Monday 5 February 2018

IPv6

IPv6 Link Local Addressing

Link-local IPv6 addresses are significant only within the context of a single link. This means that packets with link-local addresses cannot be routed between interfaces, and link-local addresses may overlap as long as they exist on different interfaces. The address format is FE80::/10.

Packets with link-local sources or destinations are mostly used by the router’s control plane protocols, such as IPv6 routing protocols. For broadcast segments, such as Ethernet, link-local reachability is implicit because of automatic resolution through ICMP Neighbor Discovery (ICMPv6).

IPv6 Unique Local Addressing

Unique Local IPv6 Unicast Addressing (ULA), defined in RFC 4193, deprecates the previously used Site-Local (FEC0::/10) addressing. ULA addresses in IPv6 are synonymous with the RFC 1918 private addresses and are not publicly routable prefixes on the Internet.

Other than the addressing format, ULA addressing exhibits no other unique behavior when compared to normal publicly routable IPv6 addresses.

IPv6 Global Aggregatable Addressing

Global unicast addresses, are publicly allocated and routable on the Internet. Global unicast addresses start with the binary prefix 001 (2000::/3) and therefore encompass the range 2000:: – 3FFF::. Generally only prefix 2001::/16 is currently used for allocation.

IPv6 EUI-64 Addressing

Extended Unique Identifiers (EUIs) are 64-bit values assigned to physical interfaces. EUIs are similar in many respects to IEEE MAC addresses, in that they identify a physical interface. IPv6 uses EUI-64 to construct a unique host address on a shared Ethernet segment automatically. When you use the eui-64 keyword, the IOS uses the 48-bit hardware address of the Ethernet interface as the foundation to construct the unique 64-bit interface identifier of the IPv6 address.

IPv6 Auto-Configuration

IPv6 has a special feature called auto-configuration. It replaces many functions served by DHCP in IPv4 networks. With IPv6 auto-configuration, an IPv6 host may automatically learn the IPv6 prefixes assigned to the local segment, as well as determine the default routers on that segment. A special type of link-local IPv6 addressing and the ICMPv6 ND (Neighbor Discovery) protocol accomplish this.

Router Advertisements can be sent at a specified interval, or the feature can be suppressed completely (“suppress-ra” is enabled by default on Ethernet interfaces; this default behavior can be changed with the no ipv6 nd suppress-ra).



Tuesday 23 January 2018

MPLS VPN - 3

MPLS LDP

LDP works similar to distance-vector protocols; it broadcasts all local prefixes with their respective labels. As soon as a local router learns the labels used by its neighbors for the same prefixes, it will program the LFIB with respective label values: incoming label (which has been locally generated) replaced with an outgoing label (used by the neighbor routers).

To enable MPLS switching on an interface and start LDP on the same interface, you must enter the interface-level command mpls ip . If you have too many interfaces to enable MPLS on, you may use MPLS LDP auto configuration, which is available when you run OSPF as your IGP protocol. Under the OSPF process, enter the command mpls ldp autoconfig. mpls ldp neighbor <IP> password <password>
By default, LDP will generate and advertise labels for every prefix found in the local routing table. Use mpls ldp advertise-labels for 10 command.

MP-BGP VPNv4

By default, when you create a new BGP neighbor using the command neighbor <IP> remote-as <NR> , the default IPv4 unicast address-family is activated for this neighbor. If for some reason you don’t want this behavior and only need the VPNv4 prefixes to be sent, you may disable the default behavior via the command no bgp default ipv4-unicast.

The VPN label is generated by the BGP process on the advertising router and directly corresponds to the local VRF route. The /32 restriction is needed to guarantee that the transport LSP terminates on the particular PE router, and not some shared network segment Check the MPLS labels (VPN labels) assigned to the VPN prefixes at the PE routers. There are two labels in the stack; one is the VPN label and the other is the transport label. You may find the VPN label in the BGP table, and the transport label can be found by looking up the VPNv4 BGP next-hop in the MPLS forwarding table.

MP-BGP Prefix Filtering

The special export route-map associated with the VRF could match the prefixes based on the prefix-lists, access-lists, or extendedcommunities. All routes not permitted in an export route-map are not exported into the BGP process. The export route-map may also be used to set the extendedcommunity attribute selectively, using the command set extcommunity rt.

