Blog Posts in June 2007
Every now and then I'm getting questions from my readers regarding the suitability of my MPLS books for the CCIP exam, for example:
I'm pursuing my CCIP and have a hard time finding the right MPLS study guide. I know you have the CCIP edition that was written in 2002, but I think the exam topics have changed. Can you recommend what book or books are best for the CCIP MPLS exam?
Are MPLS VPN Architectures Volume 1 & 2 two completely separate books or is Volume 2 a newer release. I was thinking of going for the CCIP and wanted to know if I should get both books or just the more recent one.
Here is the full story: MPLS and VPN Architectures Volume I and II are completely separate books with only slight overlap. Volume I was written when MPLS and MPLS VPNs were an emerging technology, thus the coverage of some solutions (like Carrier's Carrier architecture) was scarce (as they were mostly on the drawing board at that time). We've later released CCIP edition of Volume I, which includes a few bug fixes and two chapters on troubleshooting to match the requirements of the early version of Cisco's MPLS course.
The Volume II covers advanced MPLS topics, including remote access, inter-AS MPLS VPN, Carrier's carrier architecture, IP Multicast in MPLS VPN etc. Reading Volume II without having sound foundations from Volume I does not make sense.
The current MPLS course that's part of the CCIP curriculum has been significantly redesigned from the original one (primarily shifting the focus from baseline MPLS + MPLS VPN to “a bit about everything MPLS has become”), but at the moment Cisco Press has no plans to release another CCIP edition book to cover the changes. The new course (Implementing Cisco MPLS 2.2) has dropped any ATM-specific information (finally) and includes a chapter on MPLS TE. While Cisco's web site claims MPLS TE is included, it's not listed in their Course Outline section. The information on our web is more accurate, as we build the course outline from student materials, not from supplementary documents.
I would definitely recommend CCIP edition of Volume I (you can still get it as an on-line book) as the basis of your learning efforts, with a few topics from Volume II (EIGRP as PE-CE routing protocol, more in-depth troubleshooting information) also being applicable. MPLS TE is not covered in any of my books, but as Peter Dob suggested, you can get enough information from the MPLS Fundamentals book.
“Which one is better: default-information originate or default-information originate always?”
As always, the answer is it depends. If your OSPF edge routers have external default routes (for example, static default routes toward the Internet, see the next diagram), you'd want them to announce the default route only when they have a default themselves (otherwise they would attract the traffic and then blackhole it). In this case, you'd use default-information originate.
If you use something else than OSPF as the core routing protocol of your network (as shown in the next diagram), then you'd want the core routers to announce the default route into OSPF to attract the traffic from the edges regardless of whether they have the default route themselves or not. In this scenario, you'd use default-information originate always.
BGP is almost always the core routing protocol of Service Provider networks. You can also use it to make a large enterprise network scalable.
Last but not least, in OSPF+BGP scenario, you might want a core router to announce a default route only if it has at least some non-OSPF routes (to prevent an isolated core router from attracting and blackholing the traffic). The command to use is default-information originate always route-map name, which would generate a default route into OSPF only if at least one prefix from the IP routing table matches the specified route map.
Similarly, if you configure default-information originate always, the router will inject the type 5 LSA for the default route into the OSPF topology database even if the router itself does not have a default route (or gateway of last resort).
router#show processes memory sortedUsually the top entry is the *Init* process, which allocates all shared buffers, but routing processes could also exhibit significant memory utilization in large networks.
Total: 13734272, Used: 6372068, Free: 7362204
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 135340 1864 4734916 0 0 *Init*
55 0 242388 188 249076 0 0 URL filter proc
69 0 317996 143308 182184 0 0 IPSEC key engine
62 2 277048 124752 165172 0 0 Virtual Exec
68 0 762828 657056 109896 0 0 Crypto IKMP
80 0 74556 1100 73772 0 0 CEF process
91 0 25704 188 28776 0 0 NTP
67 0 3116 51368 27904 0 0 Crypto ACL
83 0 184 0 25060 0 0 traffic_shape
30 0 89900 0 24700 0 0 IP Input
46 0 32248 1776 23596 0 0 DHCPD Receive
35 0 10236 540 16572 0 0 PPPOE discovery
48 0 95344 51488 14724 0 0 HTTP CORE
To use it, download it and store it into the flash memory of your router. Configure alias exec ipconfig tclsh flash:ipInterfaces.tcl and you can use ipconfig or ipconfig active to display interface IP addresses.
