regarding to the post published at ine site (http://blog.ine.com/2013/09/06/modifying-traceroute-replies/), I have a question. I wonder if I can get the same result with redirecting locally generated traffic to loopback interface and apply NAT to the loopback. as the original scenario has shown, I have 4 routers with a loopback on each and OSPF everywhere. I'm going to configure R2 to send its loopback IP address to the routers that run traceroute test. for example, I want to run traceroute on R1 toward R4 loopback IP and excpect that R1 sees R2's loopback IP address in the first traceroute reply packet, instead of the R2's physical address (if the scenario is not clear, please take a look at the original post that I mentioned at the beginning). my R2 config is as follows:

R2:

interface Loopback0

 ip address 2.2.2.2 255.255.255.0

 ip nat inside

 ip ospf 1 area 0

!

interface FastEthernet0/0

 ip address 23.23.23.2 255.255.255.0

 ip nat outside

 ip ospf 1 area 0

!

interface Serial0/0

 ip address 24.24.24.2 255.255.255.0

 ip nat outside

 ip ospf 1 area 0

!

interface FastEthernet0/1

 ip address 12.12.12.2 255.255.255.0

 ip nat outside

!

ip local policy route-map LOCAL_POLICY_4NAT

!

ip nat inside source list FOR_NAT_2 interface Loopback0 overload

!

ip access-list extended FOR_NAT

 permit icmp any any port-unreachable

 permit icmp any any time-exceeded

!

ip access-list extended FOR_NAT_2

 permit icmp any any

!

route-map LOCAL_POLICY_4NAT permit 10

 match ip address FOR_NAT

 set interface Loopback0

--------------------------------

--------------------------------

now traceroute results from R1 toward R4's loopback:

R1(config)#do trace 4.4.4.4 ttl 0 3

  0  12.12.12.2 52 msec 68 msec 48 msec

  1  12.12.12.2 72 msec 68 msec 68 msec

  2  24.24.24.4 72 msec 60 msec 16 msec

although NAT is triggered on R2, but it translated 4.4.4.4 to 2.2.2.2, instead of its locally generated traffic. any idea?

Hello folks, 

I have been running CSR1000v downloaded as a trial from cisco.com.

It really seems the initial setup and boot process was easy. I am using it with GNS3 v1.2.1.

However I have been running into lot of inconsistencies and crashes.

On VirtualBox, sometimes I launch the CSR1000v, I use GNS3 to  connect it via a link to Linux box for example and I can't ping each other no matter what I do (occasionally that works great).

On VMWare Workstation 10.0 (without GNS3), I ran the CRS1000v image "NATed" to  a Linux box. Connectivity is great, I can consistely ping each other fine. However after few minutes the CSR1000v reboots itself.

Anyone there has any better luck? Which Virtualization tool is more recommended to run the CSR1000v, VM Worstation or VirtualBox?

csr1000v-universalk9.03.14.00.S.155-1.S-std

Hello. I'm trying to load balance a default route on an NSSA Area with one ASBR who is receiving the default route from another ospf process.

The config on the ASBR is:

R1

router ospf 50514
 router-id 10.192.100.137
 area 1 nssa default-information-originate no-summary
 network 10.192.100.152 0.0.0.3 area 1
 network 10.192.118.108 0.0.0.3 area 1

The config on the internal router is:

router ospf 50514
 router-id 10.192.100.137
 area 1 nssa
 network 10.192.100.152 0.0.0.3 area 1
 network 10.192.118.108 0.0.0.3 area 1

On the ASBR, the default route is right:

R1#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 1, candidate default path, type NSSA extern 2, forward metric 100
  Last update from 10.192.118.109 on GigabitEthernet1/0/3, 00:00:04 ago
  Routing Descriptor Blocks:
  * 10.192.118.109, from 10.192.100.137, 00:00:04 ago, via GigabitEthernet1/0/3
      Route metric is 1, traffic share count is 1

The adjacency is right:

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.192.100.137    0   FULL/  -        00:00:35    10.192.118.109  GigabitEthernet1/0/3
10.192.100.137    0   FULL/  -        00:00:39    10.192.100.153  GigabitEthernet1/0/0

I only received one default route and the metric on the interfaces is the same:

R2#show ip route ospf 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.192.118.109 to network 0.0.0.0

O*N2  0.0.0.0/0 [110/1] via 10.192.118.109, 00:00:01, GigabitEthernet1/0/3

R2#show ip ospf database nssa-external

            OSPF Router with ID (10.192.98.19) (Process ID 7137)

                Type-7 AS External Link States (Area 1)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1790
  Options: (No TOS-capability, Type 7/5 translation, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 10.192.100.137
  LS Seq Number: 80000751
  Checksum: 0xFDEC
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 10.192.118.109
        External Route Tag: 0

Can somebody know why this is happening?

