Saturday, January 28, 2012

ADSL QoS: dialer or physical interface?

Physical interface

A tunnel interface or a VLAN interface is a true logical interface; it behaves like any other interface (with a few exceptions; for example, a tunnel interface does not have an output queue) and you can use most QoS actions, including shaping, on it. A dialer interface is even more "conceptual": it can never be operational on its own. As soon as the link is established it is bound to a physical interface (for example, BRI0:1) or to a virtual-access interface (which is in turn bound to a physical interface), and the shaping is performed on that final physical interface.


Reference1
Reference2

QoS ToS DSCP recap

RFC 791 
 
      Bits 0-2:  Precedence.
      Bit    3:  0 = Normal Delay,       1 = Low Delay.
      Bit    4:  0 = Normal Throughput,  1 = High Throughput.
      Bit    5:  0 = Normal Reliability, 1 = High Reliability.
      Bits 6-7:  Reserved for Future Use.

         0     1     2     3     4     5     6     7
      +-----+-----+-----+-----+-----+-----+-----+-----+
      |                 |     |     |     |     |     |
      |   PRECEDENCE    |  D  |  T  |  R  |  0  |  0  |
      |                 |     |     |     |     |     |
      +-----+-----+-----+-----+-----+-----+-----+-----+

        Precedence

          111 - Network Control
          110 - Internetwork Control
          101 - CRITIC/ECP
          100 - Flash Override
          011 - Flash
          010 - Immediate
          001 - Priority
          000 - Routine
 
RFC 1349

RFC 1349 redefines bits 3-6 as a four-bit TOS field (the RFC 791 D, T and R bits plus a new "minimize monetary cost" bit) and leaves bit 7 as MBZ (must be zero):

         0     1     2     3     4     5     6     7
      +-----+-----+-----+-----+-----+-----+-----+-----+
      |                 |                       |     |
      |   PRECEDENCE    |          TOS          | MBZ |
      |                 |                       |     |
      +-----+-----+-----+-----+-----+-----+-----+-----+
 
TOS
1000   --   minimize delay
0100   --   maximize throughput
0010   --   maximize reliability
0001   --   minimize monetary cost
0000   --   normal service 
 
RFC 2474
A replacement header field, called the DS field, is defined, which is
   intended to supersede the existing definitions of the IPv4 TOS octet
   [RFC791] and the IPv6 Traffic Class octet [IPv6].
 
The DS field structure is presented below:


        0   1   2   3   4   5   6   7
      +---+---+---+---+---+---+---+---+
      |         DSCP          |  CU   |
      +---+---+---+---+---+---+---+---+

        DSCP: differentiated services codepoint
        CU:   currently unused 
 
We wish to maintain some form of backward compatibility with present
   uses of the IP Precedence Field: bits 0-2 of the IPv4 TOS octet. 
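The three layouts above describe the same octet, which is why a router that marks DSCP still interoperates with one that only reads precedence. The following decoder is an added example (not from the RFCs or the original post): it reads one octet under all three RFCs and checks the RFC 2474 compatibility promise that the top three DSCP bits always equal the RFC 791 precedence. The PHB names (CSx, AFxy, EF) are the standard DiffServ codepoint names, not something the post defines.

```python
"""Decode the IPv4 TOS / DS octet under RFC 791, RFC 1349 and RFC 2474.

Added example for this recap; only the bit layouts quoted above are used.
"""

PRECEDENCE_NAMES = {
    7: "Network Control", 6: "Internetwork Control", 5: "CRITIC/ECP",
    4: "Flash Override", 3: "Flash", 2: "Immediate", 1: "Priority", 0: "Routine",
}


def phb_name(dscp):
    """Map a 6-bit DSCP to its standard per-hop-behaviour name, if it has one."""
    if dscp == 46:
        return "EF"
    if dscp & 0b111 == 0:                # xxx000: class selector, same bits as old precedence
        return "CS%d" % (dscp >> 3)
    cls, drop = dscp >> 3, (dscp & 0b111) >> 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return "AF%d%d" % (cls, drop)   # assured forwarding: class, drop precedence
    return "unassigned"


def decode_tos(octet):
    """Return the same octet read three ways: RFC 791, RFC 1349 and RFC 2474."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("TOS octet must fit in one byte")
    precedence = octet >> 5                      # bits 0-2 in network bit order
    rfc791 = {
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "D": (octet >> 4) & 1,                   # bit 3: low delay
        "T": (octet >> 3) & 1,                   # bit 4: high throughput
        "R": (octet >> 2) & 1,                   # bit 5: high reliability
    }
    rfc1349 = {
        "precedence": precedence,
        "tos": (octet >> 1) & 0xF,               # bits 3-6: D T R C as one 4-bit field
        "mbz": octet & 1,                        # bit 7: must be zero
    }
    dscp = octet >> 2                            # bits 0-5
    rfc2474 = {"dscp": dscp, "phb": phb_name(dscp), "cu": octet & 0b11}
    return {"rfc791": rfc791, "rfc1349": rfc1349, "rfc2474": rfc2474}


def precedence_is_preserved():
    """RFC 2474's compatibility promise, checked for every possible octet:
    the top three DSCP bits equal the RFC 791 precedence."""
    return all(
        decode_tos(o)["rfc2474"]["dscp"] >> 3 == decode_tos(o)["rfc791"]["precedence"]
        for o in range(256)
    )


if __name__ == "__main__":
    for octet in (0xB8, 0x68, 0x10):             # EF, AF31, RFC 1349 "minimize delay"
        print(hex(octet), decode_tos(octet))
    print("precedence preserved for all 256 values:", precedence_is_preserved())
```

0xB8 is the classic voice marking: precedence 5 (CRITIC/ECP) to an old router, DSCP 46 (EF) to a DiffServ one, and D=1, T=1 under RFC 791.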
 
 

ADSL reference diagram

A very good ADSL reference diagram

Data transfer rate

name                remark                          unit     layer         alias
Gross bit rate      physical layer gross bit rate   bit/s    physical      line rate
Information rate    physical layer net bit rate     bit/s    data link
Network throughput                                  bit/s    network
Goodput             data transfer rate              byte/s   application

Ref: 

http://en.wikipedia.org/wiki/Data_transfer_rate

http://blog.ioshints.info/2009/03/line-rate-and-bit-rate.html 

Configuring ATM Subinterfaces

Problem

You want to configure an ATM link with PVCs that connect to several other routers.

Solution

Our preferred way of handling ATM PVCs is to use ATM subinterfaces.

Ref: http://fengnet.com

Friday, January 27, 2012

"Extendable" static translations:

Q: When to use ip nat ... extendable

A:
The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

ip nat inside source static <localaddr> <globaladdr> extendable

Some customers want to use more than one service provider and translate into each provider's address space. You can use route maps to select the global address pool based on the output interface as well as an access-list match. Following is an example:

ip nat pool provider1-space ...
ip nat pool provider2-space ...
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
route-map provider1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map provider2-map permit 10
 match ip address 1
 match interface Serial0/1

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.
Reference: from Cisco.com

Thursday, January 26, 2012

TCL/expect log the result

# build a dated log file name, e.g. STX51366.log.20120126.txt
set date [exec date +%Y%m%d]
set log "STX51366.log.$date.txt"
# start recording everything expect sends and receives
log_file $log

# ... the session being automated goes here ...

# stop logging the result
log_file

TCL/expect debug

exp_internal 1

The command above turns on expect's internal diagnostics (which patterns it is trying and what it matched), which is the quickest way to see why an expect script hangs or matches the wrong thing.

Wednesday, January 25, 2012

Cisco TCL script


1. create the script on a Cisco router
2. run the script from that router
3. collect the result from that router

877w#tclsh
877w(tcl)#
! the outer puts writes the braced body verbatim into flash:pinggoogle.tcl
puts [open flash:pinggoogle.tcl w+] {
set pingresult [open flash:pingresult w+]
# send 1000 pings to 8.8.8.8 and capture the CLI output
set output [exec ping 8.8.8.8 repeat 1000]
puts $pingresult [string trim $output]
close $pingresult
}

877w(tcl)#tclquit

877w#tclsh pinggoogle.tcl

Sunday, January 22, 2012

Configuring PPTP (VPDN) Server On A Cisco Router

1. Enable VPDN and define the PPTP parameters
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
2. set up the IP scheme for the dial-in users
interface Virtual-Template1
 ip unnumbered Dot11Radio0.2
 peer default ip address pool PPTP-Pool
 no keepalive
 ip nat inside          ! add this if dial-in users should reach the Internet through the router
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
!
3. specify the IP range
ip local pool PPTP-Pool 192.168.2.90 192.168.2.100

4. create the username/password
username firewall password gfk$20!2

Two caveats a practitioner should weigh before running this: MS-CHAP needs the reversible password, so this account cannot use username ... secret, and that password is the only input to the MPPE key derivation, so it must be strong. Listing ms-chap next to ms-chap-v2 lets a client negotiate the weaker MS-CHAP v1; if all clients support v2, drop ms-chap from the ppp authentication line.


Ref:http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/329-cisco-router-pptp-server.html

Cisco 877 SNR Adjustment

Go into global configuration mode and type the following:
service internal
interface atm 0
dsl noise-margin <value between -3 and 3>
The service internal command exposes the dsl noise-margin command (and other hidden, non-standard commands). dsl noise-margin forces the modem to train at a higher noise margin, sacrificing speed for stability. Setting it to 3, for example, should give you a higher noise margin and a lower speed (and, depending on firmware, a higher reported attenuation).
Start at 3 and work your way down to 0 in 0.5 steps until you get a stable connection. A value of 0 is the same as not having the command at all (i.e. the normal settings).
If you add a dsl noise-margin command, after a reload you will see "WARNING: Unsupported Command. May cause violation to ADSL standards." on bootup; ignore it, it is just the noise-margin command being applied.
Use dsl noise-margin to fine-tune your connection for extra stability if required.

The default noise-margin is 0; I find -3 gives me the best download speed (3776 kbps) compared to the default settings (3220 kbps).

The Alcatel DSL firmware also affects the sync speed: FW 4.0.15 in IOS 15 only syncs to 3000 kbps, whereas FW 3.0.14 in IOS 12.4 syncs to 3200 kbps.

Ref: http://www.alcatron.net/?cat=7&paged=2

Saturday, January 21, 2012

DDNS configuration on Cisco

1. create a DDNS A record with a DDNS provider, e.g. no-ip.org or dnsdynamic.org
2. configure it on the Cisco router:
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method no-ip
 HTTP
  add http://username:password@dynupdate.no-ip.com/nic/update?hostname=ywt.no-ip.org
 interval maximum 0 0 1 0
!
interface Dialer0
 ip ddns update hostname ywt.no-ip.org
 ip ddns update no-ip

The interval is days hours minutes seconds, so 0 0 1 0 forces an update at least once a minute. An update is also sent whenever the Dialer0 address changes, so a much longer maximum (e.g. 0 1 0 0 for one hour) is normally enough and spares the provider a flood of identical updates. Note that the username and password sit inside the URL: over plain http they cross the Internet in cleartext, so use an https URL if your IOS release and the provider support it.

Use debug ip ddns update to check the result.

Ref: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/811-cisco-router-ddns.html
http://www.no-ip.com/support/guides/routers/using_cisco_routers_with_no-ip.html

Cisco 877W recover IOS using tftpdnld from ROMMON

256 MB memory, 36 MB (20+16) flash

1. get the IOS image and set up a TFTP server
2. connect the TFTP server DIRECTLY to an FE port of the 877W with a Cat5 cable
3. get into ROMMON by sending a Break (Ctrl+Break) during boot
4. delete the old IOS from flash
rommon 1 >delete flash:c870-adventerprisek9-mz.150-1.XA4.bin
Are you sure you want to delete "flash:c870-adventerprisek9-mz.150-1.XA4.bin" (y
/n)?y
Delete operation will take approximately 37 to 940 seconds

5. start a continuous ping from the TFTP server to the 877W (e.g. ping -t 192.168.1.1); the server's ARP requests let ROMMON, which has no proper ARP of its own, learn the server's MAC address
6. set the variables so the 877W can reach the TFTP server, then start the download
rommon 1 >IP_ADDRESS=192.168.1.1
rommon 1 >TFTP_SERVER=192.168.1.2
rommon 1 >TFTP_FILE=c870-advipservicesk9-mz.124-15.XY3.bin
rommon 1 >IP_SUBNET_MASK=255.255.255.0
rommon 1 >DEFAULT_GATEWAY=192.168.1.2
rommon 1 >tftpdnld
***********check the result: you want a row of exclamation marks (!!!!!!); anything else means failure************

7. configure the router to boot the new IOS
rommon 1 >BOOT=flash:c870-advipservicesk9-mz.124-15.XY3.bin
8. reset

Tips: be patient; it took me several attempts to get it right.
Make sure there are NO other sources of interference such as a TV, USB hard disk, PCs, mobile phones, etc.

I once got the error below, and the ping (step 5) fixed it:

Receiving c870-advipservicesk9-mz.151-3.T.bin from 192.168.2.28 !!!!!!!!!!!!!!!!
!!!!!!!!!!!!
ARP: address resolution for 192.168.2.1 timed out.
ARP failed with failure code 3.  TFTP transfer aborted.
TFTP: Operation terminated prematurely.

Ref:http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a008015bf9e.shtml
http://bayupw.blogspot.com/2008/08/recover-ios-using-tftpdnld-from-rommon.html

Wednesday, January 18, 2012

tacacs-server timeout


tacacs-server timeout 

To set the interval that the server waits for a server host to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default (5 seconds).
tacacs-server timeout seconds
no tacacs-server timeout 


tacacs-server host

To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host host-name [port integer] [timeout integer] [key string] [single-connection] [nat]
no tacacs-server host host-name 

Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

IKE phase explained

IKE phase 1 is built as a management tunnel between the 2 peers.  This IKE phase 1 tunnel lifetime is controlled by the parameter in the "crypto isakmp policy x" and the lower value of the two peers is used for this life time.   When this tunnel is built, it is used by the peers for negotiating the next tunnel (the IKE phase 2 tunnel, which is coming next).    If the lifetime for the IKE phase 1 tunnel is 90 seconds, and within that 90 seconds the two peers build the IKE phase 2 tunnel (which has its own lifetime too, controlled by the "set security-association lifetime" command in the crypto map), then the IKE phase 1 tunnel may not be needed any more, if the IKE phase 2 tunnel lifetime is an hour, and that 2nd tunnel is still fine.   In this case, the original IKE phase 1 tunnel would time out after 90 seconds, and the IKE phase 2 SA (tunnel) would go on strong for the duration of its lifetime.

If, after an hour, the IKE phase 2 tunnel expires, and there is more traffic that needs to be encrypted, a new IKE phase 1 tunnel will be built, and used to negotiate a new IPSec SA (phase 2 tunnel), and the process would repeat.

In this case, the IKE phase 1 show commands, such as show crypto isakmp sa detail, will show no IKE phase 1 tunnel, while the IKE phase 2 show commands, such as show crypto ipsec sa, will still show the tunnel details for the IPsec SAs.

Ref: https://learningnetwork.cisco.com/thread/21724

An Introduction to IP Security (IPSec) Encryption [Site to Site]

Key Components of creating an IPSec tunnel in chronological order:
· Crypto Policy
· Transform-set
· Access-list
· Defining your crypto map

A crypto policy must be established identically on both the corporate router and
the third party corporation’s router including the pre-shared key.

Transform sets are a combination of security protocols and algorithms that
protect the data flow across the internet.

The crypto access list will specify which data traffic will pass through the IPSec
tunnel.

A crypto map pulls all the pieces together required to create an IPSEC
connection.

Once the crypto map has been established on both peering routers it is time to
apply the configuration to an interface.

http://www.sans.org/reading_room/whitepapers/vpns/understanding-configuring-ipsec-cisco-routers_1356

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

IPsec Troubleshooting: Understanding and Using debug Commands


show crypto isakmp sa

This command shows the Internet Security Association Management Protocol (ISAKMP) security associations (SAs) built between peers.
dst       src        state     conn-id     slot
12.1.1.2  12.1.1.1   QM_IDLE    1           0

show crypto ipsec sa

This command shows IPsec SAs built between peers. The encrypted tunnel is built between 12.1.1.1 and 12.1.1.2 for traffic that goes between networks 20.1.1.0 and 10.1.1.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.

Ref: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Friday, January 13, 2012

Reflexive Access Lists

What Are Reflexive Access Lists

They go on the filtering router connecting your network to the outside world. (I'm avoiding "firewall router", since we usually think of a firewall as a dedicated security box now). Reflexive access lists allow you to dynamically open up your filtering router to allow reply packets back through, in response to an outbound TCP connection or UDP session initiated from within your network. This mechanism reduces exposure to spoofing and denial-of-service, since desirable inbound flows are mostly in response to outbound traffic.

! create the named extended access list that "sees" the outbound packets
ip access-list extended outbound-packet-watch
  permit tcp any any reflect reflexive-temporary-list
  permit udp any any reflect reflexive-temporary-list
! create the named extended access list that evaluates the inbound packets
ip access-list extended inbound-packet-catcher
  ! allow BGP (TCP port 179; either peer may be the initiator) but deny ICMP from outside
  ! ("bgp" is not an IP protocol keyword, so it has to be expressed as a TCP port)
  permit tcp any eq bgp any
  permit tcp any any eq bgp
  deny icmp any any
  evaluate reflexive-temporary-list
interface serial 1/0
  ! apply the named access lists: watch packets leaving the secure network
  ! as they go out serial 1/0, and check the packets coming back in
  ip access-group outbound-packet-watch out
  ip access-group inbound-packet-catcher in
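To make the behaviour of the two lists concrete, here is an added simulation of what the router does with them (example code, not part of the original article or of IOS). Each outbound TCP/UDP packet creates a temporary entry that is the exact mirror of its 5-tuple; an inbound packet is matched against the static entries first (BGP permitted, ICMP denied) and then "evaluated" against the temporary entries, which idle out after a timeout. The addresses, ports and the 300-second timeout (the IOS default for ip reflexive-list timeout) are assumptions. Note what the model also makes visible: a reflexive entry is only a reversed tuple, not TCP state, so it cannot help protocols that open a second connection on a different port (active FTP is the classic case).

```python
"""Reflexive access list as a stateful filter: an added example for the
outbound-packet-watch / inbound-packet-catcher configuration above."""
from collections import namedtuple

# sport/dport are 0 for protocols without ports (ICMP)
Packet = namedtuple("Packet", "proto src sport dst dport")

BGP_PORT = 179
DEFAULT_TIMEOUT = 300          # seconds; IOS `ip reflexive-list timeout` default


class ReflexiveFilter:
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.entries = {}      # reversed 5-tuple -> expiry time (seconds)

    def _expire(self, now):
        """Drop temporary entries that have been idle past the timeout."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def outbound(self, pkt, now):
        """outbound-packet-watch: permit tcp/udp any any reflect <list>."""
        self._expire(now)
        if pkt.proto in ("tcp", "udp"):
            # the temporary entry is the mirror image of the outbound flow
            reverse = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.entries[reverse] = now + self.timeout
            return "permit"
        return "deny"           # implicit deny at the end of every IOS ACL

    def inbound(self, pkt, now):
        """inbound-packet-catcher: static entries first, then evaluate."""
        self._expire(now)
        if pkt.proto == "tcp" and BGP_PORT in (pkt.sport, pkt.dport):
            return "permit"     # permit tcp any eq bgp any / permit tcp any any eq bgp
        if pkt.proto == "icmp":
            return "deny"       # deny icmp any any
        if pkt in self.entries:                          # evaluate reflexive-temporary-list
            self.entries[pkt] = now + self.timeout       # matching traffic refreshes the entry
            return "permit"
        return "deny"           # implicit deny


if __name__ == "__main__":
    f = ReflexiveFilter()
    out = Packet("tcp", "10.1.1.5", 40000, "203.0.113.9", 443)    # constructed sample flow
    print("outbound", f.outbound(out, now=0))
    print("reply   ", f.inbound(Packet("tcp", "203.0.113.9", 443, "10.1.1.5", 40000), now=1))
    print("unsolicited", f.inbound(Packet("tcp", "203.0.113.9", 443, "10.1.1.6", 40000), now=1))
```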

Ref: http://www.netcraftsmen.net/resources/archived-articles/432.html

Thursday, January 12, 2012

Random Early Detection and the Mark Probability Denominator

The mark probability denominator is the bottom of a fraction whose numerator is 1: a denominator of 10 means 1 packet in 10 is dropped when the average queue depth sits at the maximum threshold.

random-detect precedence 5 40 90 5


This applies to IP precedence 5 packets. WRED starts discarding them when the average queue depth reaches 40 packets; by the time it reaches 90 (which means the queue limit must have been raised first, since the default is lower) it discards 1 of every 5 packets, and above 90 every packet of that precedence is dropped.
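The drop profile those three numbers define, as an added example (not from the original post or Cisco): probability zero below the minimum threshold, rising linearly to 1/denominator at the maximum threshold, then a hard drop of everything above it. The thresholds apply to the average depth, which IOS smooths with an exponential weighting constant (default 9, i.e. a weight of 1/512); reproducing that shows why a short burst to 100 packets does not trigger a single drop.

```python
"""Weighted RED drop profile for `random-detect precedence 5 40 90 5`.
Added example; thresholds are in packets of *average* queue depth."""


def wred_drop_probability(avg_depth, min_th=40, max_th=90, mpd=5):
    """Probability of dropping an arriving packet of this precedence.

    Below min_th nothing is dropped; between min_th and max_th the
    probability rises linearly to 1/mpd at max_th; above max_th every
    packet of the precedence is dropped (tail drop for the class).
    """
    if min_th >= max_th or mpd < 1:
        raise ValueError("need min_th < max_th and mpd >= 1")
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return (avg_depth - min_th) / (max_th - min_th) / mpd


def weighted_average(prev_avg, current_depth, exponent=9):
    """IOS-style moving average: avg = old*(1 - 2^-n) + current*2^-n."""
    w = 2.0 ** -exponent
    return prev_avg * (1 - w) + current_depth * w


def simulate(depth_samples, exponent=9, **profile):
    """Run instantaneous depths through the averager and the drop profile.
    Returns (final_average_depth, expected_number_of_drops)."""
    avg, expected_drops = 0.0, 0.0
    for depth in depth_samples:
        avg = weighted_average(avg, depth, exponent)
        expected_drops += wred_drop_probability(avg, **profile)
    return avg, expected_drops


if __name__ == "__main__":
    for depth in (20, 40, 65, 90, 91):
        print(depth, wred_drop_probability(depth))
    # a 5-packet burst to depth 100 barely moves the average: no drops
    print(simulate([100] * 5))
```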

Ref: https://learningnetwork.cisco.com/thread/4439

BGP maximum-prefix

R1 - ebgp - R2

R2(config-router)#neighbor 10.0.12.1 maximum-prefix 3 2

- R2 accepts at most three prefixes from R1. The second value is a percentage, not a prefix count: IOS logs a %BGP-4-MAXPFX warning once the number of prefixes received reaches that percentage of the maximum (the default is 75). When the maximum is exceeded, R2 sends a BGP notification to R1 and drops the session.

When R1 sends R2 two prefixes, R2 logs:
*Mar  1 00:48:31.511: %BGP-4-MAXPFX: No. of prefix received from 10.0.12.1 (afi 0) reaches 2, max 3


When R1 sends R2 three prefixes, R2 logs:
*Mar  1 00:49:10.695: %BGP-4-MAXPFX: No. of prefix received from 10.0.12.1 (afi 0) reaches 3, max 3

When R1 sends R2 four prefixes, R2 logs:
 *Mar  1 00:50:18.015: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.0.12.1 (afi 0): 4 exceed limit 3
*Mar  1 00:50:18.015: %BGP-5-ADJCHANGE: neighbor 10.0.12.1 Down BGP Notification sent
*Mar  1 00:50:18.015: %BGP-3-NOTIFICATION: sent to neighbor 10.0.12.1 3/1 (update malformed) 0 bytes                           

While R1 has
*Mar  1 00:50:18.411: %BGP-3-NOTIFICATION: received from neighbor 10.0.12.2 3/1 (update malformed) 0 bytes
*Mar  1 00:50:18.411: %BGP-5-ADJCHANGE: neighbor 10.0.12.2 Down BGP Notification received

To recover, raise the maximum-prefix value (or have R1 advertise fewer prefixes) and reset the session with clear ip bgp.

Please note: with neighbor 10.0.12.1 maximum-prefix 3 2 restart 1 the router re-establishes the session after one minute, but as long as R1 still advertises more than three prefixes the session is torn down again, so the limit still has to be corrected manually.

Wednesday, January 11, 2012

GRE Tunnel MTU issue

0. you are using a GRE tunnel
1. you can ping google.com
2. you cannot browse google.com

This is most likely an MTU issue: small ICMP echoes fit through the tunnel, but full-size TCP segments no longer fit once the GRE header is added, and if the ICMP "fragmentation needed" messages never reach the sender it keeps sending segments that are too big.

fix: lower the IP MTU on the LAN interface, clamp the TCP MSS of sessions passing through it, and clear the DF bit so that anything still too large can be fragmented instead of dropped:

interface LAN-INTERFACE
ip mtu 1435
ip tcp adjust-mss 1385
ip policy route-map CLEAR-DF



route-map CLEAR-DF permit 10
 set ip df 0
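The arithmetic behind those numbers, as an added example (not code from the original post or Cisco): GRE adds a 20-byte outer IPv4 header plus a 4-byte GRE header (RFC 2784), so a 1500-byte link leaves 1476 bytes for the inner packet, and the MSS should be the IP MTU minus 40 bytes of IP and TCP headers (RFC 6691). IPsec overhead depends on the transform set, so the block takes it as an explicit parameter rather than guessing. Run against the post's own values, ip mtu 1435 and adjust-mss 1385, it shows the MSS is 10 bytes below the tightest safe value of 1395, which is conservative but still avoids fragmentation.

```python
"""MTU / MSS arithmetic for GRE tunnels. Added example for the fix above."""

IPV4_HEADER = 20
TCP_HEADER = 20       # without options; senders shrink payload to fit options
GRE_HEADER = 4        # basic GRE header; +4 when a GRE key is configured


def gre_tunnel_ip_mtu(link_mtu=1500, gre_key=False, extra_overhead=0):
    """Largest inner IPv4 packet that fits in one outer packet unfragmented.

    extra_overhead covers anything else on the path, e.g. an IPsec ESP
    encapsulation of the GRE packet (assumption: caller supplies the figure
    for its transform set, since ESP overhead varies with cipher and ICV).
    """
    overhead = IPV4_HEADER + GRE_HEADER + (4 if gre_key else 0) + extra_overhead
    if overhead >= link_mtu:
        raise ValueError("encapsulation overhead exceeds link MTU")
    return link_mtu - overhead


def tcp_mss_for(ip_mtu):
    """MSS such that payload + IP header + TCP header == ip_mtu."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def fits(payload, ip_mtu):
    """Does a TCP segment with this payload fit the IP MTU without fragmentation?"""
    return payload + IPV4_HEADER + TCP_HEADER <= ip_mtu


def explain(ip_mtu, configured_mss):
    """Compare a configured `ip tcp adjust-mss` value with the tightest safe one."""
    safe = tcp_mss_for(ip_mtu)
    if configured_mss > safe:
        return "too large: %d-byte payloads exceed the %d-byte IP MTU" % (
            configured_mss, ip_mtu)
    return "ok: %d bytes of headroom below the tightest value %d" % (
        safe - configured_mss, safe)


if __name__ == "__main__":
    print("GRE over 1500:", gre_tunnel_ip_mtu())            # 1476
    print("MSS for 1476:", tcp_mss_for(1476))                # 1436
    print("post's values:", explain(1435, 1385))
```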

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC

Thursday, January 5, 2012

Switching Ethernet - back to the basic

Switching Ethernet

➢ A switch is a multi-port bridge: it takes an incoming frame and looks at the destination MAC address

➢ It decides what port to send the traffic to by looking at its CAM table (MAC to port # mapping)

➢ A switch does NOT do ARP to forward Ethernet frames (it floods frames whose destination MAC is unknown)

➢ A layer 2 switch does not even know what TCP/IP or ARP are. If it did, how would it route non IP traffic?

➢ Ethernet and TCP/IP were not designed with switches in mind; switches are supposed to be transparent. This means they do switching with no protocol support

Ref: http://marc.merlins.org/linux/talks/Layer2&ARP/talk-src/Layer2&ARP.pdf
http://aconaway.com/2008/07/14/back-to-basics-cam-table-population/
http://www.routeralley.com/ra/docs/switching_tables.pdf

Sunday, January 1, 2012