“After all of the pieces (network, applications, OS, etc.) are done, do you have enough people with enough knowledge to manage and design things? Now may be a good time for some training!”
Cisco has already included IPv6 in its mainstream BSCI course (so IPv6 is now officially part of CCNP certification). Apart from visiting the BSCI classroom course, you also have a few other options to get your hands on IPv6 training material:
- Get the BSCI 3.0 blended solution that includes student guide and access to on-line lab exercises (real routers, no simulations :).
- If you're a Cisco partner, you can get the BSCI lab exercises from Partner E-learning Connection. To help you get past the site complex navigation, click this link after logging into PEC.
- You can also get the full set of BSCI remote lab exercises from NIL Data Communications.
ro#trace ip 126.96.36.199The MPLS ping and traceroute commands, introduced in IOS release 12.0(27)S and integrated in mainstream IOS release 12.4(6)T (at least five years too late in my humble opinion) address this problem: they both use IP packets that are not capable of being IP-switched and thus report the exact failure spot.
Tracing the route to 188.8.131.52
1 192.168.201.1 [MPLS: Label 22 Exp 0] 204 msec 200 msec 212 msec
2 192.168.201.6 [MPLS: Label 16 Exp 0] 112 msec 112 msec 116 msec
3 192.168.0.6 56 msec * 60 msec
ro#trace ip 184.108.40.206
Tracing the route to 220.127.116.11
1 192.168.201.1 [MPLS: Label 22 Exp 0] 56 msec 60 msec 56 msec
2 192.168.201.6 56 msec 56 msec 56 msec
3 192.168.0.6 56 msec * 56 msec
Sometimes (it depends on the application you're protecting) you can configure application-layer protection in Cisco IOS. For example, you can protect HTTP server with ip http access-class global configuration command or the Telnet server with the access-class in line configuration command (and BGP will not accept incoming TCP SYN packets unless you've configured a BGP neighbor). The access-class configuration causes the incoming request to be rejected within application (in control plane after the TCP stack), resulting in TCP RST packet being sent back. The port scanner thus reports the protected TCP port as closed.
As you might already know, you can use the /etc/hosts file (or its Windows equivalent) to kill unwanted browser ads - just list all the banner-serving sites in you hosts file and set their IP addresses to 127.0.0.1. In my June IP Corner article, Cisco Router: the Swiss Army Knife of Network Services (section Stop the browser ads and banners), I'm describing how you can do the same thing network-wide with a router acting as a DNS server.
access-list 102 deny ip any any logUnfortunately, the port numbers in the logging printout were always zero:
%SEC-6-IPACCESSLOGP: list 102 denied udp 10.0.0.1(0) -> 192.168.1.3(0), 1 packetThe reason for this behavior is very simple: unless a line in the IP ACL matches on the layer-4 port numbers, the router does not inspect them; the log action thus has no port number to show in the syslog printout.
To fix the printout, you have to force the router to inspect the layer-4 port numbers. If you still want to block-and-log all traffic, the minimum access-list achieving this goal is the following:
access-list 102 deny udp any gt 0 any gt 0 log
access-list 102 deny tcp any gt 0 any gt 0 log
access-list 102 deny ip any any
In a previous post I've been writing about the inability to clean the ARP cache due to cached CEF adjacencies. As it turns out, this behavior has another side effect: the router will automatically refresh all ARP entries (and CEF adjacencies) as they expire from the ARP cache. This might become a problem on high-end devices with a lot of directly connected hosts if you set the arp timeout to a low value.
- If a packet is intercepted by a router's access-list, the router sends back an ICMP administratively prohibited packet. This is reported as filtered port by Nmap (and probably as stealth port by some other scanners).
- If you do a TCP SYN scan of a router and the scanned port is not active, the router sends back TCP RST packet. This is reported as closed port.
- If you perform a UDP scan of a router, the router sends back ICMP port unreachable message if the UDP application is not active. This is reported by Nmap as filtered port (even though in most cases it should be equivalent to closed TCP port).
