Cisco back dialer-watch
interface Cellular0
dialer watch-group 1
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
Cisco IOS reflective ACL
interface Cellular0
ip access-group public-inbound-packet-catcher in
ip access-group public-outbound-packet-listener out
!
ip access-list extended public-inbound-packet-catcher
remark -= icmp permit’s and deny’s =-
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
permit tcp any any eq 1723
permit gre any any
permit udp any eq isakmp any eq isakmp
permit esp any any
remark -= allow ssh and dns =-
permit tcp any any eq 22 log
permit tcp any any eq www log
permit udp any eq domain any
remark -= returning traffic =-
evaluate outside-access-in-reflexive-temporary-list
deny ip any any log-input
ip access-list extended public-outbound-packet-listener
permit tcp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
permit udp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
IPv6 6vpe Radius AVP
http://blog.ipspace.net/2011/09/ipv6-mplsvpn-6vpe-with-pppoe-and-radius.html
Basic IOS config (o.a. VTP en NTP)
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
clock timezone CET 1 0
clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 3:00
!
aaa new-model
aaa authentication login local local
!
vtp mode transparent
!
username outeradmin secret PASSWORD
!
enable secret PASSWORD
!
no ip domain-lookup
!
ip domain-name routit.net
!
spanning-tree mode rapid-pvst
!
no ip http server
no ip http secure-server
!
banner exec ^
Organisatie : winfred.nl
Lokatie : site
Beheer : iemand @ winfred . nl
Installatie : iemand @ winfred . nl
^
banner motd ^
Waarschuwing !!!
Toegang tot dit systeem en informatie verkregen door middel van
deze systemen is strikt vertrouwelijk en in eigendom van
MOI
Toegang tot deze systemen en informatie is alleen met uitdrukkelijke
toestemming van de eigenaar geoorloofd, elke andere vorm van toegang
is niet toegestaan en kan juridische gevolgen hebben.
^
!
! NMS station SNMP
access-list 1 permit 172.31.180.10
!
! NMS station SSH
access-list 23 permit 10.35.0.0 0.0.255.255
!
line con 0
line vty 0 15
session-timeout 5
access-class 23 in
login authentication local
transport input ssh
!
snmp-server community 754d7066ab385bb0d44b6361d78faef1 RO 1
snmp-server ifindex persist
snmp-server location site
snmp-server contact iemand @ winfred . nl
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
!
! ntp update-calendar
! ntp0.nl.uu.net
ntp server 193.67.79.202
! ntp.pool.tu.nl
ntp server 193.79.237.14 prefer
Achtergrond:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/334-cisco-router-ntp.html
ASA basic | fail-over
Controle context mode:
ASA-lab# sh mode Security context mode: multiple
Verwijderen call-home config
ASA-lab(config)# clear config call-home ASA-lab(config)# no service call-home
Aanmaken Admin context:
ASA-lab(config)# admin-context admin Creating context 'admin'... Done. (1)
Aanmaken interfaces:
interface GigabitEthernet0/0 channel-group 1 mode active speed 1000 ! interface GigabitEthernet0/1 channel-group 1 mode active speed 1000 ! interface GigabitEthernet0/2 description FailOver HA speed 1000 ! interface GigabitEthernet0/3 description FailOver FT speed 1000 ! interface Port-channel1 ! interface Port-channel1.300 description ASA-Lab HA vlan 300 ! interface Port-channel1.301 description ASA-Lab FT vlan 301 ! interface Port-channel1.302 description ASA-Lab Admin vlan 302
Instellen Admin context:
ASA-lab(config)# context admin ASA-lab(config-ctx)# description Admin-context ASA-lab(config-ctx)# config-url disk0:/admin-beheer.cfg WARNING: Could not fetch the URL disk0:/admin-beheer.cfg INFO: Creating context with default config INFO: Admin context will take some time to come up .... please wait. ASA-lab(config-ctx)# allocate-interface interface Port-channel1.302 Beheer
Instellen FO:
interface Redundant1 member-interface GigabitEthernet0/2 Primary UNIT: failover failover lan unit primary failover lan interface LAN Redundant1 failover key wachtwoord failover replication http failover link LAN Redundant1 failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2 failover group 1 replication http Secondary UNIT: failover failover lan unit secondary failover lan interface LAN Redundant1 failover key wachtwoord failover replication http failover link LAN Redundant1 failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2 failover group 1 replication http
Instellen admin context:
ASA-lab# changeto context admin interface Beheer nameif Beheer security-level 100 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2 ! http server enable http 192.0.2.0 255.255.255.0 Beheer ! user-identity default-domain LOCAL aaa authentication enable console LOCAL aaa authentication ssh console LOCAL aaa authentication secure-http-client
ASA security Netflow
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/monitor_nsel.html#68826
DH group X ; The Logjam Attack
Highlight:
“We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break”.
