tag:blogger.com,1999:blog-34848226914353031802024-03-18T05:03:01.762+02:00SC Labs | Networking notes (CCNA R/S, CCNA Sec, CCNP R/S, VMWare)SC Labs | Networking notes (CCNA R/S, CCNA Sec, CCNP R/S, VMWare)SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comBlogger206125tag:blogger.com,1999:blog-3484822691435303180.post-78861193074491387282023-02-15T10:27:00.011+02:002024-02-14T14:27:23.631+02:00AWS study materials
<p> <span></span></p><a name='more'></a><p></p><p>2024</p><p>https://www.youtube.com/watch?v=7D9T5MTDeN8</p><p>https://dmfigol.me/posts/aws-networking-learning-path/</p><p>https://noteforms.com/views/aws-networking-learning-path-kcpw50</p><p><br /></p><p>2023</p><p>https://cloudpractitionerall.awsstudygroup.com/</p><p>https://000019.awsstudygroup.com/</p><p><br /></p><div><br /></div><div>S3 Buckets</div><div>https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html</div><div><br /></div><div>VPC concepts</div><div><br /></div><div>VPC Peering</div><div> - non-transitive: MarketingVPC cannot reach DevelopmentVPC through FinanceVPC, even</div><div> with peering: MarketingVPC -> FinanceVPC</div><div> with peering: DevelopmentVPC -> FinanceVPC</div><div> - VPC peering supports peering between multiple AWS accounts</div><div> </div><div>https://www.chegg.com/flashcards/aws-cloud-e6d196ad-b258-4837-9aa9-4a4b2c7ccaad/deck</div><div> </div><div>https://medium.com/awesome-cloud/aws-vpc-route-table-overview-intro-getting-started-guide-5b5d65ec875f</div><div><br /></div><div>https://medium.com/awesome-cloud/aws-vpc-difference-between-internet-gateway-and-nat-gateway-c9177e710af6</div><div><br /></div><div>https://medium.com/awesome-cloud/year-2022-in-awesome-cloud-aws-publication-blogs-articles-for-developers-architects-cloud-devops-engineers-ca5a44977c3c</div><div><br /></div><div>https://medium.com/awesome-cloud/aws-difference-between-vpc-peering-and-transit-gateway-comparison-aws-vpc-peering-vs-aws-transit-gateway-3640a464be2d</div><div><br /></div>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-29500132957403818132023-02-03T15:31:00.002+02:002023-02-03T15:31:34.214+02:00Fortigate AWS config migration order<div><span style="font-family: courier;"><span><a name='more'></a></span>config system global</span></div><div><span 
style="font-family: courier;">config system admin</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">config vpn ipsec phase1-interface</span></div><div><span style="font-family: courier;">config vpn ipsec phase2-interface</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">config firewall address</span></div><div><span style="font-family: courier;">config firewall addrgrp</span></div><div><span style="font-family: courier;">config firewall policy</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">config router static</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">==============</span></div><div><span style="font-family: courier;"># bring up</span></div><div><span style="font-family: courier;">diagnose vpn tunnel up Smart_VPN</span></div><div><span style="font-family: courier;"># Check the status of tunnel Phase-1</span></div><div><span style="font-family: courier;">diagnose vpn ike gateway list name Smart_VPN</span></div><div><span style="font-family: courier;"># Check status of Phase-2</span></div><div><span style="font-family: courier;">diagnose vpn tunnel list name Smart_VPN</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">==============</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">show system global</span></div><div><span style="font-family: courier;"> set hostname </span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">show system admin</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">show system 
