Cisco Blackhole uRPF

> Today.. I only have one ISP and uRPF works fine with this syntax

> -> ” ip verify unicast source reachable-via any 2699″

> I’m moving to a router with multiple  ISP and IX connections and some of our traffic is now asymmetric.

The above uRPF config didn’t work and was removed.

 

Does the router have a default-route? If so, “ip verify unicast source reachable-via any allow-default” should accomplish what you want.

 

If the router is default-free, is it not able to receive reachability information from the rest of your network for the prefixes that are getting incorrectly dropped? (assuming that was the symptoms of “didn’t work”)

 

Finally, what are the contents of access-list 2699? I assume it’s a whitelist of IPs to not drop traffic from, even if there aren’t discrete routes in the routing table for?

> Finally, what are the contents of access-list 2699? I assume it’s a

> whitelist of IPs to not drop traffic from, even if there aren’t

> discrete routes in the routing table for?

 

I’d forgotten about that option – always a bad idea, as it causes performance issues.

Allow-default is useful in circumstances where a default is present – it essentially renders the uRPF ‘S/RTBH-only’

 

This should work, but there’s little detail provided.

 

Did you configure it on both of the uplinks?

How did you monitor the drops and concluded that it ‘didn’t work’?

How you get the default route, is it pointing on one of the uplinks? ‘allow-default’ may be important here.

 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Usually it is done on the same session, and the customer adds a special community for blackhole routes.

 

The method I saw was:

 

1) add a null route for a private or test address (e.g. 192.0.2.1/32) on each router.

2) enable ‘ip verify unicast source reachable-via any’ on edge interfaces so that traffic in both directions is dropped for a null-routed prefix.

3) add a route-map that looks for your special community and changes the next hop for those prefixes to 192.0.2.1 (also to make sure that the prefix belongs to that customer, and that the mask length is not too small (e.g. >28))

 

Here’s an example for a different purpose, but basically the same idea:

 

http://www.team-cymru.org/bogon-reference-bgp.html

 

This method also allows you to republish the same blackhole prefix to your upstream providers if they support it, too (e.g. Level3 use community 3356:9999 for blackhole) to stop the traffic before it fills your upstream link.

-=-==-=-=-=–=

You want to just provide a community for your customer to tag which will take the route and change the next hop to null 0.  The idea here if URPF loose mode is enabled you can take any route that your customer tags with the appropriate community, set it’s next hop to null0 and as a result drop the traffic at your edges where you implement this action.

 

There’s a good all be it JunOS example of configuration in the RFC itself and a ton available via google for Cisco.

 

The basic idea is very simple though and just requires changing next hop when a tag is presented.

 

 

 

> Hi

>

> I have a network with ~10 router cisco with the full table BGP.

> I want add for my customer a blackhole possibility.

>

> Anyone have a tuto for this ?

>

> i think’s add a second bgp session with my customer and when he sent a

> prefix in this session, that put a route null on all of my router,

> it’s possible ?

>

 

Cisco, Netwerk (C-NSP)

IANA AS Numbers registry update

The IANA AS Numbers registry has been updated to reflect the allocation of the following block to ARIN in April 2015:

 

64198-64296 Assigned by ARIN 2015-04-29

394240-395164 Assigned by ARIN 2015-04-29

 

You can find the IANA AS Numbers registry at:

 

http://www.iana.org/assignments/as-numbers/as-numbers.xml

 

The allocation was made in accordance with the Policy for Allocation of ASN Blocks to Regional Internet Registries:

 

https://www.icann.org/resources/pages/global-policy-asn-blocks-2010-09-21-en

 

Cloud, Security

IOS(XR) MTU

There were a number of TCP enhancements that went in around the 5.1

timeframe which impact the way window scaling works as well.

Also, do you have path-mtu enabled on all the devices?

on XR you want something like this:

tcp selective-ack

tcp window-size 65535

tcp path-mtu-discovery

IOS:

ip tcp path-mtu-discovery

ip tcp window-size 65535

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xr-software/116350-trouble-ios-xr-mtu-00.html

> interface GigabitEthernet0/0/1 no ip address

>

> service instance 100 ethernet

> xconnect x.x.x.x {VC_ID} encapsulation mpls mtu {}

>

> But If I configured the below

> l2vpn xconnect context {NAME}

>

> There is no option for the MTU under it

 

 

You have to configure it on the pseudowire interface:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/xe-3s/mp-l2-vpns-xe-3s-book/mp-any-transport-xe.html#concept_B3B085AFF0384B5C867E3EF9A4C58564

 

Cisco

Monitoring overzicht

System en netwerk utilities

https://www.openinfosecfoundation.org/download/suricata-2.0.9.tar.gz

 

https://mathias-kettner.de/checkmk_omd.html

http://liveaction.com/

http://www.librenms.org/

http://www.nedi.ch/

Opmantek

Observium

OMD version of Nagios

PRTG ?

Nagios / Icinga / Opsview / other clones / forks – allow the most

customization but maintenance and changing eats quite a bit of one’s

time (at least until the setup is in place)

Observium – nice, user friendly, when you want to have custom checks or

develop more than what the package already provides, then you need to

think a bit if it’s really worth it

Cacti – not really monitoring, albeit you can install a Threshold and

Alerting plugin, plus you do have a nice weathermap

Monitoring, Security

IOS MPLS troubleshooting

Does the MPLS ping works between the two routers? -that would verify that the transport (i.e. LDP) labels for PE loopbacks are in place.

ping mpls ipv4 x.x.x.x/32 source y.y.y.y

 

Try cmd ” sh mpls forwarding-table” on both PEs and try to search for each other’s loopback IP /32 address.

