Blog Posts in November 2007
If you're not a Cisco partner, you can buy the same labs from our web site.
The neighbor loss detection has improved dramatically in 12.3T and 12.0S with the introduction of the fast session deactivation, where a BGP session is dropped as soon as the route to the BGP neighbor is lost. You can configure this feature with the ominous-sounding neighbor fall-over configuration command. Obviously, this feature does not work well if you use default routing (or summaries), since the path to the BGP neighbor is never completely lost. In that case, you can use a route-map option of the neighbor fall-over command (introduced in 12.4(4)T) to select which less specific route is still a valid route to the BGP neighbor.
When the traffic is switched from the primary to the backup ISP, I therefore also need to switch the DNS servers. Fortunately, this is quite easy to do on a router; you just need to configure ppp ipcp dns request on the dialer interface and the router starts asking for the DNS server address as part of the IPCP negotiation.
It's amazing how many options (most of them still undocumented) the show interfaces command accepts in IOS release 12.4T (I won't even start guessing when each one was introduced, if you're running old IOS releases, please feel free to comment):
- show interfaces description displays interface names, L1 and L2 status (line and line-protocol status) and interface description. Extremely handy if you want to check which interfaces are up/down.
- show interfaces counters protocol status displays the L3 protocols active on each interface.
- show interfaces summary displays the state of various interface queues and related drop counters in a nice tabular format.
- show interfaces accounting displays per-protocol in/out counters.
Here are a few sample printouts:
When I've been describing the limitations of kron, ??? quickly asked an interesting question: “as I cannot insert extra input keystrokes with EEM applet, can I run a Tcl script from it with the action sequence cli command "tclsh script" command and use the typeahead function call to get around the limitation?” The only answer I could give at that time was “maybe” … and obviously it was time for a more thorough test. The short result is: YES, you can do it (at least in IOS release 12.4(15)T1).
The major problem of MPLS TE is that it's complex and that networking engineers usually lack the hands-on skills, and this is where we can help you: we've just rolled out the revised MPLS TE lab exercises. Compared to remote lab offerings from other sources, these lab exercises are very focused: you get step-by-step instructions (but no recipes, that would spoil the learning process), preconfigured equipment (so you don't have to configure IP addresses or IP routing protocols to get the job done) and detailed solutions explaining which task is achieved using a specific set of configuration commands.
I was able to get a discount for my readers: if you click this link and type in the promotion code 42B078 (expires on January 15th, 2008), you'll get a one week subscription to the MPLS TE remote lab bundle for €56. As this is a subscription offering, you can run the lab exercises as often as you like within a week of the purchasing date. And if you need one more argument to be persuaded, check the lab topology; you can experiment in a preconfigured nine router network :)
Obviously, the easy stopgap measure would be to change the feed format from full to short, which would only pass the first few lines of every blog post into the feed, resulting in a bit more effort on your end, as you'd have to click on the post link in the feed reader to view the whole text. Would this be a major nuisance for anyone?
When two groups within Cisco needed time-based command execution in Cisco IOS, they (in a typical big-corporation fashion) decided to implement the same wheel from two different sets of spokes and rims. One group built the Embedded Event Manager with its event timer cron command (introduced in 12.2(25)S and 12.3(14)T), the other group created the more limited kron command set (introduced in 12.3(1)).
In my home office, I'm using DSL access to the Internet with ISDN backup to another ISP, as shown on the next figure:
Obviously, I would like the ISDN backup to kick in whenever the primary connection goes down; two static default routes and reliable static routing on the primary default seem like a perfect solution.
- Type-7 encryption used in enable password has been broken. Source code for the decrypt program and cracker programs are available online, or you could use a router to do it for you.
- The type-7 encryption is reversible (and easily breakable due to a weak algorithm), whereas type-5 encryption is a one-way encryption that probably requires a dictionary attack to break.
- Based on the previous two facts, you should never use enable password. Use enable secret.
- The service password-encryption encodes passwords attached to local usernames with type-7 encryption. The usage of type-7 encryption is necessary as you might need the cleartext passwords in some authentication mechanisms (for example, CHAP). However, it's still better to have scrambled passwords than cleartext ones; at least a casual observer will not be able to read them. Conclusion: use service password-encryption.
