Cisco BNG deployment guide (PPP, IPoE)

https://blog.ine.com/2009/07/22/understanding-dhcp-option-82

https://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Service%20Provider/BRKSPG-2303%20%20Residential%20Broadband%20Subscriber%20Aggregation%20and%20BNG%20Deployment%20Models.pdf

https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436#DHCPIP_sessions

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/bng/configuration/guide/b-bng-cg-asr9k-61x/b-bng-cg-asr9k-61x_chapter_0101.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-s/dhcp-15-s-book/dhcp-option-82.html

https://supportforums.cisco.com/document/12516486/asr9k-bng-radius-and-coa-deployment-guide
https://supportforums.cisco.com/document/94171/asr9000xr-bng-deployment-guide
https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/4441-docs-service-providers/article-id/1985
https://supportforums.cisco.com/t5/xr-os-and-platforms/asr-9k-bng-dhcp-triggered-session-start-ack-not-received-by/td-p/2641468
https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-vsa-s-vendor-specific-attributes-and-services/ta-p/3141601
https://supportforums.cisco.com/t5/service-providers-documents/asr9000-bng-training-guide-setting-up-pppoe-and-ipoe-sessions/ta-p/3124670

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iwag/configuration/xe-3s/IWAG_Config_Guide_BookMap/dhcp-option-82-remote-id-format.pdf

Google cloud gateway

https://cloud.google.com/compute/docs/vpn/advanced

https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithCiscoASA.pdf

 

Here's a (final/working) config in case anyone else wants to do this:

===================
crypto ikev2 proposal gcp-ikev2-proposal-1
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 2 5 14 15 16
!
crypto ikev2 policy gcp-ikev2-policy-1
 match fvrf any
 proposal gcp-ikev2-proposal-1
!
crypto ikev2 profile gcp-ikev2-profile-1
 match identity remote address gcp.gcp.gcp.gcp 255.255.255.255
 identity local address me.me.me.me
 authentication remote pre-share key xxxxxxxxxxxx
 authentication local pre-share key xxxxxxxxxxxx
 lifetime 10800
!
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile gcp-ipsec-profile-1
 set transform-set gcp-tset-1
 set pfs group14
 set ikev2-profile gcp-ikev2-profile-1
!
interface Tunnel0
 ip address 169.254.0.2 255.255.255.252
 tunnel source me.me.me.me
 tunnel mode ipsec ipv4
 tunnel destination gcp.gcp.gcp.gcp
 tunnel protection ipsec profile gcp-ipsec-profile-1
!
===================

And then configure BGP or maybe static routes as required.

After adding in the Tunnel0 interface config it just started working straight away. So I guess my config was right all along, it's just some other aspect of IPSEC that wasn't happy with something missing… Yay misleading debug output. :-/

Hope that helps someone else.

Tom

Cisco VDSL SNMP OIDs

Subtree : .1.3.6.1.2.1.10.94.1.1

Download:
Noise Margin (/10):
.1.3.6.1.2.1.10.94.1.1.3.1.4.21 96 Gauge 192.0.2.254:161
Actual Power:
.1.3.6.1.2.1.10.94.1.1.3.1.7.21 124 Gauge 192.0.2.254:161
Attainable Rate:
.1.3.6.1.2.1.10.94.1.1.3.1.8.21 65969000 Gauge 192.0.2.254:161
Speed (kbps):
.1.3.6.1.2.1.10.94.1.1.4.1.2.21 51998000 Gauge 192.0.2.254:161

Upload:
Noise Margin (/10):
.1.3.6.1.2.1.10.94.1.1.2.1.4.21 126 Gauge 192.0.2.254:161
Actual Power:
.1.3.6.1.2.1.10.94.1.1.2.1.7.21 86 Gauge 192.0.2.254:161
Attainable Rate:
.1.3.6.1.2.1.10.94.1.1.2.1.8.21 23538000 Gauge 192.0.2.254:161
Speed (kbps):
.1.3.6.1.2.1.10.94.1.1.5.1.2.21 10448000 Gauge 192.0.2.254:161

ASR9K Upgrade

admin install add tftp://x.x.x.x/asr9k-mini-px.pie-5.3.2 synchronous
admin install activate disk0:asr9k-mini-px.pie-5.3.2 synchronous
admin install commit
admin install remove inactive

https://supportforums.cisco.com/document/123576/asr9000xr-understanding-turboboot-and-initial-system-bring

Also beware of:

http://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63979.html


 

Recently did an upgrade on two ASR9k1’s from 4.2.3 to 5.1.3.

Though I didn’t have the space issue, here is one thing you can try beforehand –

‘admin install remove inactive’

Before upgrading you may well want to install the following SMUs:

CSCud98419
CSCud37351
CSCud54093

You will need to install the fpd so it will upgrade the fpd upon boot or manually.

Had ‘fpd auto-upgrade’ in my admin config, so it did it automatically.

This is what we installed after we did the pre-reqs:

asr9k-fpd-px-5.1.3
asr9k-k9sec-px-5.1.3
asr9k-mgbl-px-5.1.3
asr9k-mini-px-5.1.3
asr9k-px-5.1.3.CSCut52232-1.0.0
asr9k-px-5.1.3.sp7-1.0.0
asr9k-px-5.1.3.CSCur72219-1.0.0
asr9k-px-5.1.3.CSCur83427-1.0.0

It’s also possible to re-partition the disk to get some extra space (300M). Executing the re-partitioning is not service impacting.

https://tools.cisco.com/bugsearch/bug/CSCub41271

https://supportforums.cisco.com/document/145991/managing-disk-space-rsp-4grsp-8g-aka-rsp2

IPv6 HSRP Config

Interface vlan777
 ipv6 enable

Otherwise, the config looks spot on

Our config looks like:

interface Vlan110
 standby version 2
 standby 110 ipv6 FE80::1
 standby 110 timers 1 3
 standby 110 priority 110
 standby 110 preempt delay minimum 180
 standby 110 authentication xxxx
 ipv6 address dead:beef:1::FFFE/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 pim dr-priority 4294967295
 ipv6 dhcp relay destination dead:beef:0::1
 ipv6 dhcp relay destination dead:beef:0::2

NAT DS-Lite

Ended up with the following for DSL customers using DS-Lite:

block size 512
max blocks per user 16
block timeout 120
address-sharing-ratio 8:1

Avg usage is 34 ports per block and 1,3 blocks per address, but the top 1% are at least x10.

Some years ago we had started with more relaxed numbers (to be on the safe side), but last year we squeezed them a little. No complaints until now.

 

Mon Feb 29 14:25:16.812 CST
Building configuration…
!! IOS XR Configuration 5.3.1
service cgn cgn1
 service-location preferred-active 0/3/CPU0
 service-type nat44 nat1
  portlimit 5000
  alg ActiveFTP
  inside-vrf six
  !
 !
!
end

 

RP/0/RSP0/CPU0:eng-lab-9k-1(config-cgn-invrf)#bulk-port-alloc ?
  size  Bulk size for allocation.
        Should be greater or equal to one fourth of the port limit
        and less than twice the port limit.
        For optimum results, should be close to half the port limit
RP/0/RSP0/CPU0:eng-lab-9k-1(config-cgn-invrf)#bulk-port-alloc size ?
  none  No bulk allocation
  8     Allocate 8 ports in bulk
  16    Allocate 16 ports in bulk
  32    Allocate 32 ports in bulk
  64    Allocate 64 ports in bulk
  128   Allocate 128 ports in bulk
  256   Allocate 256 ports in bulk
  512   Allocate 512 ports in bulk
  1024  Allocate 1024 ports in bulk
  2048  Allocate 2048 ports in bulk
  4096  Allocate 4096 ports in bulk

IOS XR vrf export route-policy

A vrf export route-policy doesn’t seem to directly deny prefixes from advertisement, but according to this one site you can deny prefixes indirectly. It seems that vrf export route-policy is mainly used to assign RTs more granularly and to add RTs to existing RTs (additive).

http://www.akbintel.com/mediawiki/index.php/VRF/Config#export_map

http://nagendrakumar-nagendra.blogspot.com/2011/09/mpls-vpn-vrf-export-map.html

Thought it was pretty clever to not put a route-target export x:x in the vrf: whichever prefixes are denied in the export route-policy drop out of the route-map logic and will not be advertised, since there isn’t a route-target export statement in the vrf. Cool.
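The arrangement described above, written out as an added IOS XR sketch (not taken from this post or the linked pages). The VRF name CUST-A, the prefix-set and policy names, the RT 65000:100 and the prefixes are constructed placeholders, and the behaviour noted in the comments is the one the paragraph describes.

```cisco
! Added example with constructed names and values.
!
! The VRF imports 65000:100 but deliberately has NO "export route-target"
! block, so the export route-policy is the only place an RT can be attached.
vrf CUST-A
 address-family ipv4 unicast
  import route-target
   65000:100
  !
  export route-policy CUST-A-EXPORT
 !
!
! Allow-list of prefixes that may leave the VRF (constructed documentation
! ranges). Anything not listed here is meant to stay local to this PE.
prefix-set CUST-A-EXPORTABLE
  192.0.2.0/24 le 28,
  198.51.100.0/24
end-set
!
! Matching prefixes get the RT. Non-matching prefixes fall through with no
! RT attached, which is what keeps them from being advertised per the note
! above. Adding a static "export route-target" to the VRF would defeat this,
! because the policy is then no longer the only source of an RT.
route-policy CUST-A-EXPORT
  if destination in CUST-A-EXPORTABLE then
    set extcommunity rt (65000:100) additive
  endif
end-policy
!
```

To check the result, `show bgp vrf CUST-A 192.0.2.0/24` on the exporting PE should list `RT:65000:100` under the extended communities, while a prefix outside the prefix-set should show none.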