interface</span></div><div><span style="font-family: courier;">show firewall address</span></div><div><span style="font-family: courier;">show firewall addrgrp</span></div><div><span style="font-family: courier;">show firewall policy</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">show vpn ipsec phase1-interface</span></div><div><span style="font-family: courier;">show vpn ipsec phase2-interface</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">show router static</span></div>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-25521083294511665692022-06-09T19:42:00.005+03:002022-06-09T19:45:30.013+03:00SOPHOS XG IPS testing with Pytbull<a name='more'></a><p></p><div><br /></div><div>Scanner -Sophos-XG --- Web server (HTTP/HTTPS)</div><div>212.0.210.169 212.0.210.172 (port B) </div><div> 10.255.255.1 (port C) 10.255.255.172</div><div><br /></div><div>1) Scanner VM: ubuntu-lts-20-soph-pytbull</div><div>https://www.bgasecurity.com/2013/08/ack-kaynak-kodlu-yazlmlar-kullanarak/</div><div><br /></div><div>212.0.210.169</div><div><div>cd /zzz/pytbull/pytbull-ng-main/source</div><div>time /zzz/pytbull/pytbull-ng-main/source/pytbull -t 212.0.210.172 --mode=gateway</div></div><div><br /></div><div>2) Sophos XG 18.3 VM: sophos-18.5.3_MR-3.VMW-408_virtual_vm8</div><div>Network adapter 1<span style="white-space: pre;"> </span>vlan_0099 ( Port A : https://172.17.99.117:4444/</div><div><div>Network adapter 2<span style="white-space: pre;"> </span>vlan_3098 ( Port B : 212.0.210.172 (+ NAT to 10.255.255.172)</div><div>Network adapter 3<span style="white-space: 
pre;"> </span>vlan_0666 ( Port A : 10.255.255.1</div></div><div><br /></div><div><br /></div><div>3) Web Server: ubuntu-lts-20-soph-web-server</div><div>Network adapter 1<span style="white-space: pre;"> </span>vlan_0666 ( Port A : 10.255.255.172</div><div>https://sxg.telco.md/</div><div><br /></div><div><br /></div><div>====================================</div><div><br /></div><div><div>./GO-pytbull-scanner</div><div><div>(cd /zzz/pytbull/pytbull-ng-main/source</div><div>time /zzz/pytbull/pytbull-ng-main/source/pytbull -t 212.0.210.172 --mode=gateway)</div></div><div><br /></div><div> __ __ ____ </div><div> ____ __ __/ /_/ /_ __ __/ / / ____ ____ _</div><div> / __ \/ / / / __/ __ \/ / / / / /_____/ __ \/ __ `/</div><div> / /_/ / /_/ / /_/ /_/ / /_/ / / /_____/ / / / /_/ / </div><div> / .___/\__, /\__/_.___/\__,_/_/_/ /_/ /_/\__, / </div><div> /_/ /____/ /____/ </div><div> creator of pytbull: Sebastien Damaye, aldeid.com</div><div> creator of pytbull-ng: Michal Chrobak, efigo.pl</div><div><br /></div><div>What would you like to do?</div><div>1. Run a new campaign (will erase previous results)</div><div>2. View results from previous campaign</div><div>3. Exit</div><div>Choose an option: 1</div><div><br /></div><div>(gateway mode)</div><div><br /></div><div>+------------------------------------------------------------------------+</div><div>| pytbull will set off IDS/IPS alarms and/or other security devices |</div><div>| and security monitoring software. The user is aware that malicious |</div><div>| content will be downloaded and that the user should have been |</div><div>| authorized before running the tool. 