PE-CE Routing with RIP

When you need to redistribute the MP-BGP routes into RIP, use the command redistribute bgp <N> metric [X|transparent] under the respective address family. Here, N is the BGP process number (AS#) and X is the metric assigned to the RIP routes. If you are using the keyword transparent , the RIP metrics will be recovered from the BGP MED attribute, which in turn is copied from RIP metrics learned at the remote site. This allows for transparent preservation of RIPv2 metric values across the VPN and better path selection in case of backdoor links.

PE-CE Routing with OSPF

All OSPF routes redistributed into MP-BGP are treated pretty much like Type 3 summary LSAs, because they enter the super-backbone from other areas. When
injected into BGP, OSPF prefixes have two extended-community attributes attached to them. One of the attributes is known as domain-id, which is equal to the OSPF
process numbers on the local router OR explicitly configured using the command domain-id under the OSPF process. The purpose of this attribute is to identify
OSPF processes belonging to different VPNs. It is assumed that you configured all OSPF processes within the same VPN using the same domain-id (such as the same
process number). If for some reason you exchange routes between two different VPNs using different domain-ids, the OSPF process will interpret all such prefixes
as if they are Type-5 External LSAs, effectively external routes. The other extended community attribute is known as the OSPF route-type, which
has three significant fields: source area, route-type, and option. They are usually depicted as triple X:Y:Z. Here, Y=2 for intra-area learned prefix, Y=3 for inter-area routes, Y=5 for external prefixes.

Notice that all routes redistributed from BGP into OSPF appear like inter-area routes even if they belong to the same area number at different sites. This effect occurs because the LSAs cross the super-backbone and essentially are inter-area routes. The last BGP attribute used to carry OSPF information is MED or metric, which copies the original route’s metric from the routing table. The route-type attribute is needed to allow for proper OSPF best-path calculation when routes are inserted into the OSPF database based on redistribution from BGP. Notice that the routes traveling the MP-BGP cloud do not increment their metric unless you manually change the MED attribute for incoming BGP prefixes.

OSPF implements some basic loop prevention rules. First, all summary LSAs generated from the routes redistributed from BGP have a special “Down” bit set in the LSA headers. If a router receives a summary-LSA with the down bit set on an interface that belongs to a VRF, it simply drops this LSA. This is to prevent the case of routing loops for multi-homed sites, when a summary LSA is flooded across the CE site and delivered back to another PE. However, this feature may have an undesirable effect when you have a CE router configured with multiple VRFs. In this case, you may want to enter the OSPF process command capability vrf-lite on the CE router. This will disable the default loop-prevention capability. Be advised that some IOS versions do not support this feature (such as older IOSs or some Catalyst IOS revisions). If you have such a router configured for multi-VRF and experience route black holing, configure the PE routers with different
domain-IDs; this will force all redistributed routes to become external and bypass the down-bit check. Note that in newer IOS versions, such as the one used in this example, the down bit is also included in Type-5 LSAs. capability vrf-lite would be needed.

The other feature is based on the route tagging. All routes redistributed via a particular PE will carry the OSPF route tag with the BGP AS number encoded
inside. The receiving router that has VRFs enabled will compare the AS number in the tag with the local BGP AS number. If they match, this could mean the LSA has
looped back to another PE connecting the same site to the MPLS backbone. If for some reason you encounter this issue and need to get rid of it, simply apply a
proper tag to the redistributed routes.

OSPF Sham-Link

If the link is in the same area as the PE/CE routers, the PE routers will prefer the path across the back-door link, because OSPF treats all paths across it
as intra-area, and the prefixes received via MP-BGP are interpreted as inter-area.
OSPF sham-link is a special tunnel similar to a virtual-link connecting two PE routers and configured in the same area as the PE routers. When the routes are being installed in the respective VRF RIB, the forwarding information is based on looking up the MP-BGP learned routes based on exact prefix-match. The corresponding VPN and transport labels are then used for actual packet forwarding across the MPLS core. Therefore, the information loaded across the sham-link is used only for SPF calculations and best-path selection; the actual forwarding is being done based on the information learned via MP-BGP.

Sham-links are sourced off actual interfaces configured in the respective VRF. Commonly, these are Loopback interfaces used as endpoints for the shamlink
tunnel. Notice that the IP addresses for these interfaces should be advertised into the VRF routing table by means other than OSPF, most commonly via BGP.
The sham-link’s endpoints should not be advertised into OSPF.


