Build the Next-Generation Data Center
6 week online course starting in spring 2017

TCAM on Catalyst switches

Catalyst switches have an interesting internal architecture that uses a Ternary Content Addressable Memory (TCAM) to perform a variety of lookups. For example:

  • If a CAM entry matches on destination MAC address, it performs L2 switching (aka bridging)
  • If it matches on destination IP address, it performs L3 switching (aka routing)
  • If it matches on a combination of source/destination IP addresses and ports, it can be used to implement access lists, QoS mechanisms or policy routing

To make things even more interesting, multiple TCAM entries use the same mask (don't care bits) as explained in the Understanding ACL on Catalyst 6500 Series Switches white paper. Most of that information also applies to the Catalyst 3750 platform, more details are available in the Understanding and Configuring Switching Database Manager on Catalyst 3750 Series Switches document (here is the corresponding document for Catalyst 3550). As the TCAM size on Catalyst 3750 might not be large enough, you can split it in various ways with the SDM templates.

Redistributing customer routes into BGP

I'm often promoting the idea of separating customer routing from core routing in the design articles I write. The only viable solution (unless you want to implement MPLS VPN and migrate customer routing into VPNv4) is to carry customer routes in BGP, redistributing them into BGP from other routing sources. On the other hand, I’m telling you that you should advertise only static IP prefixes into the public Internet. Obviously there’s a seeming disconnect between the two advices.

However, the dilemma is easily solved with the no-export BGP community that prevents an IP prefix from being advertised over EBGP sessions. Whenever you redistribute customer routes into BGP, you should attach the no-export community to them, ensuring that only the statically advertised IP prefixes will be propagated outside of your AS boundaries.

Important: for this design to work, you have to configure BGP community propagation with the neighbor send-community router configuration command on all IBGP sessions in your network, preferably with a peer template. Otherwise, the BGP communities will be lost on IBGP updates and the IP prefixes will leak to your EBGP neighbors.

For example, if you use static routing with your customers and want to redistribute the static routes into BGP, use the following configuration (I’ve used tag 123 to tag static routes that should get inserted into BGP).

router bgp 65001
redistribute static route-map StaticToBGP
!
route-map StaticToBGP permit 10
match tag 123
set community no-export additive

When you configure a static route toward the IP subnet 10.1.2.0/24 …

ip route 10.1.2.0 255.255.255.0 Null0 tag 123

… it’s automatically inserted in the BGP table and marked with the no-export community:

R1#show ip bgp 10.1.2.0
BGP routing table entry for 10.1.2.0/24, version 3
Advertised to update-groups:
1
Local
0.0.0.0 from 0.0.0.0 (10.0.1.1)
Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
Community: no-export

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

BGP Essentials: Peer Session Templates

Configuring a large number of similar BGP peers on a router and ensuring that the changes in your routing policy or BGP design are applied to all of them can be a management nightmare. BGP peer groups were the only scalability tool available on Cisco IOS until the IOS release 12.3T and they had significant limitations as they were also used as a performance improvement tool.

IOS releases 12.0S and 12.3T introduced peer templates, a scalable hierarchical way of configuring BGP session parameters and inbound/outbound policies. For example, to configure the session parameters for all your IBGP sessions, use the following session template:

router bgp 65001
 template peer-session IBGP
  remote-as 65001
  description IBGP peers
  password s3cr3t
  update-source Loopback0

After the session template has been configured, adding a new IBGP peer takes just a single configuration command (two if you want to add neighbor description):

router bgp 65001
 neighbor 10.0.1.2 inherit peer-session IBGP
 neighbor 10.0.1.2 description R2

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

Telnet/SSH session cannot be started from EEM applet

The chances that you would be able to start SSH or Telnet session from an EEM applet were pretty slim, but the comment from melwong triggered my curiosity and I simply had to try it. After all, as the action cli command uses a VTY line (like a regular user session), you might be able to use the pattern option of the action cli command to write something similar to an expect script. This was my best shot at getting it done:

event manager applet SSH
event none
action 0.9 cli command "enable"
action 1.0 cli command "ssh -l ssUser R2" pattern "word:"
action 1.1 cli command "ssPassword" pattern "#"
action 2.0 cli command "clear ip route *" pattern "#"
action 3.0 cli command "exit" pattern "#"

My applet got past the SSH authentication (debugging on R2 confirmed that the SSH session was started) but could not send data through the session itself (it hung on the clear ip route command).

