This is a reminder on how to interpret an OSPF database on a Cisco router. I have created the following lab to test 'show ip ospf database':
The router ID (shown in red in the original post):
R3#show ip ospf database
OSPF Router with ID (3.3.3.3) (Process ID 1)
The list of all routers in the area:
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 129 0x80000002 0x0057AC 1
2.2.2.2 2.2.2.2 25 0x80000003 0x00536B 2
3.3.3.3 3.3.3.3 24 0x80000002 0x0016B6 2
All the network segments in the area and the DR for each segment. Here, 10.1.2.2 is the IP address of the DR on the segment and 2.2.2.2 is its router ID:
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.2.2 2.2.2.2 103 0x80000001 0x0021F5
10.1.4.2 2.2.2.2 25 0x80000001 0x006F9D
Each subnet, even when there is no OSPF neighbor on it:
R1#show ip ospf database internal
OSPF Router with ID (1.1.1.1) (Process ID 1)
Stub Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Mask
10.1.2.255 1.1.1.1 355 0x0 0x006D69 /24
10.1.3.255 2.2.2.2 98 0x0 0x00448D /24
10.1.4.255 2.2.2.2 315 0x0 0x003997 /24
10.1.5.255 3.3.3.3 230 0x0 0x0010BB /24
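As an added example (not part of the original post), the following Python script parses the 'show ip ospf database' output shown above and pulls out the three things the post explains: the local router ID, the list of routers that have flooded a Router LSA into the area, and the DR of each multi-access segment taken from the Net LSAs. It also flags LSA originators that are not in an operator-supplied inventory, which is the check worth running when an unexpected router shows up in the database. The sample text is a constructed re-typing of the page's output with IOS column spacing; the regexes and helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 'show ip ospf database' output from the lab above,
# re-typed with the column spacing IOS prints, so the parser runs offline.
SAMPLE = """\
R3#show ip ospf database

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         129         0x80000002 0x0057AC 1
2.2.2.2         2.2.2.2         25          0x80000003 0x00536B 2
3.3.3.3         3.3.3.3         24          0x80000002 0x0016B6 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.2.2        2.2.2.2         103         0x80000001 0x0021F5
10.1.4.2        2.2.2.2         25          0x80000001 0x006F9D
"""


@dataclass
class Lsa:
    lsa_type: str              # "Router" (type 1) or "Net" (type 2)
    area: str
    link_id: str               # type 1: originating router ID; type 2: DR interface address
    adv_router: str            # router ID of the originator
    age: int                   # seconds; MaxAge (3600) means the LSA is being flushed
    seq: int
    checksum: int
    link_count: Optional[int]  # only printed for Router LSAs


RID_RE = re.compile(r"OSPF Router with ID \((\S+)\) \(Process ID (\d+)\)")
SECTION_RE = re.compile(r"^\s*(Router|Net|Summary Net|Summary ASB|Type-5 AS External)"
                        r" Link States(?: \(Area (\S+)\))?")
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+"
                    r"(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)(?:\s+(\d+))?\s*$")


def router_id(text: str) -> str:
    """Router ID from the 'OSPF Router with ID (...)' header."""
    m = RID_RE.search(text)
    if not m:
        raise ValueError("no 'OSPF Router with ID' header found")
    return m.group(1)


def parse_ospf_database(text: str) -> List[Lsa]:
    """Walk the output section by section and turn each table row into an Lsa."""
    lsas, section, area = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, area = m.group(1), m.group(2) or "external"
            continue
        m = ROW_RE.match(line)
        if m and section:
            link_id, adv, age, seq, csum, links = m.groups()
            lsas.append(Lsa(section, area, link_id, adv, int(age), int(seq, 16),
                            int(csum, 16), int(links) if links else None))
    return lsas


def routers_in_area(lsas: List[Lsa], area: str = "0") -> List[str]:
    """Every router that has flooded a Router LSA into the area."""
    return sorted({l.adv_router for l in lsas if l.lsa_type == "Router" and l.area == area})


def designated_routers(lsas: List[Lsa]) -> dict:
    """Map each segment (keyed by the DR's interface address) to the DR's router ID."""
    return {l.link_id: l.adv_router for l in lsas if l.lsa_type == "Net"}


def unexpected_originators(lsas: List[Lsa], expected: set) -> List[str]:
    """Router IDs that originate LSAs but are not in the operator's inventory.
    Any device that can form an adjacency can inject LSAs unless OSPF
    authentication is enforced, so a new originator deserves a look."""
    return sorted({l.adv_router for l in lsas} - set(expected))


def flushing_lsas(lsas: List[Lsa], max_age: int = 3600) -> List[Lsa]:
    """LSAs that have reached MaxAge and are being withdrawn from the area."""
    return [l for l in lsas if l.age >= max_age]


if __name__ == "__main__":
    db = parse_ospf_database(SAMPLE)
    print("router ID:", router_id(SAMPLE))
    print("routers in area 0:", routers_in_area(db))
    print("DR per segment:", designated_routers(db))
    print("unknown originators:", unexpected_originators(db, {"1.1.1.1", "2.2.2.2", "3.3.3.3"}))
```

The section regex also accepts the Summary and Type-5 tables that appear in multi-area or redistributing networks, so the same parser can be pointed at a larger database than the lab's.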
Monday, November 25, 2013
Friday, November 22, 2013
Reflexive ACLs
Introduction:
By default, an ACL is not stateful. When an 'inside' client opens a session to an 'outside' host, you have to create two ACLs:
- Client to Server
- Server to Client
In our case, we would like to open everything coming from the client side and going to the server side, and deny every session initiated from the server side. With traditional ACLs this configuration is really difficult to achieve, which is why we use reflexive ACLs. This kind of ACL records each session opened from the client side and opens the necessary port and source IP for the traffic coming back from that specific server.
In our case, we are using a simple test infrastructure as can be seen in the following diagram:
The traffic coming from the client side and going to the server side is authorized. Only the response to a session opened by a client is authorized (handled dynamically by a reflexive ACL). Any other traffic coming from the server side is denied.
Configuration:
In a first step, we create an ACL to reflect outgoing packets:
ip access-list extended OUTBOUND
permit ip any any reflect MIRROR
!
interface FastEthernet0/1
ip access-group OUTBOUND out
When the client initiates a session, a reflected entry is created in MIRROR.
Router#show ip access-lists MIRROR
Reflexive IP access list MIRROR
permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)
In a second step, we create an ACL that uses the MIRROR entries to authorize the return traffic.
ip access-list extended INBOUND
evaluate MIRROR
!
interface FastEthernet0/1
ip access-group INBOUND in
Results:
Connections coming from the server side are denied:
SERVER#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Destination unreachable; gateway or host down
Connections coming from the client side are authorized:
client#telnet 10.1.3.10
Trying 10.1.3.10 ... Open
User Access Verification
Password:
SERVER>en
As you can see below, a 'reflexive' session is authorized from the server to the client:
Router#show ip access-lists
Extended IP access list INBOUND
10 evaluate Mirror
Reflexive IP access list Mirror
permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)
Extended IP access list OUTBOUND
10 permit ip any any reflect Mirror (27 matches)
Remarks:
By default, the timeout for a reflexive ACL entry is 300 seconds.
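As an added example (not part of the original post), the following Python model reproduces what the OUTBOUND/INBOUND pair above does: every outbound packet is permitted and its mirror image (source and destination swapped) is recorded as a temporary entry; inbound packets are permitted only while a matching entry is alive, and the entry expires after the 300-second idle timeout from the remark. The lab scenario replayed at the end, the class and flow names, and the choice to model only idle-timeout expiry (not the early removal of TCP entries on FIN/RST) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

REFLEXIVE_TIMEOUT = 300  # IOS default global timeout for reflexive entries, in seconds


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveAcl:
    """Models 'permit ip any any reflect MIRROR' applied outbound and
    'evaluate MIRROR' applied inbound on the same interface.
    Assumption of this example: only idle-timeout expiry is modelled, and the
    inbound ACL contains nothing but the evaluate line plus the implicit deny."""

    def __init__(self, timeout: int = REFLEXIVE_TIMEOUT):
        self.timeout = timeout
        self.mirror: Dict[Flow, float] = {}   # reflected flow -> expiry time

    def outbound(self, pkt: Flow, now: float) -> bool:
        # 'permit ip any any reflect MIRROR': permit, then record the mirror
        # image of the flow as a temporary entry with a fresh timer.
        reflected = Flow(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.mirror[reflected] = now + self.timeout
        return True

    def inbound(self, pkt: Flow, now: float) -> bool:
        # 'evaluate MIRROR': permit only packets that match a live entry and
        # refresh its idle timer on a hit. Everything else meets the implicit deny.
        self._expire(now)
        if pkt not in self.mirror:
            return False
        self.mirror[pkt] = now + self.timeout
        return True

    def _expire(self, now: float) -> None:
        self.mirror = {f: exp for f, exp in self.mirror.items() if exp > now}

    def show(self, now: float) -> List[str]:
        # Approximates the 'show ip access-lists MIRROR' lines from the post
        self._expire(now)
        return [f"permit {f.proto} host {f.src} eq {f.sport} host {f.dst} eq {f.dport} "
                f"(time left {int(exp - now)})" for f, exp in self.mirror.items()]


def lab_scenario() -> dict:
    """Replays the post's lab: client 10.1.1.10 telnets to SERVER 10.1.3.10,
    then SERVER tries to reach the client. Returns each verdict."""
    acl = ReflexiveAcl()
    client_syn = Flow("tcp", "10.1.1.10", 27797, "10.1.3.10", 23)
    server_reply = Flow("tcp", "10.1.3.10", 23, "10.1.1.10", 27797)
    reply_wrong_port = Flow("tcp", "10.1.3.10", 23, "10.1.1.10", 5000)
    server_initiated = Flow("tcp", "10.1.3.10", 40000, "10.1.1.10", 23)

    acl.outbound(client_syn, now=0)
    return {
        "entries_after_syn": acl.show(0),
        "reply_in_session": acl.inbound(server_reply, now=10),
        "reply_wrong_port": acl.inbound(reply_wrong_port, now=10),
        "server_initiated": acl.inbound(server_initiated, now=10),
        # last hit was at t=10, so the entry is gone one second after 10 + 300
        "reply_after_timeout": acl.inbound(server_reply, now=10 + REFLEXIVE_TIMEOUT + 1),
    }


if __name__ == "__main__":
    for name, verdict in lab_scenario().items():
        print(f"{name}: {verdict}")
```

The model shows why the reflexive entry is narrower than a plain 'permit tcp any eq telnet any': only the exact reversed 5-tuple is opened, so the server cannot reuse the hole to reach another port on the client, and the hole closes on its own once the session goes idle.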
Tuesday, November 19, 2013
Change the phpMyAdmin well-known URL
To access the phpMyAdmin web interface, by default you have to use the well-known URL mywebsite.com/phpmyadmin.
If you want to change this default url, you can use the following procedure:
- Open the apache.conf file, located in /etc/phpmyadmin (on many Linux distributions).
By default, this file looks like:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
- Edit apache.conf by changing the alias:
# phpMyAdmin default Apache configuration
Alias /urlsecret /usr/share/phpmyadmin
- Restart the apache service:
sudo /etc/init.d/apache2 restart
Monday, November 18, 2013
TACACS Attributes
Below is a compilation of attributes used to authenticate several kinds of equipment against an ACS server. The ACS returns the attribute to the device so that the user is granted the right shell privilege.
Nexus:
- Attribute: cisco-avp-pair
- Requirement: Mandatory
- Value: shell:roles*"network-admin vdc-admin"
Riverbed (Steelhead):
- Attribute: local-user-name
- Requirement: Mandatory
- Value: admin
WLC (Cisco Wireless Controller):
- Attribute: role1
- Requirement: Mandatory
- Value: ALL
This equipment has been tested with an ACS 5.4. Don't hesitate to add your remarks.
Tuesday, October 22, 2013
EIGRP Summary and Leak Map
Route leaking can be used when you have summarized a subnet but at the same time, you also want to announce a more specific subnet. For my lab, I have used the following design:
- In a first step, I have configured my network without summarization:
interface Loopback10
ip address 10.1.0.1 255.255.255.0
!
interface Loopback20
ip address 10.1.1.1 255.255.255.0
!
interface Loopback30
ip address 10.1.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 192.168.1.0
R2:
interface Loopback10
ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.1.2 255.255.255.0
!
router eigrp 1
network 192.168.0.0 0.0.255.255
Results (on R2):
R2# show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 3 subnets
D 10.1.0.0 [90/409600] via 192.168.1.1, 00:01:11, FastEthernet0/1
D 10.1.1.0 [90/409600] via 192.168.1.1, 00:01:11, FastEthernet0/1
D 10.1.2.0 [90/409600] via 192.168.1.1, 00:01:11, FastEthernet0/1
As you can see, 3 subnets are seen in the routing table of R2.
- Now, I have configured a summary address on R1:
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip summary-address eigrp 1 10.1.0.0 255.255.252.0
Results (on R2):
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/22 is subnetted, 1 subnets
D 10.1.0.0 [90/409600] via 192.168.1.1, 00:00:39, FastEthernet0/1
Only one summarized subnet is seen on R2.
- The final step is to configure the route leaking on R1:
ip access-list standard LEAK-MAP
permit 10.1.1.0 0.0.0.255
!
route-map LEAK-MAP permit 10
match ip address LEAK-MAP
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip summary-address eigrp 1 10.1.0.0 255.255.252.0 100 leak-map LEAK-MAP
Results (on R2):
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.0.0/22 [90/409600] via 192.168.1.1, 00:06:10, FastEthernet0/1
D 10.1.1.0/24 [90/409600] via 192.168.1.1, 00:00:34, FastEthernet0/1
Both subnets are seen on R2:
- Summarized (10.1.0.0/22)
- Specific (10.1.1.0/24)
For me, it's impossible to realize an equivalent configuration with OSPF.
Don't hesitate to leave a comment if you have already seen this configuration for OSPF.
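As an added example (not the post's own code), the following Python function models the advertisement logic walked through in the three steps above: without a summary every component is sent, with 'ip summary-address' only the summary is sent, and with a leak-map a component matched by the route-map's ACL is sent alongside the summary. It assumes a leak-map whose route-map has a single permit clause referencing a standard ACL (as in the post), ignores split horizon and metrics, and writes ACL entries in IOS wildcard form, which Python's ipaddress module accepts as a hostmask. The function name and the empty-component case are this example's additions.

```python
import ipaddress
from typing import Iterable, List, Optional


def eigrp_advertised(components: Iterable[str], summary: Optional[str] = None,
                     leak_acl: Iterable[str] = ()) -> List[str]:
    """Prefixes a router sends out of an interface configured with
    'ip summary-address eigrp <as> <summary> [leak-map <map>]'.

    components: prefixes in the router's EIGRP topology ("10.1.0.0/24", ...)
    summary:    the summary prefix, or None when no summary is configured
    leak_acl:   'permit' entries of the standard ACL used by the leak-map,
                given as "network/wildcard" (contiguous wildcards only)
    Assumption of this example: one permit clause, standard ACL match,
    split horizon and metrics not modelled.
    """
    nets = [ipaddress.ip_network(c) for c in components]
    if summary is None:
        return [str(n) for n in sorted(nets)]            # step 1: no summarization

    summ = ipaddress.ip_network(summary)
    # "10.1.1.0/0.0.0.255" parses as a hostmask, i.e. the ACL's wildcard form
    leak = [ipaddress.ip_network(a) for a in leak_acl]
    advertised = set()
    covered = 0
    for n in nets:
        if n.subnet_of(summ):
            covered += 1
            # standard ACL semantics: the route's network address must fall
            # inside a permitted entry for the component to be leaked
            if any(n.network_address in a for a in leak):
                advertised.add(n)                         # step 3: leaked specific
        else:
            advertised.add(n)                             # outside the summary: unchanged
    if covered:
        advertised.add(summ)                              # step 2: summary replaces components
    # the summary is only generated while at least one component route exists
    return [str(n) for n in sorted(advertised)]


if __name__ == "__main__":
    loopbacks = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
    print("no summary:    ", eigrp_advertised(loopbacks))
    print("summary:       ", eigrp_advertised(loopbacks, "10.1.0.0/22"))
    print("summary + leak:", eigrp_advertised(loopbacks, "10.1.0.0/22", ["10.1.1.0/0.0.0.255"]))
```

The three calls in the main block correspond to the three 'show ip route eigrp' outputs captured on R2. The function also makes a point the post does not need to show: when the last component disappears the summary is withdrawn with it, so a leak-map alone never keeps a dead summary alive.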
Friday, October 18, 2013
MAC Flapping detection
By default, the command mac address-table notification mac-move is not configured on a Catalyst 4500 (4k5). This command makes the switch detect MAC flapping and report it with a log message (see the generated logs below):
#mac address-table notification mac-move
Jul 9 08:12:26.707: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul 9 08:12:28.111: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16
Jul 9 08:12:28.499: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul 9 08:12:28.519: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16
If this command is not configured, you will most likely notice MAC flapping only through high CPU (if CPU is monitored!). When you detect a CPU peak, finding the root cause is not trivial. To determine whether it is MAC flapping, you can use the following command:
C4510#show platform health
%CPU %CPU RunTimeMax Priority Average %CPU Total
Target Actual Target Actual Fg Bg 5Sec Min Hour CPU
RkiosObflMan 0.50 0.00 4 0 100 500 0 0 0 51:24
GalChassisVp-review 3.00 0.11 10 40 100 500 0 0 0 1260:27
S2w-JobEventSchedule 10.00 0.90 10 8 100 500 1 1 1 15025:10
...
K5L3Unicast Adj Chan 2.00 0.00 15 1 100 500 0 0 0 12:14
K5L3Unicast Adj Tabl 2.00 11.07 15 11 100 500 6 7 5 55618:52
K5L3AdjStatsMan Revi 2.00 0.15 10 11 100 500 0 0 0 3972:07
...
K5 L2 Unicast Addres 2.00 0.00 20 10 100 500 0 0 0 0:18
K5 L2 Multicast Addr 2.00 0.00 20 0 100 500 0 0 0 0:08
K5 L2 Hardware Addre 2.00 15.06 20 14 100 500 11 12 7 88117:09
As seen above, two processes are abnormally high:
- K5L3Unicast Adj Tabl: due to the ARP table being refreshed; a new MAC address is continuously associated with the same IP address.
- K5 L2 Hardware Addre: the MAC address to physical interface mapping is also continuously refreshed.
To confirm, enter the command mac address-table notification mac-move and check the log messages.
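As an added example (not part of the original post), the following Python script turns the HOSTFLAPPING log messages above into a detection: it parses each line into a (MAC, VLAN, from-port, to-port, timestamp) event and flags any host that moved at least three times inside a ten-second window, which separates a genuine flap (loop, duplicated MAC, host bouncing between two uplinks) from a single legitimate re-patch. The sample log is constructed from the four lines on the page plus one invented line for a host that moved once; the regex, thresholds and function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: the HOSTFLAPPING lines from the post, plus one invented
# line (00:11:22:33:44:55) for a host that moved port exactly once.
LOG = """\
Jul 9 08:12:26.707: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul 9 08:12:28.111: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16
Jul 9 08:12:28.499: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul 9 08:12:28.519: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16
Jul 9 08:15:02.003: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:55 in vlan 50 is moving from port Gi2/3 to port Gi2/4
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"%C4K_EBM-4-HOSTFLAPPING: Host (?P<mac>[0-9A-Fa-f:]{17}) in vlan (?P<vlan>\d+) "
    r"is moving from port (?P<src>\S+) to port (?P<dst>\S+)$")


def parse_hostflapping(log: str) -> List[dict]:
    """Extract one move event per HOSTFLAPPING line; other syslog lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # IOS timestamps carry no year; strptime fills in 1900, which is fine
        # because only the deltas between events are used below.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
        events.append({"ts": ts, "mac": m["mac"].upper(), "vlan": int(m["vlan"]),
                       "src": m["src"], "dst": m["dst"]})
    return events


def find_flapping(events: List[dict], window_s: float = 10.0,
                  min_moves: int = 3) -> Dict[Tuple[str, int], dict]:
    """Flag (MAC, VLAN) pairs that moved at least min_moves times within any
    window_s-second window. One move is a normal re-patch; a burst between the
    same two ports is a loop, a duplicated MAC or a host bouncing between links."""
    by_host = defaultdict(list)
    for e in events:
        by_host[(e["mac"], e["vlan"])].append(e)

    report = {}
    for key, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = 0, 0
        for i in range(len(evs)):                 # two-pointer sliding window
            while (evs[i]["ts"] - evs[j]["ts"]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_moves:
            ports = sorted({p for e in evs for p in (e["src"], e["dst"])})
            report[key] = {"moves_in_window": best, "total_moves": len(evs),
                           "ports": ports, "first": evs[0]["ts"], "last": evs[-1]["ts"]}
    return report


if __name__ == "__main__":
    for (mac, vlan), r in find_flapping(parse_hostflapping(LOG)).items():
        print(f"FLAP vlan {vlan} {mac}: {r['moves_in_window']} moves in window, "
              f"ports {', '.join(r['ports'])}")
```

Run against a syslog collector's export rather than the switch buffer, the same two functions give the alert the post asks for without waiting for a CPU spike; the ports list in the report tells you which pair of links to look at first.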