Wednesday, February 29, 2012

Is there added value of having multiple BGP AS# for a single VRF on IP-VPN

Is there any added value of having multiple private AS numbers for a single VRF, compared to the usual practice of having one single AS for the entire enterprise network of a given customer? The solution provider is presenting a solution, basically connecting branches to the Primary Data Center and DRC using three AS numbers: one AS for the Primary Data Center, one for the Disaster Recovery Center and one for all the 1,000+ branches.

If the provider uses the same AS number for all sites belonging to the customer, it is sometimes difficult to troubleshoot routing problems from the CE router's point of view, because the provider has to use BGP features like as-override or allowas-in to make a CE router accept prefixes originated by other sites using the same AS number. Looking at the CE router's BGP table, it is then not clear which site a prefix was originated from.

Using multiple AS numbers on the customer side also allows a clear hierarchy of BGP routes to be built from the point of view of the branch offices. With different AS numbers, as-override is not needed on the provider side, and routes originated at the disaster recovery site can be made less preferred simply by AS path prepending, which is carried to every branch site.

If branch-to-branch communication should also be blocked for any reason, it is enough to omit as-override on the provider side of each branch-facing PE node.
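An added example (not from the original post): a small Python model of what a branch CE keeps from its PE under the two designs. The provider AS 64999, the customer ASes 65000 to 65003 and the prefixes are constructed for the illustration.

```python
# Constructed model of a branch CE's eBGP view; all ASNs are made up for the example.
PROVIDER_AS = 64999

def pe_export(as_path, as_override_for=None):
    """The PE prepends its own AS. With as-override configured towards the CE,
    every occurrence of the CE's AS in the path is rewritten to the provider AS."""
    path = [PROVIDER_AS] + list(as_path)
    if as_override_for is not None:
        path = [PROVIDER_AS if asn == as_override_for else asn for asn in path]
    return path

def ce_accepts(local_as, as_path, allowas_in=False):
    """eBGP loop prevention: a route carrying the CE's own AS is dropped unless allowas-in."""
    return allowas_in or local_as not in as_path

def branch_view(branch_as, advertisements, as_override=False, allowas_in=False):
    """Routes the branch CE keeps. advertisements: (site, prefix, AS_PATH at the PE).
    Returns {prefix: {site: AS_PATH as received by the CE}}."""
    kept = {}
    for site, prefix, path in advertisements:
        sent = pe_export(path, branch_as if as_override else None)
        if ce_accepts(branch_as, sent, allowas_in):
            kept.setdefault(prefix, {})[site] = sent
    return kept

def best_site(candidates):
    """Shortest AS_PATH wins when the other attributes are equal."""
    return min(candidates, key=lambda site: len(candidates[site]))

def origin_as(as_path):
    """Last AS in the path: with distinct per-site ASes this identifies the site."""
    return as_path[-1]

# Design 1: one AS (65000) everywhere; the DRC prepends once to be less preferred.
SINGLE_AS = [("DC", "10.1.0.0/16", [65000]),
             ("DRC", "10.1.0.0/16", [65000, 65000]),
             ("BranchB", "10.2.2.0/24", [65000])]
# Design 2: DC=65001, DRC=65002 (prepended twice), all branches=65003.
MULTI_AS = [("DC", "10.1.0.0/16", [65001]),
            ("DRC", "10.1.0.0/16", [65002, 65002, 65002]),
            ("BranchB", "10.2.2.0/24", [65003])]
```

With a single AS nothing is accepted until as-override is enabled, after which both DC and DRC routes appear to come from the provider AS; with separate ASes the branch takes the DC route by path length, can read the originating site from the path, and only sees other branches if as-override is configured.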


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Monday, February 20, 2012

Can an ACL itself have an implicit deny after it is executed on an IP range?


Can an ACL itself have an implicit deny after it is executed on an IP range? To clarify, see below:

20 access-list 101 permit ip 10.168.1.10 255.255.255.255 192.168.1.0 255.255.255.255
30 access-list 101 permit ip 10.168.1.10 255.255.255.255 192.168.2.0 255.255.255.255
40 access-list 101 permit ip 192.168.2.0 255.255.255.255 10.168.1.10 255.255.255.255

Do the ACLs in sequence 30 and 40 get invalidated because in ACL sequence 20
the same IP address (10.168.1.10) is only permitted to 192.168.1.0
(hence packets going to 192.168.2.0, which are permitted later, will not be allowed
as they are dropped by a previous ACL)? So later on, when we added further access
for an IP which is part of an earlier ACL sequence, it got negated because
access for the same IP had already been defined.

Also does sequence 20 negate sequence 40 although it is an ACL for packets
coming to 10.168.1.10 instead of packets going from it?


When an ACL is evaluated, it is evaluated in a first-match manner, and every ACL has an implicit deny at the end. When evaluating whether a packet will be permitted or denied by an ACL, you need to consider each line of the ACL starting from the top. For instance, in your example, if line 20 did not match, no decision has yet been made on that packet; line 30 and then line 40 will be evaluated. If neither of those matches, the packet will be implicitly denied.

So, in your question you asked: if the source was matched in ACL line 20 but the destination did not match, would it be implicitly denied since it did not fully match line 20? The answer is no. It will continue to be evaluated against the other ACL entries, in order, until a match is found (or not found, in which case it is implicitly denied).

The second part of your post asked about ACLs and traffic direction. When an ACL is applied to an interface, it must be applied with a direction. Remember, the direction is from the perspective of the interface with the ACL applied.

For example, say VLAN 10 is inclusive of 192.168.1.0/24, and the SVI (interface vlan 10) is 192.168.1.1. Let's also say that VLAN 20 is inclusive of 192.168.2.0/24, and the SVI is 192.168.2.1. You want an ACL to control traffic routing between these two subnets, and active hosts are 192.168.1.10 and 192.168.2.10.

If you applied an ACL as an "inbound" access-list on interface VLAN 10, the ACL would be applied to traffic entering the router from VLAN 10. Traffic between 192.168.1.10 and 192.168.2.10 would be evaluated with the source of 192.168.1.10 and the destination of 192.168.2.10. If your ACL included an entry that had a source of 192.168.2.10 and destination of 192.168.1.10, that line would never be matched in this scenario.

Alternatively, if you applied the ACL as an "outbound" on interface VLAN 10, this means it is evaluating the ACL on traffic leaving the router towards VLAN 10. With that in mind, traffic would be evaluated with a source of 192.168.2.10 and destination of 192.168.1.10. So that line that was never matched when it was applied as an inbound ACL would now be matched.

An exception to this is when you are routing between two subnets on the same interface (for instance with ip address secondaries configured). In this scenario the router is hairpinning traffic in and out the same interface, so the ACL has to include both directions.
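An added example (not part of the original post) modelling the two points above in Python: first-match evaluation with the implicit deny, and which source/destination an inbound versus outbound ACL on the VLAN 10 SVI sees. The ACL mirrors the intent of the question's lines 20/30/40 but uses proper host (0.0.0.0) and /24 (0.0.0.255) wildcard masks, since a 255.255.255.255 wildcard as written in the question matches any address; the hosts 192.168.1.10 and 192.168.2.10 are the answer's.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# Constructed ACL with the intent of the question's lines 20/30/40
# (seq, action, src, src-wildcard, dst, dst-wildcard).
ACL_101 = [
    (20, "permit", "10.168.1.10", "0.0.0.0", "192.168.1.0", "0.0.0.255"),
    (30, "permit", "10.168.1.10", "0.0.0.0", "192.168.2.0", "0.0.0.255"),
    (40, "permit", "192.168.2.0", "0.0.0.255", "10.168.1.10", "0.0.0.0"),
]

# Constructed one-line ACL from the answer's direction example.
ACL_VLAN10 = [
    (10, "permit", "192.168.2.10", "0.0.0.0", "192.168.1.10", "0.0.0.0"),
]

def evaluate_acl(acl, src, dst):
    """First match wins; a partial match (source only) does not stop evaluation.
    Returns (action, sequence), or ('deny', None) for the implicit deny at the end."""
    for seq, action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, seq
    return "deny", None

def as_seen_by_acl(direction, vlan_host, remote_host):
    """Source/destination an ACL on a VLAN SVI sees for one flow between a host on
    that VLAN and a host elsewhere: 'in' = entering the router from the VLAN,
    'out' = leaving the router towards the VLAN."""
    if direction == "in":
        return vlan_host, remote_host
    if direction == "out":
        return remote_host, vlan_host
    raise ValueError("direction must be 'in' or 'out'")

def evaluate_on_svi(acl, direction, vlan_host, remote_host):
    """Apply the ACL in the given direction to the flow between the two hosts."""
    src, dst = as_seen_by_acl(direction, vlan_host, remote_host)
    return evaluate_acl(acl, src, dst)
```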


Thursday, February 9, 2012

Cannot Uplink/Daisy Chain Cisco 2960 S Series Switch to Cisco 3750 Switch


We have a new Cisco 2960 S series switch with a basic configuration that needs to be uplinked or daisy chained to a Cisco 3750 switch. We are not getting any connectivity to the network with either a straight-through or crossover cable. The port remains amber, but a 'show interface' indicates that the interface is up. We can manage the switch with a PC patched into any port on the switch with a static IP address.

Amber could mean a few things:

1. Spanning-tree;
2. Auto-negotiation between access and trunk port.

If you'd like, try the following commands on each switch:

2960S (replace <uplink-port> with the port facing the 3750; the original post did not name it)
interface <uplink-port>
 switchport mode trunk
 speed auto
 duplex auto

3750 (replace <uplink-port> with the port facing the 2960S)
default interface <uplink-port>
interface <uplink-port>
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed auto
 duplex auto

If spanning tree put the port in blocking mode, it did so for a reason: somewhere you have a loop built into your design, and you could put your network at risk by shutting off spanning tree between devices.


Saturday, February 4, 2012

%C6K_PLATFORM-0-UNKNOWN_CHASSIS - 7600 stuck in RoMMon

We have a 7600 with ws-sup750 and when it boots it displays these errors:

Cisco IOS Software, s72033_sp Software (s72033_sp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH2a, RELEASE SOFTWARE (fc2)

Firmware compiled 07-Apr-08 22:12 by integ Build [100]

00:00:05: %C6K_PLATFORM-0-UNKNOWN_CHASSIS: The chassis type is not known.(0x6003)

%Software-forced reload

22:49:38 UTC Thu Apr 28 2011: Breakpoint exception, CPU signal 23, PC = 0x41183348

--------------------------------------------------------------------
Possible software fault. Upon reccurence, please collect
crashinfo, "show tech" and contact Cisco Technical Support.
--------------------------------------------------------------------

Autoboot executing command: "boot bootdisk:/s72033-advipservicesk9_wan-mz.122-33.SXH2a.bin"
Loading image, please wait ...

Initializing ATA monitor library...

Then it got stuck in ROMmon. We tried using a 7200 PCMCIA card (we downloaded the 7600 IOS onto it), but if we do boot disk0: from ROMmon,
it complains with: open: file "c7200-atafslib-m" not found
so it does not boot.


On the 7600 chassis, you will need to use 12.2SR and not 12.2SX. SX is for 6500 switches, SR is for the 7600 routers.

See the Cisco IOS Software Release 12.2SX Update and the Release Notes of 12.2SR.


Thursday, February 2, 2012

%C6KPWR-4-DISABLED: power to module in slot 4 set off (New fabric sync sequence not supported)

We are using Cat6509-V-E chassis with redundant SUP-2T with ACE module. We are running IOS version: bootdisk:s2t54-advipservicesk9_npe-mz.SPA.150-1.SY.bin

ACE version: 4.1

We installed ACE on module 4 & 1. But in both the cases we are getting the following error message:
================================================================================================================
Router# *Feb 1 10:53:25.459: %C6KPWR-4-DISABLED: power to module in slot 4 set off (New fabric sync sequence not supported)
Router# *Feb 1 11:51:25.459: %C6KPWR-4-DISABLED: power to module in slot 1 set off (New fabric sync sequence not supported)
================================================================================================================

Any suggestions to resolve this?

You are running A4(1.0) code. This is not a supported version on SUP2T (the chassis hardware you are using). See the release notes.

The minimum required ACE30 module software version for Supervisor Engine 2T support is A4(2.1a) or later. This ACE software version supports both supervisor engine models: VS-S2T-10G and VS-S2T-10G-XL.

This is the reason for the "New fabric sync sequence not supported" messages. Therefore, please upgrade the ACE module to A4(2.1) in order to run it on SUP2T. I would request you to seat this module in a chassis with supported supervisor hardware, such as a SUP720. Once loaded, please upgrade to A4(2.1). Then you can plug it back into the current SUP. It was finally supported in A4(2.1) upwards.
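Both this post and the 7600 ROMmon post above come down to a software/platform mismatch that could have been caught before the hardware was touched. As an added example (not from either post), the Python below parses the IOS image names quoted in the two posts into train and version and checks them against the rule of thumb stated above (SX/SY for 6500, SR for 7600), and compares an ACE version string against the A4(2.1a) minimum for SUP2T; the platform-to-train table is taken from the posts and is not an exhaustive Cisco compatibility matrix.

```python
import re

# Train rule of thumb from the posts above, not a full Cisco compatibility matrix.
PLATFORM_TRAINS = {"7600": {"SR"}, "6500": {"SX", "SY"}}
MIN_ACE_FOR_SUP2T = "A4(2.1a)"  # minimum quoted in the post

def parse_ios_image(filename):
    """Split an IOS image name such as s72033-advipservicesk9_wan-mz.122-33.SXH2a.bin
    (optionally prefixed with a device like bootdisk:) into its parts."""
    tokens = filename.rsplit(":", 1)[-1].split(".")
    platform, featureset, imgtype = tokens[0].split("-", 2)
    info = {"platform": platform, "featureset": featureset, "type": imgtype}
    for i, tok in enumerate(tokens):
        m = re.fullmatch(r"(\d{2})(\d)-(\d+)", tok)  # e.g. 122-33 -> 12.2(33)
        if m:
            info["version"] = f"{m.group(1)}.{m.group(2)}({m.group(3)})"
            info["release"] = tokens[i + 1]          # e.g. SXH2a
            info["train"] = tokens[i + 1][:2]        # e.g. SX
            return info
    raise ValueError("no version token in " + filename)

def image_fits_platform(filename, platform):
    """True if the image's train is one the posts say belongs on this platform."""
    return parse_ios_image(filename)["train"] in PLATFORM_TRAINS[platform]

def ace_version_key(ver):
    """'A4(2.1a)' -> (4, 2, 1, 'a') so ACE versions compare as tuples."""
    m = re.fullmatch(r"A(\d+)\((\d+)\.(\d+)([a-z]?)\)", ver)
    if not m:
        raise ValueError("unrecognised ACE version: " + ver)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def ace_supported_on_sup2t(ver):
    """Compare against the post's stated minimum for Supervisor Engine 2T."""
    return ace_version_key(ver) >= ace_version_key(MIN_ACE_FOR_SUP2T)
```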