Thanks for your help.

CCIP to CCNP Service Provider Migration Tool , aka  3 for 1 deal expires on July 24th 2015, that is soon. This means if anyone thinking about CCNP SP should do it soon, by July 24th.

The Deal is that old CCIP cert or any old exams QOS, BSCI, MPLS, BGP, ROUTE can be used to substitute new exam. see tool.  Migrating  is easy. Costs and time are save big time! Using one of old exams means 1 less exam to take (and pass).

Plus, you save on prerequisite.  Taking 1 of above exams will count as prerequisite, so you save another 2 exams. Otherwise, CCNP Service Provider Prerequisiteis CCNA SP which is 2 exams (2 exams cert is a waste of moeny and rip off by cisco).

After July 24th, you will have to take all 4 exams out of CCNP SP Plus CCNA SP (2 exams).

Another thing is ROUTE exam expires Jan 29th and new ROUTE exam does not count for the migration tool.

Hello everyone,

I'm practising with INE racks trying to configure the Jabber client. I've been able to make it work in deskphone mode, in softphone mode and with the extend and connect mode but I've not been able to get the chat to work and the contact lookup doesn't work either. 

I've tried with synchronising to LDAP, with local users and Jabber always says: 

Directory

Reason: Conection error

Error: Cannot contact to the server

Does anyone have an idea of what to look or to do? If you need any kind of info just let me know and I'll post it, thanks!

I'm trying to test pim dense mode over dmvpn and the results i got shocked me. As per classic nbma behaviour, when a spoke sends a prune message, the other spokes cannot hear it and can't send prune overrides. So, the traffic is pruned if at least 1 spoke doesn't want it.

However this is the result i got from the testing it

Summary
- R3 sends prune to R1
- R1 forward the prune back to R2 and R3, it wants to prune the group (172.16.1.6,226.6.6.6) ---- This is where things got interesting!
- R2 replies with a join back to R1 for (172.16.1.6,226.6.6.6) - Prune override (expected)
- R1 doesn't prune the traffic

I noticed that each time R3 sends a prune, R1 forwards the prune out to R2 also. R2 replies with a prune override and the result is that the traffic is not pruned.

Is this an optimization for PIM Dense mode to run well over nbma or am i missing something here.

R3 sends prune
Jan 17 09:44:17.092: PIM(0): Insert (172.16.1.6,226.6.6.6) prune in nbr 172.16.123.1's queue
*Jan 17 09:44:17.092: PIM(0): Building Join/Prune packet for nbr 172.16.123.1
*Jan 17 09:44:17.092: PIM(0):  Adding v2 (172.16.1.6/32, 226.6.6.6) Prune
*Jan 17 09:44:17.092: PIM(0): Send v2 join/prune to 172.16.123.1 (Tunnel0)

R1 forwards the prune to both R2 and R3, R3 gets it but ignores it
Jan 17 09:44:17.111: PIM(0): Received v2 Join/Prune on Tunnel0 from 172.16.123.1, not to us
*Jan 17 09:44:17.112: PIM(0): Prune-list: (172.16.1.6/32, 226.6.6.6)

R1 forwards the prune to both R2 and R3, but R2 replies with prune override (join)
Jan 17 09:44:17.115: PIM(0): Received v2 Join/Prune on Tunnel0 from 172.16.123.1, not to us
*Jan 17 09:44:17.115: PIM(0): Prune-list: (172.16.1.6/32, 226.6.6.6)
*Jan 17 09:44:17.115: PIM(0): Set join delay timer to 500 msec for (172.16.1.6/32, 226.6.6.6) on Tunnel0
*Jan 17 09:44:17.534: PIM(0): Insert (172.16.1.6,226.6.6.6) join in nbr 172.16.123.1's queue
*Jan 17 09:44:17.535: PIM(0): Building Join/Prune packet for nbr 172.16.123.1
*Jan 17 09:44:17.535: PIM(0):  Adding v2 (172.16.1.6/32, 226.6.6.6) Join
*Jan 17 09:44:17.535: PIM(0): Send v2 join/prune to 172.16.123.1 (Tunnel0)

As a Result, R1 doesn't prune the traffic
*Jan 17 09:44:17.539: PIM(0): Received v2 Join/Prune on Tunnel0 from 172.16.123.2, to us
*Jan 17 09:44:17.540: PIM(0): Join-list: (172.16.1.6/32, 226.6.6.6)
*Jan 17 09:44:17.540: PIM(0): Update Tunnel0/172.16.123.2 to (172.16.1.6, 226.6.6.6), Forward state, by PIM SG Join

See topology below

Now R1/R3 have an ospf/eigrp peering we should consider EIGRP/OSPF admin distances.

