NMC Lab 8

Took a day out of work today to see what I could get out of Lab 8.  Once again, the lab caught me unawares in several places.  Here are some of the lessons:

8.1.4. PPP over Frame Relay

I had not done a PPP over Frame Relay before.  It is an interesting technique involving configuring a Virtual-Template interface that then spawns a Virtual-Access interface when it connects.  Here for the Cisco Configuration guide.

One configuration “gotcha” caught me out.  I have tripped over so many “gotchas” in the past that I have decided to make a list of them (top right, under “pages”) and write a small posting on each.

It is interesting that the example in the Cisco doument has three levels of interface: a physical interface, a point-to-point subinterface that defines the DLCI, and the PPP Virtual-Template.  The NMC answer key has only two: they go straight from the physical interface to the Virtual-Template.  Pros and Cons of each approach? 

One thing I did not manage to do: to get R3 and R4 to ping their own addresses on the PPP link.  They could each ping their partner’s address, but not their own.  I spent a long time trying to get this to work before giving up and looking at the AK.  Then I find that their solution doesn’t reach those addresses either.  They might have said so!  I have asked the question on the DISCUSSiT forum, but there seems to be less and less activity there.

Redistribution into RIP

Beware any border router that has two interfaces in the RIP domain; there could be an internal loop within the RIP domain.  In particular, beware of injecting any external route that has an AD more than 120.  The injected route will go round the loop, and appear at the other interface with a greater hop count, but an AD of 120, where it will overwrite the original injected route.  The route can thrash.  Or not … if you are lucky, the updates will go both ways round the loop and meet on some other non-border router, where they are safe.  There is a similar lesson in Lab 23, but with a rather simpler loop.

8.7. BGP

I have already had a good rant about the apalling contradictory requirements of this section.  Now I must concentrate of what I can learn from this section:

• A BGP speaker, even if a route reflector, will not send a prefix to a neighbor that is in that same cluster as the one he learned it from.  The scenario leverages this behavior in an unusual way by deliberately using the feature to break reachability.
• A route reflector will not touch next-hop information.  Eeven if it has next-hop-self configured, that does not apply to reflected routes.  (The scenario was not intended to teach that but a screw-up in my topology led me down that path.)
• Interestingly, because next-hop is not touched as the route propagates along the AS 100 chain, the traffic itself takes a shortcut CAT1-R3-R4-CAT2.

I implemented the solution proposed in the AK, and it seemed to work OK.  Then, just to be perverse, I looked around for other solutions that ignored various bits of the requirements.  (Well, their solution ignores requirement 8.7.4., so I felt at liberty to keep 8.7.4 and to ignore something else instead.)  BTW, this section won’t make much sense unless you have the scenario in front of you.

I thought I would try peering R3-CAT2 and R4-CAT1.  That should inject the routes into AS 100 by two different ways, and is not expressly forbidden by the scenario.  My problem was which addresses to peer.  I had no luck peering the loopback addresses, because those have multiple paths, some going back the way you came.  I tried peering with the addresses on the 172.16.34.0/24 link, but had not luck with that either.  For some reason it does not like peering from a Virtual-Template address:

R3#
Feb 20 15:57:15.760: BGP: 172.16.46.20 active open failed - update-source Virtual-Template1
is not available, open active delayed 25730ms (35000ms max, 28% jitter)

So, I settled on these peerings:

• CAT1 (172.16.38.10) <–> R4 (172.16.46.4)
• CAT2 (172.16.46.20) <–> R3 (172.16.38.3)

Really perverse, I know.  It almost worked as well.  The only thing that didn’t work was that if I take down the peering R5<–>R3, then R5 can no longer reach 100.100.100.1.  Conversely, if I take down the peering R2<–>R4, then R2 can no longer reach 200.200.200.1.  R2 is rejecting the route to 200.200.200.0/24 because it has the same cluster-id.  Or maybe FRS is not sending it, I’m not sure.

