Channel: IEOC - INE's Online Community
Viewing all 10744 articles
Browse latest View live

FCoE port config


When configuring the Ethernet interface, is it a requirement to change the data VLAN to the host to be the native VLAN?


Interesting traffic (in GRE over IPsec)


Hi all,

Normally when we configure IPsec interesting traffic, we specify LAN-to-LAN subnets.

But in GRE over IPsec, the interesting traffic matches exactly what is configured as the GRE tunnel source and destination IP addresses, as well as the encapsulation.

But the traffic is sourced from a LAN machine, so how does this work?

BGP Backdoor - solution mistake


I believe the RSv5 workbook solution missed BGP->EIGRP redistribution on R1 and R4. Without redistribution on these routers the BGP route is still used, even though it shows AD 200, because we don't have this route in EIGRP.

R4#sh ip route 150.1.77.77
Routing entry for 150.1.77.77/32
  Known via "bgp 100", distance 200, metric 0
  Tag 200, type locally generated
  Last update from 155.1.45.5 00:22:30 ago
  Routing Descriptor Blocks:
  * 155.1.45.5, from 155.1.45.5, 00:22:30 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 200
      MPLS label: none

FCoE Load-balance


By default FC uses SRC-DST-OX-ID, which should give better utilization than just SRC-DST-ID... But when using FCoE, the vfc is bound to an Ethernet port-channel... Does anyone know how the load balancing works in this case?

Ethernet load balancing can be configured as source-destination-<ip|mac|port>... At first sight, for FCoE, IP and port don't make much sense... and if MAC is used, a one-to-one conversation will use only one port... not as effective as SRC-DST-OX-ID when using FC... Does anyone have a document that explains what happens when we use IP or port?

No IP MTU Command Needed With VTI?


Can someone explain why the IP MTU command is not needed with IPSec VTI but is with GRE?
In the INE ATC Brian references two reasons:
1. With VTI, the DF bit can be copied to the ESP header.
2. With VTI, the router can see the transform sets and calculate the available MTU for data since it knows what encryption algorithms are used.

Number 2 does not make sense to me. Why would the router not see the encryption algorithms used in the transform set with GRE?

Thanks

BSR - Multiple RP Candidates


Hello,

this configuration lab lists the following:

  • R5 should distribute this information and instruct all routers to load-balance multicast groups between the two RPs.
    • Use the maximum possible hash mask length to evenly distribute the load across the RPs.
Later, in the solution, the answer provided is:
ip pim bsr-candidate Loopback0 31
Which implies hash mask length of 31.
It looks like the maximum possible hash mask length is actually 32:
R5(config)#ip pim bsr-candidate Loopback0 ?
  <0-32>  Hash Mask length for RP selection
  <cr>
R5(config)#ip pim bsr-candidate Loopback0 32
R5(config)#
I've checked how evenly the groups are distributed. Done on 256 groups, from 224.10.10.0 to 224.10.10.255:
- While using mask 31: it is 126:130 - basically 1:1, however one particular RP is always used for 4 (or 6) consecutive groups
- While using mask 32: it is 126:130 also, but consecutive groups count for a particular RP ranges from 1 to 6. Counts of the same RP used in a row: 127x 1 time in a row, 43x 2 times in a row, 4x 3 times in a row, 6x 4 times in a row and 1x 6 times in a row
I'm sure that this is because I've chosen to use 224.10.10.X, but anyway it looks like the distribution is uniform, so the correct answer should probably be 32 instead of 31.
What do you think? :)
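To see why the /31 run pattern the poster measured comes out in pairs, here is the RFC 4601 section 4.7.2 RP hash worked through in Python. This is an added example, not code from the thread or from INE's workbook: the two candidate RP addresses (150.1.1.1 and 150.1.3.3), the group range, and all function names are assumptions chosen for the illustration. With a /31 hash mask the lowest group bit is masked off before hashing, so every even/odd pair of groups must land on the same RP; with /32 every group is hashed on its own address.

```python
import ipaddress
from collections import Counter

# Assumed inputs (not from the thread): two candidate RPs and the
# group range the poster tested, 224.10.10.0 through 224.10.10.255.
RPS = [int(ipaddress.IPv4Address("150.1.1.1")),
       int(ipaddress.IPv4Address("150.1.3.3"))]
FIRST_GROUP = int(ipaddress.IPv4Address("224.10.10.0"))
GROUP_COUNT = 256


def hash_mask(mask_len: int) -> int:
    """Contiguous 32-bit mask for a hash mask length of mask_len (0 for /0)."""
    return (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF


def bsr_hash_value(group: int, mask_len: int, rp: int) -> int:
    """Value(G, M, C(i)) exactly as written in RFC 4601 section 4.7.2."""
    masked = group & hash_mask(mask_len)
    return (1103515245 * ((1103515245 * masked + 12345) ^ rp) + 12345) % (1 << 31)


def select_rp(group: int, mask_len: int, rps) -> int:
    """Highest hash value wins; ties go to the highest RP address (RFC 4601)."""
    return max(rps, key=lambda rp: (bsr_hash_value(group, mask_len, rp), rp))


def assignments(mask_len: int, rps=RPS, first=FIRST_GROUP, count=GROUP_COUNT):
    """RP chosen for each consecutive group in the range."""
    return [select_rp(first + i, mask_len, rps) for i in range(count)]


def distribution(mask_len: int, **kw) -> Counter:
    """Number of groups per RP, keyed by dotted RP address."""
    return Counter(str(ipaddress.IPv4Address(rp)) for rp in assignments(mask_len, **kw))


def run_lengths(mask_len: int, **kw) -> list:
    """Lengths of runs of consecutive groups that map to the same RP,
    the same statistic the poster counted by hand."""
    runs, last = [], None
    for rp in assignments(mask_len, **kw):
        if rp == last:
            runs[-1] += 1
        else:
            runs.append(1)
            last = rp
    return runs


if __name__ == "__main__":
    for m in (31, 32):
        print(f"/{m}: {dict(distribution(m))}, longest run {max(run_lengths(m))}")
```

The split between the two RPs is close to even for either mask length with this many groups, but only /32 lets adjacent groups be assigned independently; /31 can never separate 224.10.10.2 from 224.10.10.3, which is exactly the "always 4 or 6 in a row" effect reported above.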

Automatic reply: Is it possible to know in OSPF which networks are received from a non-passive interface?


I will be out of the office beginning 4/20/15 returning on 4/21/15. During this time I will not have phone or email access. Please utilize the CNOS project DL (Agency-DL-CSO-NICS-Projects-CNOS) for any CNOS required support. In addition, please contact the Tony Stewart (CNOC) at 256-544-4400 for any CNOC LAN  (Wireless, Wired or VPN) support questions/concerns.

 

Is it possible to know in OSPF which networks are received from a non-passive interface?


Hi guys,

I wanted to ask your help with one question about OSPF. I had tried to find any information but was not able to find it. I need to know exactly which routes are received from an OSPF neighbor.

For example: I have a core switch which has several L3 switches connected in the same campus (let's call this campus C), and this core switch also talks OSPF with two main campuses (A & B), which receive several networks from other mini campuses (D to Z). All these networks are received on the core switches in campus C and belong to the same area 0. I have tried to find an approach to find which networks are originated on all the access switches (L3 switches) without needing to look at the routing table of all the access switches connected to the cores (on campus C). I suppose there should be a quick way to do this.

My problem is that I cannot trust all the OSPF networks on the core, since it is connected to the other two campuses and receives several networks. Maybe there is some way to find this information in the OSPF database, or maybe by knowing the non-passive interfaces.

I wanted to do something similar to "show ip bgp neighbor x.x.x.x routes", but after my research I have not been able to find any similar command. I know they work very differently; I just mention it because the output I expect to find is similar to that command.

Note: these switches are in a production environment and I cannot use any configuration or debug commands; I must use only show commands.

Thanks for your help.


Static Policy NAT


Hi, I read in the cisco article below that:

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.pdf

"...The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as “extendable”."

While in this lab we do need to configure two NAT entries with the same inside local address, why don't we need the "extendable" keyword? When I typed the two NAT statements below with the same inside local 155.1.7.7, the router didn't show any error message to prevent it.

ip nat inside source static 155.1.7.7 155.1.13.1 route-map LINK_TO_R1
ip nat inside source static 155.1.7.7 155.1.23.7 route-map LINK_TO_R2

Thanks,

PIM Sparse-Dense Mode


Hello,

In this lab, when pinging 224.10.10.10, which is the group that uses the RP, the workbook shows "stopped" in the expire timer on R5:

(*, 224.10.10.10), 00:05:33/stopped, RP 150.1.5.5, flags: S

Is this an error? Since this group is in sparse mode, this timer should be started.

IGMP Timers task - RPF failure


Using the "initial Multicast" configurations, I found an RPF error after enabling sparse-mode multicast delivery on VLAN 146 (R1, R4, and R6).


Debug on R1:

PIM(0): Received v2 Bootstrap on GigabitEthernet1.146 from 155.1.146.6
PIM-BSR(0): bootstrap (150.1.6.6) on non-RPF path GigabitEthernet1.146 (expected ) or from non-RPF neighbor 155.1.146.6 (expected 0.0.0.0) discarded
PIM(0): Received v2 Bootstrap on GigabitEthernet1.146 from 155.1.146.6
PIM-BSR(0): bootstrap (150.1.6.6) on non-RPF path GigabitEthernet1.146 (expected ) or from non-RPF neighbor 155.1.146.6 (expected 0.0.0.0) discarded
PIM(0): Received v2 Bootstrap on GigabitEthernet1.146 from 155.1.146.6
PIM-BSR(0): bootstrap (150.1.6.6) on non-RPF path GigabitEthernet1.146 (expected ) or from non-RPF neighbor 155.1.146.6 (expected 0.0.0.0) discarded

RPF check for R6's loopback:

R1#sh ip rpf 150.1.6.6
 failed, no route exists
R1#

Basically, I was able to fix this by adding the eigrp 100 configuration (like the ones on R4 and R6) to R1.

Again, it did not impact the solution for this task.  Did anyone else see this or did I make a mistake?

BGP Aggregation - Advertise Map


Filtering AS300 with an as-path ACL works as well.

ip as-path access-list 1 permit _300_
!
ip prefix-list AS300_PREFIX permit 222.22.3.0/24
!
route-map ADVERTISE_MAP deny 10
 match as-path 1
!
route-map ADVERTISE_MAP permit 100
!
router bgp 100
 aggregate-address 222.22.0.0 255.255.252.0 summary-only as-set advertise-map ADVERTISE_MAP

"switchport vlan mapping" - a must-know for a Cisco engineer?


I felt very ashamed yesterday: after almost a year of studying for the CCIE R&S exam, I couldn't create a working test VLAN to ping a directly connected switch!..

Here's the story (please excuse the link to another site; I could copy-paste, but decided to be brief):

https://supportforums.cisco.com/discussion/12481626/cant-ping-our-service-provider-directly-connected-link

Could anyone please clarify why I wasn't able to use my test VLAN to ping the switch on the other end of a direct link (that switch was a non-Cisco switch, but the same configuration worked well with a non-Cisco switch from another vendor)?

Thanks in advance for your attention and help!

OSPF Path Selection with Cost


In the section OSPF Path Selection with Cost, in the DMVPN cloud on R5, we could use:

R5#conf t
 int gig1.45
  ip ospf cost 1001
  exi
 router ospf 1
  neighbor 155.1.0.1 cost 999
  exi

I did this, and in DMVPN I could change the cost per neighbor in the point-to-multipoint non-broadcast case on R5.

The workbook states that we cannot change the cost per neighbor in the DMVPN cloud with point-to-multipoint non-broadcast.

Any comments on this?

BGP diverse path advertisements ?


What is BGP diverse path advertisement? Does it have anything to do with IGP multipath?



ASA 5515 load sharing?


I am studying for the R&S track but ran across a curious issue at work with the ASA 5515 FW, so I thought I'd ask a question here :)

The FW is running as an Active/Standby pair in routed mode, single context, so only one FW is sending/receiving. Each FW has 2 outside interfaces, each going to CE routers 1 and 2, in a crisscrossing setup.

Cisco's docs don't mention that the 5515 FW supports load-sharing/balancing, at least not at layer 3. Even if it does, here is the peculiar part: we do not run dynamic routing protocols on the FW, just static default routes. The ASA software does not allow installing 2 equal-distance static routes out of 2 different outside interfaces, like this:

route outside_1 0.0.0.0 0.0.0.0 123.123.123.123 1 track 1
route outside_2 0.0.0.0 0.0.0.0 123.123.123.124 1 track 2

So in the end we have to do this instead:

route outside_1 0.0.0.0 0.0.0.0 123.123.123.123 1 track 1
route outside_2 0.0.0.0 0.0.0.0 123.123.123.124 2 track 2

Now because the 2nd route has an AD of 2, it will not be installed in the routing table unless the track 1 object is down, so all traffic will go out only outside_1. But the reality is, both outside interfaces are sending traffic. We don't really understand why this is happening, but will happily accept the fact that the ASA 5515 FW does support load-sharing/balancing. The question is, what load-sharing algorithm does it use? Is it per packet, per flow? Why does it do it?


Foundation LAB 3 redistribution Issue


On Foundation Lab 3, when the RIP route 9.9.9.9 is redistributed on R1, loops happen concerning this prefix.

So what is the fix for that? Because of this, BGP task 5.2 can't be done between R1 & R9.


Does Hash really provide data integrity?


Hi, I have a question regarding hashes (e.g. MD5, SHA).

The applications of hashing I am referring to are IPsec and TLS, or even routing protocols.

Now, let me show you what my understanding is: A device (A) is sending plaintext (abcdefg) to another device (B). In order to make sure that no one tampers with the plaintext, device A will calculate a hash using a hash function (MD5 or SHA). Device A will take the original plaintext (abcdefg), run the hash function, and the output is the hash (123). Then device A will attach the hash to the plaintext and send it to device B. Device B will receive something like abcdefg.123. Device B will take the text "abcdefg", run it through the hash function, and the output is 123 (which is the same as the 123 in abcdefg.123). So device B will think that no one changed anything in the original text.

** I read a book and it says the hash function is based on the plaintext.

Now, let's say there is an eavesdropper (EVE). EVE picks up the message abcdefg.123 and alters the original message from abcdefg to aaaabbbb. Then EVE runs a hash function (MD5 or SHA => let's say she guessed the correct hash function) on this new text "aaaabbbb" and the output is 456. Then EVE sends "aaaabbbb.456" to device B. Device B runs the hash function on "aaaabbbb" and the output is 456, which is the same as the 456 in "aaaabbbb.456". So device B will think no one tampered with the original message. But in fact EVE has tampered with the original message.

My question is, does my scenario make sense? Can it happen? If it can happen, a hash cannot provide data integrity.

Thanks.
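The scenario in the post above, worked through as an added example that is not part of the original thread: a plain hash appended to a message can be recomputed by anyone who can read the message, so Eve's substitution is accepted, whereas a keyed MAC (HMAC-SHA256 here; IPsec and TLS use HMAC, and the classic OSPF and BGP MD5 authentication options mix a shared key into the digest) rejects both her recomputed digest and a replayed genuine tag. The messages, the shared key and every function name below are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample data mirroring the post's scenario (not real traffic).
ORIGINAL = b"abcdefg"
TAMPERED = b"aaaabbbb"
# Hypothetical secret shared by A and B in advance; Eve never sees it.
SHARED_KEY = b"hypothetical-preshared-key"


def plain_digest(message: bytes) -> str:
    """Unkeyed hash appended to the message: anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message: recomputing it requires the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts(expected: str, presented: str) -> bool:
    """B's check. compare_digest avoids leaking the tag through timing."""
    return hmac.compare_digest(expected, presented)


def eve_rewrites(new_text: bytes):
    """Eve swaps the text and recomputes the unkeyed digest over it.
    Without the key, that is the strongest forgery available to her."""
    return new_text, plain_digest(new_text)


def run_scenario() -> dict:
    # Design 1: message || hash(message). B recomputes the same public
    # function Eve used, so the substitution is accepted.
    msg, digest = eve_rewrites(TAMPERED)
    plain_accepted = receiver_accepts(plain_digest(msg), digest)

    # Design 2: message || HMAC(key, message). B recomputes with the key;
    # Eve's unkeyed digest does not match.
    genuine_tag = keyed_tag(SHARED_KEY, ORIGINAL)
    msg, forged = eve_rewrites(TAMPERED)
    mac_accepted = receiver_accepts(keyed_tag(SHARED_KEY, msg), forged)

    # Eve could instead keep A's genuine tag and only swap the text; that
    # fails too, because the tag binds the key to the original bytes.
    replayed_accepted = receiver_accepts(keyed_tag(SHARED_KEY, TAMPERED), genuine_tag)

    # Untampered traffic still verifies under the keyed design.
    honest_accepted = receiver_accepts(keyed_tag(SHARED_KEY, ORIGINAL), genuine_tag)

    return {
        "plain_accepted": plain_accepted,
        "mac_accepted": mac_accepted,
        "replayed_tag_accepted": replayed_accepted,
        "honest_accepted": honest_accepted,
    }


if __name__ == "__main__":
    for check, verdict in run_scenario().items():
        print(f"{check:22} {verdict}")
```

The point the example makes is that the integrity guarantee comes from the key, not from the hash function: the receiver must be able to compute something the attacker cannot. An unkeyed digest only detects accidental corruption, which is why the protocols named in the post all carry a keyed tag rather than a bare hash.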

CCIE SPv4 Kickoff Online Seminar


This class marks the kickoff of INE’s CCIE SPv4 product line for the New CCIE Service Provider Version 4 Blueprint, which goes live May 22nd 2015!  In this class we’ll cover the v3 to v4 changes, including exam format changes and topic adds and removes, recommended readings and resources, INE’s new CCIE SPv4 hardware specification and CCIE SPv4 Workbook, and the schedule for INE’s upcoming CCIE Service Provider Version 4 Advanced Technologies Class.  Class runs tomorrow, Tuesday April 14th at 09:00 PDT (16:00 UTC), and is free to attend.  Simply sign up for an INE Members account or visit this direct link for the class.