|</div><div>+------------------------------------------------------------------------+</div><div><br /></div><div>BASIC CHECKS</div><div>------------</div><div>Checking root privileges.........................................[ OK ]</div><div>Checking remote port 80/tcp (HTTP)...............................[ OK ]</div><div>Checking path for sudo...........................................[ OK ]</div><div>Checking path for nmap...........................................[ OK ]</div><div>Checking path for nikto..........................................[ OK ]</div><div>Checking path for niktoconf......................................[ OK ]</div><div>Checking path for hping3.........................................[ OK ]</div><div>Checking path for tcpreplay......................................[ OK ]</div><div>Checking path for ab.............................................[ OK ]</div><div>Checking path for ping...........................................[ OK ]</div><div>Checking path for ncrack.........................................[ OK ]</div><div>Removing temporary file..........................................[ OK ]</div><div>Cleaning database................................................[ OK ]</div><div><br /></div><div>TESTS</div><div>------------</div><div>Client Side Attacks..............................................[ no ]</div><div>Test Rules.......................................................[ no ]</div><div>Bad Traffic......................................................[ yes ]</div><div>Fragmented Packets...............................................[ yes ]</div><div>Brute Force......................................................[ no ]</div><div>Evasion Techniques...............................................[ yes ]</div><div>ShellCodes.......................................................[ no ]</div><div>Denial of Service................................................[ yes ]</div><div>Pcap 
Replay......................................................[ yes ]</div><div>Normal Usage.....................................................[ yes ]</div><div>IP Reputation....................................................[ yes ]</div><div><br /></div><div><br /></div><div>BAD TRAFFIC</div><div>------------</div><div>TEST #1 - [16:25:19-16:35:19] - Nmap Xmas scan........................[ done ]</div><div>TEST #2 - [16:25:24-16:26:24] - Malformed Traffic.....................[ done ]</div><div><br /></div><div>FRAGMENTED PACKETS</div><div>------------</div><div><br /></div><div>EVASION TECHNIQUES</div><div>------------</div><div>TEST #3 - [16:25:28-16:35:28] - Nmap decoy test (6th position)........[ done ]</div><div>TEST #4 - [16:27:56-16:37:56] - Nmap decoy test (7th position)........[ done ]</div><div>TEST #5 - [16:30:22-16:31:22] - Hex encoding..........................[ done ]</div><div>TEST #6 - [16:30:26-16:40:26] - Nmap scan with fragmentation..........[ done ]</div><div>TEST #7 - [16:31:15-16:32:15] - Nikto Random URI encoding.............[ done ]</div><div>TEST #8 - [16:31:36-16:32:36] - Nikto Directory self reference........[ done ]</div><div>TEST #9 - [16:32:11-16:33:11] - Nikto Premature URL ending............[ done ]</div><div>TEST #10 - [16:32:47-16:33:47] - Nikto Prepend long random string.....[ done ]</div><div>TEST #11 - [16:33:23-16:34:23] - Nikto Fake parameter.................[ done ]</div><div>TEST #12 - [16:33:32-16:34:32] - Nikto TAB as request spacer..........[ done ]</div><div>TEST #13 - [16:33:38-16:34:38] - Nikto Change the case of the URL.....[ done ]</div><div>TEST #14 - [16:34:15-16:35:15] - Nikto Windows directory separator....[ done ]</div><div>TEST #15 - [16:34:52-16:35:52] - Nikto Carriage return as request s...[ done ]</div><div>TEST #16 - [16:34:58-16:35:58] - Nikto Binary value as request spac...[ done ]</div><div>TEST #17 - [16:35:06-16:36:06] - Javascript Obfuscation...............[ done ]</div><div><br /></div><div>DENIAL 