This article is part of You've asked for it series.

The short story of the “ip default-network” command

Brian Dennis wrote a long post about the unexpected side effects of the ip default-network command. The Cisco documentation describes the “side effects” but in an even more obscure manner.

What's really happening is this:

  • If the parameter of the ip default-network command is a major network, it specifies the default route (how it gets inserted into the routing protocol you're using is a completely different story).
  • If the parameter is a subnet of a major network, it specifies the default subnet for the network.

In any case, it's an obscure leftover from the classful days that should probably never be used today outside of a CCIE lab.

Hyperlinked RFCs

If you're too young to remember the days of IBM mainframes, punched cards and 132-column printouts, you could get a feeling for what we had to cope with by looking at the original RFC texts. Even the latest RFCs are published in text-only fixed-font format with no extra formatting, making it a nightmare to quote a section of the RFC in a post or an article (not to mention the very real danger of falling asleep just by looking at an RFC).

A variety of third-party web sites have tried to fill the gap by providing RFCs in hyperlinked or PDF format. I've tried a few of them and usually got turned away by inconsistent or broken links.

Finally, IETF recognized that we live in the third millenium and started offering IETF documents (including RFCs) with HTML markup. To get hyperlinked versions of the RFCs, go to IETF tools web site and enter RFC number or use Google to search the IETF repository.

Five reasons you need BGP in a Service Provider network

If you're a regular reader of my blog, I probably don't have to persuade you that BGP is one of the cornerstone technologies of modern Service Provider networks. However, if you ever find yourself in a situation where someone needs a nudge in the right direction, the article “5 essential reasons for BGP in your IP network” I wrote for SearchTelecom might come handy.

The list of all articles I wrote for SearchTelecom is available in the CT3 wiki.

OSPF default route based on IP SLA

Olivier Guillemain has asked an interesting question: “how could I originate a default route into OSPF based on IP SLA (for example, based on pinging a remote IP address)?

This is very easy to do when the router originating the default route into OSPF needs an SLA-based default route itself:

  1. Configure IP SLA and a corresponding track object;
  2. Configure a default route using reliable static routing
  3. Advertise the default route into OSPF with the default-information originate router configuration command

The solution is a bit more complex when the router originating the default route into OSPF should not have a default route. In this case, you could use a routing trick:

  1. Configure IP SLA and a corresponding track object as before;
  2. Use reliable static routing to configure a static host route for a bogus IP address (for example, 10.0.0.1/32) pointing to null0 (for example, ip route 10.0.0.1 255.255.255.255 null 0 track 100). Obviously this host route should not be redistributed into any routing protocol.
  3. Conditionally advertise default route into OSPF based on presence of the static host route.

Note: This article is part of You've asked for it series.

BGP Essentials: Advertising public IP prefixes into the Internet

The routing information you source into the public Internet with BGP should be as accurate and stable as possible. The best way to achieve this goal is to statically configure the IP prefixes you’ve been allocated on your core routers and advertise them into BGP:

  • BGP will only advertise an IP prefix if a matching entry is found in the IP routing table. To ensure the IP prefix you want to advertise is always present, configure an IP static route to null interface, unless you're advertising a connected interface (example: Internet edge router on a DMZ segment).
  • Most public IP prefixes advertised today do not fall on the classful network boundary. To advertise a classless prefix, you have to configure the prefix and the mask in the BGP routing process.

