Sunday, 25 November 2007
securing vty with ssh
1. generate crypto key
R3(config)#ip domain-name test.com
R3(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: R3.test.com
% The key modulus size is 512 bits
% Generating 512 bit RSA keys ...[OK]
R3(config)#
*Nov 25 19:45:10.421: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#user cisco pas cisco
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#tra
R3(config-line)#transport in ssh
R3(config-line)#^Z
R3#
test it:
R6#ssh -l cisco 24.1.3.3
Password:
R3>
that's it
CCO resources:
http://www.cisco.com/warp/public/707/ssh.shtml
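An added example (not part of the original post and not Cisco's code): a small Python check that reads the settings used above and reports the ones worth tightening before this leaves a lab. The sample config is constructed from R3's commands; the 2048-bit floor and the access-class check are assumptions of this example.

```python
import re

# Constructed sample: R3's commands from the post above, laid out as they
# would sit in a saved configuration (not a capture from the lab).
SAMPLE_CONFIG = """\
ip domain-name test.com
crypto key generate rsa general-keys modulus 512
username cisco password cisco
line vty 0 4
 login local
 transport input ssh
"""

MIN_RSA_BITS = 2048  # assumption: local policy floor, not a value from the post


def vty_sections(lines):
    """Yield (header, sub-commands) for every 'line vty' block."""
    header, body = None, []
    for ln in lines:
        if header and ln.startswith(" "):
            body.append(ln.strip())
            continue
        if header:
            yield header, body
            header, body = None, []
        if ln.startswith("line vty"):
            header = ln
    if header:
        yield header, body


def audit_ssh_vty(config):
    """Return (check_id, message) findings for the SSH/VTY settings."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        m = re.search(r"crypto key generate rsa\b.*\bmodulus (\d+)", ln)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(("rsa-modulus",
                             f"{m.group(1)}-bit key, want >= {MIN_RSA_BITS}"))
        m = re.match(r"username (\S+) password (?:\d )?(\S+)", ln)
        if m:
            findings.append(("user-password",
                             f"{m.group(1)}: stored with 'password', not 'secret'"))
            if m.group(1) == m.group(2):
                findings.append(("user-trivial",
                                 f"{m.group(1)}: password equals the username"))
    if "ip ssh version 2" not in lines:
        findings.append(("ssh-version",
                         "no 'ip ssh version 2': SSH 1.99 also accepts v1 clients"))
    for header, body in vty_sections(lines):
        if [b for b in body if b.startswith("transport input")] != ["transport input ssh"]:
            findings.append(("vty-transport",
                             f"{header}: inbound transport not limited to ssh"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("vty-acl",
                             f"{header}: no access-class limiting source addresses"))
    return findings


if __name__ == "__main__":
    for check, msg in audit_ssh_vty(SAMPLE_CONFIG):
        print(f"{check}: {msg}")
```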
IS-IS over Frame Relay
I have a setup where R3 and R2 are connected through a FR cloud (PVC). The connection is configured on the major interface, and inverse ARP is also in place:
R2#
!
interface Serial0/0
ip address 24.1.23.2 255.255.255.0
ip router isis
encapsulation frame-relay
no fair-queue
clockrate 128000
no dce-terminal-timing-enable
!
router isis
net 49.1a33.0000.1801.0202.00
log-adjacency-changes
!
R3#
!
interface Serial0/1/0
ip address 24.1.23.3 255.255.255.0
ip router isis
encapsulation frame-relay
no fair-queue
clockrate 128000
!
router isis
net 49.1a33.0000.1801.0303.00
log-adjacency-changes
!
R2#sho frame map
Serial0/0 (up): ip 24.1.23.3 dlci 203(0xCB,0x30B0), dynamic,
broadcast,
CISCO, status defined, active
R2#sho clns in ser 0/0
Serial0/0 is up, line protocol is up
Checksums enabled, MTU 1500, Encapsulation FRAME-RELAY
ERPDUs enabled, min. interval 10 msec.
CLNS fast switching enabled
CLNS SSE switching disabled
DEC compatibility mode OFF for this interface
Next ESH/ISH in 36 seconds
Routing Protocol: IS-IS
Circuit Type: level-1-2
Interface number 0x1, local circuit ID 0x2
Level-1 Metric: 10, Priority: 64, Circuit ID: R2.02
DR ID: 0000.0000.0000.00
Level-1 IPv6 Metric: 10
Number of active level-1 adjacencies: 0
Level-2 Metric: 10, Priority: 64, Circuit ID: R2.02
DR ID: 0000.0000.0000.00
Level-2 IPv6 Metric: 10
Number of active level-2 adjacencies: 0
Next IS-IS LAN Level-1 Hello in 7 seconds
Next IS-IS LAN Level-2 Hello in 7 seconds
R2#sho isis nei
System Id Type Interface IP Address State Holdtime Circuit Id
R2#
R3#sho frame map
Serial0/1/0 (up): ip 24.1.23.2 dlci 302(0x12E,0x48E0), dynamic,
broadcast,
CISCO, status defined, active
R3#
R3#
R3#
R3#
R3#sho clns int ser 0/1/0
Serial0/1/0 is up, line protocol is up
Checksums enabled, MTU 1500, Encapsulation FRAME-RELAY
ERPDUs enabled, min. interval 10 msec.
CLNS fast switching enabled
CLNS SSE switching disabled
DEC compatibility mode OFF for this interface
Next ESH/ISH in 31 seconds
Routing Protocol: IS-IS
Circuit Type: level-1-2
Interface number 0x1, local circuit ID 0x2
Level-1 Metric: 10, Priority: 64, Circuit ID: R3.02
DR ID: 0000.0000.0000.00
Level-1 IPv6 Metric: 10
Number of active level-1 adjacencies: 0
Level-2 Metric: 10, Priority: 64, Circuit ID: R3.02
DR ID: 0000.0000.0000.00
Level-2 IPv6 Metric: 10
Number of active level-2 adjacencies: 0
Next IS-IS LAN Level-1 Hello in 6 seconds
Next IS-IS LAN Level-2 Hello in 3 seconds
R3#sho isis nei
System Id Type Interface IP Address State Holdtime Circuit Id
R6 L1 Fa0/0 24.1.36.6 UP 29 R3.01
R6 L2 Fa0/0 24.1.36.6 UP 29 R3.01
R3#
Real problem!!!! Everything seems OK but no adjacencies are built :(
Let's debug isis
R2#debug isis adj-packets
R2#
*Apr 20 12:23:50.695: ISIS-Adj: Sending L2 LAN IIH on Loopback0, length 1514
*Apr 20 12:23:51.143: ISIS-Adj: Encapsulation failed for L2 LAN IIH on Serial0/0
*Apr 20 12:23:51.671: ISIS-Adj: Encapsulation failed for L1 LAN IIH on Serial0/0
*Apr 20 12:23:55.111: ISIS-Adj: Sending L1 LAN IIH on Loopback0, length 1514
*Apr 20 12:23:58.467: ISIS-Adj: Sending L2 LAN IIH on Loopback0, length 1514
*Apr 20 12:23:59.479: ISIS-Adj: Encapsulation failed for L1 LAN IIH on Serial0/0
*Apr 20 12:24:00.351: ISIS-Adj: Encapsulation failed for L2 LAN IIH on Serial0/0
*Apr 20 12:24:04.195: ISIS-Adj: Sending L1 LAN IIH on Loopback0, length 1514
*Apr 20 12:24:07.039: ISIS-Adj: Sending L2 LAN IIH on Loopback0, length 1514
*Apr 20 12:24:07.979: ISIS-Adj: Encapsulation failed for L2 LAN IIH on Serial0/0
*Apr 20 12:24:08.475: ISIS-Adj: Encapsulation failed for L1 LAN IIH on Serial0/0
R2#
Some technological background: IS-IS does not run on top of IP. It uses its own protocol nr xxx.
The problem is clear: the frame relay map is not mapping CLNS next hop addresses.
Let's help it:
R2(config-if)#frame-relay map clns 203 br
R2(config-if)#
*Apr 20 12:29:41.923: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R3 (Serial0/0) Up, new adjacency
*Apr 20 12:29:47.923: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R3 (Serial0/0) Down, adjacency type changed
*Apr 20 12:29:48.923: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R3 (Serial0/0) Up, new adjacency
R2(config-if)#^Z
R2#sho fr
*Apr 20 12:30:21.175: %SYS-5-CONFIG_I: Configured from console by consolea
R2#sho frame map
Serial0/0 (up): CLNS dlci 203(0xCB,0x30B0), static,
broadcast,
CISCO, status defined, active
Serial0/0 (up): ip 24.1.23.3 dlci 203(0xCB,0x30B0), dynamic,
broadcast,
CISCO, status defined, active
R2#sho isis nei
System Id Type Interface IP Address State Holdtime Circuit Id
R3 L1 Se0/0 24.1.23.3 UP 7 R3.02
R3 L2 Se0/0 24.1.23.3 UP 7 R3.02
R2#
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int ser 0/1/0
R3(config-if)#frame map cln
R3(config-if)#frame map clns 302 br
R3(config-if)#^Z
R3#
*Nov 25 19:28:12.609: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (Serial0/1/0) Up, new adjacency
*Nov 25 19:28:13.521: %SYS-5-CONFIG_I: Configured from console by console
R3#
Cisco major interfaces are treated as multipoint interfaces by default. That's why we see L1 and L2 adjacencies. On pure p-t-p interfaces we see only L1L2.
R4#sho cln
R4#sho clns int ser 0/0.401
Serial0/0.401 is up, line protocol is up
Checksums enabled, MTU 1500, Encapsulation FRAME-RELAY
ERPDUs enabled, min. interval 10 msec.
CLNS fast switching enabled
CLNS SSE switching disabled
DEC compatibility mode OFF for this interface
Next ESH/ISH in 12 seconds
Routing Protocol: IS-IS
Circuit Type: level-1-2
Interface number 0x2, local circuit ID 0x100
Neighbor System-ID: R1
Level-1 Metric: 10, Priority: 64, Circuit ID: R4.00
Level-1 IPv6 Metric: 10
Number of active level-1 adjacencies: 1
Level-2 Metric: 10, Priority: 64, Circuit ID: R4.00
Level-2 IPv6 Metric: 10
Number of active level-2 adjacencies: 1
Next IS-IS Hello in 1 seconds
if state UP
R4#sho runn int ser 0/0.401
Building configuration...
Current configuration : 134 bytes
!
interface Serial0/0.401 point-to-point
ip address 24.1.14.4 255.255.255.0
ip router isis
frame-relay interface-dlci 401
end
R4#
And finally, different hellos are sent over ptp and ptmp interfaces (LAN hello on ptmp, serial hello on ptp).
something from CCO:
http://www.cisco.com/warp/public/97/isis-frint.html
Saturday, 17 November 2007
IP over ATM
CCO link about static mapping and inarp on ATM technology:
http://www.cisco.com/warp/public/121/routed_rfc1483.html
Like FR, ATM has two possibilities to find the next hop IP address:
1. static mapping
interface ATM2/0/0.116 multipoint
ip address 10.0.0.1 255.0.0.0
no ip directed-broadcast
pvc ip 1/116
protocol ip 10.0.0.2 broadcast
encapsulation aal5mux ip
!
2. inverse arp (inarp)
interface ATM2/0/0.116 multipoint
ip address 10.0.0.1 255.0.0.0
no ip directed-broadcast
protocol ip inarp broadcast
!
Friday, 16 November 2007
ppp over ATM
PPP over ATM is not supported in my LAB so dynamips will help.
info on CCO how to configure ppp termination:
http://www.cisco.com/en/US/products/hw/routers/ps314/products_feature_guide_chapter09186a008007e26a.html
Server is R1
!
interface ATM4/0
no ip address
no atm ilmi-keepalive
pvc 0/102
protocol ppp Virtual-Template1
!
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool test_01
!
router ospf 100
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip local pool test_01 10.1.12.2 10.1.12.4
ip classless
!
Client is R2
!
interface ATM4/0
no ip address
no atm ilmi-keepalive
pvc 0/201
dialer pool-member 1
protocol ppp dialer
!
!
interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 1
dialer persistent
dialer-group 1
!
router ospf 100
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
!
!
dialer-list 1 protocol ip permit
!
Theoretically it must work, but in reality it does not.
after entering clear interface dialer 0 router R2 displays:
*Nov 20 09:35:39.999: Di0 DDR: Dialer cannot nail-up the profile - dialer string not configured
Probably because the PPP client is not to be used on the 7200 series.
Wednesday, 7 November 2007
ppp over frame relay authorization
Nice link on CCO about ppp chap authentication
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml
Following the PPPoFR topic, today I authenticated the PPP session on the server (R6). Nothing special, the standard ppp auth commands do the job:
R6# (server)
!
username R4 password 0 R4test
!
interface Virtual-Template2
ip address 150.2.46.6 255.255.255.0
ppp authentication chap pap
!
R4# (client)
!
interface Virtual-Template2
ip address 150.2.46.4 255.255.255.0
ppp pap sent-username R4 password 0 R4test
!
Tuesday, 6 November 2007
ppp over frame relay
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/pppframe.htm
how it goes:
1. configure virtual-template interface
2. apply this virtual template to frame relay dlci
!
interface Serial0/0.2 point-to-point
frame-relay interface-dlci 406 ppp Virtual-Template2
!
interface Virtual-Template2
ip address 150.2.46.4 255.255.255.0
!
some show commands:
R4#sho int virtual-access 3
Virtual-Access3 is up, line protocol is up
Hardware is Virtual Access interface
Internet address is 150.2.46.4/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoFR vaccess, cloned from Virtual-Template2
Vaccess status 0x44
Bound to Serial0/0.2 DLCI 406, Cloned from Virtual-Template2, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters 00:18:25
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
128 packets input, 8984 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
160 packets output, 9354 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
R4#
next steps within this topic (ppp over fr):
- point-to-multipoint subinterfaces
- frame-relay over main interfaces
- dynamic assignment of ip address (from ppp and dhcp pools)
- pap and chap authentication
Sunday, 4 November 2007
frame relay
- static (using framerelay map and point to point subinterfaces)
- dynamic (using inverse arp)
The simplest is the inverse ARP based configuration. Inverse ARP is responsible for mapping next hop IP addresses to the correct DLCIs. Inverse ARP is enabled by default.
inverse arp on point to multipoint subinterface:
!
interface Serial0/0.2 multipoint
ip address 10.1.13.1 255.255.255.0
no ip route-cache
frame-relay interface-dlci 102
frame-relay interface-dlci 103
!
R1_pod2#sho frame-relay map
Serial0/0.2 (up): ip 10.1.13.2 dlci 102(0x66,0x1860), dynamic,
broadcast,, status defined, active
Serial0/0.2 (up): ip 10.1.13.3 dlci 103(0x67,0x1870), dynamic,
broadcast,, status defined, active
R1_pod2#
Static mapping involves permanent assignments of next hop IP addresses to DLCI values. It is possible to use static mapping on interfaces where inverse ARP is used.
!
interface Serial0/1/0.1 multipoint
ip address 10.1.13.3 255.255.255.0
frame-relay map ip 10.1.13.1 301
frame-relay map ip 10.1.13.2 302
frame-relay interface-dlci 301
frame-relay interface-dlci 302
no frame-relay inverse-arp
!
LMI status messages are very important. By default they are sent every 10 sec. The default behaviour can be changed using:
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int ser 0/1/0
R3(config-if)#
R3(config-if)#keepalive 6
R3(config-if)#^Z
R3#
Monday, 22 October 2007
ospf on pppoe session
For 3640 best is 12.3(14)T7
With 12.2 and 12.4 I was not able to achieve the desired functionality.
The main steps are:
1. On the server side, enable the DHCP server to deliver IP addresses from a pool.
2. On the client, use ip address dhcp to receive a /24 address for the ppp interface!!!
3. On both sides, use ip ospf mtu-ignore to ignore the DBD packet MTU setting (the two sides have different MTU sizes)
here goes configurations:
client:
R3#
!
interface Dialer1
ip address dhcp
encapsulation ppp
ip ospf mtu-ignore
no peer neighbor-route ## this removes connected route to peer - sometimes this can help avoid some ospf flapping
dialer pool 1
dialer idle-timeout 0
dialer persistent
end
!
!
interface Virtual-Template2
ip address 150.1.40.1 255.255.255.0
ip ospf mtu-ignore
no peer neighbor-route ## this removes connected route to peer - sometimes this can help avoid some ospf flapping
peer default ip address dhcp-pool test_02
!
The main problem that can occur when running OSPF on a dial interface is an MTU mismatch between peers. Usually the dialer (client) gets 1500 and the virtual-access gets 1492 (the server calculates the actual one).
OSPF will get stuck in the EXCHANGE state because the DBD packet cannot fit into a 1500 packet.
There are two options:
1. use ip ospf mtu-ignore on the interface configuration level
2. make dialer interface mtu = virtual-access mtu
interface Dialer1
mtu 1492
ip address dhcp
encapsulation ppp
dialer pool 1
dialer persistent
end
A very good explanation of MTU issues is on Ivan Pepelnjak's site:
http://ioshints.blogspot.com/2007/10/tale-of-three-mtus.html
Thursday, 18 October 2007
PPPoE session authentication PAP and CHAP
A) PPPoE authenticated using PAP
Here R3 (client) sends its PAP username and password and R4 authenticates it.
Note!!! R3 accepts the connection from R4 without any check: only the server authenticates the client.
One line is added to the client interface configuration:
#R3
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp pap sent-username test password 0 test
!
On the server
#R4
!
aaa new-model
!
!
aaa authentication ppp ppp_local local
aaa authentication ppp list1 local
!
username test password 0 test
!
interface Virtual-Template2
ip unnumbered Loopback0
peer default ip address pool test_01
ppp authentication pap ## we are authenticating the client using pap
!
ip local pool test_01 150.1.34.2
Please look at the previous configuration for the complete configuration script!!!
A.1) Now I am authenticating both sides (server authenticates client and client authenticates server)
R4#
!
username R3 password 0 CISCO
!
interface Virtual-Template1
ip address 10.10.10.1 255.255.255.0
no peer neighbor-route
peer default ip address dhcp-pool test_01
ppp authentication pap
ppp pap sent-username R4 password 0 CISCO
end
R3#
!
username R4 password 0 CISCO
!
!
interface Dialer1
mtu 1492
ip address dhcp
encapsulation ppp
dialer pool 1
dialer persistent
ppp authentication pap
ppp pap sent-username R3 password 0 CISCO
end
B) PPPoE authenticated using CHAP
#R3
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp chap hostname testaz
ppp chap password 0 testaz
!
On the server
#R4
!
aaa new-model
!
!
aaa authentication ppp chap_local local
aaa authentication ppp list1 local
!
username testaz password 0 testaz
!
interface Virtual-Template2
ip unnumbered Loopback0
peer default ip address pool test_01
ppp authentication chap chap_local
!
ip local pool test_01 150.1.34.2
Please look at the previous configuration for the complete configuration script!!!
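An added example (not part of the original post): what actually crosses the link in variants A and B, written in Python from the packet formats in RFC 1334 (PAP) and RFC 1994 (CHAP). The name and secret are the lab values from the CHAP config above; the function names and the identifier values are assumptions of this example.

```python
import hashlib
import hmac
import os

# Lab values taken from the CHAP configuration above (hostname and password).
NAME = b"testaz"
SECRET = b"testaz"


def pap_request_data(peer_id, password):
    """Data field of a PAP Authenticate-Request (RFC 1334): both in cleartext."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_challenge(nbytes=16):
    """Authenticator (R4): a fresh random challenge for every authentication."""
    return os.urandom(nbytes)


def chap_response(identifier, secret, challenge):
    """Peer (R3): MD5 over identifier || secret || challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Authenticator recomputes the value from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def exchange(client_secret, server_secret, identifier=1):
    """One CHAP round: returns (bytes R3 sends, R4's accept/reject decision)."""
    challenge = chap_challenge()                                    # R4 -> R3
    response = chap_response(identifier, client_secret, challenge)  # R3 -> R4
    return response, chap_verify(identifier, server_secret, challenge, response)


if __name__ == "__main__":
    print("PAP data on the wire :", pap_request_data(NAME, SECRET))
    sent, ok = exchange(SECRET, SECRET)
    print("CHAP response on wire:", sent.hex(), "accepted:", ok)
    # A response recorded earlier does not match the next, different challenge.
    print("old response reused  :", chap_verify(2, SECRET, chap_challenge(), sent))
    print("wrong secret         :", exchange(b"other", SECRET)[1])
```

CHAP keeps the secret off the wire, but both routers must hold it in recoverable form, so the username ... password 0 lines in these configs stay sensitive.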
Wednesday, 17 October 2007
PPPoE on Cisco routers (ip address assignment dynamic from server)
The main requirement is to assign the IP address for the PPPoE session on the client (R3) from the server (R4)
here goes config:
vpdn enable
!
!
!
!
interface Ethernet0/0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 2
!
!
interface Loopback100
ip address 150.1.34.1 255.255.255.255
!
!
interface Virtual-Template2
ip unnumbered Loopback100
peer default ip address pool test_01
!
ip local pool test_01 150.1.34.2
main tips:
1. On the client (R3), ip address negotiated must be used on the dialer interface.
2. On the server (R4), virtual-template 2 must use some ip unnumbered interface. Otherwise the interface comes up but no IP address from the local pool is assigned. The configuration worked in the WB presentation, but not in the real lab!!!
some outputs:
R3#sho ip ro
150.1.0.0/32 is subnetted, 2 subnets
C 150.1.34.1 is directly connected, Dialer1
C 150.1.34.2 is directly connected, Dialer1
R3#
R4#sho ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES NVRAM up up
Ethernet0/1 unassigned YES NVRAM administratively down down
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Serial1/0 unassigned YES NVRAM administratively down down
Serial1/1 unassigned YES NVRAM administratively down down
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
Virtual-Access1 unassigned YES unset up up
Virtual-Access1.1 150.1.34.1 YES TFTP up up
Virtual-Template1 unassigned YES NVRAM down down
Virtual-Access2 unassigned YES unset down down
Virtual-Template2 150.1.34.1 YES TFTP down down
Loopback0 unassigned YES unset up up
Loopback100 150.1.34.1 YES manual up up
Monday, 15 October 2007
PPPoE on Cisco routers (ip address assignment static)
link about broadband termination on 7200
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e43.shtml
Just started this topic while I am in Belgrade. To be completed later :)
It is true: there is not much information about PPPoE on the Cisco site.
Some information from simulations.
a) R3 is client and R4 is server. IP addresses are assigned statically.
hostname R3
vpdn enable
!
interface Ethernet0/0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address 150.1.34.3 255.255.255.0
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
!
!
hostname R4
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
!
!
!
!
interface Ethernet0/0
no ip address
full-duplex
pppoe enable
!
!
interface Virtual-Template1
ip address 150.1.34.4 255.255.255.0
!
some outputs:
R4#sho vpdn session
%No active L2TP tunnels
%No active L2F tunnels
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 1
PPPoE Session Information
UID SID RemMAC OIntf Intf Session
LocMAC VASt state
1 1 cc02.1d68.0000 Et0/0 Vi1.1 CNCT_PTA
cc03.1d68.0000 UP
R3#sho vpdn session
%No active L2TP tunnels
%No active L2F tunnels
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 1
PPPoE Session Information
UID SID RemMAC OIntf Intf Session
LocMAC VASt state
0 1 cc03.1d68.0000 Et0/0 Vi2 N/A
cc02.1d68.0000 UP
R3#sho ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Serial1/0 unassigned YES unset administratively down down
Serial1/1 unassigned YES unset administratively down down
Serial1/2 unassigned YES unset administratively down down
Serial1/3 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned YES unset up up
Dialer1 150.1.34.3 YES manual up up
R3#
R4#sho ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Serial1/0 unassigned YES unset administratively down down
Serial1/1 unassigned YES unset administratively down down
Serial1/2 unassigned YES unset administratively down down
Serial1/3 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset up up
Virtual-Access1.1 150.1.34.4 YES TFTP up up
Virtual-Template1 150.1.34.4 YES manual down down
Virtual-Access2 unassigned YES unset down down
R4#
completed it in Prague airport
Saturday, 13 October 2007
Ethernet switching
So basic topics will be:
- VTP
- STP
- EtherChannel
First topic is VTP.
Best resource is CCO:
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
It can operate in 3 modes:
- Server - (this is the default mode) all local VLAN database changes are propagated to VTP domain members.
- Client - does not modify VLAN information, just listens.
- Transparent - does not participate in VTP related activities (no VTP adverts, no VTP database syncs). VTP messages received from other switches are transparently forwarded to neighbors.
Basic config:
vtp mode server
vtp domain ilikecisco
vtp password hmm
remarks from vtp issues
The version in which the SW operates by default is 2
Rack1SW1#sho vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 256
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : cisco
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x6D 0x53 0x36 0xBC 0x9D 0x79 0x02 0x1A
Configuration last modified by 0.0.0.0 at 3-1-93 03:13:31
Local updater ID is 0.0.0.0 (no valid interface found)
Some VTP tips:
- If a switch comes with a higher VTP revision number, it wins. It means its VLAN information is used in the domain.
- Difference between ver 1 and 2: if a switch is running ver 1 in transparent mode and a VTP advertisement from another domain arrives, it is dropped. If the switch is running ver 2, the advertisement is propagated (forwarded). I want to say this info was taken from Shiran Guez's blog ;)
Second topic is STP (first need to determine what level of knowledge is needed for the lab)
Etherchannel section
Nothing very special: the configuration is very straightforward.
!
interface Port-channel1
switchport mode trunk
no ip address
!
!
interface FastEthernet1/13
switchport mode trunk
no ip address
channel-group 1 mode on
!
interface FastEthernet1/14
switchport mode trunk
no ip address
channel-group 1 mode on
!
interface FastEthernet1/15
switchport mode trunk
no ip address
channel-group 1 mode on
!
The main problem arises when VLAN filtering is enabled on ports individually. In such conditions the switch will remove the port from the group.
just passed my CCIE SP written
This time was perfect with 98%
Not much time for joy. Let's go with lab preparations. It will not be easy because I am starting it without an existing routing/switching certification.