Tuesday, September 30, 2008
Frame Relay Traffic Shaping - Part II
int s2/0
frame-relay traffic-shaping
frame-relay interface-dlci x
class generic
frame-relay interface-dlci y
class generic
frame-relay interface-dlci z
class generic
However this can also be achieved by simplying applying the class under the main physical interface.
Int s2/0
Frame-relay class generic
Frame Relay Traffic Shaping - Part I
A mock lab question stated apply a CIR of 128000 to an interface, ensure the minumum tc value is used and ensure no bursting above this rate is allowed.
The initial solution I applied was as follows…
I) create a frame-relay map class and apply the necessary parameters
map-class frame-relay 204
frame-relay tc 10
frame-relay cir 128000
frame-relay be 0
II) turn on traffic shaping and apply to the interface
Int s2/0
Frame-relay traffic-shaping
Frame-relay interface-dlcI 204
Class 204
To verify my solution I used the show traffic-shape command
Access Target Byte Sustain Excess Interval Increment Adapt VC List Rate Limit bits/int bits/int (ms) (bytes) Active
204 128000 2000 128000 0 125 2000 -
I noticed from the above that despite explicitly setting the tc in the map-class statement it was NOT in use, instead the default 125 ms tc was still in effect!
In fact the correct method to manipulate the tc is by indirectly setting the bc (committed burst). Remembering the formula Bc = CIR * tc…
Now adjusting my solution accordingly I achieved the required result.
#map-class frame-relay 204
#no frame-relay tc 10
#frame-relay bc 1280
Show traffic-shape Interface Se2/0
Access Target Byte Sustain Excess Interval Increment Adapt
VC List Rate Limit bits/int bits/int (ms) (bytes) Active
204 128000 160 1280 0 10 160 -
Monday, September 29, 2008
Dot1x Authentication
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1025133
Following the doc cd the config would be as follows:-
configure terminal
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 1.2.3.4
radius-server key CISCO
int fa0/8
switchport mode access
dot1x port-control auto
One item of concern here is to not inadvertently lock yourself out of the switch. Once dot1x is enabled this will be used for all interfaces, console and vty, and unless an alternative method is specified username and password will be prompted for, even if not configured! Hence this needs to be addressed in the solution. I show a couple of workarounds here:-
The sledgehammer approach:
aaa authentication login default none
A more granular approach:
aaa authentication login myvty none
aaa authentication login mycon none
line vty 0 4
login authentication myvty
line con 0
login authentication mycon
One further point to err on the side of caution. Before logging out of the switch do NOT save the config and issue the reload in 5 command. This way if there is an error in your script at least you will be able to get back in if you wait 5 minutes! Of course if all is OK and access is granted simply cancel the reload (reload cancel) and save the config. A useful backdoor when changing access configuration to any device.
N.B.
Once dot1x is globally enabled access ports are NOT entered into dot1x control by default. The default is NO dot1x - this can be seen by executing the 'show dot1x' command. To enable dot1x do so as specified above i.e. dot1x port-control auto. Any attached device will NOT get any access until the radius credentials have been satisfied. Two other dot1x states that can be set are 'force-authorised' and 'force-unauthorised'.
N.B.B
An alternative to
aaa authentication login myvty none
is
aaa authentication login myvty line
the later then requires standard vty password to be set.
i.e.
config-line#password cisco
and
config#enable password cisco
Sunday, September 28, 2008
Link Aggregation Control Protocol (LACP) and Priorities
Ports can be configured as active or passive, determining if they will actively negotiate to become an ether channel or simply respond to incoming requests.
Alongside this LACP utilises the concept of system and port priorities. Both system priority and port priorities are configured dynamically by the switch and hence why they may go unnoticed during standard ether channel config.
The LACP system priority and port priorities are 2 byte values and by default are assigned value 32768. The system priority determines which switch makes the decisions on ports that will be bundled into the ether channel. The lowest value determines who is in change and is set in global configuration using
#lacp system-priority 100
The port priority determines the pecking order in terms of which ports are assigned to the etherchannel. LACP supports up to 16 member ports per group but will only allow 8 to be active at once. The ports with the lowest port priority will join the ether channel first (assuming all ports are eligible).
Config-if#lacp port-priority 100
Verification commands include
Show lacp sys-id
Show lacp neighbor
Show lacp internal
Saturday, September 27, 2008
Gateway Load Balancing Protocol (GLBP)
A cisco proprietary protocol that is another default gateway router redundancy protocol that sits alongside HSRP and VRRP. With the later protocols one router is active within the group. This can reduce the upstream forwarding capabilities. GLBP removes this potential limitation by enabling more than 1 router to be active at the same time.
This extra forwarding capability is achieved by the GLBP protocol responding with multiple MAC addresses when it receives ARP requests. As such the algorithm used to load balance is NOT true ‘load balancing’ in the manner that this word is often used to describe. In reality it will distribute load based on the source of the traffic.