OF SERVICE</div><div>------------</div><div>TEST #18 - [16:35:10-16:36:10] - ApacheBench DoS......................timed out...[ done ]</div><div>TEST #19 - [16:36:14-16:37:14] - hping SYN flood......................[ done ]</div><div><br /></div><div>PCAP REPLAY</div><div>------------</div><div><br /></div><div>NORMAL USAGE</div><div>------------</div><div>TEST #20 - [16:36:19-16:37:19] - ApacheBench 10 requests..............[ done ]</div><div>TEST #21 - [16:36:25-16:37:25] - Standard ping........................[ done ]</div><div><br /></div><div>IP REPUTATION</div><div>------------</div><div>TEST #22 - [16:36:29-16:37:29] - IP Reputation 103.129.98.17..........[ done ]</div><div>TEST #23 - [16:36:33-16:37:33] - IP Reputation 103.253.73.77..........[ done ]</div><div>TEST #24 - [16:36:37-16:37:37] - IP Reputation 103.83.81.144..........[ done ]</div><div>TEST #25 - [16:36:41-16:37:41] - IP Reputation 104.18.36.98...........[ done ]</div><div>TEST #26 - [16:36:45-16:37:45] - IP Reputation 107.175.64.210.........[ done ]</div><div>TEST #27 - [16:36:49-16:37:49] - IP Reputation 108.171.216.194........[ done ]</div><div>TEST #28 - [16:36:53-16:37:53] - IP Reputation 110.4.45.119...........[ done ]</div><div>TEST #29 - [16:36:57-16:37:57] - IP Reputation 184.168.221.43.........[ done ]</div><div>TEST #30 - [16:37:01-16:38:01] - IP Reputation 185.104.45.20..........[ done ]</div><div>TEST #31 - [16:37:05-16:38:05] - IP Reputation 185.174.100.116........[ done ]</div><div><br /></div><div>real 11m52.821s</div><div>user 0m10.923s</div><div>sys 0m3.134s</div></div><div><br /></div><div><br /></div><div><b style="background-color: #fff2cc;">Sophos XG IPS logs:</b></div><div><b style="background-color: #fff2cc;"><br /></b></div><div><span style="background-color: #fff2cc;"><div><span style="font-weight: bold; white-space: pre;"> </span>Time<span style="white-space: pre;"> </span>Log comp<span style="white-space: pre;"> </span>Log subtype<span style="white-space: pre;"> 
</span>Username<span style="white-space: pre;"> </span>Src IP<span style="white-space: pre;"> </span>Dst IP<span style="white-space: pre;"> </span>Signature ID<span style="white-space: pre;"> </span>Signature name<span style="white-space: pre;"> </span>Category<span style="white-space: pre;"> </span>Platform<span style="white-space: pre;"> </span>Victim<span style="white-space: pre;"> </span>Firewall rule<span style="white-space: pre;"> </span>Message ID<span style="white-space: pre;"> </span>Live PCAP</div><div>IPS<span style="white-space: pre;"> </span>6/9/2022 19:30<span style="white-space: pre;"> </span>Signatures<span style="white-space: pre;"> </span>Drop<span style="white-space: pre;"> </span>212.0.210.169<span style="white-space: pre;"> </span>10.255.255.172<span style="white-space: pre;"> </span>1122<span style="white-space: pre;"> </span>SERVER-WEBAPP /etc/passwd file access attempt<span style="white-space: pre;"> </span>server-webapp<span style="white-space: pre;"> </span>Linux<span style="white-space: pre;"> </span>Server<span style="white-space: pre;"> </span>6<span style="white-space: pre;"> </span>7002<span style="white-space: pre;"> </span>Open PCAP</div><div>IPS<span style="white-space: pre;"> </span>6/9/2022 19:27<span style="white-space: pre;"> </span>Signatures<span style="white-space: pre;"> </span>Drop<span style="white-space: pre;"> </span>212.0.210.169<span style="white-space: pre;"> </span>10.255.255.172<span style="white-space: pre;"> </span>2305362<span style="white-space: pre;"> </span>SCAN NMAP Script Scanner<span style="white-space: pre;"> </span>scan<span style="white-space: pre;"> </span>BSD,Linux,Mac,Other,Solaris,Unix,Windows<span style="white-space: pre;"> </span>Server<span style="white-space: pre;"> </span>6<span style="white-space: pre;"> </span>7002<span style="white-space: pre;"> </span>Open PCAP</div><div>IPS<span style="white-space: pre;"> </span>6/9/2022 19:27<span style="white-space: pre;"> </span>Signatures<span 
style="white-space: pre;"> </span>Drop<span style="white-space: pre;"> </span>212.0.210.169<span style="white-space: pre;"> </span>10.255.255.172<span style="white-space: pre;"> </span>2305362<span style="white-space: pre;"> </span>SCAN NMAP Script Scanner<span style="white-space: pre;"> </span>scan<span style="white-space: pre;"> </span>BSD,Linux,Mac,Other,Solaris,Unix,Windows<span style="white-space: pre;"> </span>Server<span style="white-space: pre;"> </span>6<span style="white-space: pre;"> </span>7002<span style="white-space: pre;"> </span>Open PCAP</div><div>IPS<span style="white-space: pre;"> </span>6/9/2022 19:27<span style="white-space: pre;"> </span>Signatures<span style="white-space: pre;"> </span>Drop<span style="white-space: pre;"> </span>212.0.210.169<span style="white-space: pre;"> </span>10.255.255.172<span style="white-space: pre;"> </span>2305362<span style="white-space: pre;"> </span>SCAN NMAP Script Scanner<span style="white-space: pre;"> </span>scan<span style="white-space: pre;"> </span>BSD,Linux,Mac,Other,Solaris,Unix,Windows<span style="white-space: pre;"> </span>Server<span style="white-space: pre;"> </span>6<span style="white-space: pre;"> </span>7002<span style="white-space: pre;"> </span>Open PCAP</div><div>IPS<span style="white-space: pre;"> </span>6/9/2022 19:27<span style="white-space: pre;"> </span>Signatures<span style="white-space: pre;"> </span>Drop<span style="white-space: pre;"> </span>212.0.210.169<span style="white-space: pre;"> </span>10.255.255.172<span style="white-space: pre;"> </span>2305362<span style="white-space: pre;"> </span>SCAN NMAP Script Scanner<span style="white-space: pre;"> </span>scan<span style="white-space: pre;"> </span>BSD,Linux,Mac,Other,Solaris,Unix,Windows<span style="white-space: pre;"> </span>Server<span style="white-space: pre;"> </span>6<span style="white-space: pre;"> </span>7002<span style="white-space: pre;"> </span>Open PCAP</div><div><br /></div><div><table align="center" cellpadding="0" 
cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhNWcmN9xYtkb_I4lqoFGxV0M8G0rgp8CDgZ6_9gSmmuJXr-A4vEsrK_5DAACu_tTaFC_FVMJM4xA7inx2-tY2LFjChi1iMLyDCDBNFAcgWjpfOMyWL1FPRpknjQyHgY91jYICn25mSS7c9VM_hR0BMS74SUdz_jmXCO4hwHDLUId3F3kX0gpB-X_kR" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="960" data-original-width="1694" height="227" src="https://blogger.googleusercontent.com/img/a/AVvXsEhNWcmN9xYtkb_I4lqoFGxV0M8G0rgp8CDgZ6_9gSmmuJXr-A4vEsrK_5DAACu_tTaFC_FVMJM4xA7inx2-tY2LFjChi1iMLyDCDBNFAcgWjpfOMyWL1FPRpknjQyHgY91jYICn25mSS7c9VM_hR0BMS74SUdz_jmXCO4hwHDLUId3F3kX0gpB-X_kR" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">IPS logs</td></tr></tbody></table><br /><br /></div></span></div><div><br /></div><div><br /></div><div><br /></div><div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEitcHxMe4fZJBNjmGcQmxEHKtb5Zbewx1L8xAd5XX9-FFt3QvpLhAHbDUSKaS8ecCDL8Qc_TnZ7MV7dNbFNGm8NhEuGDENjm187gdWqAbljT54P_vxMK14reghRl8PXaEqMJ8exMRXRYHhPAbTeCQU8HsZRIMpujAdMddxv2eCQTO6tsTgcaQVSsdOD" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="940" data-original-width="1441" height="261" src="https://blogger.googleusercontent.com/img/a/AVvXsEitcHxMe4fZJBNjmGcQmxEHKtb5Zbewx1L8xAd5XX9-FFt3QvpLhAHbDUSKaS8ecCDL8Qc_TnZ7MV7dNbFNGm8NhEuGDENjm187gdWqAbljT54P_vxMK14reghRl8PXaEqMJ8exMRXRYHhPAbTeCQU8HsZRIMpujAdMddxv2eCQTO6tsTgcaQVSsdOD=w400-h261" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">IPS Reports 1</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; 
margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgQv5dl41ryi_dlzrV7qdtvJ0fnFw5upZ52PbxkMvZg2JSAs2Xr_MUhxUIuvikha3LfnRNk6mBECq1pGiF01GBbThQaEaGo6fSzFh71phb5ZSOubKK2DVJqwEnVuk6ZiPUNV7A0Zl0cKdWZeZ7iY4HzT9Ysf59EFIPnLg9VkwV1ctN2qzPXIUoXCMpw" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="381" data-original-width="1146" height="133" src="https://blogger.googleusercontent.com/img/a/AVvXsEgQv5dl41ryi_dlzrV7qdtvJ0fnFw5upZ52PbxkMvZg2JSAs2Xr_MUhxUIuvikha3LfnRNk6mBECq1pGiF01GBbThQaEaGo6fSzFh71phb5ZSOubKK2DVJqwEnVuk6ZiPUNV7A0Zl0cKdWZeZ7iY4HzT9Ysf59EFIPnLg9VkwV1ctN2qzPXIUoXCMpw=w400-h133" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">IPS Reports 2</td></tr></tbody></table><br /><br /></div><div><br /></div><div><br /></div><div><br /></div>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-83412299123532550752021-12-06T18:46:00.006+02:002021-12-07T13:41:51.533+02:00 km-effort and itra points estimations<a name='more'></a>
<iframe class="alltrails" frameborder="0" height="600" marginheight="0" marginwidth="0" scrolling="no" src="https://www.alltrails.com/widget/map/map-0397758--45?u=m" title="AllTrails: Trail Guides and Maps for Hiking, Camping, and Running" width="75%"></iframe>
<p></p><blockquote><p>race<span style="white-space: pre;"> </span>Km-effort<span style="white-space: pre;"> </span>distance (km) + vertical (m)/100</p><p>mont-blanc<span style="white-space: pre;"> </span>70.28<span style="white-space: pre;"> </span>45.40 + 24.88</p><p>azores<span style="white-space: pre;"> </span>71.42<span style="white-space: pre;"> </span>50 + 21.42</p><p><br /></p><p>dragon<span style="white-space: pre;"> </span>55.34<span style="white-space: pre;"> </span>44.75 + 10.59</p><p>bucovina<span style="white-space: pre;"> </span>49<span style="white-space: pre;"> </span>30.34 + 18.66</p><p>chis2021<span style="white-space: pre;"> </span>45<span style="white-space: pre;"> </span>42.5 +<span style="white-space: pre;"> </span>2.5</p><p>barca2021<span style="white-space: pre;"> </span>44.1<span style="white-space: pre;"> </span>42.79 + 1.3</p><p>Tipova<span style="white-space: pre;"> </span>42.6<span style="white-space: pre;"> </span>33.07 + 9.53</p><p>codru <span style="white-space: pre;"> </span>38.5<span style="white-space: pre;"> </span>30.35 + 8.22 </p></blockquote><p></p><div><br /></div><div>https://itra.run/About/DiscoverTrailRunning</div><div><div>Distance<span style="white-space: pre;"> </span>1 km = 1 Km-effort </div><div>Vertical <span style="white-space: pre;"> </span>+100 m vertical = 1 Km-effort</div><div><br /></div><div>Based on the number of Km-effort, each race is then classified according to its level of difficulty with ITRA Points ranging from 0 to 6 as follows:</div><div>ITRA Points<span style="white-space: pre;"> </span>Km-effort</div><div>0<span style="white-space: pre;"> </span>0 - 24</div><div>1<span style="white-space: pre;"> </span>25 - 44</div><div>2<span style="white-space: pre;"> </span>45 - 74</div><div>3<span style="white-space: pre;"> </span>75 - 114</div><div>4<span style="white-space: pre;"> </span>115 - 154</div><div>5<span style="white-space: pre;"> </span>155 - 209</div><div>6<span style="white-space: pre;"> </span>210+</div></div><div><br /></div><div><br 
