Archive

Category Archives for "Networking"

Using IP SLA Delay Feature to Safely Monitor Lossy Links

IP SLA is a great feature if you want to add some automation and intelligence into the network. SLA is no SDN/OpenFlow, but it can be very useful. It can also take down a network. Let’s say you are using DMVPN for a number of spoke locations in your network. You have a primary Internet […]

Author information

Charles Galler

Charles is a network and UC engineer for an integrator. He has worked in the networking industry for about 15 years. He started as a network administrator for a small CLEC (carrier) where he did it all in internal IT and worked on the carrier network. After the CLEC, Charles went to work for a large healthcare organization in the Houston area and stayed with them for about three and a half years. Now he works for a reseller in the professional services part of the organization. He is currently studying for his CCIE in Routing and Switching and plans on passing it sometime. You can find him on the Twitter @twidfeki.

The post Using IP SLA Delay Feature to Safely Monitor Lossy Links appeared first on Packet Pushers Podcast and was written by Charles Galler.

Compiling Firmware for Opengear ACM5000

Opengear gave me two ACM5000 units as a part of my attendance at Network Field Day 4 in October of last year. The gift has not influenced my opinion of the company nor their product: I continue to think they're a bunch of amazingly clever people, and that they make the best out-of-band access equipment on the market. I recommend them without hesitation or reservation.

I've been waiting anxiously for the release of the Custom Development Kit (CDK) based on release 3.6 code, and it's finally out. The README that comes with the CDK is a bit dated, and not super easy to follow, so I'm sharing my notes on rolling custom firmware here.

I started with Ubuntu 12.04.2 Server i386 installed inside VMware Fusion on my MacBook. I pretty much took the defaults, allowing VMware to manage the install for me (how cool is this feature?)

Remote Access

Pretty soon I was looking at an Ubuntu login prompt in the VMware console, I logged in and then did:

sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install openssh-server
ifconfig eth0

Downloads

Now I could log in via SSH, so I was done Continue reading

Weird NX-OS stuff

Some weird NX-OS stuff!

For enabling 'FEX' feature on the Nexus 7K switches, following steps are required:

config t
vdc Production
install feature-set fex
feature-set fex

I wonder why FEX cannot be enabled simply by entering 'feature fex' or 'feature-set fex' on the switch.

When you do a 'show feature', FEX shows up as disabled. On a 'show feature-set', FEX shows up as enabled.

After configuring an interface in fex-fabric mode,

Cisco also has two NX-OS commands that do the same thing, set the switch's hostname: 'switchname' and 'hostname'.

No feedback really required here. Boring post. I could just delete it. Naah I'll keep it. Peace m/.


Nexus 7000 vPC configuration

vPC configuration on a pair of NX7K switches

For a pair of Nexus 7009 switches running NX-OS 6.0(4), configuring vPC (virtual Port Channel) was an easy breezy task. In a few minutes and fewer than 15 commands, the two switches stood up as a vPC pair. There are 3 non-default VDCs, and each VDC has its own vPC domain, vPC peer-link and vPC peer-keepalive link. Cisco recommends that each VDC has its own unique vPC domain ID. The port-channel ID need not be unique across the VDCs. Also, vPC will not work if the port-channel members are interfaces allocated to separate VDCs.

On the CLI, switch to the non default VDC.

Each feature needs to be enabled in each VDC individually. Simply enabling it in the admin (default) VDC does not propagate the feature to the non-default VDCs. For vPC, we need LACP (Link Aggregation Control Protocol, which negotiates the port-channels; Cisco recommends it over static 'mode on' channels) and the vPC feature itself.

feature lacp
feature vpc

The two switches exchange heartbeats over the vPC peer-keepalive link to track each other's state and maintain their vPC roles. Cisco recommends isolating this traffic in its own VRF. If we do not specify a VRF for the keepalive link, by default Continue reading
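As an added example (not from the post), here is what the resulting configuration looks like on one switch of the pair, inside a non-default VDC. The VDC name "Production" is borrowed from the earlier post on this page; the vPC domain ID, the VRF name, the interface numbers and the 10.255.255.0/30 keepalive subnet are assumptions, and the interfaces must already be allocated to this VDC. The peer-keepalive runs over a dedicated routed port in its own VRF, as the post recommends, so that neither a management-network outage nor a loop in the data VLANs can interfere with the heartbeat. The second switch mirrors this with the keepalive source and destination swapped and a different role priority.

```text
! Switch A, in VDC "Production" (assumed name). Switch B is identical except
! for the swapped keepalive addresses and "role priority 200".
feature lacp
feature vpc

! Dedicated VRF: keepalives never share a routing table with user traffic
vrf context VPC-KEEPALIVE

! Routed point-to-point link used only for the peer-keepalive
interface Ethernet1/48
  description vPC peer-keepalive to SwitchB e1/48
  no switchport
  vrf member VPC-KEEPALIVE
  ip address 10.255.255.1/30
  no shutdown

! One vPC domain per VDC; the domain ID must be unique per VDC pair
vpc domain 10
  role priority 100
  peer-keepalive destination 10.255.255.2 source 10.255.255.1 vrf VPC-KEEPALIVE
  auto-recovery

! Peer-link: an LACP trunk port-channel, members on two different line cards
interface port-channel1
  description vPC peer-link to SwitchB
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface Ethernet1/1-2
  description peer-link members
  switchport
  switchport mode trunk
  channel-group 1 mode active
  no shutdown

! A downstream vPC towards a dual-homed access switch; the vPC number
! (20) must match on both peers, the port-channel number need not
interface port-channel20
  description vPC 20 to access switch
  switchport
  switchport mode trunk
  vpc 20

interface Ethernet1/10
  switchport
  switchport mode trunk
  channel-group 20 mode active
  no shutdown
```

Once both sides are configured, 'show vpc', 'show vpc peer-keepalive' and 'show vpc consistency-parameters global' confirm the peer-link, the keepalive state and that the type-1 parameters match on both peers. A type-1 mismatch suspends the vPC VLANs, so that is the check to run before moving traffic onto the pair.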

VPN-IPSEC

It's been a while but I am going to try to post weekly.

Here is a sample configuration for an IPsec VPN between two routers.
Note: 172.16.1.X/32 are loopback interfaces.

R1
Define IKE Phase 1 Policy (ISAKMP)
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2

Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.2

Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac

Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0

Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150

Apply Crypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2

Create a route
(config)#ip route 172.16.1.2 255.255.255.255 fas0

R2
Define IKE Phase 1 Policy (ISAKMP)
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2

Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.1

Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac

Create ACL to match interesting Continue reading
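As an added example that is not part of the original post, here is R1's side of the same tunnel redone with the settings a current deployment would use. The original policy negotiates SHA-1 ('hash sha', 'esp-sha-hmac') and DH group 2 (1024-bit MODP), both considered weak today; 'key 0' stores the pre-shared key in clear text in the running-config; and the crypto map has no PFS, so a compromised IKE SA exposes every IPsec SA derived from it. The peer, interface and loopback addresses are the post's; the master key and pre-shared key are placeholders; 'hash sha256', 'group 14' and 'esp-sha256-hmac' assume an IOS release that supports them (15.x). R2 mirrors this with the addresses swapped.

```text
! Master key for type-6 storage: with these two lines present, the pre-shared
! key below is written to the config encrypted instead of as "key 0" clear text.
key config-key password-encrypt MasterKey-ChangeMe
password encryption aes

! Phase 1 (ISAKMP): AES-256, SHA-256 integrity, DH group 14 (2048-bit MODP),
! 8-hour IKE SA lifetime
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha256
 group 14
 lifetime 28800

! Dead peer detection: probe every 10 s, retry every 3 s, so a silently
! failed peer tears down the SAs instead of blackholing traffic
crypto isakmp keepalive 10 3 periodic

! Pre-shared key bound to the peer's /32 only (placeholder value, use a long
! random secret); "0" means typed in the clear here, stored as type 6
crypto isakmp key 0 Us3-a-L0ng-Random-Secret address 192.168.1.2 255.255.255.255

! Phase 2 (IPsec): ESP AES-256 with SHA-256 HMAC, tunnel mode
crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha256-hmac
 mode tunnel

! Re-key the IPsec SAs hourly
crypto ipsec security-association lifetime seconds 3600

! Interesting traffic: only the two loopbacks, as in the post, but as a
! named ACL so it is easier to audit than "access-list 150"
ip access-list extended VPN-R1-R2
 permit ip host 172.16.1.1 host 172.16.1.2

! Crypto map with PFS: each IPsec SA gets a fresh group 14 DH exchange
crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TRANS-R1-R2
 set pfs group14
 match address VPN-R1-R2

interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 crypto map VPN-MAP-R1-R2

! Route to the far loopback via the peer's address rather than out the
! interface: a static route to an Ethernet interface relies on proxy ARP
ip route 172.16.1.2 255.255.255.255 192.168.1.2
```

After a ping from 172.16.1.1 to 172.16.1.2 brings the tunnel up, 'show crypto isakmp sa' should show the peer in QM_IDLE, 'show crypto ipsec sa' should show the encaps/decaps counters climbing and the SHA-256 transform in use, and 'show running-config | include isakmp key' should show a type 6 string rather than the secret itself.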

IPv6 Next-Hop Best Practices

The concept of a link-local address is new to some, seeing as the term is not widely talked about in IPv4 circles, despite the fact that some folks see them daily. In IPv4, the range 169.254.1.0 through 169.254.254.255 has been reserved for this purpose. You may see this in the "ipconfig" output of a Windows host that failed to pull a DHCP address. In IPv6, fe80::/10 is reserved for this purpose, though link-local addresses are always configured with a fe80::/64 prefix.

Surprised by Spam

I attended my first in person meeting of the ISOC Advisory Council this last week — I’m a newly minted co-chair, and already haven’t been participating as much as I should (just like I don’t blog here as much as I should, a situation I’m undertaking to resolve!). We had a long discussion on the […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White has scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, nibbled and noodled at a lot of networks, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.

The post Surprised by Spam appeared first on Packet Pushers Podcast and was written by Russ White.

IPv6 Host Networking and Insomnia

I’ve been running IPv6 on my home network for a while. The solution in place has evolved over time, from terminating tunnels to a linux VM using gogo6 all the way to front-ending with a Cisco ISR using Hurricane Electric, the goal has always been the same - to practice what I preach. Running IPv6 at home and REFUSING to turn it off when problems arise is one of the best ways to learn the protocol.

Juniper PTX3000 – thin is in…

Juniper just launched the PTX3000, which has some nice features – such as being small enough to be installed by one technician, and pushing 0.5Gbps per cubic inch.  The thing is, we still can’t work out who is going to buy these things…

Anywhoo, here’s the info on the Juniper website, with a nice side-view so you can marvel at its 10 inches:

http://www.juniper.net/us/en/dm/ptx-3000/?utm_source=promo&utm_medium=home_page&utm_content=carousel&utm_campaign=ptx3000


Six Things About F5 BIGIP v11 iApps

F5 Networks’ Local Traffic Manager (LTM) is my load balancer – okay, Application Delivery Controller, if you insist – of choice. The LTM platform is as feature-rich and well-supported as they come, with all sorts of customizability as well as the iRule scripting language (a superset of TCL) that lets you do fancy transaction manipulation. […]

Author information

Ethan Banks

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

The post Six Things About F5 BIGIP v11 iApps appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Packet Design Acquired by Private Equity Firm; Appoints New CEO

Leader in IP Network Route Analytics Receives Cash Infusion to Accelerate Growth

SANTA CLARA, CA — March 19, 2013 — Packet Design, the leading provider of IP network route analytics software announced today that it has been acquired by Lone Rock Technology Group, an Austin-based private equity firm specializing in enterprise software. S3 Ventures, an early stage venture firm with a focus on information technology and also based in Austin, joins Lone Rock as a major investor in the company. With the deal, Packet Design announced it has appointed Scott Sherwood, a network and systems management industry veteran, as its new CEO. 

Since it was founded in 2003, Packet Design has pioneered the complex science of route analytics. Its patented technology provides unique visibility into routing and traffic behavior across the entire cloud. Network managers at hundreds of the largest service providers, mobile operators, cable and broadband providers, enterprises and government agencies spanning five continents rely on the intelligence Packet Design provides to optimize the performance and control of their networks. 

“We believe Packet Design’s technology, world-class talent, and marquee customers position it extremely well in a market growing over 12% CAGR, and we are excited by the Continue reading

My Tools for Studying

Anyway, I thought it would be neat to document the tools I'm using today. It'll be interesting to read this in a couple of years to see how things have changed again and maybe it'll give a fellow cert-chaser some ideas for today.

A Contest of Protocols: EIGRP or OSPF?

Ah, the age old question that nearly every CCNA and CCNP candidate asks of themselves and others at some point. We see a minimum of 4 routing protocols in our networking studies, more if you decide to take on the Service Provider track. What makes one routing protocol better than another? I think it’s clear why (at least mostly) these particular two protocols are different, keeping in mind that one is distance vector (yes, distance vector, not hybrid distance vector) and the other is link state.

Broadview Networks Deploys Packet Design’s VPN Explorer to Manage Converged Services Network

IP Routing and MPLS VPN Visibility Increases Network Operations Efficiency, Reduces Mean-Time-to-Repair

SANTA CLARA, Calif., December 20, 2010 – Broadview Networks, a business communications service provider, has deployed VPN Explorer, an IP/MPLS VPN routing analysis solution from Packet Design, Inc. Broadview will use VPN Explorer to manage their IP network, which provides business customers with VoIP, Internet, VPN and MPLS-enabled data communications.

Broadview Networks installed VPN Explorer earlier this year to monitor its large router network, which runs the Open Shortest Path First (OSPF), Border Gateway Protocol (BGP) and Multi-Protocol BGP (MP-BGP) MPLS VPN routing protocols. VPN Explorer uses a technology known as ‘route analytics’ that lets the company's network engineering staff look at otherwise hidden aspects of routing behavior – undetectable by conventional SNMP-based management tools – and understand its impact on network reliability, redundancy, and customer service delivery.

George Carey, managing director of ISP Operations for Broadview Networks, said the need for more visibility into IP and MPLS VPN routing has increased with the growth of Broadview’s service portfolio and the expansion of the network. “Our IP backbone network has grown to support many diverse services, including more than 50,000 OfficeSuite™ hosted IP phone stations, SIP trunking, Continue reading

Packet Design’s Route Explorer Integrated with Juniper Networks Junosphere Lab

SANTA CLARA, Calif., October 4, 2011 – Packet Design has integrated its Route Explorer route analytics solution with the Juniper Networks® Junosphere™ Lab cloud-based service, giving Juniper customers a way to visualize and analyze complex Layer 3 routed networks created in the Junosphere virtual environment.

Route Explorer provides real-time, network-wide Layer 3 visibility across an enterprise or service provider's IP/MPLS/VPN network, delivering an intuitive graphical view of control plane operation, including IP forwarding paths, RSVP-TE tunnels and Layer 3 VPN services. Integration with Junosphere will allow users to see a real-time topology map of their virtual network, monitor routing changes, perform in-depth analyses, including the ability to rewind network event history, and graphically depict what-if scenarios for failure analysis or to understand the impact of changes before they are deployed. Route Explorer functionality is provided free of charge to Junosphere Lab users.

Judy Beningson, vice president and general manager, Virtual Junos Business Unit at Juniper Networks , said, “We are excited to expand our partnership with Packet Design, and to bring Route Explorer’s powerful network visualization and analysis capabilities to Junosphere Lab users. Route Explorer will give users of our ground-breaking cloud-based service additional flexibility, allowing our customers to Continue reading