Friday, January 20, 2012

OSPF filtering with route-map

Which of the following examples can work? More than one may be correct.

1st Example:

router ospf 1
   distribute-list route-map filter-from-r4 in
route-map filter-from-r4 deny 10 
   match ip address prefix-list three
   match ip next-hop prefix-list four
route-map filter-from-r4 permit 100
   exit
ip prefix-list three permit 150.22.3.3/32
ip prefix-list four permit 155.22.146.4/32

2nd Example:

router ospf 1
   distribute-list route-map filter-from-r4 in
route-map filter-from-r4 deny 10
   match ip address 3
   match ip next-hop 4
route-map filter-from-r4 permit 100
  exit
access-list 3 permit 150.22.3.3
access-list 4 permit 155.22.146.4

3rd Example:

router ospf 1
   distribute-list route-map filter-from-r4 in
route-map filter-from-r4 deny 10
   match ip address prefix-list three
   match ip next-hop 4
route-map filter-from-r4 permit 100
  exit
ip prefix-list three permit 150.22.3.3/32
access-list 4 permit 155.22.146.4
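The three configurations differ only in how the two match clauses are expressed. The following Python is an added example, not code from the original post: it models how a route-map is evaluated (all match clauses of one sequence are ANDed, sequences are tried in order, the first matching sequence decides, and a route that matches no sequence is denied), with prefix-list entries requiring an exact prefix length when no ge/le is given and standard ACL entries comparing only an address against an address/wildcard pair. The Route class, the helper names and the sample routes are this example's own constructions; it assumes IOS accepts each of the three match combinations, which is the question the quiz asks.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    """A candidate route as seen by 'distribute-list route-map ... in'."""
    prefix: str     # e.g. "150.22.3.3/32"
    next_hop: str   # e.g. "155.22.146.4"


def prefix_list_matches(entries, prefix):
    """entries: (action, 'a.b.c.d/len', ge, le). Without ge/le the prefix length
    must equal the entry's length exactly; the end of the list is an implicit deny."""
    net = ipaddress.ip_network(prefix, strict=False)
    for action, entry, ge, le in entries:
        ent = ipaddress.ip_network(entry, strict=False)
        if ge is None and le is None:
            lo, hi = ent.prefixlen, ent.prefixlen
        elif le is None:
            lo, hi = ge, 32
        elif ge is None:
            lo, hi = ent.prefixlen, le
        else:
            lo, hi = ge, le
        if net.network_address in ent and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def std_acl_matches(entries, address):
    """entries: (action, address, wildcard). Only the address is compared; a route's
    prefix length plays no part. Implicit deny at the end."""
    a = int(ipaddress.ip_address(address))
    for action, addr, wildcard in entries:
        base = int(ipaddress.ip_address(addr))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if ((a ^ base) & care) == 0:
            return action == "permit"
    return False


# The match lists from the three examples above (names as on the page).
PL_THREE = [("permit", "150.22.3.3/32", None, None)]
PL_FOUR = [("permit", "155.22.146.4/32", None, None)]
ACL_3 = [("permit", "150.22.3.3", "0.0.0.0")]      # standard ACL, host entry
ACL_4 = [("permit", "155.22.146.4", "0.0.0.0")]


# Each match clause becomes a predicate over a Route. A next hop is matched against
# a prefix-list as a /32.
def addr_pl(pl):   return lambda r: prefix_list_matches(pl, r.prefix)
def nh_pl(pl):     return lambda r: prefix_list_matches(pl, r.next_hop + "/32")
def addr_acl(acl): return lambda r: std_acl_matches(acl, r.prefix.split("/")[0])
def nh_acl(acl):   return lambda r: std_acl_matches(acl, r.next_hop)


# (sequence, action, [match clauses]); an empty clause list matches everything.
ROUTE_MAPS = {
    "1st": [(10, "deny", [addr_pl(PL_THREE), nh_pl(PL_FOUR)]), (100, "permit", [])],
    "2nd": [(10, "deny", [addr_acl(ACL_3), nh_acl(ACL_4)]), (100, "permit", [])],
    "3rd": [(10, "deny", [addr_pl(PL_THREE), nh_acl(ACL_4)]), (100, "permit", [])],
}


def evaluate(route_map, route):
    """True if the route-map permits the route. Clauses within a sequence are ANDed,
    sequences are checked in ascending order, and no match means deny."""
    for _seq, action, clauses in sorted(route_map, key=lambda s: s[0]):
        if all(clause(route) for clause in clauses):
            return action == "permit"
    return False


# Constructed sample routes: the filtered one, one with a different next hop,
# and the covering /24 whose network number differs from the /32 host.
SAMPLE_ROUTES = [
    Route("150.22.3.3/32", "155.22.146.4"),
    Route("150.22.3.3/32", "155.22.146.6"),
    Route("150.22.3.0/24", "155.22.146.4"),
]


def accepted(name, routes=SAMPLE_ROUTES):
    """Prefixes that survive the named route-map."""
    return [r.prefix for r in routes if evaluate(ROUTE_MAPS[name], r)]


if __name__ == "__main__":
    for name in ROUTE_MAPS:
        print(name, "accepts", accepted(name))
```

On these routes all three route-maps behave the same: only the /32 learned via 155.22.146.4 is dropped, because both clauses of sequence 10 must match, and everything else falls through to the permit in sequence 100.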


Short note on OSPF LSDB and RIB

The fact is

RIP's RIB = rip database = "show ip rip database"
EIGRP's RIB = topology table = "show ip eigrp topology"
BGP's RIB = bgp rib (?) = "show ip bgp"

That's why many think that OSPF's RIB is the OSPF database, i.e. the LSDB, but this isn't true. Here is why.

The LSDB is not considered OSPF's RIB because it contains the entire topology information in the form of LSAs, and network reachability is merely an attribute of an LSA. The network reachability information can, however, be derived from the LSAs stored in the LSDB. Since OSPF does not have its own RIB like the other routing protocols to store its routing information, OSPF uses the main routing table for this purpose, and it is from there that OSPF generates summary LSAs (type 3, type 4, etc.).

NBAR with class-map

Let's take a question on NBAR match statements under a class-map.

Why are these two match statements generally configured together under a class-map?

class-map type inspect match-all CMAP_TELNET
  match access-group name ACL_TELNET
  match protocol tcp
!

ip access-list extended ACL_TELNET
  permit tcp any any eq 23

When two match statements are configured under a class-map in this way, a logical AND operation occurs, meaning the class is true only when both statements match.
In the above case one match statement inspects the entire TCP protocol suite, but on the condition that the traffic is destined for port 23, coming from anywhere. Also keep in mind that the NBAR feature is activated by the match protocol statement, and this feature checks not only the port numbers but also the various signatures associated with the protocol if required.

If there is no need for deep packet inspection then you can avoid using NBAR. However, it is very common to use this feature in the real world.

Let me ask you something: how will you classify telnet traffic if the telnet server is hosted on a port other than 23, say 2323? If it is known to you then you can easily classify it based on the destination port number, but if you don't know it then you have no option but to use NBAR for classification. FTP also requires NBAR for classification because it uses different ports for control and data transfer (learn more about active and passive FTP modes).

Multicast sparse mode SPT switchover

Background
By default a Cisco router automatically attempts an SPT switchover as soon as it receives the first multicast packet and learns the IP address of the multicast source. Here is the explanation of what exactly happens.
Explanation
Once the first-hop router, i.e. the router directly attached to the receiver, starts receiving multicast packets, it immediately knows the source IP address. The first thing it does is check the command ip pim spt-threshold <> internally. If the incoming multicast flow is under the configured threshold it continues on the same path via the RP, i.e. only (*,G) entries up to the RP. But if the flow crosses the threshold, it does the following.

Now, since it knows the source IP (which it did not know earlier), it consults its unicast routing table to see which interface the source IP is reachable through. It then sends a PIM join message towards the source out of the interface through which the source IP address is reachable. It does this even if this outgoing interface leads towards the RP itself. After the join message is sent towards the source, an SPT is built between the source DR and this router (directly attached to the receiver). At this stage all the routers in the SPT have (S,G) entries. This could be a separate path towards the source, or a path via the RP towards the source.

This router now receives two flows for a moment; then it immediately sends a prune message to the RP to remove itself from the shared tree. This prune message reaches the RP hop by hop, and the RP further sends it towards the source in order to leave the SPT for this particular group.

At this stage the router attached to the receiver gets only one multicast flow from the source, via the shortest path.

Unregistered EEM Applet Policy

Let's take a question on EEM.
Q: How can I unregister an EEM applet without actually deleting it? I tried with no event manager policy... but that did not work.
A: The "no event manager policy" command can only unregister policies that were created using that command, i.e. via an EEM Tcl script. The only way to unregister an EEM applet is by modifying the existing applet and exiting out of applet configuration mode. Otherwise, just delete them.

Understanding spanning-tree vlan root primary command

Today let's understand the command "spanning-tree vlan <vlan-id> root primary". It's nothing but a macro which works like this.

The macro "spanning-tree vlan <vlanid> root primary", configured let's say on sw1, works as follows, with only one exception:

1. sw1 first tries to become the root bridge by setting its priority equal to the current root bridge's priority (by increasing or decreasing its own priority). It becomes the root bridge if its MAC address is lower than the current root bridge's.

2. If sw1's MAC address is not lower than the current root bridge's, then sw1 further reduces its priority by 4096 and becomes the root bridge.

3. The macro cannot set sw1's priority to 0, even if the current root bridge has priority 4096+vlanid. This case may arise when sw1's MAC address is higher than the current root bridge's and the current root bridge's priority is 4096+vlanid.

4. The only exception to this rule: if the current root bridge has any priority over 28672+vlanid, then sw1 sets its priority to 24576+vlanid. This happens only because it has to accommodate the priority of the secondary root bridge, which is always 28672+vlanid.

This macro is mainly designed for switches with the extended system-id enabled.
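The four steps above form a small decision procedure, and it is easy to check by hand whether a given case ends in step 1, 2, 3 or 4. The Python below is an added example, not the post's or Cisco's code: it encodes the steps exactly as the post describes them for a switch with the extended system-id (priority = multiple of 4096 + VLAN id), returns None where step 3 says the macro refuses to set priority 0, and includes a bridge-ID comparison so the result can be checked against the current root. The function names and the MAC addresses in the demo are this example's own constructions.

```python
# Added example: a model of the "spanning-tree vlan <vlan-id> root primary" macro as the
# post describes it. Names and sample values are constructed for this example.

INCREMENT = 4096          # priority step with the extended system-id
PRIMARY_DEFAULT = 24576   # what the macro picks when the current root is "high" (step 4)
SECONDARY = 28672         # priority used by "root secondary"


def mac_to_int(mac):
    """Convert a Cisco-style MAC ('0000.0c00.aaaa') or colon form to an integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id_wins(priority_a, mac_a, priority_b, mac_b):
    """True if bridge A beats bridge B in the root election: lower priority wins,
    and on equal priority the lower MAC address wins."""
    return (priority_a, mac_to_int(mac_a)) < (priority_b, mac_to_int(mac_b))


def root_secondary(vlan_id):
    """Priority set by 'root secondary' according to the post."""
    return SECONDARY + vlan_id


def root_primary(vlan_id, root_priority, root_mac, sw1_mac):
    """Priority sw1 ends up with after the macro, following the post's four steps.
    Returns None when the macro would have to set priority 0 (step 3), which it refuses."""
    root_base = root_priority - vlan_id
    if root_base < 0 or root_base % INCREMENT:
        raise ValueError("root priority must be a multiple of 4096 plus the VLAN id")
    # Step 4: anything above 28672+vlanid on the current root makes the macro choose
    # 24576+vlanid, leaving room for the secondary root at 28672+vlanid.
    if root_priority > SECONDARY + vlan_id:
        return PRIMARY_DEFAULT + vlan_id
    # Step 1: match the root's priority; sw1 wins only if its MAC address is lower.
    if mac_to_int(sw1_mac) < mac_to_int(root_mac):
        new_base = root_base
    else:
        # Step 2: otherwise go one step (4096) below the current root.
        new_base = root_base - INCREMENT
    # Step 3: the macro never sets priority 0 (nor anything below it).
    if new_base <= 0:
        return None
    return new_base + vlan_id


if __name__ == "__main__":
    vlan = 10
    cases = [  # (current root priority, root MAC, sw1 MAC), all constructed
        (32768 + vlan, "0000.0c00.aaaa", "0000.0c00.bbbb"),   # step 4
        (28672 + vlan, "0000.0c00.bbbb", "0000.0c00.aaaa"),   # step 1
        (28672 + vlan, "0000.0c00.aaaa", "0000.0c00.bbbb"),   # step 2
        (4096 + vlan, "0000.0c00.aaaa", "0000.0c00.bbbb"),    # step 3
    ]
    for root_prio, root_mac, sw1_mac in cases:
        result = root_primary(vlan, root_prio, root_mac, sw1_mac)
        wins = result is not None and bridge_id_wins(result, sw1_mac, root_prio, root_mac)
        print(f"root {root_prio}/{root_mac} sw1 {sw1_mac} -> {result} wins={wins}")
```

The step 3 case is the one worth remembering operationally: when the current root already sits at 4096+vlanid and has the lower MAC address, the macro cannot produce a winning priority, and the only way to take the root role is to set the priority explicitly.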

Routers and Switches are Initializing

The best way to learn technologies is by asking yourself questions about the technology in question. Therefore, as part of an active learning approach, every day I will take up a few technologies and try to answer those questions which came to your mind but remained unanswered.