Thursday, November 17, 2016

Changing SSH port for a router

SSH uses port 22 by default. On a Cisco router you can move it to another port,

let's say port 800.

In this case you need to log in to the router and issue the command
#ip ssh port 800 rotary 1    ! this instructs the router's SSH server to listen on port 800 in addition to the original port 22

Then you need to tell the VTY lines to use rotary group 1, so under the line vty configuration issue the command
#rotary 1

Now you have to prevent the old port 22 from being used for SSH connections. That can be done with an ACL, so let's create an ACL that permits port 800 and denies everything else:

#ip access-list extended SSH
#permit tcp any any eq 800
#deny   ip any any

Then go into line vty configuration again and issue the command #access-class SSH in,
which applies the ACL named SSH inbound on the VTY lines.

You can further restrict the ACL by the source addresses you want to permit SSH connections from.

Now test SSH on both ports: you should get connection refused on port 22, and the connection on the new port (800) should succeed.
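As an added example (not from the original post), the following Python evaluates an IOS extended ACL the way the VTY `access-class ... in` check does: top-down, first match wins, implicit deny at the end. It carries the post's ACL and a tighter variant that also limits the source network; the 10.211.0.0/16 management range and the router address 192.0.2.1 are assumptions. Note that port 22 stays open on the router, so the ACL is the only thing refusing it.

```python
import ipaddress

# ACL exactly as the post configures it: only the destination port is checked.
POST_ACL = """
ip access-list extended SSH
 permit tcp any any eq 800
 deny   ip any any
"""

# Tighter variant: also limits the source to an assumed management network.
RESTRICTED_ACL = """
ip access-list extended SSH
 permit tcp 10.211.0.0 0.0.255.255 any eq 800
 deny   ip any any
"""

def _ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _take_address(tokens):
    """Pop an IOS address spec ('any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' with a
    wildcard mask) from the front of tokens; return (network_int, wildcard_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip_int(tokens.pop(0)), 0
    return _ip_int(tok), _ip_int(tokens.pop(0))

def _take_port(tokens):
    """Pop an optional 'eq N' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(text):
    """Parse permit/deny lines into (action, proto, src, src_port, dst, dst_port)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_address(rest)
        src_port = _take_port(rest)
        dst = _take_address(rest)
        dst_port = _take_port(rest)
        entries.append((action, proto, src, src_port, dst, dst_port))
    return entries

def _matches(net_wild, ip):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    net, wild = net_wild
    keep = ~wild & 0xFFFFFFFF
    return (_ip_int(ip) & keep) == (net & keep)

def evaluate(acl_text, src_ip, router_ip, dst_port, proto="tcp"):
    """Walk the ACL top-down as access-class does; unmatched traffic hits the implicit deny."""
    for action, p, src, _sp, dst, dp in parse_acl(acl_text):
        if p not in ("ip", proto):
            continue
        if not _matches(src, src_ip) or not _matches(dst, router_ip):
            continue
        if dp is not None and dp != dst_port:
            continue
        return action
    return "deny"

def ssh_allowed(acl_text, src_ip, router_ip="192.0.2.1"):
    """Which of the two listening ports (22 and the rotary port 800) the ACL admits."""
    return {port: evaluate(acl_text, src_ip, router_ip, port) == "permit" for port in (22, 800)}
```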

Sunday, November 6, 2016

QoS studying

I have finally started to study QoS, and since I have zero experience in QoS I spent some time trying to find the best study material.
I got some suggestions to study books like End to End QoS and some others, which I didn't read because the books start deep diving from the beginning, so what I did was search YouTube for videos, and I found Jeremy Cioara's video, which was so good; check the link.
The video, I think, is part of QoS for the CCVP certification, but it is definitely good for the CCIE R/S QoS part as well.


So let me list them:

Videos
A. Jeremy Cioara [ CCVP QoS ]
B. Keith Bogart [ INE Introduction to QoS for CCIE R/S ]

Books
INE WorkBook [ great labs ]

Websites

Cisco QoS websites
Networklessons.com

Finally, go back to the INE videos by Brian McGahan.


Searching bits and pieces from here and there does the trick when you are starting with something new. QoS is very important in the CCIE R/S study and exam, and in real networks as well, because your network is always going to have some point of congestion that you need to resolve with QoS.

Saturday, October 15, 2016

Implementing VRRP on DMZ SWITCHES

Hi All,


Recently my employer asked me to configure a DMZ on the firewall to be used for any server that will have direct internet access, so I implemented the DMZ and we started shifting any server we think might get attacked to the DMZ, for example DNS, NTP and others.

OK, after the DMZ setup was finished, we started to think about the redundancy of the DMZ switches, which by the way are not Cisco; we use HP in most of our network.


Anyhow, I started to check what options we had available to provide HA:

1. Stacking
2. HP IRF
3. Redundancy protocols [ VRRP ]

Stacking didn't work even though the feature exists on the switch, and after a thorough check I found out that many people on the HP community were suffering from the same issue: they can't get it to work.

Anyway, moving on to IRF, which is a good protocol, but it requires 10G ports to work and the maximum speed I had was 1Gbps.

So I was left with only VRRP to try to get working. I configured it and it was great, and I added tracking for the interface facing the firewall, because if the firewall interface is down the firewall will switch to the standby, but the other parts of the DMZ will still see the switch as their gateway, so the tracking makes the switch change to standby if the interface facing the firewall is down.


Check the figure below; sorry if you find it not detailed or organized, but that's what I have right now:



The configurations used are below:
[DMZ-SECONDARY]
interface Vlan-interface500
 ip address 172.16.16.249 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 120
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50 

[MAIN-DMZ]
interface Vlan-interface500
 ip address 172.16.16.250 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 150
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50

And the tracking is done as below:
[MAIN-DMZ]dis track all 
Track ID: 1
  Status: Positive
  Duration: 34 days 16 hours 4 minutes 32 seconds
  Notification delay: Positive 0, Negative 0 (in seconds)
  Reference object:
    Track interface  :
    Interface status : Inserted
    Interface        : GigabitEthernet1/0/1
    Protocol         : None
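To see how the tracking changes the election, here is an added example (not from the original post, and not HP's code) that parses the VRRP stanzas and the `dis track all` output above and computes each switch's effective priority. The Negative track state is constructed since the post only shows the healthy one; the election rule is the standard VRRP one (highest priority, then highest primary IP) for routers that are both in Backup state, and preempt is parsed because it decides whether a backup with a better effective priority displaces a master that is still advertising.

```python
import ipaddress
import re

# Configuration as given in the post (both switches), used as parser input.
VRRP_CONFIG = """
[DMZ-SECONDARY]
interface Vlan-interface500
 ip address 172.16.16.249 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 120
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50

[MAIN-DMZ]
interface Vlan-interface500
 ip address 172.16.16.250 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 150
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50
"""

# `dis track all` as shown in the post; the Negative variant is constructed.
TRACK_UP = """\
Track ID: 1
  Status: Positive
  Duration: 34 days 16 hours 4 minutes 32 seconds
  Reference object:
    Interface        : GigabitEthernet1/0/1
"""
TRACK_DOWN = TRACK_UP.replace("Status: Positive", "Status: Negative")

def parse_track_status(text):
    """Map track ID -> Positive/Negative from `dis track all` output."""
    status, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Track ID:\s*(\d+)", s)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"Status:\s*(\w+)", s)
        if m and current is not None:
            status[current] = m.group(1)
    return status

def parse_vrrp(config):
    """Per device: interface IP, configured priority, preempt flag, {track: reduction}.
    Comware defaults assumed: priority 100, preempt enabled."""
    devices, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"\[(.+)\]$", s)
        if m:
            cur = m.group(1)
            devices[cur] = {"ip": None, "priority": 100, "preempt": True, "tracks": {}}
            continue
        if cur is None:
            continue
        if m := re.match(r"ip address (\S+) ", s):
            devices[cur]["ip"] = m.group(1)
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)", s):
            devices[cur]["priority"] = int(m.group(1))
        elif m := re.match(r"vrrp vrid \d+ track (\d+) reduced (\d+)", s):
            devices[cur]["tracks"][int(m.group(1))] = int(m.group(2))
        elif re.match(r"undo vrrp vrid \d+ preempt-mode", s):
            devices[cur]["preempt"] = False
    return devices

def effective_priority(dev, track_status):
    """Configured priority minus every 'reduced' value whose track is Negative (floor 1)."""
    prio = dev["priority"]
    for track_id, reduction in dev["tracks"].items():
        if track_status.get(track_id) == "Negative":
            prio -= reduction
    return max(prio, 1)

def elect_master(devices, track_by_device):
    """Standard VRRP election from Backup state: highest priority, ties to the higher IP."""
    def rank(name):
        dev = devices[name]
        return (effective_priority(dev, track_by_device[name]), ipaddress.IPv4Address(dev["ip"]))
    return max(devices, key=rank)
```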
Thursday, June 9, 2016

Sending VPN logs to your email

Every VPN connection, whether site to site, SSL or remote access, might face problems that need your troubleshooting and diagnosis.

The process may need you to access the CLI and enable logging and debugging in order to find the problem, ideally at the time the user had the problem.

So here I will give the configuration steps that let you receive the logs from your firewall [ ASA ] at your email account.
This way you can check the logs for failed connections in your inbox, find the error codes and work out what the issue is from there.


1. Add the source address the emails are sent from, and the destination, which will be your email account.
To do that from ASDM:
Configuration > Device Management > Logging > E-Mail Setup
then add the source email address and then the destination email.

2. Create the event list that will be used to identify the events and severity to be monitored:
Configuration > Device Management > Logging > Event Lists


Add your list, name it, and choose the event classes you need to be triggered on; in our case we choose, for example: SSL, VPN, Auth.



3. Now you have to enable this list.

Go to Logging Filters and choose E-Mail logging, in the path Configuration > Device Management > Logging > Logging Filters.

Choose E-Mail logging from the options available on the page,
then click Edit,
choose the event list you created earlier from the drop-down box,
click OK and Apply, then save the configuration.


You should now receive emails in your inbox for the authentication process of remote access VPN and for any problem with authentication, which will help you identify whether there is a problem and how to solve it, depending on the error code and description.

The logs should look something like this:
<165>Jun 09 2016 13:12:00: %ASA-5-713120: Group = HIS_VPN, Username = name, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=a0779307)
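Once the emails arrive, the lines still have to be read. The following Python is an added example (not from the post) that parses ASA syslog lines of the shape shown above and applies the same class-and-severity filter the event list does. The sample lines are constructed, the addresses are documentation ranges, and the message-ID prefixes assumed for the vpn, ssl and auth classes should be checked against the ASA syslog message guide.

```python
import re

# Constructed sample lines in the format the post shows (addresses replaced with
# documentation ranges); 713120, 302013 and 713902 are real ASA message IDs.
SAMPLE_LOGS = """\
<165>Jun 09 2016 13:12:00: %ASA-5-713120: Group = HIS_VPN, Username = name, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=a0779307)
<166>Jun 09 2016 13:14:21: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/50112 (198.51.100.9/50112) to inside:10.211.1.5/443 (10.211.1.5/443)
<163>Jun 09 2016 13:15:02: %ASA-3-713902: Group = HIS_VPN, Username = name, IP = 198.51.100.7, Removing peer from correlator table failed, no match!
"""

# Message-ID prefixes assumed for the classes the post's event list selects
# (IKE/IPsec 713xxx, SSL stack 725xxx, user authentication 109xxx/113xxx).
CLASS_PREFIXES = {"vpn": ("713",), "ssl": ("725",), "auth": ("109", "113")}

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

def parse_asa_line(line):
    """Split one ASA syslog line into PRI, timestamp, severity, message ID and
    the 'Key = value' pairs that VPN messages carry in front of the free text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {k: v.strip() for k, v in re.findall(r"(\w+) = ([^,]+)", m.group("body"))}
    return {
        "facility": pri // 8,           # <165> -> facility local4 (20), severity 5
        "severity": int(m.group("sev")),
        "timestamp": m.group("ts"),
        "msgid": m.group("msgid"),
        "fields": fields,
        "text": m.group("body"),
    }

def select_events(log_text, classes=("vpn", "ssl", "auth"), max_severity=5):
    """Keep records in the chosen classes at the given severity or more urgent,
    mirroring the event-list filter the post builds in ASDM."""
    prefixes = tuple(p for c in classes for p in CLASS_PREFIXES[c])
    selected = []
    for line in log_text.splitlines():
        rec = parse_asa_line(line)
        if rec and rec["severity"] <= max_severity and rec["msgid"].startswith(prefixes):
            selected.append(rec)
    return selected

def summarize(records):
    """One line per VPN event: when, how urgent, who, from where."""
    return [
        f'{r["timestamp"]} sev={r["severity"]} {r["msgid"]} '
        f'user={r["fields"].get("Username", "-")} group={r["fields"].get("Group", "-")} '
        f'ip={r["fields"].get("IP", "-")}'
        for r in records
    ]
```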



hope this was helpful 
Monday, June 6, 2016

Threat Detection on Cisco ASA Firewall


Threat Detection is a feature that you can enable on the Cisco ASA firewall; we will use the ASA5512-X in our example.

Check below simple topology,

Enabling threat detection can be done on the CLI using the following:


#threat-detection basic-threat   [ enables basic threat detection ]
#threat-detection scanning-threat shun except object-group NOT-ATTACKER
#threat-detection statistics   [ this command enables advanced threat detection ]
#threat-detection statistics tcp-intercept rate-interval 5 burst-rate 25 average-rate 25


On ASDM: [ Configuration > Firewall > Threat Detection ]



NOT-ATTACKER is an object group that contains the IPs you don't want to end up in the shun list;
they are excepted from the action the firewall takes for the other event triggers.


To check the features enabled by the command #threat-detection statistics [ advanced ], use the command below:

# show running-config all threat-detection 
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except object-group NOT-ATTACKER
threat-detection statistics access-list
threat-detection statistics host number-of-rate 1
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics tcp-intercept rate-interval 5 burst-rate 25 average-rate 25
Note:
As you probably have some smartphones that connect to your network, you might face threats from inside your network; it is better to add your inside subnets to the exception list so that no host from your own networks gets blocked.

ASA# show object-group id NOT-ATTACKER
object-group network NOT-ATTACKER
 description: this object group contains hosts excluded from shun
 network-object 10.211.0.0 255.255.0.0
 network-object 192.168.200.0 255.255.252.0
 network-object 172.16.16.0 255.255.255.0
 network-object 10.80.90.0 255.255.255.0
Check the statistics below, which show what has been done with events that were considered threats:

ASA# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                 43              42      14             26160
  1-hour ACL  drop:                 45              43       0            163347
  10-min ICMP attk:                  0               0       0                 5
  1-hour ICMP attk:                  0               0       0                29
  10-min SYN attck:                 41              38     471             25067
  1-hour SYN attck:                 42              38      79            151824
  10-min  Scanning:                120             114   52852             72070
  1-hour  Scanning:                123             115   34517            444929
  10-min Bad  pkts:                 34              33       0             20596
  1-hour Bad  pkts:                 35              33       0            128188
  10-min  Firewall:                 78              75       0             47003
  1-hour  Firewall:                 81              77       0            293105
  10-min DoS attck:                  0               0       0               242
  1-hour DoS attck:                  0               0       0              1541
  10-min Interface:                 80             237       2             48218
  1-hour Interface:                 83              79       0            301326
Samer R. Saleem

Sunday, June 5, 2016

How does the IP phone work?
This subject can be found at the link below:
http://www.manucomp.com/cisco_tips/IP_phone_startup.html

IP Phone Startup Process


This figure provides an overview of the startup process for a Cisco IP Phone if you are using a Cisco Catalyst switch that is capable of providing Cisco prestandard Power over Ethernet (PoE).

  1. Obtain power from the switch: If you are using a Cisco switch that is capable of providing Cisco inline power, the switch will send a Fast Link Pulse (FLP) signal. The switch uses the FLP to determine if the attached device is an unpowered Cisco IP Phone. In the unpowered state, a Cisco IP Phone loops back the FLP, signaling the switch to send -48 V DC power down the line.
  2. Load the stored phone image: The Cisco IP Phone has nonvolatile Flash memory in which it stores firmware images and user-defined preferences. At startup, the phone runs a bootstrap loader that loads a phone image stored in Flash memory. Using this image, the phone initializes its software and hardware.
  3. Configure VLAN: After the IP Phone receives power and boots up, the switch sends a Cisco Discovery Protocol packet to the IP Phone. This Cisco Discovery Protocol packet provides the IP Phone with voice VLAN information, if that feature has been configured.
  4. Obtain IP address and TFTP server address: Next, the IP Phone broadcasts a request to a DHCP server. The DHCP server responds to the IP Phone with a minimum of an IP address, a subnet mask, and the IP address of the Cisco TFTP
  5. Contact TFTP server for configuration: The IP Phone then contacts the Cisco TFTP server. The TFTP server has configuration files (.cnf file format or .cnf.xml) for telephony devices, which define parameters for connecting to Cisco CallManager. The TFTP server sends the configuration information for that IP Phone, which contains an ordered list of up to three Cisco CallManagers. In general, any time you make a change in Cisco CallManager that requires a phone (device) to be reset, a change has been made to the configuration file of that phone. If a phone has an XML-compatible load, it requests an XMLDefault.cnf.xml format configuration file; otherwise, it requests a .cnf file.
    If you have enabled auto-registration in Cisco CallManager, the phones access a default configuration file (sepdefault.cnf.xml) from the TFTP server. If you have manually entered the phones into the Cisco CallManager database, the phone accesses a .cnf.xml file that corresponds to its device name. The .cnf.xml file also contains the information that tells the phone which image load that it should be running. If this image load differs from the one that is currently loaded on the phone, the phone contacts the TFTP server to request the new image file, which is stored as a .bin file.
  6. Register with Cisco CallManager: After obtaining the file from the TFTP server, the phone attempts to make a TCP connection to the highest-priority Cisco CallManager on the list.

Friday, June 3, 2016

IPSEC VPN Lan-to-Lan (GNS3 LAB)
Here is a lab to configure a site-to-site VPN. This is a great service to help companies connect their branches, and of course it is important when companies start to expand.

As a network engineer, you are required to provide the network and security infrastructure that helps your organization achieve its goals and maintain business continuity.
So let's go through the configuration between two sites, and remember this is a lab environment; real life scenarios could be different in some cases.
You might think this topology is very simple, but this is all you need for your lab!
So why not!

IPsec Site-to-Site VPN between Router #1 and Router #2

R1 IP is 50.1.1.1 with Loopback 0 IP of 1.1.1.1
R2 IP is 50.1.1.2 with Loopback 0 IP of 2.2.2.2

We will establish the VPN between the loopback interfaces (to be considered the LAN traffic of the two companies).

So in this lab the traffic between the two LANs will go through the process of encryption and decryption;

the peering will be done on the two public IPs.

R1 Configs:

archive
 log config
  hidekeys
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 6 cisco address 50.1.1.2
crypto ipsec transform-set ts esp-aes esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
 set peer 50.1.1.2
 set transform-set ts
 match address vpn
ip tcp synwait-time 5
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 50.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cmap
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.1.1.2
no ip http server
no ip http secure-server
!
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
R2 Config:


!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 6 cisco address 50.1.1.1
!
!
crypto ipsec transform-set ts esp-aes esp-sha-hmac
!
crypto map cmap 10 ipsec-isakmp
 set peer 50.1.1.1
 set transform-set ts
 match address vpn
!
!
!
ip tcp synwait-time 5
!
!      
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 50.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map cmap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.1.1.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
Verify:

Let's verify that everything is OK on ISAKMP:

R1#show crypto isakmp sa  
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
50.1.1.2        50.1.1.1        QM_IDLE           1001    0 ACTIVE


Note: you need to send traffic between both peers in order to bring the session up.


Verify IPsec

Sending traffic from Lo0 to the remote Lo0, which matches the ACL for the traffic to be protected, gives the result below.

R1#ping 2.2.2.2 source loopback 0 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 94 percent (94/100), round-trip min/avg/max = 4/14/48 ms

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: cmap, local addr 50.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 50.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
    #pkts decaps: 94, #pkts decrypt: 94, #pkts verify: 94
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 50.1.1.1, remote crypto endpt.: 50.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xAD55A003(2908069891)

     inbound esp sas:
      spi: 0x4052EA88(1079175816)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4429861/3489)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAD55A003(2908069891)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4429861/3489)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#

On R2 the SPIs are the same values sent from R1, but swapped: R1's outbound SPI is R2's inbound SPI and vice versa.

Check the output below:

     inbound esp sas:
      spi: 0xAD55A003(2908069891)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4521941/3279)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4052EA88(1079175816)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4521941/3279)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
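The symmetry of the SPIs and the packet counters can be checked programmatically. The Python below is an added example (not from the post or from Cisco) that parses both peers' `show crypto ipsec sa` extracts and cross-checks them; R2's packet counters are constructed because the post shows only its SA section.

```python
import re

# `show crypto ipsec sa` extracts from the post (R1's counters and SAs, R2's SAs);
# R2's packet counters are constructed since the post does not show them.
R1_SA = """\
    #pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
    #pkts decaps: 94, #pkts decrypt: 94, #pkts verify: 94
    #send errors 6, #recv errors 0
     inbound esp sas:
      spi: 0x4052EA88(1079175816)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xAD55A003(2908069891)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""
R2_SA = """\
    #pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
    #pkts decaps: 94, #pkts decrypt: 94, #pkts verify: 94
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xAD55A003(2908069891)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4052EA88(1079175816)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

def parse_ipsec_sa(text):
    """Pull the SPI and transform per direction plus the packet counters."""
    info = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("sas:"):
            # 'inbound esp sas:' -> 'inbound'; ah/pcp headers close the section
            section = s.split()[0] if "esp" in s else None
            continue
        if section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            info[section + "_spi"] = m.group(1)
        elif section and (m := re.match(r"transform: (.+?)\s*,", s)):
            info[section + "_transform"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", s):
            info["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", s):
            info["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
    return info

def check_tunnel(local, remote):
    """Cross-check the two peers: each side's outbound SPI must be the other's
    inbound SPI, transforms must agree, and traffic must flow both ways."""
    problems = []
    if local.get("outbound_spi") != remote.get("inbound_spi"):
        problems.append("local outbound SPI is not the remote inbound SPI")
    if local.get("inbound_spi") != remote.get("outbound_spi"):
        problems.append("local inbound SPI is not the remote outbound SPI")
    if local.get("outbound_transform") != remote.get("inbound_transform"):
        problems.append("transform sets differ between peers")
    if local["encaps"] == 0:
        problems.append("nothing encrypted: traffic is not matching the crypto ACL")
    elif local["decaps"] == 0:
        problems.append("encrypting but nothing decrypted: check the peer's crypto ACL and return path")
    return problems
```

The 6 send errors on R1 line up with the 6 dots at the start of the ping: those packets were dropped while ISAKMP and IPsec were still negotiating, which is the "send traffic to bring the session up" note above.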
Samer R. Saleem

Thursday, June 2, 2016

MPLS VPN Practice
Explanation for the topology above:

R7, R5, R8 and R6 are customer routers [ CE ] that use a static default route 0.0.0.0/0 toward the ISP.

R3, R1, R2 and R4 are the ISP network domain; R3 and R4 are PEs while R1 and R2 are Ps.


The ISP domain uses OSPF as its IGP.
The ISP domain uses MPLS to provide the customer with a VPN over the Ps and the internal interfaces of the PEs.
LDP is used to allocate and exchange labels, with both a manually configured label range and automatic allocation.
On the PEs, redistribution into the OSPF domain has been implemented to provide reachability to the CEs.
Configs are as follows:
R1:


interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip address 31.1.1.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 12.1.1.0 0.0.0.255 area 0
 network 31.1.1.0 0.0.0.255 area 0

mpls ldp router-id Loopback0 force
!
control-plane
!
!
==========================================================


R2:

mpls label range 200 299
mpls label protocol ldp
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip address 24.1.1.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 12.1.1.0 0.0.0.255 area 0
 network 24.1.1.0 0.0.0.255 area 0
!

!
mpls ldp router-id Loopback0 force
!

==============================================================


R7:


!
interface Loopback0
 ip address 7.7.7.7 255.255.255.0
!
interface FastEthernet0/0
 ip address 37.1.1.7 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 37.1.1.3
!
!


===========================================================

R4

mpls label protocol ldp
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 46.1.1.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 24.1.1.4 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 48.1.1.4 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 4.0.0.0 0.0.0.255 area 0
 network 24.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
mpls ldp router-id Loopback0 force
!
==============================================================

R5


!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 53.1.1.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 53.1.1.3
!
===============================================================


R6


!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
!
interface FastEthernet0/0
 ip address 46.1.1.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 46.1.1.4
!
!
==================================================================

R3


mpls label protocol ldp
multilink bundle-name authenticated
!
!

!
archive
 log config
  hidekeys
!

interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 53.1.1.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 31.1.1.3 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 37.1.1.3 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
mpls ldp router-id Loopback0
====================================================================


R8


interface Loopback0
 ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet0/0
 ip address 48.1.1.8 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 48.1.1.4
!
!

==================================================================


Verifying the configuration:

The first method is of course ICMP;
let's ping from one CE to another.


R5 ping to R6

R5#ping 46.1.1.6 repeat 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 46.1.1.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 20/58/84 ms
R5#

Traceroute from R5 to R6:
R5#traceroute 46.1.1.6

Type escape sequence to abort.
Tracing the route to 46.1.1.6

  1 53.1.1.3 4 msec 12 msec 8 msec
  2 31.1.1.1 [MPLS: Label 106 Exp 0] 60 msec 52 msec 40 msec
  3 12.1.1.2 [MPLS: Label 202 Exp 0] 72 msec 52 msec 32 msec
  4 24.1.1.4 48 msec 60 msec 36 msec
  5 46.1.1.6 108 msec 52 msec 76 msec
R5#

R5 uses a static default route to reach R6:

R5#show ip route 46.1.1.6
% Network not in table
R5#show ip cef 46.1.1.6
0.0.0.0/0, version 17, epoch 0, cached adjacency 53.1.1.3
0 packets, 0 bytes
  via 53.1.1.3, 0 dependencies, recursive
    next hop 53.1.1.3, FastEthernet0/0 via 53.1.1.3/32
    valid cached adjacency
Checking the MPLS forwarding table on a provider router inside the ISP network:

R1#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop  
tag    tag or VC   or Tunnel Id      switched   interface            
100    Pop tag     24.1.1.0/24       0          Fa0/0      12.1.1.2    
101    Pop tag     2.2.2.0/24        0          Fa0/0      12.1.1.2    
103    200         4.4.4.4/32        0          Fa0/0      12.1.1.2    
104    Pop tag     37.1.1.0/24       0          Fa0/1      31.1.1.3    
105    201         48.1.1.0/24       0          Fa0/0      12.1.1.2    
106    202         46.1.1.0/24       12332      Fa0/0      12.1.1.2    
107    Pop tag     53.1.1.0/24       13026      Fa0/1      31.1.1.3    
108    Pop tag     3.3.3.0/24        0          Fa0/1      31.1.1.3  
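The label reported at each traceroute hop can be checked against the LFIB of the router that answered. The Python below is an added example (not from the post) that does this with R1's table: the label in the ICMP reply from 31.1.1.1 must be R1's local label for a prefix covering 46.1.1.6, the entry's next hop must be the next address in the trace, and that hop must report the swapped-out label (or no label after a pop). Only R1's LFIB is on the page; other routers' tables would go into the same dictionary keyed by the address they answer from.

```python
import ipaddress
import re

# R1's forwarding table and the R5 -> R6 traceroute, both from the post.
R1_LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
100    Pop tag     24.1.1.0/24       0          Fa0/0      12.1.1.2
101    Pop tag     2.2.2.0/24        0          Fa0/0      12.1.1.2
103    200         4.4.4.4/32        0          Fa0/0      12.1.1.2
104    Pop tag     37.1.1.0/24       0          Fa0/1      31.1.1.3
105    201         48.1.1.0/24       0          Fa0/0      12.1.1.2
106    202         46.1.1.0/24       12332      Fa0/0      12.1.1.2
107    Pop tag     53.1.1.0/24       13026      Fa0/1      31.1.1.3
108    Pop tag     3.3.3.0/24        0          Fa0/1      31.1.1.3
"""
TRACEROUTE = """\
  1 53.1.1.3 4 msec 12 msec 8 msec
  2 31.1.1.1 [MPLS: Label 106 Exp 0] 60 msec 52 msec 40 msec
  3 12.1.1.2 [MPLS: Label 202 Exp 0] 72 msec 52 msec 32 msec
  4 24.1.1.4 48 msec 60 msec 36 msec
  5 46.1.1.6 108 msec 52 msec 76 msec
"""

LFIB_RE = re.compile(r"^(\d+)\s+(Pop tag|Untagged|\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+\[MPLS: Label (\d+) Exp \d+\])?")

def parse_lfib(text):
    """local label -> (outgoing label or 'Pop tag', prefix, next hop)."""
    table = {}
    for line in text.splitlines():
        if m := LFIB_RE.match(line):
            table[int(m.group(1))] = (m.group(2), m.group(3), m.group(6))
    return table

def parse_traceroute(text):
    """[(hop, address, label or None)] in hop order."""
    hops = []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            hops.append((int(m.group(1)), m.group(2), int(m.group(3)) if m.group(3) else None))
    return hops

def check_label_path(hops, lfib_by_router, destination):
    """For every hop whose LFIB we hold (keyed by the address it answers from),
    confirm the reported label is its own local label for a prefix covering the
    destination, that the entry's next hop is the next hop of the trace, and that
    the next hop reports the swapped-out label (None after a pop)."""
    problems = []
    dest = ipaddress.ip_address(destination)
    for i, (hop, addr, label) in enumerate(hops):
        table = lfib_by_router.get(addr)
        if table is None:
            continue
        if label is None or label not in table:
            problems.append(f"hop {hop} {addr}: label {label} is not in its LFIB")
            continue
        outgoing, prefix, next_hop = table[label]
        if dest not in ipaddress.ip_network(prefix):
            problems.append(f"hop {hop} {addr}: label {label} is bound to {prefix}, not the destination")
        if i + 1 >= len(hops):
            continue
        _, next_addr, next_label = hops[i + 1]
        if next_addr != next_hop:
            problems.append(f"hop {hop} {addr}: LFIB next hop is {next_hop} but the trace continues via {next_addr}")
        expected = None if outgoing == "Pop tag" else int(outgoing)
        if next_label != expected:
            problems.append(f"hop {hop} {addr}: swapped to {outgoing} but hop {hop + 1} reported {next_label}")
    return problems
```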


Hope this practice was useful!
Samer R. Saleem
EBGP peering - Simple Topology

EBGP peering Lab

The topology above shows simple EBGP peering, part of my study journey towards the CCIE Routing and Switching certificate.
No matter how big your topology is, EBGP peering basically works the same way.

Router #1 contains the configs below,
where the loopback interfaces are used as the update source; this type of config requires an IGP route to each loopback interface in order for the routers to be able to
* Add the command #ebgp-multihop in order to increase the TTL to more than 1 and also to cancel the connected check between two BGP neighbors, which requires the two routers to be in the same subnet [ connected ] in order to be peers.
=======================================================================
Router #1 Configs :

interface Loopback0
 ip address 100.100.100.100 255.255.255.0
!
interface Loopback100
 ip address 50.50.50.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 13.13.13.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 50.50.50.0 mask 255.255.255.0
 neighbor 3.3.3.3 remote-as 90
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 5.5.5.5 remote-as 200
 neighbor 5.5.5.5 ebgp-multihop 2
 neighbor 5.5.5.5 update-source Loopback0
 no auto-summary
!

ip route 3.3.3.0 255.255.255.0 13.13.13.3
ip route 5.5.5.0 255.255.255.0 10.0.0.2


=====================================================================

Router #2 Configs
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface Loopback20
 ip address 20.20.20.20 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 network 20.20.20.0 mask 255.255.255.0
 neighbor 100.100.100.100 remote-as 100
 neighbor 100.100.100.100 ebgp-multihop 2
 neighbor 100.100.100.100 update-source Loopback0
 no auto-summary
!

ip route 100.100.100.0 255.255.255.0 10.0.0.1
!

====================================================================


Router #3 Configs

interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Loopback90
 ip address 9.9.9.9 255.255.255.0
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 13.13.13.3 255.255.255.0
 duplex auto
 speed auto
!
router bgp 90
 no synchronization
 bgp log-neighbor-changes
 network 9.9.9.0 mask 255.255.255.0
 neighbor 100.100.100.100 remote-as 100
 neighbor 100.100.100.100 ebgp-multihop 2
 neighbor 100.100.100.100 update-source Loopback0
 no auto-summary
!

ip route 100.100.100.0 255.255.255.0 13.13.13.1
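The two requirements in the note above, a route to the peer's loopback and a TTL above 1, can be linted from the configuration. The Python below is an added example (not from the post) that checks Router #1's BGP stanza against its connected subnets and static routes; the finding texts are constructed wording, not IOS messages.

```python
import ipaddress
import re

# Router #1 configuration from the post (relevant stanzas only).
R1_CONFIG = """\
interface Loopback0
 ip address 100.100.100.100 255.255.255.0
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
interface FastEthernet0/1
 ip address 13.13.13.1 255.255.255.0
router bgp 100
 neighbor 3.3.3.3 remote-as 90
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 5.5.5.5 remote-as 200
 neighbor 5.5.5.5 ebgp-multihop 2
 neighbor 5.5.5.5 update-source Loopback0
ip route 3.3.3.0 255.255.255.0 13.13.13.3
ip route 5.5.5.0 255.255.255.0 10.0.0.2
"""

def parse_config(text):
    """Connected networks, static routes, local AS and the per-neighbor statements."""
    connected, routes, neighbors, local_as = [], [], {}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", s):
            connected.append(ipaddress.ip_network((m.group(1), m.group(2)), strict=False))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", s):
            routes.append(ipaddress.ip_network((m.group(1), m.group(2)), strict=False))
        elif m := re.match(r"router bgp (\d+)", s):
            local_as = int(m.group(1))
        elif m := re.match(r"neighbor (\S+) (remote-as|ebgp-multihop|update-source)(?: (\S+))?$", s):
            value = m.group(3) if m.group(3) else "255"   # bare 'ebgp-multihop' means TTL 255
            neighbors.setdefault(m.group(1), {})[m.group(2)] = value
    return local_as, connected, routes, neighbors

def lint_ebgp(text):
    """Findings a reviewer would raise before expecting the eBGP sessions to come up."""
    local_as, connected, routes, neighbors = parse_config(text)
    findings = []
    for peer, attrs in neighbors.items():
        if "remote-as" not in attrs or int(attrs["remote-as"]) == local_as:
            continue  # iBGP (or an incomplete statement): the multihop rule does not apply
        ip = ipaddress.ip_address(peer)
        on_link = any(ip in net for net in connected)
        ttl = int(attrs.get("ebgp-multihop", 1))   # IOS default TTL for eBGP is 1
        if not on_link and ttl < 2:
            findings.append(f"{peer}: not on a connected subnet but ebgp-multihop is missing "
                            "(TTL 1 and the connected check will reject the session)")
        if not on_link and not any(ip in net for net in routes):
            findings.append(f"{peer}: no route to the peer address, so the TCP session can never be opened")
    return findings
```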


Now let's verify the configurations :



R1#show ip bgp
BGP table version is 4, local router ID is 100.100.100.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 9.9.9.0/24       3.3.3.3                  0             0 90 i
*> 20.20.20.0/24    5.5.5.5                  0             0 200 i
*> 50.50.50.0/24    0.0.0.0                  0         32768 i

===========================================================

R1#show ip bgp summary
BGP router identifier 100.100.100.100, local AS number 100
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
4/3 BGP path/bestpath attribute entries using 496 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1092 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4    90       8      10        4    0    0 00:04:04        1
5.5.5.5         4   200       8      10        4    0    0 00:04:07        1

Hope this was useful!

Samer R. Saleem