Important: In large networks you should advertise your IP prefixes from your core routers, not from the edges of your network. If an edge router loses its upstream link to the network core but still advertises your IP address space, all the traffic attracted by it will be blackholed. In enterprise networks using BGP for Internet multihoming, it might be safe to advertise directly connected interfaces on Internet edge routers.

You can set additional BGP attributes on the IP prefix you’re advertising with a route-map attached to the network statement. For example, the following configuration could be used on one of your core routers to advertise IP prefix 172.16.128.0/18 and attach a BGP community to it:

ip route 172.16.128.0 255.255.192.0 Null0
!
router bgp 65001
 network 172.16.128.0 mask 255.255.192.0 route-map SetCommunity
!
route-map SetCommunity permit 10
 set community 65001:101 additive

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

BGP Essentials: Configuring Internal BGP Sessions

Internal BGP (IBGP) sessions (BGP sessions within your autonomous system) are identified by the neighbor’s AS number being identical to your AS number. While the external BGP (EBGP) sessions are usually established between directly-connected routers, IBGP sessions are expected to be configured across the network.

The current best practice is to configure IBGP sessions between the loopback interfaces of the BGP neighbors, ensuring that the TCP session between them (and the BGP adjacency using the TCP session) will not be disrupted after a physical link failure as long as there is an alternate path toward the adjacent router.

To configure IBGP session on a Cisco router, specify the neighbor’s loopback address in all neighbor commands and use the neighbor update-source command to specify the source IP address of the TCP session. Without the neighbor update-source configuration command, the TCP session will use the IP address of the outgoing physical interface and the neighbor will reject the incoming TCP SYN packet as it’s not coming from a recognized BGP neighbor.

The following table shows the configuration commands necessary to configure an IBGP session between loopback interfaces of two routers:

R1R2
interface Loopback 0
ip address 10.0.0.1
!
router bgp 65001
neighbor 10.0.0.2 remote-as 65001
neighbor 10.0.0.2 update-source loopback 0
interface Loopback 0
ip address 10.0.0.2
!
router bgp 65001
neighbor 10.0.0.1 remote-as 65001
neighbor 10.0.0.1 update-source loopback 0

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

Search IOS documentation with Google

If you like to use Google as your primary search engine, this trick could help you get better search results when you're looking up IOS configuration commands:

  • Use the site:cisco.com in your query to make sure you're not getting hits from mirror sites or people writing about Cisco IOS (like myself)
  • Use inurl:ios124 query term (or whichever IOS release you're interested in) to get UniverCD results relevant to the desired IOS release

For example, if you want to look up the show control-plane command, use the query "show control-plane" site:cisco.com inurl:ios124 to get four highly relevant hits.

The history of Cisco CLI

Terry Slattery took time (after 15 years) and wrote a short history of Cisco CLI. I've been involved with Cisco's software (it was remarketed as IOS in mid-nineties) for a few years and for me the CLI as we know it today was one of the best features introduced in IOS release 9.21 (I was ecstatic when I've got my hands on the first code during the beta tests). So now that I know who's responsible, I can only say “Thanks, Terry!”

Tabular display of OSPF external routes

I was testing OSPF external routes recently and wanted to have a comprehensive display of OSPF type-5 LSAs (not the too-verbose information IOS generates), so I created a Tcl script that displays type-5 (external) LSAs from the OSPF database in a tabular format. You can download it from my web site (installation instructions are included in the Tcl source).Here is a sample printout from one of my lab routers:

S1#ospfExternal
 
External OSPF routes for OSPF process ID 1
 
  Prefix Cost Tag ASBR Forward addr
==================================================================
> 10.1.0.1/32 10 E1 1 10.0.0.3
  10.1.0.1/32 2000 E1 1 10.0.0.11
> 10.1.0.2/32 5 E2 2 10.0.0.3
  10.1.0.2/32 200 E2 2 10.0.0.11
You can find more Tclsh-related information in the Tclsh on Cisco IOS tutorial. Sample Tclsh scripts are available in the Tclsh script library. If you need expert help in planning, developing or deploying Tclsh scripts in your network, contact the author.

