Pete's Packet

Limitless


Juniper SRX – Basic NAT64 configuration example

Posted by Peter Kurdziel on May 2, 2012

[SRX] Basic NAT64 configuration example

SUMMARY:
This article provides an example of a basic NAT64 configuration.
PROBLEM OR GOAL:
Basic NAT64 Configuration Example.
IPv6-Host ( 2001:0660:1000:8c00::b ) <----> ( 2001:0660:1000:8c00::a ) | SRX-DUT | ( 192.168.203.1 ) <----> ( 192.168.203.10 ) Server

You have a device with an IPv6 address, but your servers use IPv4. So, in order to reach the IPv4 servers from that device, you need to configure NAT64 under the security nat hierarchy.

Now suppose the IPv6 address that IPv6 hosts use to reach the server is 2001:0660:1000:9002::cafe.

SOLUTION:
In order to configure NAT64, you need a destination pool containing a single IP, which will be the IPv4 address of the server.
root# set security nat destination pool ipPool address 192.168.203.10/32

Now you need a destination NAT rule for the IPv6 address 2001:0660:1000:9002::cafe: any packet from an IPv6 host whose destination address is 2001:0660:1000:9002::cafe has its destination address translated to the IPv4 address from the pool, which is the actual IPv4 address (192.168.203.10/32) of the server.
root# set security nat destination rule-set test-1 from zone untrust
root# set security nat destination rule-set test-1 rule rule-1 match destination-address 2001:0660:1000:9002::cafe/128
root# set security nat destination rule-set test-1 rule rule-1 then destination-nat pool ipPool

Now the destination address is IPv4, but the source address is still IPv6. So you also have to apply source NAT, which translates the IPv6 source address to IPv4 (here, to the address of the egress interface).
root# set security nat source rule-set test-2 from zone untrust
root# set security nat source rule-set test-2 to zone trust
root# set security nat source rule-set test-2 rule rule-2 match source-address 0::/0
root# set security nat source rule-set test-2 rule rule-2 match destination-address 192.168.203.10/32
root# set security nat source rule-set test-2 rule rule-2 then source-nat interface

Now you can check how the sessions are being established:
root> show security flow session
Session ID: 120000016, Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::cafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes: 447
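A check over the session output above, added here as an example (not code from the post or from Juniper): it parses the In and Out wings of `show security flow session` and confirms that the translation matches the NAT64 rules configured earlier, that is, the IPv6 destination 2001:0660:1000:9002::cafe became the pool address 192.168.203.10 and the IPv6 source became the SRX's own IPv4 interface address, which the topology gives as 192.168.203.1. The sample output is a constructed copy of the block above.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the session block shown in the post.
SESSION_OUTPUT = """\
Session ID: 120000016, Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::cafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes: 447
"""

# Values taken from the post's configuration and topology diagram.
NAT64_DST_V6 = ipaddress.ip_address("2001:0660:1000:9002::cafe")  # IPv6 address hosts use for the server
DST_POOL_V4 = ipaddress.ip_address("192.168.203.10")              # pool ipPool
SRX_V4_IF_ADDR = ipaddress.ip_address("192.168.203.1")            # SRX interface toward the server

# Accepts the ASCII "-->" used here and the "–>" that some copies of the output carry.
WING_RE = re.compile(
    r"^(?P<dir>In|Out):\s+(?P<src>[0-9a-fA-F:.]+)/(?P<sport>\d+)\s+[-–]+>\s+"
    r"(?P<dst>[0-9a-fA-F:.]+)/(?P<dport>\d+);(?P<proto>\w+),\s+If:\s+(?P<ifname>\S+)"
)


@dataclass
class Wing:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    ifname: str


def parse_session(text: str) -> dict:
    """Return {"In": Wing, "Out": Wing} parsed from one session's output block."""
    wings = {}
    for line in text.splitlines():
        m = WING_RE.match(line.strip())
        if m:
            wings[m["dir"]] = Wing(
                ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]),
                m["proto"], m["ifname"],
            )
    if set(wings) != {"In", "Out"}:
        raise ValueError("session block must contain both an In and an Out wing")
    return wings


def check_nat64(wings: dict) -> list:
    """Return a list of findings; an empty list means the session matches the NAT64 design."""
    findings = []
    inw, outw = wings["In"], wings["Out"]
    # The In wing is the client's view: IPv6 host talking to the IPv6 name of the server.
    if inw.src.version != 6 or inw.dst.version != 6:
        findings.append("In wing is not IPv6-to-IPv6 as seen from the client")
    if inw.dst != NAT64_DST_V6:
        findings.append(f"client targeted {inw.dst}, not the NAT64 destination {NAT64_DST_V6}")
    # The Out wing is printed from the server's side (reverse direction): its source is the
    # real server address (destination NAT result) and its destination is the translated
    # client (source NAT result), so both must be IPv4.
    if outw.src.version != 4 or outw.dst.version != 4:
        findings.append("Out wing still carries IPv6 addresses; translation did not happen")
    if outw.src != DST_POOL_V4:
        findings.append(f"destination NAT produced {outw.src}, expected pool address {DST_POOL_V4}")
    if outw.dst != SRX_V4_IF_ADDR:
        findings.append(f"source NAT produced {outw.dst}, expected interface address {SRX_V4_IF_ADDR}")
    # Interface source NAT rewrites the client port (1053 -> 24770 above); the server port must not move.
    if inw.dport != outw.sport:
        findings.append("server port changed across the translation")
    return findings
```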


802.1q tunneling scenario 3

Posted by Peter Kurdziel on March 9, 2012

Configs:

custsw1

vlan 555
!
vlan 1700
name custvlan
!vlan 555
!
interface FastEthernet0/4
switchport access vlan 555
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 1700
switchport mode access
!
interface FastEthernet0/22
des TRUNK to SPSW1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan555
ip address 5.5.5.1 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.1 255.255.255.252
!

custsw2

vlan 555
!
vlan 1700
name custvlan
!vlan 555
!
interface FastEthernet0/6
switchport access vlan 555
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 1700
switchport mode access
!
interface FastEthernet0/22
des TRUNK TO SPSW2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan555
ip address 5.5.5.2 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.2 255.255.255.252

spsw1#
vlan dot1q tag native
!
vlan 104
name qinq
!
vlan 555
name SPpro555
!
vlan 1700
name SPpro1700
!

interface FastEthernet0/1
switchport access vlan 555
switchport mode access

interface FastEthernet0/22
des TO CUSTOMER SW 1
switchport access vlan 104
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/23
des TRUNK to SPSW2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104,555,1700
switchport mode trunk

interface GigabitEthernet0/1
switchport access vlan 1700
switchport mode access
interface Vlan555
ip address 5.5.5.1 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.1 255.255.255.252
!

spsw2#

vlan dot1q tag native
!
vlan 104
name qinq
!
vlan 555
name SPpro555
!
vlan 1700
name SPpro1700
!
interface FastEthernet0/1
switchport access vlan 555
switchport mode access

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104
switchport mode trunk

interface FastEthernet0/22
des TO CUSTOMER SW 2
switchport access vlan 104
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/23
des TRUNK TO SPSW1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104,555,1700
switchport mode trunk

interface GigabitEthernet0/1
switchport access vlan 1700
switchport mode access

interface Vlan555
ip address 5.5.5.2 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.2 255.255.255.252

Service Provider SW1 Verification
spsw1#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                5.5.5.1         YES manual up                    up
Vlan1700               10.1.1.1        YES manual up                    up

spsw1#sh dot1q-t int f0/22

dot1q-tunnel mode LAN Port(s)
—————————–
Fa0/22
spsw1#

spsw1#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/23      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      104,555,1700

Port        Vlans allowed and active in management domain
Fa0/23      104,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      104,555,1700

spsw1#sh int | in is up|address is|In
Vlan555 is up, line protocol is up
Hardware is EtherSVI, address is 0012.0183.3b00 (bia 0012.0183.3b00)
Internet address is 5.5.5.1/24

Vlan1700 is up, line protocol is up
Hardware is EtherSVI, address is 0012.0183.3b00 (bia 0012.0183.3b00)
Internet address is 10.1.1.1/30

clear arp

spsw1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0012.0183.3b00  ARPA   Vlan555
Internet  10.1.1.1                -   0012.0183.3b00  ARPA   Vlan1700

spsw1#ping 5.5.5.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
spsw1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

spsw1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0012.0183.3b00  ARPA   Vlan555
Internet  5.5.5.2                 0   0018.b9ff.c7c2  ARPA   Vlan555
Internet  10.1.1.2                0   0018.b9ff.c7c1  ARPA   Vlan1700
Internet  10.1.1.1                -   0012.0183.3b00  ARPA   Vlan1700

0012.0183.3b00 is SPSW1
0018.b9ff.c7c1 is SPSW2
0018.b9ff.c7c2 is SPSW2

The customer switches do not see the arp requests from the service provider switches.

custsw1# sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0018.b974.3fc2  ARPA   Vlan555
Internet  10.1.1.1                -   0018.b974.3fc1  ARPA   Vlan1700

custsw2# sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.2                 -   0018.b9ff.adc2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.adc1  ARPA   Vlan1700
custsw2#

SPSW1 can ping SPpro555 and SPpro1700 but it cannot ping CUST555 or CUST1700.

Service Provider SW2 Verification

spsw2#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                5.5.5.2         YES manual up                    up
Vlan1700               10.1.1.2        YES manual up                    up

spsw2#sh dot1q-t int f0/22

dot1q-tunnel mode LAN Port(s)
—————————–
Fa0/22

spsw2#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/23      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      104,555,1700

Port        Vlans allowed and active in management domain
Fa0/23      104,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      104,555

spsw2#sh int | in is up|address is|In
Vlan555 is up, line protocol is up
Hardware is EtherSVI, address is 0018.b9ff.c7c2 (bia 0018.b9ff.c7c2)
Internet address is 5.5.5.2/24

Vlan1700 is up, line protocol is up
Hardware is EtherSVI, address is 0018.b9ff.c7c1 (bia 0018.b9ff.c7c1)
Internet address is 10.1.1.2/30

clear arp

spsw2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.2                 -   0018.b9ff.c7c2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.c7c1  ARPA   Vlan1700

spsw2#ping 5.5.5.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1007 ms
spsw2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1006 ms
spsw2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 0   0012.0183.3b00  ARPA   Vlan555
Internet  5.5.5.2                 -   0018.b9ff.c7c2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.c7c1  ARPA   Vlan1700
Internet  10.1.1.1                0   0012.0183.3b00  ARPA   Vlan1700

0012.0183.3b00 is SPSW1
0018.b9ff.c7c1 is SPSW2
0018.b9ff.c7c2 is SPSW2

The customer switches do not see the arp requests from the service provider switches.

custsw1# sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0018.b974.3fc2  ARPA   Vlan555
Internet  10.1.1.1                -   0018.b974.3fc1  ARPA   Vlan1700

custsw2# sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.2                 -   0018.b9ff.adc2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.adc1  ARPA   Vlan1700
custsw2#

SPSW2 can ping SPpro555 and SPpro1700 but it cannot ping CUST555 or CUST1700.

Customer SW1 Verification
custsw1#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                5.5.5.1         YES manual up                    up
Vlan1700               10.1.1.1        YES manual up                    up
custsw1#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/22      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/22      1-4094

Port        Vlans allowed and active in management domain
Fa0/22      1,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/22      1,555,1700

custsw1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
custsw2          Fas 0/22          157           S I      WS-C3560- Fas 0/22

custsw1#sh int | in is up|address is|In
Vlan555 is up, line protocol is up
Hardware is EtherSVI, address is 0018.b974.3fc2 (bia 0018.b974.3fc2)
Internet address is 5.5.5.1/24

Vlan1700 is up, line protocol is up
Hardware is EtherSVI, address is 0018.b974.3fc1 (bia 0018.b974.3fc1)
Internet address is 10.1.1.1/30

clear arp

custsw1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0018.b974.3fc2  ARPA   Vlan555
Internet  10.1.1.1                -   0018.b974.3fc1  ARPA   Vlan1700

custsw1#ping 5.5.5.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms
custsw1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms

custsw1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0018.b974.3fc2  ARPA   Vlan555
Internet  5.5.5.2                 1   0018.b9ff.adc2  ARPA   Vlan555
Internet  10.1.1.2                1   0018.b9ff.adc1  ARPA   Vlan1700
Internet  10.1.1.1                -   0018.b974.3fc1  ARPA   Vlan1700

0018.b974.3fc2 is custsw1
0018.b9ff.adc1 is custsw2
0018.b9ff.adc2 is custsw2

The service provider switches do not see the arp requests from the customer switches.

spsw1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0012.0183.3b00  ARPA   Vlan555
Internet  10.1.1.1                -   0012.0183.3b00  ARPA   Vlan1700

spsw2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.2                 -   0018.b9ff.c7c2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.c7c1  ARPA   Vlan1700

CUSTSW1 can ping CUST555 and CUST1700 but it cannot ping SPpro555 or SPpro1700.

Customer SW2 Verification
custsw2#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                5.5.5.2         YES manual up                    up
Vlan1700               10.1.1.2        YES manual up                    up
custsw2#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/22      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/22      1-4094

Port        Vlans allowed and active in management domain
Fa0/22      1,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/22      1,555,1700

custsw2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
custsw1          Fas 0/22          150           S I      WS-C3560- Fas 0/22

custsw2#sh int | in is up|address is|In
Vlan555 is up, line protocol is up
Hardware is EtherSVI, address is 0018.b9ff.adc2 (bia 0018.b9ff.adc2)
Internet address is 5.5.5.2/24

Vlan1700 is up, line protocol is up
Hardware is EtherSVI, address is 0018.b9ff.adc1 (bia 0018.b9ff.adc1)
Internet address is 10.1.1.2/30

clear arp

custsw2# sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.2                 -   0018.b9ff.adc2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.adc1  ARPA   Vlan1700

custsw2#ping 5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
custsw2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

custsw2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 7   0018.b974.3fc2  ARPA   Vlan555
Internet  5.5.5.2                 -   0018.b9ff.adc2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.adc1  ARPA   Vlan1700
Internet  10.1.1.1                7   0018.b974.3fc1  ARPA   Vlan1700

0018.b974.3fc1 is custsw1
0018.b974.3fc2 is custsw1
0018.b9ff.adc1 is custsw2
0018.b9ff.adc2 is custsw2

The service provider switches do not see the arp requests from the customer switches.

spsw1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.1                 -   0012.0183.3b00  ARPA   Vlan555
Internet  10.1.1.1                -   0012.0183.3b00  ARPA   Vlan1700

spsw2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.2                 -   0018.b9ff.c7c2  ARPA   Vlan555
Internet  10.1.1.2                -   0018.b9ff.c7c1  ARPA   Vlan1700

CUSTSW2 can ping CUST555 and CUST1700 but it cannot ping SPpro555 or SPpro1700.



802.1q tunneling scenario 2

Posted by Peter Kurdziel on March 9, 2012

Configs

custsw1

vlan 555
!
vlan 1700
name custvlan
!vlan 555
!
interface FastEthernet0/4
switchport access vlan 555
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 1700
switchport mode access
!
interface FastEthernet0/22
des TRUNK to SPSW1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan555
ip address 5.5.5.1 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.1 255.255.255.252
!

custsw2

vlan 555
!
vlan 1700
name custvlan
!vlan 555
!
interface FastEthernet0/6
switchport access vlan 555
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 1700
switchport mode access
!
interface FastEthernet0/22
des TRUNK TO SPSW2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan555
ip address 5.5.5.2 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.2 255.255.255.252

spsw1#
vlan dot1q tag native
!
vlan 104
name qinq
!
vlan 555
name SPpro555
!
vlan 1700
name SPpro1700
!

interface FastEthernet0/1
switchport access vlan 555
switchport mode access

interface FastEthernet0/22
des TO CUSTOMER SW 1
switchport access vlan 104
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/23
des TRUNK to SPSW2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104,555,1700
switchport mode trunk

interface GigabitEthernet0/1
switchport access vlan 1700
switchport mode access
interface Vlan555
ip address 192.168.55.1 255.255.255.252
!
interface Vlan1700
ip address 192.168.17.1 255.255.255.252
!

spsw2#

vlan dot1q tag native
!
vlan 104
name qinq
!
vlan 555
name SPpro555
!
vlan 1700
name SPpro1700
!
interface FastEthernet0/1
switchport access vlan 555
switchport mode access

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104
switchport mode trunk

interface FastEthernet0/22
des TO CUSTOMER SW 2
switchport access vlan 104
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/23
des TRUNK TO SPSW1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104,555,1700
switchport mode trunk

interface GigabitEthernet0/1
switchport access vlan 1700
switchport mode access

interface Vlan555
ip address 192.168.55.2 255.255.255.252
!
interface Vlan1700
ip address 192.168.17.2 255.255.255.252

Service Provider SW1 Verification
spsw1#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                192.168.55.1    YES manual up                    up
Vlan1700               192.168.17.1    YES manual up                    up

spsw1#sh dot1q-t int f0/22

dot1q-tunnel mode LAN Port(s)
—————————–
Fa0/22
spsw1#

spsw1#sh int trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/23      on               802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/23      104,555,1700
Port        Vlans allowed and active in management domain
Fa0/23      104,555,1700
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      104,555,1700

spsw1#ping 192.168.55.2
Sending 5, 100-byte ICMP Echos to 192.168.55.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

spsw1#ping 192.168.17.2
Sending 5, 100-byte ICMP Echos to 192.168.17.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

spsw1#ping 5.5.5.1
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

spsw1#ping 5.5.5.2
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
spsw1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

spsw1#ping 10.1.1.2
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SPSW1 can ping SPpro555 and SPpro1700 but it cannot ping CUST555 or CUST1700.


Service Provider SW2 Verification

spsw2#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                192.168.55.2    YES manual up                    up
Vlan1700               192.168.17.2    YES manual up                    up

spsw2#sh dot1q-t int f0/22

dot1q-tunnel mode LAN Port(s)
—————————–
Fa0/22

spsw2#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/23      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      104,555,1700

Port        Vlans allowed and active in management domain
Fa0/23      104,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      104,555

spsw2#ping 192.168.55.1
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

spsw2#ping 192.168.17.1
Sending 5, 100-byte ICMP Echos to 192.168.17.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

spsw2#ping 5.5.5.1
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

spsw2#ping 5.5.5.2
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

spsw2#ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

spsw2#ping 10.1.1.2
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SPSW2 can ping SPpro555 and SPpro1700 but it cannot ping CUST555 or CUST1700.


Customer SW1 Verification
custsw1#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                5.5.5.1         YES manual up                    up
Vlan1700               10.1.1.1        YES manual up                    up
custsw1#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/22      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/22      1-4094

Port        Vlans allowed and active in management domain
Fa0/22      1,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/22      1,555,1700

custsw1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
custsw2          Fas 0/22          157           S I      WS-C3560- Fas 0/22

custsw1#ping 5.5.5.2
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

custsw1#ping 10.1.1.2
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

custsw1#ping 192.168.55.1
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

custsw1#ping 192.168.55.2
Sending 5, 100-byte ICMP Echos to 192.168.55.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

custsw1#ping 192.168.17.1
Sending 5, 100-byte ICMP Echos to 192.168.17.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

custsw1#ping 192.168.17.2
Sending 5, 100-byte ICMP Echos to 192.168.17.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Customer SW2 Verification
custsw2#sh ip int b | ex una
Interface              IP-Address      OK? Method Status                Protocol
Vlan555                5.5.5.2         YES manual up                    up
Vlan1700               10.1.1.2        YES manual up                    up
custsw2#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/22      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/22      1-4094

Port        Vlans allowed and active in management domain
Fa0/22      1,555,1700

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/22      1,555,1700

custsw2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
custsw1          Fas 0/22          150           S I      WS-C3560- Fas 0/22

custsw2#ping 5.5.5.1
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

custsw2#ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

custsw2#ping 192.168.17.1
Sending 5, 100-byte ICMP Echos to 192.168.17.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

custsw2#ping 192.168.17.2
Sending 5, 100-byte ICMP Echos to 192.168.17.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

custsw2#ping 192.168.55.1
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

custsw2#ping 192.168.55.2
Sending 5, 100-byte ICMP Echos to 192.168.55.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



802.1q tunneling scenario 1

Posted by Peter Kurdziel on March 8, 2012

How 802.1q tunneling works.

802.1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.

A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling, which then becomes a tunnel VLAN. To keep customer traffic segregated, each customer requires a separate tunnel VLAN, but that one tunnel VLAN supports all of the customer’s VLANs.

802.1Q tunneling is not restricted to point-to-point tunnel configurations. Any tunnel port in a tunnel VLAN is a tunnel entry and exit point. An 802.1Q tunnel can have as many tunnel ports as are needed to connect customer switches.

The customer switches are trunk connected, but with 802.1Q tunneling, the service provider switches only use one service provider VLAN to carry all the customer VLANs, instead of directly carrying all the customer VLANs.

With 802.1Q tunneling, tagged customer traffic comes from an 802.1Q trunk port on a customer device and enters the service-provider edge switch through a tunnel port. The link between the 802.1Q trunk port on a customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802.1Q trunk port and the other end is configured as a tunnel port. You assign the tunnel port to an access VLAN ID unique to each customer.

Configs

custsw1

vlan 555
!
vlan 1700
name custvlan
!vlan 555
!
interface FastEthernet0/4
switchport access vlan 555
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 1700
switchport mode access
!
interface FastEthernet0/22
des TRUNK to SPSW1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan555
ip address 5.5.5.1 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.1 255.255.255.252
!

custsw2

vlan 555
!
vlan 1700
name custvlan
!vlan 555
!
interface FastEthernet0/6
switchport access vlan 555
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 1700
switchport mode access
!
interface FastEthernet0/22
des TRUNK TO SPSW2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan555
ip address 5.5.5.2 255.255.255.0
!
interface Vlan1700
ip address 10.1.1.2 255.255.255.252

spsw1#

vlan dot1q tag native
!
vlan 104
name qinq

interface FastEthernet0/22
des to CUSTOMER SW 1
switchport access vlan 104
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/23
des to SPSW2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104
switchport mode trunk

spsw2#

vlan dot1q tag native
!
vlan 104
name qinq

interface FastEthernet0/22
des to CUSTOMER SW 2
switchport access vlan 104
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/23
des to SPSW1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 104
switchport mode trunk
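A frame-level model of the tunnel described above, added here as an example (not code from the post or from Cisco): it pushes and pops 802.1Q tags the way the dot1q-tunnel port (Fa0/22, access VLAN 104) and the provider trunk (Fa0/23, native VLAN 1) do. It shows why the customer's VLAN 555 frames in scenario 3 never reach the provider's own VLAN 555 even though both sides use 5.5.5.0/24, and why `vlan dot1q tag native` is in the provider configs. The customer frame bytes and the PCP=0 tags are constructed.

```python
import struct

DOT1Q_TPID = 0x8100
TUNNEL_VLAN = 104        # "vlan 104 / name qinq": access VLAN of the dot1q-tunnel ports
TRUNK_NATIVE_VLAN = 1    # "Native vlan 1" shown by `sh int trunk` on Fa0/23


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP=0, DEI=0) between the MAC addresses and the rest of the frame."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN ID {vid}")
    return frame[:12] + struct.pack("!HH", DOT1Q_TPID, vid) + frame[12:]


def pop_tag(frame: bytes):
    """Remove the outermost tag. Returns (vid, frame); vid is None when the frame is untagged."""
    if len(frame) < 16:
        return None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != DOT1Q_TPID:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]


def tag_stack(frame: bytes) -> list:
    """VLAN IDs of all stacked tags, outermost first ([] for an untagged frame)."""
    vids = []
    while True:
        vid, frame = pop_tag(frame)
        if vid is None:
            return vids
        vids.append(vid)


def tunnel_port_ingress(frame: bytes, tunnel_vlan: int = TUNNEL_VLAN) -> bytes:
    """Customer -> provider on a `switchport mode dot1q-tunnel` port: whatever arrives
    (customer-tagged or untagged) is put into the tunnel VLAN by pushing an outer tag."""
    return push_tag(frame, tunnel_vlan)


def tunnel_port_egress(frame: bytes) -> bytes:
    """Provider -> customer: strip the outer (tunnel) tag; the customer's own tag is untouched."""
    return pop_tag(frame)[1]


def trunk_send(frame: bytes, tag_native: bool, native: int = TRUNK_NATIVE_VLAN) -> bytes:
    """Provider trunk egress. Without `vlan dot1q tag native`, a frame whose outer VLAN
    equals the trunk's native VLAN leaves with that tag removed."""
    vids = tag_stack(frame)
    if vids and vids[0] == native and not tag_native:
        return pop_tag(frame)[1]
    return frame


def trunk_receive(frame: bytes, native: int = TRUNK_NATIVE_VLAN) -> int:
    """Provider trunk ingress: the VLAN the receiving switch classifies the frame into."""
    vids = tag_stack(frame)
    return vids[0] if vids else native


# Constructed customer ARP frame: broadcast dst, custsw2's Vlan555 MAC from the post as src,
# EtherType 0x0806, then filler in place of the ARP body.
CUSTOMER_FRAME = bytes.fromhex("ffffffffffff" "0018b9ffadc2" "0806") + b"\x00" * 28


def provider_vlan_seen(customer_vid: int, tunnel_vlan: int, tag_native: bool):
    """End to end: a customer frame tagged customer_vid enters the tunnel port, crosses the
    provider trunk, and we report (VLAN the far provider switch puts it in, tag stack the far
    customer switch receives). A frame that lands outside the tunnel VLAN is never sent out
    the tunnel port, so the second element is None: it has leaked into a provider VLAN."""
    on_wire = tunnel_port_ingress(push_tag(CUSTOMER_FRAME, customer_vid), tunnel_vlan)
    on_trunk = trunk_send(on_wire, tag_native)
    sp_vlan = trunk_receive(on_trunk)
    if sp_vlan != tunnel_vlan:
        return sp_vlan, None
    return sp_vlan, tag_stack(tunnel_port_egress(on_trunk))
```

With tunnel VLAN 104, as configured, the customer's VLAN 555 frames travel as [104, 555] and the provider's own VLAN 555 frames as [555], so the two never share a forwarding domain; only if the tunnel VLAN were the trunk's native VLAN and `vlan dot1q tag native` were missing would the outer tag be stripped in transit and the frame be classified by its customer tag on the far switch.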


How to configure Catalyst 3750/3750-E/3750-X Series Switches Using LLDP (Link Layer Discovery Protocol)

Posted by Peter Kurdziel on March 8, 2012

Link Layer Discovery Protocol - LLDP

LLDP is a neighbor discovery protocol that allows devices, including non-Cisco devices, to advertise information about themselves to other devices on the network. Cisco switches support the IEEE 802.1AB LLDP standard, which provides interoperability with non-Cisco devices. LLDP runs over the data-link layer, which allows two devices running different network-layer protocols to learn about each other.

LLDP discovers neighbor devices by using a set of attributes that contain type, length, and value descriptions. These attributes are referred to as TLVs. LLDP-capable devices use TLVs to send information to and receive information from their neighbors. The protocol can advertise details such as configuration information, device capabilities, and device identity.

The switch supports these basic management TLVs, which are mandatory LLDP TLVs:

  • Port description TLV
  • System name TLV
  • System description TLV
  • System capabilities TLV
  • Management address TLV

These organizationally specific LLDP TLVs are also advertised to support LLDP-MED:

  • Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
  • MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)
Catalyst 3750 Switch
Switch#configure terminal

!--- Enable LLDP globally on the switch.
Switch(config)#lldp run

!--- Specify the time a receiving device should hold LLDP information from this switch.
Switch(config)#lldp holdtime 180

!--- Set the sending frequency of LLDP updates.
Switch(config)#lldp timer 50

!--- Enter the interface on which to enable LLDP.
Switch(config)#interface gigabitethernet 1/0/1

!--- Enable the interface to send LLDP.
Switch(config-if)#lldp transmit

!--- Enable the interface to receive LLDP.
Switch(config-if)#lldp receive

!--- Return to privileged EXEC mode.
Switch(config-if)#end

!--- Save the configuration on the device (copy is a privileged EXEC command, not a config-mode command).
Switch#copy running-config startup-config

!--- To disable the LLDP feature on the switch:
Switch#configure terminal
Switch(config)#no lldp run
Switch(config)#end
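An encoder and decoder for the TLVs the post lists, added here as an example (not Cisco code): it builds the LLDPDU a switch configured as above would send, with the TTL TLV carrying the `lldp holdtime 180` value, then parses it back and validates the ordering that IEEE 802.1AB requires. The chassis MAC, interface name, management address and port VLAN are constructed sample values. Everything a neighbor advertises this way is unauthenticated, so the parsed fields are claims to record, not facts to trust.

```python
import struct

# TLV type numbers defined by IEEE 802.1AB
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCRIPTION, SYSTEM_NAME, SYSTEM_DESCRIPTION = 4, 5, 6
SYSTEM_CAPABILITIES, MANAGEMENT_ADDRESS, ORG_SPECIFIC = 7, 8, 127
CAP_BRIDGE = 0x0004                # system-capabilities bit for a MAC bridge (switch)
IEEE_8021_OUI = b"\x00\x80\xc2"    # OUI of the IEEE 802.1 organizationally specific TLVs
PORT_VLAN_ID_SUBTYPE = 1           # 802.1 subtype for the Port VLAN ID TLV


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: 7-bit type, 9-bit length; the value follows."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def decode_tlvs(pdu: bytes) -> list:
    """Split an LLDPDU into (type, value) pairs, stopping at the End of LLDPDU TLV."""
    tlvs, off = [], 0
    while off + 2 <= len(pdu):
        header, = struct.unpack_from("!H", pdu, off)
        tlv_type, length = header >> 9, header & 0x01FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, pdu[off:off + length]))
        off += length
        if tlv_type == END_OF_LLDPDU:
            break
    return tlvs


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int, sys_name: str,
                 sys_desc: str, mgmt_ipv4: bytes, if_index: int, port_vlan: int) -> bytes:
    """Mandatory TLVs first (Chassis ID, Port ID, TTL, in that order), then the basic
    management TLVs the post lists, one 802.1 Port VLAN ID TLV, then End of LLDPDU."""
    mgmt = (bytes([1 + len(mgmt_ipv4), 1]) + mgmt_ipv4     # address length incl. subtype; subtype 1 = IPv4
            + bytes([2]) + struct.pack("!I", if_index)      # interface numbering subtype 2 = ifIndex
            + bytes([0]))                                   # OID string length 0
    return b"".join([
        encode_tlv(CHASSIS_ID, bytes([4]) + chassis_mac),       # chassis subtype 4 = MAC address
        encode_tlv(PORT_ID, bytes([5]) + port_name.encode()),   # port subtype 5 = interface name
        encode_tlv(TTL, struct.pack("!H", ttl)),
        encode_tlv(PORT_DESCRIPTION, b"uplink"),
        encode_tlv(SYSTEM_NAME, sys_name.encode()),
        encode_tlv(SYSTEM_DESCRIPTION, sys_desc.encode()),
        encode_tlv(SYSTEM_CAPABILITIES, struct.pack("!HH", CAP_BRIDGE, CAP_BRIDGE)),  # supported, enabled
        encode_tlv(MANAGEMENT_ADDRESS, mgmt),
        encode_tlv(ORG_SPECIFIC, IEEE_8021_OUI + bytes([PORT_VLAN_ID_SUBTYPE]) + struct.pack("!H", port_vlan)),
        encode_tlv(END_OF_LLDPDU, b""),
    ])


def summarize(pdu: bytes) -> dict:
    """Validate the mandatory TLV ordering and extract the fields an operator would display."""
    tlvs = decode_tlvs(pdu)
    types = [t for t, _ in tlvs]
    if types[:3] != [CHASSIS_ID, PORT_ID, TTL] or types[-1] != END_OF_LLDPDU:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID, TTL and end with End of LLDPDU")
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == CHASSIS_ID and value[0] == 4:
            info["chassis_mac"] = value[1:].hex(":")
        elif tlv_type == PORT_ID and value[0] == 5:
            info["port"] = value[1:].decode()
        elif tlv_type == TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == SYSTEM_NAME:
            info["system_name"] = value.decode()
        elif tlv_type == SYSTEM_CAPABILITIES:
            info["is_bridge"] = bool(struct.unpack("!HH", value)[1] & CAP_BRIDGE)
        elif tlv_type == MANAGEMENT_ADDRESS and value[1] == 1:
            info["mgmt_ipv4"] = ".".join(str(b) for b in value[2:2 + value[0] - 1])
        elif tlv_type == ORG_SPECIFIC and value[:4] == IEEE_8021_OUI + bytes([PORT_VLAN_ID_SUBTYPE]):
            info["port_vlan"] = struct.unpack("!H", value[4:6])[0]
    return info


# Constructed sample advertisement for the switch configured in the post (MAC, name, address are made up).
SAMPLE_PDU = build_lldpdu(bytes.fromhex("0018b9743fc2"), "GigabitEthernet1/0/1", 180,
                          "Switch", "Cisco IOS Catalyst 3750", bytes([192, 168, 1, 1]), 1, 10)
```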


Sample IPv6 Configuration for BGP with Two Different Service Providers (Multihoming) [IP Routed Protocols] – Cisco Systems

Posted by Peter Kurdziel on March 8, 2012

Router-A
Router-A#
ipv6 unicast-routing
!--- Enables the forwarding of IPv6 packets.
ipv6 cef
interface Serial3/0
description CONNECTED TO SP-A
ip address 192.168.10.1 255.255.255.0
ipv6 address 1202:ABCD::/64 eui-64
ipv6 enable
no fair-queue
clock rate 64000
!
interface Serial3/1
description CONNECTED TO SP-B
no ip address
ipv6 address 2303:ABCD::/64 eui-64
clock rate 64000
!
router bgp 101
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1202:ABCD::21B:54FF:FEA9:24B0 remote-as 202
!--- Configures SP-A as neighbor.
neighbor 1202:ABCD::21B:54FF:FEA9:24B0 ebgp-multihop 2
neighbor 2303:ABCD::21B:54FF:FE54:FB10 remote-as 303
!--- Configures SP-B as neighbor.
!
address-family ipv6
neighbor 1202:ABCD::21B:54FF:FEA9:24B0 activate
neighbor 2303:ABCD::21B:54FF:FE54:FB10 activate
network 1010:1010::/64
network 2020:2020::/64
exit-address-family
!
Service Provider A
SP-A#
ipv6 unicast-routing
ipv6 cef
interface Serial1/0
no ip address
ipv6 address 1202:ABCD::/64 eui-64
ipv6 enable
no fair-queue
!
router bgp 202
bgp router-id 2.2.2.2
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1202:ABCD::21C:58FF:FEED:3E90 remote-as 101
!--- Configures Router A as neighbor.
!
address-family ipv6
neighbor 1202:ABCD::21C:58FF:FEED:3E90 activate
network 1212:1212::/64
exit-address-family
!
Service Provider B
SP-B#
ipv6 unicast-routing
ipv6 cef
interface Serial1/0
no ip address
ipv6 address 2303:ABCD::/64 eui-64
no fair-queue
!
router bgp 303
no synchronization
bgp router-id 3.3.3.3
bgp log-neighbor-changes
neighbor 2303:ABCD::21C:58FF:FEED:3E90 remote-as 101
!--- Configures Router A as neighbor.
neighbor 2303:ABCD::21C:58FF:FEED:3E90 ebgp-multihop 5
no auto-summary
!
address-family ipv6
neighbor 2303:ABCD::21C:58FF:FEED:3E90 activate
network 1212:1212::/64
exit-address-family
!
Verification

  • Router-A# show bgp ipv6 unicast summary 
    BGP router identifier 1.1.1.1, local AS number 101
    BGP table version is 6, main routing table version 6
    3 network entries using 447 bytes of memory
    4 path entries using 304 bytes of memory
    4/2 BGP path/bestpath attribute entries using 496 bytes of memory
    2 BGP AS-PATH entries using 48 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 1295 total bytes of memory
    BGP activity 3/0 prefixes, 14/10 paths, scan interval 60 secs
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1202:ABCD::21B:54FF:FEA9:24B0
                    4   202     108     119        6    0    0 00:31:41            1
    2303:ABCD::21B:54FF:FE54:FB10
                    4   303     108     121        6    0    0 00:25:1             1
     !--- Indicates that Router A is peering with both ISPs, SP-A and SP-B.
  • Routes that Router-A learned from SP-A and SP-B
    Router-A#show bgp ipv6 unicast
    BGP table version is 6, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *> 1010:1010::/64   ::                       0         32768 i
    *  1212:1212::/64   2303:ABCD::21B:54FF:FE54:FB10
                                                 0             0 303 i
    *>                  1202:ABCD::21B:54FF:FEA9:24B0
                                                 0             0 202 i
    *> 2020:2020::/64   ::                       0         32768 i
  • On SP-A:
    SP-A#sh bgp ipv6 unicast
    BGP table version is 4, local router ID is 2.2.2.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *> 1010:1010::/64   1202:ABCD::21C:58FF:FEED:3E90
                                                 0             0 101 i
    *> 1212:1212::/64   ::                       0         32768 i
    *> 2020:2020::/64   1202:ABCD::21C:58FF:FEED:3E90
                                                 0             0 101 i
  • On SP-B:
    SP-B#sh bgp ipv6 unicast
    BGP table version is 4, local router ID is 3.3.3.3
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *> 1010:1010::/64   2303:ABCD::21C:58FF:FEED:3E90
                                                 0             0 101 i
    *  1212:1212::/64   2303:ABCD::21C:58FF:FEED:3E90
                                                 0               101 202 i
    *>                  ::                       0         32768 i
    *> 2020:2020::/64   2303:ABCD::21C:58FF:FEED:3E90
                                                 0             0 101 i

Posted in Routing & Switching Lab

Recent Field Notices

Posted by Peter Kurdziel on March 8, 2012

All Cisco Field Notices
01-MAR-2012
(Cisco ONS 15400 Series) Field Notice: FN – 63484 – OC192XFP card does not recognize newer revisions of XFP ONS-XC-10G-C= (Rev. 02 or higher) and ONS-XC-10G-xx.y= (Rev. 02 or higher) prior to 9.2.1- SW update required

01-FEB-2012
(Cisco IP Interactive Voice Response) Field Notice: FN – 63487 – UCCX 8.5(X) Incorrect agent email states

06-JAN-2012
(Cisco ONS 15400 Series) Field Notice: OTBU: FN63478: ONS15454-M6/SDH: TNC/TSC/TNCE/TSCE cards shipped with R9.3 software prior to 12/01/2011 experience BKUPMEMP alarm declaration. Workaround Available.

13-DEC-2011
(Cisco Catalyst 3560 Series Switches) Field Notice: FN – 63476 – Certain Catalyst 3560G and 3750G Switches Do Not Support Some Older IOS Versions

14-SEP-2011
(Cisco 7600 Series Routers) Field Notice: FN – 63313 – 7600: A batch of WS-X6582-2PA may fail when booting under low temperature

08-SEP-2011
(Cisco Agent Desktop) Field Notice: FN – 63454 – Agent desktops upgraded to Cisco Agent Desktop 8.5(2) are unable to launch

17-AUG-2011
(Cisco ONS 15400 Series) Field Notice: FN – 63406 – 15454 CE-1000 interoperability issue with other vendor products, specifically the ALU9500 MPR (SW upgrade available)

22-JUL-2011
(Cisco ONS 15600 Series) Field Notice: FN – 63439 – OTBU 15600-TSC Flash Drive Failure: Cisco recommends replacement

22-JUL-2011
(Cisco ONS 15400 Series) Field Notice: FN – 63305 – 15454-ML1000-2 – Interoperability issues between the 15454-ML1000-2 and CAT4507 with auto negotiation enabled

20-JUL-2011
(Cisco ONS 15600 Series) Field Notice: FN – 63440 – OTBU 15600-TSC cards can create Network outage in systems running R6.0 – R9.0.x

21-JUN-2011
(Cisco CRS Series Routers) Field Notice: FN – 63381 – CRS-MSC-B and CRS-FP40 boards will start using RLDRAM2 because of component EOL – Mandatory SMU required for both HW types

17-JUN-2011
(Cisco Unified CallManager) Field Notice: FN – 63421 – Cisco Unified Communications products might experience “media check failure” when installing product; workaround provided

03-JUN-2011
(Cisco ONS 15400 Series) Field Notice: FN – 63388 – 15454-OPT-AMP-C Certain cards at risk of traffic outage due to firmware upgrade, replacement recommended

10-MAY-2011
(Cisco MDS 9100 Series Multilayer Fabric Switches) Field Notice: FN – 63416 – DS-C9124 & DS-C9148 have incorrect MAC Programming; UMPIRE Program in Place

04-MAY-2011
(Cisco 7800 Series Media Convergence Servers) Field Notice: FN – 63372 – MCS-7825-I4, Windows 2003.1.5 fresh install fails to build the RAID array, Upgrade required

22-APR-2011
(Cisco Unified Contact Center Hosted) Field Notice: FN – 63410 – Cisco Agent Desktop (CAD) for UCCE 8.0(1) unable to login

02-FEB-2011
(Cisco Security Agent) Field Notice: FN – 62428 – SpamMailI2RTest1

28-JAN-2011
(Cisco Unified Intelligent Contact Management Enterprise) Field Notice: FN – 63371 – Unable to Make Config Changes – UpdateAW Process Failure

30-NOV-2010
(Cisco ONS 15400 Series) Field Notice: FN – 63361 – 15454-OTU2-XP, 15454-10GE-XP and 15454-10GE-XPE: Possible mechanical interference issues with faceplates and certain heatpipes – Unit Replacement Recommended

28-OCT-2010
(Cisco ONS 15400 Series) FN – 63110 – 15454-MR-L1-xx.x, 15454-MRP-L1-xx.x – Bad Lot of Boards – Recall Due to a MOSFET Reliability Issue in a DC to DC Circuit on the Cards

 

Posted in Routing & Switching Lab

Google Global Cache (GGC)

Posted by Peter Kurdziel on February 29, 2012

Google Global Cache

Google Global Cache (GGC) allows you to serve Google content, primarily video, from the edge of your own network. This eases congestion on your network and lessens traffic on peering and transit links. GGC saves you money while improving the experience of your users.

I am only posting the “Network” side of the installation. GGC specific instructions are provided with the product.

Access Control Lists

Access Control Lists (ACLs) are not recommended on network equipment serving the GGC node. An IP firewall runs on each server in the GGC cluster.

If ACLs are used, the following ports must be allowed for the entire subnet:

  •  inbound and outbound HTTP and HTTPS (TCP/80, TCP/443)
  •  inbound and outbound ICMP (Protocol ID 1)
  •  inbound and outbound SSH (TCP/22)
  •  outbound DNS (UDP/53 and TCP/53)
  •  outbound NTP (UDP/123)
  •  outbound BGP (TCP/179)
  •  the node must be reachable from any IP on the Internet.

Cisco Switch Configuration Example Fragment

!

interface GigabitEthernet1/1
description GGChost1-Gb1
switchport mode access
channel-protocol lacp
channel-group 1 mode passive
!
interface GigabitEthernet1/2
description GGChost1-Gb2
switchport mode access
channel-protocol lacp
channel-group 1 mode passive
!
interface Port-channel1
description GGChost1
switchport
switchport mode access
!
interface GigabitEthernet1/3
description GGChost2-Gb1
switchport mode access
channel-protocol lacp
channel-group 2 mode passive
!
interface GigabitEthernet1/4
description GGChost2-Gb2
switchport mode access
channel-protocol lacp
channel-group 2 mode passive
!
interface Port-channel2
description GGChost2
switchport
switchport mode access
end

BGP Configuration

BGP Peer Configuration Examples

Cisco Option 1: Prefix list based route filtering

neighbor <IP address of GGC> remote-as 65535
neighbor <IP address of GGC> transport connection-mode passive
neighbor <IP address of GGC> prefix-list deny-any in
neighbor <IP address of GGC> prefix-list GGC-OUT out
ip prefix-list deny-any deny 0.0.0.0/0 le 32
ip prefix-list GGC-OUT permit <x.y.z/24>
ip prefix-list GGC-OUT permit <a.b.c/24>

 

Cisco Option 2: AS-PATH based route filtering

neighbor <IP address of GGC> remote-as 65535
neighbor <IP address of GGC> transport connection-mode passive
neighbor <IP address of GGC> filter-list 1 in
neighbor <IP address of GGC> filter-list 2 out
ip as-path access-list 1 deny .*
ip as-path access-list 2 permit _100_
ip as-path access-list 2 permit _200$
ip as-path access-list 2 permit ^300$
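As an added example (not Google's, Cisco's or the blog author's code), the following Python re-implements the two IOS matching rules the Cisco options rely on, `ip prefix-list` entries with an optional `le` bound and `ip as-path access-list` regexes with the `_` boundary character, and runs a constructed set of routes through the inbound deny-any list and both outbound filters. The prefixes and the AS 64500 upstream are made up; 100, 200 and 300 are the AS numbers from Option 2.

```python
# Added example (not Google's, Cisco's or the blog's code): Python re-implementation of
# the two IOS match rules used by the GGC filters above, run over constructed routes.
import ipaddress
import re

# Constructed BGP table: (prefix, AS_PATH as 'show ip bgp' prints it).  100/200/300
# are the AS numbers from the filter-list above; 64500 stands in for an upstream
# whose routes must never reach the cache node.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", "100"),          # own prefix, originated in AS 100
    ("198.51.100.0/25", "100 200"),     # more-specific of a /24 learned from AS 200
    ("192.0.2.0/24", "300"),
    ("10.200.0.0/16", "100 64500"),     # transit route that merely passed through AS 100
]

def prefix_list_match(entries, prefix):
    """entries: ordered (action, base, le) tuples; le=None means exact length only.
    Mirrors 'ip prefix-list': first matching entry wins, implicit deny at the end."""
    net = ipaddress.ip_network(prefix)
    for action, base, le in entries:
        base_net = ipaddress.ip_network(base)
        longest = base_net.prefixlen if le is None else le
        if base_net.prefixlen <= net.prefixlen <= longest and net.subnet_of(base_net):
            return action == "permit"
    return False

def as_path_match(acl, as_path):
    """acl: ordered (action, ios_regex) tuples.  In IOS '_' matches the start or end
    of the path, a space or punctuation, so translate it before re.search().
    Implicit deny at the end, as with 'ip as-path access-list'."""
    for action, ios_regex in acl:
        pattern = ios_regex.replace("_", r"(?:^|$|[ ,{}()])")
        if re.search(pattern, as_path):
            return action == "permit"
    return False

def exported(routes, prefix_entries=None, as_path_acl=None):
    """Prefixes that pass the given filters (either may be None = not applied)."""
    keep = []
    for prefix, path in routes:
        if prefix_entries is not None and not prefix_list_match(prefix_entries, prefix):
            continue
        if as_path_acl is not None and not as_path_match(as_path_acl, path):
            continue
        keep.append(prefix)
    return keep

# Inbound: 'ip prefix-list deny-any deny 0.0.0.0/0 le 32' rejects everything.
DENY_ANY = [("deny", "0.0.0.0/0", 32)]
# Option 1 outbound, with the page's <x.y.z/24> placeholders filled with constructed prefixes.
OPTION1_OUT = [("permit", "203.0.113.0/24", None), ("permit", "198.51.100.0/24", None)]
# Option 2 outbound: 'permit _100_', 'permit _200$', 'permit ^300$'.
OPTION2_OUT = [("permit", "_100_"), ("permit", "_200$"), ("permit", "^300$")]
```

Run against the sample table, Option 1 exports only 203.0.113.0/24 (the /25 fails the exact-length match), while Option 2 also exports the route that merely transited AS 100, because `_100_` matches AS 100 at any position in the path.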

 

Juniper Option 1: Prefix based policy

neighbor <IP address of GGC> {
description "GGC";
import no-routes;
export export-filter;
peer-as 65535;
passive;
}
policy-statement no-routes {
term default {
then reject;
}
}
policy-statement export-filter {
term allow-routes {
from {
route-filter a.b.c.d/xy orlonger;
}
then accept;
}
}

 

Juniper Option 2: AS-PATH based policy

neighbor <IP address of GGC> {
description "GGC";
import no-routes;
export export-filter;
peer-as 65535;
passive;
}
policy-statement no-routes {
term default {
then reject;
}
}
policy-statement export-filter {
term allow-routes {
from {
as-path-group GGC;
}
then accept;
}
}
as-path-group GGC {
as-path AS-PATH-NAME-1 "^100.*";
as-path AS-PATH-NAME-2 "^200.*";
}

Posted in Real World

How to Implement Multiprotocol BGP for IPv6

Posted by Peter Kurdziel on February 29, 2012

 

Configuring a BGP Process, BGP Router ID, and IPv6 Multiprotocol BGP Peer

ipv6 unicast-routing
!
router bgp 65000
no bgp default ipv4-unicast
bgp router-id 192.168.99.70
neighbor 2001:DB8:0:CC00::1 remote-as 64600
address-family ipv6 unicast
  neighbor 2001:DB8:0:CC00::1 activate

Configuring an IPv6 Multiprotocol BGP Peer Using a Link-Local Address

router bgp 65000
 neighbor FE80::XXXX:BFF:FE0E:A471 remote-as 64600
 neighbor FE80::XXXX:BFF:FE0E:A471 update-source fastethernet0
address-family ipv6
 neighbor FE80::XXXX:BFF:FE0E:A471 activate
 neighbor FE80::XXXX:BFF:FE0E:A471 route-map nh6 out
route-map nh6 permit 10
 match ipv6 address prefix-list cisco
 set ipv6 next-hop 2001:DB8:5y6::1
ipv6 prefix-list cisco permit 2001:DB8:2Fy2::/48 le 128
ipv6 prefix-list cisco deny ::/0

Note: If you specify only the global IPv6 next-hop address (the ipv6-address argument) with the set ipv6 next-hop command after specifying the neighbor interface (the interface-type argument) with the neighbor update-source command, the link-local address of the interface specified with the interface-type argument is included as the next hop in the BGP updates. Therefore, only one route map that sets the global IPv6 next-hop address in BGP updates is required for multiple BGP peers that use link-local addresses.

Configuring an IPv6 Multiprotocol BGP Peer Group

router bgp 65000
no bgp default ipv4-unicast
neighbor group1 peer-group
neighbor 2001:DB8:0:CC00::1 remote-as 64600
address-family ipv6 unicast
 neighbor group1 activate
 neighbor 2001:DB8:0:CC00::1 peer-group group1

Advertising Routes into IPv6 Multiprotocol BGP

router bgp 65000
 no bgp default ipv4-unicast
address-family ipv6 unicast
  network 2001:DB8::/24

Configuring a Route Map for IPv6 Multiprotocol BGP Prefixes

router bgp 64900
no bgp default ipv4-unicast
neighbor 2001:DB8:0:CC00::1 remote-as 64700
address-family ipv6 unicast
 neighbor 2001:DB8:0:CC00::1 activate
 neighbor 2001:DB8:0:CC00::1 route-map rtp in
ipv6 prefix-list cisco seq 10 permit 2001:DB8::/24
route-map rtp permit 10
 match ipv6 address prefix-list cisco

Redistributing Prefixes into IPv6 Multiprotocol BGP

router bgp 64900
no bgp default ipv4-unicast
address-family ipv6 unicast
 redistribute rip

Advertising IPv4 Routes Between IPv6 Peers

router bgp 65000
!
 neighbor 6peers peer-group
 neighbor 2001:DB8:yyyy::2 remote-as 65002
 address-family ipv4
 neighbor 6peers activate
 neighbor 6peers soft-reconfiguration inbound
 neighbor 2001:DB8:yyyy::2 peer-group 6peers
 neighbor 2001:DB8:yyyy::2 route-map rmap in
!   
route-map rmap permit 10
 set ip next-hop 10.21.8.10

 

Posted in BGP, IPV6

Troubleshooting BGP

Posted by Peter Kurdziel on February 29, 2012

Main Troubleshooting Flowchart

bgp_trouble_main.jpg

Troubleshooting BGP Neighbor Establishment

bgp_trouble_neighbor.jpg

Note: *Sample log messages to check when the neighbor is not coming up:

BGP_SESSION-5-ADJCHANGE: neighbor[ip address] IPv4 Unicast topology base removed
  from session Peer closed the session
BGP_SESSION-5-ADJCHANGE: neighbor[ip address] IPv4 Unicast topology base removed
  from session Unknown path error

Note: **Example of a ping with a specified packet size and the Do Not Fragment (DF) bit set in the IP header:

Router#ping 10.10.10.2 size 1400 df-bit

Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/84 ms

Troubleshooting Routes Missing from the Routing Table

bgp_trouble_route_missing.jpg

Note: In the debug ip bgp x.x.x.x updates command, x.x.x.x is the neighbor to which the route should be advertised.

Troubleshooting Multihoming Inbound

bgp_trouble_multi_in.jpg

Troubleshooting BGP Route Advertisement

bgp_trouble_route_adv.jpg

Troubleshooting Multihoming Outbound

bgp_trouble_multi_out.jpg

Source:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009478a.shtml#bgp_trouble_neighbor

 

Posted in BGP, Troubleshooting

 