PE-CE Routing with EIGRP

One issue with transporting EIGRP routes over MP-BGP is preserving the original metric values, the route type, the source AS#, and the remote Router ID. These all are encoded using special BGP extended-community attributes that allow the remote site to properly decode the incoming routing update information.

Of course, the local EIGRP process will treat all prefixes originated in different remote AS# as external, per the normal EIGRP rules. Therefore, the AS# and the Router-ID information could be crucial to resolve potential routing loops in scenarios with backdoor links between the VPN sites. Another special attribute used with EIGRP prefixes redistributed into MP-BGP is known as the “cost attribute.” Although this attribute was designed to have pretty wide use, the main idea is to change the BGP best-path selection process. The problem with MPLS VPN route redistribution is that the same route may enter the PE’s BGP table using redistribution (learned from a CE router) and via a BGP update (learned from a remote site). Per the BGP best-path selection process, locally redistributed prefixes have a BGP weight of 32768, which make them always win the best-path selection process. Therefore, BGP will always choose the locally received update even if the remote site has better a EIGRP metric to reach the destination.

To resolve this issue, EIGRP prefixes redistributed into MP-BGP will have the Cost attribute value set to their composite metric. The BGP process will honor the Cost attribute value before ANY other best-path selection option if the attribute is present. The prefix with the lowest cost will immediately win the best-path selection and will be redistributed into the local EIGRP process. This process happens automatically and does not require any additional configuration. Notice that the Cost attribute is NOT needed with OSPF because the prefixes received via MP-BGP are treated as inter-area and are always less preferred compared to the same prefixes learned as intra-area from a CE device. When RIP is used for PE-CE routing, Cisco IOS does not implement the Cost attribute at all, so the locally redistributed prefixes will always get preferred over MP-BGP learned prefixes, preventing effective RIP deployment in scenarios with backdoor links.

When configuring EIGRP for MPLS VPNs, the same process is shared among multiple VRFs. An address family must be configured per VRF under the routing
process, and for every address-family you must configure an AS number using the command autonomous-system N . This command is mandatory to enable EIGRP for
that particular VRF.

EIGRP Site-of-Origin

With multi-homed scenarios similar to the ones we are using, BGP and EIGRP perform mutual redistribution at PE routers. This may potentially result in transient
routing loops, when a prefix is withdrawn in MP-BGP at one PE router and it is not timely propagated into EIGRP. EIGRP could then feed the invalid information back to BGP at another PE router, keeping the false information circulating between the PE routers until it’s eliminated by counting to infinity. The core of this problem is the mutual redistribution that allows the information learned from BGP at one site to reenter BGP at another site.

Cisco IOS implements a special feature known as EIGRP Site-of-Origin (SoO), which uses an extended community appended to BGP and EIGRP routing updates. All BGP prefixes redistributed into EIGRP and sent over the interface with the SoO set will have this extended community appended, but only if the community is not already present. If the update to be sent already has the same extended community value set, it is discarded as being redistributed back to the same site. The next thing that this feature does is apply the same extended community to all EIGRP routes received on the interface and redistributed into BGP. All these actions are performed by IOS automatically; you need only apply the route-map to the relevant interfaces.

-If you need to preserve the path across the MPLS core network, you should use different SoO values at every PE router of a multi-homed site. However, this means that the MP-BGP information injected into EIGRP at one PE router will reach the other PEs without being blocked. To prevent this effect, an additional SoO interface should be configured on the CE routers with the backdoor link.


Wednesday 1 November 2017

MPLS VPNs - 2

MPLS VPN services enable the possibility for the SP to provide a wide variety of additional services to its customers because MPLS VPNs are aware of the Layer 3 addresses at the customer locations. Additionally, MPLS VPNs can still provide the privacy inherent in Layer 2 WAN services. MPLS VPNs use MPLS unicast IP forwarding inside the SP’s network, with additional MPLS-aware
features at the edge between the provider and the customer.

Both P and PE routers run LDP and an IGP to support unicast IP routing. However, the IGP advertises routes only for subnets inside the MPLS network, with no customer routes included.

