Channel: IEOC - INE's Online Community

Set up FCOE Vlan as native vlan on CIMC ?


When we set the FCoE VLAN on the CIMC under Default-vlan, is this VLAN tagged (a regular VLAN)? My understanding is yes.

I'm curious whether it's possible to set the FCoE VLAN as the native VLAN in the CIMC.

The Cisco doc doesn't recommend it. I'm just curious whether this is even possible.


Ticket 10 - duplicate ip on client


Hello, mates!

Could you please clarify the situation I have after applying the solution steps?

I could recognize the network mask mismatch, but I got very strange behaviour. The Dialer117 interface on the PPPoE client does not receive the IP address 89.211.117.17 but gets 89.211.117.1, i.e. the same as on the PPPoE server. That's why the OSPF neighborship doesn't come up later.

Here is the log of debug ppp negotiation on the client:

*Mar 26 23:02:04.522: Vi2 PPP: Phase is UP
*Mar 26 23:02:04.522: Vi2 IPCP: Protocol configured, start CP. state[Initial]
*Mar 26 23:02:04.522: Vi2 IPCP: Event[OPEN] State[Initial to Starting]
*Mar 26 23:02:04.522: Vi2 IPCP: O CONFREQ [Starting] id 1 len 20
*Mar 26 23:02:04.522: Vi2 IPCP:    VSO OUI Cisco Netmask 0.0.0.0 (0x000A00000C0100000000)
*Mar 26 23:02:04.522: Vi2 IPCP:    Address 0.0.0.0 (0x030600000000)
*Mar 26 23:02:04.522: Vi2 IPCP: Event[UP] State[Starting to REQsent]
*Mar 26 23:02:04.522: Vi2 CDPCP: Protocol configured, start CP. state[Initial]
*Mar 26 23:02:04.522: Vi2 CDPCP: Event[OPEN] State[Initial to Starting]
*Mar 26 23:02:04.522: Vi2 CDPCP: O CONFREQ [Starting] id 1 len 4
*Mar 26 23:02:04.522: Vi2 CDPCP: Event[UP] State[Starting to REQsent]
*Mar 26 23:02:04.522: Vi2 PPP: Process pending ncp packets
*Mar 26 23:02:04.522: Vi2 IPCP: Redirect packet to Vi2
*Mar 26 23:02:04.522: Vi2 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 26 23:02:04.522: Vi2 IPCP:    Address 89.211.117.1 (0x030659D37501)
*Mar 26 23:02:04.522: Vi2 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar 26 23:02:04.522: Vi2 IPCP:    Address 89.211.117.1 (0x030659D37501)
*Mar 26 23:02:04.522: Vi2 IPCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
*Mar 26 23:02:04.522: Vi2 TAGCP: Redirect packet to Vi2
*Mar 26 23:02:04.522: Vi2 TAGCP: I CONFREQ [UNKNOWN] id 1 len 4
*Mar 26 23:02:04.522: Vi2 LCP: O PROTREJ [Open] id 2 len 10 protocol TAGCP (0x01010006)
*Mar 26 23:02:04.524: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 20
*Mar 26 23:02:04.524: Vi2 IPCP:    VSO OUI Cisco Netmask 255.255.255.128 (0x000A00000C01FFFFFF80)
*Mar 26 23:02:04.524: Vi2 IPCP:    Address 89.211.117.17 (0x030659D37511)
*Mar 26 23:02:04.524: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 20
*Mar 26 23:02:04.524: Vi2 IPCP:    VSO OUI Cisco Netmask 255.255.255.128 (0x000A00000C01FFFFFF80)
*Mar 26 23:02:04.524: Vi2 IPCP:    Address 89.211.117.17 (0x030659D37511)
*Mar 26 23:02:04.524: Vi2 IPCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
*Mar 26 23:02:04.524: Vi2 LCP: I PROTREJ [Open] id 3 len 10 protocol CDPCP (0x01010006)
*Mar 26 23:02:04.524: Vi2 CDPCP: Event[Receive CodeRej-] State[REQsent to Stopped]
*Mar 26 23:02:04.525: Vi2 IPCP: I CONFACK [ACKsent] id 2 len 20
*Mar 26 23:02:04.525: Vi2 IPCP:    VSO OUI Cisco Netmask 255.255.255.128 (0x000A00000C01FFFFFF80)
*Mar 26 23:02:04.525: Vi2 IPCP:    Address 89.211.117.17 (0x030659D37511)
*Mar 26 23:02:04.525: Vi2 IPCP: Event[Receive ConfAck] State[ACKsent to Open]
*Mar 26 23:02:04.558: Vi2 IPCP: State is Open
*Mar 26 23:02:04.558: PPPoE : ipfib_encapstr  prepared
*Mar 26 23:02:04.558: Vi2 IPCP: Subnet: address 89.211.117.17 mask 255.255.255.128

So the final line looks good. But when I check the IP I see this:

R17#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
...
Ethernet0/1.117            unassigned      YES unset  up                    up
Ethernet0/1.170            172.25.170.17   YES TFTP   up                    up
Ethernet0/2                192.168.1.17    YES TFTP   administratively down down
Ethernet0/3                unassigned      YES TFTP   administratively down down
Dialer117                  89.211.117.1    YES manual up                    up
Loopback0                  192.122.3.17    YES TFTP   up                    up
Virtual-Access1            unassigned      YES unset  up                    up

Note that the Dialer got the same IP as the server.

Here is the server config:

R1#sh run int virtual-te 117
Building configuration...

Current configuration : 217 bytes
!
interface Virtual-Template117
 ip address 89.211.117.1 255.255.255.128
 ip pim sparse-mode
 ip ospf 100 area 117
 no peer neighbor-route
 peer default ip address pool r1-r17-pool
 ppp ipcp mask 255.255.255.128
end

R1#sh run | s local
ip local pool r1-r17-pool 89.211.117.17

If I check the DHCP pool on the client:

R17#sh ip dhcp pool
Pool r1-r17-pool :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 126
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 89.211.117.1         89.211.117.1     - 89.211.117.126    0
 Interface Dialer117 address assignment:
   89.211.117.1 255.255.255.128

So I think that using the mask 255.255.255.128 and one IP address, 89.211.117.17, in the pool config on the server makes the client create a whole pool for the subnet 89.211.117.0/25. When I ask for an IP address for the Dialer I just receive the first IP, which overlaps with the server side. Am I right? How do I resolve this task to avoid this duplication?

Thanks!
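
The debug output above prints every IPCP option as raw hex in parentheses. The following decoder is an added example, not code from the original post: it parses those option bytes (RFC 1332 IP-Address, RFC 1877 DNS/NBNS, and the RFC 2153 vendor-specific option that IOS labels "VSO OUI Cisco Netmask"), reassembles what the final CONFACK negotiated, and compares that with the address the interface actually ended up with. The hex strings are copied from the debug lines above; the helper names, the reading of Cisco VSO kind 1 as "netmask" (inferred from how IOS prints it), and the check logic are assumptions of this example.

```python
"""Decode IPCP option hex from 'debug ppp negotiation' and check the result.

Added example; not code from the original post. The option hex strings used
in the sample run are copied from the debug output above, everything else is
constructed for illustration.
"""
import ipaddress

# IPCP option types (RFC 1332 / RFC 1877). Type 0 is Vendor-Specific (RFC 2153).
OPTION_NAMES = {
    0: "Vendor-Specific", 2: "IP-Compression-Protocol", 3: "IP-Address",
    129: "Primary-DNS", 130: "Primary-NBNS", 131: "Secondary-DNS", 132: "Secondary-NBNS",
}
CISCO_OUI = "00000c"


def parse_ipcp_options(hexstr):
    """Decode a run of IPCP options (type, length, value...) from a hex string."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    opts, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header at offset %d" % pos)
        otype, olen = data[pos], data[pos + 1]
        if olen < 2 or pos + olen > len(data):
            raise ValueError("bad option length %d at offset %d" % (olen, pos))
        value = data[pos + 2:pos + olen]
        opt = {"type": otype, "name": OPTION_NAMES.get(otype, "Unknown-%d" % otype)}
        if otype == 0 and len(value) >= 4:
            # Vendor-Specific: 3-byte OUI, 1-byte kind, vendor data.
            # Cisco (OUI 00-00-0C) kind 1 carries the subnet mask; this reading of
            # "kind 1 == netmask" is inferred from the IOS debug text (assumption).
            opt["oui"], opt["kind"], opt["data"] = value[:3].hex(), value[3], value[4:]
            if opt["oui"] == CISCO_OUI and opt["kind"] == 1 and len(opt["data"]) == 4:
                opt["netmask"] = str(ipaddress.IPv4Address(opt["data"]))
        elif otype in (3, 129, 130, 131, 132) and len(value) == 4:
            opt["address"] = str(ipaddress.IPv4Address(value))
        else:
            opt["data"] = value
        opts.append(opt)
        pos += olen
    return opts


def negotiated_interface(option_hexes):
    """Combine the options of one IPCP packet into (address, netmask or None)."""
    address = netmask = None
    for h in option_hexes:
        for opt in parse_ipcp_options(h):
            if opt["type"] == 3:
                address = opt["address"]
            elif opt.get("netmask"):
                netmask = opt["netmask"]
    return address, netmask


def check_assignment(negotiated, assigned, server_address):
    """Compare what IPCP negotiated with what the interface actually holds.

    Returns a list of problem strings; an empty list means the assignment is consistent.
    """
    problems = []
    if assigned != negotiated:
        problems.append("interface has %s but IPCP negotiated %s" % (assigned, negotiated))
    if assigned == server_address:
        problems.append("interface address %s duplicates the PPPoE server" % assigned)
    return problems


if __name__ == "__main__":
    # Options from the final CONFACK in the debug output above.
    confack = ["0x000A00000C01FFFFFF80", "0x030659D37511"]
    addr, mask = negotiated_interface(confack)
    print("negotiated:", addr, mask)
    # Address actually shown on Dialer117 versus the server's Virtual-Template address.
    for problem in check_assignment(addr, "89.211.117.1", "89.211.117.1"):
        print("PROBLEM:", problem)
```

Running it on the posted hex shows the CONFACK negotiating 89.211.117.17/25 while the interface holds 89.211.117.1, which is exactly the mismatch the `sh ip int b` output above reveals.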

BGP SUPPRESS-INACTIVE for IPv6


Hi

I am trying to get BGP for IPv6 to suppress inactive routes (RIB-failed routes) on R2, but it's not working. Can someone explain what I am missing?

===============================================================

IGP is EIGRPv6 between SW1, SW2, R1 and R2

BGP for IPv6 between R1, SW2 and R2 with SW2 as RR

R1 redistributes EIGRPv6 into BGP

BGP suppress-inactive configured for the address family on R2

===============================================================

 

R2#sh run | se bgp
router bgp 65012
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 22.22.22.22 remote-as 65012
 neighbor 22.22.22.22 update-source Loopback0
 neighbor 2001:22:22:22::22 remote-as 65012
 neighbor 2001:22:22:22::22 update-source Loopback0
 neighbor 2001:200:1:24::4 remote-as 4
 neighbor 200.1.24.4 remote-as 4
 !
 address-family ipv4
  redistribute connected route-map C2BGP
  neighbor 22.22.22.22 activate
  neighbor 22.22.22.22 next-hop-self
  no neighbor 2001:22:22:22::22 activate
  no neighbor 2001:200:1:24::4 activate
  neighbor 200.1.24.4 activate
 exit-address-family
 !
 address-family ipv6
  bgp suppress-inactive
  neighbor 2001:22:22:22::22 activate
  neighbor 2001:22:22:22::22 next-hop-self
  neighbor 2001:200:1:24::4 activate
 exit-address-family
ip bgp-community new-format
R2#


========================================================================

Below we can see that the IGP route next hop and the BGP next hop recurse differently.

So in theory these routes should be suppressed.

========================================================================

R2#sh ipv6 route 2001:1:1:1::1/128
Routing entry for 2001:1:1:1::1/128
  Known via "eigrp 1", distance 90, metric 1024640, type internal
  Backup from "bgp 65012 [200]"
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:110, Ethernet0/1.12
      Last updated 00:17:18 ago

R2#sh ipv6 route 2001:21:21:21::21/128
Routing entry for 2001:21:21:21::21/128
  Known via "eigrp 1", distance 90, metric 3584000, type internal
  Backup from "bgp 65012 [200]"
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE80:F00, Ethernet0/1.221
      Last updated 00:17:21 ago

R2#sh ipv6 cef 2001:1:1:1::1/128 detail
2001:1:1:1::1/128, epoch 0
  nexthop FE80::A8BB:CCFF:FE00:110 Ethernet0/1.12

R2#sh ipv6 cef 2001:21:21:21::21/128 detail
2001:21:21:21::21/128, epoch 0
  nexthop FE80::A8BB:CCFF:FE80:F00 Ethernet0/1.221

R2#sh bgp ipv6 uni 2001:21:21:21::21/128
BGP routing table entry for 2001:21:21:21::21/128, version 88
Paths: (1 available, best #1, table default, RIB-failure(145))
  Advertised to update-groups:
     1
  Refresh Epoch 1
  Local
    2001:1:1:1::1 (metric 1024640) from 2001:22:22:22::22 (22.22.22.22)
      Origin incomplete, metric 3584000, localpref 100, valid, internal, best
      Originator: 1.1.1.1, Cluster list: 22.22.22.22
      rx pathid: 0, tx pathid: 0x0
R2#


======================================================================================

The output below shows RIB-NH Matches as (Yes).

For example, for the network 2001:21:21:21::21/128 this should indicate (No), as we have seen above that the IGP next hop is different from the BGP next hop.

=====================================================================================

R2#sh bgp ipv6 uni rib-failure
  Network            Next Hop                      RIB-failure   RIB-NH Matches
2001:1:1:1::1/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:2:2:2::2/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:3:3:3::3/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:5:5:5::5/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:6:6:6::6/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:7:7:7::7/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:8:8:8::8/128  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:12::/64  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:21::/64  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:22::/64  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:56::/64  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:57::/64  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:68::/64  2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:121::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:122::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:221::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:10:1:222::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:21:21:21::21/128
                      2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:22:22:22::22/128
                      2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:100:1:13::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:100:1:35::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:100:1:39::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:100:1:103::/64
                      2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:200:1:24::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
2001:200:1:46::/64 2001:1:1:1::1   IPv6 Higher admin distanc              Yes
R2#


===========================================================================

The RIB-failure routes are still advertised to the eBGP peer 2001:200:1:24::4.

How can this be explained? They should have been suppressed!

===========================================================================

R2#sh bgp ipv6 uni neighbors 2001:200:1:24::4 advertised-routes
BGP table version is 102, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 r>i 2001:1:1:1::1/128
                       2001:1:1:1::1            0    100      0 ?
 r>i 2001:2:2:2::2/128
                       2001:1:1:1::1      1024640    100      0 ?
 r>i 2001:3:3:3::3/128
                       2001:1:1:1::1            0    100      0 3 ?
 r>i 2001:5:5:5::5/128
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:6:6:6::6/128
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:7:7:7::7/128
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:8:8:8::8/128
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:10:1:12::/64
                       2001:1:1:1::1            0    100      0 ?
 r>i 2001:10:1:21::/64
                       2001:1:1:1::1      1029120    100      0 ?
 r>i 2001:10:1:22::/64
                       2001:1:1:1::1      1029120    100      0 ?
 r>i 2001:10:1:56::/64
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:10:1:57::/64
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:10:1:68::/64
                       2001:1:1:1::1            0  11111      0 3 65056 ?
 r>i 2001:10:1:121::/64
                       2001:1:1:1::1            0    100      0 ?
 r>i 2001:10:1:122::/64
                       2001:1:1:1::1            0    100      0 ?
 r>i 2001:10:1:221::/64
                       2001:1:1:1::1      1029120    100      0 ?
 r>i 2001:10:1:222::/64
                       2001:1:1:1::1      1029120    100      0 ?
 r>i 2001:21:21:21::21/128
                       2001:1:1:1::1      3584000    100      0 ?
 r>i 2001:22:22:22::22/128
                       2001:1:1:1::1      3584000    100      0 ?
 r>i 2001:100:1:13::/64
                       2001:1:1:1::1            0    100      0 ?
 r>i 2001:100:1:35::/64
                       2001:1:1:1::1            0    100      0 3 ?
 r>i 2001:100:1:39::/64
                       2001:1:1:1::1            0    100      0 3 ?
 r>i 2001:100:1:103::/64
                       2001:1:1:1::1            0    100      0 3 ?
 r>i 2001:200:1:24::/64
                       2001:1:1:1::1      1536000    100      0 ?
 r>i 2001:200:1:46::/64
                       2001:1:1:1::1            0  11111      0 3 65056 ?

Total number of prefixes 25

R2#
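
The post above compares, by eye, the interface of each installed EIGRPv6 route with the interface the BGP next hop 2001:1:1:1::1 recurses to, and then scans the advertised-routes listing for the `r` status code. The script below is an added example, not code from the original post: it performs exactly that cross-check from the show-command text. The excerpts embedded in it are copied from the outputs above; the regexes, the "matches" verdict (this script's comparison, not the router's own "RIB-NH Matches" column, whose rule the post does not show) and the function names are assumptions of this example.

```python
"""Cross-check RIB-failure BGP paths against the IGP routing table.

Added example, not code from the original post. It implements the test the
post describes: for each prefix, the next hop/interface of the installed IGP
route versus the hop/interface that the BGP next hop recurses to. The
show-command excerpts below are copied from the post; the verdict is this
script's own, not the router's 'RIB-NH Matches' column.
"""
import re

ENTRY_RE = re.compile(r"Routing entry for (\S+)")
# "Routing paths:" entries look like "    FE80::A8BB:CCFF:FE00:110, Ethernet0/1.12"
PATH_RE = re.compile(r"^\s+([0-9A-Fa-f:]*:[0-9A-Fa-f:]*),\s+(\S+)\s*$", re.M)
# advertised-routes lines look like " r>i 2001:1:1:1::1/128" (next hop on the following line)
ADV_RE = re.compile(r"^\s*([srdhSmbfxac*>]+i?)\s+([0-9A-Fa-f:]+/\d+)", re.M)

ROUTE_OUTPUT = """\
R2#sh ipv6 route 2001:1:1:1::1/128
Routing entry for 2001:1:1:1::1/128
  Known via "eigrp 1", distance 90, metric 1024640, type internal
  Backup from "bgp 65012 [200]"
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:110, Ethernet0/1.12
      Last updated 00:17:18 ago
R2#sh ipv6 route 2001:21:21:21::21/128
Routing entry for 2001:21:21:21::21/128
  Known via "eigrp 1", distance 90, metric 3584000, type internal
  Backup from "bgp 65012 [200]"
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE80:F00, Ethernet0/1.221
      Last updated 00:17:21 ago
"""

ADVERTISED = """\
     Network          Next Hop            Metric LocPrf Weight Path
 r>i 2001:1:1:1::1/128
                       2001:1:1:1::1            0    100      0 ?
 r>i 2001:21:21:21::21/128
                       2001:1:1:1::1      3584000    100      0 ?
"""


def parse_ipv6_routes(text):
    """Return {prefix: (next_hop, interface)} from concatenated 'show ipv6 route <prefix>' output."""
    table = {}
    for block in re.split(r"(?=Routing entry for )", text):
        entry, path = ENTRY_RE.search(block), PATH_RE.search(block)
        if entry and path:
            table[entry.group(1)] = (path.group(1), path.group(2))
    return table


def resolve_next_hop(next_hop, table):
    """Recurse a BGP next hop through /128 host routes until a link-local (connected) hop is reached."""
    hop, iface, visited = next_hop, None, []
    while not hop.lower().startswith("fe80:"):
        key = hop + "/128"
        if key not in table or hop in visited:
            raise LookupError("cannot resolve BGP next hop %s" % next_hop)
        visited.append(hop)
        hop, iface = table[key]
    return hop, iface


def rib_nh_matches(prefix, bgp_next_hop, table):
    """True when the installed IGP route and the recursed BGP next hop share hop and interface."""
    return table[prefix] == resolve_next_hop(bgp_next_hop, table)


def rib_failure_prefixes_advertised(advertised_text):
    """Prefixes carrying status 'r' (RIB-failure) in an advertised-routes listing."""
    return [pfx for status, pfx in ADV_RE.findall(advertised_text) if status.startswith("r")]


def audit(table, bgp_next_hop, advertised_text):
    """For each RIB-failure prefix still advertised, whether its IGP path agrees with the BGP next hop."""
    return {pfx: rib_nh_matches(pfx, bgp_next_hop, table)
            for pfx in rib_failure_prefixes_advertised(advertised_text) if pfx in table}


if __name__ == "__main__":
    routes = parse_ipv6_routes(ROUTE_OUTPUT)
    for pfx, ok in audit(routes, "2001:1:1:1::1", ADVERTISED).items():
        print("%-24s RIB-failure, advertised; IGP path %s the BGP next-hop recursion"
              % (pfx, "matches" if ok else "differs from"))
```

On the posted data the script reports a match for 2001:1:1:1::1/128 and a mismatch for 2001:21:21:21::21/128, which is the discrepancy the post points out between its own comparison and the router's column.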

 

ASA dynamic crypto map with different tunnel mode


Hi all,

 

I have a dynamic crypto map to permit remote access vpn.

The remote access vpn should be:

- anyconnect

- cisco vpn client

- microsoft native client (L2TP over IPsec)

 

With AnyConnect I have no issue. The problem is with the Cisco VPN client and the Microsoft native client, because the Microsoft VPN client must use transport mode and the Cisco VPN client wants tunnel mode.

With a dynamic crypto map I can't filter the source IP, and the Microsoft VPN client and the Cisco VPN client always match the first proposal, so I'm able to use only one client at a time.

In my idea one way to solve the problem is to force the client to use a specific encryption and hash method (but I don't know how to do that), so for example with Microsoft L2TP I use esp-3des esp-sha-hmac and with the Cisco VPN client ESP-AES-256-MD5; in this way I can specify tunnel mode for the Cisco VPN client and transport mode for the Microsoft L2TP native client.

Any other ideas? Here you can find a small snippet of the conf. At the moment I always match the first policy (20), so I'm able to use the Cisco VPN client but not the Microsoft L2TP client. If I move policy 30 to the top I can use the Microsoft L2TP client but not the Cisco VPN client.

Any help is very appreciated! regards

crypto ipsec ikev1 transform-set L2TP-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-set mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map client-map 20 set pfs
crypto dynamic-map client-map 20 set ikev1 transform-set ESP-AES-256-MD5
crypto dynamic-map client-map 20 set security-association lifetime seconds 28800
crypto dynamic-map client-map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map client-map 30 set ikev1 transform-set L2TP-set

ASA NSEL Extended Event ID

[QoS] How to limit class-default bandwidth?


Hello everybody,

I have a task to limit class-default traffic so that it doesn't exceed into the remaining bandwidth.

I am thinking of fair-queue with adjusting the queue size, something like:

 

R1(config-pmap)#class class-default
R1(config-pmap-c)#fair-queue 128

However, I am not sure whether this will prevent class-default traffic from exceeding my remaining bandwidth.

Can you share your idea with me?

If any documentation which explains this, really appreciated.

 

Thank you

- Sami

- "English is not my native language, apologies if there are any mistakes in my writing."

Terminal lines questions


Hello team 

I am confused about the session-timeout command under vty lines. What is the difference between "session-timeout" and "exec-timeout"? Both of them seem to be the same.

Also, I could not get the "session-limit" command. Let's say on line 0 we can only have one telnet connection; if I say "session-limit 2", will I be able to get two telnet connections? What is the usage of the "session-limit" command?

Lastly, I tried removing commands such as "transport preferred none" or "transport output none"; however, using the no form of the command is not removing it from the running config. Has anyone tried removing them under the vty line?

R1#show run | sec line
 line vty 0 4
 privilege level 15
 password cisco
 login
 transport input none
 transport output none
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#no transport output   --> tried removing them
R1(config-line)#no transport input    --> tried removing them
R1(config-line)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show run | sec line
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input none   ==> still there
 transport output none  ==> still there

TIA
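
The vty block in the post is a good specimen for a configuration audit: a line password in clear text, `login` against that password, privilege 15 on connect, and no idle timeout. The script below is an added example, not code from the original post: it extracts `line` blocks from a running-config and flags the usual vty hardening gaps. The posted block is used as the first sample; the hardened block, the severity labels and the specific checks (SSH-only transport, access-class, exec-timeout) are this example's own choices, not a vendor rule set.

```python
"""Audit 'line vty' blocks of an IOS running-config for common hardening gaps.

Added example, not code from the original post. POSTED_CONFIG is the vty block
shown above; HARDENED_CONFIG is constructed. The checks are this script's own
choices. Note on the commands the post asks about, not checked here:
'exec-timeout' is the idle timer of the EXEC session on the line itself;
'session-timeout' is the idle timer for a connection opened *from* the line;
'session-limit' caps how many such outgoing connections the line may have.
"""
import re

EXEC_TIMEOUT_RE = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")

POSTED_CONFIG = """\
R1#show run | sec line
 line vty 0 4
 privilege level 15
 password cisco
 login
 transport input none
 transport output none
"""

HARDENED_CONFIG = """\
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_line_blocks(config):
    """Return {'vty 0 4': [sub-commands], ...} for every 'line ...' block in the text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if text.startswith("line "):
            current = text[5:]
            blocks[current] = []
        elif current is not None and raw[:1].isspace():
            blocks[current].append(text)
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_vty(cmds):
    """Return [(severity, finding), ...] for one vty block; empty means nothing flagged."""
    findings = []
    transport_in = [c.split()[2:] for c in cmds if c.startswith("transport input")]
    protos = transport_in[-1] if transport_in else None
    if any(c.startswith("password ") for c in cmds):
        findings.append(("high", "line password configured; prefer 'login local' or AAA"))
    if "login" in cmds:
        findings.append(("medium", "'login' authenticates against the line password only"))
    if "privilege level 15" in cmds:
        findings.append(("medium", "sessions start at privilege 15 with no enable step"))
    timeouts = [EXEC_TIMEOUT_RE.match(c) for c in cmds if c.startswith("exec-timeout")]
    if not timeouts:
        findings.append(("low", "no exec-timeout; the IOS default idle EXEC timeout of 10 minutes applies"))
    elif timeouts[-1] and int(timeouts[-1].group(1)) == 0 and int(timeouts[-1].group(2) or 0) == 0:
        findings.append(("high", "exec-timeout 0 0 disables the idle EXEC timeout"))
    if protos is None:
        findings.append(("high", "no 'transport input' statement; the platform default applies"))
    elif protos == ["none"]:
        findings.append(("info", "transport input none: no remote access to this line at all"))
    elif protos != ["ssh"]:
        findings.append(("high", "transport input allows %s; restrict it to ssh" % " ".join(protos)))
    if protos != ["none"] and not any(c.startswith("access-class") for c in cmds):
        findings.append(("medium", "no access-class; any source may connect to the line"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, cmds in parse_line_blocks(cfg).items():
            print("[%s] line %s" % (label, name))
            for severity, finding in audit_vty(cmds) or [("ok", "nothing flagged")]:
                print("  %-6s %s" % (severity, finding))
```

Run against the posted block it reports the clear-text password, the password-only `login`, privilege 15, the missing exec-timeout and the fact that `transport input none` leaves no remote access at all; the hardened block produces no findings.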

VRF Aware DMVPN


Hi,

For all of these DMVPN tasks, I have been building them in sections, i.e. first build the tunnels, then build the IGP, then build the IPsec and add it to the tunnel.

At all stages I have been able to test the tunnel connectivity. So for example after I build up the tunnels in the previous questions, with R1-R4 being spokes and R5 being the hub, I can ping all tunnel addresses such as 155.1.0.1 - 5 on all DMVPN routers. Then I can continue with the IGPs and IPsec also and still all would be fine.

On this task however, when I build the tunnels, I cannot get R5 to ping R6 and vice versa. So neither of them will ping 155.1.0.5 or 155.1.0.6. They can ping their own interfaces alright. I have the VRFs set up correctly and am following the solutions guide also.

If I issue sh dmvpn on both routers, R5 can see R6 but it's NEVER established. R6 sees nothing??

In this task, is it any different to the others? Do I have to have the IGP and the IPsec sections built before the basic VRF section will work? I wouldn't have thought so, but I'm having no luck with this task at all :o - a little stumped at this stage. I've shut the tunnels down and unshut them many times, but I just keep getting the same results. R5 and R6 can ping each other via the VRF no problem, i.e. (6.6.6.6 and 155.1.45.5), but I can't get any connectivity between 155.1.0.5 and 155.1.0.6????

Any help would be appreciated...

Thanks,
Ian. 


L2TP and split tunnel


Hi all,

as you know the Cisco IPsec VPN client is no longer supported, and if you want to use the remote access VPN without buying the AnyConnect license, one solution is to use the native Windows L2TP over IPsec client.

I configured the ASA and the L2TP over IPsec VPN is working fine, but I have a problem with the split tunnel.

By removing the flag "use default network on remote gateway" in the Windows VPN configuration I've enabled the split tunnel.

But even though I have specified the ACL for the split tunnel in the ASA configuration, the only route that I find in the client routing table is for the classful network of the client IP pool.

I tried to use "intercept-dhcp" as mentioned in some Cisco doc but without success.

any ideas?

Many thanks!

Luca

RS5 WB Advanced Technologies - STP path selection with port priority


I have configured all of this as follows:

interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree port-priority 16

interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree port-priority 0

And I would assume that, given port 20 has a priority of 0, it would become the root port in this network. However, show spanning-tree on any VLAN still shows port 19 as the root port:

 

SW4#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     0018.ba98.aa80
             Cost        38
             Port        21 (FastEthernet0/19)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8202   (priority 8192 sys-id-ext 10)
             Address     0018.73c7.5d00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Root FWD 19         16.21   P2p
Fa0/20              Altn BLK 19          0.22   P2p
Fa0/23              Altn BLK 19        128.25   P2p
Fa0/24              Altn BLK 19        128.26   P2p

Why isn't port 20 assuming the root port role? I also shut port 19, thinking 20 might acquire the role. That didn't work either.

Thanks

 

Dean
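
The root-port decision in the output above is a tie on root path cost (19 on both uplinks, 38 total), so the remaining 802.1D tie-breakers decide. The script below is an added example, not code from the original post: it implements the 802.1D-2004 priority-vector ordering (root ID, root path cost, sender bridge ID, sender port ID, and only then the receiving port's own port ID) and evaluates SW4's two uplinks with it. SW4's root ID, costs and local port IDs (16.21 and 0.22) are taken from the output above; the upstream bridge ID and the port IDs it sends are constructed, because the post does not show the BPDUs SW4 receives.

```python
"""Root-port election on a non-root bridge in the 802.1D tie-break order.

Added example, not code from the original post. ROOT, the port costs and the
local port IDs come from the 'show spanning-tree' output above; UPSTREAM and
the sender port IDs are constructed, since the received BPDUs are not shown.
"""


def bridge_id(priority, mac):
    """Bridge ID orders as (priority, MAC); lower wins."""
    return (priority, mac.lower())


def port_id(priority, number):
    """Port ID orders as (priority, port number); lower wins."""
    return (priority, number)


def priority_vector(candidate):
    """802.1D-2004 17.6 ordering: root ID, root path cost (received cost plus the
    receiving port's cost), sender bridge ID, sender port ID, receiver port ID."""
    return (candidate["root_id"],
            candidate["root_path_cost"] + candidate["port_cost"],
            candidate["sender_bridge_id"],
            candidate["sender_port_id"],
            candidate["local_port_id"])


def choose_root_port(candidates):
    """Return the candidate (a port that received a BPDU) with the best priority vector."""
    if not candidates:
        raise ValueError("no BPDUs received: this bridge is the root or isolated")
    return min(candidates, key=priority_vector)


ROOT = bridge_id(4106, "0018.ba98.aa80")           # from the output above
UPSTREAM = bridge_id(8192 + 10, "0018.0000.0001")  # constructed sender bridge


def sw4_candidates(shared_segment=False):
    """SW4's two uplinks as in the post. With shared_segment=True both ports hear
    the very same BPDU (same sender port ID), the only case in which SW4's own
    port priority is reached in the comparison."""
    sent_on_19 = port_id(128, 19)
    sent_on_20 = sent_on_19 if shared_segment else port_id(128, 20)
    common = {"root_id": ROOT, "root_path_cost": 19, "port_cost": 19,
              "sender_bridge_id": UPSTREAM}
    return [
        dict(common, port="Fa0/19", sender_port_id=sent_on_19, local_port_id=port_id(16, 21)),
        dict(common, port="Fa0/20", sender_port_id=sent_on_20, local_port_id=port_id(0, 22)),
    ]


if __name__ == "__main__":
    print("separate links :", choose_root_port(sw4_candidates())["port"])
    print("shared segment :", choose_root_port(sw4_candidates(shared_segment=True))["port"])
```

With two separate links to the upstream switch the sender's port IDs differ and decide the tie before SW4's local port priority is ever consulted, so Fa0/19 stays root port whatever priority is set on Fa0/20; only when both ports receive the identical BPDU does the local port ID break the tie.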

Mcast Resources


Surely this question was asked many times before, but now that I am about to finish learning PIM from the book Developing IP Multicast Networks vol. 1, other than TCP/IP vol. II, are there any additional resources to improve our knowledge about it, regardless of the track (R&S, SP or even DC)?

Which modern book do you recommend regarding switching at expert level, other than the Cert Guide?

Many thanks in advance

Cisco 10000 ESR


As Cisco 10000 ESR is EOL, I have 2 of them.

How can I make use of these devices? 

 

 

 

who is Petr Lapukhov ?


hi,

 

I know him from the blogs he writes at http://blog.ine.com/

His posts are really unique because of the level of detail he covers; I'm just wondering why he does not appear in any INE video.

Does he do bootcamps for Cisco certifications?

Also, I think he has not posted any thread for a long time!

 

 

NAT for MPLS-VPN (For shared resources or internet access)


I've been trying to find information on the topic of NAT used at either the egress or ingress PE in an MPLS VPN network. One of the articles that I've found that does a "decent" job discussing the matter is this one:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080b40929.shtml

But yet I find that it's lacking a thorough explanation. It's definitely a new concept for me, especially NAT when used at the egress PE. There is a missing piece to the puzzle that I have not been able to fit.

Have any of you found any good reads regarding this topic? I am having a difficult time wrapping my head around it.

 

CCNP Lab


Hello,

I am getting ready to go to an INE CCNP R&S Bootcamp in a few weeks. A few weeks later I am scheduled to take CCNP ROUTE, but I am thinking about trying to change it to CCNP SWITCH if Pearson VUE will let me, since a lot of people suggest taking that first. Right now I am working my way through the CCNP R&S V2 video course and I have an HP DL360 G6 server with 84GB RAM at my house. I have installed VMware ESXi 5.5 onto my server and have managed to install one CSR 1000V on it so far. I also have 500 rack rental tokens I am able to use for my studies, so I was wondering what recommendations there are for setting up my lab. I have a bit of experience with GNS3 so I could continue using that, or I have also looked into possibly using VIRL. I don't think I will have too much issue setting up routers, but I would like to do virtual switches as well. I read that in VIRL I can do L2 switching but I haven't tried it yet. I also heard about IOU, but that is supposedly only for Cisco use and not available to the general public.

If anyone has any suggestions it would be greatly appreciated. Thanks!

Regards,

Cory


BGP routing loop caused by outbound route-map


Hi all,

I managed to trip over a routing loop in BGP just by changing the local preference in an outbound route-map between two routers running IBGP.

I was using the following topology:

                         +-+-+-+-+    
                         |   R2  |    
          +-+-+-EBGP-+-+-+  AS 2 |    
          |              +-+-+-+-+    
          |                  |        
      +-+-+-+-+              |        
      |   R1  |            IBGP       
      |  AS 1 |              |        
      +-+-+-+-+              |        
          |              +-+-+-+-+    
          |              |   R3  |    
          +-+-+-EBGP-+-+-+  AS 2 |    
                         +-+-+-+-+    

 

R1 was in AS 1

R2 and R3 were in AS 2

R1 was advertising 1.1.1.1/32 to R2 and R3 via EBGP

R2 and R3 were connected via IBGP

During testing I used an outbound route-map between R2 and R3 to set the local preference of 1.1.1.1/32 to 1000.

This caused R2 and R3 to both consider each other the best path to 1.1.1.1/32, which resulted in a loop.

It was my naive belief that routing loops are only caused by bad redistribution or misconfigured static routes. It was a surprise to me that a simple outbound BGP policy could cause this.

The fix in this case was to change to an inbound route-map on R2 and R3 to set local preference on the EBGP sessions from R1.

So have I missed something fundamental with BGP route-maps? Are BGP outbound policies vulnerable to loops in general?

I can't be the only person to run into this type of issue. Would love to see some references to documents/case studies.

 

Thanks,

Bob
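
The loop described above falls straight out of the best-path algorithm: LOCAL_PREF is compared before the eBGP-versus-iBGP step, so an iBGP path stamped with 1000 beats the eBGP path from R1 at 100 on both routers, and each router's best next hop becomes the other router. The script below is an added example, not code from the original post: it models one round of best-path selection on R2 and R3 for the two policies the post compares (outbound LOCAL_PREF on the iBGP session versus inbound LOCAL_PREF on the eBGP sessions) and walks the resulting next hops to detect the loop. Its simplifications are assumptions: only LOCAL_PREF, AS_PATH length and eBGP-over-iBGP are evaluated, the iBGP session is modelled with next-hop-self, and the withdraw/re-advertise churn that would follow in a real network is not modelled.

```python
"""One round of BGP best-path selection on R2 and R3 for the topology above,
then a forwarding walk that shows the loop.

Added example, not code from the original post. Assumptions: only LOCAL_PREF,
AS_PATH length and eBGP-over-iBGP are compared; the iBGP session uses
next-hop-self, so a path learned from the iBGP peer forwards to that peer;
only one round of selection is evaluated.
"""
PREFIX = "1.1.1.1/32"


def best_path(paths):
    """Highest LOCAL_PREF wins, then shortest AS_PATH, then eBGP over iBGP."""
    return min(paths, key=lambda p: (-p["local_pref"], len(p["as_path"]),
                                     0 if p["type"] == "ebgp" else 1))


def build_as2(outbound_lp=None, inbound_lp=None):
    """Paths for PREFIX as R2 and R3 see them.

    outbound_lp: LOCAL_PREF each router's *outbound* iBGP route-map stamps on the
                 path it sends, i.e. what the peer receives on the iBGP path.
    inbound_lp:  LOCAL_PREF each router's *inbound* route-map stamps on the eBGP
                 path from R1; LOCAL_PREF is then carried unchanged over iBGP.
    """
    ebgp_lp = 100 if inbound_lp is None else inbound_lp
    ibgp_lp = ebgp_lp if outbound_lp is None else outbound_lp
    routers = {}
    for me, peer in (("R2", "R3"), ("R3", "R2")):
        routers[me] = [
            {"from": "R1", "type": "ebgp", "local_pref": ebgp_lp, "as_path": [1], "next_hop": "R1"},
            {"from": peer, "type": "ibgp", "local_pref": ibgp_lp, "as_path": [1], "next_hop": peer},
        ]
    return routers


def forwarding_walk(routers, start, max_hops=8):
    """Follow each router's best-path next hop from `start`.

    Returns (hops, looped); the walk ends at a router outside the model (R1)
    or at the first router seen twice."""
    hops, node = [start], start
    while node in routers and len(hops) <= max_hops:
        node = best_path(routers[node])["next_hop"]
        hops.append(node)
        if hops.count(node) > 1:
            return hops, True
    return hops, False


if __name__ == "__main__":
    for label, kw in (("outbound route-map, LP 1000", {"outbound_lp": 1000}),
                      ("inbound route-map, LP 1000", {"inbound_lp": 1000})):
        hops, looped = forwarding_walk(build_as2(**kw), "R2")
        print("%-28s %s  loop=%s" % (label, " -> ".join(hops), looped))
```

With the outbound policy the walk from R2 goes R2, R3, R2 and stops on the repeat; with the inbound policy both routers hold LOCAL_PREF 1000 on the eBGP path as well, the tie falls through to eBGP-over-iBGP, and the walk ends at R1.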

Question About subnet mask


Hi everyone,

when I type

interface loopback 0
ip address 1.1.1.1 255.255.255.0

interface loopback 1
ip address 1.1.0.1 255.255.255.0

why doesn't the router accept this command?

And it gives me this syslog message:

% 1.1.0.0 overlaps with Loopback0

Each of these networks is in a different subnet,

so why doesn't the router accept these IP addresses?

DMVPN + NAT - Why Transport Mode Required


This is something I have been thinking about. Recently, I was labbing up a scenario with basic DMVPN phase 1. The spoke is behind dynamic PAT and the hub is behind a static NAT. Everything looked fine, but the tunnel would not come up at all. Phase 1 completed fine, but phase 2 would not finish. On the spoke side, it actually showed IPsec SAs, but no packets encrypted. Packet errors increasing on the SA. On the hub side, it never showed any SAs, and a debug crypto ipsec revealed the following:

Mar 25 21:22:56.616 EDT: map_db_find_best did not find matching map

Now, as soon as I flipped over to transport mode everything worked immediately. There are 2 things I want to understand after researching this for some time now:

1) Why did the tunnel itself not come up at phase 2? I would expect that the tunnel would come up but DMVPN/NHRP just would not work, based on what I have read.

2) This is the meat of my question.  I understand it would not work in tunnel mode because of NHRP.  Apparently, the reason is because during NHRP registration, the hub looks at the NBMA address in the NHRP packet and compares it against the source IP address in the GRE IP header.  If they don't match, it knows there is a NAT involved. In tunnel mode, the GRE IP header is encrypted, and in transport mode it is not, so this makes sense to me. 

Here is my visualization of the stacks...

Tunnel Mode w/ NAT-T: [ESP IP Header][UDP][ESP][GRE IP Header][GRE][NHRP]

Transport Mode w/ NAT-T: [GRE IP Header][UDP][ESP][GRE][NHRP]

So, here is my doubt.  Everything I read says the reason transport mode is needed is because the GRE IP header is not encrypted.  OK, I get that.  But, the NHRP packet is still encrypted. So, if the router wants to compare the NBMA address in the NHRP packet with the source IP in the GRE IP header, it still has to decrypt the packet first.  If we were to use tunnel mode, I get that the GRE IP header is encrypted, but again, we have to decrypt the packet anyways to get to the NHRP data inside.  I guess I don't get why tunnel mode can't be used.  In both situations, we have to decrypt the packet anyway.

 

 

Task 2.4,5,6


Hi,

I have a few questions about these requirements.

Firstly, R7 acts as the ZPF between VLAN 17 and VLAN 76,

and we have the following traffic:

1- The management WSA traffic (src = 130.1.91.0, dest = WSA M1 IP)

    The inspect action is applied (VLAN17 -> 76), so no worry about the reverse direction.

2- R1 redirected HTTP traffic (src = 130.1.91.0, dest = any eq 80)

    The inspect action is applied (VLAN17 -> 76). My point here is that when the WSA P1 interface puts that traffic back and spoofs the users' source IP, it will have the same (src, dst), but this time the flow is (VLAN76 -> 17). My question is how the firewall will allow that, as there is a state entry from the first inspect and it now expects (src, dst) to be swapped, but receives them the same. Is it going to drop such traffic, as the ASA may do in such a case? Is it more sensible to just PASS them from (17 to 79) and then inspect from (79 to 17) normally for the reply back from SW1 to the test PC address spoofed by the WSA?

Another question regarding DNS traffic: the WSA P1 and M1 are both configured as proxy ports; when the WSA makes a DNS query, which port will it source that from? The solution opened a hole for M1 only on the ASA1 outside interface; why not P1?

 

 

GETVPN and Interface ACL order of operations


Hi,

I was trying out GETVPN and I have a simple setup between 3 GETVPN routers.

Since for GETVPN reachability to the remote subnets is required, due to transport mode and the lack of an additional header, I thought that to protect the outer interface and ensure that all traffic is actually encrypted I would apply an ACL like this:

access-list 100 permit esp any any
int f0/0
 ip access-group 100 out

so that this will ensure only encrypted traffic leaves the interface.

To my surprise, they were actually dropped. Upon logging on the ACL I see they are hitting the "deny ip any any".

Is this expected behaviour?

What is the order of operations involving crypto and interface ACLs when using GETVPN?
