Friday, March 27, 2015

OSPF LSA type


    1. Type 1 LSA (router link states).
    • Generated by each router in the area to describe itself, its interfaces and its neighbors.
    • To check: "show ip ospf database router"
    • Note:
      • Type 1 LSAs cannot be filtered.
      • The larger the MaxAge value, the more it is trusted during route selection when load


    2. Type 2 LSA (network link states).
    - Generated on a multiaccess network once a DR has been elected.
    - Flooded only within the area, by the DR.
    - To check: "show ip os da network"
    - Note:
      + Type 2 LSAs can be filtered.
        (ip ospf database-filter all out / neighbor database-filter all: filters type 2, 3, 4, 5, 7)
      + For a route to be installed in the routing table, the show output must contain both the type 1 and the type 2 LSA for that route.
      
    3. Type 3 LSA (summary on the ABR)
    - Generated by the ABR.
    - Summarizes type 1 and type 2 information into other areas.
    - The information includes: the subnet, the mask, and the cost value to reach the ABR.
    - To check: "show ip os da summary"
    - Can be filtered with "area range …. + not advertise"
    Note: If a network represented by a Type 3 LSA goes down, the ABR refloods the LSA with the OSPF infinite cost so that the route is quickly removed from all other routers which contain that LSA in their LSDB. The alternative would be to simply stop sending that LSA; however, the route would not be removed from the other routers until the LSA aged out (MaxAge – default 60 minutes).

    4. Type 4 LSA
    • Generated by the ABR when there is an ASBR in the area, to describe the ASBR and compute the cost to reach it.
    • A router in a different area from the ASBR sees both type 4 and type 5 LSAs in order to compute the cost to the external route,
      because a type 5 LSA alone does not carry enough information to compute the path to those external routes.
    • To check: "show ip ospf da asbr-summary"
    • This type does not belong to any area.

    5. Type 5 LSA
    - Its information is kept unchanged as it passes through areas.
      <in the show database output it is not listed under any area>
    • The "advertising router" does not change (the advertising router is the RID).
    • Forwarding address = 0.0.0.0
      • It can be other than 0.0.0.0 when the external network also runs EIGRP, RIP… (multiaccess link).
      • To make FA = 0.0.0.0:
        • configure the link as point-to-point or point-to-multipoint.
        • summarize routes on the ASBR.
        • prefix-suppression
    • In a stub area there are no type 5 LSAs. The ASBR advertises a default route instead.
    • To check: "show ip os da ex"

    • Filter type 5: summary-address … not-adv (ASBR)
    • Type 5 does not belong to any area.
    Note:
    + When the forwarding address is non-zero, the router looks up the route via the forwarding address; otherwise it uses the advertising router.

    The forwarding address is set to 0.0.0.0 if the ASBR redistributes routes and OSPF is not enabled on the next hop interface for those routes.

    These conditions set the forwarding address field to a non-zero address:
    • OSPF is enabled on the ASBR's next hop interface AND
    • ASBR's next hop interface is non-passive under OSPF AND
    • ASBR's next hop interface is not point-to-point AND
    • ASBR's next hop interface is not point-to-multipoint AND
    • ASBR's next hop interface address falls under the network range specified in the router ospf command.

    Any other conditions besides these set the forwarding address to 0.0.0.0



    7. Type 7 LSA
    - Generated when the area is an NSSA.
    - When it enters the backbone, it is translated to type 5 by the ABR (the one with the highest RID).
    - When type 7 is translated to type 5, the forwarding address does not change (it is the RID of the ASBR). When the translation uses suppress-fa, FA = 0.0.0.0.
    - If E2 routes have the same external metric, OSPF checks the internal cost to the advertising ASBR.
    - When all else is equal between a Type-5 LSA and a Type-7 LSA (metric type, external metric, internal cost), the OSPF router will prefer the Type-5 LSA.
    - Filter type 7: summary-address … not-adv (ASBR)
    - To check: "show ip os da nssa-external"
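
The E2 tie-breaks and the forwarding-address lookup from the type 5 and type 7 notes above, combined into one selection routine. This is an added Python example, not code from the original post; the RIDs, costs and the `SPF_COST` table are constructed, and skipping an LSA whose non-zero forwarding address is unreachable is standard OSPF behaviour (RFC 2328) rather than something stated on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalLsa:
    lsa_type: int            # 5 = AS-external, 7 = NSSA-external
    adv_router: str          # RID of the advertising ASBR
    forwarding_address: str  # "0.0.0.0" means "resolve via the advertising router"
    e2_metric: int           # external (E2) metric carried in the LSA

def resolve_target(lsa):
    """Non-zero FA: look the route up via the FA; otherwise via the advertising router."""
    if lsa.forwarding_address == "0.0.0.0":
        return lsa.adv_router
    return lsa.forwarding_address

def select_e2(candidates, internal_cost):
    """Choose the best E2 LSA for one prefix.

    internal_cost maps an address (RID or FA) to its cost inside OSPF.
    A candidate whose target is missing from that table is unusable.
    """
    usable = [lsa for lsa in candidates if resolve_target(lsa) in internal_cost]
    if not usable:
        return None
    # Order of comparison: external metric, internal cost, then Type-5 before Type-7.
    return min(
        usable,
        key=lambda lsa: (lsa.e2_metric, internal_cost[resolve_target(lsa)], lsa.lsa_type),
    )

# Constructed sample data: internal costs as seen from the calculating router.
SPF_COST = {"4.4.4.4": 30, "5.5.5.5": 10, "10.1.45.9": 5}
CANDIDATES = [
    ExternalLsa(5, "4.4.4.4", "0.0.0.0", 20),
    ExternalLsa(5, "5.5.5.5", "0.0.0.0", 20),
    ExternalLsa(7, "5.5.5.5", "0.0.0.0", 20),
]

if __name__ == "__main__":
    best = select_e2(CANDIDATES, SPF_COST)
    print("best:", best, "resolved via", resolve_target(best))
```
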



Thursday, March 26, 2015

PIM accept-register

  • A security feature configured on the RP in PIM-SM that specifies which sources and groups are allowed to register with the RP.
  • The PIM DR is responsible for sending the Register message to the RP, specifying the source IP and the destination group.
  • If the RP denies the registration, it immediately sends a Register-Stop to the DR and does not build an SPT toward the source.

  • Command:
  ip access-list extended REGISTER
   permit ip <source-ip> <source-wildcard> <group-address> <group-wildcard>
  route-map ACCEPT_REGISTER deny 10
   match ip address REGISTER
  route-map ACCEPT_REGISTER permit 100
  ip pim accept-register route-map ACCEPT_REGISTER

  • If the RP is itself the DR, the filtering cannot be performed.


Given the topology:
+ R1 is the source for group 224.1.1.1
+ R2 is the DR
+ RP address: 3.3.3.3/24
+ R4 receives multicast packets for 224.1.1.1
Configure R3 to filter the multicast source R1 for group 224.1.1.1

R3#
ip pim accept-register route-map ACCEPT_REGISTER
!
ip access-list extended REGISTER_FILTER
 permit ip any host 224.1.1.1
!
route-map ACCEPT_REGISTER deny 10
 match ip address REGISTER_FILTER
!
route-map ACCEPT_REGISTER permit 100
------------------------------------------------------------------------------------------------
R1#ping 224.1.1.1 re 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 224.1.1.1, timeout is 2 seconds:
..........
R1#

R3# debug ip pim
*Mar  1 00:30:08.399: PIM(0): Received v2 Register on FastEthernet0/0 from 10.1.23.2
*Mar  1 00:30:08.403:      for 10.1.12.1, group 224.1.1.1
*Mar  1 00:30:08.407: PIM(0): Check RP 3.3.3.3 into the (*, 224.1.1.1) entry
*Mar  1 00:30:08.411: PIM(0): Send v2 Register-Stop to 10.1.23.2 for 10.1.12.1, group 224.1.1.1
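
How R3 reaches the Register-Stop decision above, modeled as route-map and extended-ACL evaluation. This is an added Python example, not code from the original post or from IOS; `REGISTER_FILTER_R1`, `ROUTE_MAP_R1` and the addresses 10.1.99.9 and 224.2.2.2 are constructed to show that `permit ip any host 224.1.1.1` rejects every source for the group, not only R1.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

def host(addr):
    return (addr, "0.0.0.0")

def acl_permits(acl, source, group):
    """Extended ACL as used by accept-register: source = sender, destination = group."""
    for action, (src, src_wc), (grp, grp_wc) in acl:
        if wildcard_match(source, src, src_wc) and wildcard_match(group, grp, grp_wc):
            return action == "permit"
    return False  # implicit deny: no entry matched

def rp_accepts_register(route_map, acls, source, group):
    """True: the RP accepts the Register. False: the RP answers with Register-Stop."""
    for _seq, action, acl_name in sorted(route_map, key=lambda entry: entry[0]):
        # A route-map entry without a match clause matches everything.
        if acl_name is None or acl_permits(acls[acl_name], source, group):
            return action == "permit"
    return False  # implicit deny at the end of the route-map

ACLS = {
    # From the R3 configuration above.
    "REGISTER_FILTER": [("permit", ANY, host("224.1.1.1"))],
    # Constructed variant that names R1 (10.1.12.1) as the only filtered source.
    "REGISTER_FILTER_R1": [("permit", host("10.1.12.1"), host("224.1.1.1"))],
}
ROUTE_MAP = [(10, "deny", "REGISTER_FILTER"), (100, "permit", None)]
ROUTE_MAP_R1 = [(10, "deny", "REGISTER_FILTER_R1"), (100, "permit", None)]

if __name__ == "__main__":
    registers = [("10.1.12.1", "224.1.1.1"), ("10.1.99.9", "224.1.1.1"),
                 ("10.1.12.1", "224.2.2.2")]
    for source, group in registers:
        for name, rmap in (("page config", ROUTE_MAP), ("R1-only ACL", ROUTE_MAP_R1)):
            verdict = "accept" if rp_accepts_register(rmap, ACLS, source, group) else "Register-Stop"
            print(f"{name:12} ({source}, {group}) -> {verdict}")
```
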

Wednesday, March 25, 2015

How to setup ASDM in GNS3



Create Keymap in Secure CRT


How to create a shortcut key in SecureCRT.
Example: create a shortcut key that clears the console screen.


Step 1: Open the console screen and select
        Tools -> Keymap Editor...


Step 2: In the Keymap Editor, select the shortcut key by choosing its symbol in the Keymap Editor window.
        Example: I chose "Ctrl x" to clear the console screen.

Step 3: Click Map Selected Key...


On Function:       choose Menu Function
On Menu Function:  choose MENU_CLEAR_SCREEN
                   click OK when finished

Step 4: Save and do the same for the other tabs.

        Press Ctrl + x on your keyboard and the screen will be cleared.

Tuesday, March 17, 2015

MPLS TE Attribute flag

Tunnel affinity is an attribute of a tunnel that is used to determine whether the tunnel's path may traverse a given link. Normally the tunnel is configured with two attributes, AFFINITY and MASK, while the link is configured with the attribute FLAGS.


Configuring the AFFINITY attribute on a tunnel
Router(config)#interface tunnel 0
Router(config-if)#tunnel mpls traffic-eng affinity AFFINITY mask MASK

where AFFINITY and MASK are 32-bit binary values in the range 0x0 to 0xFFFFFFFF

Configuring the FLAGS attribute on an interface (link)
Router(config-if)#mpls traffic-eng attribute-flags attribute
where attribute is a 32-bit binary value in the range 0x0 to 0xFFFFFFFF

If
AFFINITY & MASK = FLAGS & MASK, the tunnel can traverse the link
AFFINITY & MASK ≠ FLAGS & MASK, the tunnel cannot traverse the link
If the mask is not configured, the default mask = 0xFFFF

R1:
interface Tunnel1
 ip unnumbered Loopback0
 mpls traffic-eng tunnels
 tunnel destination 2.2.2.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng priority 6 6
 tunnel mpls traffic-eng bandwidth  100
 tunnel mpls traffic-eng affinity 0x2 mask 0x3
 tunnel mpls traffic-eng path-option 1 explicit name WAN1 lockdown
!
ip explicit-path name WAN1 enable
 next-address 10.1.12.2
R1
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls traffic-eng tunnels
 mpls traffic-eng attribute-flags 0x2
 ip rsvp bandwidth 500

AFFINITY & MASK
Affinity  00000010
Mask      00000011
AND       00000010

FLAGS & MASK
Flag      00000010
Mask      00000011
AND       00000010

=> They match, so the tunnel can traverse the link.
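
The affinity test above, applied as link pruning before a shortest-path computation. This is an added Python example, not code from the original post, and it goes beyond the explicit-path tunnel shown here by computing a dynamic path; the R1-R3-R2 links, their costs and the flag value 0x12 are constructed.

```python
import heapq

DEFAULT_MASK = 0xFFFF  # default mask as stated in the text above

def link_allowed(affinity, flags, mask=DEFAULT_MASK):
    """The rule from the text: AFFINITY & MASK must equal FLAGS & MASK."""
    return (affinity & mask) == (flags & mask)

def constrained_path(links, src, dst, affinity, mask=DEFAULT_MASK):
    """Dijkstra over only the links whose attribute flags satisfy the affinity.

    links: list of (node_a, node_b, cost, attribute_flags), treated as bidirectional.
    Returns (total_cost, [nodes]) or None when no permitted path exists.
    """
    adjacency = {}
    for a, b, cost, flags in links:
        if link_allowed(affinity, flags, mask):
            adjacency.setdefault(a, []).append((b, cost))
            adjacency.setdefault(b, []).append((a, cost))
    heap, visited = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in visited:
            continue
        visited.add(node)
        for neighbor, link_cost in adjacency.get(node, []):
            if neighbor not in visited:
                heapq.heappush(heap, (cost + link_cost, neighbor, path + [neighbor]))
    return None

# R1-R2 carries attribute-flags 0x2 as in the configuration above;
# the cheaper detour through R3 is constructed and flagged 0x1.
LINKS = [
    ("R1", "R2", 10, 0x2),
    ("R1", "R3", 1, 0x1),
    ("R3", "R2", 1, 0x1),
]

if __name__ == "__main__":
    print("affinity 0x2 mask 0x3:", constrained_path(LINKS, "R1", "R2", 0x2, 0x3))
    print("affinity 0x0 mask 0x0:", constrained_path(LINKS, "R1", "R2", 0x0, 0x0))
    # Bits outside the mask are ignored: flags 0x12 pass with mask 0x3
    # but fail with the default mask.
    print("0x12 vs 0x2, mask 0x3:", link_allowed(0x2, 0x12, 0x3))
    print("0x12 vs 0x2, default :", link_allowed(0x2, 0x12))
```
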

Monday, March 16, 2015

ISIS Adjacencies filtration


Configure all routers to run the IS-IS protocol

R1#
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip router isis 1
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip router isis 1
!
router isis 1
 net 49.0001.0000.0000.1111.00
R2#
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 ip router isis 1
!
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 ip router isis 1
!
router isis 1
 net 49.0023.0000.0000.2222.00
R3#
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip router isis 1
!
interface FastEthernet0/0
 ip address 10.1.23.3 255.255.255.0
 ip router isis 1
!
router isis 1
 net 49.0023.0000.0000.3333.00

Let's check the neighbors on R2:

R2#show isis ne
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1             L2   Fa0/0       10.1.12.1       UP    27       R2.01             
R3             L1   Fa0/1       10.1.23.3       UP    8        R3.01             
R3             L2   Fa0/1       10.1.23.3       UP    7        R3.01   

We can see that R2 has established adjacencies with R1 and R3.

Now configure R2 to remove the adjacency with R3.

R2#
! deny only this NET address
 clns filter-set AF deny 49.0023.0000.0000.3333.00
! allow any other neighbor
 clns filter-set AF permit default
!
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 ip router isis 1
 isis adjacency-filter AF

Verify:

R2#show isis ne
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1             L2   Fa0/0       10.1.12.1       UP    27       R2.01             

It only establishes an adjacency with R1.

See debug:
R2#debug isis adj-packets
IS-IS Adjacency related packets debugging is on
*Mar  1 00:21:14.751: ISIS-Adj: Rec L2 IIH from c200.0704.0000 (FastEthernet0/0), cir type L1L2, cir id 0000.0000.2222.01, length 1497
*Mar  1 00:21:15.299: ISIS-Adj: Sending L2 LAN IIH on FastEthernet0/0, length 1497
*Mar  1 00:21:15.391: ISIS-Adj: Rec L2 IIH from c203.0bc8.0000 (FastEthernet0/1), cir type L1L2, cir id 0000.0000.3333.01, length 1497
*Mar  1 00:21:15.395: ISIS-Adj: Adjacency disallowed by filter
*Mar  1 00:21:16.775: ISIS-Adj: Rec L1 IIH from c200.0704.0000 (FastEthernet0/0), cir type L1L2, cir id 0000.0000.1111.01, length 1497
*Mar  1 00:21:16.779: ISIS-Adj: Area mismatch, level 1 IIH on FastEthernet0/0
*Mar  1 00:21:16.959: ISIS-Adj: Rec L1 IIH from c203.0bc8.0000 (FastEthernet0/1), cir type L1L2, cir id 0000.0000.3333.01, length 1497

*Mar  1 00:21:16.963: ISIS-Adj: Adjacency disallowed by filter

Saturday, March 14, 2015

ISIS basic config



root@test# show
## Last changed: 2015-03-14 16:34:05 UTC
version 8.5R1.14;
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 10.1.13.3/24;
            }
            family iso;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 3.3.3.3/24;
            }
            family iso {
                address 49.0001.0000.0000.3333.00;
            }
        }
    }
}
protocols {
    isis {
        interface em0.0;
        interface lo0.0;
    }
}
R1#show run
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip router isis 1
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip router isis 1
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.13.1 255.255.255.0
 ip router isis 1
 duplex auto
 speed auto
!
router isis 1
 net 49.0001.0000.0000.1111.00
RP/0/0/CPU0:ios#show run router isis
Sat Mar 14 23:39:11.758 UTC
router isis 1
 net 49.0001.0000.0000.2222.00
 interface Loopback0
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/2
  address-family ipv4 unicast
  !
 !
!


Let's verify:
-----------------------------------------------------------------------------------------
root@test# run show isis adjacency
Interface             System         L State        Hold (secs) SNPA
em0.0                      R1             Up                    8  c2:0:11:64:0:1
em0.0                      R1             Up                    9  c2:0:11:64:0:1

root@test# run show route protocol isis
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[IS-IS/15] 00:04:20, metric 20
                    > to 10.1.13.1 via em0.0
2.2.2.0/24         *[IS-IS/15] 00:04:19, metric 30
                    > to 10.1.13.1 via em0.0
10.1.12.0/24       *[IS-IS/15] 00:04:20, metric 20
                    > to 10.1.13.1 via em0.0

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

[edit]
 root@test# run show isis database
IS-IS level 1 link-state database:
LSP ID                      Sequence Checksum Lifetime Attributes
R1.00-00                         0x6   0x6b3a      615 L1 L2
R1.01-00                         0x2   0x8a42      790 L1 L2
R1.03-00                         0x1   0xc2e6      611 L1 L2
0000.0000.2222.00-00             0x5    0x6f1      802 L1 L2
test.00-00                       0x2    0xab5      611 L1 L2
  5 LSPs

IS-IS level 2 link-state database:
LSP ID                      Sequence Checksum Lifetime Attributes
R1.00-00                         0x9   0x4571      619 L1 L2
R1.01-00                         0x2   0x1a3b      787 L1 L2
R1.03-00                         0x1   0x52df      611 L1 L2
0000.0000.2222.00-00             0x8   0x63da      613 L1 L2
test.00-00                       0x4   0x3daa      618 L1 L2
  5 LSPs

[edit]

-----------------------------------------------------------------------------------------
R1#show isis ne
Area 1:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
0000.0000.2222 L1   Fa0/0       10.1.12.2       UP    28       R1.01
0000.0000.2222 L2   Fa0/0       10.1.12.2       UP    26       R1.01
test                       L1   Fa0/1       10.1.13.3       UP    25       R1.03
test                       L2   Fa0/1       10.1.13.3       UP    21       R1.03
R1#show ip route isis
     2.0.0.0/24 is subnetted, 1 subnets
i L1    2.2.2.0 [115/20] via 10.1.12.2, FastEthernet0/0
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
i L1    3.3.3.3/32 [115/10] via 10.1.13.3, FastEthernet0/1
i L1    3.3.3.0/24 [115/10] via 10.1.13.3, FastEthernet0/1

R1#show isis da

Area 1:
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000006   0x6B3A        585               0/0/0
R1.01-00            * 0x00000002   0x8A42        762               0/0/0
R1.03-00            * 0x00000001   0xC2E6        581               0/0/0
0000.0000.2222.00-00  0x00000005   0x06F1        774               0/0/0
test.00-00            0x00000002   0x0AB5        577               0/0/0
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000009   0x4571        589               0/0/0
R1.01-00            * 0x00000002   0x1A3B        759               0/0/0
R1.03-00            * 0x00000001   0x52DF        581               0/0/0
0000.0000.2222.00-00  0x00000008   0x63DA        583               0/0/0
test.00-00            0x00000004   0x3DAA        584               0/0/0
Area null:
Area [1:

-----------------------------------------------------------------------------------------
RP/0/0/CPU0:ios#show isis adjacency
Sat Mar 14 23:43:14.751 UTC

IS-IS 1 Level-1 adjacencies:
System Id      Interface        SNPA           State Hold Changed  NSF IPv4 IPv6
                                                                       BFD  BFD
R1             Gi0/0/0/2        c200.1164.0000 Up    8    00:18:10 Yes None None

Total adjacency count: 1

IS-IS 1 Level-2 adjacencies:
System Id      Interface        SNPA           State Hold Changed  NSF IPv4 IPv6
                                                                       BFD  BFD
R1             Gi0/0/0/2        c200.1164.0000 Up    8    00:18:10 Yes None None

Total adjacency count: 1

RP/0/0/CPU0:ios#show ip route isis
Sat Mar 14 23:41:19.649 UTC

i L1 1.1.1.0/24 [115/20] via 10.1.12.1, 00:15:58, GigabitEthernet0/0/0/2
i L1 3.3.3.0/24 [115/20] via 10.1.12.1, 00:04:54, GigabitEthernet0/0/0/2
i L1 3.3.3.3/32 [115/20] via 10.1.12.1, 00:04:54, GigabitEthernet0/0/0/2

i L1 10.1.13.0/24 [115/20] via 10.1.12.1, 00:04:59, GigabitEthernet0/0/0/2


RP/0/0/CPU0:ios#show isis da
Sat Mar 14 23:47:05.595 UTC

IS-IS 1 (Level-1) Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00              0x00000006   0x6b3a        558             0/0/0
R1.01-00              0x00000002   0x8a42        734             0/0/0
R1.03-00              0x00000001   0xc2e6        554             0/0/0
0000.0000.2222.00-00* 0x00000005   0x06f1        749             0/0/0
test.00-00            0x00000002   0x0ab5        550             0/0/0

 Total Level-1 LSP count: 5     Local Level-1 LSP count: 1

IS-IS 1 (Level-2) Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00              0x00000009   0x4571        562             0/0/0
R1.01-00              0x00000002   0x1a3b        731             0/0/0
R1.03-00              0x00000001   0x52df        554             0/0/0
0000.0000.2222.00-00* 0x00000008   0x63da        559             0/0/0
test.00-00            0x00000004   0x3daa        557             0/0/0

 Total Level-2 LSP count: 5     Local Level-2 LSP count: 1
RP/0/0/CPU0:ios#

RIP basic config on JunOS, IOS, IOS-XR

topology:

  1. Configure the RIP protocol on JunOS1, R1 and IOS-XR.

root@test# top show
protocols {
    rip {
        group RIP {
            export PERMIT;
            neighbor em0.0;
        }
    }
}
policy-options {
    policy-statement PERMIT {
        then accept;
    }
}

R1#show run | se router
router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary
RP/0/0/CPU0:ios#show run router rip
Sat Mar 14 20:57:47.301 UTC
router rip
 interface Loopback0
 !
 interface GigabitEthernet0/0/0/2
 !
!


root@test# run show route protocol rip

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[RIP/100] 00:07:18, metric 2, tag 0
                    > to 10.1.13.1 via em0.0
2.2.2.0/24         *[RIP/100] 00:06:24, metric 3, tag 0
                    > to 10.1.13.1 via em0.0
10.1.12.0/24       *[RIP/100] 00:07:18, metric 2, tag 0
                    > to 10.1.13.1 via em0.0
224.0.0.9/32       *[RIP/100] 00:03:22, metric 1
                      MultiRecv

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

---------------------------------------------------------------------------------------------------------

RP/0/0/CPU0:ios#show route rip
Sat Mar 14 21:14:00.045 UTC

R    1.1.1.0/24 [120/1] via 10.1.12.1, 00:20:59, GigabitEthernet0/0/0/2
R    3.3.3.0/24 [120/2] via 10.1.12.1, 00:01:26, GigabitEthernet0/0/0/2
R    3.3.3.3/32 [120/2] via 10.1.12.1, 00:01:26, GigabitEthernet0/0/0/2
R    10.1.13.0/24 [120/1] via 10.1.12.1, 00:20:59, GigabitEthernet0/0/0/2
RP/0/0/CPU0:ios#

  2. Configure filtering of network 1.1.1.0/24 from the routing table on JunOS and IOS-XR

root@test# top show
protocols {
    rip {
        group RIP {
            export PERMIT;
            import DENY_NETWORK_LO;
            neighbor em0.0;
        }
    }
}
policy-options {
    prefix-list DENY_L0_R1 {
        1.1.1.0/24;
    }
    policy-statement DENY_NETWORK_LO {
        term TERM1 {
            from {
                prefix-list DENY_L0_R1;
            }
            then reject;
        }
        term TERM2 {
            then accept;
        }
    }
}
RP/0/0/CPU0:ios#show running-config
prefix-set DENY_L0_R1
  1.1.1.0/24
end-set
!
route-policy DENY_NETWORK_LO
  if destination in DENY_L0_R1 then
    drop
  endif
  pass
end-policy
!
router rip
 interface Loopback0
 !
 interface GigabitEthernet0/0/0/2
 !
 route-policy DENY_NETWORK_LO in
!

Let's verify routing table:

root@test# run show route protocol rip

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.0/24         *[RIP/100] 01:13:24, metric 3, tag 0
                    > to 10.1.13.1 via em0.0
10.1.12.0/24       *[RIP/100] 01:14:18, metric 2, tag 0
                    > to 10.1.13.1 via em0.0
224.0.0.9/32       *[RIP/100] 00:11:37, metric 1
                      MultiRecv

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

[edit protocols rip group RIP]


RP/0/0/CPU0:ios#show ip route rip
Sat Mar 14 22:07:21.555 UTC

R    3.3.3.0/24 [120/2] via 10.1.12.1, 00:21:11, GigabitEthernet0/0/0/2
R    3.3.3.3/32 [120/2] via 10.1.12.1, 00:21:11, GigabitEthernet0/0/0/2
R    10.1.13.0/24 [120/1] via 10.1.12.1, 00:21:11, GigabitEthernet0/0/0/2


=> Network 1.1.1.0/24 has been filtered on JunOS and IOS-XR.