I’ve had enough of this BGP scenario for now.  If I get time I shall try some other techniques.  I thought of making AS100 a confederation with a different AS on each router in the chain, and give R2 and R5 the same AS number.  That should do the 8.7.7. trick.  Another possiblity is to mark the route with a community that would make R2 / R5 drop it.  But that’s enough for now.

8.8. VPN

Got this bit OK, but 20 minutes was a little longer than I should have taken over it.  I must be geting tired.  The issue was to keep the infrastructure RIP routes seperate form the VPN RIP routes in R3.  (I thought they were going to implement virtual routers at some point?)  They defined the infrastructure routes as everything except the sepcific VPN routes.  I defined the infrastructure as 172.16.0.0/16 and the VPN as 10.10.0.0/16.  Six of one and half-a dozen of the other I suppose.

 

 

NMC Lab 8

Set up the initial conditions for NMC lab 8 yesterday (Sunday) evening.  Each time I finish a lab, I save the configs of each router in flash (e.g. flash:Lab07.R4.cfg) so that I can go back to it with a copy Lab07.R4.cfg start.  On the switches, I save a copy of the vlan.dat as well.  Just for good measure, I also save the configs on my PC.  It takes me about 20 to 30 minutes to save the old lab and set up the initial configs for the new one.

Read through Lab 8 in the lobby of the Conservatoire de Musique de Luxembourg while my 11-year-old son was in his bass guitar lesson.  Got quite annoyed with the BGP scenario because I could not work it out.  Found out from the answer key that the solution involves breaking one of the requirements.  What is that? I hope there are no incompatible requirements like that in the real exam, otherwise I might as well give up now. Ranted about it on the DISCUSSiT forum.

No time to do any lab work this evening – busy all evening with a scout leaders’ meeting.

NMC Lab 7.17 Multicast

So, to the multicast.  Accompanied by Gordon Giltrap’s excellent album “Fear of the Dark”.

Configured it all up according to the requirements, configuring static RP all over just to be quick-and-dirty.  (I shall play with BSR later.)  Pinged 227.7.7.7 from 172.16.31.1 on R1. Nothing.  Enabled debug ip mpacket on R3 and tried again.

Feb 17 16:27:38.106: IP(0): s=172.16.31.1 (FastEthernet0/0.10) d=227.7.7.7 id=2, ttl=254,
 prot=1, len=114(100), RPF lookup failed for source or RP[OK]

So, an RPF failure. It is not expecting multicast packets form 172.16.31.1 to arrive on FastEthernet0/0.10.  So where is it expecting them to arrive?

R3#show ip route 172.16.31.1
Routing entry for 172.16.31.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Advertised by bgp 300
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0.10
      Route metric is 0, traffic share count is 1

 Huh?  Scratches head.  RPF failure when the packet arrives on Fa0/0.10, but the route to the source is via Fa0/0.10.  What is going on?  Must be that strange secondary addressing that is upsetting it.  Tried reversing primary and secondary addresses on R3 – no change.  ???  Aagh, another misconf:

interface FastEthernet0/0.20
 ip pim sparse-mode

No! VLAN 20 is not on Fa0/0.20, it’s on Fa0/1.  So R3 could not see the RP, even if it was configured statically. But what a cryptic error message!  It was the RP that was failing the RPF check, not the source.  Not only that, but I did it on R2 as well. Perhaps I would do well to keep a note of the interfaces I am using.  Or use the show ip int brief command more often.  Perhaps I should do an alias exec ship show ip interface brief | exclude unassigned on all routers.  That would be useful, and would help avoid such mistakes.

