Thursday, December 27, 2012

Updates for EOL Ubuntu releases

When a release reaches its EOL, its repositories are no longer available at the old location, so their addresses have to be changed like this:

Edit /etc/apt/sources.list and change 'archive.ubuntu.com' to 'old-releases.ubuntu.com', or do the same with sed:
sudo sed -i -e 's/archive.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list

and then update with
sudo apt-get update && sudo apt-get dist-upgrade
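As an added example (not part of the original post and not Ubuntu's own tooling), the following Python script does the same substitution more carefully than the one-line sed: it only rewrites the URL host of uncommented deb/deb-src lines, leaves comments and third-party repositories alone, and also maps security.ubuntu.com and the regional cc.archive.ubuntu.com mirrors to old-releases.ubuntu.com (the plain sed pattern would turn a mirror such as us.archive.ubuntu.com into the non-existent us.old-releases.ubuntu.com). The sources.list content below is constructed, and the release name in it is only a placeholder.

```python
"""Rewrite official Ubuntu mirror hosts in a sources.list to old-releases.ubuntu.com.
Added example; the sample content below is constructed."""
import shutil
import sys
from urllib.parse import urlsplit, urlunsplit

EOL_HOST = "old-releases.ubuntu.com"


def eol_host_for(host):
    """Return the replacement host for an official Ubuntu mirror, or None to leave it alone."""
    host = host.lower()
    if host == "archive.ubuntu.com" or host.endswith(".archive.ubuntu.com"):
        return EOL_HOST      # main archive and regional mirrors such as us.archive.ubuntu.com
    if host == "security.ubuntu.com":
        return EOL_HOST      # the security pocket is served from the same EOL host
    return None


def rewrite_sources(text):
    """Return (new_text, number_of_lines_changed).

    Only uncommented 'deb' / 'deb-src' lines are considered, and only the host part
    of their URL is replaced, so comments and third-party repositories are untouched.
    """
    out, changed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("deb", "deb-src"):
            for i, token in enumerate(parts):
                if "://" not in token:
                    continue                 # skip options such as [arch=amd64]
                url = urlsplit(token)
                new_host = eol_host_for(url.hostname or "")
                if new_host:
                    parts[i] = urlunsplit(url._replace(netloc=new_host))
                    line = " ".join(parts)
                    changed += 1
                break                        # the first URL token is the mirror
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample; RELEASE is a placeholder, not a name taken from the post.
SAMPLE = """\
# constructed sample sources.list
deb http://us.archive.ubuntu.com/ubuntu/ RELEASE main restricted
deb-src http://archive.ubuntu.com/ubuntu RELEASE main
deb http://security.ubuntu.com/ubuntu RELEASE-security main
# deb http://archive.ubuntu.com/ubuntu RELEASE-backports main
deb http://ppa.launchpad.net/example/ppa/ubuntu RELEASE main
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        new_text, n = rewrite_sources(SAMPLE)
        print(new_text, f"# {n} line(s) changed", sep="")
    else:
        path = sys.argv[1]
        with open(path) as f:
            new_text, n = rewrite_sources(f.read())
        shutil.copy(path, path + ".bak")     # keep the original for rollback
        with open(path, "w") as f:
            f.write(new_text)
        print(f"{n} line(s) changed; backup in {path}.bak")
```

Run it without arguments to see the rewrite applied to the sample, or as `sudo python3 rewrite_sources.py /etc/apt/sources.list` to rewrite the real file in place after a .bak copy is written. Keep in mind that old-releases.ubuntu.com only serves the last packages published before the EOL date: a release pointed there receives no further security fixes, so this keeps an old system installable, not patched.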


Thanks to fossfreedom for providing the info on this topic.

Thursday, October 25, 2012

Tricks of the "distribute-list" OSPF subcommand


The citation is from the Cisco Press ROUTE Official Cert Guide.
The mechanics of the distribute-list router subcommand has a few surprises, which are
summarized in this list:
  • The command requires either an in or out direction. Only the in direction works for filtering routes as described in this section.
  • The command must refer to either a numbered ACL, named ACL, prefix list, or route map. Regardless, routes matched with a permit action are allowed into the routing table, and routes matched with a deny action are filtered.
  • Optionally, the command can include the interface interface-name-and-number parameters. The router compares these parameters to the route’s outgoing interface.

Monday, October 22, 2012

Choice of the best route from the ABR perspective

When choosing the best route to reach any given subnet, ABRs follow these two rules:
  1. An intra-area route is always preferred over a competing inter-area route, regardless of metric;
  2. Type 3 LSAs learnt in a non-backbone area are ignored.

Thursday, October 18, 2012

Meaning of LSID for different OSPF LSA types

Type 1 LSAs list the originating router's RID as the LSID
Type 2 LSAs list the DR's interface IP address on the subnet as the LSID
Type 3 LSAs list the subnet number being advertised as the LSID

Wednesday, October 10, 2012

Propagation of default route into EIGRP domain

Two main options exist:
1. Configure a static default route and then redistribute it into EIGRP;
2. Configure the default-network command, which should point toward a network connected to the gateway router (for example, its WAN subnet or just a loopback host route). This command can be configured on the enterprise edge router that has a default route or the full routing table. All routers in the EIGRP domain will mark this newly learnt network as a "candidate default". The explanation that is easiest for me to understand is that we should mark a network as default if we know that, when a packet from anywhere inside the network reaches the router connected to that network, this router will know how to forward the packet further.

Friday, October 5, 2012

Date of the beginning of my CCIE studies!

On October 1st, 2012 I began to study for my CCIE Written and Lab Exams. I hope to be ready to pass the Lab by the end of 2013. Passing on the first attempt is my goal, so I don't want to rush. Since the birth of my twin daughters on 17 January I don't have much time, but I hope this goal can be accomplished.

EIGRP Citation

About routers going Active and querying their neighbors.

From the CCNP ROUTE Cert Guide:
If a router receives an EIGRP Query for a prefix/prefix length, does not have an exactly matching (both prefix and prefix length) route, but does have a summary route that includes the prefix/prefix length, that router immediately sends an EIGRP Reply and does not flood the Query to its own neighbors.

Route filtering by means of distribution lists with ACLs, IP Prefix Lists and Route Maps

When using ACLs with distribute lists, the most confusing thing for me is that:
  1. A "deny" statement in the ACL prevents the route from being accepted or sent;
  2. If there is no "permit any" at the end of the ACL, only the routes explicitly matched by a "permit" statement will "pass".
I'm used to the idea that, to "catch" something, an ACL does it with a "permit" statement (for example, this is the case when using distribute lists with route maps).

IP Prefix Lists use the same logic:
"Each command has a permit or deny action, but because it is used only for matching routes, and not for packet filtering, the permit or deny keyword just implies whether a route is matched (permit) or not (deny)." - CCNP ROUTE Off Cert Guide.
So, to permit a route in a distribute list, a "permit" statement must be used in the IP prefix list, and to deny a route a "deny" statement is used. As always, there is an implicit "deny all" at the end of the list.
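To make the permit/deny semantics of the distribute-list post above (October 25) and of this section concrete, here is an added Python model that is not from the Cisco Press guide or any Cisco code: it parses a standard ACL and an IP prefix list from IOS-style lines, applies them as a `distribute-list ... in` to a constructed set of candidate routes, and shows the implicit "deny all", the difference between an ACL (which sees only the network address) and a prefix list (which also checks the prefix length), and the optional interface parameter. The handling of that parameter, where routes with a different outgoing interface bypass the list, is our reading of the quoted sentence; the route prefixes and interface names are placeholders.

```python
"""Model of an OSPF 'distribute-list ... in' that refers to a standard ACL or an
IP prefix list.  Added example with constructed routes and lists; the interface
handling is an assumption drawn from the quoted text, not verified IOS behaviour."""
import ipaddress


def parse_acl(lines):
    """Parse 'access-list N permit|deny A.B.C.D WILDCARD' (or '... any') lines."""
    entries = []
    for line in lines:
        parts = line.split()
        action = parts[2]
        if parts[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif len(parts) == 4:
            addr, wild = parts[3], "0.0.0.0"        # bare address means host match
        else:
            addr, wild = parts[3], parts[4]
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def acl_matches(entry, prefix):
    """A standard ACL only sees the network address; the prefix length is ignored."""
    _, addr, wild = entry
    care = 0xFFFFFFFF ^ wild                         # bits the wildcard says to compare
    return (int(prefix.network_address) & care) == (addr & care)


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge G] [le L]' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[3] == "seq":
            parts = parts[:3] + parts[5:]
        action, net = parts[3], ipaddress.ip_network(parts[4])
        ge = le = None
        rest = parts[5:]
        while rest:
            if rest[0] == "ge":
                ge = int(rest[1])
            elif rest[0] == "le":
                le = int(rest[1])
            rest = rest[2:]
        entries.append((action, net, ge, le))
    return entries


def prefix_list_matches(entry, prefix):
    """Compare the first L bits, then the route's length against ge/le
    (without ge/le the length must be exactly L)."""
    _, net, ge, le = entry
    shift = 32 - net.prefixlen
    if int(prefix.network_address) >> shift != int(net.network_address) >> shift:
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= prefix.prefixlen <= high


def distribute_list_in(routes, entries, matches, interface=None):
    """Return the prefixes allowed into the routing table.

    routes: (prefix, outgoing_interface) pairs.  A route matching a 'permit' entry is
    installed, one matching a 'deny' entry is filtered, and a route matching no entry
    hits the implicit 'deny all' at the end of the list.  With an interface given,
    only routes with that outgoing interface are subject to the list (assumption).
    """
    installed = []
    for prefix, out_if in routes:
        if interface is not None and out_if != interface:
            installed.append(prefix)
            continue
        action = "deny"                              # implicit deny all
        for entry in entries:
            if matches(entry, prefix):
                action = entry[0]
                break
        if action == "permit":
            installed.append(prefix)
    return installed


# Constructed candidate routes and filters; interface names are placeholders.
ROUTES = [(ipaddress.ip_network(p), i) for p, i in [
    ("10.1.0.0/16", "Serial0/0"), ("10.1.1.0/24", "Serial0/0"),
    ("10.2.2.0/24", "Serial0/0"), ("192.168.1.0/24", "FastEthernet0/1")]]
ACL_DENY_10_1 = parse_acl(["access-list 1 deny 10.1.0.0 0.0.255.255",
                           "access-list 1 permit any"])
ACL_NO_PERMIT_ANY = parse_acl(["access-list 2 permit 10.2.2.0 0.0.0.255"])
PREFIX_LIST = parse_prefix_list(["ip prefix-list PL seq 5 deny 10.1.0.0/16",
                                 "ip prefix-list PL seq 10 permit 0.0.0.0/0 le 32"])


def demo():
    """Run the cases discussed in the posts and return the installed prefixes."""
    def run(entries, matches, iface=None):
        return [str(p) for p in distribute_list_in(ROUTES, entries, matches, iface)]
    return {
        "acl_deny_then_permit_any": run(ACL_DENY_10_1, acl_matches),
        "acl_without_permit_any": run(ACL_NO_PERMIT_ANY, acl_matches),
        "prefix_list_exact_length": run(PREFIX_LIST, prefix_list_matches),
        "acl_only_on_serial0/0": run(ACL_NO_PERMIT_ANY, acl_matches, "Serial0/0"),
    }


if __name__ == "__main__":
    for case, prefixes in demo().items():
        print(f"{case}: {prefixes}")
```

The ACL case filters both 10.1.0.0/16 and 10.1.1.0/24 because a standard ACL cannot tell prefix lengths apart, while the prefix list without ge/le removes only the exact /16; the ACL without "permit any" leaves just the one explicitly permitted route, and adding the interface parameter lets the route learnt via FastEthernet0/1 through untouched.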

Friday, September 28, 2012

Resources for my CCIE preparations

Well, I've spent the last few days thoroughly examining the available books and other materials to start preparing for my exam!
As a result, I made the following list, which I will use as a guideline in my preparation:
  1. Refresh my CCNP knowledge
  2. Official CCIE Certification Guide
  3. Routing TCP/IP, Volume I
  4. Routing TCP/IP, Volume II
  5. Developing IP Multicast networks
  6. End-to-End QoS network design
  7. IPV6 enabled networks
  8. Cisco LAN Switching (CCIE Professional Development series)
  9. CCIE Professional Development Network Security Technologies and Solutions
This will be my main reading material. After refreshing the theory, I'm going to start the labs and will switch to INE's materials in the following order:
  1. INE CCIE Written Bootcamp
  2. INE CCIE Routing & Switching Advanced Technologies
  3. INE Deep Dive Security & Multicast
  4. INE Workbooks Vol I & II
  5. INE Advanced Troubleshooting
  6. INE Workbooks Vol III & IV
Any suggestions?

Update: I would also like to use INE's Audio Bootcamp whenever I have time, for example on my way to work.

Thursday, August 30, 2012

ipSpace.net: BGP next hop processing

ipSpace.net: BGP next hop processing: Following my IBGP or EBGP in an enterprise network post a few people have asked for a more graphical explanation of IBGP/EBGP differences....

ipSpace.net: Penultimate Hop Popping (PHP) demystified

ipSpace.net: Penultimate Hop Popping (PHP) demystified: I got an interesting question after writing the Asymmetric MPLS MTU Problem post: “ Why does PHP happen only on directly-connected interfac...

Friday, August 24, 2012

Dependence between ARP max age time and MAC-address aging on Cisco switches

Let's begin with an example of typical switched network with multilayer distribution switches.

Assume that all the links between switches are trunk links, and that both DL1 and DL2 participate in HSRP groups, with DL1 active for VLAN1 and VLAN3 and DL2 active for VLAN2. STP is configured correspondingly to block the rightmost links on the access layer switches for even VLANs and the leftmost links for odd VLANs.

Now let's pretend that host C1 pings host C2.
Let's follow the path of the packet on its way to C2:
1. Since C1 resides in a different VLAN than host C2, it sends the packets to its default gateway (DL1's VLAN1 interface). By means of an ARP request C1 discovers the MAC address of the VLAN1 interface and sends the first ICMP packet.
2. DL1 routes the packet. VLAN2 is a directly connected network, so DL1 discovers C2's MAC address with ARP and sends the packet to it (the packet traverses the link between DL1 and DL2 and then goes to AL2, since the leftmost link on AL2 is blocked by STP for VLAN2).

Important note: at this moment the internal switch of DL1 has the following MAC addresses: C1 in VLAN1 and C2 in VLAN2.

The ICMP reply from C2 follows the same path, except that its default gateway is DL2's VLAN2 interface. This means that in this network the routing between VLANs is asymmetric.

What happens if the pings continue, for example, for 10 minutes?
DL1 ages out the MAC address entry for C2 in VLAN2, since it sees no new frames from it (remember that the reverse packets are first routed at DL2 and then sent from its VLAN1 interface), and begins to flood the frames for C2 out of all its ports in VLAN2. A mirrored result is seen on DL2 for the reverse packets.
The problem stems from the fact that the router holds ARP entries for 14,400 seconds (4 hours), but the switch ages CAM table entries in 5 minutes.

For this not to happen, the ARP and CAM table timers should be in SYNC!
The easiest way is to increase the MAC aging time to 14,400 seconds.
On a Catalyst 6500 it can be done with the following command:
mac-address-table aging-time seconds [vlan vlan_id]
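The following Python model is an added illustration of the timer mismatch described above; it is not from the post or from any Cisco documentation. It steps through DL1's ARP and CAM entries for C2 one second at a time while C1 pings C2 once per second over the asymmetric path (C2's replies go through DL2, so the only frame sourced from C2's MAC that DL1 ever sees is the ARP reply). It counts how many forwarded frames end up as unknown unicast with the default timers and with the CAM aging time raised to 14,400 seconds. The traffic pattern is constructed; the timer values are the ones quoted in the post. The count matters beyond bandwidth: every flooded frame is delivered to every port in VLAN2, so any host in the VLAN can capture the conversation.

```python
"""Second-by-second model of DL1's ARP and CAM entries for host C2 while C1 pings
C2 over the asymmetric path.  Added example with constructed traffic."""

ARP_TIMEOUT = 14400   # router ARP cache lifetime: 4 hours (value from the post)
CAM_TIMEOUT = 300     # switch CAM aging time: 5 minutes (value from the post)


def simulate(duration, arp_timeout=ARP_TIMEOUT, cam_timeout=CAM_TIMEOUT):
    """Return how many of the 'duration' forwarded frames DL1 had to flood in VLAN2.

    One C1 -> C2 packet reaches DL1 every second.  DL1 re-ARPs for C2 only when its
    ARP entry has expired; C2's ARP reply is the only frame sourced from C2's MAC
    that DL1 ever sees, so it is the only event that refreshes the CAM entry.
    """
    arp_learned = None     # time DL1 last resolved C2's IP to its MAC
    cam_learned = None     # time DL1 last saw a frame sourced from C2's MAC
    flooded = 0
    for now in range(duration):
        if arp_learned is None or now - arp_learned >= arp_timeout:
            arp_learned = now          # ARP request sent and reply received...
            cam_learned = now          # ...and the reply refreshes the CAM entry too
        if now - cam_learned >= cam_timeout:
            flooded += 1               # unknown unicast: copied to every VLAN2 port
        # C2's ICMP reply is routed by DL2 and leaves DL2's VLAN1 interface, so no
        # frame sourced from C2's MAC reaches DL1 to refresh the CAM entry here.
    return flooded


def flooded_share(duration, **timers):
    """Fraction of the forwarded frames that were flooded, for a quick comparison."""
    return simulate(duration, **timers) / duration


if __name__ == "__main__":
    print("10 min of pings, default timers:", simulate(600), "frames flooded")
    print("one ARP lifetime, default timers:", simulate(ARP_TIMEOUT), "frames flooded")
    print("one ARP lifetime, CAM aging 14400:",
          simulate(ARP_TIMEOUT, cam_timeout=ARP_TIMEOUT), "frames flooded")
```

With the default timers, 300 of the 600 frames in the 10-minute scenario are flooded, and over a full ARP lifetime 14,100 of 14,400 frames are; once the CAM aging time is at least the ARP lifetime, the ARP refresh always arrives before the CAM entry expires and nothing is flooded.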

Happy switching!

Thursday, August 23, 2012

Waiting for your comments

Reading another great post by Ivan Pepelnjak from blog.ioshints.info, I followed a link to the Cisco website, to an article about unicast flooding in switched campus networks. When I looked at the "Cause 1: Asymmetric Routing" diagram, I came to the conclusion that the packets won't be flooded, as the article says, because on the reverse route S1 will reply with its own MAC address to RouterB's ARP request, so SwitchB will have it in its CAM table and will forward the packet to the proper interface toward SwitchA.

What do you think? Am I wrong?

Link, again.

P.S. I even lab'ed it. No unknown unicast happened.

UPD.: I came to yet another conclusion: the situation described above can be true if the entry in the switch's CAM table has timed out. If the router still has the MAC address of S1, it will send the packets without subsequent ARP requests; however, the switch will now flood the unicast frames.

Wednesday, August 22, 2012

MPLS Fundamentals

LIB + RIB = LFIB
The information in the LFIB is derived from the LIB and the RIB.

Monday, August 20, 2012

CCIE R&S v4.0 Topics

Topics


Can't wait to start preparation after vacation.

LAYER 2 TUNNEL PROTOCOL brief (by Cisco)

Click

ipSpace.net: Fix router configuration after a reload

ipSpace.net: Fix router configuration after a reload: Sometimes, parts of router configuration get lost during the reload process: although the configuration commands are saved in NVRAM, they ar...

Thursday, August 2, 2012

ASA 8.4

1. Download the archive from here.
2. Download the AIO version of GNS3 for Windows (Qemu must be patched or it won't start with the ASA's connected interfaces). My version was 0.8.3.
3. Configure Qemu in GNS3 with the following settings:
Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
4. Configure the paths to the image.
5. The hardest part: start your lab and enjoy :)

Tuesday, July 31, 2012

Direction on the access-lists on the VLAN interfaces


An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.

An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

Thursday, May 3, 2012

How to save Cisco routers' crypto keys in GNS3

One annoying thing in GNS3 is that sometimes, after you have configured SSH on your routers, it stops working after a reload. The problem is that the key isn't stored in NVRAM, so after a reboot I have to regenerate it every time.
There is a workaround for this problem: open the .net file of the GNS3 project and delete the
"cnfg="
lines from the routers' configuration. It should solve the problem permanently.
Happy routing :)