Sunday, 31 July 2011

INE Vol2 - Troubleshooting Lab 4

Failed... total disaster

Wednesday, 27 July 2011

Training some MQC

Hm.. why do I always get tracebacks when I apply "service-policy"? ;) Who has the answer?

Rack1R5(config-if)#service-policy output 1033
Rack1R5(config-if)#
*Jul 27 08:30:52.800: %SYS-2-INTSCHED: 'may_suspend' at level 4 -Process= "Exec", ipl= 4, pid= 88,  -Traceback= 0x816F117z 0xA728AD3z 0x9B4482Az 0x9B3A931z 0xA06F7EEz 0xA07813Bz 0xA076320z 0xA070C64z 0xA05BE2Cz 0xA069090z 0xA17F14Az 0xA0BED8Cz 0xA0B6B58z 0xA0B6920z 0xA0B90BEz 0xA1CC6A3z
*Jul 27 08:30:52.800: %SYS-2-INTSCHED: 'may_suspend' at level 4 -Process= "Exec", ipl= 4, pid= 88,  -Traceback= 0x816F117z 0xA728AD3z 0x9B4482Az 0x9B3A931z 0xA06F803z 0xA07813Bz 0xA076320z 0xA070C64z 0xA05BE2Cz 0xA069090z 0xA17F14Az 0xA0BED8Cz 0xA0B6B58z 0xA0B6920z 0xA0B90BEz 0xA1CC6A3z
Rack1R5(config-if)#

Tuesday, 26 July 2011

INE WB Vol1 - 10.40 MQC Class-Based Generic Traffic Shaping




FRTS by default assumes Be = 0, while GTS by default assumes Be = Bc.

Config with Be = 0

policy-map 1040_67
 class class-default
    shape average 512000 10240 0

Rack1R6#show policy-map interface eth0/0.67 
 Ethernet0/0.67 

  Service-policy output: 1040_67

    Class-map: class-default (match-any)
      4 packets, 1336 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 4/1520
      shape (average) cir 512000, bc 10240, be 0
      target shape rate 512000

!
Config without Be (defaults to Bc)

policy-map 1040_67_BE
 class class-default
    shape average 512000 10240

Rack1R6#show policy-map interface eth0/0.146
 Ethernet0/0.146 

  Service-policy output: 1040_67_BE

    Class-map: class-default (match-any)
      3 packets, 1264 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 3/570
      shape (average) cir 512000, bc 10240, be 10240
      target shape rate 512000
Rack1R6#

INE WB Vol1 - 10.32 Frame-Relay Traffic Policing & Congestion Mgmt

Aha..

INE WB Vol1 - 10.20 Legacy Frame Relay Traffic Shaping

Be = Tc * (PIR - CIR)

256 kbit/s committed, peaks allowed up to 384 kbit/s, Tc = 10 ms

Be = 10 ms * (384 kbit/s - 256 kbit/s)
Be = 10 ms * 128 kbit/s
Be = 128000 bit/s * 10/1000 s
Be = 1280 bit per Tc (10 ms)

INE WB Vol1 - 10.18 Legacy CAR Access-Lists

A really nice one...

Good that we have the DocCD: Cisco 12.4T -> Configuration Guides -> QoS -> Part 1: Classification -> Configuring Committed Access Rate

INE WB Vol1 - 10.17 Legacy CAR for Rate Limiting




Cisco recommendation: Bc = CIR * 1.5 and Be = Bc * 2 (with CIR converted to bytes per second, so Bc is 1.5 seconds' worth of traffic)

256000 / 8 * 1.5 = 48000 bytes Bc -> 48000 * 2 = 96000 bytes Be

If Be = Bc, the excess burst is effectively disabled.


 rate-limit input 256000 48000 96000 conform-action transmit exceed-action drop

INE WB Vol1 - 10.16 Oversubscription with Legacy CAR and WFQ



Some calculation examples from my side

- guarantee 64k
- allow up to 128k
- averaging interval 200 ms (Tc)


 rate-limit output access-group 145 64000 3200 3200 conform-action transmit exceed-action continue
 rate-limit output access-group 145 128000 3200 3200 conform-action transmit exceed-action drop

How to calculate: 128000 bit/s / 8 = 16000 byte/s * 200 ms = 16000 * (200/1000) = 3200 bytes


Another example
- guarantee 64k
- allow up to 128k
- averaging interval 30ms (Tc)

 rate-limit output access-group 145 64000 4800 4800 conform-action transmit exceed-action continue
 rate-limit output access-group 145 128000 4800 4800 conform-action transmit exceed-action drop

How to calculate: 128000 bit/s / 8 = 16000 byte/s * 300 ms = 16000 * (300/1000) = 4800 bytes

Monday, 25 July 2011

INE WB Vol1 - 10.11 Payload Compression on Serial Links



FRF.9 payload compression needs a frame-relay map entry:

interface Serial0/0/0
 frame-relay map ip 155.1.0.2 502 broadcast IETF payload-compression FRF9 stac one-way-negotiation

Check it with show compress:

Rack1R2#show compress 
 Serial1/0 - DLCI: 205
  Software compression enabled
  uncompressed bytes xmt/rcv 6940/16952 
  compressed bytes   xmt/rcv 874/1599 
  Compressed bytes sent:       874 bytes   0 Kbits/sec  ratio: 7.940
  Compressed bytes recv:      1599 bytes   0 Kbits/sec  ratio: 10.601
  1  min avg ratio xmt/rcv 0.005/0.005 
  5  min avg ratio xmt/rcv 0.022/0.020 
  10 min avg ratio xmt/rcv 0.022/0.020 
  no bufs xmt 0 no bufs rcv 0
  resyncs 2
  Additional Stac Stats:
  Transmit bytes:  Uncompressed =        0 Compressed =        629
  Received bytes:  Compressed =       1165 Uncompressed =        0

Rack1R2#

INE WB Vol1 - 10.6 Legacy Random Early Detection



Routing updates carry IP precedence 6. Because the output hold-queue is limited to 10 packets, below the precedence-6 WRED minimum threshold of 11, the queue can never fill far enough for random-detect to start dropping routing updates.


random-detect precedence 6 11 12
hold-queue 10 out

INE WB Vol1 - 10.6 Legacy Custom Queueing with Prioritization



Oh yes, I like it when we do QoS on the floor....


queue-list 1 protocol ip 1 lt 65
queue-list 2 protocol ip 2 list 199
queue-list 2 protocol ip 3 list 198
queue-list 5 protocol ip 0 udp rip <--- Priority Queue (0)
queue-list 5 protocol ip 1 lt 65  <--- not a Priority Queue
queue-list 5 protocol ip 2 list 199
queue-list 5 protocol ip 3 list 198
queue-list 5 queue 1 byte-count 320
queue-list 5 queue 2 byte-count 640 limit 10
queue-list 5 queue 3 byte-count 104

To make queue 1 a priority queue (round robin starts at queue 2):

queue-list 5 lowest-custom 2

To make queues 1 and 2 priority queues (round robin starts at queue 3):

queue-list 5 lowest-custom 3

INE WB Vol1 - 10.5 Legacy Custom Queueing




It took me ages to understand this shitty math exercise


30% VoIP (64 byte Packet = 4 Byte HDLC + 60 Byte VoIP)
60% HTTP (160 byte Packet = 4 byte HDLC + 156 Byte WWW)
10% ICMP (104 byte Packet = 4 byte HDLC + 100 byte ICMP)

%/Byte = Ratio        > Ratio / smallest ratio     = Multiplier (round up)   Mult * Byte = Byte-count
30/64  = 0.46875      > 0.46875/0.096153846      = 4.875000008 -> 5        5 * 64  = 320
60/160 = 0.375        > 0.375/0.096153846        = 3.900000006 -> 4        4 * 160 = 640
10/104 = 0.096153846  > 0.096153846/0.0916       = 1           -> 1        1 * 104 = 104

45% VoIP (84 byte Packet = 4 byte HDLC + 80 byte VoIP)
25% HTTP (140 byte Packet = 4 byte HDLC + 136 byte WWW)
30% ICMP (104 byte Packet = 4 byte HDLC + 100 byte ICMP)

45/84  = 0.535714286  > 0.535714286/0.178571429  = 2.999999994 -> 3        3 * 84  = 252   (252/(252+140+208) = 42%)
25/140 = 0.178571429  > 0.178571429/0.178517429  = 1           -> 1        1 * 140 = 140   (140/(252+140+208) = 23%)
30/104 = 0.288461538  > 0.288461538/0.178517429  = 1.615873249 -> 2        2 * 104 = 208   (208/(252+140+208) = 34%)

I hate Custom Queueing !!
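Added example, not from the original post: the byte-count procedure above as a Python function. It uses exact fractions so the round-up step is not fooled by values like 2.999999994, and it generalizes to any number of classes. Function names are my own, not IOS commands.

```python
# Added example: the custom-queueing byte-count procedure worked through above,
# done with exact fractions so the 'round up' step cannot be thrown off by
# floating-point noise (e.g. 2.999999994 vs 3). Names are this example's own.
from fractions import Fraction
from math import ceil


def custom_queue_byte_counts(classes):
    """classes: list of (name, percent_of_bandwidth, packet_size_bytes).

    Returns a list of (name, multiplier, byte_count, achieved_percent), where
    byte_count is the queue-list byte-count that gives the class roughly its
    share of bandwidth despite the classes having different packet sizes.
    """
    # ratio = share / packet size; the class with the smallest ratio gets multiplier 1
    ratios = [Fraction(pct, size) for _, pct, size in classes]
    smallest = min(ratios)
    sized = []
    for (name, _, size), ratio in zip(classes, ratios):
        multiplier = ceil(ratio / smallest)       # round up, never down
        sized.append((name, multiplier, multiplier * size))
    total = sum(bc for _, _, bc in sized)
    return [(name, m, bc, round(100 * bc / total, 1)) for name, m, bc in sized]


def queue_list_commands(list_number, classes):
    """Render the byte-counts as 'queue-list N queue i byte-count B' lines, one queue per class."""
    rows = custom_queue_byte_counts(classes)
    return [f"queue-list {list_number} queue {i} byte-count {bc}"
            for i, (_, _, bc, _) in enumerate(rows, start=1)]


if __name__ == "__main__":
    # the two class mixes from the notes above
    first = [("VoIP", 30, 64), ("HTTP", 60, 160), ("ICMP", 10, 104)]
    second = [("VoIP", 45, 84), ("HTTP", 25, 140), ("ICMP", 30, 104)]
    for table in (first, second):
        for name, mult, bc, pct in custom_queue_byte_counts(table):
            print(f"{name:5} x{mult} -> byte-count {bc:4} ({pct}%)")
    print("\n".join(queue_list_commands(5, first)))
```

The achieved_percent column shows why the rounding matters: with the second mix the multipliers 3/1/2 give 42/23/35 instead of the requested 45/25/30, which is as close as integer byte-counts of these packet sizes can get.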

INE WB Vol1 - 10.3 Legacy RTP Reserved Queue

Rack1R4(config-if)#max-reserved-bandwidth 75
Rack1R4(config-if)#do sh run int s0/1/0 | incl max-res
Rack1R4(config-if)#max-reserved-bandwidth 76
Rack1R4(config-if)#do sh run int s0/1/0 | incl max-res
max-reserved-bandwidth 76
Rack1R4(config-if)#max-reserved-bandwidth 75
Reservable bandwidth is being reduced.
Some existing reservations may be terminated.
Rack1R4(config-if)#do sh run int s0/1/0 | incl max-res
Rack1R4(config-if)#

The default max-reserved-bandwidth is 75%, which is why the 75 never shows up in the running config; if you need to reserve 100% for QoS, configure max-reserved-bandwidth 100.

INE WB Vol1 - 10.2 WFQ

Calculating the IP MTU for a 10 ms interval at 128 kbit/s

128000 bit per second -> /1000
128 bit per millisecond -> /8
16 byte per millisecond -> * 10
160 byte per 10 ms -> -4 (HDLC header) (PPP must be 8 bytes, I think)
156 byte IP MTU
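As an added example (not part of the original notes), here is a short Python helper that does the interval arithmetic from the 10.20 (Be = Tc * (PIR - CIR)), 10.17 (Cisco Bc/Be rule), 10.16 (CAR bursts from rate and Tc) and 10.2 (MTU) entries above in one place, and also renders the two-stage rate-limit lines from 10.16. Function names are my own; the numbers are the ones from the notes.

```python
# Added example: burst / interval arithmetic used in the legacy FRTS, CAR and WFQ
# notes above. Function names are this example's own, not IOS commands.

def bytes_per_interval(rate_bps, tc_ms):
    """Bytes delivered at rate_bps during one interval of tc_ms milliseconds."""
    return rate_bps / 8 * tc_ms / 1000


def car_burst_bytes(rate_bps, tc_ms):
    """Legacy CAR normal burst sized as one Tc worth of traffic at rate_bps
    (the rate-limit examples above use this value for both Bc and Be)."""
    return int(bytes_per_interval(rate_bps, tc_ms))


def car_cisco_recommended(cir_bps):
    """Cisco's rule of thumb from the 10.17 note: Bc = 1.5 s of CIR (in bytes), Be = 2 * Bc."""
    bc = int(cir_bps / 8 * 1.5)
    return bc, bc * 2


def frts_excess_burst_bits(cir_bps, pir_bps, tc_ms):
    """Legacy FRTS: Be = Tc * (PIR - CIR), expressed in bits per Tc."""
    return int((pir_bps - cir_bps) * tc_ms / 1000)


def ip_mtu_for_interval(rate_bps, tc_ms, l2_header_bytes=4):
    """Largest IP packet that still fits one Tc at rate_bps after the L2 header
    (4 bytes for HDLC, as in the 10.2 WFQ note)."""
    return int(bytes_per_interval(rate_bps, tc_ms)) - l2_header_bytes


def two_stage_rate_limit(acl, guaranteed_bps, ceiling_bps, tc_ms):
    """The two rate-limit lines from the 10.16 note: the first stage guarantees
    guaranteed_bps and 'continue's excess traffic into the second stage, which
    drops anything above ceiling_bps. Bursts are sized from the ceiling rate
    and Tc, as the note does."""
    burst = car_burst_bytes(ceiling_bps, tc_ms)
    return [
        f"rate-limit output access-group {acl} {guaranteed_bps} {burst} {burst} "
        f"conform-action transmit exceed-action continue",
        f"rate-limit output access-group {acl} {ceiling_bps} {burst} {burst} "
        f"conform-action transmit exceed-action drop",
    ]


if __name__ == "__main__":
    print(frts_excess_burst_bits(256000, 384000, 10))   # 1280 bit per 10 ms
    print(car_cisco_recommended(256000))                # (48000, 96000)
    print(car_burst_bytes(128000, 200))                 # 3200
    print(ip_mtu_for_interval(128000, 10))              # 156
    for line in two_stage_rate_limit(145, 64000, 128000, 200):
        print(line)
```

The second 10.16 example above computes with 300 ms, which the same helper reproduces as 4800 bytes.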

Sunday, 24 July 2011

INE WB Vol2 - Configuration Lab 3

1. Layer 2 Technologies
1.1) IP Bridging - 3p
1.2) Spanning-Tree Protocol - 3p

2. IPv4
2.1) OSPF - 4p
2.2) IGP Features - 4p
2.3) BGP Path Manipulation - 4p
2.4) BGP Attributes - 5p

3. IPv6
3.1) IPv6 Addressing - 3p
3.2) IPv6 Routing - 3p

4. MPLS VPN
4.1) Label Exchange - 3p
4.2) MPLS VPN - 3p
4.3) PE-CE Routing - 3p

5. Multicast
5.1) Multicast Forwarding - 2p
5.2) Multicast Filtering - I used pim accept-register; the solution is an IP IGMP access-group - 0p
5.3) Multicast Filtering - 2p

6. Security
6.1) Traffic Filtering - used ACL no reflexive ones - 0p
6.2) DoS Prevention - 3p
6.3) DHCP Security - 3p

7. Network Services
7.1) IOS Management - 2p
7.2) File Management - 2p
7.3) Auto-Install - ip directed-broadcast, ip helper, frame-relay map - 0p
7.4) Local Authorization - 3p
7.5) Local Authorization - 3p
7.6) Switch Management - 2p
7.7) GLBP - 4p

8. QoS
8.1) Frame Relay Traffic Shaping - 2p
8.2) Rate Limiting - 2p
8.3) Signaling - rsvp - 0p

(Full 79/Pass 64/My 68)

INE Vol2 - Troubleshooting Lab 3

1)wrong RT R5/R4 - 2p
2)also use peer-group on R1,update-source on R6 - 2p
3)missing auth-mode on R3 - 2p
4)acl100/101 allow udp 224.0.0.9, what about OSPF ? - 2p
5)fix frame-relay map on R1, ip ospf cost 1 - R1 and R5 - 2p
6) SoO - 0p
7) link-status - 2p
8) speed-mismatch - 2p
9) ??? mpls ldp discovery transport-address interface - 0p
10) ??? missing d in address - 0p
--------------------------------------
solved 7 (1-5,7,8) tickets in 27 mins
(Total 21p / Pass 16p / Score 14p)

Missed by one fucking ticket .... ARGH !!!!!

Saturday, 23 July 2011

DUMBASS SECTION - OSPF no adjacency

rack1SW2#sh run int eth0/0
Building configuration...

Current configuration : 90 bytes
!
interface Ethernet0/0
description VLAN146
ip address 150.1.15.129 255.255.255.224
end

rack1SW2#
--------------------------------------------------------------------------------
rack1R2#sh run int eth0/1.146
Building configuration...

Current configuration : 97 bytes
!
interface Ethernet0/1.146
encapsulation dot1Q 146
ip address 150.1.15.130 255.255.255.240
end

rack1R2#

debug ip ospf hello

*Jul 23 13:38:13.047: OSPF: Rcv hello from 150.1.2.2 area 2 from Ethernet0/0 150.1.15.130
*Jul 23 13:38:13.047: OSPF: Mismatched hello parameters from 150.1.15.130
*Jul 23 13:38:13.047: OSPF: Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.240 C 255.255.255.224
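Added example (my own, not from the post): a small Python parser that pulls the R (received from the neighbor) and C (configured locally) values out of that last debug line and names the parameter that differs. The SAMPLE line is the one from the session above; the regex and function names are assumptions of this example.

```python
# Added example: pick the mismatching parameter out of an IOS
# "debug ip ospf hello" line. The sample line is the one from the session
# above; regex and function names are this example's own.
import ipaddress
import re

HELLO_MISMATCH = re.compile(
    r"OSPF: Dead R (?P<dead_r>\d+) C (?P<dead_c>\d+), "
    r"Hello R (?P<hello_r>\d+) C (?P<hello_c>\d+) "
    r"Mask R (?P<mask_r>[\d.]+) C (?P<mask_c>[\d.]+)"
)

# debug line captured above (R = received from neighbor, C = configured locally)
SAMPLE = ("*Jul 23 13:38:13.047: OSPF: Dead R 40 C 40, Hello R 10 C 10 "
          "Mask R 255.255.255.240 C 255.255.255.224")


def prefix_length(mask):
    """Dotted mask -> prefix length, e.g. 255.255.255.224 -> 27."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def hello_mismatches(line):
    """Return {parameter: (received, configured)} for every field that differs,
    or None if the line is not a hello-parameter debug line."""
    m = HELLO_MISMATCH.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    return {p: (fields[f"{p}_r"], fields[f"{p}_c"])
            for p in ("dead", "hello", "mask")
            if fields[f"{p}_r"] != fields[f"{p}_c"]}


def describe(line):
    """One-line diagnosis: which hello parameter keeps the adjacency from forming."""
    diff = hello_mismatches(line)
    if not diff:
        return "no hello-parameter mismatch in this line"
    parts = []
    for param, (received, configured) in diff.items():
        if param == "mask":
            parts.append(f"mask neighbor /{prefix_length(received)} vs local /{prefix_length(configured)}")
        else:
            parts.append(f"{param} neighbor {received}s vs local {configured}s")
    return "; ".join(parts)


if __name__ == "__main__":
    print(describe(SAMPLE))   # mask neighbor /28 vs local /27
```

The masks in the two configs above (/27 on SW2, /28 on R2) are exactly what the parser reports, which is the whole reason the adjacency never forms.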

Finished INE Vol1 IPv6

- no big surprises on IPv6
- there is no documentation on how to calculate the embedded RP on the DocCD (if there is one, please tell me)

Tomorrow I will face INE Vol2 TS3 and Lab3

Wednesday, 20 July 2011

ipv6 prefix-list - A very nice implementation

Rack1R5(config)#ipv6 prefix-list ?
  sequence-number  Include/exclude sequence numbers in NVGEN

Rack1R5(config)#ipv6 prefix-list TEST ?
% Unrecognized command
Rack1R5(config)#ipv6 prefix-list TEST permit FC00:1:0:6::6/64
Rack1R5(config)#do sh run | incl prefix
 ipv6 nd prefix FC00:1:0:58::/64 14400 14400 no-autoconfig
 ipv6 nd prefix FC00:1:0:85::/64 14400 14400
ipv6 prefix-list TEST seq 5 permit FC00:1:0:6::/64
Rack1R5(config)#

Another nice one made by our favourite company 

Monday, 18 July 2011

INE Vol2 - Configuration Lab 2 - Crazy Redistribution

http://blog.ine.com/2008/07/19/advanced-route-redistribution-scenario-iewb-rs-v41-vol-ii-lab-2-task-411/ <----- REVIEW

INE WB Vol2 - Configuration Lab 2

After a hard weekend with lots of alcohol ->


1. Layer 2 Technologies
1.1) Link Aggregation - missing lacp system-priority 1 - 0p
1.2) 802.1x Authentication - 3p
1.3) Performance Optimization - sdm prefer routing - 0p

2. IPv4
2.1) OSPF - missing area auth - 0p
2.2) EIGRP - 3p
2.3) RIP Filtering - 2p
2.4) IGP Redistribution - missing external ospf AD - 0p
2.5) BGP Peering - missing no prepend on local-as - 0p
2.6) BGP Filtering - 2p
2.7) BGP Summarization - missing deny to IGP neighbors - 0p
2.8) BGP Tuning - bgp nexthop trigger delay 15 - 0p

3. IPv6
3.1) IPv6 Deployment - 3p

4. MPLS VPN
4.1) L2 VPN - missing native config on R4 - interface-types must match - 0p

5. Multicast
5.1) Multicast Testing - 2p
5.2) Multicast Traffic Control - missing nbma - 0p

6. Security
6.1) Router Hardening - 2p
6.2) Zone-Based Firewall - 4p
6.3) Traffic Logging - permit instead of deny any - 0p
6.4) ICMP Filtering - 0p

7. Network Services
7.1) RMON - 3p
7.2) Remote Access - 0p
7.3) Remote Access Security - 0p
7.4) Syslog - 0p
7.5) System Management - no setup express...aha - 0p

8. QoS
8.1) Congestion Management - 0p
8.2) Policy Routing - missing ftp-data - 0p
8.3) Congestion Management - 0p
8.4) Frame Relay Traffic Shaping - 0p


(Full 79/Pass 64/My 21)

INE Vol2 - Troubleshooting Lab 2

Yeah..... PASSED !!!!

Thursday, 14 July 2011

IPv6 on 3550 - Yeah! It's possible

Rack1SW1#show version | incl 35
Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
ROM: Bootstrap program is C3550 boot loader
System image file is "flash:/c3550-ipservicesk9-mz.122-44.SE6.bin"
Cisco WS-C3550-24 (PowerPC) processor (revision G0) with 65526K/8192K bytes of memory.
Model number: WS-C3550-24-SMI
Rack1SW1#sh run | incl ipv6
ipv6 unicast-routing
 ipv6 address FC00:1:0:37::7/64
 ipv6 rip TEST enable 
 ipv6 enable
Rack1SW1#sh run int tun0
Building configuration...

Current configuration : 127 bytes
!
interface Tunnel0
 no ip address
 ipv6 address FC00:1:0:37::7/64
 ipv6 rip TEST enable
 tunnel source Loopback0
 tunnel destination 150.1.3.3
end

Rack1SW1#ping fc00:1:0:37::3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:1:0:37::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/4 ms
Rack1SW1#show ipv6 neigh
Rack1SW1#show ipv6 route
IPv6 Routing Table - Default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       R - RIP, D - EIGRP, EX - EIGRP external
R   2002::/64 [120/2]
     via FE80::20E:D7FF:FE10:4700, Tunnel0
C   FC00:1:0:37::/64 [0/0]
     via Tunnel0, directly connected
L   FC00:1:0:37::7/128 [0/0]
     via Tunnel0, receive
L   FF00::/8 [0/0]
     via Null0, receive
Rack1SW1#
Rack1SW1#ping 2002::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 ms
Rack1SW1#

Tuesday, 12 July 2011

INE WB Vol1 - 8.31 Anycast RP

Lab it up again on a small scenario

The msdp originator-id should be set to the unique peering loopbacks, not the Anycast RP loopback!

Sunday, 10 July 2011

INE WB Vol2 - Configuration Lab 1

1. Layer 2
1.1 Layer 2 Features - 0 Points
- missed VLAN on removal
- PrivateVLANs not possible on 3550

2. IGP
2.1 OSPF - 0 Points
- missed virtual link
- missed hello multiplier (speed convergence)
- missed non-broadcast neighborship for security

2.2 IGP Features - 3 Points
2.3 BGP Bestpath Selection - 4 Points
3. IPv6
3.1 IPv6 Addressing - 4 Points
3.2 IPv6 Multicast Basics - 0 Points
- R4/R5 RP/BSR mixed-up (DAMN!)

4. MPLS VPN
4.1 LDP - 3 points
4.2 VPN - 3 points

5. IP Multicast
5.1 RP Assignment - 2 Points
5.2 Multicast Testing - 3 Points
5.3 Multicast Filtering - 0 Points
- used ip multicast boundary 1 instead of ip igmp access-group 1

6. Security
6.1 Denial of Service Tracking - 3 Points
6.2 Spoof Prevention - 2 Points
6.3 Information leaking - 0 Points
- used only unreachables not mask-reply
6.4 Control Plane Protection - 0 Points
- used a control plane policy :( instead of simple ACLs

7. Network Services
7.1 RMON - 3 Points
7.2 NTP - 2 Points
7.3 NTP Authentication 3 Points
7.4 Traffic Accounting - 3 Points
7.5 Gateway Redundancy - 3 Points
7.6 Network Address Translation - 3 Points
7.7 Embedded Event Management - 0 Points
- had absolutely no clue

8. QoS
8.1 Frame Relay Traffic Shaping - 0 Points
- had no real clue
8.2 Rate Limiting - 0 Points
- made it with rate-limit not with a policy-map
8.3 CBWFQ - 0 Points
- service-policy on physical interface not on DLCIs
8.4 Catalyst QoS - 0 Points
- no clue



(Full 79/Pass 64/My 44)

INE WB Vol2 - Troubleshooting Lab 1

TS1.1) 2p nni->dce
TS1.2) 2p next-hop-self
TS1.3) 3p wrong static def.global
TS1.4) - RIP
TS1.5) 2p ospf-dead-interval
TS1.6) - WCCP
TS1.7) 2p ip rip send version 1 -> 2
TS1.8) 2p database-filter
TS1.9) - http authentication local
TS1.10) 2p drop / control-plane
----------------------------------
15 - FAIL (passing grade 16) - but I used only 1 h and did not verify

Thursday, 7 July 2011

[OT] TFTPD Error code 1: File not found

l33th4x0r@os390:~$ tftp 1.1.1.1
tftp> put i-hate-tftpd.txt
Error code 1: File not found
tftp>
...
my-fucking-tftpd:~# cat /etc/default/tftpd-hpa
#Defaults for tftpd-hpa
RUN_DAEMON="yes"
OPTIONS="-l -c -s /var/lib/tftpboot/"
#change to "-c" for creating files
my-fucking-tftpd:~#
my-fucking-tftpd:~# chown nobody -R /var/lib/tftpboot/
my-fucking-tftpd:~# chmod -R 777 /var/lib/tftpboot/
...
l33th4x0r@os390:~$ tftp 1.1.1.1
tftp> put i-hate-tftpd.txt
Sent 856063 bytes in 1.2 seconds
tftp>

Wow....

If you get "Error code 1: File not found" on a put against the tftpd-hpa package on Debian systems, this is the fix: the daemon needs -c to create new files, and the TFTP root must be writable by the user the daemon runs as.

Saturday, 2 July 2011

DUMBASS SECTION - BGP communities

 route-map COM, permit, sequence 10
  Match clauses:
    community (community-list filter): 200:200
  Set clauses:
    local-preference 200
  Policy routing matches: 0 packets, 0 bytes
route-map COM, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Rack1R3#
Rack1R3#show ip bgp 112.0.0.0
BGP routing table entry for 112.0.0.0/8, version 9
Paths: (3 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1          2          3        
  100 54 50 60
    155.1.13.1 from 155.1.13.1 (150.1.1.1)
      Origin IGP, localpref 100, valid, external, best
      Community: 200:200
  300 100 54 50 60
    155.1.37.7 from 155.1.37.7 (150.1.7.7)
      Origin IGP, localpref 100, valid, external
  100 54 50 60
    155.1.45.4 (metric 27262976) from 155.1.0.5 (150.1.5.5)
      Origin IGP, metric 0, localpref 100, valid, internal
Rack1R3#
...
Hm.. the community arrives at R3 but the route-map doesn't care. Still localpref 100, not 200.
Minutes passing by....
....
AHH, not the community itself, of course... I need a community-list
....
Rack1R3(config)#ip community-list standard 200:200 permit 200:200 ?
Rack1R3#show ip bgp regexp _60$
BGP table version is 25, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 112.0.0.0        155.1.13.1                    200      0 100 54 50 60 i
*                   155.1.37.7                             0 300 100 54 50 60 i
*> 113.0.0.0        155.1.13.1                    200      0 100 54 50 60 i
*                   155.1.37.7                             0 300 100 54 50 60 i
Rack1R3#s