The five hottest topics on SearchTelecom

I've just stumbled across the article The 5 hottest topics on SearchTelecom. Not surprisingly, MPLS is the top one, with Routers and Switches being the second. It's interesting to see that MPLS is still a very hot topic more than seven years after we've written the MPLS and VPN Architectures book … and I'm pretty proud that two of my articles in that category made it to the Editor's picks :).

The list of all articles I wrote for SearchTelecom is available in the CT3 wiki.

SNPA labs available on Partner Education Connection

Our new remote lab exercises covering the Securing Networks with PIX and ASA v5.0 course have been made available free of charge to Cisco partners on
Partner Education Connection. To start them, just click this link, log in and select the desired exercise.

If you're not a Cisco partner, you can buy the same exercises on our web site.

Restart IOS DHCP server after a change in DHCP pools

I've stumbled across an interesting problem recently:

  • I've added a Linux box to my home network;
  • It used my Cisco router to get a dynamic DHCP address;
  • I've inspected the DHCP bindings on the Cisco router to find the new MAC address and configured a host DHCP pool as I'm using the Linux box as a server;
  • Even after multiple configuration changes, the IOS would fail to use the host DHCP pool.

The only solution I've found was to restart the IOS DHCP server with the no service dhcp followed by service dhcp configuration commands. Obviously, you lose all DHCP bindings when you restart the DHCP server (which could be a problem if you use conflict logging) unless you've configured the router to store them in an external file.

Setup DNS server in your lab

If you do a lot of telnetting in your lab, you could set up an internal DNS server to be able to use router names instead of IP addresses.

Select a router that will act as the DNS server and configure it on all other routers in your lab. For example, if your DNS server has IP address 10.0.0.1, use the following configuration commands:

ip domain-lookup
ip name-server 10.0.0.1

On the DNS server, disable DNS lookup and DNS forwarding (it has nowhere else to go) and define all the routers as IP host names:

no ip domain lookup
!
ip dns view default
 no dns forwarding
!
ip dns server
!
ip host Core-1 10.0.0.1
ip host Core-2 10.0.0.2
ip host POP 192.168.2.1
ip host Ext 192.168.1.5
ip name-server 10.0.0.1

If you also define IP addresses for the WAN links, for example:

ip host serial-1-0.X1 10.0.1.6
ip host serial-1-0.Core-1 10.0.1.1
… you'll get correct hop-by-hop information from the traceroute command:
POP#trace Ext
Translating "Ext"...domain server (10.0.0.1) [OK]
Type escape sequence to abort.
Tracing the route to Ext (192.168.1.5)
  1 serial-1-0.Core-1 (10.0.1.1) 36 msec 24 msec 16 msec
  2 serial-1-0.X1 (10.0.1.6) 24 msec 28 msec 4 msec
  3 Ext (192.168.1.5) 20 msec * 24 msec

Generate terminal escape sequences from Tcl

One of my readers (who unfortunately prefered to stay anonymous, so I cannot give credit where it's due) figured out how to output escape sequences from IOS Tclsh: you have execute terminal international command first.

For example, to clear the screen and display red heading text, use the following commands:

exec terminal international;
puts "\033\[2J\033\[H\033\[1;31mHeader text\033\[m"
Obviously, you could easily use this functionality to build a nice full-screen menu system.
Notes
  • To output the ESC character, use the \033 code within the double quotes;
  • To output the left angle bracket, you have to use the \[ sequences, otherwise Tcl interprets the bracket as start of an expression;
  • The ANSI escape sequences (recognized by most terminal emulators) are documented on Wikipedia;
You can find more Tclsh-related information in the Tclsh on Cisco IOS tutorial. Sample Tclsh scripts are available in the Tclsh script library. If you need expert help in planning, developing or deploying Tclsh scripts in your network, contact the author.