From R1 and R7 in the example i ping the default gateway address of 10.0.0.254 and then examine the router arp tables:
Router_1#s arp inc 10.0.0.254
Internet 10.0.0.254 2 0007.b400.0101 ARPA FastEthernet0/0
Router_7#s arp inc 10.0.0.254
Internet 10.0.0.254 1 0007.b400.0102 ARPA FastEthernet0/0
As displayed they each have a different mac address for the default gateway. We can examine the GLBP status on router 2 and determine the vmac address of each router
Router_2#s glbp brief
Interface Grp Fwd Pri State Address Active router Standby route
Fa0/0 1 - 100 Active 10.0.0.254 local 10.0.0.3
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 10.0.0.3 -
It can be seen from the output that R2 owns 0007.b400.0101 and R3 owns 0007.b400.0102. GLBP is working!
GLBP can then be tweeked to optimise the load balancing capabilities. The commands glbp {group} load-balancing [host-dependent round-robin weighted ] can be used.
GLBP weighting can even be used to decide when a router can become eligible to become an AVF within a group.
Here i introduce glbp weighting to R3. With the applied config r3 will be an AVF as long as its weighting remains above the lower threshold of 96.
Router 3
track 10 interface fastehernet 1/0 ip routing
interface fasethernet 1/0
glbp 1 weighting 100 lower 96 upper 99
glbp 1 weighting track 10 decrement 50
When i applied the config upstream interface fa1/0 was fully operational. I then proceeded to take down the interface, and consequently the glbp weight was decremented by 50 and the router was no longer eligible to be an AVF.
This can be seen from the output of the show glbp command on R2:
Router_2#s glbp brief
Interface Grp Fwd Pri State Address Active router Standby route
Fa0/0 1 - 100 Active 10.0.0.254 local 10.0.0.3
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Active 0007.b400.0102 local -
The active virtual forwarder for both VMACS is now router 2 (10.0.0.2).
Friday, September 26, 2008
Cisco IOS privilege levels
To access the complete command set users enter privilege exec mode by typing ‘enable’ and by default this moves the user to privilege level 15. As such this represents an ‘all or nothing’ approach to providing access within the IOS.
Within the IOS command set it is possible to configure further privilege levels that furnish access to pre-defined commands only. Thus providing a more graded approach to access.
First to view the default privilege level of commands this can be done by making use of the show parser dump command. For example
R3#show parser dump exec inc show ip interface brief
1 show ip interface brief
R3#show parser dump exec inc debug ip packet detail
15 debug ip packet detail
15 no debug ip packet detail
15 undebug ip packet detail
In the above show ip interface brief can be seen as available at privilege level 1, whereas debug ip packet detail is available at privilege level 15.
As an example I make the debug ip packet detail command available at level 7. There are 2 steps involved: create the enable password for level 7 and then redefine the privilege level of the required command.
R3(config)#enable password level 7 RICH
R3(config)#privilege exec level 7 debug ip packet detail
R3(config)#privilege exec level 7 undebug ip packet detail
I then validate my solution….
R3>show privilege
Current privilege level is 1
Indicates current privilege level as 1
R3>debug ip packet detail
^
% Invalid input detected at '^' marker.
Indicates command is not available at privilege level 1
R3>enable 7
Password:
R3#debug ip packet detail
IP packet debugging is on (detailed)
I log into privilege level 7 and I am now able to execute said command!
It is possible to assign users to specific privilege levels by default at login time. This can be achieved in either at the user level (see below)
R3(config)#username rich privilege 7 password rich
R3(config)#line vty 0 4
R3(config-line)#privilege level 7
On the cisco doc cd the info is available under IOS Security Guide Configuration
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html
Thursday, September 25, 2008
OSPF routing part II - discard routes
This default behavior can be turned off with the use of the 'no discard-route' at the ospf config router prompt.
config-router#no discard-route internal
config-router#no discard-route external
OSPF routing part I - RFC1583 vs RFC2328
The usage guidelines states
Because of the introduction of RFC 2328, OSPF Version 2, the method used to calculate summary route costs has changed. Use the no compatible rfc1583 command to enable the calculation method used per RFC 2328.
IMO this description, especially in the midst of a CCIE lab, would not be that helpfull in terms of understanding how and when to use this command. It doesn't really give enough context, unless you reference the RFC documentation which of course will not be available to you in the lab. Hence i have written the following to further expand on the use of this command in the OSPF routing protocol.
In the first implementation of OSPF (RFC1583) the summary route would assume the cost of the granular route with the lowest cost. This was and still is the default behaviour on Cisco routers.
When OSPF RFC 2328 came along this was changed so that the summary route assumes the cost of the granular route with the highest cost.
To enable the behaviour of RFC 2328 execute 'no compatible rfc1583' at the config router prompt. It is necessary to enable this command on all routers in the OSPF domain. If not the summary route from ABRs usind RFC 1583 will be chosen in preference, since the cost they are advertising will be lower.