What it does illustrate is the advantage of distributing RP information dynamically, either with autoRP or with BSR.  You can see whether or not you are talking to the RP.  So, reconfigured everything to use BSR, and watched the RP turning up in each router in turn. Great!  Except R6.  What is the problem there?  Let us take the hint from the mistake we made before: let’s check the RPF back to the RP:

R6#show ip route 172.16.120.1
Routing entry for 172.16.120.0/24
  Known via "eigrp 30", distance 170, metric 40960
  Tag 110, type external
  Redistributing via eigrp 30
  Last update from 172.16.46.4 on FastEthernet0/0.40, 01:21:12 ago
  Routing Descriptor Blocks:
  * 172.16.46.4, from 172.16.46.4, 01:21:12 ago, via FastEthernet0/0.40
      Route metric is 40960, traffic share count is 1
      Total delay is 600 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 110

OK, it is not the way the multicast topology is drawn.  So, let’s try and fix it with a static mroute:

R6#conf t
R6(config)#ip mroute 172.16.120.0 255.255.255.0 172.16.36.3
R6(config)#^Z

Have we got the RP now?

 R6#show ip pim rp mapping
PIM Group-to-RP Mappings Group(s) 227.7.7.7/32
  RP 172.16.120.1 (?), v2
    Info source: 172.16.120.1 (?), via bootstrap, priority 0, holdtime 194
         Uptime: 00:01:13, expires: 00:02:55
Group(s) 227.8.8.8/32
  RP 172.16.120.1 (?), v2
    Info source: 172.16.120.1 (?), via bootstrap, priority 0, holdtime 195
         Uptime: 00:01:13, expires: 00:03:00

How are we doing at R1?

R1#ping 227.7.7.7 Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds: Reply to request 0 from 172.16.13.3, 5 ms
Reply to request 0 from 172.16.234.4, 45 ms
Reply to request 0 from 172.16.25.5, 29 ms
Reply to request 0 from 172.16.36.6, 13 ms
Reply to request 0 from 172.16.23.2, 9 ms
R1#

OK, all but CAT2.  I had added a join-group on CAT2, but I don’t know whether that was required.  One sure way to find out is to look at the SHOWiT.  No, Lo120 doesn’t join the group.  Nevertheless, I wonder why I am not getting a ping off it.  It’s on the OIL for the group on CAT2.  Lets look at the RPF for the source 172.16.31.1:

CAT2#show ip route 172.16.31.1
Routing entry for 172.16.31.0/24
  Known via "ospf 7", distance 110, metric 20
  Tag 120, type extern 2, forward metric 1
  Last update from 172.16.23.2 on Vlan20, 01:41:14 ago
  Routing Descriptor Blocks:
  * 172.16.23.2, from 172.16.122.1, 01:41:14 ago, via Vlan20
      Route metric is 20, traffic share count is 1

OK, it is expecting that source to come from 172.16.23.2, i.e. R2, but it is coming from R3.  How it knows it is coming from R3 instead of R2, I’m not really sure.  But let’s put in a static mroute and see if it works:

CAT2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CAT2(config)#ip mroute 172.16.31.1 255.255.255.255 172.16.23.3
CAT2(config)#^Z
CAT2#

Try pinging from R1 again:

R1#ping
Protocol [ip]:
Target IP address: 227.7.7.7
Repeat count [1]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Interface [All]: FastEthernet0/0
Time to live [255]:
Source address:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds: Reply to request 0 from 172.16.13.3, 8 ms
Reply to request 0 from 172.16.234.4, 48 ms
Reply to request 0 from 172.16.25.5, 28 ms
Reply to request 0 from 172.16.36.6, 12 ms
Reply to request 0 from 172.16.23.2, 12 ms
Reply to request 1 from 172.16.13.3, 4 ms
Reply to request 1 from 172.16.234.4, 64 ms
Reply to request 1 from 172.16.234.4, 48 ms
Reply to request 1 from 172.16.25.5, 32 ms
Reply to request 1 from 172.16.25.5, 24 ms
Reply to request 1 from 172.16.36.6, 12 ms
Reply to request 1 from 172.16.23.2, 8 ms
Reply to request 1 from 172.16.23.20, 8 ms
Reply to request 1 from 172.16.23.2, 4 ms
Reply to request 2 from 172.16.13.3, 4 ms
Reply to request 2 from 172.16.234.4, 40 ms
Reply to request 2 from 172.16.25.5, 24 ms
Reply to request 2 from 172.16.36.6, 8 ms
Reply to request 2 from 172.16.23.2, 8 ms
Reply to request 2 from 172.16.23.20, 8 ms
Reply to request 3 from 172.16.13.3, 4 ms
Reply to request 3 from 172.16.234.4, 45 ms
Reply to request 3 from 172.16.25.5, 24 ms
Reply to request 3 from 172.16.36.6, 12 ms
Reply to request 3 from 172.16.23.2, 8 ms
Reply to request 3 from 172.16.23.20, 8 ms
:
:

Not first time, but OK once the shortest-path tree cuts in.  That was hard work!

Now, I wonder why the SHOWiT has configured bidir on R3 and R4?

At the end of the day, what are the lessons to be learned?

1. Don’t configure the wrong interface!  Check show ip int brief regularly to make sure you configure the right one.  Do a show run int after each interface is configured.
2. Check the PIM neighbor relationships one at a time as you build up the tree.
3. Check the RPF back to the RP from every destination router.  This can be done by pinging the group from the RP interface of the RP router itself.  Any router that does not reply is likely either to have missed the join-group, or to have an RPF issue with the RP.
4. Check for  FR multipoint interfaces.  If it is a sparse-mode secenario, put ip pim nbma-mode on the multipoint interface.  If it is dense-mode, build some tunnels so that there is a different logical interface to each neighbor.
5. Ping from the source as specified in the scenario.  Several times.  One the PIM has settled down (after the second ping), check every router responds, and no router responds more than once.

NMC Lab 7.15 – Catalyst Specialties (VTP)

The Answer Key (page 46) makes the statement:

NOTE: Make sure that client device don’t have VLAN.DAT with vlan information on  its flash, since this will prevent VTP domain from correct synchronisation.

AFAIK, this simply is not true.  So let’s try it.  Let us start with CAT1 as server and CAT2 as client, just like in the book.  We currently have a VLAN.DAT on the flash of CAT2.  BTW, don’t worry about  the fact that the last updater is 192.168.42.1; I keep an address on VLAN 1 at all times so I can synchronise to the NTP clock on my home network.

CAT1#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : NMC
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBD 0xAF 0xE2 0xB8 0x8A 0x8E 0xD4 0x90
Configuration last modified by 192.168.42.110 at 2-12-08 05:51:22
Local updater ID is 192.168.42.110 on interface Vl1 (lowest numbered VLAN interface found)
CAT1#

Here is CAT2’s view: 

CAT2#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Client
VTP Domain Name                 : NMC
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBD 0xAF 0xE2 0xB8 0x8A 0x8E 0xD4 0x90
Configuration last modified by 192.168.42.110 at 2-12-08 05:51:22
CAT2#

CAT2 has a VLAN.DAT in its flash at the moment. 

CAT2#show flash Directory of flash:/  

  :
  414  drwx         128  Mar 01 1993 06:34:20 +01:00  Lab06
  413  -rwx         984  Mar 01 1993 01:13:21 +01:00  vlan.dat
  418  drwx         128  Mar 01 1993 01:39:18 +01:00  Lab04
  415  drwx         128  Mar 01 1993 02:52:21 +01:00  Lab25
  425  drwx         128  Mar 01 1993 10:08:23 +01:00  Lab03
  428  drwx         128  Feb 03 2008 16:16:54 +01:00  Lab05
  431  -rwx        4248  Mar 01 1993 01:16:10 +01:00  config.text
  434  -rwx        1092  Mar 01 1993 01:16:10 +01:00  private-config.text
  437  -rwx        1048  Mar 01 1993 01:16:10 +01:00  multiple-fs 15998976 bytes total (2173952 bytes free)
CAT2#

 Now let us try adding a VLAN at CAT1:

CAT1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CAT1(config)#vlan 42
CAT1(config-vlan)#name Test
CAT1(config-vlan)#exit
CAT1(config)#exit
CAT1#
Feb 17 03:20:58.967: %SYS-5-CONFIG_I: Configured from console by console

Let us check it on CAT1: 

CAT1#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 13
VTP Operating Mode              : Server
VTP Domain Name                 : NMC
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC7 0xD4 0x08 0x2D 0xB6 0xC9 0xB0 0x15
Configuration last modified by 192.168.42.110 at 2-17-08 03:20:57
Local updater ID is 192.168.42.110 on interface Vl1 (lowest numbered VLAN interface found)
CAT1#

Let us check it on CAT2:

CAT2#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 13
VTP Operating Mode              : Client
VTP Domain Name                 : NMC
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC7 0xD4 0x08 0x2D 0xB6 0xC9 0xB0 0x15
Configuration last modified by 192.168.42.110 at 2-17-08 03:20:57
CAT2#

Well, CAT2 seems to have updated OK despite having a VLAN.DAT in the flash.  Let us see what happens if we delete the VLAN.DAT:

CAT2#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]

Check it is gone: 

CAT2#show flash Directory of flash:/  

    2  -rwx     4968676  Mar 01 1993 01:11:43 +01:00  c3550-i5k2l2q3-mz.121-22.EA4.bin
    3  drwx         192  Mar 01 1993 05:03:30 +01:00  Lab01
    4  drwx          64  Mar 01 1993 02:54:02 +01:00  Lab24
  412  drwx         128  Mar 01 1993 01:35:11 +01:00  Lab02
    8  drwx         128  Aug 30 2007 14:00:06 +02:00  c3550-ipbasek9-mz.122-40.SE
    6  -rwx           0  Mar 01 1993 01:14:32 +01:00  env_vars
    7  -rwx          44  Mar 01 1993 01:14:32 +01:00  system_env_vars
  411  -rwx        2637  Mar 01 1993 01:03:15 +01:00  default.cfg
  414  drwx         128  Mar 01 1993 06:34:20 +01:00  Lab06
  418  drwx         128  Mar 01 1993 01:39:18 +01:00  Lab04
  415  drwx         128  Mar 01 1993 02:52:21 +01:00  Lab25
  425  drwx         128  Mar 01 1993 10:08:23 +01:00  Lab03
  428  drwx         128  Feb 03 2008 16:16:54 +01:00  Lab05
  431  -rwx        4248  Mar 01 1993 01:16:10 +01:00  config.text
  434  -rwx        1092  Mar 01 1993 01:16:10 +01:00  private-config.text
  437  -rwx        1048  Mar 01 1993 01:16:10 +01:00  multiple-fs 15998976 bytes total (2174976 bytes free)

Now let us try updating the domain again on CAT1: 

CAT1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CAT1(config)#no vlan 42
CAT1(config)#^Z
CAT1#
Feb 17 03:23:40.846: %SYS-5-CONFIG_I: Configured from console by console

The change has propagated to CAT2: 

CAT2#show vtp status
VTP Version                     : 2
Configuration Revision          : 6
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Client
VTP Domain Name                 : NMC
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7E 0xCC 0x4B 0x16 0x85 0x92 0xD5 0xF7
Configuration last modified by 192.168.42.110 at 2-17-08 03:23:39

