July 20, 2010

Xirrus

Perhaps you’ve heard about the Xirrus wireless vendor and its XN16 product: 16 integrated access points in a single device, providing 4.8 Gbps total Wi-Fi bandwidth for up to a thousand wireless clients. One array has 16 built-in APs with 48 integrated antennas and 2 GigE ports as uplinks to your infrastructure.

 

What you might not find easily is how to configure them!

I searched a lot to find the console baud rate and found this:

 

Q: What is Xirrus console speed?

A: Use the following setting when establishing a serial connection:

Bits per second 115200

Databits 8

Parity None

Stopbits 1

Flow control None

 

Q: What is Xirrus default IP address?

A: If a DHCP server is not being used, you may connect using the Array’s default IP address (10.0.2.1).

 

Q: What is Xirrus default username/password?

A: admin/admin

 

Sample Configuration:

administrator
  reset
  edit admin password admin read_write
exit
!
interface eth0
  ip dhcp
  up
exit
!
interface gig1
  ip addr      192.168.0.10
  ip mask      255.255.255.0
  ip gateway
  up
exit
!
interface gig2
  up
exit
!
date-time
  timezone      0 0
exit
!
ssid
  reset
  !
  edit "xirrus"
    band        both broadcast
    vlan        none
    qos         2
    encryption  none global_settings
    auth        open
    enable
  exit
exit
!
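
The sample above keeps the default admin/admin credentials and brings up an SSID with `encryption none` and `auth open`, which is what a reviewer would flag before the array goes into production. As an added example (not Xirrus code and not part of the original post), here is a Python checker that parses this block-structured config text and reports those settings; it assumes only the opener/indented-children/`exit` layout seen above.

```python
"""Flag weak settings in a Xirrus-style text configuration.

Added example, not Xirrus code. It understands only the block layout of
the sample above: an opener line, indented child lines, a closing `exit`,
and `!` separator lines. Nothing else about the Xirrus CLI is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Relevant parts of the sample configuration, embedded so the script runs offline.
SAMPLE_CONFIG = """\
administrator
  reset
  edit admin password admin read_write
exit
!
interface gig1
  ip addr 192.168.0.10
  ip mask 255.255.255.0
  up
exit
!
ssid
  reset
  !
  edit "xirrus"
    band both broadcast
    vlan none
    qos 2
    encryption none global_settings
    auth open
    enable
  exit
exit
"""

WEAK_SECRETS = {"admin", "password", "xirrus"}


@dataclass
class Node:
    words: List[str]
    children: List["Node"] = field(default_factory=list)


def parse_config(text: str) -> Node:
    """Build a tree from indentation; `exit` closes the block it sits under."""
    root = Node([])
    stack: List[Tuple[int, Node]] = [(-1, root)]
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Unwind to the innermost block that is shallower than this line.
        while stack[-1][0] >= indent:
            stack.pop()
        if stripped == "exit":
            continue
        node = Node(stripped.split())
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def first_arg(settings: Dict[str, List[str]], key: str) -> Optional[str]:
    args = settings.get(key)
    return args[0] if args else None


def audit(root: Node) -> List[str]:
    """Return human-readable findings for the settings a reviewer would flag."""
    findings: List[str] = []
    for block in root.children:
        kind = block.words[0]
        if kind == "administrator":
            for child in block.children:
                # edit <user> password <secret> <privilege>
                if child.words[0] == "edit" and "password" in child.words:
                    user = child.words[1]
                    secret = child.words[child.words.index("password") + 1]
                    if secret.lower() in WEAK_SECRETS | {user.lower()} or len(secret) < 8:
                        findings.append(f"administrator {user}: default or weak password")
        elif kind == "ssid":
            for child in block.children:
                if child.words[0] != "edit":
                    continue
                name = child.words[1].strip('"')
                settings = {c.words[0]: c.words[1:] for c in child.children}
                state = "enabled" if "enable" in settings else "disabled"
                if first_arg(settings, "encryption") == "none":
                    findings.append(f"ssid {name}: encryption none ({state})")
                if first_arg(settings, "auth") == "open":
                    findings.append(f"ssid {name}: open authentication ({state})")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```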

 

Further Reference:

To configure XS4
www.xirrus.com/pdfs/array_quick_install_guide_XS4.pdf

To configure XS8 or XS16
www.xirrus.com/pdfs/array_quick_install_guide_XS8-16.pdf

To configure Xirrus Management System (Linux) – XMS
www.xirrus.com/pdfs/XMS_QuickStart_4.0-002B.pdf

April 26, 2010

ASA Second Internet

As you may or may not know, the ASA does not support two different default gateways through different interfaces, so you cannot have two different internet links. As internet access is expensive in Dubai, our customer wants to use two ADSL internet links: one for browsing/e-mail and another for VPN tunnels. The VPN tunnels are IPsec site-to-site tunnels, so we know where the endpoints are. There’s a feature in the ASA called tunneled route:

“Users will have the option to configure two default gateways, one with a "tunneled" option and one without. All traffic that arrives at the appliance and cannot be routed using learned routes or static routes will be routed through default gateways. If the traffic was encrypted when it initially arrived at the appliance, it will be routed through Default Tunnel Gateway (DTGW); otherwise, it will be routed through Default Gateway (DGW). A set of default gateways can be installed for each virtual context”
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd805f0bd6.html

But keep in mind that this is not related to our issue: it applies to ingress traffic arriving through tunnels that terminate on our ASA, so this feature won’t work for us.

Not a big deal: we don’t need to configure a second default gateway, as we can use a static route pointing to that specific site through the second outside interface, something like:

route outside2 x.x.x.x 255.255.255.255 217.x.x.x (provider’s IP)

After setting up a route to the destination through the second link, we have to make our IPsec and ISAKMP packets use the proper source address of the second link (crypto identifiers), then check “show crypto isakmp sa” and “show crypto ipsec sa” to see that traffic is sourced from the second internet link’s IP address.

But there was a small problem: I saw traffic coming through the tunnel endpoint, and the encrypt/decrypt counters of “show crypto ipsec sa” showed packets being sent and received, but we were not able to ping or open a connection to the other side.

Using “debug icmp trace” I figured out that the ASA was sending the traffic to the outside interface (default gateway) instead of outside2; another static route was required for the tunneled traffic:

route outside2 10.x.x.x 255.0.0.0 217.x.x.x (providers IP)
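
Why the /32 route to the peer was not enough, shown as an added longest-prefix-match walk-through in Python (not part of the original post and not Cisco code): the addresses are constructed placeholders for the x.x.x.x values above, and the assumption that the crypto map for this peer is bound to outside2 is mine.

```python
"""Longest-prefix-match walk-through for the two-ISP ASA case above.

Added example, not from the original post or from Cisco. Addresses are
constructed placeholders for the x.x.x.x values in the post:
  203.0.113.10  remote VPN endpoint (public address)
  198.51.100.1  second provider's next hop on outside2
  192.0.2.1     first provider's next hop on outside (the default gateway)
  10.0.0.0/8    the private network reached through the tunnel
Assumption (mine): the crypto map for this peer is applied on outside2.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    iface: str
    prefix: str      # e.g. "10.0.0.0/8"
    next_hop: str


# `route outside2 <peer> 255.255.255.255 <provider>` on top of the default route
FIRST_ATTEMPT: List[Route] = [
    Route("outside", "0.0.0.0/0", "192.0.2.1"),
    Route("outside2", "203.0.113.10/32", "198.51.100.1"),
]

# plus `route outside2 10.0.0.0 255.0.0.0 <provider>` for the tunneled traffic
FIXED: List[Route] = FIRST_ATTEMPT + [Route("outside2", "10.0.0.0/8", "198.51.100.1")]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match: the most specific route covering dst wins."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def will_be_encrypted(routes: List[Route], dst: str, crypto_map_iface: str = "outside2") -> bool:
    """The crypto map is evaluated on the egress interface the route lookup picks,
    so inner traffic that leaves via the other ISP never reaches the IPsec SA."""
    route = lookup(routes, dst)
    return route is not None and route.iface == crypto_map_iface


def compare(destinations: List[str]) -> Dict[str, Tuple[str, str]]:
    """Egress interface per destination, before and after the second static route."""
    result: Dict[str, Tuple[str, str]] = {}
    for dst in destinations:
        before, after = lookup(FIRST_ATTEMPT, dst), lookup(FIXED, dst)
        result[dst] = (before.iface if before else "none", after.iface if after else "none")
    return result


if __name__ == "__main__":
    for dst, (before, after) in compare(["203.0.113.10", "10.20.30.40", "192.0.2.80"]).items():
        print(f"{dst:15} before: {before:9} after: {after}")
```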

April 4, 2010

Extreme Networks Switches

Next month we are going to implement a campus area network for an American school using Extreme switches. I attended a 5-day Extreme seminar to learn their command line interface and network management software. Here are some notes for those who would like to know more about the Extreme switch portfolio:

 

Hardware

  • BlackDiamond: Chassis-based high-port density switches for Carrier-Ethernet service providers and enterprise core
  • Summit: Standalone switches from L2 100Mbps to L3 10Gig top-of-rack datacenter switches.
  • ReachNXT: Port Extender - Manageable by an access switch via XOS
  • SummitWM: Wireless controllers
  • Altitude: Wireless Access Points
  • Sentriant NG: Intrusion Protection System (IPS)
  • Sentriant AG: Network Access Controller (NAC)

 

Software

  • ExtremeWare: VxWorks-based, the first generation of the Extreme Networks operating system
  • ExtremeXOS: 2nd generation OS, based on the Linux kernel and BusyBox
  • EPICenter: network management tool

 

Configuration

The switch CLI prompt is derived from the SNMP host name value.

Press the space bar during boot to enter the BootROM; to return to the factory default configuration: config none

Extreme FDB = Forwarding Database for MAC addresses - 300 sec aging timer per MAC

IP FDB (L3) for IP forwarding
    show iparp
    show fdb
    create fdbentry
    delete fdbentry
    disable learning
    enable learning

# configure ports 1 vlan accounting unlimited-learnings
# configure ports 1 vlan accounting learning-limit 3 (use aging timer also) (only for dynamic entries)

Lock-learning (sticky MAC)
# configure ports 1 vlan VLAN1 lock-learning 
# configure ports 1 vlan VLAN1 unlock-learning
    show vlan default security

 

ELSM (Extreme Link Status Monitoring)
gets the link status from the other end
    enable elsm ports
    disable elsm ports
    configure elsm ports
    clear elsm ports

VLANs

  1. Port-based
  2. 802.1Q Tagged VLAN
  3. Protocol-based VLAN
            create vlan vlan_name
            delete vlan vlan_name
            configure vlan vlan_name add ports
            configure vlan vlan_name delete ports
            disable vlan vlan_name
            enable vlan vlan_name
            configure vlan vlan_name tag <tag_value>
            configure vlan default delete port 7
            configure vlan ENGINEERING add port 7 untagged
            configure vlan ENGINEERING add ports 2,3 tagged
            show vlan ENGINEERING
     
            BPDU –> vlan0

 

Port Sharing (Aggregation) LAG
    enable sharing 1 grouping 1-4 algorithm address-based lacp
    show port sharing

 

Port Settings

   enable lldp port all
   show ports configuration no-refresh
   enable jumbo-frame ports all
   show vlan VLAN1 security

  • spanning-tree is disabled by default
  • EMI-STP Encapsulation - Extreme Multi Instance Spanning Tree - VST+ additional header

 

EAPS - Ethernet Automatic Protection Switching (Ring)

  • Ring Topology
  • L2 Protocol - Multicast MAC
  • EAPS version 2 (advanced feature - EAPS shared port for preventing superloop)
  • 50 ms failover
  • Device Roles: Master node, Transit nodes
  • Primary/secondary port on each switch
  • Master blocks its secondary port
  • Control VLAN and Protected VLAN (one Control VLAN per EAPS domain)
  • EAPS flush FDB when there's a topology change

        create vlan control_vlan_name
        configure vlan control_vlan_name tag vlan_tag
        configure vlan control_vlan_name add port <primary,secondary> tagged
        create eaps <name>
        configure eaps <name> mode master|transit
        configure eaps <name> primary port <port number>
        configure eaps <name> secondary port <port number>
        configure eaps <name> add control vlan control_vlan_name
        configure eaps <name> add protect vlan <name>
        enable eaps
        enable eaps <name>
        configure eaps fast-convergence [off|on] -> additional 250ms
        configure eaps <name> failtime expiry-action open-secondary-port
        (by default the expiry action only sends an alert)

 

EAPS with a Shared Port

  • Configure partner
  • Configure controller port
  • link-id must be same on both switches

 

SummitStack

  • Should have same image:
    download image <ip> <file> slot <slot-number>
  • 40Gbps full duplex capacity per switch
  • MAX: 8 devices
            enable stacking
            show stacking
            show stacking configuration
            configure stacking easy-setup

 

IP Routing

  • By default is disabled
        enable ipforwarding
        configure iproute add x.x.x.x/x y.y.y.y
        show ipconfig
  • In a new VLAN, IP forwarding might be disabled; make sure to check.
        show iproute
        show ipstats
  • icmp is enabled by default

 

OSPF

    enable ipforwarding
    configure ospf routerid 1.1.1.1
    enable loopback vlanname (if you want to have loopback)
    configure ospf address VLAN1 area 0.0.0.0
    configure ospf address VLAN2 area 0.0.0.0
    enable ospf
    show ospf
    show ospf area 0.0.0.0
    show ospf neighbors
    show ospf lsdb

  • Redistribution is disabled by default and is configured through policy files.
  • Core license required for the OSPF DR/BDR function.
  • On Edge / Advanced Edge licenses the switch cannot be DR, so use priority 0.

 

ESRP

Extreme Standby Routing Protocol - ESRP is Extreme’s redundancy protocol, something like VRRP.

 

QOS

  • Not much QoS support
  • Traffic shaping is called metering
  • 8 queues per interface
  • Queues 1 and 8 are used by default (2q)

November 27, 2009

Catalyst to ProCurve

Two months ago, as I blogged about it, I passed the HP ProCurve AIS exam and shared a summary of my preparation notes. Last week I passed the Master ASE – HP ProCurve Campus LANs [2010] online exam (HP2-Z04) and became HP Master ASE (MASE), so I thought I would share parts of my study notes: as some customers are buying ProCurve instead of Cisco Catalyst (budget reasons), it’s good to know the equivalent terminology and commands. Do I recommend HP ProCurve over Cisco Catalyst? No.

Cisco vs. HP terminology

  • Trunk Port = Tagged Port
  • Port Channel Interface = Trunk Port
  • Access port = Untagged Port
  • Auxiliary VLAN (voice) = tagged/untagged
  • Access port with Auxiliary = tagged (voice) + untagged (data)
        vlan 11
            untagged a1
        vlan 12
            voice
            tagged a1
  • Interface Gigabitethernet0/1 = interface 1
  • Modular switches  = interface a1 "Module name: a,b,c... from top left"
  • HP does not send CDP (can receive) - HP speaks LLDP - IEEE802.1AB
  • BPDU Guard = BPDU protection
  • Keepalive = Loop protection
  • SPAN = traffic mirroring

HP ProCurve software license

Edge License Features:

  • IPv4 RIP + Static Routes
  • IGMP
  • ACLs
  • QoS
  • Bandwidth Control
  • Edge Security
  • Basic IPv6

Premium Features:

  • OSPF + ECMP
  • PIM
  • IPv6 RIP + OSPFv3
  • VRRP
  • QinQ VLANs

WLAN Evolution

  • 1st Gen: Standalone Access Points
  • 2nd Gen: Centralized WLAN Management with Thin APs
  • 3rd Gen: Multiservice Controller
  • 4th Gen: Unified WLAN Architecture (Controller Blades) Mobility Controller
    • Multi-Service Mobility Solution (MSM7xx)
      • Mobility License: Guest Roaming
    • Mobility Manager Software (on top of ProCurve Manager - PCM)
      • Software updates
      • WLAN Security settings
      • Radio settings
      • Rogue detection
      • Monitoring and Troubleshooting
    • ProCurve Guest Management Software
      • Authentication
      • Temporary Credentials + expiration + Printable Vouchers
    • RF Manager
      • IDS/IPS
    • RF Planner
      • Windows based WLAN planning software

PoE Devices

  • PD - Powered Device
  • PSE - Power Sourcing Equipment
    • IEEE802.3af
    • IEEE802.3at (PoE+) up to 24W
    • Keep higher priority ports on lower port numbers
    • We can use power shelf (zl switch) or RPS for additional power

    LLDP vs. LLDP-MED

    • LLDP
      • Network Management + Inventory data + IP/speed/duplex
    • LLDP-MED
      • Voice VLAN, QoS, location services, advanced PoE, detailed inventory management; device classes:
        • Class I   IP communications controller
        • Class II  IP phones, end user IP communication
        • Class III media streams, conference bridges

    Quality of Service

    • Queues per port: 8
    • Rate limits: ingress & egress
    • GMB (guaranteed minimum bandwidth): egress only
    • Classification
      • CoS
      • DSCP/IPP
      • VLAN
      • Interface
      • L2 Protocol
      • IP Address/port
    • Marking
      • 802.1p
      • DSCP

    Configurations

    • CLI
    • Menu Interface
    • GUI (HTTP/HTTPS)
    • PCM/PCM+
    • User Level:
      • Operator Level
      • Manager Level
        #password operator user-name operator plaintext password
        #password manager user-name manager plaintext password

        #include-credentials > include the hashed credentials (passwords, SSH keys, RADIUS keys, etc.) in configuration views
        show front-panel-security > to check reset/clear button setting

    Port Configurations
        #speed-duplex 1000-full

    Aggregated Port (Trunk)
        #trunk 47-48 trunk1 trunk
        #trunk 47-48 trunk1 lacp
        #vlan 11 tagged trunk1
        #interface 47 name 'link to other switch'
        show trunk
            Once the trunk is configured, its ports become "untagged vlan1"

    Spanning Tree
        #spanning tree
        #spanning tree 1-3 admin-edge-port (default is auto-edge-port which will wait for 3 seconds to see if there's any BPDU)
        #no spanning tree 4 edge-port
        #spanning tree protocol-version mstp
        reload
        #spanning tree config-name "name"
        #spanning tree config-revision 1
        #spanning tree instance 1 vlan 1,2
        #spanning tree instance 2 vlan 3,4
        show spanning tree mst-config
        #spanning tree priority 0 (on root switch)
        #spanning tree priority 1 (on secondary root switch)
        #spanning tree instance 1 priority 0 (on root switch)
        #spanning tree instance 2 priority 1 (on secondary root/instance)

    PoE
        show power-management
        show power-management brief
        #power threshold n (1-99) to alert if power usage rises above the threshold

    DHCP
        #dhcp-snooping
        #dhcp-snooping vlan 2
        #dhcp-snooping trust a1 (trusted port)
        #dhcp-snooping authorized-server 1.1.1.1 (DHCP server)

    Traffic Mirroring
        #interface a1 monitor all both mirror 1
        #vlan 2 monitor ip access-group acl1 mirror 1
        #mirror 1 port a2
        show monitor

    VLAN sample
        vlan 11
            name "VLAN11"
            untagged a9-a12
            ip helper-address 10.10.10.10
            ip address 10.11.11.11 255.255.255.0
            exit

    IP Routing
        #ip routing
        #interface loopback 1 ip address 10.1.1.1
        #ip route 10.0.0.0/24 10.1.1.254

        router ospf
            area backbone
        vlan 2
            ip address 10.1.1.1 255.255.255.0
            ip ospf 10.1.1.1 passive
            ip ospf 10.1.1.1 area backbone
            ip ospf cost 10

    November 10, 2009

    Internet Through MPLS – Default Route Propagation

    Yesterday we had a customer network migration from IPsec VPN to MPLS. The customer’s headquarters network was to be the point of internet sharing, so that all branch offices use it for internet browsing. OSPF was chosen as the dynamic routing protocol between CE and PE, as the ASA is deaf to BGP. We configured everything on the CE side and contacted the customer’s service provider to check their configuration; everything was fine except the default route. We had injected a default route at HQ, but the branch offices were unable to receive that 0.0.0.0/0 route through MPLS.

    The service provider (DU) told me that OSPF is not able to inject a default route from one CE to another CE, and that we had to migrate to BGP! What!? It’s not true. I sent them a sample configuration to set on their PE LSRs; now it’s time to explain the problem in detail:

    1. Customer 1 injects a default route via OSPF with the “default-information originate” command toward the service provider’s PE router.
    2. The service provider receives the LSA type 5 and should “redistribute ospf x vrf Customer1 match external” into MP-BGP toward the other PE.
    3. BGP will not redistribute the default route unless we configure “default-information originate” under “address-family ipv4 vrf Customer1” (tricky).
    4. The other PE receives 0.0.0.0/0 via BGP from the first PE and should redistribute it into OSPF, but it won’t unless we configure “default-information originate” under the OSPF process.

    In our example, R7 is connected to the internet using a static route. R7 injects the internet route into the PE (R3) by “redistribute static subnets”. R3 redistributes that into BGP with “default-information originate” toward the other PE (R2). Now R2 has 0.0.0.0/0 in BGP and should redistribute it into OSPF, using “default-information originate” to send it to its own connected CE.

     

    So I sent the following diagram to the provider for their reference:

     

    Example (based on the first topology):

     

    R7 (CE-Internet):
    router ospf 1
    redistribute static subnets
    network 172.16.37.7 0.0.0.0 area 0
    default-information originate
    !
    ip route 0.0.0.0 0.0.0.0 172.16.69.68
    !

    R3 (PE):
    router ospf 147 vrf VPN1
    redistribute bgp 666 subnets
    network 0.0.0.0 255.255.255.255 area 0
    !
    router bgp 666
    no synchronization
    bgp log-neighbor-changes
    neighbor 2.2.2.2 remote-as 666
    neighbor 2.2.2.2 update-source Loopback0
    no auto-summary
    !
    address-family vpnv4
      neighbor 2.2.2.2 activate
      neighbor 2.2.2.2 send-community extended
    exit-address-family
    !
    address-family ipv4 vrf VPN1
      redistribute ospf 147 vrf VPN1 match internal external 1 external 2
      default-information originate
      no synchronization
    exit-address-family
    !

    R2 (PE):

    router ospf 147 vrf VPN1
    redistribute bgp 666 subnets
    network 0.0.0.0 255.255.255.255 area 0
    default-information originate
    !
    router bgp 666
    no synchronization
    bgp log-neighbor-changes
    neighbor 3.3.3.3 remote-as 666
    neighbor 3.3.3.3 update-source Loopback0
    no auto-summary
    !
    address-family vpnv4
      neighbor 3.3.3.3 activate
      neighbor 3.3.3.3 send-community extended
    exit-address-family
    !
    address-family ipv4 vrf VPN1
      redistribute ospf 147 vrf VPN1 match internal external 1 external 2
      no synchronization
    exit-address-family

     

    Verification:

     

    R3#show ip ospf 147 database

                OSPF Router with ID (172.16.37.3) (Process ID 147)

                    Router Link States (Area 0)

    Link ID         ADV Router      Age         Seq# 
    172.16.37.3     172.16.37.3     1047        0x8000
    172.16.37.7     172.16.37.7     1021        0x8000

                    Net Link States (Area 0)

    Link ID         ADV Router      Age         Seq# 
    172.16.37.3     172.16.37.3     1047        0x8000

                    Summary Net Link States (Area 0)

    Link ID         ADV Router      Age         Seq# 
    172.16.24.0     172.16.37.3     1047        0x8000

                    Type-5 AS External Link States

    Link ID         ADV Router      Age         Seq# 
    0.0.0.0         172.16.37.7     482         0x8000
    47.47.47.4      172.16.37.3     1047        0x8000
    47.47.47.7      172.16.37.7     1021        0x8000

     

    R3#show ip route vrf VPN1

    Routing Table: VPN1
    Gateway of last resort is 172.16.37.7 to network 0.0.0.0

         172.16.0.0/24 is subnetted, 2 subnets
    C       172.16.37.0 is directly connected, Ethernet0/2
    B       172.16.24.0 [200/0] via 2.2.2.2, 01:27:35
         47.0.0.0/32 is subnetted, 2 subnets
    O E2    47.47.47.7 [110/20] via 172.16.37.7, 01:24:49, Ethernet0/2
    B       47.47.47.4 [200/20] via 2.2.2.2, 01:27:35
    O*E2 0.0.0.0/0 [110/1] via 172.16.37.7, 00:09:39, Ethernet0/2

    R2#show ip bgp vpnv4 vrf VPN1
    BGP table version is 41, local router ID is 2.2.2.2
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 172.16.12.2:1 (default for vrf VPN1)
    *>i0.0.0.0          3.3.3.3                  1    100      0 ?
    *> 47.47.47.4/32    172.16.24.4             20         32768 ?
    *>i47.47.47.7/32    3.3.3.3                 20    100      0 ?
    *> 172.16.24.0/24   0.0.0.0                  0         32768 ?
    *>i172.16.37.0/24   3.3.3.3                  0    100      0 ?

    R4#show ip route
    Gateway of last resort is 172.16.24.2 to network 0.0.0.0

         172.16.0.0/24 is subnetted, 2 subnets
    O IA    172.16.37.0 [110/11] via 172.16.24.2, 03:32:41, Ethernet0/0
    C       172.16.24.0 is directly connected, Ethernet0/0
         47.0.0.0/32 is subnetted, 2 subnets
    O E2    47.47.47.7 [110/20] via 172.16.24.2, 01:27:21, Ethernet0/0
    C       47.47.47.4 is directly connected, Loopback0
    O*E2 0.0.0.0/0 [110/1] via 172.16.24.2, 00:12:15, Ethernet0/0

    Note that the branch offices still have their own internet link as backup, so whenever MPLS goes down they can use their own internet, with IPsec, to connect to headquarters automatically. If I had used “default-information originate always”, the CE would always advertise the default route regardless of its existence in the routing table. In our case we have an IP SLA-monitored static route to the internet, and whenever it goes down OSPF withdraws the default-route advertisement (“default-information originate” without “always”), so the branch office falls back to the higher administrative distance static route to its own internet (floating route). It then uses IPsec to HQ, as the crypto map on the internet interface is triggered.

    November 1, 2009

    MPLS Traffic Engineering

    TE was the main driver and reason for the invention of MPLS: to utilize the bandwidth of unused links, to have flexibility in path selection just like the previous WAN switching technologies, and to create virtual circuits on top of IP networks. IP routing is performed hop by hop, and you cannot dictate a policy to other hops. TE is configured on the head-end LSR and uses a particular label for a particular path (explicit routing / source-based routing).

    RSVP is used to prepare a path, create a tunnel and allocate labels to route packets through the network. Link-state routing protocols are required as well, to report the available bandwidth on each link and other extra information such as the maximum reservable bandwidth. Extensions were made to RSVP (carry label, record route) and to OSPF and IS-IS (constrained metric) to be able to do traffic engineering. So once we want to enable traffic engineering on our SP backbone, we have to enable these specific technologies in order to run TE:

    1. Enable TE (mpls traffic-eng tunnels) globally on the routers and on the links.
    2. Adjust the reservable bandwidth with “ip rsvp bandwidth” on the links.
    3. Tune your link-state routing protocol to deliver the TE attributes.
    4. Create your tunnel on the head-end LSR (unidirectional) and send packets through it.

    Example:

    MPLSTE

     

    In our example, we will configure a TE tunnel from R3 to R4, and from R4 to R3 (reverse direction) to transit our traffic through R3 – R1 – R2 – R4.

     

    Configuration

    R3:

    mpls traffic-eng tunnels
    !
    interface Tunnel1000
    ip unnumbered Loopback0
    tunnel destination 10.10.4.4
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng autoroute announce
    tunnel mpls traffic-eng priority 7 7
    tunnel mpls traffic-eng bandwidth 100
    tunnel mpls traffic-eng path-option 5 explicit name myway
    !
    interface Loopback0
    ip address 10.10.3.3 255.255.255.255
    !
    interface FastEthernet0/0
    ip address 10.10.35.3 255.255.255.0
    mpls ip
    !
    interface FastEthernet0/1
    ip address 10.10.34.3 255.255.255.0
    mpls traffic-eng tunnels
    mpls ip
    ip rsvp bandwidth 1000
    !
    interface ATM2/0
    ip address 10.10.13.3 255.255.255.0
    ip ospf network point-to-point
    mpls traffic-eng tunnels
    mpls ip
    ip rsvp bandwidth 1000
    pvc 100/0
      protocol ip 10.10.13.1 broadcast
    !
    !
    router ospf 10
    network 10.10.0.0 0.0.255.255 area 0
    mpls traffic-eng router-id Loopback0
    mpls traffic-eng area 0
    !
    ip explicit-path name myway enable
    next-address 10.10.1.1
    next-address 10.10.12.2
    next-address 10.10.24.4
    !

    R1:

    mpls traffic-eng tunnels
    !
    interface Loopback0
    ip address 10.10.1.1 255.255.255.255
    !
    interface FastEthernet0/0
    ip address 10.10.12.1 255.255.255.0
    mpls traffic-eng tunnels
    mpls ip
    ip rsvp bandwidth 1000
    !
    interface ATM2/0
    ip address 10.10.13.1 255.255.255.0
    ip ospf network point-to-point
    mpls traffic-eng tunnels
    mpls ip
    ip rsvp bandwidth 1000
    pvc 100/0
      protocol ip 10.10.13.3 broadcast
    !
    !
    router ospf 10
    network 0.0.0.0 255.255.255.255 area 0
    mpls traffic-eng router-id Loopback0
    mpls traffic-eng area 0
    !

    R2:

    mpls traffic-eng tunnels
    !        
    interface Loopback0
    ip address 10.10.2.2 255.255.255.255
    !
    interface Ethernet0/0
    ip address 10.10.12.2 255.255.255.0
    mpls label protocol ldp
    mpls ip
    mpls traffic-eng tunnels
    ip rsvp bandwidth 1000
    !
    interface Serial1/0
    ip address 10.10.24.2 255.255.255.0
    encapsulation frame-relay
    ip ospf network point-to-point
    mpls ip
    mpls traffic-eng tunnels
    frame-relay map ip 10.10.24.2 204
    frame-relay map ip 10.10.24.4 204 broadcast
    no frame-relay inverse-arp
    ip rsvp bandwidth 1000
    !
    router ospf 10
    mpls traffic-eng router-id Loopback0
    mpls traffic-eng area 0
    network 0.0.0.0 255.255.255.255 area 0
    !

    R4:

    mpls traffic-eng tunnels
    !
    interface Loopback0
    ip address 10.10.4.4 255.255.255.255
    !
    interface Tunnel1000
    ip unnumbered Loopback0
    tunnel destination 10.10.3.3
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng autoroute announce
    tunnel mpls traffic-eng path-option 5 explicit name myway
    no routing dynamic
    !
    interface Ethernet0/0
    ip address 10.10.46.4 255.255.255.0
    mpls ip
    !
    interface Ethernet0/1
    ip address 10.10.34.4 255.255.255.0
    mpls ip
    mpls traffic-eng tunnels
    ip rsvp bandwidth 1000
    !        
    interface Serial1/0
    ip address 10.10.24.4 255.255.255.0
    encapsulation frame-relay
    ip ospf network point-to-point
    mpls ip
    mpls traffic-eng tunnels
    frame-relay map ip 10.10.24.2 402 broadcast
    frame-relay map ip 10.10.24.4 402
    no frame-relay inverse-arp
    ip rsvp bandwidth 1000
    !
    router ospf 10
    mpls traffic-eng router-id Loopback0
    mpls traffic-eng area 0
    log-adjacency-changes
    network 10.10.0.0 0.0.255.255 area 0
    !
    ip explicit-path name myway enable
    next-address 10.10.24.2
    next-address 10.10.12.1
    next-address 10.10.13.3
    !

    R3#show mpls traffic tunnel

    Name: R3_t1000             (Tunnel1000) Destination: 10.10.4.4

    Status:    Admin: up  Oper: up  Path: valid   Signalling: connected
    path option 5, type explicit myway (Basis for Setup, path weight 66)
    Config Parameters:
    Bandwidth: 100   kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
        Metric Type: TE (default)
        AutoRoute:  enabled   LockDown: disabled  Loadshare: 100   bw-based
        auto-bw: disabled

      InLabel  :  -
      OutLabel : ATM2/0, 26
      RSVP Signalling Info:
      Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 176
      RSVP Path Info:
      My Address: 10.10.13.3   
      Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4 10.10.4.4
          Record   Route:   NONE
          Tspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
        RSVP Resv Info:
          Record   Route:   NONE
          Fspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits

    LSP Tunnel R4_t1000 is signalled, connection is up
      InLabel  : ATM2/0, implicit-null
      OutLabel :  -
      RSVP Signalling Info:
           Src 10.10.4.4, Dst 10.10.3.3, Tun_Id 1000, Tun_Instance 131


    Verification

    Before:

    R5#trace 10.10.6.6

    Type escape sequence to abort.
    Tracing the route to 10.10.6.6

      1 10.10.35.3 [MPLS: Label 23 Exp 0]
      2 10.10.34.4 [MPLS: Label 17 Exp 0]
      3 10.10.46.6

    After:

    R5#trace 10.10.6.6

    Type escape sequence to abort.
    Tracing the route to 10.10.6.6

      1 10.10.35.3 [MPLS: Labels 23 Exp 0]
      2 10.10.13.1 [MPLS: Label 26 Exp 0]
      3 10.10.12.2 [MPLS: Label 25 Exp 0]
      4 10.10.24.4 
      5 10.10.46.6

    Dynamic Path Configuration:

    interface Tunnel1000
    ip unnumbered Loopback0
    tunnel destination 10.10.4.4
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng autoroute announce
    tunnel mpls traffic-eng priority 7 7
    tunnel mpls traffic-eng bandwidth  100
    tunnel mpls traffic-eng path-option 10 dynamic
    !

    R3(config-if)#do sh mpls traf tu

    Name: R3_t1000                    (Tunnel1000) Destination: 10.10.4.4
      Status:
        Admin: up     Oper: up     Path: valid       Signalling: connected

        path option 10, type dynamic (Basis for Setup, path weight 1)

      Config Parameters:
        Bandwidth: 100 kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
        Metric Type: TE (default)
        AutoRoute:  enabled   LockDown: disabled  Loadshare: 100  bw-based
        auto-bw: disabled

      InLabel  :  -
      OutLabel : FastEthernet0/1, implicit-null
      RSVP Signalling Info:
           Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 178
        RSVP Path Info:
          My Address: 10.10.34.3  
          Explicit Route: 10.10.34.4 10.10.4.4
          Record   Route:   NONE
       

    R5#trace 10.10.6.6

    Type escape sequence to abort.
    Tracing the route to 10.10.6.6

      1 10.10.35.3 [MPLS: Labels 23 Exp 0]
      2 10.10.34.4 
      3 10.10.46.6

    R3(config-if)#int fa 0/1
    R3(config-if)#no mpls tra tun

    R3#sh mpls tra tun

    Name: R3_t1000                            (Tunnel1000) Destination: 10.10.4.4
      Status:
        Admin: up     Oper: up     Path: valid       Signalling: connected

        path option 10, type dynamic (Basis for Setup, path weight 66)

      Config Parameters:
        Bandwidth: 100 kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
        Metric Type: TE (default)
        AutoRoute:  enabled   LockDown: disabled  Loadshare: 100   bw-based
        auto-bw: disabled

      InLabel  :  -
      OutLabel : ATM2/0, 26
      RSVP Signalling Info:
           Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 180
        RSVP Path Info:
          My Address: 10.10.13.3  
          Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4
                          10.10.4.4
          Record   Route:   NONE
          Tspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
        RSVP Resv Info:
          Record   Route:   NONE
          Fspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
      History:
        Tunnel:
          Time since created: 2 hours, 42 minutes
          Time since path change: 12 seconds
        Current LSP:
          Uptime: 12 seconds
        Prior LSP:
          ID: path option 10 [179]
          Removal Trigger: tunnel shutdown

    LSP Tunnel R4_t1000 is signalled, connection is up
      InLabel  : ATM2/0, implicit-null
      OutLabel :  -
      RSVP Signalling Info:
           Src 10.10.4.4, Dst 10.10.3.3, Tun_Id 1000, Tun_Instance 136
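
To check that an LSP really follows the intended explicit path, and to catch the fallback to the shortest IGP path seen above when the dynamic path option is used, here is an added Python example (not Cisco code and not part of the original post). It parses the `show mpls traffic-eng tunnels` text shown above with regular expressions and maps the Explicit Route addresses back to routers using the interface addresses from the configs.

```python
"""Check an LSP's signalled path against the routers it was meant to transit.

Added example, not Cisco code. It parses the `show mpls traffic-eng tunnels`
text above with regular expressions; the address-to-router map is built from
the interface configurations in the post.
"""
import re
from typing import Dict, List

# Which router owns each address, taken from the configs above.
ROUTERS: Dict[str, str] = {
    "10.10.1.1": "R1", "10.10.12.1": "R1", "10.10.13.1": "R1",
    "10.10.2.2": "R2", "10.10.12.2": "R2", "10.10.24.2": "R2",
    "10.10.3.3": "R3", "10.10.13.3": "R3", "10.10.34.3": "R3",
    "10.10.4.4": "R4", "10.10.24.4": "R4", "10.10.34.4": "R4",
}

# Trimmed copies of the two head-end outputs above (explicit vs. dynamic path).
EXPLICIT_OUTPUT = """\
Name: R3_t1000             (Tunnel1000) Destination: 10.10.4.4
Status:    Admin: up  Oper: up  Path: valid   Signalling: connected
path option 5, type explicit myway (Basis for Setup, path weight 66)
  OutLabel : ATM2/0, 26
  RSVP Path Info:
  My Address: 10.10.13.3
  Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4 10.10.4.4
      Record   Route:   NONE
"""

DYNAMIC_OUTPUT = """\
Name: R3_t1000                    (Tunnel1000) Destination: 10.10.4.4
  Status:
    Admin: up     Oper: up     Path: valid       Signalling: connected
    path option 10, type dynamic (Basis for Setup, path weight 1)
  OutLabel : FastEthernet0/1, implicit-null
    RSVP Path Info:
      My Address: 10.10.34.3
      Explicit Route: 10.10.34.4 10.10.4.4
      Record   Route:   NONE
"""

IPV4 = r"\d+(?:\.\d+){3}"


def parse_tunnel(output: str) -> dict:
    """Pull the fields a path check needs out of one tunnel's output."""
    head = re.search(r"Name:\s*(\S+)\s*\((\S+)\)\s*Destination:\s*(" + IPV4 + ")", output)
    status = re.search(r"Admin:\s*(\S+)\s+Oper:\s*(\S+)\s+Path:\s*(\S+)\s+Signalling:\s*(\S+)", output)
    popt = re.search(r"path option (\d+), type (\w+)(?: (\S+))? \(Basis for Setup, path weight (\d+)\)", output)
    # The ERO may wrap onto a continuation line, so allow any whitespace between hops.
    ero = re.search(r"Explicit Route:((?:\s+" + IPV4 + r")+)", output)
    if not (head and status and popt and ero):
        raise ValueError("unrecognised show output")
    return {
        "name": head.group(1), "interface": head.group(2), "destination": head.group(3),
        "admin": status.group(1), "oper": status.group(2),
        "path": status.group(3), "signalling": status.group(4),
        "path_option": (int(popt.group(1)), popt.group(2), popt.group(3), int(popt.group(4))),
        "explicit_route": re.findall(IPV4, ero.group(1)),
    }


def router_path(explicit_route: List[str]) -> List[str]:
    """Collapse the hop-by-hop ERO into the sequence of routers it crosses."""
    path: List[str] = []
    for addr in explicit_route:
        router = ROUTERS.get(addr, addr)   # unknown address: keep it verbatim
        if not path or path[-1] != router:
            path.append(router)
    return path


def check_tunnel(output: str, expected_routers: List[str]) -> List[str]:
    """Return problems: tunnel not up, or LSP not crossing the expected routers in order."""
    info = parse_tunnel(output)
    problems: List[str] = []
    if (info["admin"], info["oper"]) != ("up", "up") or info["signalling"] != "connected":
        problems.append(f"{info['interface']} is not up/connected")
    actual = router_path(info["explicit_route"])
    if actual != expected_routers:
        problems.append(f"{info['interface']} path option {info['path_option'][0]} "
                        f"follows {actual}, expected {expected_routers}")
    return problems


if __name__ == "__main__":
    for label, output in (("explicit", EXPLICIT_OUTPUT), ("dynamic", DYNAMIC_OUTPUT)):
        print(label, check_tunnel(output, ["R1", "R2", "R4"]) or "OK")
```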

    October 29, 2009

    CCIE Magazine

    For those of you who haven’t heard about the CCIE Flyer magazine, it is not a bad idea to check their website: http://www.ccieflyer.com. They have CCIE-related stories, interviews, CCIE training boot camps with special pricing and also workbook promotions. The CCIE Agent, Eman (Emmanuel Conde), is a CCIE recruiter promoted by Worldwide Channels of Cisco Systems.

    October 24, 2009

    Cisco VPN Client for Windows 7

    October 2009 seems to be a super active month for Cisco: after introducing IOS 15, the ISR 2nd Generation and the new version of the CCIE (and rumors of new Catalysts), it’s time for Windows 7 and Mac OS X Snow Leopard to have Cisco VPN Client and Cisco AnyConnect SSL VPN Client versions available to download. Here are some cool new features:

    • Split DNS Fallback: AnyConnect tunnels only DNS queries that match specific domains, sending other requests to a public DNS server.
    • Log-on/off Scripting
    • Proxy Support Enhancements
    • Trusted Network Detection: AnyConnect automatically disconnects the VPN connection inside the trusted network.

     Cisco VPN Client 5.0.06

    vpnclient-win-msi-5.0.06.0110-k9.exe

    Release Date: 19/Oct/2009

    VPN Client Software for x86 version of 2000/XP/Vista/Windows 7 - Microsoft Installer



    Note:

    Win7 64-bit and Vista 64-bit are still not supported by the Cisco VPN Client (IPsec); Cisco is pushing customers toward the SSL VPN solution.

     

    Cisco AnyConnect VPN Client 2.4

    anyconnect-dart-win-2.4.0202-k9.pkg for Windows platforms.

    anyconnect-linux-2.4.0202-k9.tar.gz tarball package for Linux platforms.

    anyconnect-wince-ARMv4I-2.4.0202-k9.cab for Windows Mobile platforms.

    anyconnect-macosx-i386-2.4.0202-k9.dmg for Mac OS X "Intel" platforms.