Dit zijn de encryptie sterkte van de DH groepen:
- DH Group 1: 768-bit group
- DH Group 2: 1024-bit group
- DH Group 5: 1536-bit group
- DH Group 14: 2048-bit group
- DH Group 15: 3072-bit group
- DH Group 19: 256-bit elliptic curve group
- DH Group 20: 384-bit elliptic curve group
ISG ; login based on IP/MAC
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-auto-sub-logon.html/index.html#GUID-6C9CCCB3-8EB2-4CEE-A8AA-578A883EA6DE
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/asr1000/isg-xe-3s-asr1000-book/isg-netwk-acess-pol.html
https://cisco-images.test.edgekey.net/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-xe-3s-book.pdf
http://www.postseek.com/meta/c89669f50ef996712b544922d4d6ff80
Internet in VRF
>
> Nice that’s clever.
> And since you are using CSR1000v you don’t need to worry about the
> cost of HW for RRs.
Yes, the CSR1000v’s are workhorses.
> I see, so RRs do the routing decision on behalf of the PE routers in a
> particular PoP.
Correct, but in some cases, the routing decision is done in a completely different country/continent/cluster, before that final decision is pushed down to the RR which has the target edge router. Either way, the result is always the same, since the destination traffic was headed toward that different country/continent anyway.
> Since RR cluster is local to the PoP the AS-exit proximity is
> accurate, in other words what is good for the RR has to be good for
> the PEs within the PoP.
Yes, and this is a very important point that you note. Having iBGP sessions to RR’s not in the same physical PoP can lead to sub-optimal routing for devices in that PoP, as by default, RR’s base best-path selection for IGP metrics on the local IGP metric, while the iBGP neighbor would be remote.
BGP-ORR, covered in “draft-ietf-idr-bgp-optimal-route-reflection-09”, is trying to fix this. But I don’t know of anyone shipping code yet.
> But still you’d have to use add-path to advertise backup paths from
> RRs to PEs in a local PoP whereas with MP-BGP you’d just use unique RDs.
You might find it strange but I do neither :-).
Each cluster has 2x RR’s. Each iBGP client has 2x sessions to each RR for all address families.
Based on our hardware, we’ve modeled convergence performance for BGP routing and found it to be reasonably quick across the network.
Considering the additonal overhead Add-Paths and such would bring, it has been a calculated decision to keep things simple, and rely on Next-Hop Address Tracking tech. in Cisco and Juniper to speed up convergence. BFD for IS-IS has also been very helpful, as we’ve found BGP to be a lot more stable in a steady-state.
We are still watching this, and will decide if physically installing additional paths is a good idea. For now, it’s not hurting overall network performance.
>
>
> I see it as more of a good practice not to hold default route or full
> inet table on a peering box but as I said before peer pointing a
> default at you is rather a corner case I guess.
Hehe, depends. Some folk point default toward you at peering points because they don’t know better. Others do because they are chancers.
Either way, avoid the risk.
We have dedicated peering routers in each PoP. We carry neither a full table nor a default route on those. In fact, we null-route default routes on every peering box.
>
>
> Yeah been doing EoMPLS PW to provide full internet feed to customers
> behind MEs didn’t have the confidence to use the table-map/SRD 🙂
You should try BGP-SD, works great over here :-).