Copy the text files into router's flash through a Telnet session

Were you ever in a situation where a file that would have to be on the router was sitting on your laptop, but you couldn't store it into the router's flash across the Telnet session or through the console port?

If the file in question is a text file, and the router supports Tcl shell, danshtr documented an interesting trick: you create the file in Tclsh interpreter, cut-and-paste the text through the telnet session into a Tcl string and write the string to the file. If you want to have a more cryptic solution here it is:

  • Start tclsh;
  • Enter puts [open "flash:filename" w+] {. Do not hit the ENTER key at the end of the line
  • Copy-paste the file contents. The contents should not include unmatched curly right brackets (every curly right bracket has to be preceded by a matching curly left bracket).
  • After the file contents have been pasted, enter } and press ENTER.
  • End the tclsh session with tclquit.

WAN emulation toolkit

In one of his posts, Joe Harris describes a great Linux-based WAN emulation toolkit that you can use to introduce latency, bandwidth constraints or packet loss in your lab environment.

The never-ending story of IP fragmentation

In the last few months I've run across a number of IP fragmentation issues, as you've probably noticed through my blog posts. I've also encountered a lot of misconceptions about IP fragmentation, its impact on GRE and IPSec as well as the fragmentation-related mechanisms, for example MTU Path Discovery. I hope that you'll find my January IP Corner article The Never-Ending Story of IP Fragmentation a good summary of the subject.

Any idea how to generate binary output from Tclsh?

I've tried to port a simple Tcl full-screen editor to IOS and failed completely as IOS tclsh escapes control characters written by the puts command. For example, the following escape sequence should clear the screen, but as the ESCAPE character is displayed as ^[, it doesn't work:

router(tcl)#puts "\033\[2J"
^[[2J
router(tcl)#
Any ideas how to persuade the router to display raw binary data?

DHCP conflict between a Cisco router and Windows DHCP server

In a response to my post Redundant DHCP Server I've speculated that a Cisco router should coexist with a Windows-based DHCP server if you configure them with non-overlapping address ranges. I was wrong, Edgar Cahuana discovered that Microsoft's DHCP server wants to have complete control over the LAN it's serving and shuts down if it detects another DHCP server on the same LAN.

To make the two DHCP servers coexist, you have to disable rogue DHCP server detection in Windows DHCP server, as explained in this article.

The difference between rogue server detection in Windows 2000/2003 and SBS 2003 is explained in this TechNet chat.

Fix a BGP AS number mismatch

Sometimes you end up having wrong BGP AS number throughout your network. It could be a result of an unexpected merger or split or you could have started using a private BGP AS number and realized you have to connect to the Internet using a real AS number. The proper solution would be a total reconfiguration of the whole network, but of course not many engineers have the time and courage to do it ;), so it's time to introduce another kludge: the neighbor local-as configuration command.For example, let's assume your AS number should be 20, but you're using a private AS 65001, as shown in the following figure:To retain the AS 65001 internally but appear as AS 20 to the outside world, you could use the following configuration on R1:

router bgp 65001
 neighbor 10.0.0.18 remote-as 65001
 neighbor 10.0.0.18 description IBGP to R2
 neighbor 10.1.0.2 remote-as 10
 neighbor 10.1.0.2 local-as 20
 neighbor 10.1.0.2 description EBGP to AS 10
This configuration would ensure that the EBGP session with AS 10 is established (R1 pretends that it belongs to AS 20 on this session), but the AS path propagated to AS 30 is somewhat odd …
AS30#show ip bgp | include 20
*> 172.16.0.0 10.1.0.5 0 20 65001 20 10 i
… making your network appear as a set of nested autonomous systems:There are two reasons for the weird AS path:
  • R1 inserts local-as into inbound EBGP updates
  • R2 (configured like R1) inserts local-as as well as its real AS (65001) in outbound EBGRP update
To fix the AS path, you need the BGP Support for Dual AS Configuration introduced in IOS release 12.3T. This feature adds two options to the local-as configuration command:
  • no-prepend disables local-as prepending on incoming EBGP updates;
  • replace-as replaces router's own AS with local-as on outgoing EBGP updates.
When the configuration on R1 and R2 includes these two keywords …:
router bgp 65001
 neighbor 10.1.0.2 remote-as 10
 neighbor 10.1.0.2 local-as 20 no-prepend replace-as
 neighbor 10.1.0.2 description EBGP to AS 10
… the path propagated through AS 65001/AS 20 looks as expected:
AS30#show ip bgp | include 20
*> 172.16.0.0 10.1.0.5 0 20 10 i

Simplify your lab work

If you do a lot of tests in a router lab, you're probably getting upset when you have to retype the login and enable password whenever you log into a router. What I do in my labs is to disable VTY login, set the default privilege level to 15 and disable exec timeout (to stop the router from terminating my session).

line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 no login

Obviously, this would not bring you additional points on the CCIE lab exam :)

Configure the default route based on the presence of a BGP session

You've probably already heard the phrase "When the only tool you have is a hammer, everything looks like a nail" (and seen people acting according to it). Likewise, if you have an IOS release with EEM support, a lot of things that would require smart design could be solved in a brute-force way with a few EEM applets. For example, the problem of the BGP default route could be solved “easily” with a few applets that track syslog messages reporting when the BGP neighbors go up/down.I've set up the following scenario:

  • My router has two BGP neighbors: 10.0.7.2 and 10.0.7.6;
  • Internet access through10.0.7.2 is the primary path;
  • The default route through 10.0.7.6 should be used as a backup only.

The solution shown below is probably a bit over-engineered, as it would be sufficient to track solely the availability of the primary BGP peer and insert/remove the primary static default route (leaving the floating one intact) … or you could use yet another floating default route as the backup-of-last-resort. It's important, though, that you remove the default routes when the router is restarted, as there will be no BGP-related syslog messages if the BGP neighbor is not available after the reload.

event manager applet BGP_A_Up
 event syslog pattern "BGP-5-ADJCHANGE.*10.0.7.2 Up"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip route 0.0.0.0 0.0.0.0 10.0.7.2"
 action 2.0 syslog msg "Primary BGP peer available"
event manager applet BGP_A_Down
 event syslog pattern "BGP-5-ADJCHANGE.*10.0.7.2 Down"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 10.0.7.2"
 action 2.0 syslog msg "Primary BGP peer lost"
event manager applet BGP_B_Up
 event syslog occurs 1 pattern "BGP-5-ADJCHANGE.*10.0.7.6 Up" period 20
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip route 0.0.0.0 0.0.0.0 10.0.7.6 250"
 action 2.0 syslog msg "Alternate BGP peer available"
event manager applet BGP_B_Down
 event syslog pattern "BGP-5-ADJCHANGE.*10.0.7.6 Down"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 10.0.7.6 250"
 action 2.0 syslog msg "Alternate BGP peer lost"
event manager applet BGP_Restart
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 10.0.7.2"
 action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 10.0.7.6 250"
 action 2.0 syslog msg "Default routes removed following the system restart"

Define new IOS commands with the alias functionality

Cisco IOS allows you to define aliases for the commands you commonly use with the alias global configuration command. The alias command accepts the CLI mode (exec, configuration ...) for the new command and the string that replaces the command name. If you specify additional parameters in the new command, they are appended to the alias string.

For example, if want to have the ipconfig command that displays interface IP configuration, you can configure alias exec ipconfig show ip interface. When you execute ipconfig ifname the alias is expanded into show ip interface ifname and displays the IP configuration of a single interface.