- If your authentication methods don't need cleartext passwords (examples: local username/password authentication, local AAA authentication or PAP authentication), use username secret configuration command (available from IOS releases 12.2T, 12.3 and 12.0S).
interface Serial1/0… and this is the “server”-side configuration:
ip address negotiated
ppp authentication pap optional
ppp pap sent-username client password 0 client
interface Serial1/0To trigger PPP negotiations, shut down and re-enable the serial interface on either side.
ip address 10.0.0.33 255.255.255.252
peer default ip address 10.0.0.34
ppp authentication pap callin
username client password client
Note: As I'm using PAP authentication, I could use the more secure username secret configuration command, which would not work with CHAP.
You need the Net::SMTP::Server module on top of the standard Perl distribution to make it work.
A while ago I was asked to write an article about IPv6 training. I could just cover the training aspect, like what's offered (answer: not much) and whether someone can train the whole operations team like you could in the IPv4 or MPLS/VPN world (answer: no), but I wanted to understand whether anyone is really using IPv6 in a production network. I found a few academic networks (after all, there are about 2000 IPv6 prefixes assigned and someone should be doing something with them), but not much of what I would call a real production environment, which is a bad thing, as it looks like the IPv4 address space will get saturated in a few years.
Update 2010-03-12: Numerous commercial ISPs now offer native IPv6 connectivity, but they also face significant deployment challenges. You will find an overview of those in my Market trends in Service Provider networks workshop (register for the online webinar). Advanced backbone designs and configurations are explained in the Building IPv6 Service Provider core workshop (register for the online webinar).
Update 2011-12-07: You might also want to read the Responsible generation of BGP default route article describing the ISP side of the solution.
Update 2008-08-10: IOS behavior has changed; fixed the article.
Martin Kluge sent me an interesting BGP question: he has two upstream links and runs BGP on both. Since his router is low on RAM, he cannot accept full routing, so he's just announcing his IP prefix and using static default routing toward upstream ISPs.
The relevant configuration on the GW router is somewhat similar to the configuration I've used as a staring point in my lab:
We'll turn on type-7 encryption for local passwords and generate a test username
R1(config)#username test password t35t:pa55w0rd
Next we'll inspect the generated username with the show running command
R1(config)#do show run | include username
username test password 7 08351F1B1D431516475E1B54382F
Now we'll create a key chain and enter the type-7 encrypted password as the key string …
R1(config)#key chain decrypt
R1(config-keychain-key)#key-string 7 08351F1B1D431516475E1B54382F
… and the show command does the decryption for us.
R1(config-keychain-key)#do show key chain decrypt
key 1 -- text "t35t:pa55w0rd"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
- The [0-9.]+% pattern will match any non-zero percentage;
- The 0.00% pattern will obviously match the zero-percentage display;
- As the percentage figures are separated by various amounts of whitespace characters, we have to use the ' +' pattern to match those;
The real solution is based on the appl_setinfo and appl_reqinfo calls. They work, but like many other Tcl-related IOS features they are … well … weird.
Of course I wanted to test this phenomenon immediately. I needed real equipment with low-speed serial links (that would make the difference more pronounced and less dependent on other intra-router delays), so I started one of the BGP lab exercises; Basic BGP Setup looked like a perfect choice. We're using 64 kbps Frame Relay links in the lab with a Frame Relay switch in the middle (makes the task of designing an arbitrary WAN topology quite simple), so it's a perfect environment to test this thing. And, not surprisingly, the results confirmed the theory:
Internal-Core#ping 22.214.171.124 data 0000 size 1200 repeat 50
Sending 50, 1200-byte ICMP Echos to 126.96.36.199, timeout is 2 seconds:
Packet has data pattern 0x0000
Success rate is 100 percent (50/50), round-trip min/avg/max = 608/608/632 ms
Internal-Core#ping 188.8.131.52 data FFFF size 1200 repeat 50
Sending 50, 1200-byte ICMP Echos to 184.108.40.206, timeout is 2 seconds:
Packet has data pattern 0xFFFF
Success rate is 100 percent (50/50), round-trip min/avg/max = 724/724/728 ms
The results are almost too close to the predicted ones, but they are real :)
The link to this white paper has been published in Joe Harris' blog.