Issuing a debug ip routing on either R1/R3 will show us the issue

(on R3)
RT: closer admin distance for 150.1.9.9, flushing 1 routes
RT: add 150.1.9.9/32 via 155.1.13.1, ospf metric [110/20]

shortly followed by:
RT: del 150.1.9.9 via 155.1.13.1, ospf metric [110/20]
RT: delete subnet route to 150.1.9.9/32
RT: updating eigrp 150.1.9.9/32 (0x0)  :
    via 155.1.13.1 Gi1.13  0 1048578

We see this in the RIB, continuously:
R3#sh ip route | in 150.1.9.9
O E2     150.1.9.9 [110/20] via 155.1.13.1, 00:00:04, GigabitEthernet1.13
R3#sh ip route | in 150.1.9.9
D EX     150.1.9.9 [170/131072] via 155.1.37.7, 00:00:01, GigabitEthernet1.37

Solution:
Change the AD of OSPF external routes in the OSPF process (I did this on R3)  (to be higher than the DEX routes).  

Off to dinner :)

Hello team,

we really need a formal schedule from INE about those releases.

When will we have it? When is the target? Does anyone have a official answer about it?

Regards,

going over ipsec nat-t

topology is simple

r1-------------r2-----------------r3

r2 does PAT for the ip address of r1.

I was trying to see the effect of disabling nat transversal on either r1 and r3, as per the documentation, since esp is stateless nat won't be done for it and r2 will drop the trafiic. But to my utmost surprise, the packet went true.

This is the show ip nat trans on r2

R2(config)#do sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
esp 10.0.23.2:0        10.0.12.1:0        10.0.23.3:0        10.0.23.3:D8774F8A
esp 10.0.23.2:0        10.0.12.1:97FDBBBC 10.0.23.3:0        10.0.23.3:0

Is this expected? why is esp being natted. I though this was the motivation of tunneling esp over udp accross nat.

thanks.

Only after 5 years or so the whole Service Provider Operation Program is being retired!  From associate evel up.

The last day to test for the CCIE Service Provider Operations certification will be January 31, 2015. No new certifications will be issued beginning February 1, 2015. 

so hurry up and pass this cert!   or not  

I think this was a big waste of money and resource by cisco. someone got bored and came up with scheme to make money.  The idea of separating the Service Provider track into SP and SP operations was ridicules.  there is not much of a difference in OPs and SP material  that it would justify a separate certification track. 

Does anyone know somone who passed CCIE SP Operations cert?

While studying "Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide", I came across Role Based Addressing. Could you friends please help me understand this. Would appreciate if could get me some links too to understand.

Why Role Based Addressing is not effective in IPv6 as against IPv4?

After creating a virtual link between R1 and R6 on the stock/basic OSPF routing configuration provided by INE, R1 stops injecting the 150.1.10.10/32 T3 LSA’s into Area 1 for 150.1.10.10 (R10 Loopback), however R4 does not.

In addition, R1 prefers an inter-area route through R4 to reach the R10 loopback as opposed to the route through area 0.

I verified R1 is receiving the route via R5 in area 0 as a T3 and shows R5 as an ABR:

R1#sh ip ospf data sum adv-router 150.1.5.5

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Summary Net Link States (Area 0)

---output removed---
  LS age: 757
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 150.1.10.10 (summary Network Number)
  Advertising Router: 150.1.5.5
  LS Seq Number: 80000002
  Checksum: 0x8C5F
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3


R1#sh ip ospf border

            OSPF Router with ID (150.1.1.1) (Process ID 1)


                Base Topology (MTID 0)

Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route

i 150.1.5.5 [1000] via 155.1.0.5, Tunnel0, ABR, Area 0, SPF 9



Why is R1 using the route through area 1 to reach R10 when is has a path through area 0 to reach R10? I understand that the cost would be lower to go through R4, but I thought that all traffic between areas had to go through area 0, in this case its going Area 1 and then to area 0 and finally to area 3 where the route lives.

Why is R1 not injecting the R10 T3 LSA for its loopback into Area 1 like R4 is? It is receiving the same T3 LSA for the R10 loopback as R4 is, yet it is not injecting it into area 1.