But here is an interesting thing: CAT2 has recreated the VLAN.DAT

CAT2#show flash Directory of flash:/
    2  -rwx     4968676  Mar 01 1993 01:11:43 +01:00  c3550-i5k2l2q3-mz.121-22.EA4.bin
    3  drwx         192  Mar 01 1993 05:03:30 +01:00  Lab01
    4  drwx          64  Mar 01 1993 02:54:02 +01:00  Lab24
  412  drwx         128  Mar 01 1993 01:35:11 +01:00  Lab02
    8  drwx         128  Aug 30 2007 14:00:06 +02:00  c3550-ipbasek9-mz.122-40.SE
    6  -rwx           0  Mar 01 1993 01:14:32 +01:00  env_vars
    7  -rwx          44  Mar 01 1993 01:14:32 +01:00  system_env_vars
  411  -rwx        2637  Mar 01 1993 01:03:15 +01:00  default.cfg
  414  drwx         128  Mar 01 1993 06:34:20 +01:00  Lab06
  413  -rwx         984  Feb 17 2008 04:23:39 +01:00  vlan.dat
  418  drwx         128  Mar 01 1993 01:39:18 +01:00  Lab04
  415  drwx         128  Mar 01 1993 02:52:21 +01:00  Lab25
  425  drwx         128  Mar 01 1993 10:08:23 +01:00  Lab03
  428  drwx         128  Feb 03 2008 16:16:54 +01:00  Lab05
  431  -rwx        4248  Mar 01 1993 01:16:10 +01:00  config.text
  434  -rwx        1092  Mar 01 1993 01:16:10 +01:00  private-config.text
  437  -rwx        1048  Mar 01 1993 01:16:10 +01:00  multiple-fs 15998976 bytes total (2173952 bytes free)
CAT2#

Now that is interesting.  We deleted the VLAN.DAT from CAT2.  But as soon as we went back to CAT1 and modified the domain (deleting the extra VLAN we created), the VLAN.DAT was recreated on CAT2.

It is logical that a client should keep a copy of the VLAN.DAT.  Suppose the client got isolated from the rest of the network and then rebooted.  If it didn’t have a copy of the VLAN.DAT, then it would lose all its VLANs.

CAT2#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.42.120 on interface Vl1 (lowest numbered VLAN interface found)
CAT2#

Not only that, but it would not know the VTP password any more.  That means that it would not be able to connect to the VTP server any more.

NMC Lab 7.16 – Address Administration

I cannot get the NAT requirement working at all, even with the same config as in the SHOWiT. R4 or R6 may well be doing the translation of the source from 172.16.110.1 to 172.16.104.10 for the outgoing packet, and in reverse for the echo response, but then where does R4 send the response? It has no route to 172.16.110.1 does it?

CAT1#ping
Protocol [ip]:
Target IP address: 172.16.101.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.110.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CAT1#

If we have debug ip icmp on R1 during this operation, this is what we see:

R1#
*Jan 6 02:30:56.168: ICMP: echo reply sent, src 172.16.101.1, dst 172.16.104.10
*Jan 6 02:30:56.196: ICMP: dst (172.16.101.1) host unreachable rcv from 172.16.234.4
R1#
*Jan 6 02:30:58.163: ICMP: echo reply sent, src 172.16.101.1, dst 172.16.104.10
*Jan 6 02:30:58.195: ICMP: dst (172.16.101.1) host unreachable rcv from 172.16.234.4
R1#
*Jan 6 02:31:00.451: ICMP: echo reply sent, src 172.16.101.1, dst 172.16.104.10
*Jan 6 02:31:00.483: ICMP: dst (172.16.101.1) host unreachable rcv from 172.16.234.4
R1#
*Jan 6 02:31:02.165: ICMP: echo reply sent, src 172.16.101.1, dst 172.16.104.10
*Jan 6 02:31:02.193: ICMP: dst (172.16.101.1) host unreachable rcv from 172.16.234.4
R1#
*Jan 6 02:31:04.165: ICMP: echo reply sent, src 172.16.101.1, dst 172.16.104.10
*Jan 6 02:31:04.193: ICMP: dst (172.16.101.1) host unreachable rcv from 172.16.234.4
R1#

Futhermore, I seem to have a problem with my R6.  As soon as I try to enter an NAT commands on it, it just dies.  Definitively.  No response from the console, and all its adjacencies start timing out.  I suspect an IOS bug.  I wonder what is doing it.  NAT with  HSRP in standby?  NAT on a subinterface?  All three together?  Who knows.

