Nov
25

Have you ever been on your GradedLabs rack of equipment and wanted to test a particular feature or set of configurations, but you certainly do not want to keep these changes on the rack? Perhaps this is because you are right in the middle of solving a Volume 2 lab and you certainly cannot have that configuration impacted.

Thanks to the very handy config replace command, you can roll back almost instantly to your previously saved configuration after your experimenting. Here is a demonstration of just how simple this is. Enjoy, and let us give thanks for all there is to learn on blog.ine.com! :-) I also want to thank my good friend Keith Barker for first showing me this one.

Rack29R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Rack29R1(config)#hostname TEST
TEST(config)#interface fastethernet0/0
TEST(config-if)#ip address 1.2.3.4 255.0.0.0
TEST(config-if)#no shut
TEST(config-if)#end
TEST#
Nov 25 09:09:58.856: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Nov 25 09:09:59.173: %SYS-5-CONFIG_I: Configured from console by console
TEST#configure terminal
Nov 25 09:10:01.404: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
TEST#config replace nvram:startup-config force
Total number of passes: 1
Rollback Done
Rack29R1#
Nov 25 09:10:08.644: Rollback:Acquired Configuration lock.
Nov 25 09:10:17.827: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
Nov 25 09:10:18.829: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
Rack29R1#
Nov 25 09:10:22.727: %PARSER-3-CONFIGNOTLOCKED: Unlock requested by process '3'.
Configuration not locked.
Rack29R1#
Rack29R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Rack29R1(config)#hostname TEST
TEST(config)#interface fastethernet0/0
TEST(config-if)#ip address 1.2.3.4 255.0.0.0
TEST(config-if)#no shut
TEST(config-if)#end
TEST#
TEST#config replace nvram:startup-config force
Total number of passes: 1
Rollback Done
Rack29R1#
Rack29R1#show run interface fa0/0
Building configuration...
Current configuration : 83 bytes
!
interface FastEthernet0/0

no ip address
shutdown
duplex auto
speed auto
end

Rack29R1#

Apr
08

One of our students in the INE RS bootcamp asked today about an OSPF sham-link. I thought it would make a beneficial addition to our blog, and here it is. Thanks for the request, Christian!

Reader's Digest version: MPLS networks aren't free. If a customer is using OSPF to peer between the CE and PE routers, and also has an OSPF CE-to-CE neighborship, the CEs will prefer the Intra-Area CE-to-CE routes (sometimes called the "backdoor" route in this situation) instead of the Inter-Area CE-to-PE learned routes that use the MPLS network as a transit path. OSPF sham-links correct this behavior.

This blog post walks through the problem and the solution, including the configuration steps to create and verify a sham-link.

To begin, MPLS is set up in the network as shown with R2 and R4 acting as Provider Edge (PE) routers, and MPLS is enabled throughout R2-R3-R4.

R1 and R5 are Customer Edge (CE) routers, and the Serial0/1.15 interfaces of R1 and R5 are temporarily shut down (this means the backdoor route isn't in place yet, and at the moment there is no problem).

[Figure: mpls-ospf sham topology diagram]

Currently, R1 and R5 see the routes to each other's local networks through the VPNv4 MPLS network, and the routes show up as Inter-Area OSPF routes with the PE routers as the next hop.

Let's do some testing and verification of what is currently in place. Notice that R1 and R5 can see each other's Fa0/0 and Fa0/1 connected networks. These routes show up as Inter-Area (IA) routes.

R1#show ip route ospf
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.45.0.0 [110/2] via 10.12.0.2, 00:00:58, FastEthernet0/0
O IA 192.168.1.0/24 [110/3] via 10.12.0.2, 00:00:43, FastEthernet0/0

R5#show ip route ospf
172.16.0.0/24 is subnetted, 1 subnets
O IA 172.16.0.0 [110/3] via 10.45.0.4, 00:01:49, FastEthernet0/1
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.12.0.0 [110/2] via 10.45.0.4, 00:01:49, FastEthernet0/1

Next, we will enable the Serial0/1.15 interfaces of R1 and R5. When we enable these interfaces, R1 and R5 will become neighbors and see each other's routes to the Fa0/0 and Fa0/1 networks as Intra-Area routes. Even though the OSPF cost will be worse via the serial interfaces, take a close look at what happens and which routes end up in the routing table.

R1(config)#int ser 0/1.15
R1(config-subif)#no shut

R5(config)#int ser 0/1.15
R5(config-subif)#no shut

We'll wait a few moments to give the network time to converge, then take a look at the OSPF routes on the CE routers R1 and R5, just as we did earlier, and see if the routes are different.

R1#show ip route ospf
10.0.0.0/24 is subnetted, 3 subnets
O 10.45.0.0 [110/65] via 10.15.0.5, 00:02:52, Serial0/1.15
O 192.168.1.0/24 [110/65] via 10.15.0.5, 00:02:52, Serial0/1.15

R5#show ip route ospf
172.16.0.0/24 is subnetted, 1 subnets
O 172.16.0.0 [110/65] via 10.15.0.1, 00:03:19, Serial0/1.15
10.0.0.0/24 is subnetted, 3 subnets
O 10.12.0.0 [110/65] via 10.15.0.1, 00:03:19, Serial0/1.15

Notice that the remote customer networks attached to Fa0/0 and Fa0/1 are now reachable via the Serial0/1.15 interface, and they appear as Intra-Area routes. Even though the metric of 65 is worse than before, and uses the slower serial link, the routers prefer these routes instead of the PE-learned routes, because Intra-Area routes are preferred over Inter-Area routes regardless of cost. Now the Service Provider's MPLS network will only be used as a backup in the event the serial connection fails. (I don't think they will be providing a price break either.) ;)

To train the network to use the MPLS network as the primary transit path, we need to make the remote Ethernet customer networks look like Intra-Area routes via the PE routers, with a better metric than the serial interfaces, so they can be used instead of the slower serial link. We are actually going to pull a fast one, or a “sham”, on OSPF because the MPLS network is really acting as a “superbackbone” for OSPF, and therefore routes between the CEs are indeed Inter-Area by default. To create the illusion of the CEs not being separated by a backbone, we will create an OSPF sham-link. We will create a couple loopback interfaces in the VRFs on both PEs, and make sure those loopbacks are originated and advertised via BGP. We will use those loopbacks as the source/destination of the OSPF sham-link.

Because the sham-link is seen as an Intra-Area link between PE routers (R2 and R4), an OSPF adjacency is created and database exchange takes place across the sham-link. The two PE routers can then flood LSAs between sites from across the MPLS VPN backbone. As a result, the desired Intra-Area routes are created.
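To make the route-selection rule concrete, here is an added example (not part of the original post) that models R1's view of area 1 in the three states described above: no backdoor, backdoor up, and backdoor plus sham-link. It assumes the link costs implied by the outputs on this page (Ethernet links cost 1, the serial backdoor cost 64, the sham-link cost 5) and the summary costs R2 injects for the two remote prefixes; router names stand in for next-hop IPs.

```python
import heapq

# Area-1 intra-area links, (a, b): cost. Assumed from the page's outputs:
# Ethernet links cost 1, serial backdoor 64 (so 10.45.0.0 shows up at 65).
INTRA_LINKS = {
    ("R1", "R2"): 1,
    ("R4", "R5"): 1,
    ("R4", "10.45.0.0/24"): 1,
    ("R5", "10.45.0.0/24"): 1,
    ("R5", "192.168.1.0/24"): 1,
}
BACKDOOR = {("R1", "R5"): 64}        # Serial0/1.15 between the CEs
SHAM_LINK = {("R2", "R4"): 5}        # 'area 1 sham-link ... cost 5'

# Inter-area routes PE R2 injects toward R1 from the MPLS superbackbone:
# prefix -> cost as advertised by R2 (assumed). R1 adds its cost to reach R2.
PE_SUMMARIES = {"10.45.0.0/24": 1, "192.168.1.0/24": 2}

# OSPF prefers the path type first and only then the cost (RFC 2328, 16.4).
TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}


def spf(links, root):
    """Dijkstra over an undirected link-state graph.
    Returns {node: (cost, first_hop_from_root)}."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: (0, None)}
    heap = [(0, root, None)]
    while heap:
        cost, node, nh = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry
        for nbr, w in adj.get(node, []):
            first_hop = nbr if node == root else nh
            if nbr not in best or cost + w < best[nbr][0]:
                best[nbr] = (cost + w, first_hop)
                heapq.heappush(heap, (cost + w, nbr, first_hop))
    return best


def r1_routes(backdoor_up, sham_link_up):
    """R1's chosen route per prefix as (type, cost, next_hop)."""
    links = dict(INTRA_LINKS)
    if backdoor_up:
        links.update(BACKDOOR)
    if sham_link_up:
        links.update(SHAM_LINK)
    tree = spf(links, "R1")
    chosen = {}
    for prefix, adv in PE_SUMMARIES.items():
        # The IA candidate always exists: R1 reaches the summary via R2.
        cands = [("O IA", tree["R2"][0] + adv, "R2")]
        if prefix in tree:                # an intra-area path exists
            cost, nh = tree[prefix]
            cands.append(("O", cost, nh))
        chosen[prefix] = min(cands, key=lambda c: (TYPE_RANK[c[0]], c[1]))
    return chosen


if __name__ == "__main__":
    for bd, sl in ((False, False), (True, False), (True, True)):
        print(f"backdoor={bd} sham={sl}:", r1_routes(bd, sl))
```

The backdoor state reproduces the page's counter-intuitive result: the intra-area path at cost 65 beats the inter-area path at cost 2, and only the sham-link (cost 7 and 8 via R2) restores the MPLS path as primary.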

Enough chat, let's create this sham-link!

R2(config)#int loop 100
R2(config-if)#ip vrf forwarding Vrf1
R2(config-if)#ip address 11.11.11.2 255.255.255.255
R2(config-if)#router bgp 24
R2(config-router)#address-family ipv4 vrf Vrf1
R2(config-router-af)#network 11.11.11.2 mask 255.255.255.255
R2(config-router-af)#exit
R2(config-router)#router ospf 1 vrf Vrf1
R2(config-router)#area 1 sham-link 11.11.11.2 11.11.11.4 cost 5

R4(config)#int loop 100
R4(config-if)#ip vrf forwarding Vrf1
R4(config-if)#ip address 11.11.11.4 255.255.255.255
R4(config-if)#router bgp 24
R4(config-router)#address-family ipv4 vrf Vrf1
R4(config-router-af)#network 11.11.11.4 mask 255.255.255.255
R4(config-router-af)#exit
R4(config-router)#router ospf 1 vrf Vrf1
R4(config-router)#area 1 sham-link 11.11.11.4 11.11.11.2 cost 5
%OSPF-5-ADJCHG: Process 1, Nbr 10.12.0.2 on OSPF_SL0 from LOADING to FULL, Loading Done

Looks like the sham-link came up. Let's take a closer look at the sham-link with a show command made just for that purpose.

R4#show ip ospf sham-links
Sham Link OSPF_SL0 to address 11.11.11.2 is up
Area 1 source address 11.11.11.4
Run as demand circuit
DoNotAge LSA allowed. Cost of using 5 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:06
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec

Looks like it is in place, but is it creating the desired result of having the CE routers R1 and R5 see the remote Ethernet networks as reachable through the PE routers R2 and R4? Let's go to R1 and see!

R1#show ip route ospf
10.0.0.0/24 is subnetted, 3 subnets
O 10.45.0.0 [110/7] via 10.12.0.2, 00:06:02, FastEthernet0/0
11.0.0.0/32 is subnetted, 2 subnets
O E2 11.11.11.2 [110/1] via 10.12.0.2, 00:06:43, FastEthernet0/0
O E2 11.11.11.4 [110/1] via 10.12.0.2, 00:06:13, FastEthernet0/0
O 192.168.1.0/24 [110/8] via 10.12.0.2, 00:06:02, FastEthernet0/0

That looks perfect! How about R5?

R5#show ip route ospf
172.16.0.0/24 is subnetted, 1 subnets
O 172.16.0.0 [110/8] via 10.45.0.4, 00:06:27, FastEthernet0/1
10.0.0.0/24 is subnetted, 3 subnets
O 10.12.0.0 [110/7] via 10.45.0.4, 00:06:27, FastEthernet0/1
11.0.0.0/32 is subnetted, 2 subnets
O E2 11.11.11.2 [110/1] via 10.45.0.4, 00:07:05, FastEthernet0/1
O E2 11.11.11.4 [110/1] via 10.45.0.4, 00:06:45, FastEthernet0/1

And just to be sure, a ping to verify connectivity. We will ping the remote Fa0/1 interface of CE router R1 from CE router R5.

R5#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/130/148 ms

That’s cool, so we know we have connectivity, and based on the routing table output, we believe it is going through the SP MPLS network. Let’s do one more test to prove that as well. A traceroute.

R5#trace 172.16.0.1

Type escape sequence to abort.
Tracing the route to 172.16.0.1

1 10.45.0.4 48 msec 92 msec 12 msec
2 10.34.0.3 [MPLS: Labels 16/24 Exp 0] 136 msec 180 msec 228 msec
3 10.12.0.2 [MPLS: Label 24 Exp 0] 124 msec 80 msec 88 msec
4 10.12.0.1 112 msec * 176 msec

Tags and all! I still love it when a plan comes together. Now our transit traffic is moving through the MPLS network, and the Serial0/1.15 interfaces are available as a backup.

More fun times regarding MPLS, OSPF and MPBGP can be found in our workbooks for RS and SP.

Best wishes, and enjoy the journey!

Jan
16

Hello everyone. We have posted the following updated chapters of our Volume 1 self-paced workbook:

  • IPv6 (including IPv6 Multicast)
  • MPLS
  • IP Routing

We are not done with IP Routing chapter improvements, but the purpose of this update was to redesign the OER section to function with the latest Graded Labs topology.

Enjoy the updates and thanks for choosing INE!

Dec
17

Using an IPS Sensor, we can dynamically apply rate limiting/policing on a router interface, based on a signature match or an event action override generated on the sensor appliance. Ok, I know there is no Sensor Appliance in the RS lab, but what if we need to trigger a rate limit of specific traffic destined to a router, based on current conditions on that router, such as transmit or receive load on an interface?

This is a job for, da dada dahhh: Embedded Event Manager (EEM). In this example we will create a service policy which we will apply to the control plane when an interface threshold is exceeded. Full labs on Embedded Event Manager can be found in our RS v5 Vol1 workbook in "System Management". Let's break down the individual steps, first for the control plane policing policy, and then the EEM applet that applies it.

We will first create a policy map, which calls on a class map, which calls on an ACL. In this class map, we are going to identify ICMP, by referencing an access list. So first we create the access list, and we will name it ICMP.

ip access-list extended ICMP
permit icmp any any

Now that the access list is created, we will create the class map called ICMP which will be referencing the access list of the same name.

class-map match-all ICMP
match access-group name ICMP
exit

Next we will create the policy map, and for convenience we will name it ICMP (as well). This policy map will reference the class map and specify policing at 8000 bits per second with a burst size of 1000 bytes.

policy-map ICMP
class ICMP
police 8000 1000

Ok, so now for the EEM part of the configuration. First, we will create our event manager applet. In this applet we will be referencing Serial0/0, and we will be looking for the received load to be greater than 25. The 25 refers to 25 out of a possible 255 as reported by the interface. Once the ~10% is exceeded, the CLI commands implemented in our applet will be executed. The CLI commands will simply apply the service policy to the logical control plane host interface on the router. By doing this, any ICMP traffic destined TO the router will be policed, regardless of which interface the traffic is received on. The EEM policy will also generate a syslog message. There are additional options which we could include, such as sending SNMP traps, e-mail messages and so forth.

event manager applet LOAD
event interface name Serial0/0 parameter rxload entry-val 25 entry-op gt entry-val-is-increment false poll-interval 60
action 0.0 cli command "enable"
action 1.0 cli command "configure terminal"
action 2.0 cli command "control-plane host"
action 3.0 cli command "service-policy input ICMP"
action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"
exit

At the interface level we will specify a bandwidth statement of 64, which will allow us to trigger the 25/255 much quicker. We will also set the load interval to a lower value than the default of five minutes so that the average will increase faster.

interface ser 0/0
bandwidth 64
load-interval 30
end

The following debug will give us the Howard Cosell play-by-play of exactly what's happening.

R2#debug event manager action cli
Debug EEM action cli debugging is on

To view the details of the interfaces that are registered with an event manager policy, we would use the following show command.

R2#show event manager policy registered event-type interface
No. Class Type Event Type Trap Time Registered Name
1 applet user interface Off Thu Feb 28 18:51:41 2002 LOAD
name {Serial0/0} parameter {rxload} entry_op gt entry_val 25 entry_val_is_increment FALSE poll_interval 60.000
maxrun 20.000
action 0.0 cli command "enable"
action 1.0 cli command "configure terminal"
action 2.0 cli command "control-plane host"
action 3.0 cli command "service-policy input ICMP"
action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"

To verify what the current load is on the interface, we can use the command below.

R2#show int ser 0/0 | inc rxload
reliability 255/255, txload 1/255, rxload 1/255

Once the control plane policy has been applied, the actual details of how many packets have been permitted and denied by that policy will be shown by the command below.

R2#show policy-map control-plane host
R2#

From the commands above, you'll notice that the current load is at one, and there is no policy currently applied to the control plane. Let's go to the neighboring router and generate some traffic to trigger event manager and the applet that we just created.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 1000 timeout 0

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 150.1.2.2, timeout is 0 seconds:
......................................................................
......................................................................
......................................................................
.......................................................!.!............
......................................................................
.............................................!........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................
Success rate is 0 percent (3/1000), round-trip min/avg/max = 4/6/8 ms
Neighbor-R3#

Cool, we got 3 back, even with a timeout of 0 seconds. Now let's go back to R2 and look at some results.

R2#show int ser 0/0 | inc rxload
reliability 255/255, txload 58/255, rxload 58/255
R2#
! Note: It may take a few moments for the policy to be applied, as polling occurs every 60 seconds !
! Patience is a virtue, and I want mine NOW ;-) !

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#enable
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#configure terminal
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config)#control-plane host
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config-cp-host)#service-policy input ICMP
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD: Just Applied Control Plane Policy to Limit ICMP
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_close called.
R2#
%SYS-5-CONFIG_I: Configured from console by vty0
R2#

Back to the neighbor router, R3 to see how the policing of ICMP looks from the outside.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 20         

Type escape sequence to abort.
Sending 20, 500-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
!!.!!.!!.!!.!!.!!.!.
Success rate is 65 percent (13/20), round-trip min/avg/max = 4/12/24 ms
Neighbor-R3#

Back to R2 to view the output of the service policy.

R2#show policy-map control-plane host
Control Plane Host

Service-policy input: ICMP

Class-map: ICMP (match-all)
20 packets, 10080 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: access-group name ICMP
police:
cir 8000 bps, bc 1000 bytes
conformed 13 packets, 6552 bytes; actions:
transmit
exceeded 7 packets, 3528 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
3 packets, 268 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#

Based on these results, the service policy is now applied to the control-plane host sub-interface and is limiting ICMP. This example of EEM is like a single ice cube compared to a Titanic-sized iceberg of possibilities. My intention is to introduce the topic and encourage you to study it further.
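To show where the "!!.!!.!!." cadence in the 20-packet ping comes from, here is an added example (not part of the original post, and not IOS code) that models the single-rate policer configured by police 8000 1000 as a token bucket and replays the ping. It assumes IOS ping sends the next echo as soon as the previous reply arrives or times out, a constant 12 ms reply time (the page's average RTT), and 504-byte packets (10080 bytes / 20 packets in the show policy-map output).

```python
# Single-rate, two-colour policer: a bucket of bc bytes that refills at
# cir/8 bytes per second. A packet conforms only when enough tokens are
# present and then spends them; otherwise it is dropped and spends nothing.
# This is a model for illustration, not the platform's implementation.

CIR_BPS = 8000       # from 'police 8000 1000'
BC_BYTES = 1000
PKT_BYTES = 504      # 10080 bytes / 20 packets in 'show policy-map control-plane host'


class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0          # refill rate in bytes per second
        self.depth = float(bc_bytes)
        self.tokens = float(bc_bytes)      # bucket starts full
        self.last = 0.0

    def offer(self, t_sec, size):
        """Offer one packet of `size` bytes at time t_sec; True = conform."""
        elapsed = t_sec - self.last
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last = t_sec
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def simulate_ping(count=20, size=PKT_BYTES, rtt=0.012, timeout=2.0):
    """Replay 'ping ... repeat 20 timeout 2': the next echo leaves rtt after a
    reply, or after the timeout when the echo was dropped by the policer.
    Returns (IOS-style '!'/'.' string, conformed count, exceeded count)."""
    policer = Policer(CIR_BPS, BC_BYTES)
    t, marks = 0.0, []
    for _ in range(count):
        ok = policer.offer(t, size)
        marks.append("!" if ok else ".")
        t += rtt if ok else timeout      # a drop waits out the 2 s timeout
    pattern = "".join(marks)
    return pattern, pattern.count("!"), pattern.count(".")


if __name__ == "__main__":
    pattern, conformed, exceeded = simulate_ping()
    print(pattern)                        # "!!.!!.!!.!!.!!.!!.!!"
    print(f"conformed {conformed}, exceeded {exceeded}")
```

A full 1000-byte bucket admits two 504-byte echoes, the third finds only a few bytes refilled in 12 ms and is dropped, and the 2-second timeout then refills the bucket; with the page's real RTTs varying between 4 and 24 ms the second echo of a pair can also fall short, which is how the actual run ended at 13/20 instead of the 14/20 this constant-RTT model gives.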

I configured this demonstration using IOS Version 12.4(15)T10.

Enjoy your studies, and have fun exploring the world of EEM.

Jun
29

Hello all! Writing to you from the 2009 Networkers Conference in San Fran. I hope all readers around the world are well today and feeling the buzz about Cisco technologies.

We have many of the CCIE R/S Written Bootcamp students testing this week at the Networkers Conference. As such, we made Practice Exam 1 a priority and completed it last night. It is now posted and available in all Member's Sites.

This 100-question practice exam covers all topics within scope and should definitely pinpoint any of your weak areas. Enjoy!

NOTE: The actual CCIE R/S Written is currently 105 questions, but only 100 of the questions are graded.

Jun
18

I have all three parts of this for everyone now in the on-demand format - enjoy!

Part 1 Core Knowledge Discussion

Part 2 OSPF Review

Part 3 OSPF Review Continued

Jun
05

One of our community members found this great subnetting practice page. Enjoy!

Subnetting Practice Page

May
30

Module 4 IP Routing - Lesson 3 OSPF Adjacencies and Troubleshooting of the CCIE R/S Written Bootcamp has been updated to include an interactive demonstration of the configuration of NBMA mode in a hub and spoke Frame Relay environment. The interactive demonstration occurs just after the discussion of the various OSPF Network Types. Remember, you can use the Class On Demand controls at the bottom of the interface to fast forward to this new content if you prefer.

As always, enjoy your studies!

May
24

Some things never change. CCENT and CCNA candidates still have the roughest time in the curriculum with the topic of subnetting.

Hey! No problem! We have all been there. Just remain patient, remain calm, and keep working through examples and practice problems.

Do you want a quick quiz to see if your skills are up to speed? Check out this blog post:

Subnetting Practice Quiz 1

Let's walk through a common subnetting question type in this blog entry. Here is the question, followed by how I would solve it in the written exam on my scratch paper.


"You run the ipconfig command and discover your IP address and subnet mask are: 172.16.129.180/255.255.255.128. What is your network address?"

I immediately think about the analogy in the CCENT course about street address and house number here. They are asking for the street address (network portion) of this address. The host ID is my house number.

Well, the contiguous bits in the mask identify the network portion of the IP address. I can see from the 255.255.255 portion of the mask that my street address definitely begins as follows:

172.16.129.?

The real question here is what value is in the fourth octet?

To solve this, I create my "cheat sheet" conversion table on the scratch paper:

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128   64   32   16    8    4    2    1

Converting 180 and 128 to binary produces the following:

IP Address - Fourth Octet:  10110100
Subnet Mask - Fourth Octet: 10000000

When you AND (multiply) each IP address bit position against the subnet mask, you end up with the network identifier. Here the result is simply 10000000.

Our street address is:

172.16.129.128
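The same scratch-paper procedure in code, as an added example (not part of the original post): it checks that the mask is a contiguous run of 1 bits, ANDs the address with the mask octet by octet, and returns both the network address and the binary working for each octet. Function names are my own.

```python
def dotted_to_octets(addr):
    """Parse a dotted-quad string into four integers, rejecting bad input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr}")
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {addr}")
    return octets


def is_contiguous_mask(mask_octets):
    """A valid subnet mask is all 1 bits followed by all 0 bits, so the
    32-bit string must never contain a 0 followed by a 1."""
    bits = "".join(f"{o:08b}" for o in mask_octets)
    return "01" not in bits


def prefix_length(mask):
    """Number of 1 bits in the mask, e.g. 255.255.255.128 -> 25."""
    return "".join(f"{o:08b}" for o in dotted_to_octets(mask)).count("1")


def network_address(ip, mask):
    """Return (network address, per-octet binary working).

    Each line of the working shows the AND the way it is done on paper:
    '10110100 AND 10000000 = 10000000 (128)'.
    """
    ip_o, mask_o = dotted_to_octets(ip), dotted_to_octets(mask)
    if not is_contiguous_mask(mask_o):
        raise ValueError(f"non-contiguous mask: {mask}")
    net, working = [], []
    for i, m in zip(ip_o, mask_o):
        n = i & m                       # the AND (multiply) step per bit
        net.append(n)
        working.append(f"{i:08b} AND {m:08b} = {n:08b} ({n})")
    return ".".join(str(n) for n in net), working


if __name__ == "__main__":
    # The worked question from this post.
    net, work = network_address("172.16.129.180", "255.255.255.128")
    print("\n".join(work))
    print("network address:", net)      # 172.16.129.128
```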

Let's have you try one!


"You run the ipconfig command and discover your IP address and subnet mask are: 10.12.100.20/255.255.224.0. What is your network address?"

Have fun working through it. Post your solution, and your solution approach, in the comments below.

May
16

The latest track to receive a Core Knowledge Section is Security.

The new section arrives Jun 15, 2009. INE hopes to have the new CCIE Security Core Knowledge Simulation released on May 20, 2009.

Here is the official Cisco link (which does not say much):

Official Cisco Announcement

Here are some facts about this new section:

  • You must complete this portion of the exam before you start the traditional configuration portion.
  • You have a total of 30 minutes to complete this section, you may finish early if you like and immediately begin your configuration section.
  • You will receive 4 questions via the computer and you must provide short answers using the computer interface. The questions are not oral in nature. Typical responses require 4 to 5 words at most.
  • Spelling and/or grammar does not count against you.
  • The questions are manually graded by a proctor. If you purchase an exam re-read, they will re-grade your question responses.
  • You may not return to the short answer questions once you have begun the configuration portion of the lab exam.
  • You will not receive a score when you complete this section, but you must pass this portion to pass the CCIE. You will receive your score in the open-ended section if you fail the exam. The score is reported as 0% or 100% (pass or fail). You may only miss one question in the section in order to pass.
  • Most students finish the 4 to 5 questions in approximately 12 minutes.
  • The configuration portion of the exam has been reduced to accommodate this initial 30 minutes.
  • You still have a total of 8 hours that makeup the open-ended questions and the configuration portion.
  • You may not access the DOC-CD to answer these questions.