When I remove the OSPF virtual link between R1 and R6, R1 once again injects the T3 LSA's for R10's loopback into Area 1 and no longer uses the path through R4 to reach R10, and instead uses the path through R5.

I think the OSPF transit capability that gets turn on when you add a virtual link is causing R1 to use the path through R4 when the virtual link is in place, but I am not sure. However, I have no idea why R1 would stop sending the R10 T3 LSA's into Area 1.

### Update ##

If I disable capability transit on R1, it no longer installed the route to R10's loopback through R4 and once again starts sending T3 LSA's into Area 1 for R10's loopback.

From what I have read about the command, disabling the transit capability expalins why it no longer uses R4 to reach R10, but it does not explain why R1 stops injecting the T3 LSA for R10's loopback.

Any input would be appreciated.

Thanks!

Hi Please help me out regarding the difference between RD and RT.

As per documents they state RD will be mapped to bgp attribute to avoid duplicity of ip address because mp-bgp is the best protocol to carry routes between ce and pe.

RT is used to push the concerned routes into the proper VRF.

Here are my doubts:

Cant we use RD alone since it is also avoiding duplicity and making routes unique.

Please specify any good document for my basic understanding,how much ever i put in but i am getting lost some where.

any good document which refers packet level exposure.I am really thankfull.

Hello Cristian,

I am wondering whether I can arrange task 6.4 by using the following ACL in router R4 and R5 instead of the VLAN ACL in SW5

R5

Extended IP access list 101
    10 permit ospf host 190.1.45.4 any (32 matches)
    20 deny ospf any any
    30 permit ip any any (10 matches)

R4

Extended IP access list 101
    10 permit ospf host 190.1.45.5 any (65 matches)
    20 deny ospf any any
    30 permit ip any any (10 matches)

I do not see why I should use VLAN ACL. Coud you give me an explanation?

Kind regards,

José Antonio

Hi,

what is the difference between them? I feel the difference but can it be somehow measured, in percent or in any way?

Router(config-pmap-c)# police 8000 conform-action transmit exceed-action set-qos-transmit 4 violate-action drop

regards

Hubert

Hi folks;

a question please.  i have a policy map (below), that seems a little suspect to me.  I have voice and otehr rsignaliimg info passing through my me3600x (interfacing with PEs on wan side and customerswtch on lan side).

here is the policy map detail:

policy-map LAN_OUT

 class LAN_QOS_GROUP_EF

  police 1000000 conform-action transmit  exceed-action drop

  priority

 class LAN_QOS_GROUP_AF3

 class LAN_QOS_GROUP_AF2

 class LAN_QOS_GROUP_AF1

 class class-default

  bandwidth percent 1 

ef is being put into priority queue, service rate for that queue is 1M (as indicated by 1000000 bps). I am not sure what is happening with  af3, af2 and af1 classes in teh above configuraion. Class default  is getting only 1 percent of bandwidth (1 percent of physical port speed i think, is it?

thanks in advance. 

Hi,

Can someone explain me the difference between “DHCP Snooping + ARP Inspection” and “IP Source Guard”? From user perspective they work exactly the same. Untrusted hosts which are not in the binding table are not able to connect to other hosts (based on IP/MAC). Are there any cons/pros to choose particular one? Did you see them in production networks? Be honest I have never seen any of them in any of my enterprise customers, so I’m just curious which one is better, more popular, etc.

Thank you
Hubert

Hi Guys,

I understand spanning-tree loopguard is configured in global config mode, and the Cisco documentation states that it is only enabled on Root and ALT ports.  So basically, if the primary link or backup link to our root bridge stops receiving BPDU's, but the port remains up, then STP is gonna ensure it gets blocked (as opposed to transition into designated forwarding) to prevent a unidirectional loop. Fine, I'm happy with that.  In the CLI, I'm not happy about it though.  In the output below, you can see Loop Guard is showing to be enabled on every kind of port, whether its designated, root or whatever.  What's the reason for this?

06470s1(config)#spanning-tree loopguard default

06470s1(config)#end

06470s1#sh span vlan 10

VLAN0010

  Spanning tree enabled protocol ieee

  Root ID    Priority    32778

             Address     0012.d930.d7c0

             Cost        19

             Port        14 (FastEthernet0/12)

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)

             Address     001a.2fc6.2680

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Fa0/1               Desg FWD 19        128.3    P2p 