NMC Lab 7.12 – Security

I racked my brains about where to activate this access list.  Logically, I would put it as an incoming access-list on the Internet connection.  It would be definitely a question for the proctor: “Which interface will be connected to the Internet?”  I applied it to Fa0/0, which happens to be the same as the SHOWiT.

What did they mean “”Packets destined for the default network”?  The nearest entry they have in their access-list for that is deny ip any host 0.0.0.0.  Is that what they were referring to.  For me, that was one of the two entries I put in for “broadcast packets”.  So I went one stage further and guessed deny ip any 0.0.0.0 0.255.255.255.  I wonder whether I would have been marked down for that.

They also wanted to block multicast packets.  I blocked just the multicast range deny ip any 224.0.0.0 15.255.255.255.  That is what they do in the AK, but the SHOWiT has deny ip any 224.0.0.0 31.255.255.255.  I hope either would be accepted.

There are so many questions here that I am bound to have fallen foul of one of them, so “Nil points”, which is depressing.

NMC Lab 7.7 – BGP (Part 2)

Well, I put the question about the BGP dampening in NetPro, and I go three answers back.  Isn’t NetPro marvellous!  Anyway, it seems that if you are using a route-map to specify the dampening, then you have to specify the dampening parameters with a “set” in the route-map.  It will not assume the defaults.  So, my  route map should have looked like this:

route-map BGP-damped permit 10
 match ip address prefix-list BGP-damped
 set dampening 15 750 2000 60

The default parameters for bgp dampening are:

• half-life = 15 mins
• re-use = 750 seconds
• suppress = 2000
• max-suppress = 60 mins

That is, if you are applying dampening across the board, you can specify just bgp dampening and it will take those values.  Or you can supply your own values.

If, on the other hand, you want to apply dampening selectively, you must supply a route-map instead, but you must specify the values in the route-map.  There are no defaults.

BTW, you cannot dampen a locally generated aggregate.  Even if it flapping because the prefixes making it up are flapping, it does not appear in the show ip bgp dampening flap-statistics.

NMC Lab 7.7 – BGP

So on to the BGP, and this presented some real challenges.   So much so that it took up most of the afternoon.

7.7.1 – The first challenge was to peer AS100 on R1 and AS300 on R3 through VLAN 10.  This VLAN had two subnets; each router had a primary address and a secondary address with the rôles reversed at each end.  The peering was not allowed to refer to the secondary address.  This was actually a straightforward matter of each router connecting the other router’s primary, while sourcing from its own primary address.  In my usual manner I tried to make it a lot more complicated by using the loopback addresses, which of course were in different routing domains, so the connection went twice around the houses to get there.  ”Keep It Simple Stupid”.

I’m proud to say I eventually did hit on the correct solution without looking it up in the AK.  What still I don’t understand is why the AK suggests you need ebgp-multihop for this peering.  Each router has only one hop to get to the partner’s primary address.  I have asked that on the DISCUSSiT forum, but no reply yet.  But several other people have commented on it in the past.  It rather makes 7.8.1. a null-requirement.

7.7.4. I didn’t understand how VLAN 21 and 22 should “destabilize” the BGP domain.  Even single link flapping gets added and taken away continuously, but that is hardly ”destabilize”, especially with the delays inherent in BGP.  The solution I would have gone for was the dampening – I wouldn’t have thought of the aggregate.  In any case, the aggregate doesn’t protect you from both flapping together, which is what the question seemed to imply.

