Sunday, December 28, 2008

IP Routing technology Q&A

Scoot to here for excellent routing Q&A from Cisco.....

Ahh finally RIP happened

I generally don't like the Christmas holidays much - everything's too unreal, synthetic, commercial, hurried; I prefer working and taking Easter off... so I worked over Christmas, hopefully that kept your data flowing :-)....

I however welcome the time it allows me to do 'my own stuff'; I can take control of time and pace myself. For instance, I have managed to go through Doyle's Routing TCP/IP (both volumes) - this was more of a refresher. I managed to cover the switching and frame relay parts of the Cisco blueprint, familiarized myself with the Cisco documentation site and listened to albums I had bought but not had a chance to fully listen to (Coldplay - Viva la Vida, Travis - The Boy with No Name, and I found a Foreigner - Greatest Hits, not sure that's mine but it did make for good listening on Sunday morning) .....

Aaanyway I started on routing protocols, beginning with RIP; since I may never work on it apart from the CCIE, a lab was required to cement some of the concepts:

RIP Concepts:
http://www.faqs.org/rfcs/rfc1723.html
http://www.faqs.org/rfcs/rfc2453.html
http://www.faqs.org/rfcs/rfc1058.html

  • RIP comes in two versions, 1 and 2. Generally you use version 2 unless you're a dinosaur stuck in 1993 or thereabouts :-) Heck, using any version of RIP almost makes you one, but that's neither here nor there; we need this for the exam. I wonder if there's any circumstance under which you might be required to run RIPv1.
  • It's a distance-vector protocol, same as IGRP. The simple requirement for this kind of protocol is that a router informs its neighbors of topology changes periodically.
  • Uses 224.0.0.9 for neighbor discovery. This can be changed to use unicast neighbor statements. I however didn't get this to work. I think a broadcast can also be used but I never tested this either.
  • RIP uses split horizon with poison reverse - this is a technique to ensure loops never form. Google for expanded explanations.
  • Version 1 is classful; version 2 can carry subnet mask information in its updates.
  • Version 2 supports authentication.
  • Umm, please send me other key features I might have missed.
The topology:
I use GNS3 for any topology that doesn't require advanced switching. I'll upload all the files used for the lab in case you feel like replaying it.

Loopback addresses:
R0: Loopback0 : 172.20.1.1/32
R1: Loopback0 : 172.20.2.1/32

Point-to-point serial addresses:
R0: Serial1/0 : 192.168.10.1/30
R1: Serial1/0 : 192.168.10.2/30

Frame Relay addresses:
R0: Serial1/1.105 : 192.168.20.1/30
R1: Serial1/1.501 : 192.168.20.2/30

Ethernet interfaces:
R0: FastEthernet0/0: 20.20.20.1/24
R1: FastEthernet0/0: 10.10.10.1/24

The lab uses Cisco 3660 routers - get the legal IOS. The DLCIs correspond to the frame relay subinterfaces:

R0

! the loopback and fastethernet are not really required but we'll use their addresses to confirm
! routing updates.
interface Loopback0
ip address 172.20.1.1 255.255.255.255

interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
duplex auto
speed auto

! used for the point to point
interface Serial1/0
ip address 192.168.10.1 255.255.255.252
serial restart-delay 0
no dce-terminal-timing-enable

! used for frame relay to R1
interface Serial1/1.105 point-to-point
ip address 192.168.20.1 255.255.255.252
frame-relay interface-dlci 105

! Note: we are sending routing updates out all our interfaces. You can uncomment the commented
! lines below to ensure updates only go out the two connected serial interfaces:
router rip
version 2
!passive-interface default
!no passive-interface Serial1/0
!no passive-interface Serial1/1.105
network 20.0.0.0 ! the ethernet network
network 172.20.0.0 ! the loopback
network 192.168.10.0 ! the serial point-to-point network
network 192.168.20.0 ! the frame relay network
! I had thought removing these last two networks and establishing unicast neighbors using neighbor
! statements would work, but something didn't work out. I'll revisit this some day.
no auto-summary

R1

interface Loopback0
ip address 172.20.2.1 255.255.255.255

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto

interface Serial1/0
ip address 192.168.10.2 255.255.255.252
serial restart-delay 0
no dce-terminal-timing-enable

interface Serial1/1.501 point-to-point
ip address 192.168.20.2 255.255.255.252
frame-relay interface-dlci 501

router rip
version 2
! Just to show you how you can filter outgoing updates, I used the reverse of the RIP configuration
! above (R0) on the passive-interface statement. The lines below suppress updates going out the
! FastEthernet and Loopback interfaces -- Loopback??

! passive-interface FastEthernet0/0
! passive-interface Loopback0
network 10.0.0.0
network 172.20.0.0
network 192.168.10.0
network 192.168.20.0
no auto-summary


That's the basic configuration that got my RIP running.

Verification:

R1

R1#sh ip int br | exclude una
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.10.10.1 YES manual up up
Serial1/0 192.168.10.2 YES manual up up
Serial1/1.501 192.168.20.2 YES manual up up
Loopback0 172.20.2.1 YES manual up up


R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router rip
R1(config-router)#no offset-list 0 out 14 Serial1/0
R1(config-router)#no offset-list 1 in 2 Serial1/1.501
R1(config-router)#
R1(config-router)#^Z
R1#clear ip ro
*Mar 1 00:11:17.931: %SYS-5-CONFIG_I: Configured from console by console

R1#sh ip protocols
Routing Protocol is "rip" ! The running Protocol
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 15 seconds ! the interval between updates
Invalid after 180 seconds, hold down 180, flushed after 240 ! 'invalid after' - after 180 seconds the route will be declared invalid
Redistributing: rip ! protocols being redistributed
Default version control: send version 2, receive version 2 ! version
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Serial1/0 2 2
Serial1/1.501 2 2
Loopback0 2 2 !Interfaces RIP is running on. You can change this using the passive-interface command
Automatic network summarization is not in effect
Maximum path: 4 !This is the number as seen under interfaces above. Note the loopback interface is counted :-)
Routing for Networks:
10.0.0.0
172.20.0.0
192.168.10.0
192.168.20.0 ! networks RIP is routing for. I had always assumed using unicast neighbors would negate the need for putting in networks for point-to-point links. I'll test this again and probably revert later on.
Routing Information Sources:
Gateway Distance Last Update
192.168.10.1 120 00:00:18
192.168.20.1 120 00:00:13
Distance: (default is 120)

*Important: enable 'debug ip rip' and 'debug ip rip events' for clearer visibility of what's going on.....


R0

R0(config-router)#do sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 20.20.20.1 YES manual up up
Serial1/0 192.168.10.1 YES manual up up
Serial1/1.105 192.168.20.1 YES manual up up
Loopback0 172.20.1.1 YES manual up up

To verify reachability, ping all the other router's addresses. I use Tcl both for demonstration and to make life easier - I assume for the lab I'll have many many 'places' to ping and a script will come in handy:

R0#tclsh
R0(tcl)#
R0(tcl)#!

R0(tcl)#foreach address {
+>(tcl)#10.10.10.1
+>(tcl)#192.168.10.2
+>(tcl)#192.168.20.2
+>(tcl)#172.20.2.1
+>(tcl)#} {
+>(tcl)#Ping $address
+>(tcl)#}

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/156/248 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/130/188 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/148/212 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/123/164 ms
R0(tcl)#tclquit


R0#sh ip route rip
172.20.0.0/32 is subnetted, 2 subnets
R 172.20.2.1 [120/1] via 192.168.20.2, 00:00:11, Serial1/1.105
[120/1] via 192.168.10.2, 00:00:11, Serial1/0
10.0.0.0/24 is subnetted, 1 subnets
R 10.10.10.0 [120/1] via 192.168.20.2, 00:00:11, Serial1/1.105
[120/1] via 192.168.10.2, 00:00:11, Serial1/0

Did you notice the offset-list 0 out 14 Serial1/0 command on R1? Applied outbound, this can help you ensure that a router you don't have control over doesn't send your routes on to any of its neighbors via RIP. The hop count will be 15 in my case, so R1 can't send out that route. *They could choose to redistribute via another protocol and ignore the metric. You could also use the offset to decide which interface should receive what network.

An offset list is the mechanism for increasing the incoming and outgoing metrics of routes learned via RIP. Alternatively, prefix lists and extended access lists can also be used to filter routes.
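The RFC 2453 packet layout from the concepts list above, and the receive-side metric arithmetic this offset-list trick relies on, as an added Python example (mine, not from the original post or any Cisco code): it builds a constructed RIPv2 Response carrying a simple-password authentication entry, decodes it, and applies the RFC's rule of adding the link cost and treating 16 as unreachable, so prefixes R1 sends at 1 + 14 = 15 come out unreachable on the far side. The password and the third route entry are constructed for contrast.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

RIP_RESPONSE, RIP_V2, INFINITY = 2, 2, 16      # command, version, "unreachable" metric
AF_INET, AUTH_AFI, AUTH_SIMPLE = 2, 0xFFFF, 2    # route AFI, auth AFI, simple-password type


def route_entry(prefix, next_hop, metric):
    """One 20-byte RIPv2 route entry: AFI, route tag, address, mask, next hop, metric."""
    net = IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", AF_INET, 0, net.network_address.packed,
                       net.netmask.packed, IPv4Address(next_hop).packed, metric)


def auth_entry(password):
    """Authentication entry (RFC 2453 4.1): AFI 0xFFFF, auth type in the tag field."""
    return struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password.encode().ljust(16, b"\0"))


def parse_response(data):
    """Decode a RIPv2 Response: 4-byte header followed by 20-byte entries."""
    command, version, _zero = struct.unpack("!BBH", data[:4])
    if command != RIP_RESPONSE or version != RIP_V2:
        raise ValueError("not a RIPv2 Response")
    auth, routes = None, []
    for off in range(4, len(data), 20):
        afi, tag = struct.unpack("!HH", data[off:off + 4])
        if afi == AUTH_AFI:                          # auth entry takes the first slot
            auth = {"type": tag, "data": data[off + 4:off + 20]}
            continue
        addr, mask, nh, metric = struct.unpack("!4s4s4sI", data[off + 4:off + 20])
        prefix = IPv4Network((addr, str(IPv4Address(mask))))
        routes.append({"prefix": str(prefix), "next_hop": str(IPv4Address(nh)),
                       "metric": metric})
    return {"auth": auth, "routes": routes}


def receive(data, link_cost=1):
    """RFC 2453 3.9.2: new metric = min(advertised + cost, 16); 16 means unreachable.
    Reports whether the update carried an authentication entry instead of trusting it."""
    decoded = parse_response(data)
    result = {"authenticated": decoded["auth"] is not None,
              "installed": {}, "unreachable": []}
    for r in decoded["routes"]:
        if not 1 <= r["metric"] <= INFINITY:         # validity check from RFC 2453 3.9.2
            raise ValueError(f"bad metric {r['metric']} for {r['prefix']}")
        metric = min(r["metric"] + link_cost, INFINITY)
        if metric == INFINITY:
            result["unreachable"].append(r["prefix"])
        else:
            result["installed"][r["prefix"]] = metric
    return result


def build_demo_packet():
    """Constructed update (not R1's real table): the first two prefixes leave R1's
    Serial1/0 at 1 + 14 = 15 because of 'offset-list 0 out 14'; the third is sent
    at the plain metric 1, as it would leave an interface with no offset-list."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    return header + auth_entry("lab-secret") + b"".join([   # constructed password
        route_entry("172.20.1.1/32", "0.0.0.0", 1 + 14),    # 0.0.0.0 = use the sender
        route_entry("20.20.20.0/24", "0.0.0.0", 1 + 14),
        route_entry("172.20.2.1/32", "0.0.0.0", 1),
    ])
```

Running `receive(build_demo_packet())` shows only 172.20.2.1/32 installed (metric 2); the two offset prefixes land at 16 and are dropped, which is the behaviour the offset-list is after.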

e.g.:
Test route filtering, e.g. allow 20.0.0.0 only from 2.3.4.5:

ip prefix-list FILTER permit 10.0.0.0/8 ! that's what will appear in the routing table
ip prefix-list SOURCE permit 2.3.4.5/32 ! the update source (gateway) we accept it from
distribute-list prefix FILTER gateway SOURCE in

or use an extended access-list:

access-list 100 permit ip host 2.3.4.5 host 10.0.0.0
distribute-list 100 in

*This second method is not really documented, but it works.

That's it for RIP for now.
http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1crip.html#wp4653

*A few unrelated questions:
1: I edited and fixed the tables and their width. I like the new width now!

2: How do I upload zipped files? I had said I'd send out the dynamips .net and nvram files.... I can't see a quick way to do this on Blogger. --- Please note I found a workable solution and uploaded the files; you can pick them up and play here, in .zip format.

Sunday, December 14, 2008

Wireshark 1.0.5 is released

Ahh, imagine my delight when I found Wireshark's new release out. Better still, I was quite excited to find support for ANSI MAP & BSSGP.... anyway go get it here....
http://www.wireshark.org/download.html

Tuesday, December 9, 2008

How to Configure the 3G Wireless HWIC (HWIC-3G-GSM)

The 3G/GSM/HSDPA etc etc market has really opened my life up to many many equipment vendors. One of the most popular terminals is the Huawei E220 (I found an interesting write-up on its Linux drivers here, but if that doesn't work for you please give me a shout; I can help you get your internet up and running on natively unsupported OSes), and then you of course have Sarian Systems. Both of them have excellent local support and don't have as many quirks as the rest of them - the rest of them could be any other terminal you can think of....

Anyway, of late Cisco (though vendor support highly depends on how you came across the equipment, i.e. if you bought it in Dubai through some back channel then you might be on your own :-) and maybe me :--)) have been making some headway with their Third-Generation Wireless WAN High-Speed WAN Interface Cards. It's mainly sold by Cisco, at least from their website, as a backup solution, but with proper coverage you can do a lot more than backup with it. In fact I'm yet to find someone using it as a backup solution in this part of the world.

My friend got one of those modules off eBay and wanted a basic configuration to get it to work without anything fancy on the router; I promised I'd post it and here goes:

Please note this config was made and tested on the Safaricom network.
It would also be wise to confirm the firmware you're running before setting off. Cisco might say that this is a 3G/GSM modem, but on GPRS/EDGE the performance on this router is a bit dicey; still, it's better than nothing if used as a backup..

Basic configuration to get you browsing quickly with NAT:
! Create a profile; up to 16 profiles can be created:
cellular gsm profile create 1 safaricom chap saf saf

ip cef

chat-script safaricom "" "ATDT*99***1#" TIMEOUT 60 "CONNECT"
! Defines the ATDT dial string sent when the dialer is initiated. This one dials Safaricom.

interface Cellular0/0/0
ip address negotiated
!The IP address for a particular interface is obtained via PPP address negotiation.

ip nat outside
!You may or may not require NAT

encapsulation ppp
! Specifies PPP encapsulation for an interface configured for dedicated asynchronous mode or
! dial-on-demand routing (DDR).

dialer in-band
!Enables DDR and configures the specified serial interface to use in-band dialing.

dialer string safaricom
!Specifies the number or string to dial.

dialer-group 1
! Specifies the number of the dialer access group to which this interface belongs. This is
! visible further down, referenced by dialer-list 1 / access-list 1.
async mode interactive
ppp chap hostname saf
ppp chap password 0 saf
ppp ipcp dns request
!

access-list 1 permit any
dialer-list 1 protocol ip list 1

ip route 0.0.0.0 0.0.0.0 Cellular0/0/0

ip dhcp pool jg
network 30.10.1.0 255.255.255.0
default-router 30.10.1.254
dns-server 196.201.208.2

int f0/0
ip address 30.10.1.254 255.255.255.0
ip nat inside
no shut

line 0/0/0
exec-timeout 0 0
script dialer safaricom
login
modem InOut
no exec

ip nat inside source list 10 interface Cellular0/0/0 overload
!
! create access list 10 (a standard ACL, so no 'ip' keyword)
access-list 10 permit 30.10.1.0 0.0.0.255

Others:
Tunnel over Cellular Interface Configuration - this is also proving to be a very popular configuration. Basically, to get this working:

! Data center side, connected via some leased line. A cellular interface would also work but I don't
! recommend it:

interface Tunnel1
description Client_1
ip unnumbered FastEthernet0/0
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 172.2x.x.1
!this will be the address assigned to the cellular interface on the other end.
!end

ip route 30.10.1.0 255.255.255.0 tunnel 1 name Client_1

Client end:
interface Tunnel1
description Client_1
ip unnumbered FastEthernet0/0
keepalive 10 3
! leave this in - it happens sometimes that a cellular interface goes down but the tunnel
! remains up
tunnel source Cellular0/0/0
tunnel destination 196.x.x.x
! This will be the address of the HQ site's interface (or its cellular interface).

Other applications like NAT with IPsec and backup services can also be done with this module.
You can upgrade your firmware with instructions and firmware found here:
Modem Firmware Upgrade.

The full configuration guide can be found here:
Configuring the 3G Wireless High-Speed WAN Interface Card

Happy holidays....

Certifications

It was a happy surprise to find a topic I find quite interesting: certifications.... Around here one of the biggest issues is getting 'good anything'... good books take ages to get delivered and are expensive for most of us, good labs are non-existent, and good training schools and trainers are arguably the biggest barrier to quality techies and certifications. I had to travel to Dubai for my MPLS class; Cisco trainers/training schools don't exist here for professional-level certs, and MPLS was too new for me at the time to start going through books... I needed things explained...

The internet, PDFs, torrents and travelling friends have to some extent filled the gap by bringing in the materials necessary, dynamips has sort of filled the lab gap, some companies like the one I work for actually allow you to order books for a library/resource center that you can then borrow from, and as luck would have it I can whip up a rack on short notice in the office and to some extent at home.... but the demand is still quite high, and not everyone has the same privileges. Every once in a while I run prospective certificate holders through technologies they might find difficult to understand that I do; it makes me feel better, especially if they go on to achieve whatever they wanted.

But as everyone goes chasing certifications, here are a few posts that might be worth looking through. I especially like the ones asking you to push on, persevere, share the knowledge you learn and, best of all, enjoy your certification journey:

Most if not all come from Ivan Pepelnjak's blog:
  1. How much knowledge will I gain by studying for a certification?
  2. Knowledge or recipes?
  3. Certifications: A new barrier to entry?
  4. How well does Cisco’s certification training map to my actual network?

And before I forget, we have Greg Ferro's Certification Matters: this was a series of articles that helped pass a really dull morning at work and was for me quite thought-provoking...

Here are all the links:
  1. Certification Matters -- grab some coffee, start from the first one, go through them all.
  2. Musing: On Permanent and Ephemeral Knowledge and Exam Study
  3. Musing: On Reading and Learning From a Computer Screen
Well, for me, I've really enjoyed my journey thus far, and I decided to take one more Cisco cert next year and a Juniper one (if the discounted offer carries on :-)) for reasons outlined earlier.... happy holidays....

Wednesday, December 3, 2008

Almost decided....

Yes, I almost have a concrete course of action:....

December will be used to prepare for the written exam, to be taken in January as posted earlier; having come from a CCIP should make some topics easier, while having an old CCNP won't help much in some areas. So to borrow Cisco's tips:

My weakest areas from the exam blueprint are as follows (Top is weakest):

IP Multicast

  • Not used much here (Kenya) yet, and at work, apart from my small lab and probably in small ways for redundancy for some equipment/databases, I have not delved into any multicast technologies deeply. I'll probably work on it sometime in January so it's still fresh for the exam. Practice labs should be interesting.


Bridging and Switching

  • Frame relay
  • Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, Trunk, Etherchannel, management, features, advanced configuration, Layer 3
  • Tunneling
  • Frame relay is a technology I haven't touched for more than 3 years now. I however doubt the theory has changed much. The labs will definitely kick my ass...

IP IGP Routing

  • Comes a close third due to the fact that IPv6 is not a very strong point for me. However, the theory/written R&S exam doesn't worry me much; I'm pretty sure I can hold my own in an exam situation. I'll however have to spend more time on the rack for this. Kenya is making slow progress towards IPv6 and I think it will be good knowledge to practice and archive for when the time comes.
  • The rest - OSPF, EIGRP, RIPv2, GRE, ODR, filtering, redistribution, summarization and other advanced features - will be brushed up on. I'm not worried much.


IP and IOS Features
  • I see a lot of new features. The DocCD will probably help here. I need to confirm which IOS is used in the labs.


Security
QOS
BGP

That's the list......

I'll start with switching and bridging today and concurrently start familiarizing myself with the IOS features.... so hopefully I get some notes in today.....

Tuesday, December 2, 2008

What is this about?

Well, I just completed a CCIP; I did this mainly to renew my CCNP/CCNA. Having worked on Cisco gear for well over 5 years now, I figured it's about time I pursued a CCIE - there's the added fact that one of my friends just cleared his CCIE a few months back, so the motivation could be just trying to match my skill in a lab. BTW Kenya by my last count has just 3 CCIEs; I know one, and I'd really like to know the other two and when they certified. I'll need tips. I'm taking a few days to collect as much info as I can, make a clear plan and put together some materials....

The one advantage I have apart from the experience is the fact that I have a ready rack, and dynamips will more than make up for anything I can't get. No, I don't have concrete exam dates, but I should be done with the written by end of January '09 (I'm, shockingly, left with some time to spare and dedicate to reading this December and January) - the lab depends: if the company I work for agrees to sponsor me then May/June is my timeline, otherwise slowly saving towards the exam/travel etc etc will probably push me to October.... more on this later.

No, the posts won't be all Cisco, or CCIE... I tend to do a lot of work on GGSNs, SGSNs, 3G, HSDPA, cycling, biking, living etc etc, some system administration, and anything I feel might be of help to someone else will definitely show up here, but the main thing will probably be note taking :-)

Comparisons and posts on how things work here vs there will be quite welcome. We, for instance, still rely on satellite for 'internet'; a small network in North America would probably be the biggest here.... so for instance dimensioning for a network is a bit different, especially if done by consultants remotely....