Tunnels or eBGP-Multihop is too much for me for passing full feeds to customers :-).
ASR903 AToM
When configuring REP with trunk in place on ASR903 , I cannot use xconnect (Cisco TAC) So my only option is vfi
You need to configure l2vpn vfi instead of l2vpn xconnectTake a look at http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/xe-3s/asr903/mp-l2-vpns-xe-3s-asr903-book/mp-vpls.html
I’d use the following config for the service instances and the L2VPNI guess you can’t use the service instance in the L2VPN, because of the bridge-domain command inside the service instance.
service instance 1 ethernet encapsulation dot1q 100,200,300 rewrite ingress tag pop 1 symmetric l2vpn xconnect context L2VPNmember GigabitEthernet0/0/0 service instance 1member GigabitEthernet0/1/0 service instance 1member pseudowire 20 Maybe the trunk keyword in the service instance plays some role..
This is how it would look like using the “old-style”
ASR903
interface GigabitEthernet0/0/0
service instance trunk 1 ethernet
encapsulation dot1q 100,200,300
rewrite ingress tag pop 1 symmetric
xconnect 2.2.2.2 20 encapsulation mpls
! interface GigabitEthernet0/1/0
! service instance trunk 1 ethernet
! encapsulation dot1q 100,200,300
! rewrite ingress tag pop 1 symmetric
! xconnect 2.2.2.2 40 encapsulation mpls
! — config related to backup PW–
Also on ME I’d recommend using xconnect under the service instance rather than attaching the service instance to a BD and configuring xconnect under the VLAN interface. Because if you attach a service instance to a BD by default MAC learning is in place and you don’t want that for a simple p2p PW (MAC learning can be disabled using cmd: ” no mac learning” under the BD config).
ME3600
interface GigabitEthernet0/x
service instance trunk 1 ethernet
encapsulation dot1q 100,200,300
rewrite ingress tag pop 1 symmetric
xconnect 1.1.1.1 20 encapsulation mpls
! backup peer 1.1.1.1 40 encapsulation mpls
! — config related to backup PW–
> ASR903
> interface GigabitEthernet0/0/0
> description Connected-To-AS1-G0/2
> no ip address
> negotiation auto
> rep segment 20 edge primary
> rep preempt delay 30
> rep block port 3 vlan 1-4094
> service instance trunk 1 ethernet
> encapsulation dot1q 100,200,300
> rewrite ingress tag pop 1 symmetric
> bridge-domain from-encapsulation
>
>
> interface GigabitEthernet0/1/0
> description Connected-To-AS2-G0/2
> no ip address
> negotiation auto
> rep segment 20 edge preferred
> rep preempt delay 30
> service instance trunk 1 ethernet
> encapsulation dot1q 100,200,300
> rewrite ingress tag pop 1 symmetric
> bridge-domain from-encapsulation
>
> interface pseudowire 20
> encapsulation mpls
> neighbor 2.2.2.2 20
>
> l2vpn xconnect context L2VPN
> member GigabitEthernet0/0/0 –> When I tried to put service-instance ,
> it did
> not accept the command
> member pseudowire 20
>
> ME3600
> interface vlan 100
> no ip address
> xconnect 1.1.1.1 20 encapsulation mpls
>
> Now , the xconnect came up as shown in the output below
>
> ME3600X#show mpls l2transport vc 20
>
> Local intf Local circuit Dest address VC ID Status
> ————- ————————– ————— ———-
> ———-
> Vl100 Eth VLAN 100 1.1.1.1 20 UP
>
> ASR903#sh xconnect all
> Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
> UP=Up DN=Down AD=Admin Down IA=Inactive
> SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
>
> XC ST Segment 1 S1 Segment 2 S2
> ——+———————————+–+———————————+–
> UP pri mpls 2.2.2.2:20 UP ac Gi0/0/0:6(Ethernet) UP
>
> No ping between the two sites , I tried to modify the MTU vlaue on the
> interfaces going to the CE side , and the xconnect is down directly
> I have tested L3VPN using the exact same setup (without modifying the
> MTU
> values on any interface) and it worked fine
>
> Any ideas?