLAN and sub-VLANs.

interface fa0/1
switchport private-vlan mapping 100 1000 1100 1200
switchport private-vlan mode promiscuous
!
!Connect to Host 1
!
interface fa0/2
switchport private-vlan host-association 100 1000
switchport mode private-vlan host
!
!Connect to Host 2
!
interface fa0/3
switchport private-vlan host-association 100 1000
switchport mode private-vlan host
!
!Connect to Host 3
!
interface fa0/4
switchport private-vlan host-association 100 1100
switchport mode private-vlan host
!
!Connect to Host 4
!
interface fa0/5
switchport private-vlan host-association 100 1100
switchport mode private-vlan host
!
!Connect to Host 5
!
interface fa0/6
switchport private-vlan host-association 100 1200
switchport mode private-vlan host
!

Also, some caveats should be noted

  • The VLAN database mode configuration is not support for Private VLAN.
  • Private VLAN is not propagated via VTP.
  • Isolated and community VLAN do not run their own instance of spanning tree. Tunning spanning tree has to be applied to Primary VLAN.
  • Private VLAN is broadcast restriction on Layer 2. There are still be able to communicate on Layer 3 if routed.

Tags: Networks, Switching by hengdu
No Comments »

Keepalive Interface Level Command

Keepalive command is default on Interface Level. It does a lookback testing for every 10 seconds. it is called the “Configuration Test Protocol.” It is not part of the IEEE 802.3 standard, but it is part of the original Ethernet Standard. We can look the reference for details.

If we type “no keepalive” on interface level, we basically disable loopback testing for the link. Therefore, “no keepalive” is used to prevent the Cisco switch from disabling its uplinks due to “Loopback” cause.

Tags: Networks, Switching by hengdu
No Comments »

RIPv2 Timers

There are four type of timers in Cisco implementation, three of them is coming from RFC2453, one of them is Cisco standard.

  • Update
  • Invalid (Gabage Collection Timer)
  • Flush
  • Hold Down (Cisco Standard)

picture-1

  1. Update Timer

    2. The update timer specifies the frequency of the periodic broadcasts. By default, the update timer is set to 30 seconds. Each route has a timeout value associated with it. The timeout gets reset every time the router receives a routing update containing the route.

  2. Invalid Timer

    3. When the timeout value expires, the route is marked as unreachable because it is marked invalid. The router marks the route invalid by setting the metric to 16. The route is retained in the routing table. By default, the invalid timer is 180 seconds, or six updates periods (30 x 6 = 180).

  3. Flush Timer

    4. A route entry marked as invalid is retained in the routing table until the flush timer expires. By default, the flush timer is 240 seconds, which is 60 seconds longer than the invalid timer.

  4. Hold-down Timer

    5. Cisco implements an additional timer for RIP, the holddown timer. The holddown timer stabilizes routes by setting an allowed time for which routing information regarding different paths is suppressed. After the metric for a route entry changes, the router accepts no updates for the route until the holddown timer expires. By default, the holddown timer is 180 seconds.

Tags: IGP, Networks by hengdu
No Comments »