PEs have several other duties as well, all geared toward the issue of learning customer routes and keeping track of which routes belong to which customers. PEs exchange routes with the connected CE routers from various customers, using either external BGP (eBGP), RIPv2, OSPF, or EIGRP, noting which routes are learned from which customers. To keep track of the possibly overlapping prefixes, PE routers do not put the routes in the normal IP routing table—instead, PEs store those routes in separate per-customer routing tables, called VRFs. Then the PEs use IBGP to exchange these customer routes with other PEs—never advertising the routes to the P routers.

The extra work for the PE relates to the fact that the MPLS VPN data plane causes the ingress PE to place two labels on the packet, as follows:
- An outer MPLS header (S-bit = 0), with a label value that causes the packet to be label switched to the egress PE
- An inner MPLS header (S-bit = 1), with a label that identifies the egress VRF on which to base the forwarding decision

Virtual Routing and Forwarding Tables

Each VRF has three main components
   1. An IP routing table (RIB)
   2. A CEF FIB, populated based on that VRF’s RIB
   3. A separate instance or process of the routing protocol used to exchange routes with the CEs that need to be supported by the VRF

MP-BGP and Route Distinguishers

MPLS VPN protocols define the use of IBGP to advertise the routes—all the routes, from all the different VRFs. MPLS deals with the overlapping prefix problem by adding another number in front of the original BGP network layer reachability information (NLRI) (prefix). Each different number can represent a different customer, making the NLRI values unique.

RDs allow BGP to advertise and distinguish between duplicate IPv4 prefixes. Every VRF must be configured with an RD. The RD itself is 8 bytes with the first 2 bytes identify which of the three formats is followed.

MPLS RTs enable MPLS to support all sorts of complex VPN topologies—for example, allowing some sites to be reachable from multiple VPNs, a concept called overlapping VPNs. PEs advertise RTs in BGP Updates as BGP Extended Community path attributes (PA). RT values follow the same basic format as the values of an RD. However, note that while a particular prefix can have only one RD, that same prefix can have one or more RTs assigned to it.

It is sometimes helpful to think of the term export to mean “redistribute out of the VRF into BGP” and the term import to mean “redistribute into the VRF from BGP.”

For simple VPN implementations, in which each VPN consists of all sites for a single customer, most configurations simply use a single RT value, with each VRF for a customer both importing and exporting that RT value.

Overlapping VPNs

An overlapping VPN occurs when at least one CE site needs to be reachable by CEs in different VPNs. The RT concept allows an MPLS network to leak routes from multiple VPNs into a particular VRF.

MPLS VPN Configuration

MPLS VPN configuration focuses primarily on control plane functions: creating the VRF and associated RDs and RTs, configuring MP-BGP, and redistributing between the IGP used with the customer and BGP used inside the MPLS cloud.

The mpls ip command tells IOS that IP packets should be forwarded and received with an MPLS label.
The planning process must match the exported RT on one PE router to the imported RT on the remote PE, and vice versa, for the two
routers to exchange routes with MP-BGP.
The route-target both command could be used when using the same value as both an import and export RT.

Configuring the IGP Between PE and CE

The configuration of a routing protocol between the PE and CE. This routing protocol allows the PE router to learn the customer routes, and the customer routers to learn customer routes learned by the PE from other PEs in the MPLS cloud.

Configuring Redistribution Between PE-CE IGP and MP-BGP

The mechanics of the MPLS VPN mutual redistribution configuration requires that both the IGP and BGP be told the specific VRF for which redistribution occurs.
The configuration of the redistribute command, under both the BGP and IGP process, uses the address-family ipv4 vrf vrf-name command to set the VRF context. The redistribute command then acts on that VRF.
BGP uses a default metric (BGP MED) of using the integer metric to the redistributed route, so the redistribute eigrp command did not require a default metric setting.

MPLS Basic - 1

Instead of forwarding packets based on the packets’ destination IP address, MPLS defines how routers can forward packets based on an MPLS label. By disassociating the forwarding decision from the destination IP address, MPLS allows forwarding decisions based on other factors, such as traffic engineering, QoS requirements, and the privacy requirements for multiple customers connected to the same MPLS network, while still considering the traditional information learned using routing
protocols.

With MPLS unicast IP forwarding, the MPLS forwarding logic forwards packets based on labels. However, when choosing the interfaces out which to forward the packets, MPLS considers only the routes in the unicast IP routing table.