- There is almost no impact on single-CPU software platforms; the router has to perform CEF lookup anyway and increases the CEF accounting counters on-the-fly;
- Distributed software platforms are more complex, as the central CPU has to (at the very least) collect the switching statistics.
- The impact on hardware platforms is dependent on the layer 3 lookup implementation
IBM obviously also had problems with bad modems and solved it with the NRZI encoding that was part of SDLC standard (and a major pain in the good old days when the appliques on the old Cisco routers did not support it and we've been trying hard to penetrate IBM accounts). You can still configure NRZI encoding on most routers' serial links (it might depend on the actual hardware platform) with the nrzi-encoding interface configuration command (you had to do it with jumpers in the AGS+). Incidentally, changing interface encoding to NRZI was really helpful when you had to break things in the preparation for the troubleshooting part of the original CCIE lab).
Enough theory, let's summarize the proposed solutions:
- The nrzi-encoding (if available) is the best one, as it reliably solves the problem, is transparent and does not incur additional overhead.
- Compression or encryption are OK, but they result in significant CPU overhead (unless you have hardware encryption/compression modules) and might (at least in theory) still produce a long sequence of zeroes, although with a very low probability. IPSec also introduces overhead due to additional IPSec headers.
- LFI (effectively multilink PPP over a single link) is also a good solution, as the PPP framing and MLPPP headers break the long sequences of zeroes (you might have to fine-tune the fragment size with ppp multilink fragment size configuration command), but it introduces overhead on the WAN link.
- IP fragmentation would work, but would be quite bandwidth-consuming. If the fragmentation would be performed by the router, the overhead would be 20 bytes per fragment (IP header), if the sending host performs the fragmentation, the overhead is 40 bytes per fragment for TCP sessions. For example, if we reduce the IP MTU size to 256 bytes, the TCP session overhead is over 18% (and we were scoffing at the ATM designers that made us live with 10% overhead).
- The invert data command would only help if the modem has problems with long strings of zeroes, not with long strings of the same value.
- The tunnel key command just sets a 4-byte field in the GRE header but does not affect the encapsulated data at all.
… and the last few months:
William Chu sent me a working configuration he uses to measure jitter with the IP SLA tool and react to excessive jitter on the primary link. First you have to create the jitter probe with the IP SLA commands:
ip sla monitor 3000
type jitter →
dest-ipaddr 220.127.116.11 dest-port 12333 →
source-ipaddr 18.104.22.168 codec g729a →
Note: The continuation character (→) indicates that the configuration command spans multiple lines
Next you have to define the IP SLA reaction to excessive jitter. William configured his router to react when the jitter exceeds 300 milliseconds and returns back to normal when the jitter falls below 290 milliseconds (some hysteresis is always a good thing).
ip sla monitor reaction-configuration 3000 →
react MOS threshold-value 300 290 →
threshold-type consecutive →
As the last step in the SLA configuration, you have to start the probe:
ip sla monitor schedule 3000 →
life forever start-time now
After the SLA probe and out-of-bounds reaction have been configured, the router will generate syslog messages whenever the jitter gets above the threshold as well as when it falls below the second threshold. You can then use the EEM applets to act on the syslog messages:
event manager applet MOS-Below
event syslog occurs 1 period 120 →
pattern "Threshold below for MOS"
... actions ...
event manager applet MOS-Above
event syslog occurs 1 period 120 →
pattern "Threshold exceeded for MOS"
... actions ...
If you're new to Tcl and would like to start using it on Cisco IOS, here's what worked for me:
- I've downloaded the ActiveTcl from ActiveState. It's always good to have development environment on your workstation.
- The documentation that comes with ActiveTcl is quite cryptic, but once you know what you're looking for, it's OK.
- To get to the "I know what I'm looking for" stage, I've used Tcl/Tk: A Developer's Guide.
If you know better beginner books/sources, let us all know.
And now two questions for you:
- What could you do on the router to fix this problem?
- Why was the synchronization retained when transmitting a long string of ones?
Did you believe MPLS TE was a quality-of-service feature? Did someone persuade you it's mandatory to run OSPF or IS-IS if you want to deploy MPLS TE? I've collected a few more myths like these two and explained the actual facts behind them in an article published by SearchTelecom.
Warning: Due to total lack of any security features in TFTP protocol, use this functionality only in lab environment.