- In some cases, the router simply doesn't reply to UDP scans (for example, if you scan the discard service). This is reported as Open¦Filtered (as the scanner cannot reliably determine whether the probe was dropped due to a filter or simply not replied to).
Note: In any case, UDP scans are way more unreliable than TCP scans due to connectionless nature of UDP.
interface Serial0/0/0... and have erase all interface-specific configuration, the ...
no ip address
interface Serial0/0/0.100 point-to-point
ip address 172.16.1.1 255.255.255.252
ip load-sharing per-packet
ip ospf cost 50
frame-relay interface-dlci 100
... gets you there. As you can see, after the configuration change, the main interface has no IP address and the subinterface is deleted.
rtr(config)#default interface serial 0/0/0
Interface Serial0/0/0 set to default configuration
a1#show ip interfaces brief
Interface IP-Address OK? Method Status Protocol
... non-relevant lines deleted ...
Serial0/0/0 unassigned YES TFTP up up
Serial0/0/0.100 unassigned YES manual deleted down
The answer was quite interesting: he's running NTP on his firewall router and thus needs to accept incoming NTP responses from an external NTP server. While that could be easily achieved with the following configuration (only the relevant bits-and-pieces are shown), he didn't want to make the access-list too generic (allowing NTP from the external server to any IP address).
ip inspect name DEFAULT100 tcpThis problem nicely illustrates a broader issues: the router does not inspect it's own traffic and thus does not prepare conduits for the return packets; you have to specify all the return traffic you're expecting in the incoming access list. This drawback has been fixed in IOS release 12.3(14)T with the introduction of the Inspection of Router-Generated Traffic feature. In our scenario you only need to change the inspect rules:
ip inspect name DEFAULT100 udp
ip access-group 102 in
ip inspect DEFAULT100 out
access-list 102 remark #### Dialer0 incoming ####
access-list 102 remark #### non-relevant lines deleted
access-list 102 permit udp host 18.104.22.168 eq ntp any eq ntp
ip inspect name DEFAULT100 tcp router-traffic... and the router synchronizes to an external NTP server:
ip inspect name DEFAULT100 udp router-traffic
sp#show ip inspect sessionsNote: This article is part of You've asked for it series.
Session 474032B4 (192.168.1.3:123)=>(10.0.0.1:123) udp SIS_OPEN
01:04:34: %NTP-5-PEERSYNC: NTP synced to peer 10.0.0.1
01:04:34: %NTP-6-PEERREACH: Peer 10.0.0.1 is reachable
It makes perfect sense in hindsight, but I was nonetheless pleasantly surprised: when the router acting as a DHCP client (configured with the ip address dhcp interface configuration command) receives the DHCP reply packet containing the default gateway option (option #3), it installs a static default route toward that next-hop. Even better, the default route is installed with the administrative distance 254 (floating static route), making sure that the default route you've configured manually or the default route received via a routing protocol are not overwritten.
If you want to block HTTP requests during the quiet mode, you can use EEM applets to change the HTTP server configuration when the quiet mode is started and completed.
First you need to configure a standard numbered IP access list that will be used to block HTTP requests during the quiet mode (the ip http access-class command accepts only numbered ACLs), for example:
access-list 95 deny any logThen you define two EEM applets: one that triggers when the router enters the quiet mode (matching the SEC_LOGIN-1-QUIET_MODE_ON syslog message) and another that runs when the quiet mode is finished (triggered with the SEC_LOGIN-5-QUIET_MODE_OFF). Both applets modify the router configuration, changing the access-list used in ip http access-class configuration command.
event manager applet EnterQuietMode
event syslog occurs 1 pattern "SEC_LOGIN-1-QUIET_MODE_ON" period 1
action 1.0 cli command "configure terminal"
action 1.1 cli command "ip http access-class 95"
action 2.0 syslog msg "Entered Quiet mode on HTTP server"
event manager applet ExitQuietMode
event syslog occurs 1 pattern "SEC_LOGIN-5-QUIET_MODE_OFF" period 1
action 1.0 cli command "configure terminal"
action 1.1 cli command "ip http access-class 70"
action 2.0 syslog msg "Exiting Quiet mode on HTTP server"