Many of the more helpful MPLS applications, such as MPLS Virtual Private Networks (VPN) and MPLS traffic engineering (TE), use MPLS unicast IP forwarding as one part of the MPLS network.

CEF Review

The FIB entry details the information needed for forwarding: the next-hop router and the outgoing interface. Additionally, the CEF adjacency table lists the new data-link header that the router will then copy in front of the packet before forwarding. For the data plane, a CEF router compares the packet’s destination IP address to the CEF FIB, ignoring the IP routing table. CEF optimizes the organization of the FIB so that the router spends very little time to find the correct FIB entry, resulting in a smaller forwarding delay and a higher volume of packets per second through a router. For each packet, the router finds the matching FIB entry, then finds the adjacency table entry referenced by the matching FIB entry, and forwards the packet.

Overview of MPLS Unicast IP Forwarding

The term Label Switch Router (LSR) refers to any router that has awareness of MPLS labels, for example, Routers PE1, P1, and PE2. 
FIB: Used for incoming unlabeled packets. Cisco IOS matches the packet’s destination IP address to the best prefix in the FIB and forwards the packet based on that entry.
LFIB: Used for incoming labeled packets. Cisco IOS compares the label in the incoming packet to the LFIB’s list of labels and forwards the packet based on that LFIB entry.

The MPLS Header and Label

The MPLS header is a 4-byte header, located immediately before the IP header. The MPLS EXP bits allow for QoS marking, which can be done using CB Marking. The MPLS EXP bits allow for QoS marking, which can be done using CB Marking. The LSRs will decrement the MPLS TTL field, and not the IP TTL field, as the packet passes through the MPLS network.

MPLS TTL propagation refers to the MPLS routers propagate the same TTL value across the MPLS network—the same TTL values that would have occurred if MPLS was not used at all.

Cisco routers can be configured to disable MPLS TTL propagation. When disabled, the ingress ELSR sets the MPLS header’s TTL field to 255, and the egress E-LSR leaves the original IP header’s TTL field unchanged. As a result, the entire MPLS network appears to be a single router hop from a TTL perspective, and the routers inside the MPLS network are not seen from the customer’s traceroute command.

PE1 can be configured to use TTL propagation for locally created packets, which allows the traceroute command issued from PE1 to list all the routers in the MPLS cloud. At the same time, PE1 can be configured to disable TTL propagation for “forwarded” packets (packets received from customers), preventing the customer from learning router IP addresses inside the MPLS network. (The command is no mpls ip propagatettl.)

MPLS IP Forwarding: Control Plane

MPLS supports many different control plane protocols. For example, MPLS VPNs use two control plane protocols: LDP and multiprotocol BGP (MP-BGP). While multiple control plane protocols can be used for some MPLS applications, MPLS unicast IP forwarding uses an IGP and one MPLS-specific control plane protocol: LDP.

MPLS LDP Basics

For unicast IP routing, LDP simply advertises labels for each prefix listed in the IP routing table. To do so, LSRs use LDP to send messages to their neighbors, with the messages listing an IP prefix and corresponding label. By advertising an IP prefix and label, the LSR is essentially saying, “If you want to send packets to this IP prefix, send them to me with the MPLS label listed in the LDP update.”
The LDP advertisement is triggered by a new IP route appearing in the unicast IP routing table. Upon learning a new route, the LSR allocates a label called a local label. The local label is the label that, on this one LSR, is used to represent the IP prefix just added to the routing table

The routers in the MPLS cloud must use some IP routing protocol to learn IP routes to trigger the LDP process of advertising labels. Typically, for MPLS unicast IP routing, you would use an interior gateway protocol (IGP) to learn all the IP routes, triggering the process of advertising the corresponding labels. 

The MPLS Label Information Base Feeding the FIB and LFIB

LSRs store labels and related information inside a data structure called LIB. The FIB and LFIB contain labels only for the currently used best LSP segment, while the LIB contains all labels known to the LSR, whether the label is currently used for forwarding or not. To make a decision about the best label to use, LSRs rely on the routing protocol’s decision about the best route.

To enable MPLS for simple unicast IP forwarding, an LSR simply needs to enable CEF, globally enable MPLS, and enable MPLS on each desired interface. Also, IOS uses LDP by default. 