But I am having some problems configuring the dampening.  I keep getting an error message, and I cannot work out where if have gone wrong:

router bgp 300
 no synchronization
 bgp router-id 172.16.103.1
 bgp log-neighbor-changes
 bgp dampening route-map BGP-damped
 network 172.16.13.0 mask 255.255.255.0
 network 172.16.31.0 mask 255.255.255.0
 neighbor 172.16.31.1 remote-as 100
 neighbor 172.16.31.1 transport connection-mode active
 neighbor 172.16.31.1 update-source FastEthernet0/0.10
 neighbor 172.16.36.6 remote-as 600
 neighbor 172.16.102.1 remote-as 300
 neighbor 172.16.102.1 update-source Loopback103
 neighbor 172.16.105.1 remote-as 300
 neighbor 172.16.105.1 update-source Loopback103
 no auto-summary
:
ip prefix-list BGP-damped seq 5 permit 172.16.21.0/24
ip prefix-list BGP-damped seq 10 permit 172.16.22.0/24
:
route-map BGP-damped permit 10
 match ip address prefix-list BGP-damped      

:      

Jan  5 23:49:54.144: %BGP-3-BADROUTEMAP: Bad parameters in the route-map BGP-damped applied for Dampening

7.7.6. For some reason I wasn’t aware of the command bgp default local-preference.  Some time I’m going to have to read the BGP command reference from cover to cover; there are so many geek-knobs.  there seems to be a slight difference between using this command and setting the local-preference in a route-map on the incoming EBGP routes: the local router does not see the local-preference.  That is, the command applies to the routes outgoing to the IBGP peers.

7.8.2. is about using a peer-session template.  I included the remote-as command in the template as well, and it seems to work OK.  I wonder why the SHOWiT does not do that.

By the way, where does it say in the scenario that CAT1 Lo110 does not have to be reachable from the other routers?

NMC Lab 07 Redistribution

I was reading Ethan’s posting about Lab 07 and his useful work on redistribution, and was gratified to find that there was someone else was taking the same path as me, although I think Ethan’s ideas are a bit further down the path than mine.  I rather like the diagrams in the NMC Answer Key, but I really don’t think I would have time to draw anything so sophisticated in a lab test.

Here is my version of the diagram for lab 7 – compare it with Ethan’s.  The idea I shall steal from Ethan from now on is to mark the AD on each circle, perhaps next to its intersection with a router.

(Not sure I shall get the size right here.)

What strikes me about this scenario is there are no redistribution loops, but there are two redistribution “kisses” on R1 and R3.  That makes life easier because we don’t need to think too much about filtering.  But we might need to think about the AD’s of the various alternate routes at R1 and R3.

I think we are OK at R1.  EIGRP has an AD of 90 for internal routes, lower than RIP, while it has an AD of 170 for external routes, higher than RIP.  So R1 will prefer the EIGRP side for native EIGRP routes, and RIP for everything else.  Unfortunately “everthing else” includes the two loopback interfaces that came from EIGRP 103 and EIGRP 106.  Clearly the optimal routing for those is through EIGRP.  So we might have to give EIGRP a distance command just to treat those two prefixes with AD 90 as if they were internal to EIGRP 30.

The other kiss point is R3, which touches both OSPF and EIGRP 30.  (We can ignore EIGRP 103, because that was just a cheap trick to inject a remote external into EIGRP and OSPF.)  R3 will route all native EIGRP 30 prefixes through EIGRP because of the AD 90.  If we want the EIGRP 106 prefix to be optimally routed, we might want to distance that at 90 too.

I have still a way to go on this thought process, and I shall probably post-edit this posting.

It takes for ever to boot my lab

I was wondering why, whenever I have an odd half-hour to spend in the lab, I don’t seem to get much done.  So I decided to measure the time it takes just to get going.

It took just over 5 minutes for my PC to boot.  That’s ever since I made the mistake of believing Symantec’s recommendation of an “upgrade” from Norton Security to Norton 360.  I don’t know what it is doing, but it sure impacts the performance of the machine.  Apart from not providing any useful logging any more.  Also, for some reason, if I boot the PC and get to the screen with the family logins, I have to wait about a minute before logging in.  If I don’t do that, then my desktop comes up with half the processes missing.

But the routers were the worst.  A 2611XM running 12.4(2)T took just over 7 minutes to reach “Press RETURN to get started!” from cold, and a further 1 minute 30 seconds to converge.