Blog Posts in August 2008

Small enhancement in zone-based firewalls

In the Deploying Zone-Based Firewalls book I wrote:
In early releases supporting zone-based policy firewall configuration (IOS 12.4(6)T), match protocol command cannot be used to classify traffic to or from the self zone. Only IP access lists can be used for traffic classification purposes.
Misha Volodko reported that the match protocol icmp command works for him when used with the self zone. Another small step toward perfect implementation :) ... and don't forget that you can always use class class-default to catch all the unclassified traffic (and log it before it's dropped, for example).
see 3 comments

… updated on Monday, December 28, 2020 12:35 UTC

Load Balancing with Parallel EBGP Sessions

Establishing parallel EBGP sessions across parallel links between two edge routers (EBGP peers) – as displayed in the diagram below – is the most versatile form of EBGP load balancing. It does not require static routing or extra routing protocol (like the design running EBGP between routers’ loopback interfaces), device-specific tricks like configuring the same IP address on multiple interfaces) or specific layer-2 encapsulation (like Ethernet LAG or Multilink PPP).

It even allows proportional load-balancing across unequal-bandwidth links and combinations of various layer-2 technologies (for example, load-balancing between a serial line and an Ethernet interface). The only drawback of this design is the increased size of the BGP table, as every BGP prefix is received from the EBGP neighbor twice.

read more add comment

SNMP v3 users not shown in running-config

Ralf sent me a SNMPv3 question:
If I create a SNMPv3 user which has a password (snmp-server user userthree groupthree v3 auth md5 user3passwd), this user does not appear in the running- or startup-config. Cisco even documents this if you know what to look for.

I strongly suspect (although I did not test this) that these users are also missing from configuration exported to TFTP servers. What would be the recommended way to make usable config backups of routers with such users?
Like certificates, the SNMPv3 users are stored in private-config and thus never appear in the router configuration. If you want to have a backup of the user data, create a text file on one of your NMS servers, add SNMPv3 usernames and passwords in the text file and use the copy somewhere running-config to configure SNMPv3 users on the routers.
This article is part of You've asked for it series.
see 4 comments

IOS scheduling parameters

Peter Weymann sent me a really intriguing question:

A few days ago I started reading the Ciscopress book End-to-End Network Security: Defense-in-Depth and stumbled over the scheduler command. This one could be used to allocate time that the cpu spends on fast switching packets or process switching packets, if I understand it correctly. They also mention interrupting CPU processes but honestly I don't really understand how it works.

Cisco routers support (at least) three forms of layer-3 switching (formerly known as routing). CEF switching and fast switching are performed entirely within the interrupt context (I/O adapter interrupts a process the CPU is currently executing and all the work is done before the process resumes). Process switching is performed in two steps: packet is briefly analysed within the interrupt context and requeued into the IP Input process where it's eventually switched. Almost all I/O adapters used these days use a concept of RX/TX rings to communicate with the CPU, meaning that the CPU potentially has to handle more than one packet for each interrupt.

read more see 1 comments

RIP route database

Did you know that RIP, the venerable routing protocol that is present in Cisco routers for the last 20 years, uses an internal database, not the IP routing table, to process RIP updates? This database contains no fancy information (like EIGRP topology table) that would allow RIP to converge faster, but there are still minor differences between the RIP database and the IP routing table.

read more see 1 comments

Do you have a good reason to use BGP aggregation?

For the last 10 years, I've been preaching that you should use static BGP prefix advertising (with the network mask router configuration command) to advertise your IP address space into the public Internet, not the BGP aggregation. I might see some use for BGP aggregation in enterprise networks (or MPLS VPN networks) using BGP as the core routing protocol with other routing protocols serving the edge, but I cannot find a good scenario where BGP aggregation in public Internet would be a good solution. Do you use BGP aggregation in your network? Do you have a good scenario that you'd like to share with us? Write a comment.
see 5 comments

Is a label imposed in case of Penultimate Hop Popping?

Shivlu Jain sent me an interesting question:
I'm wondering whether a router performing penultimate hop popping (PHP) imposes an IGP label or not.The value of implicit null is 3; does it mean the router imposes this label (and adds four bytes to the packet)?
The penultimate router does not impose the IGP label (that's why this behavior is called penultimate hop popping). However, the egress router has to signal to its upstream neighbor (the penultimate router) that it should NOT impose a label, so it uses "implicit null" label (= 3) in TDP/LDP updates to signal that the top label should be popped, not rewriten.
This article is part of You've asked for it series.
see 2 comments

Measure the cable lengths on a Catalyst switch

Ken McCoy sent me a short question:
At one point someone posted an article about a command you could run on the Catalyst switch that would give you back the distance of the cable between the switch and end device, but now I can't find it.
I remembered reading the same article and after I've figured out the underlying technology is called TDR (Time Domain Reflectometer), uncle Google immediately provided a reader tip from Csaba Farkas.
This article is part of You've asked for it series.
see 5 comments

CCIE is devalued? Get real.