The term remote binding refers to a label-prefix binding learned through LDP from some LDP neighbor.

The FIB is used to forward packets that arrived unlabeled, and the LFIB is used to forward packets that arrived already labeled. 
show mpls forwarding-table 10.3.3.0 24
show mpls ldp bindings 10.3.3.0 24


Label Distribution Protocol Reference

LDP uses a Hello feature to discover LDP neighbors and to determine to what IP address the ensuing TCP connection should be made. LDP multicasts the Hellos to IP address 224.0.0.2, using UDP port number 646 for LDP.

After discovering neighbors through an LDP Hello message, LDP neighbors form a TCP connection to each neighbor, again using port 646.table. After the TCP connection is up, each router advertises all its bindings of local labels and prefixes


Monday 25 September 2017

VRF Lite - 1

All router interfaces which provide transport for both types of traffic have been configured with two subinterfaces performing 802.1Q encapsulation; .10 for VLAN 10 (blue) and .20 for VLAN 20 (red).

VRF lite is simple: each routed interface (whether physical or virtual) belongs to exactly one VRF. Unless import/export maps have been applied, routes (and therefore packets) cannot move from one VRF to another, much like the way VLANs work at layer two. Packets entering VRF A can only follow routes in routing table A, as we'll see shortly.

Topology



After configuring, the routing tables are as follows:


--

----


----------------------------------

Trace route test from the Host PCs




Reachability from PC4 to PC1 is fine (BLUE vrf). The traceroute result shows PC4 <-> R3 <-> R2 <-> PC1.



Reachability from PC4 to PC2 is not working as they are in different VRF and 10.0.0.1 (FW) does not have a route to 192.168.x.x network.




Thursday 31 August 2017

EEM Scripting

EEM Scripting - Interface Events

Embedded Event Manager is a feature of the Cisco IOS operating system that allows you to write handlers for various system events. The core of EEM is a special process known as an EEM server that acts as a middleware agent between event detectors and EEM event subscribers. There is a fixed number of event detectors that post an event when a programmed condition is met.
 CLI event detector – detects various commands typed in CLI based on regular expression matching
 Syslog event detector – responds to various syslog strings, allowing for matching on regular expressions just like CLI detector
 Interface counter – responds to various interface’s counters crossing threshold settings
 Counter – responds to the change of value of a generic system counter
 SNMP – monitors
 None –a special case of event detector triggered when a user issues the command "event manager run" to execute a named EEM script/applet
 Watchdog – generates periodic timer events and allows the EEM script to be run at repeating time intervals

The other parts of the EEM system—event subscribers—are defined and registered with the EEM server as either EEM applets or scripts. Applets are simple programs written using a very basic set of CLI commands that start with an action keyword. Scripts are special TCL scripts written to handle EEM events. The applets are easy to write and powerful enough to perform many functions including CLI commands, email sending, SNMP/Syslog message generation, and implementing basic program logic (such as branching or computations).

Every EEM applet has a name and a detector condition defined to trigger the applet. The applet may access global variables defined using the command event manager environment or the parameters passed to them by an event detector. There are predefined environment variables accessible to the EEM scripts, specific to every event detector.You may also list the variables for an event detector using the command show event manager detector <NAME> detailed. Every applet definition starts with a group of event commands that specify the event detector and the condition to trigger the applet. Normally there is only one event defined for an applet. If you define multiple events, you must further specify how they co-relate to each other

  event manager applet INTERFACE_LOAD
  event tag 1 interface name Serial0/0/0 parameter rxload entry-op gt entry-val 153 entry-type value poll-interval 30
  action 0.0 cli command "enable"
  action 1.0 cli command "conf t"
  action 2.0 cli command "interface Serial 0/0/0"
  action 3.0 cli command "ip access-group CRITICAL_TRAFFIC in"
  action 4.0 mail server "155.1.146.100" to "noc@INE.com" from "r5@INE.com" subject "Interface Alert" body "Interface ...