On each PE -for the other PEs loopback in Outgoing Label column there should either be a “label value” or a “Pop Label” if the PEs are directly connected.

If it displays No Label then labels are not advertised/received for some reason.

-most of the times the problem is that LDP neighbours don’t see each other via Hello messages multicasted over the directly connected interface but only via the targeted LDP session.

– this can be caused when the interface is not enabled for MPLS i.e. cmd “mpls ip” is not enabled under the interface.

– or LDP passwords do not match.

(this will also be accompanied by OSPF advertising maximum metric for the link to avoid forwarding of MPLS packets over the link when the MPLS is actually not functional on the interface).

 

-or there’s a problem with access-list controlling the label advertisement on the neighbouring router.

 

-if the above is not the case it might be a HW programing issue.

The outgoing label for the other PE’s loopback IP address should be visible when you issue cmd “sh ip cef x.x.x.x/32 detail” *not sure about the exact syntax.

Cisco, Netwerk (C-NSP)

Updaten ArborOs

Copier de upgrade bestanden naar een USB disk en plaats deze in een USB aansluiting van de Arbor TRA.

Voor de installatie een volledige back-up maken:

/ services sp backup

/services/sp/backup# show

 Backup status

 Backup state: idle
 Full backup image timestamp: Mon Mar 09 07:41:26 +0000 2015
 Incremental backup image timestamp: Tue Mar 10 07:31:42 +0000 2015
 Backup image version: 7.0.1

/services/sp/backup# create full

admin@TRA:/services/sp/backup# show
 Backup status
 Backup state: running full backup

/services/sp/backup# show
 Backup status
 Backup state: running full backup

Totdat deze is voltooid en de state weer 'idle' word.

Om de inhoud van de USB disk op te vragen:

/ system files

admin@TRA:/system/files# dir usb:
 Peakflow-SP-7.0.2-FCCG-B 325651 May29 2015 Signed package
 arbos-6.1-FCCG-B 98610 May29 2015 Signed package

Controle bestaande OS en applicatie:

/system/files# show
 Installed packages:
 ArbOS_6.1 ArbOS 6.1 system files (build ELSJ-B) (arch x86_64)
 Peakflow-SP-7.0.1 Arbor Networks Peakflow SP (build ELSJ-B) (arch x86_64)

Stoppen van SP:

/ services sp

/services/sp# stop
Stopping Peakflow SP services......................................done.

Updaten van OS:

/ system files

/system/files# install usb:arbos-6.1-FCCG-B
Extracting package...done.
Changes to ArbOS will take effect after the next reload.

/system/files# reload
 You are about to reboot the system. Do you wish to proceed? [n] y
094: Rebooting the system..

/ system files
/system/files# show
 Installed packages:
 ArbOS_6.1 ArbOS 6.1 system files (build FCCG-B) (arch x86_64)
 Peakflow-SP-7.0.1 Arbor Networks Peakflow SP (build ELSJ-B) (arch x86_64)

Updaten van applicatie:

/ services sp stop

Stopping Peakflow SP services......................................done.

/ system files
/system/files# install usb:Peakflow-SP-7.0.2-FCCG-B
376: Peakflow-SP-7.0.2-FCCG-B conflicts with Peakflow-SP-7.0.1

 

Bij een conflict fout zoals (Peakflow-SP-7.0.2-FCCG-B conflicts with Peakflow-SP-7.0.1), eerst oude install verwijderen:

/system/files# uninstall Peakflow-SP-7.0.1 
Uninstalling package Peakflow-SP-7.0.1..done. 

/ system files install usb:Peakflow-SP-7.0.2-FCCG-B
Extracting package...done.
Collecting inventory information.done
Writing SNMP system description...done.
Upgrading to 7.0.2...
Adding direction to Host Detection table...done
Checking database schema........................................................................................................................................................................................................................................................................................done
Copying Misuse Default to Shared Host Detection Settings...done
Converting Managed Object Host Detection Settings to Shared Host Detection Settings...done
Upgrading malware fingerprint name...done
Saving ArbOS configuration...
Saving SP configuration...
Updating saved command cache (this may take a while)...done
Upgrade successful. Welcome to 7.0.2. 

De applicatie weer starten:

/ services sp start
Starting Peakflow SP services......done.
Arbor Networks, Security

Google no longer returning AAAA records?

For the avoidance of mystery: Google performs measurements of IPv6 connectivity and latency on an ongoing basis. The Google DNS servers do not return AAAA records to DNS resolvers if our measurements indicate that for users of those resolvers, HTTP/HTTPS access to dual-stack Google services is substantially worse than to equivalent IPv4-only services. “Worse” covers both reliability (e.g., failure to load a URL) and latency (e.g., IPv6 is 100ms worse than IPv4 because it goes over an ocean). The resolvers must also have a minimum query volume, which is fairly low.

Tips:

I suggest checking if any of your affected users have broken 6to4 setups,
and that you are applying the relevant mitigations in RFC 6343.

MTU size issues and high latency have also both been mentioned as
possible reasons for the mysterious AAAA blacklist.

 

 

IPv6, Netwerk (C-NSP)
1 11 12 13 14 15 20