Saturday, 27 August 2011

Catalyst Switch QoS

Layer 2 QoS is part of the R&S blueprint, and the pieces behind how SRR queuing actually works can get quite confusing, even though there is a method to the madness.

Vik Malhi has distilled this information into three blog posts, covering classification and marking, ingress queuing and scheduling, and finally egress queueing, dropping and scheduling, which can be found here.  Although the posts focus on the Catalyst 3750 platform, it shares many concepts with the Catalyst 3560 and is configured and tested in the same manner.

These blog posts, together with the explanation Narbik gave at his bootcamp, turn a complex topic into something a bit more bearable.

Sunday, 21 August 2011

OSPF Domain Id and Sham Links

This post looks at MPLS-based VPNs and the different aspects of routing information exchange when OSPF is the CE-PE routing protocol.

The topology under discussion is shown below:

R1(CE)===R2(PE)===R3(PE)===R4(CE)

Here are the base configurations:

R1
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 1
!
interface FastEthernet0/0
 description R2 Fa0/0
 ip address 10.1.12.1 255.255.255.0
 ip ospf 1 area 1
!

R2
hostname R2
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 description R1 Fa0/0
 ip vrf forwarding A
 ip address 10.1.12.2 255.255.255.0
 ip ospf 2 area 1
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description R3 Fa0/1
 ip address 10.1.23.2 255.255.255.0
 ip ospf 1 area 0
 mpls ip
!
router ospf 2 vrf A
 log-adjacency-changes
 redistribute bgp 23 subnets
!
router ospf 1
 log-adjacency-changes
!
router bgp 23
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 23
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute ospf 2 vrf A
  no synchronization
 exit-address-family
!

R3
hostname R3
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 description R4 Fa0/0
 ip vrf forwarding A
 ip address 10.1.34.3 255.255.255.0
 ip ospf 3 area 1
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description R2 Fa0/1
 ip address 10.1.23.3 255.255.255.0
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 log-adjacency-changes
!
router ospf 3 vrf A
 log-adjacency-changes
 redistribute bgp 23 subnets
!
router bgp 23
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 23
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute ospf 3 vrf A
  no synchronization
 exit-address-family
!

R4
hostname R4
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip ospf 1 area 1
!
interface FastEthernet0/0
 description R3 Fa0/0
 ip address 10.1.34.4 255.255.255.0
 ip ospf 1 area 1
!

R1 Fa0/0 and R4 Fa0/0 are both in OSPF area 1 where they connect to the PEs, so we would like to see their associated loopbacks as an "O" (intra-area) route:

R1>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/2] via 10.1.12.2, 00:04:19, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
O E2    10.1.34.0 [110/1] via 10.1.12.2, 00:04:19, FastEthernet0/0

R4>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O E2    1.1.1.1 [110/2] via 10.1.34.3, 00:04:38, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
O E2    10.1.12.0 [110/1] via 10.1.34.3, 00:04:37, FastEthernet0/0
C       10.1.34.0 is directly connected, FastEthernet0/0

Right now these guys see each other as external routes (Type 5 LSAs). Why is this?  Well, if you think about it, these should be external routes because we are redistributing from OSPF into BGP and then back into OSPF on our PEs.  Normally, however, the MPLS network acts as an OSPF super backbone and is smart enough to keep the routes appearing as OSPF routes.  That isn't happening here for some reason:

R2#sh ip ospf int brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Fa0/1        1     0               10.1.23.2/24       1     DR    1/1
Lo0          1     0               2.2.2.2/32         1     LOOP  0/0
Fa0/0        2     1               10.1.12.2/24       1     BDR   1/1

R3#sh ip ospf int brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Fa0/0        3     1               10.1.34.3/24       1     BDR   1/1
Fa0/1        1     0               10.1.23.3/24       1     BDR   1/1
Lo0          1     0               3.3.3.3/32         1     LOOP  0/0

The problem is that the OSPF process IDs for the CE-facing interfaces on the PEs are different. If both PEs used the same OSPF domain ID (which by default is inherited from the process ID), these routes would not show up as external:

R2#sh ip ospf | i Process|Domain
 Routing Process "ospf 1" with ID 2.2.2.2
 Routing Process "ospf 2" with ID 10.1.12.2
   Domain ID type 0x0005, value 0.0.0.2

R3#sh ip ospf | i Process|Domain
 Routing Process "ospf 3" with ID 10.1.34.3
   Domain ID type 0x0005, value 0.0.0.3
 Routing Process "ospf 1" with ID 3.3.3.3

So if we want the routes not to appear as external, all we need to do is make both sides agree on the domain ID:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router ospf 2
R2(config-router)#domain-id 0.0.0.3
R2(config-router)#end
*Mar  1 22:11:44.698: %SYS-5-CONFIG_I: Configured from console by console
R2#clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
*Mar  1 22:11:59.690: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 22:11:59.726: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 22:11:59.778: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
*Mar  1 22:11:59.782: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done

R2#sh ip ospf | i Process|Domain
 Routing Process "ospf 1" with ID 2.2.2.2
 Routing Process "ospf 2" with ID 10.1.12.2
   Domain ID type 0x0005, value 0.0.0.3

R1>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 10.1.12.2, 00:00:40, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
O IA    10.1.34.0 [110/2] via 10.1.12.2, 00:00:40, FastEthernet0/0

R4>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 10.1.34.3, 00:00:40, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.12.0 [110/2] via 10.1.34.3, 00:00:40, FastEthernet0/0
C       10.1.34.0 is directly connected, FastEthernet0/0

These routes no longer appear as external (Type 5) but as inter-area (Type 3), which is closer but still not what we wanted.

The way to fix this so that the routes appear as intra-area (Type 1) is to use sham-links. A sham-link is somewhat similar to a virtual-link in that it is a tunnel across the backbone area (the MPLS super backbone in this case), but it can be used for more than just OSPF area 0. How do we make this work?

First we need to add a loopback on each PE that belongs to the CE's VRF and advertise it into MP-BGP:

R2(config-if)#int lo23
R2(config-if)#ip vrf forwarding A
R2(config-if)#ip add 23.23.23.2 255.255.255.255
R2(config-if)#router bgp 23
R2(config-router)#address-family ipv4 vrf A
R2(config-router-af)#network 23.23.23.2 mask 255.255.255.255

R3(config-if)#int lo23
R3(config-if)#ip vrf forwarding A
R3(config-if)#ip add 23.23.23.3 255.255.255.255
R3(config-if)#router bgp 23
R3(config-router)#address-family ipv4 vrf A
R3(config-router-af)#network 23.23.23.3 mask 255.255.255.255

Then, within the OSPF process for the VRF, we configure the sham-link:

R2(config-router-af)#router ospf 2
R2(config-router)#area 1 sham-link 23.23.23.2 23.23.23.3

R3(config-router-af)#router ospf 3
R3(config-router)#area 1 sham-link 23.23.23.3 23.23.23.2

Resulting in:

*Mar  1 22:24:17.802: %OSPF-5-ADJCHG: Process 3, Nbr 10.1.12.2 on OSPF_SL1 from LOADING to FULL, Loading Done

R2#sh ip ospf sham-links
Sham Link OSPF_SL1 to address 23.23.23.3 is up
Area 1 source address 23.23.23.2
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:09
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

R1>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/4] via 10.1.12.2, 00:00:39, FastEthernet0/0
     23.0.0.0/32 is subnetted, 2 subnets
O E2    23.23.23.3 [110/1] via 10.1.12.2, 00:02:55, FastEthernet0/0
O E2    23.23.23.2 [110/1] via 10.1.12.2, 00:03:54, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
O       10.1.34.0 [110/3] via 10.1.12.2, 00:00:39, FastEthernet0/0

R4>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/4] via 10.1.34.3, 00:00:49, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     23.0.0.0/32 is subnetted, 2 subnets
O E2    23.23.23.3 [110/1] via 10.1.34.3, 00:03:06, FastEthernet0/0
O E2    23.23.23.2 [110/1] via 10.1.34.3, 00:04:01, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.1.12.0 [110/3] via 10.1.34.3, 00:00:49, FastEthernet0/0
C       10.1.34.0 is directly connected, FastEthernet0/0

As we can see, R1 and R4 now see the routes as intra-area (Type 1). As an extra clean-up we may want to get rid of the sham-link loopback routes on the CEs, which can be done by controlling the redistribution from MP-BGP into OSPF:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 23 deny 23.23.23.0 0.0.0.255
R2(config)#access-list 23 permit any
R2(config)#route-map BGP2OSPF
R2(config-route-map)#match ip address 23
R2(config-route-map)#router ospf 2
R2(config-router)#default domain-id
R2(config-router)#redistribute bgp 23 subnets route-map BGP2OSPF
R2(config-router)#do clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
R2(config-router)#do sh ip ospf | i Process|Domain
 Routing Process "ospf 1" with ID 2.2.2.2
 Routing Process "ospf 2" with ID 10.1.12.2
   Domain ID type 0x0005, value 0.0.0.2

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#access-list 23 deny 23.23.23.0 0.0.0.255
R3(config)#access-list 23 permit any
R3(config)#route-map BGP2OSPF
R3(config-route-map)#match ip address 23
R3(config-route-map)#router ospf 3
R3(config-router)#redistribute bgp 23 subnets route-map BGP2OSPF
R3(config-router)#do sh ip ospf | i Process|Domain
 Routing Process "ospf 3" with ID 10.1.34.3
   Domain ID type 0x0005, value 0.0.0.3
 Routing Process "ospf 1" with ID 3.3.3.3

I reset the domain-id to the default on R2 just to show that for sham-links the domain ID doesn't matter:

R1>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/4] via 10.1.12.2, 00:02:00, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
O       10.1.34.0 [110/3] via 10.1.12.2, 00:02:00, FastEthernet0/0

R4>sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/4] via 10.1.34.3, 00:01:54, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.1.12.0 [110/3] via 10.1.34.3, 00:01:54, FastEthernet0/0
C       10.1.34.0 is directly connected, FastEthernet0/0

So why would we even care about this?  Suppose there was a backup link between R1 and R4 that bypasses the MPLS network.  If OSPF was running on that link as well, the path via the MPLS network would not be used regardless of the link metric, because intra-area routes are preferred over inter-area routes, which in turn are preferred over external routes.  The backdoor link may also need its OSPF cost increased to ensure that it is used only if the MPLS path is down.
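As an added illustration (not code from the post), here is a Python model of the two decisions discussed above: how a PE classifies a VPN route it receives by comparing its own domain ID with the one carried in the OSPF Domain ID extended community (and how a sham-link bypasses that), and how a CE then ranks a backdoor path against the MPLS path. The extended-community wire layout (2-byte type, 4-byte domain ID, 2 zero bytes) and the route-type names are assumptions of this example.

```python
import ipaddress
import struct

# Assumed wire layout of the OSPF Domain Identifier extended community
# (RFC 4577): 2-byte type, 4-byte domain id, 2 zero bytes. Type 0x0005 is
# the one the "show ip ospf" output above reports.
DOMAIN_ID_TYPE = 0x0005


def default_domain_id(process_id: int) -> str:
    """IOS derives the default domain id from the process id: 'ospf 2' -> 0.0.0.2."""
    return str(ipaddress.IPv4Address(process_id))


def encode_domain_id(domain_id: str) -> bytes:
    """Build the 8-byte extended community carrying a dotted-quad domain id."""
    return struct.pack("!H4sH", DOMAIN_ID_TYPE,
                       ipaddress.IPv4Address(domain_id).packed, 0)


def decode_domain_id(community: bytes) -> str:
    """Recover the domain id from an 8-byte extended community, rejecting other types."""
    ctype, value, pad = struct.unpack("!H4sH", community)
    if ctype != DOMAIN_ID_TYPE or pad != 0:
        raise ValueError("not an OSPF Domain ID extended community")
    return str(ipaddress.IPv4Address(value))


def route_type_seen_by_remote_ce(local_domain_id: str, received_domain_id: str,
                                 sham_link: bool = False) -> str:
    """Route type the far CE sees for an intra-area CE route carried across MP-BGP.

    Mirrors the three states in the post: mismatched domain ids give O E2,
    matching ids give O IA, and a sham-link keeps the route intra-area (O)
    regardless of the domain ids.
    """
    if sham_link:
        return "O"      # the original Type 1/2 LSAs flood across the sham-link
    if local_domain_id == received_domain_id:
        return "O IA"   # re-originated by the PE as a Type 3 summary LSA
    return "O E2"       # re-originated by the PE as a Type 5 external LSA


# OSPF path selection: intra-area beats inter-area beats external before
# the cost is even compared.
_PREFERENCE = {"O": 0, "O IA": 1, "O E2": 2}


def preferred_path(candidates: list[tuple[str, str, int]]) -> str:
    """Pick the winning path from (name, route_type, cost) tuples."""
    name, _, _ = min(candidates, key=lambda c: (_PREFERENCE[c[1]], c[2]))
    return name


if __name__ == "__main__":
    # Constructed scenario from the post: PE processes "ospf 2" and "ospf 3".
    r2, r3 = default_domain_id(2), default_domain_id(3)
    print(route_type_seen_by_remote_ce(r2, decode_domain_id(encode_domain_id(r3))))
    # A backdoor link between the CEs at cost 100 still beats the MPLS path
    # unless the MPLS path is intra-area too (the sham-link case).
    print(preferred_path([("mpls", "O IA", 3), ("backdoor", "O", 100)]))
    print(preferred_path([("mpls", "O", 4), ("backdoor", "O", 100)]))
```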

Thursday, 18 August 2011

IPv6 Tunnelling over IPv4

Today I'm going to play around with some IPv6 tunnelling techniques.

The topology for this example is a string of four IPv4-enabled routers connected by Ethernet, each with a Loopback0 of 100.100.100.x/32, with all interfaces advertised into OSPF.

Here are their base configurations:

R1
hostname R1
interface Loopback0
 ip address 100.100.100.1 255.255.255.255
!
interface FastEthernet0/0
 description R2 Fa0/0
 ip address 10.1.12.1 255.255.255.0
!
router ospf 1
 network 10.1.12.1 0.0.0.0 area 0
 network 100.100.100.1 0.0.0.0 area 0

R2
hostname R2
interface Loopback0
 ip address 100.100.100.2 255.255.255.255
!
interface FastEthernet0/0
 description R1 Fa0/0
 ip address 10.1.12.2 255.255.255.0
!
interface FastEthernet0/1
 description R3 Fa0/1
 ip address 10.1.23.2 255.255.255.0
!
router ospf 1
 network 10.1.12.2 0.0.0.0 area 0
 network 10.1.23.2 0.0.0.0 area 0
 network 100.100.100.2 0.0.0.0 area 0

R3
hostname R3
interface Loopback0
 ip address 100.100.100.3 255.255.255.255
!
interface FastEthernet0/0
 description R4 Fa0/0
 ip address 10.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 description R2 Fa0/1
 ip address 10.1.23.3 255.255.255.0
!
router ospf 1
 network 10.1.23.3 0.0.0.0 area 0
 network 10.1.34.3 0.0.0.0 area 0
 network 100.100.100.3 0.0.0.0 area 0

R4
hostname R4
interface Loopback0
 ip address 100.100.100.4 255.255.255.255
!
interface FastEthernet0/0
 description R3 Fa0/0
 ip address 10.1.34.4 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.1.34.4 0.0.0.0 area 0
 network 100.100.100.4 0.0.0.0 area 0

IPv6 over GRE and IPv6 over IPv4

IPv6 over GRE over IPv4 is the easiest way to configure a point-to-point tunnel carrying IPv6 across an IPv4 network.

The initial tunnel configuration between R1 and R3 in this example is nothing special: we specify that the tunnel runs between the Loopback interfaces, and the only addition is the IPv6 address assigned to each tunnel endpoint.

R1
interface Tunnel13
 ipv6 address FEC0:13::1/64
 tunnel source 100.100.100.1
 tunnel destination 100.100.100.3

R3
interface Tunnel13
 ipv6 address FEC0:13::3/64
 tunnel source 100.100.100.3
 tunnel destination 100.100.100.1

R1#ping fec0:13::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:13::1, timeout is 2 seconds:
!!!!!

IPv6 over IPv4 is working fine:


R1#sh int tun13 | i transport
  Tunnel protocol/transport GRE/IP


As we can see, we are tunnelling IPv6 over GRE over IPv4.  GRE is a handy protocol since it can carry all sorts of protocols, but in this case it is a little inefficient: the extra encapsulation overhead reduces the effective MTU on the path.  So we can transport IPv6 directly over IPv4, skip the GRE middleman and gain a larger payload MTU:

R1
interface Tunnel13
  tunnel mode ipv6ip

R3
interface Tunnel13
  tunnel mode ipv6ip

R1#sh int tun13 | i transport
  Tunnel protocol/transport IPv6/IP
 
IPv6 over IPv4 automatic tunnels


Another tunnelling method is quite interesting in the way it is defined.  The tunnel destination address is not specified at all, because it is encoded within the destination IPv6 address: the 2002::/16 network is a special range used to carry the IPv4 destination address followed by a network identifier.

R1
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address 2002:6464:6401:1::/128
 tunnel source 100.100.100.1
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123

In this case the tunnel source IPv4 address is converted to hexadecimal: 100.100.100.1 becomes 6464:6401, and the associated network is 1 (this way we can terminate multiple IPv6 networks on the same IPv4 address if we have to).

All of the remote ends of the tunnel are in the 2002::/16 network, so we instruct the router to reach them via the tunnel, where it inspects the destination address and automatically derives the tunnel destination.

R2
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address 2002:6464:6402:1::/128
 tunnel source 100.100.100.2
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123

R1#ping 2002:6464:6402:1::

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6402:1::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms

This is a multipoint tunnel; if we add another IPv6-over-IPv4 tunnel on R3, things should work just as easily:


R3
interface Tunnel123
 no ip address
 no ip redirects
 ipv6 address 2002:6464:6403:9::/128
 tunnel source 100.100.100.3
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123

R1#ping 2002:6464:6403:9::

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6403:9::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms

ISATAP tunnels

A similar concept, but somewhat different, is the ISATAP tunnel. Unlike 6to4 automatic tunnels, which have to use the 2002::/16 network, ISATAP tunnels are far more flexible in the addresses they can use. The IPv6 addresses are still derived automatically from the tunnel source IPv4 address, but they are built with the EUI-64 method: the interface identifier embeds the hex-encoded IPv4 address, preceded by the special 5EFE identifier that tells us this is an ISATAP address.

R2
interface Tunnel24
 no ip address
 no ip redirects
 ipv6 address FEC0:24::/64 eui-64
 no ipv6 nd ra suppress
 tunnel source 100.100.100.2
 tunnel mode ipv6ip isatap

R4
interface Tunnel24
 no ip address
 no ip redirects
 ipv6 address FEC0:24::/64 eui-64
 no ipv6 nd ra suppress
 tunnel source 100.100.100.4
 tunnel mode ipv6ip isatap

R2#sh ipv6 int tun24 | i EUI
    FEC0:24::5EFE:6464:6402, subnet is FEC0:24::/64 [EUI]



We can see that the EUI-64 address uses the 5EFE flag for ISATAP addressing followed by 6464:6402, which is the hex-encoded version of 100.100.100.2.

R4#sh ipv6 int tun24 | i EUI
    FEC0:24::5EFE:6464:6404, subnet is FEC0:24::/64 [EUI]


As R4 is on the same subnet as R2 on Tunnel24, we don't need a specific route for it; the tunnel to R4 (100.100.100.4) is established by inspecting the destination address:

R2#ping FEC0:24::5EFE:6464:6404 source tun24

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:24::5EFE:6464:6404, timeout is 2 seconds:
Packet sent with a source address of FEC0:24::5EFE:6464:6402
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
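To show what the router is doing with the 6to4 and ISATAP addresses in the two sections above, here is an added Python example (not from the post): it derives a 6to4 address and an ISATAP EUI-64 address from the tunnel source IPv4, recovers the IPv4 tunnel endpoint from a destination address the way an automatic tunnel does, and works out the payload MTU for the GRE/IP and IPv6/IP transports from the earlier section. It assumes a basic 4-byte GRE header (no key, checksum or sequence number) and a 1500-byte link MTU.

```python
import ipaddress

# Encapsulation overhead on top of the inner IPv6 packet: the outer IPv4
# header is 20 bytes; a basic GRE header with no options adds 4 more.
_OVERHEAD = {"GRE/IP": 20 + 4, "IPv6/IP": 20}


def payload_mtu(link_mtu: int, transport: str) -> int:
    """Largest IPv6 packet that fits in one outer IPv4 packet for a tunnel transport."""
    return link_mtu - _OVERHEAD[transport]


def sixto4_address(ipv4: str, sla_id: int = 0, interface_id: int = 0) -> ipaddress.IPv6Address:
    """2002:WWXX:YYZZ:<sla>::<iid>, the 6to4 address embedding the tunnel source IPv4."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA id must fit in 16 bits")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | (sla_id << 64) | interface_id)


def isatap_address(prefix: str, ipv4: str, globally_unique: bool = False) -> ipaddress.IPv6Address:
    """<prefix>::[0|2]00:5EFE:WWXX:YYZZ, the ISATAP interface id built from the IPv4 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    # The u/l bit (0200) is set only when the embedded IPv4 address is globally unique;
    # the post's 100.100.100.x addresses are treated as private, giving 0000:5EFE.
    flag = 0x0200_5EFE if globally_unique else 0x0000_5EFE
    iid = (flag << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_destination(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from a 6to4 or ISATAP destination address."""
    addr = ipaddress.IPv6Address(ipv6)
    raw = int(addr)
    if addr in ipaddress.IPv6Network("2002::/16"):
        return ipaddress.IPv4Address((raw >> 80) & 0xFFFF_FFFF)   # bits 16-47
    iid = raw & 0xFFFF_FFFF_FFFF_FFFF
    if (iid >> 32) & 0xFDFF_FFFF == 0x0000_5EFE:                  # 0000:5EFE or 0200:5EFE
        return ipaddress.IPv4Address(iid & 0xFFFF_FFFF)
    raise ValueError("not an automatic-tunnel address; a static tunnel destination is needed")


if __name__ == "__main__":
    print(payload_mtu(1500, "GRE/IP"), payload_mtu(1500, "IPv6/IP"))
    print(sixto4_address("100.100.100.1", sla_id=1))
    print(isatap_address("FEC0:24::/64", "100.100.100.2"))
    print(tunnel_destination("2002:6464:6402:1::"), tunnel_destination("FEC0:24::5EFE:6464:6404"))
```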

These are the main transition techniques for carrying IPv6 over IPv4-enabled networks, at least those that should be found in CCIE Routing and Switching version 4.0.

Wednesday, 17 August 2011

Enabling RSH in IOS

Here's a very quick recipe for enabling RSH on IOS routers. Whereabouts is it on the DOC-CD?  Assuming you're starting at the beginning of the IOS Software Release page for the version you care about (12.4T):

Configuration Guides -> System Management -> Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T -> Part 6: Configuring Basic File Transfer Services

Let's start with a very simple topology: R1 and R2 are back to back over Ethernet:

R1
interface FastEthernet0/0
 ip address 10.10.12.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
router eigrp 12
 network 1.1.1.1 0.0.0.0
 network 10.10.12.1 0.0.0.0
 no auto-summary


R2
interface FastEthernet0/0
 ip address 10.10.12.2 255.255.255.0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
router eigrp 12
 network 2.2.2.2 0.0.0.0
 network 10.10.12.2 0.0.0.0
 no auto-summary

Make sure we have Loopback to Loopback connectivity before we go further:

R1#sh ip route eigrp
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/409600] via 10.10.12.2, 00:00:19, FastEthernet0/0
R2#sh ip route eigrp
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/409600] via 10.10.12.1, 00:00:31, FastEthernet0/0
R2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Okay, so in this example R1 will be the RSH server and R2 will be the RSH client.


Let's create two local accounts that can be used for RSH: one will be used to execute non-privileged commands while the other will be used for enable-level commands.


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username level1 password 0 admin
R1(config)#username level2 password 0 admin

Now we want to allow R2 to use the above accounts for RSH commands that come from R2's Loopback0.  The level2 user will be able to execute enable-level commands:

R1(config)#ip rcmd remote-host level1 2.2.2.2 R2
R1(config)#ip rcmd remote-host level2 2.2.2.2 R2 enable

Now we enable RSH:

R1(config)#ip rcmd rsh-enable

On R2 we want to set the source interface to Loopback0; otherwise the router would source the request from the interface closest to the destination (Fa0/0), and it would not match the remote-host entries on R1:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip rcmd source-interface Loopback0



Let's see if R2 can get the IOS version running on R1:



R2(config)#do rsh 1.1.1.1 /user level1 show ver | i IOS
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)

Cool.  OK, let's verify that the enable permissions are working: let's try to get the running config of interface Loopback0 using the level1 user:

R2(config)#do rsh 1.1.1.1 /user level1 show run int lo0

Line has invalid autocommand "show run int lo0"

Okay, that failed as expected; let's try with the level2 user:

R2(config)#do rsh 1.1.1.1 /user level2 show run int lo0

Building configuration...

Current configuration : 63 bytes
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
end

Working as desired.  The biggest part is making sure the router acting as the RSH server has the remote-host entry for the remote user set up correctly, in this form:

ip rcmd remote-host LOCAL-USER-ACCOUNT REMOTE-IP REMOTE-HOSTNAME
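As an added model of the checks the RSH server applies above (this is not IOS code and not from the post): it parses the rcmd request a client sends to TCP/514, matches the source IP, the name the client sends (the post's entries use the client hostname R2) and the requested local user against the `ip rcmd remote-host` entries, and gates privileged commands on the `enable` keyword. The list of commands treated as privileged is a hypothetical stand-in for IOS's own privilege-level check, and the request bytes are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RcmdEntry:
    """One 'ip rcmd remote-host LOCAL-USER REMOTE-IP REMOTE-NAME [enable]' line."""
    local_user: str
    remote_ip: str
    remote_name: str
    enable: bool = False


# Constructed table mirroring R1's two remote-host lines in the post.
R1_RCMD = [
    RcmdEntry("level1", "2.2.2.2", "R2"),
    RcmdEntry("level2", "2.2.2.2", "R2", enable=True),
]

# Hypothetical stand-in for the IOS privilege-level check: these need enable.
PRIVILEGED_PREFIXES = ("show run", "show running-config", "configure", "write")


def parse_rsh_request(payload: bytes) -> tuple[str, str, str]:
    """Split a BSD rcmd request: <stderr port>\\0<client user>\\0<server user>\\0<command>\\0.

    Returns (client_user, server_user, command); the stderr port is ignored here.
    """
    fields = payload.split(b"\x00")
    if len(fields) != 5 or fields[4] != b"":
        raise ValueError("malformed rsh request")
    _port, client_user, server_user, command = (f.decode("ascii") for f in fields[:4])
    return client_user, server_user, command


def authorize(table, src_ip: str, client_user: str, server_user: str, command: str,
              rsh_enabled: bool = True) -> str:
    """Decide what the rsh server does with a request, following the post's description."""
    if not rsh_enabled:
        return "denied: ip rcmd rsh-enable not configured"
    src = ipaddress.ip_address(src_ip)
    for entry in table:
        # Local user, source IP and the name the client sent must all match one line;
        # a request sourced from Fa0/0 instead of Loopback0 fails the IP check.
        if (entry.local_user == server_user and entry.remote_name == client_user
                and ipaddress.ip_address(entry.remote_ip) == src):
            if command.startswith(PRIVILEGED_PREFIXES) and not entry.enable:
                return 'denied: Line has invalid autocommand "%s"' % command
            return "permitted at privilege 15" if entry.enable else "permitted at privilege 1"
    return "denied: no matching ip rcmd remote-host entry"


def handle(table, src_ip: str, payload: bytes) -> str:
    """Parse one request and run it through the authorization table."""
    client_user, server_user, command = parse_rsh_request(payload)
    return authorize(table, src_ip, client_user, server_user, command)


if __name__ == "__main__":
    # Constructed request: no stderr port, client name R2, local user level1.
    print(handle(R1_RCMD, "2.2.2.2", b"\x00R2\x00level1\x00show run int lo0\x00"))
    print(handle(R1_RCMD, "2.2.2.2", b"\x00R2\x00level2\x00show run int lo0\x00"))
```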



Monday, 15 August 2011

Scheduled Attempt #2

It's just about 4 weeks before I have my second stab at the CCIE Lab.  When I attended the Micronics Bootcamp they were running the Cisco LabSafe program which included a lab-retake voucher if you did well enough in the assessment labs, which is quite helpful as it takes away some of the costs for the next shot.  Interestingly, Cisco has increased the price from $US1400 to $US1500 on the first of August.  The voucher covered $US1400, so I had to make up the difference plus the 10% Goods and Services Tax that they like to charge us in Australia, so having to pay $US250 for another go at the lab is not too bad at all - flights and accommodation also need paying for, but that's the price.  Looking at the CCIE numbers being announced in places like GroupStudy, should I get through this time my guess is that my number will be in the 30,000+ range.

As for my preparation - I've been pretty flat out with work, particularly since I've been interstate, but I have been keeping at the labs (I brought a personal laptop that is running dynamips to lab small things up).  When I'm home I'm still going through the Troubleshooting workbook. With two labs left to do I will have gone through it all once, but I plan to revisit some of the labs just to keep the practice going.  There seems to be a pretty good level of difficulty and variety in there, and I'm finding it useful because sometimes I jump into trying to fix a problem that is probably deep, when it's possibly something as basic as a sub-interface being up but the main interface being down.