Register the applet with the “none” event detector to be able to run the applet from the CLI for “dry-run” testing purposes. Enable EEM debugging commands to track the CLI and E-Mail actions and run the applet manually first.
  event manager applet INTERFACE_LOAD
   event tag 2.0 none
  Rack1R5#debug event manager action cli
  Rack1R5#event manager run INTERFACE_LOAD


EEM Scripting - Syslog Events
---------------------------------------
  event manager applet INTERFACE_SHUTDOWN
  event tag 1.0 syslog pattern "Interface GigabitEthernet1.*changed.*down"
  action 1.0 cli command "enable"
  action 2.0 cli command "conf t"
  action 3.0 cli command "interface GigabitEthernet1"
  action 4.0 cli command "no shutdown"
  action 5.0 cli command "end"
  action 6.0 cli command "show users"


EEM Scripting: CLI Events
----------------------------------
The CLI event detector allows for monitoring certain CLI patterns and publishes an event if a match occurs. The event monitoring configuration could use the parameter sync set to either “yes” or “no” to define a synchronous or asynchronous applet. When the applet event condition is synchronous, the EEM server will hold the matched CLI command execution until the script terminates. The script should return an exit value in the variable $_exit_status , and this will determine whether the triggered command will run (status 1) or not (status 0). Asynchronous event handlers will let the CLI command execute and the event will be posted after that. The script cannot affect the command execution. Notice that asynchronous CLI events require a set of additional parameters, such as number of occurrences and the time window for the occurrences. Another command we use in the script below is the puts action. It allows you to display arbitrary text on the console, provided that the script is synchronous.

  event manager applet SHOW_RUN_FILTER
  event tag 1.0 cli pattern "show run" sync yes
  action 1.0 cli command "enable"
  action 2.0 cli command "show run | exclude username"
  action 3.0 puts $_cli_result
  !
  ! Exit status of 0 block execution of the original command
  !
  action 4.0 set $_exit_status 0
  R5#show event manager policy registered event-type cli

EEM Scripting: Periodic Scheduling
-----------------------------------------------
Event applets may be configured to respond to periodic or timed events—for example, to fire every time interval or start at a fixed time in the future.
  event manager applet SHOW_RUN_EVERY_5MIN
  event tag 1.0 timer watchdog time 300
  !
  ! We use write term as we intercepted show runin the previous task
  !
  action 1.0 cli command "enable"
  action 2.0 cli command "write term"
  action 3.0 syslog msg "Configuration Saved"



DHCP Relay
------------

DHCP relay is supposed to insert the “giaddr” field in the relayed DHCP packets, so that DHCP server may identify the pool to be used for the request. The choice of the pool is made based on the “giaddr” field or the incoming interface, if the “giaddr” is missing or zero . Option 82 serves as refinement to the request, allowing the DHCP server to select a “sub-range” in the pool. (Notice that by default Cisco IOS devices reject packets with zero “giaddr” and by default Cisco Catalyst switches use “giaddr” of zero when configured for DHCP snooping!) A switch with DHCP Snooping enabled will drop packets on untrusted ports that contain Option 82 or have a non-zero giaddr (e.g. 0.0.0.0).
just a couple of sub-options, namely the “remote-id” (option ID 0×2) and the “circuit-id” (ID 0×01). Those two are supposed to identify the remote device and the port where the DHCP request was received.

the giaddr is used in DHCP relay scenarios to indicate which pool/subnet the DHCP server should assign the address from.
Option 82 is used in provider networks to give extra information to the DHCP server regarding where a device is located.
we have two options:
 1. Tell the switch not to set Option 82
no ip dhcp snooping information option
 2. Tell the router to ignore Option 82
ip dhcp relay information trust-all  --This command instructs the DHCP server that blank giaddr is acceptable, even if option 82 is set.

Tuesday 30 May 2017

Quality of Service - 2

MQC Class-Based Generic Traffic Shaping

The purpose of traffic shaping is to “format” an outbound packet flow so that it conforms to a traffic contract. The formatting process slows down the average bitrate and the packet flow structure, resulting in a traffic flow consisting of uniformly spaced traffic bursts. For example a customer buys an Ethernet circuit provisioned at 10Mbps, but the physical link to the provider is FastEthernet (100Mbps). Since the customer’s interface always serializes packets outbound at 100Mbps, and the service provider performs traffic policing/admission control inbound, shaping is needed on the customer side.

To slow the rate down, the first task of the shaper is to meter the traffic coming into the output queue, and decide whether it exceeds the target average rate. The concept of metering is based on the fact that traffic leaves an interface in a serial manner (bit by bit, packet by packet), and that packets are usually grouped in bursts, separated by periods of interface silence. While the router sends each burst at AR speed, the spacing between bursts makes the average rate less than the AR. The goal of metering is to mark those bursts that exceed (do not conform to) the desired average rate, called the Committed Information Rate (CIR).