Fa0/2               Desg FWD 19        128.4    P2p Edge 

Fa0/4               Desg FWD 19        128.6    P2p Edge 

Fa0/5               Desg FWD 19        128.7    P2p Edge 

Fa0/6               Desg FWD 19        128.8    P2p 

Fa0/9               Desg FWD 19        128.11   P2p Edge 

Fa0/10              Desg FWD 19        128.12   P2p Edge 

Fa0/12              Root FWD 19        128.14   P2p 

Fa0/14              Desg FWD 19        128.16   P2p Edge 

Fa0/17              Desg FWD 19        128.19   P2p Edge 

Fa0/20              Desg FWD 19        128.22   P2p Edge 

Fa0/29              Desg FWD 19        128.33   P2p Edge 

Fa0/31              Desg FWD 19        128.35   P2p Edge 

Fa0/32              Desg FWD 19        128.36   P2p Edge 

Fa0/33              Desg FWD 19        128.37   P2p Edge 

Fa0/34              Desg FWD 19        128.38   P2p Edge 

Fa0/35              Desg FWD 19        128.39   P2p Edge 

Fa0/36              Desg FWD 19        128.40   P2p Edge 

Fa0/37              Desg FWD 19        128.41   P2p Edge 

Fa0/38              Desg FWD 19        128.42   P2p Edge 

Fa0/39              Desg FWD 19        128.43   P2p Edge 

Fa0/40              Desg FWD 19        128.44   P2p Edge 

Fa0/41              Desg FWD 19        128.45   P2p Edge 

Fa0/42              Desg FWD 19        128.46   P2p Edge 

Fa0/44              Desg FWD 19        128.48   P2p Edge 

Fa0/45              Desg FWD 19        128.49   P2p Edge 

Fa0/46              Desg FWD 19        128.50   P2p Edge 

Fa0/47              Desg FWD 19        128.51   P2p Edge 

06470s1#sh span int fa0/2 det | i Loop

   Loop guard is enabled by default on the port

06470s1#sh span int fa0/1 det | i Loop

   Loop guard is enabled by default on the port

   Loop guard is enabled by default on the port

   Loop guard is enabled by default on the port

06470s1#sh span int fa0/12 det | i Loop

   Loop guard is enabled by default on the port

   Loop guard is enabled by default on the port

   Loop guard is enabled by default on the port

The reason it says this 3 times, btw, is because I have 3 VLANs on the port

Hello everyone, I'm hoping that someone might be able to shed some light on a problem I'm having.

I have a lab in GNS3 with multiple regions (5 in total), setup with DMVPN Phase 3. Spoke-to-Spoke traffic is working as expected, but I'm having an issue with Spoke to a different Region's (or the Central) Hub traffic. The first few pings work just fine, but as soon as the NHRP Mappings are established, the pings cease to go through. Basically, Phase 3 is breaking the connection between the Spoke and Hub.

Does anyone have any insight as to why this might be happening? I greatly appreciate any info that you guys can give me.

Hi Guys,

I just got some new 3650's to play a bit with the stacking.  Upon boot, I get the syslog msg "%PLATFORM_MGR-1-PLATMGR_INIT_FAIL: Platform Manager: Failed to set system LEDs after POST." (shown at the bottom of this post).  I get this on both of my brand new switches, however the LED System LED light is actually lit.  So does anyone know why this message is being displayed?

Booting...Initializing RAM +++++++@@@@@@@@...++++++++++++++++++++++++++++++++@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@done.

Memory Test Pass!

Base ethernet MAC Address: f0:7f:06:aa:75:80

Interface GE 0 link down***ERROR: PHY link is down

Initializing Flash...

flashfs[7]: 0 files, 1 directories

flashfs[7]: 0 orphaned files, 0 orphaned directories

flashfs[7]: Total bytes: 6784000

flashfs[7]: Bytes used: 1024

flashfs[7]: Bytes available: 6782976

flashfs[7]: flashfs fsck took 1 seconds....done Initializing Flash.

Getting rest of image

Reading full image into memory....done

Reading full base package into memory...: done = 79121160

Nova Bundle Image

--------------------------------------

Kernel Address    : 0x6042d333

Kernel Size       : 0x402ecf/4206287

Initramfs Address : 0x60830233

Initramfs Size    : 0xdb98e6/14391526

Compression Format: .mzip

Bootable image at @ ram:0x6042d333

Bootable image segment 0 address range [0x81100000, 0x82110000] is in range [0x80180000, 0x90000000].

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@boot_system: 377

Loading Linux kernel with entry point 0x81651310 ...

Bootloader: Done loading app on core_mask: 0xf

### Launching Linux Kernel (flags = 0x5)

All packages are Digitally Signed

Starting System Services

Jan 19 08:57:04 %PLATFORM_MGR-1-PLATMGR_INIT_FAIL: Platform Manager: Failed to set system LEDs after POST.