My favorite provocateur has dreamed up another sensational story ... and even has numbers to back it up. Reverse engineering the increase in reported number of CCIEs and taking in account the estimated number of seats in Cisco's labs worldwide, he concluded that the pass rate for CCIE R/S is currently at 35% whereas in the past the rumors claimed it was only around 10%. The conclusions in the story should not surprise you ... it must be the braindumps and the devaluing of the CCIE program. Of course it's the braindumps: people like Petr Lapukhov, Jeremy Stretch, Arden Packeer, Joe Harris and tens of others (including yours truly) are dumping the contents of their gray cell matter into blogs and wikis, creating astounding amount of information that we've never got from Cisco in the past.

The CCIE preparation programs also cover an enormous amount of scenarios and variations, giving you lots of material to practice (BTW, when I was teaching CCIE preparation bootcamps 15 years ago, the pass rate of my students was over 90% as I simply forced them to configure all the possible stupidities Cisco IOS could do at that time). The tests don't have to get any easier; the participants (if the calculations are correct) are simply better prepared. Whether the increased number of CCIEs results in the perceived devaluing of the program is another question (remember: the supply/demand rules), but I am absolutely sure that people passing CCIE lab exam these days know approximately as much as those passing it two or three years ago.

Of course you could argue whether someone who did tens (or sometimes hundreds) of scenarios in his lab and then passed the CCIE test is an expert or a braindump cheater (let's wait for the first blog post that claims that), but I doubt anyone is able to remember so many recipes and apply the correct one without a profound understanding of the underlying issues.
see 11 comments

Interesting links | 2008-08-10

It looks like some people forgot that July and August are supposed to be summer months when everyone is off to the nearest beach enjoying the sun (or maybe the global warning has caused unusually rainy weather in some parts of the globe). Leading the pack is Petr Lapukhov (a few more weeks like this and I'll start suspecting he's actually an pseudonym for a group of people like Tony Li was rumored to be a decade ago), who described Per-VLAN spanning tree (PVST) protocol, Multiple Spanning Trees Protocol (MSTP) and Dynamic Multipoint VPNs (DMVPN) (this one is so long I'll probably never find the willpower to read it)

DMVPN is also covered by Jeremy Stretch (I'm starting to wonder what's the root cause for the sudden fascination with this solution), who also provided a nice introduction to EUI-64 IPv6 addresses, a very practical view on shaping-versus-policing dilemma and simple step-by-step introduction to 802.1X.

As one would expect, Joe Harris and Arden Packeer are also ignoring the summer temptations. Joe provided an interesting link to the CCDE practical exam demo and Arden is continuing with his "OSPF over Frame Relay" saga (a few more installments and he'll be getting close to Jordan's Wheel of Time).

And last but not least: Tim Riegert sent me a link to a page full of TCP/IP and IMS Sequence Diagrams. The diagrams serve as a demonstration of EventStudio System Designer capabilities, but they are still good.
see 3 comments

… updated on Friday, November 20, 2020 09:24 UTC

BGP Route Reflector Details

BGP route reflectors have been supported in Cisco IOS well before I started to develop the first BGP course for Cisco in mid 1990s. It’s a very simple feature, so I was pleasantly surprised when I started digging into it and discovered a few rarely known details.

The Basics

Route reflector is an IBGP feature that allows you to build scalable IBGP networks. The original BGP protocol (RFC 1771) contained no intra-AS loop prevention mechanism; routers were therefore prohibited from sending routes received from an IBGP peer to another IBGP peer, requiring a full-mesh of IBGP sessions between all BGP routers within an AS.

read more see 9 comments

SSH works without AAA

I was always under impression that you have to configure AAA (even if you have local passwords) if you want to use SSH on a Cisco router. Based on the comment made by shef I tried various options and found out that SSH works without AAA (at least in IOS releases 12.4 and 12.2SRC). In both cases, you can configure AAA authentication (using AAA servers or local passwords) or local username/password authentication (you can also use enhanced password security).
read more see 13 comments

Identifying TACACS+ failure

I've got an interesting question from Colin a while ago:

I would like to generate a different prompt during the login to the router if the TACACS+ server has failed, indicating to the network operators that they have to log-in with the special (local) username, not with the TACACS+ authenticated username/password.

Fortunately he was running TACACS+ which supplies its own prompts during the authentication phase (the solution would not work with RADIUS). If you change the local authentication prompts, you'll get the prompts from TACACS+ server if it's reachable from the router (the AAA authentication is performed via TACACS+ server) and the local prompts if the TACACS+ server has failed (the AAA authentication is performed via any other mechanism). Here's a sample configuration:

read more see 11 comments

OSPF in a VRF Requires a Box-Unique Router ID

It’s obvious why two routers in the same OSPF domain cannot have the same router ID. However, requiring unique router IDs on OSPF processes running in different VRFs is probably too harsh, even though it does prevent confusion if two VRFs ever get connected through a customer site. Anyhow, if you have overlapping IP addresses on loopback interfaces in different VRFs, OSPF process might not start.

read more see 6 comments
Sidebar