The metering function of traffic shaping uses what is known as a token bucket model to determine if traffic conforms to, or exceeds, the average rate. Every time a packet tries to be de-queued to the transmit ring, the metering function compares the size of the packet trying to leave to the amount of tokens, or credit, in the token bucket. If the size of the packet is less than or equal to the amount of credit, the packet conforms and is sent. If the size of packet is greater than the amount of credit in the token bucket, the packet exceeds, and is delayed. The size of the token bucket is calculated by taking the desired average rate (CIR) in bits per second, and breaking it down into a smaller value of bursts in bits per interval in milliseconds. These values are expressed as Bc (Burst Committed) bits, and Tc (Time Committed) milliseconds. The size of the token bucket is Bc bits. Essentially every Tc period, the token bucket is refilled with the Bc amount in bits. Think of the Bc bits as tokens going into the bucket every Tc interval. The key point here isthat Bc bits per Tc interval is the same value as CIR bits per second, but is simply expressed in smaller units.

If packet exceeds because there are not enough tokens in the bucket, the shaping process delays the packet and holds it in the internal shaping queue. By this logic, even though traffic is always sent at the AR, the periods of delay incurred by non-conforming traffic in the shaping queue results in the overall average rate (CIR) being lower than the AR. The size of Tc is not manually configurable, however it is configured indirectly by configuring the CIR and the Bc values based on the formula Bc = CIR * Tc/1000; Tc is in milliseconds.

One possible problem with the above calculation for Bc is the case that the packet trying to be de-queued is larger than Bc, which means that there would never be enough credits in the token bucket to send it. For example if a packet’s size is 1500 bytes, but the Bc is only 1000 bytes. To deal with this situation the shaper calculates a deficit counter (e.g. 1000-1500=-500) and adds this counter to the accumulated credit in the next round (next Tc interval). In effect this reduces the amount of traffic to send the next time around.  To avoid this problem altogether ensure that Bc is greater than the average packet size, which will achieve a smoother packet distribution. This is not always possible though, since there are cases when CIR value is too low. In the latter case, layer 2 fragmentation can be introduced. The next problem case that the scheduler can run into is when it has no traffic to send during a time interval (e.g. a pause in the packet stream), but it has more than Bc bits to send in the following time interval. Based on the leaky token bucket algorithm, no more than Bc bytes can be sent per Tc interval, even if in previous intervals it did not send enough traffic. The result of this is that the shaper achieves less than the desired average rate. To resolve this problem, traffic shaping uses what is known as a dual leaky token bucket, with the first token bucket represented as Committed Burst (Bc) and the second token bucket as Excess Burst (Be).

The Excess Burst bucket is only filled in the case that the full Bc bucket was not emptied in the previous interval. The extra credits, or tokens, left over from the Bc bucket are then moved to the Be bucket before the Bc bucket is refilled. For example, if the Bc size is 10 bits, but only 8 bits were sent in the current interval, a credit of 2 bits can be moved to the Be bucket if space is available. During the next interval, the scheduler can now de-queue up to Bc+Be bits. If Bc capacity is again not used completely, the left over credits are moved to Be, up to its maximum size.

Like Bc, Be has a finite size defined which controls how much credit can be stored. The size of the Be bucket is constrained by the Access Rate of the physical link, since the packets are always serialized at this rate. Therefore the maximum Be value (maxBe) is equal to (AR-CIR)*Tc/1000 which implies that if the shaper sends Bc+maxBe per Tc, it is sending at the Access Rate. The Be value can be set lower than maxBe, but should never exceed maxBe. Note that since Be is only populated due to a lack of Bc being used, the average sending rate over time still never exceeds the CIR.

With the command shape average under the policy-map class configuration, the CIR, Bc, and Be are defined. We used class-based shaping to limit the sub-interfaces sending rate. This is a common use of GTS(Generic Traffic Shaping), and the effect is that each sub-interface now uses its own software queue, whereas by default, all sub-interfaces share the software queue of their main interface. This also allows the use of separate QoS policies per sub-interface, because of the ability to tune shaper’s queue.