Selective export of routes in an MPLS VRF

I need to be able to export just the public address from the route table inside a VRF, without impacting the existing route imports and exports

The existing VRF configuration is

ip vrf blah
 rd 64512:12345
 route-target export 64512:1
 route-target import 64512:1

In this configuration all routes will be exported to all the other VRFs that import 64512:1.

The VRF has RFC1918 address space in it, but it also has some public IP address space that I need to be able to export to other VRFs on the network.

After a bit of looking around, it appears the way to do this is to use the export map function, but there are a couple of catches. Firstly, you have to remove the other export statements, and you need to bundle a number of match/set route maps together.

First create a couple of access lists

ip access-list standard rfc1918-address-space
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.15.255.255
 permit 192.168.0.0 0.0.255.255
ip access-list standard public-address-space
 permit 15.3.34.0 0.0.0.255

Now we need to create a route-map to set the exports based on the access lists.

route-map vrf-export-map permit 10
 match ip address rfc1918-address-space
 set extcommunity rt 64512:1
route-map vrf-export-map permit 20
 match ip address public-address-space
 set extcommunity rt 64512:1 64512:1001

The sequence 10 map matches the RFC1918 address space and adds an export of 64512:1 (which is the existing export). The sequence 20 map matches the public address space and adds 64512:1, and then also adds 64512:1001. Routes that match neither access list are not exported at all, because a route map ends with an implicit deny.

I think there is also an additive option – but I have not had time to look at it (if I understand it correctly, it adds additional exports onto the current list of exports).

Now we just need to modify the VRF so that we pick up the route map.

ip vrf blah
 rd 64512:12345
 export map vrf-export-map
 route-target import 64512:1

You can now import the address space into multiple different VRFs

This config will get all the address space

ip vrf blah2
 rd 64512:23456
 route-target import 64512:1

This config will just get the public address space

ip vrf blah3
 rd 64512:34567
 route-target import 64512:1001
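To see what the export map above actually does to each route, here is a small model of the IOS behaviour as an added example (it is not code from the post or from Cisco). It assumes three things about IOS: a standard ACL referenced by `match ip address` is compared against the route's network address, `set extcommunity rt` replaces the export RTs unless `additive` is given, and a route that matches no sequence hits the implicit deny and is not exported. The ACL includes all three RFC1918 ranges and the sample routes are constructed.

```python
"""Model of how an IOS VRF export map assigns route targets (added example, not from the post)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Acl = List[Tuple[str, ipaddress.IPv4Network]]  # [(action, network), ...] in config order


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (wildcard bits are don't-care bits)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def acl_permits(acl: Acl, prefix: ipaddress.IPv4Network) -> bool:
    """Standard ACL in a route map: the first entry covering the prefix's address decides."""
    for action, net in acl:
        if prefix.network_address in net:
            return action == "permit"
    return False  # ACLs end with an implicit deny


def export_rts(route_map: List[dict], acls: Dict[str, Acl],
               prefix: ipaddress.IPv4Network, base_rts: Set[str]) -> Optional[Set[str]]:
    """Route targets attached to `prefix` on export, or None if the map does not export it."""
    for clause in route_map:  # sequences are evaluated in order
        if clause.get("match") and not acl_permits(acls[clause["match"]], prefix):
            continue
        if clause["action"] == "deny":
            return None
        rts = set(base_rts)  # RTs coming from any route-target export lines
        if clause.get("set_rt"):
            if not clause.get("additive"):
                rts = set()  # plain `set extcommunity rt` replaces the existing RTs (assumed)
            rts |= set(clause["set_rt"])
        return rts
    return None  # no sequence matched: implicit deny, the route is not exported


# The access lists and route map from the post (RFC1918 ACL extended to all three ranges).
ACLS: Dict[str, Acl] = {
    "rfc1918-address-space": [("permit", wildcard_to_network("10.0.0.0", "0.255.255.255")),
                              ("permit", wildcard_to_network("172.16.0.0", "0.15.255.255")),
                              ("permit", wildcard_to_network("192.168.0.0", "0.0.255.255"))],
    "public-address-space": [("permit", wildcard_to_network("15.3.34.0", "0.0.0.255"))],
}
VRF_EXPORT_MAP = [
    {"seq": 10, "action": "permit", "match": "rfc1918-address-space", "set_rt": ["64512:1"]},
    {"seq": 20, "action": "permit", "match": "public-address-space",
     "set_rt": ["64512:1", "64512:1001"]},
]

# Constructed sample routes: two RFC1918 prefixes, the public /24 and a prefix in neither ACL.
SAMPLE_ROUTES = ["10.1.2.0/24", "172.16.5.0/24", "15.3.34.0/24", "203.0.113.0/24"]


def exported_routes(prefixes: List[str], route_map: List[dict] = VRF_EXPORT_MAP,
                    base_rts: Set[str] = frozenset()) -> Dict[str, Optional[Set[str]]]:
    """Run every prefix through the export map and report its RTs (None = not exported)."""
    return {p: export_rts(route_map, ACLS, ipaddress.IPv4Network(p), set(base_rts))
            for p in prefixes}


if __name__ == "__main__":
    for prefix, rts in exported_routes(SAMPLE_ROUTES).items():
        print(f"{prefix:16} {'not exported' if rts is None else ' '.join(sorted(rts))}")
    # With `additive`, an RT from a retained `route-target export 64512:1` line survives.
    additive_map = [{"seq": 10, "action": "permit", "match": "public-address-space",
                     "set_rt": ["64512:1001"], "additive": True}]
    print(exported_routes(["15.3.34.0/24"], additive_map, {"64512:1"}))
```

The last call shows the difference the additive keyword makes: with it, the 64512:1 already present is kept and 64512:1001 is added; without it (and without the route-target export line) the set clause must list every RT the route should carry, which is why the post lists 64512:1 again in sequence 20.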

Cheers
Pete

Sugarsync database reset

To reset your local SugarSync database

1. Open SugarSync Manager.
2. Click the SugarSync Manager window to select it.
3. Press and hold Command + Shift + R.
The following message appears:
“You are about to reset SugarSync Manager on this computer. Your local configuration information will be erased and the client will restart as a fresh install. Your files will not be affected. Are you sure you want to continue?”
4. Click OK.

Cheers
Pete

BGP neighbour between Juniper and Cisco reporting “unsupported/disjoint capability”

I am trying to connect a BGP session between a Juniper JunOS device and a Cisco device.

I started with a very basic IPv4 config on the JunOS device, but had a more complicated BGP config on the Cisco side (vpnv4 and mdt).

As soon as I brought the connection up the Cisco router started to complain

*Jan 14 17:27:00.597: %BGP-3-NOTIFICATION: sent to neighbor 192.168.1.1 2/7 (unsupported/disjoint capability) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 003B 0104 FC00 005A 0A01 1205 1E02 0601 0400 0100 0102 0280 0002 0202 0002 0440 0200 7802 0641 0400 00FC 00

It appears there is a hidden command, to stop the routers negotiating capabilities, but that just seems wrong. What I actually needed was to match up the Juniper side with the Cisco side. In this case, I added the following family statements to the BGP config

protocols {
    bgp {
        /* once any family is listed explicitly the implicit 'family inet unicast'
           is no longer enabled; add 'family inet { unicast; }' if the peer still needs plain IPv4 */
        family inet-vpn {
            unicast;
        }
        family inet-mdt {
            signaling;
        }
    }
}

Now the BGP session comes up just fine.
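The hex dump in the notification above is a complete BGP OPEN message, so the capabilities each side is offering can be read straight out of it. The following decoder is an added example (not code from the post, Cisco or Juniper): it parses the OPEN header, walks the optional parameters and capabilities (RFC 4271 and RFC 5492), extracts the AFI/SAFI pairs from the multiprotocol capabilities, and reports which families two peers do not share, which is the condition behind the 2/7 (OPEN error, unsupported capability) notification. The set of families for the other side is constructed from the post's description (vpnv4 and mdt), since that OPEN is not on the page.

```python
"""Decode the BGP OPEN dumped in the %BGP-3-NOTIFICATION line and compare address families
between peers (added example, not from the post or either vendor)."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

# Hex dump copied from the log line above; it is a complete BGP OPEN message.
OPEN_HEX = ("FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 003B 0104 FC00 005A 0A01 1205 1E02 0601 "
            "0400 0100 0102 0280 0002 0202 0002 0440 0200 7802 0641 0400 00FC 00")

AFI = {1: "ipv4", 2: "ipv6"}
SAFI = {1: "unicast", 2: "multicast", 4: "labeled-unicast", 66: "mdt", 128: "vpn"}
CAPABILITY = {1: "multiprotocol", 2: "route-refresh", 64: "graceful-restart",
              65: "4-octet-as", 128: "route-refresh (cisco)"}


def parse_open(raw: bytes) -> Dict:
    """Parse the header, the fixed OPEN fields and every capability in the optional parameters."""
    if len(raw) < 29 or raw[:16] != b"\xff" * 16:
        raise ValueError("bad BGP marker or truncated message")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if msg_type != 1 or length != len(raw):
        raise ValueError("not a complete OPEN message")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHHIB", raw[19:29])
    params = raw[29:]
    if len(params) != opt_len:
        raise ValueError("optional parameter length does not match the message")
    caps: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(params):  # each optional parameter is type, length, value
        if i + 2 > len(params):
            raise ValueError("truncated optional parameter header")
        ptype, plen = params[i], params[i + 1]
        pval = params[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("truncated optional parameter")
        i += 2 + plen
        if ptype != 2:  # only capability parameters (type 2) carry address families
            continue
        j = 0
        while j < len(pval):  # one parameter may hold several capabilities
            if j + 2 > len(pval):
                raise ValueError("truncated capability header")
            code, clen = pval[j], pval[j + 1]
            cval = pval[j + 2:j + 2 + clen]
            if len(cval) != clen:
                raise ValueError("truncated capability")
            caps.append((code, cval))
            j += 2 + clen
    return {"version": version, "as": my_as, "hold_time": hold,
            "router_id": str(IPv4Address(bgp_id)), "capabilities": caps}


def address_families(open_msg: Dict) -> Set[Tuple[str, str]]:
    """AFI/SAFI pairs advertised in multiprotocol capabilities (code 1), named where known."""
    fams = set()
    for code, val in open_msg["capabilities"]:
        if code == 1 and len(val) == 4:  # AFI (2 bytes), reserved, SAFI
            afi, safi = struct.unpack("!HxB", val)
            fams.add((AFI.get(afi, str(afi)), SAFI.get(safi, str(safi))))
    return fams


def disjoint_families(local: Set, remote: Set) -> Dict[str, Set]:
    """No common family is what IOS reports as 2/7 before tearing the session down."""
    return {"common": local & remote, "only_local": local - remote, "only_remote": remote - local}


# Constructed: what a peer configured for vpnv4 and mdt (as the post describes) would advertise.
CISCO_FAMILIES = {("ipv4", "vpn"), ("ipv4", "mdt")}


def analyse(hex_dump: str = OPEN_HEX, peer_families: Set = CISCO_FAMILIES) -> Dict:
    """Decode one OPEN and compare its families with the other side's."""
    msg = parse_open(bytes.fromhex(hex_dump.replace(" ", "")))
    fams = address_families(msg)
    return {"open": msg, "families": fams, "mismatch": disjoint_families(fams, peer_families)}


if __name__ == "__main__":
    result = analyse()
    o = result["open"]
    print(f"AS {o['as']}, router-id {o['router_id']}, hold time {o['hold_time']}s")
    for code, val in o["capabilities"]:
        print("  ", CAPABILITY.get(code, f"capability {code}"), val.hex())
    print("families:", result["families"])
    print("mismatch:", result["mismatch"])
```

Run against the dump, the OPEN advertises AS 64512, router-id 10.1.18.5, a 90 second hold time and a single multiprotocol capability, ipv4/unicast, alongside route-refresh, graceful-restart and 4-octet-AS. Against a peer offering only ipv4/vpn and ipv4/mdt the common set is empty, which is exactly the mismatch the family statements above fix.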

Cheers
Pete

network interface on CentOS/redhat won’t come up

I was messing around in the network settings, and enabled IPv6 as automatic on the eth0 interface.

After that, service network stop and service network start both failed on eth0.

The error I was getting when I ran it was

[root@melvin init.d]# service network start
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Active connection state: activating
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/4

** (process:6538): WARNING **: _nm_object_get_property: Error getting 'State' for /org/freedesktop/NetworkManager/ActiveConnection/4: (19) Method "Get" with signature "ss" on interface "org.freedesktop.DBus.Properties" doesn't exist

state: unknown
Error: Connection activation failed.
                                                           [FAILED]
[root@melvin init.d]# 

As it turned out, the problem was the IPv6. If I look at dmesg, I see

e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
8021q: adding VLAN 0 to HW filter on device eth0
eth0: no IPv6 routers present
lo: Disabled Privacy Extensions
eth0: no IPv6 routers present

Which is fair enough because I have not setup IPv6 on the network in any useful fashion.

The fix was to change IPv6 to LinkOnly, and worry about IPv6 later.

It would be nice if the message back from the ifup script was more descriptive though; I wonder how many other people have wasted time trying to work this out.

Cheers
Pete

filtering OSPF routes

Our external routers run full routes, but on the internal network the routers don’t have sufficient memory, nor do they need full routes.

To ensure that someone does not blow them up by accidentally advertising full routes into the internal network, we filter the routes they will accept.

To do this, we configure a distribution-list on the router we are trying to protect.

Let's say our block of address space is 170.12.42.0/23

ip prefix-list AS1234-filter seq 5 permit 170.12.42.0/23 le 32
ip prefix-list AS1234-filter seq 10 permit 0.0.0.0/0

Then we add this to the OSPF router process

router ospf 1
 router-id 192.168.1.1
 log-adjacency-changes
 distribute-list prefix AS1234-filter in

Now you should only see the routes you need (and the default route in this example) in your routing table
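To check what a prefix list like this lets through before trusting it on a router, the following evaluator is an added example (not code from the post or from Cisco). It parses `ip prefix-list` lines, applies the sequence-order, ge/le and implicit-deny rules the way IOS does, and runs a constructed batch of routes through AS1234-filter, including prefixes that look similar to the protected block but fall outside it.

```python
"""Evaluate an IOS prefix list the way `distribute-list prefix ... in` applies it
(added example, not from the post). Semantics assumed here: entries are tried in sequence
order; an entry without ge/le matches only that exact prefix length; `le N` widens it to
lengths up to N, `ge N` to lengths from N; a prefix matching nothing hits the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        """The candidate must sit inside the entry's prefix and within the allowed length range."""
        if not net.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else self.prefix.prefixlen
        return low <= net.prefixlen <= high


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Read 'ip prefix-list NAME seq N permit|deny PFX [ge X] [le Y]' lines into named lists."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or "seq" not in tok:
            continue
        name, seq, action = tok[2], int(tok[4]), tok[5]
        pfx = ipaddress.IPv4Network(tok[6])
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))  # {'ge': X, 'le': Y} if present
        lists.setdefault(name, []).append(PrefixEntry(seq, action, pfx, opts.get("ge"), opts.get("le")))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[PrefixEntry], net: ipaddress.IPv4Network) -> Tuple[str, Optional[int]]:
    """First matching sequence decides; no match is the implicit deny, reported with seq None."""
    for e in entries:
        if e.matches(net):
            return e.action, e.seq
    return "deny", None


# The prefix list from the post.
PREFIX_LIST_CONFIG = """
ip prefix-list AS1234-filter seq 5 permit 170.12.42.0/23 le 32
ip prefix-list AS1234-filter seq 10 permit 0.0.0.0/0
"""

# Constructed sample of what a neighbour might advertise, including a leaked full-table route.
SAMPLE_ROUTES = ["170.12.42.0/24", "170.12.43.128/25", "170.12.42.0/23", "0.0.0.0/0",
                 "170.12.40.0/22", "8.8.8.0/24", "0.0.0.0/1"]


def filter_routes(routes: List[str], config: str = PREFIX_LIST_CONFIG,
                  name: str = "AS1234-filter") -> Dict[str, Tuple[str, Optional[int]]]:
    """Apply the named prefix list to each route and return (action, matching seq)."""
    entries = parse_prefix_lists(config)[name]
    return {r: evaluate(entries, ipaddress.IPv4Network(r)) for r in routes}


if __name__ == "__main__":
    for route, (action, seq) in filter_routes(SAMPLE_ROUTES).items():
        where = "implicit deny" if seq is None else f"seq {seq}"
        print(f"{route:18} {action:6} {where}")
```

Two of the constructed routes are the interesting ones: 170.12.40.0/22 contains the protected /23 but is not inside it, so it is denied, and 0.0.0.0/1 is inside 0.0.0.0/0 but seq 10 has no le, so only the exact default route passes. Note also that an OSPF distribute-list in only stops routes being installed in this router's routing table; the LSAs are still received, stored in the link-state database and flooded onward, so the protection is for the RIB, not the LSDB.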

Cheers
Pete

100% CPU with multihop BGP

I need to look at this more, but for the moment the problem is solved.

I had an issue where I configured BGP multihop, and the router CPU sat at 100% utilisation and stayed there.

The CPU utilisation looked like this

thing#show processes cpu sort
CPU utilization for five seconds: 99%/0%; one minute: 99%; five minutes: 96%
 PID Runtime(uS)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 295   326764000        7716      42348 48.54% 31.38% 31.09%   0 BGP Router
 154   509856000        3549     143661 44.16% 56.25% 51.87%   0 IP RIB Update
 297     8980000         131      68549  3.97%  1.03%  0.82%   0 BGP Scanner

The BGP config looks ( something ) like

router bgp 1234
 bgp router-id 192.168.10.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf blah
  no synchronization
  bgp router-id 1.2.3.4
  network 1.2.3.0
  neighbor peer peer-group
  neighbor peer remote-as 8765
  neighbor peer ebgp-multihop 4
  neighbor peer update-source Loopback9000
  neighbor peer version 4
  neighbor peer send-community both
  neighbor peer soft-reconfiguration inbound
  neighbor 192.168.20.1 peer-group peer
  neighbor 192.168.20.1 activate
 exit-address-family
 !
 

The only really interesting bit is the ebgp-multihop command – the rest is pretty standard.

If I looked at the CEF table, a route that should have been learned via BGP was unresolved

thing#show ip cef vrf blah 121.0.7.1
121.0.0.0/21
  unresolved via 200.170.81.17

If I kept doing show ip route vrf blah, the routes would appear, and then disappear.

Now I don’t profess to really understand how this has made a difference, but what I did was add a static route for the remote BGP peer.

I already had

ip route vrf blah 0.0.0.0 0.0.0.0 192.168.50.1

but I added

ip route vrf blah 192.168.20.1 255.255.255.255 192.168.50.1

I can see a difference in the CEF table now

thing#show ip cef vrf blah 121.0.7.1 detail
121.0.0.0/21, epoch 0, flags rib only nolabel, rib defined all labels
  recursive via 192.168.20.1
    recursive via 192.168.50.1
      attached to Vlan97
thing#

And the CPU has completely calmed down.

Hope it helps!
Pete

Optimise BGP memory usage by limiting the number of AS-PATHs

The full route table is getting pretty big, and a simple way to limit the amount of memory usage on your routers is to limit the number of AS-PATHs that you accept. If you are connected to the Tier 1 providers, then most major networks will only be 3 or 4 ASes away, so anything else you can just use a default route for.

If I pick up full routes, show bgp all summary looks like this

show bgp all summary

374859 network entries using 53979696 bytes of memory
374859 path entries using 19492668 bytes of memory
63037/63037 BGP path/bestpath attribute entries using 8320884 bytes of memory
56456 BGP AS-PATH entries using 2223352 bytes of memory

and the route table looks like

show ip route summary

Route Source    Networks    Subnets     Replicates  Overhead    Memory (bytes)
connected       0           8           0           448         1376
static          1           0           0           56          172
bgp 64513       144752      229965      0           20984152    64451324
  External: 374717 Internal: 0 Local: 0
internal        4380                                            15466904
Total           149133      229973      0           20984656    79919776

So if I am reading it right, BGP is using 83MB of memory and the route table is using 80MB

If I want to limit the number of paths, I can do that by setting an as-path access list with the right regex

ip as-path access-list 10 permit ^[0-9]+( [0-9]+)?( [0-9]+)?( [0-9]+)?$
ip as-path access-list 10 deny .*

In this example, I am allowing up to 4 AS hops (each optional group adds one more AS). If I wanted three, I would just remove the last ( [0-9]+)? entry.

To apply this access list, you need to add a BGP filter-list to your BGP config

 address-family ipv4 vrf blah
  neighbor 1.2.3.4 remote-as 1239
  neighbor 1.2.3.4 local-as 1790 no-prepend replace-as
  neighbor 1.2.3.4 version 4
  neighbor 1.2.3.4 send-community both
  neighbor 1.2.3.4 filter-list 10 in
  neighbor 1.2.3.4 activate
 exit-address-family
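The as-path access list is just an ordered list of regular expressions with an implicit deny at the end, so it can be exercised off-box before it goes into production. The following is an added example (not code from the post or from Cisco): it applies two patterns to a constructed set of AS paths, one that matches exactly four ASes and one that matches one to four, and also counts distinct ASes, because a peer that prepends its own AS inflates the hop count without the origin being any further away.

```python
"""Apply an IOS-style as-path access list to sample AS paths (added example, not from the post).
IOS tries the entries in order and a path matching none of them is denied."""
import re
from typing import Dict, List, Optional, Tuple

EXACT_FOUR = r"^[0-9]+( [0-9]+)( [0-9]+)( [0-9]+)$"      # groups are mandatory: exactly 4 ASes
UP_TO_FOUR = r"^[0-9]+( [0-9]+)?( [0-9]+)?( [0-9]+)?$"   # optional groups: 1 to 4 ASes


def build_acl(pattern: str) -> List[Tuple[str, str]]:
    """The two-line access list from the post: permit the pattern, then deny everything."""
    return [("permit", pattern), ("deny", r".*")]


def as_path_filter(acl: List[Tuple[str, str]], as_path: str) -> Tuple[str, Optional[int]]:
    """First entry whose regex matches the AS_PATH string decides; returns (action, entry index)."""
    for idx, (action, pattern) in enumerate(acl):
        if re.search(pattern, as_path):
            return action, idx
    return "deny", None  # implicit deny (unreachable here because of the deny .* line)


def distinct_as_count(as_path: str) -> int:
    """Prepended ASes repeat in the path; count unique ones to see the real distance to the origin."""
    return len(set(as_path.split()))


# Constructed AS paths as received from a transit peer (AS 1239): 1 to 5 hops, plus a prepended one.
SAMPLE_PATHS = ["1239", "1239 3356", "1239 3356 174", "1239 3356 174 64496",
                "1239 3356 174 64496 64497", "1239 3356 3356 3356 64496"]


def compare(paths: List[str]) -> Dict[str, Dict]:
    """Outcome of both patterns for every path, alongside the number of distinct ASes."""
    out = {}
    for p in paths:
        out[p] = {"exact4": as_path_filter(build_acl(EXACT_FOUR), p)[0],
                  "upto4": as_path_filter(build_acl(UP_TO_FOUR), p)[0],
                  "distinct": distinct_as_count(p)}
    return out


if __name__ == "__main__":
    for path, r in compare(SAMPLE_PATHS).items():
        print(f"{path:28} exact4={r['exact4']:6} upto4={r['upto4']:6} distinct={r['distinct']}")
```

With the mandatory groups, the peer's own prefixes (a one-AS path) and everything two or three hops away are dropped along with the distant routes, which is more than the post intends; the optional groups keep them. The prepended path is denied by both patterns even though only three distinct ASes are in it, so if prepending peers matter to you, filter on the distinct count rather than the raw length. Either way the filter only reduces what is kept after policy: with `soft-reconfiguration inbound` the router still stores the unfiltered copy, which is what the numbers further down show.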

Now show bgp all summary looks like this

show bgp all summary

109629 network entries using 15786576 bytes of memory
109629 path entries using 5700708 bytes of memory
21302/21302 BGP path/bestpath attribute entries using 2811864 bytes of memory
19510 BGP AS-PATH entries using 780400 bytes of memory

That's about 30MB of memory rather than 80MB on BGP, and if I look at the route table, it's at 23MB rather than 80MB – we have saved about 100MB of memory.

If you're going to do this, you need to make sure you do not have soft-reconfiguration turned on. Before you turn it off, make sure you understand what it does first :-)

If I turn on soft-reconfiguration, even with the filter-list in place, the BGP summary looks like this again (83MB)

show bgp all summary

374735 network entries using 53961840 bytes of memory
374735 path entries using 19486220 bytes of memory
63026/21302 BGP path/bestpath attribute entries using 8319432 bytes of memory
56451 BGP AS-PATH entries using 2221352 bytes of memory

Even though the route table does not have all the routes (24MB)

show ip route summary

Route Source    Networks    Subnets     Replicates  Overhead    Memory (bytes)
connected       0           8           0           448         1376
static          1           0           0           56          172
bgp 64513       40138       69516       0           6140624     18860488
  External: 109654 Internal: 0 Local: 0
internal        1997                                            4796348
Total           42136       69524       0           6141128     23658384

So, you can save 100MB of memory with a little tweak, but it's a minimal gain really – a better solution is to purchase more RAM for your router – it's not that expensive.

Cheers
Pete

undeleting photos with testdisk

Oops.

I imported a load of photos, and deleted the contents of the camera. Later, I managed to delete the imported versions :-(

There are loads of shareware undelete tools, but as soon as they find the files they want you to pay to restore them. I found this tool TestDisk.

I was lucky that I had not taken any more photos on the flash card, and TestDisk did a good job of restoring all the files. The photos are OK, but the movies appear to be broken. At least I have the files to work with though.

If you found this page because you have lost some of your photos, I really hope TestDisk works for you.

Cheers
Pete

Identifying bandwidth usage (top talkers) on a Juniper firewall

I have often needed to find out who the top bandwidth users (top talkers) are on a Juniper SSG firewall.

Ciscos have Netflow, and Junos has Jflow or whatever it's called. Netscreen Juniper make a lot of noise about how good their traffic shaping is on the SSG firewalls, but finding who is using the bandwidth at any point in time has always eluded me, until today.

First you need to enable fprofiling

set fprofile packet enable

Now you need to capture some data

set fprofile packet start

Wait a bit, then turn it off

set fprofile packet stop

Now you can see who the top talkers are by looking at the captured data

myfw-> get fprofile packet
packet buffer size(in kilo-packets): 4
total ip packet: 4041
total ip packet time(us): 693434
total none-ip packet: 55
total none-ip packet time(us): 5834
Id  Type  Protocol  Source          Destination     Sport  Dport  Time    Percentage
1   ip    0x06      61.165.32.63    34.52.134.6     80     1369   195490  27.95%
2   ip    0x06      61.165.32.63    192.168.1.10    80     49362  104221  14.90%
3   ip    0x06      192.168.1.10    61.165.32.63    49362  80     78254   11.19%
4   ip    0x06      192.168.1.15    102.168.2.27    64754  4242   72124   10.31%
5   ip    0x06      87.248.210.253  34.52.134.6     80     1954   60716   8.68%
6   ip    0x06      102.168.2.27    192.168.1.15    4242   64754  38429   5.49%
7   ip    0x06      87.248.210.253  192.168.1.11    80     59031  31086   4.44%
8   ip    0x01      192.168.0.5     192.168.1.6     11     0      25952   3.71%
9   ip    0x06      192.168.1.11    87.248.210.253  59031  80     23852   3.41%
10  ip    0x06      34.52.134.6     87.248.211.190  1369   80     18404   2.63%
myfw->

It's good practice to clean up at the end

unset fprofile packet enable
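The fprofile table is sorted per flow, but a single host usually shows up in several rows (one per direction and per connection), so the per-host picture needs a little aggregation. The parser below is an added example (not code from the post or from Juniper): it reads the `get fprofile packet` output above, sums the Time column per host whether it is source or destination, ranks hosts, and recomputes each flow's percentage against the ip plus non-ip totals in the header as a consistency check on how the table is read. Time is microseconds the firewall spent on that flow's packets, which is what the post uses as its proxy for bandwidth.

```python
"""Summarise ScreenOS `get fprofile packet` output per host (added example, not from the post)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

PROTO = {"0x01": "icmp", "0x06": "tcp", "0x11": "udp"}

# Output copied from the post above (prompt lines omitted).
FPROFILE_OUTPUT = """\
packet buffer size(in kilo-packets): 4
total ip packet: 4041
total ip packet time(us): 693434
total none-ip packet: 55
total none-ip packet time(us): 5834
Id  Type  Protocol  Source          Destination     Sport  Dport  Time    Percentage
1   ip    0x06      61.165.32.63    34.52.134.6     80     1369   195490  27.95%
2   ip    0x06      61.165.32.63    192.168.1.10    80     49362  104221  14.90%
3   ip    0x06      192.168.1.10    61.165.32.63    49362  80     78254   11.19%
4   ip    0x06      192.168.1.15    102.168.2.27    64754  4242   72124   10.31%
5   ip    0x06      87.248.210.253  34.52.134.6     80     1954   60716   8.68%
6   ip    0x06      102.168.2.27    192.168.1.15    4242   64754  38429   5.49%
7   ip    0x06      87.248.210.253  192.168.1.11    80     59031  31086   4.44%
8   ip    0x01      192.168.0.5     192.168.1.6     11     0      25952   3.71%
9   ip    0x06      192.168.1.11    87.248.210.253  59031  80     23852   3.41%
10  ip    0x06      34.52.134.6     87.248.211.190  1369   80     18404   2.63%
"""


def parse_fprofile(text: str) -> Tuple[int, List[Dict]]:
    """Return (total packet time in us across ip and non-ip, list of flow rows)."""
    total_us = 0
    flows: List[Dict] = []
    for line in text.splitlines():
        m = re.match(r"total (?:none-)?ip packet time\(us\): (\d+)", line)
        if m:
            total_us += int(m.group(1))
            continue
        tok = line.split()
        if len(tok) == 9 and tok[0].isdigit():  # a flow row starts with its Id
            flows.append({"id": int(tok[0]), "proto": PROTO.get(tok[2], tok[2]),
                          "src": tok[3], "dst": tok[4], "sport": int(tok[5]), "dport": int(tok[6]),
                          "time_us": int(tok[7]), "printed_pct": float(tok[8].rstrip("%"))})
    return total_us, flows


def top_talkers(flows: List[Dict], total_us: int, n: int = 5) -> List[Tuple[str, int, float]]:
    """Rank hosts by the packet time they were involved in, as source or destination."""
    per_host: Dict[str, int] = defaultdict(int)
    for f in flows:
        per_host[f["src"]] += f["time_us"]
        per_host[f["dst"]] += f["time_us"]
    ranked = sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(host, us, round(100 * us / total_us, 2)) for host, us in ranked[:n]]


def percentages_consistent(flows: List[Dict], total_us: int, tolerance: float = 0.01) -> bool:
    """The printed Percentage is time_us over the ip + non-ip total (the box truncates it)."""
    return all(abs(100 * f["time_us"] / total_us - f["printed_pct"]) <= tolerance for f in flows)


def summarise(text: str = FPROFILE_OUTPUT) -> Dict:
    total_us, flows = parse_fprofile(text)
    return {"total_us": total_us, "flows": len(flows), "top": top_talkers(flows, total_us),
            "consistent": percentages_consistent(flows, total_us)}


if __name__ == "__main__":
    s = summarise()
    print(f"{s['flows']} flows, {s['total_us']} us total, percentages consistent: {s['consistent']}")
    for host, us, pct in s["top"]:
        print(f"{host:16} {us:8} us  {pct:6.2f}%")
```

On this capture the per-host view is more useful than the raw rows: 61.165.32.63 is involved in three flows that together account for over half of the packet time, and 34.52.134.6 appears as the other end of three separate connections, neither of which is obvious from the individual percentages.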

static ipv6 address on solaris 10

This seems silly, but it took quite a while to get a static IPv6 address to configure itself properly on Solaris 10.

There were loads of errors, mainly like

  • Failed to configure IPv6 interfaces(s): e1000g0
  • t_optmgmt: System error: Cannot assign requested address

If you read the various versions of the documentation, they suggest you add the following to /etc/hostname6.e1000g0

inet6 ipv6-address up
addif inet6 ipv6-address up
...

But this actually doesn’t seem to work. :-(

This seems to work though

bash-3.00$ cat /etc/inet/ndpd.conf
if-variable-name StatelessAddrConf false
bash-3.00$ cat /etc/hostname6.e1000g0
addif 2001:8e3:ee12:2::36/64 up
bash-3.00$

Putting inet6 into the hostname file seems to be the main issue, and it works just fine without it.

Interestingly, you still get the various addresses you would normally expect (link-local and global), so the static address will appear as a sub-interface rather than an IP on the primary interface

$ /usr/sbin/ifconfig -a
lo0: flags=2002000849 mtu 8252 index 1
        inet6 ::1/128
e1000g0: flags=2000841 mtu 1500 index 2
        inet6 fe80::20c:23df:fe61:e321/10
e1000g0:1: flags=2000841 mtu 1500 index 2
        inet6 2001:8e3:ee12:2::36/64
e1000g0:2: flags=2080841 mtu 1500 index 2
        inet6 2001:8e3:ee12:2:20c:23df:fe61:e321/64
$