Pete's Packet

Limitless

Archive for February, 2012

Google Global Cache (GGC)

Posted by Peter Kurdziel on February 29, 2012

Google Global Cache

Google Global Cache (GGC) allows you to serve Google content, primarily video, from the edge of your own network. This eases congestion on your network and lessens traffic on peering and transit links. GGC saves you money while improving the experience of your users.

I am only posting the “Network” side of the installation. GGC-specific instructions are provided with the product.

Access Control Lists

Access Control Lists (ACLs) are not recommended on network equipment serving the GGC node. An IP firewall runs on each server in the GGC cluster.

If ACLs are used, the following ports must be allowed for the entire subnet:

  •  inbound and outbound HTTP and HTTPS (TCP/80, TCP/443)
  •  inbound and outbound ICMP (Protocol ID 1)
  •  inbound and outbound SSH (TCP/22)
  •  outbound DNS (UDP/53 and TCP/53)
  •  outbound NTP (UDP/123)
  •  outbound BGP (TCP/179)

  •  the node must be reachable from any IP on the Internet.

Cisco Switch Configuration Example Fragment

!

interface GigabitEthernet1/1
description GGChost1-Gb1
switchport mode access
channel-protocol lacp
channel-group 1 mode passive
!
interface GigabitEthernet1/2
description GGChost1-Gb2
switchport mode access
channel-protocol lacp
channel-group 1 mode passive
!
interface Port-channel1
description GGChost1
switchport
switchport mode access
!
interface GigabitEthernet1/3
description GGChost2-Gb1
switchport mode access
channel-protocol lacp
channel-group 2 mode passive
!
interface GigabitEthernet1/4
description GGChost2-Gb2
switchport mode access
channel-protocol lacp
channel-group 2 mode passive
!
interface Port-channel2
description GGChost2
switchport
switchport mode access
end

BGP Configuration

BGP Peer Configuration Examples

Cisco Option 1: Prefix list based route filtering

neighbor <IP address of GGC> remote-as 65535
neighbor <IP address of GGC> transport connection-mode passive
neighbor <IP address of GGC> prefix-list deny-any in
neighbor <IP address of GGC> prefix-list GGC-OUT out
ip prefix-list deny-any deny 0.0.0.0/0 le 32
ip prefix-list GGC-OUT permit <x.y.z/24>
ip prefix-list GGC-OUT permit <a.b.c/24>
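
How IOS evaluates the two prefix lists in Option 1, as an added example that is not part of the original post. The prefixes 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for <x.y.z/24> and <a.b.c/24>, and the evaluator also handles `ge` and `seq`, which goes beyond what this config uses.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge X] [le Y]'."""
    tok = line.split()
    name, rest = tok[2], tok[3:]
    if rest[0] == "seq":
        rest = rest[2:]
    action, net = rest[0], ipaddress.ip_network(rest[1])
    opts = dict(zip(rest[2::2], map(int, rest[3::2])))
    ge, le = opts.get("ge"), opts.get("le")
    # IOS length rules: no ge/le means the exact length only; "le" alone
    # starts at the entry's own length; "ge" alone runs to the maximum.
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return name, action, net, lo, hi

def load(config):
    """Group parsed entries by prefix-list name, keeping configuration order."""
    lists = {}
    for line in config.strip().splitlines():
        name, *entry = parse_entry(line)
        lists.setdefault(name, []).append(tuple(entry))
    return lists

def evaluate(entries, route):
    """Return the first matching entry's action, or the implicit deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if (route.version == net.version and route.subnet_of(net)
                and lo <= route.prefixlen <= hi):
            return action
    return "implicit deny"

# Constructed config: Option 1 with documentation prefixes filled in.
CONFIG = """
ip prefix-list deny-any deny 0.0.0.0/0 le 32
ip prefix-list GGC-OUT permit 192.0.2.0/24
ip prefix-list GGC-OUT permit 198.51.100.0/24
"""
LISTS = load(CONFIG)

if __name__ == "__main__":
    for route in ("192.0.2.0/24", "192.0.2.128/25", "192.0.0.0/22"):
        print("GGC-OUT ", route, evaluate(LISTS["GGC-OUT"], route))
    for route in ("0.0.0.0/0", "203.0.113.0/24", "203.0.113.7/32"):
        print("deny-any", route, evaluate(LISTS["deny-any"], route))
```

An entry without `ge` or `le` matches only the exact prefix length, so a more-specific /25 inside a permitted /24 is not advertised to the node.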

 

Cisco Option 2: AS-PATH based route filtering

neighbor <IP address of GGC> remote-as 65535
neighbor <IP address of GGC> transport connection-mode passive
neighbor <IP address of GGC> filter-list 1 in
neighbor <IP address of GGC> filter-list 2 out
ip as-path access-list 1 deny .*
ip as-path access-list 2 permit _100_
ip as-path access-list 2 permit _200$
ip as-path access-list 2 permit ^300$
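
Which AS paths the Option 2 filter lists match, as an added example that is not part of the original post. It emulates the IOS `_` delimiter in Python; the sample AS paths are constructed, and 100, 200 and 300 are the placeholder AS numbers from the config above.

```python
import re

# In IOS AS-path regexes "_" matches the start or end of the path, a space,
# a comma, a brace or a parenthesis. Python has no such token, so expand it.
DELIM = r"(?:^|$|[ ,{}()])"

def to_python(cisco_pattern):
    """Translate an IOS AS-path regex into a compiled Python regex."""
    return re.compile(cisco_pattern.replace("_", DELIM))

def evaluate(acl, as_path):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, pattern in acl:
        if to_python(pattern).search(as_path):
            return action
    return "implicit deny"

# The two lists from Option 2, as (action, regex) pairs.
ACL_1_IN = [("deny", ".*")]
ACL_2_OUT = [("permit", "_100_"), ("permit", "_200$"), ("permit", "^300$")]

# Constructed AS paths as IOS shows them: nearest AS first, origin AS last.
# The empty string is a route originated by this router.
SAMPLES = ["100", "64512 100 64513", "1100 64513", "64512 200",
           "200 64513", "300", "64512 300", ""]

def report(acl, paths=SAMPLES):
    """Map each sample AS path to the verdict the list gives it."""
    return {path: evaluate(acl, path) for path in paths}

if __name__ == "__main__":
    for path, verdict in report(ACL_2_OUT).items():
        print(f"out {path or '(empty, locally originated)':30} {verdict}")
    for path, verdict in report(ACL_1_IN).items():
        print(f"in  {path or '(empty, locally originated)':30} {verdict}")
```

The empty AS path falls to the implicit deny in list 2, so prefixes originated on this router would need a `^$` entry to be advertised to the node.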

 

Juniper Option 1: Prefix based policy

neighbor <IP address of GGC> {
    description "GGC";
    import no-routes;
    export export-filter;
    peer-as 65535;
    passive;
}
policy-statement no-routes {
    term default {
        then reject;
    }
}
policy-statement export-filter {
    term allow-routes {
        from {
            route-filter a.b.c.d/xy orlonger;
        }
        then accept;
    }
}

 

Juniper Option 2: AS-PATH based policy

neighbor <IP address of GGC> {
    description "GGC";
    import no-routes;
    export export-filter;
    peer-as 65535;
    passive;
}
policy-statement no-routes {
    term default {
        then reject;
    }
}
policy-statement export-filter {
    term allow-routes {
        from {
            as-path-group GGC;
        }
        then accept;
    }
}
as-path-group GGC {
    as-path AS-PATH-NAME-1 "^100.*";
    as-path AS-PATH-NAME-2 "^200.*";
}

Posted in Real World | Leave a Comment »

How to Implement Multiprotocol BGP for IPv6

Posted by Peter Kurdziel on February 29, 2012

 

Configuring a BGP Process, BGP Router ID, and IPv6 Multiprotocol BGP Peer

ipv6 unicast-routing
!
router bgp 65000
no bgp default ipv4-unicast
bgp router-id 192.168.99.70
neighbor 2001:DB8:0:CC00::1 remote-as 64600
address-family ipv6 unicast
  neighbor 2001:DB8:0:CC00::1 activate

Configuring an IPv6 Multiprotocol BGP Peer Using a Link-Local Address

router bgp 65000
 neighbor FE80::XXXX:BFF:FE0E:A471 remote-as 64600
 neighbor FE80::XXXX:BFF:FE0E:A471 update-source fastethernet0
address-family ipv6
 neighbor FE80::XXXX:BFF:FE0E:A471 activate
 neighbor FE80::XXXX:BFF:FE0E:A471 route-map nh6 out
route-map nh6 permit 10
 match ipv6 address prefix-list cisco
 set ipv6 next-hop 2001:DB8:5y6::1
ipv6 prefix-list cisco permit 2001:DB8:2Fy2::/48 le 128
ipv6 prefix-list cisco deny ::/0

Note: If you specify only the global IPv6 next-hop address (the ipv6-address argument) with the set ipv6 next-hop command after specifying the neighbor interface (the interface-type argument) with the neighbor update-source command, the link-local address of the interface specified with the interface-type argument is included as the next hop in the BGP updates. Therefore, only one route map that sets the global IPv6 next-hop address in BGP updates is required for multiple BGP peers that use link-local addresses.


Configuring an IPv6 Multiprotocol BGP Peer Group

router bgp 65000
no bgp default ipv4-unicast
neighbor group1 peer-group
neighbor 2001:DB8:0:CC00::1 remote-as 64600
address-family ipv6 unicast
 neighbor group1 activate
 neighbor 2001:DB8:0:CC00::1 peer-group group1

Advertising Routes into IPv6 Multiprotocol BGP

router bgp 65000
 no bgp default ipv4-unicast
address-family ipv6 unicast
  network 2001:DB8::/24

Configuring a Route Map for IPv6 Multiprotocol BGP Prefixes

router bgp 64900
no bgp default ipv4-unicast
neighbor 2001:DB8:0:CC00::1 remote-as 64700
address-family ipv6 unicast
 neighbor 2001:DB8:0:CC00::1 activate
 neighbor 2001:DB8:0:CC00::1 route-map rtp in
ipv6 prefix-list cisco seq 10 permit 2001:DB8::/24
route-map rtp permit 10
 match ipv6 address prefix-list cisco

Redistributing Prefixes into IPv6 Multiprotocol BGP

router bgp 64900
no bgp default ipv4-unicast
address-family ipv6 unicast
 redistribute rip

Advertising IPv4 Routes Between IPv6 Peers

router bgp 65000
!
 neighbor 6peers peer-group
 neighbor 2001:DB8:yyyy::2 remote-as 65002
 address-family ipv4
 neighbor 6peers activate
 neighbor 6peers soft-reconfiguration inbound
 neighbor 2001:DB8:yyyy::2 peer-group 6peers
 neighbor 2001:DB8:yyyy::2 route-map rmap in
!   
route-map rmap permit 10
 set ip next-hop 10.21.8.10

 

Posted in BGP, IPV6 | Leave a Comment »

Troubleshooting BGP

Posted by Peter Kurdziel on February 29, 2012

Main Troubleshooting Flowchart

bgp_trouble_main.jpg

Troubleshooting BGP Neighbor Establishment

bgp_trouble_neighbor.jpg

Note: *Sample log messages to be checked when neighbor is not coming up:

BGP_SESSION-5-ADJCHANGE: neighbor[ip address] IPv4 Unicast topology base removed
  from session Peer closed the session
BGP_SESSION-5-ADJCHANGE: neighbor[ip address] IPv4 Unicast topology base removed
  from session Unknown path error

Note: **Example of a ping with a specified packet size and the don't-fragment (DF) bit set in the IP header:

Router#ping 10.10.10.2 size 1400 df-bit

Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/84 ms

Troubleshooting Routes Missing from the Routing Table

bgp_trouble_route_missing.jpg

Note: In the debug ip bgp x.x.x.x updates command, x.x.x.x is the neighbor to which the route should be advertised.

Troubleshooting Multihoming Inbound

bgp_trouble_multi_in.jpg

Troubleshooting BGP Route Advertisement

bgp_trouble_route_adv.jpg

Troubleshooting Multihoming Outbound

bgp_trouble_multi_out.jpg

Source:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009478a.shtml#bgp_trouble_neighbor

 

Posted in BGP, Troubleshooting | Leave a Comment »

Alert: OPT-AMP-C Amplifiers with higher power due to ASE computation

Posted by Peter Kurdziel on February 14, 2012

Cisco Notification Service Alert:
________________________________________________________________________________

Cisco Notification Alert -ONS 15454 known issues-02/14/2012 08:36 GMT

Known Bugs-Cisco ONS 15454 Multiservice Transport Platform (MSTP)-02/13/2012 04:31 GMT-02/14/2012 08:31 GMT

Bug Id: CSCto89640
Headline: OPT-AMP-C Amplifiers with higher power due to ASE computation
Description: Symptom: OPT-AMP-C and OPT-BST might have their signal output power 3-4dB above the set point. Conditions: This has been observed on Cisco ONS15454 running release 9.2.1. Workaround: None. Extent Having multiple amplifiers sites in cascade can lead to accumulating this extra power. The network is perfectly working in those conditions and APC still regulates it well. The worst situation is with only a single channel running, the more channels are enabled and the better the situation will get.
Status: Resolved
Last Modified date: 2012-02-13 19:25:19.0
Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto89640

For more bug searches you can visit the Bug Toolkit: http://tools.cisco.com/Support/BugToolKit
________________________________________________________________________________

Known Bugs-Cisco ONS 15454 SDH Multiservice Provisioning Platform (MSPP)-02/13/2012 04:31 GMT-02/14/2012 08:31 GMT

Bug Id: CSCto89640
Headline: OPT-AMP-C Amplifiers with higher power due to ASE computation
Description: Symptom: OPT-AMP-C and OPT-BST might have their signal output power 3-4dB above the set point. Conditions: This has been observed on Cisco ONS15454 running release 9.2.1. Workaround: None. Extent Having multiple amplifiers sites in cascade can lead to accumulating this extra power. The network is perfectly working in those conditions and APC still regulates it well. The worst situation is with only a single channel running, the more channels are enabled and the better the situation will get.
Status: Resolved
Last Modified date: 2012-02-13 19:25:19.0
Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto89640

For more bug searches you can visit the Bug Toolkit: http://tools.cisco.com/Support/BugToolKit
________________________________________________________________________________

Known Bugs-Cisco ONS 15454 SONET Multiservice Provisioning Platform (MSPP)-02/13/2012 04:31 GMT-02/14/2012 08:31 GMT

Bug Id: CSCto89640
Headline: OPT-AMP-C Amplifiers with higher power due to ASE computation
Description: Symptom: OPT-AMP-C and OPT-BST might have their signal output power 3-4dB above the set point. Conditions: This has been observed on Cisco ONS15454 running release 9.2.1. Workaround: None. Extent Having multiple amplifiers sites in cascade can lead to accumulating this extra power. The network is perfectly working in those conditions and APC still regulates it well. The worst situation is with only a single channel running, the more channels are enabled and the better the situation will get.
Status: Resolved
Last Modified date: 2012-02-13 19:25:19.0
Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto89640

For more bug searches you can visit the Bug Toolkit: http://tools.cisco.com/Support/BugToolKit

Posted in Routing & Switching Lab | Leave a Comment »

14 steps to upgrading the ASR9010 from IOS-XR 4.1.1 to IOS-XR 4.1.2

Posted by Peter Kurdziel on February 9, 2012

For the latest upgrade documents please refer to the following page:

http://www.cisco.com/web/Cisco_IOS_XR_Software/index.html

This is an abbreviated version of the upgrade procedures.

1. Check system stability
The following commands should be executed to verify basic system stability before the upgrade/downgrade:

(admin)# show platform [verify that all nodes are in "IOS XR RUN" state, SPAs are in "OK" state, and Fan Tray and Power Modules are in "READY" state]

(admin)# show redundancy [verify that the Active and Standby RSPs are available and in "ACTIVE role" and "is ready" states]

(admin)# show interface summary [verify that all interfaces are "UP"]

(admin)# show install active [verify that the proper set of packages are active]

(admin)# cfs check
(admin)# clear configuration inconsistency [verify/fix configuration file system in exec and admin mode]

Before the upgrade/downgrade, check TFTP reachability.

2. Pre-upgrade tasks
(admin)# show filesystem | inc disk0: [make sure you have enough disk space to perform the upgrade. A minimum of 500MB of free disk0: space is required for the upgrade.]

You can free up space by removing old files from disk0:.
- Before removing old files, issue:
(admin)# install commit
- To view files that will be deleted:
(admin)# install remove inactive test sync
- After ensuring all active packages are ‘committed’, then issue the following command from admin mode:
(admin)# install remove inactive

3. Verify Mgmt LAN access to the router
- RP/0/RSP0/CPU0:router# ping x.x.x.x

4. Back up the running config:
- RP/0/RSP0/CPU0:router#copy running-config tftp://x.x.x.x/running_config.txt

- RP/0/RSP0/CPU0:router#admin
- RP/0/RSP0/CPU0:router(admin)#copy running-config tftp://x.x.x.x/admin-running_config.txt
- RP/0/RSP0/CPU0:router(admin)#exit

5. Disable disk mirroring. Disk mirroring can increase upgrade time. Enable disk mirroring after upgrading IOS XR.

6. Add the required pies to disk (here I am adding all the pies; add what you need to add). Using the ‘sync’ option prevents the user from executing any other command during the install operation, and is recommended.

You can add all the pies with a single command:
RP/0/RSP0/CPU0:router(admin)# install add tftp://172.16.1.99/asr9k-mini-p.pie-4.1.2 tftp://172.16.1.99/asr9k-upgrade-p.pie-4.1.2 tftp://172.16.1.99/asr9k-mcast-p.pie-4.1.2 tftp://172.16.1.99/asr9k-mgbl-p.pie-4.1.2 tftp://172.16.1.99/asr9k-mpls-p.pie-4.1.2 tftp://172.16.1.99/asr9kk9sec-p.pie-4.1.2 tftp://172.16.1.99/ asr9k-video-p.pie-4.1.2 tftp://172.16.1.99/asr9k-doc-p.pie-4.1.2 tftp://172.16.1.99/asr9k-optic-p.pie-4.1.2 sync

- This generated errors, so I added each pie individually:

install add tftp://172.16.1.99/asr9k-mini-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-upgrade-p.pie-4.1.2 sync !NOTE use the upgrade pie for versions prior to 4.0.0 or you will get an error and have to remove the pie before you can continue.
install add tftp://172.16.1.99/asr9k-mcast-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-mgbl-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-mpls-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-k9sec-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-video-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-doc-p.pie-4.1.2 sync
install add tftp://172.16.1.99/asr9k-optic-p.pie-4.1.2 sync

NOTE: If you choose to use the sync option after each line, you will have to wait for the pie to be installed before you can run the next install command.
This process will take a while (up to 35 minutes).
Use ‘show install request’ to see the state of the current install.

Once completed, you will get a message on the screen:
Install operation 46 completed successfully

7. List the inactive packages using ‘show install inactive summary’:
RP/0/RSP0/CPU0:router(admin)# show install inactive summary
Default Profile:
SDRs:
Owner
Inactive Packages:
disk0:asr9k-mini-p-4.1.1
disk0:asr9k-upgrade-p-4.1.1
disk0:asr9k-mcast-p-4.1.1
disk0:asr9k-mgbl-p-4.1.1
disk0:asr9k-mpls-p-4.1.1
disk0:asr9k-video-p-4.1.1
disk0:asr9k-k9sec-p-4.1.1
disk0:asr9k-optic-p-4.1.1
disk0:asr9k-doc-p-4.1.1

- Using the list of inactive packages, select the packages and test the activation with:
RP/0/RSP0/CPU0:router(admin)# install activate disk0:asr9k-mini-p-4.1.1 disk0:asr9k-upgrade-p-4.1.1 disk0:asr9k-doc-p-4.1.1 disk0:asr9k-mcast-p-4.1.1 disk0:asr9k-mgbl-p-4.1.1 disk0:asr9k-k9sec-p-4.1.1 disk0:asr9k-mpls-p-4.1.1 asr9k-video-p-4.1.1 asr9k-optic-p-4.1.1 sync test
No actual changes will be made when the ‘test’ option is used.

- The ‘show configuration removed’ command can be used to view what will be removed as a result of the software upgrade. Removed config can be reapplied using the ‘load config removed .cfg’ command from config mode after the upgrade has been completed.

8. Activate the inactive packages added in step 6 using the command:

RP/0/RSP0/CPU0:router(admin)# install activate disk0:asr9k-mini-p-4.1.1 disk0:asr9k-upgrade-p-4.1.1 disk0:asr9k-doc-p-4.1.1 disk0:asr9k-mcast-p-4.1.1 disk0:asr9k-mgbl-p-4.1.1 disk0:asr9k-k9sec-p-4.1.1 disk0:asr9k-mpls-p-4.1.1 asr9k-video-p-4.1.1 asr9k-optic-p-4.1.1 sync
- You can also use this command after step 6:
RP/0/RSP0/CPU0:router(admin)# install activate id 46 sync
NOTE: The router will reload at the end of activation to start using the new packages. This reload operation will impact traffic for a short duration. This will take about 20 minutes.

9. Check to see if any startup configuration failed.
RP/0/RSP0/CPU0:router# show configuration failed startup

10. Verify system stability.

(admin)# show platform [verify that all nodes are in "IOS XR RUN" state, SPAs are in "OK" state, and Fan Tray and Power Modules are in "READY" state]

(admin)# show redundancy [verify that the Active and Standby RSPs are available and in "ACTIVE role" and "is ready" states]

(admin)# show interface summary [verify that all interfaces are "UP"]

(admin)# show install active [verify that the proper set of packages are active]

(admin)# cfs check
(admin)# clear configuration inconsistency [verify/fix configuration file system in exec and admin mode]

11. Commit the newly activated software and verify:
RP/0/RSP0/CPU0:router (admin)# install commit
RP/0/RSP0/CPU0:router (admin)# show install committed summary

12. Check which firmware files need to be upgraded:
RP/0/RSP0/CPU0:router(admin)#show hw-module fpd location all

- Auto FPD Upgrade on ASR9K
- Starting with 4.0.1, the user can configure this option; it allows automatic FPD upgrade from 4.0.1 to 4.1.1
- The following shows how to configure Auto FPD Upgrade:
RP/0/RSP0/CPU0:router1(admin)#conf
RP/0/RSP0/CPU0:router1(admin-config)#fpd auto-upgrade
RP/0/RSP0/CPU0:router1(admin-config)#commit

RP/0/RSP0/CPU0:router(admin)# show hw-module fpd location all
RP/0/RSP0/CPU0:router(admin)#show fpd package
RP/0/RSP0/CPU0:router(admin)#upgrade hw-module fpd all location all

13. If you disabled disk mirroring in step 5, re-enable it.

14. Clean up.
- Obtain a list of inactive packages and note the names of packages that are not needed:
RP/0/RSP0/CPU0:router(admin)#show install inactive summary

- Remove the unnecessary inactive packages:
RP/0/RSP0/CPU0:router(admin)# install remove
disk0:disk0: .. disk0: sync
or
RP/0/RSP0/CPU0:router(admin)#install remove inactive sync

Posted in Real World | Leave a Comment »

 