/></div>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-18868230986921247512021-03-26T12:06:00.005+02:002021-03-26T12:08:34.976+02:00Estimate Linux machine performance with pveperf (proxmox script)<br /><span><a name='more'></a></span><div># ./pverperf</div><div><div>CPU BOGOMIPS: 16799.96</div><div>REGEX/SECOND: 1686925</div><div>HD SIZE: 35.45 GB (/dev/mapper/centos-root)</div><div>BUFFERED READS: 728.94 MB/sec</div><div>AVERAGE SEEK TIME: 0.65 ms</div></div><div><br /><b># cat ./pverperf</b><p></p><blockquote><p>#!/usr/bin/perl</p><p>use strict;</p><p>use warnings;</p><p>#use File::Sync;</p><p>use Time::HiRes qw( usleep ualarm gettimeofday tv_interval );</p><p>#use Net::DNS::Resolver;</p><p>if ($#ARGV >= 1) {</p><p> print STDERR "usage: $0 [PATH]\n";</p><p> exit -1;</p><p>}</p><p>my $path = $ARGV[0] || '/';</p><p>sub drop_cache {</p><p> # free pagecache,dentries,inode cache</p><p> if (-f '/proc/sys/vm/drop_caches') {</p><p> system ("echo 3 > /proc/sys/vm/drop_caches");</p><p> }</p><p>}</p><p>sub test_bogomips {</p><p> my $bogomips = 0;</p><p> open (TMP, "/proc/cpuinfo");</p><p> while (my $line = <TMP>) {</p><p> if ($line =~ m/^bogomips\s*:\s*(\d+\.\d+)\s*$/) {</p><p> $bogomips += $1;</p><p> }</p><p> }</p><p> close (TMP);</p><p> printf "CPU BOGOMIPS: %.2f\n", $bogomips;</p><p>}</p><p>sub test_regex {</p><p> my $starttime = [gettimeofday];</p><p> my $count = 0;</p><p> my $elapsed = 0;</p><p> for (;; $count++) {</p><p> my $str = int(rand(1000000)) . time();</p><p> if ($str =~ m/(.+)123.?123/) {</p><p> }</p><p> $elapsed = tv_interval ($starttime);</p><p> last if $elapsed > 3;</p><p> }</p><p> printf "REGEX/SECOND: %d\n", $count;</p><p>}</p><p>sub test_fsync {</p><p> my $basedir = shift;</p><p> drop_cache ();</p><p> my $dir = "$basedir/ptest.$$";</p><p> eval {</p><p> mkdir $dir;</p><p> my $data = ('A' x 4000) . 
"\n";</p><p> my $starttime = [gettimeofday];</p><p> my $count;</p><p> my $elapsed = 0;</p><p> for ($count=1;;$count++) {</p><p> my $m = $count % 300;</p><p> my $filename = "$dir/tf_$m.dat";</p><p> open (TMP, ">$filename") || die "open failed";</p><p> </p><p> print TMP $data;</p><p> File::Sync::fsync (\*TMP);</p><p> close (TMP);</p><p> $elapsed = tv_interval ($starttime);</p><p> last if $elapsed > 3;</p><p> }</p><p> my $sps = $count /$elapsed; # fsync per second</p><p> printf "FSYNCS/SECOND: %.2f\n", $sps;</p><p> };</p><p> my $err = $@;</p><p> system ("rm -rf $dir");</p><p> die $err if $err;</p><p>}</p><p>sub test_seektime {</p><p> my ($rootdev, $hdsize) = @_;</p><p> drop_cache ();</p><p> open (ROOTHD, "<$rootdev") || die "unable to open HD";</p><p> my $starttime = [gettimeofday];</p><p> my $count;</p><p> my $elapsed = 0;</p><p> my $readbuf;</p><p> for ($count=1;;$count++) {</p><p> my $pos = int (rand (int($hdsize/512))) * 512;</p><p> sysseek (ROOTHD, $pos, 0);</p><p> (sysread (ROOTHD, $readbuf, 512) == 512) || die "read failed";</p><p> $elapsed = tv_interval ($starttime);</p><p> last if $elapsed > 3;</p><p> }</p><p> close (ROOTHD);</p><p> my $rps = $count /$elapsed; # blocks per second</p><p> my $ast = (1000/$rps);</p><p> printf "AVERAGE SEEK TIME: %.2f ms\n", $ast;</p><p>}</p><p>sub test_read {</p><p> my $rootdev = shift;</p><p> drop_cache ();</p><p> my $starttime = [gettimeofday];</p><p> my $bytes = 0;</p><p> my $elapsed = 0;</p><p> my $readbuf;</p><p><br /></p><p> open (ROOTHD, "<$rootdev") || die "unable to open HD";</p><p> </p><p> for (;;) {</p><p> my $c = sysread (ROOTHD, $readbuf, 2 * 1024 *1024);</p><p> die "read failed" if $c < 0;</p><p> $bytes += $c;</p><p> $elapsed = tv_interval ($starttime);</p><p> last if $elapsed > 3;</p><p> }</p><p> close (ROOTHD);</p><p> my $bps = $bytes /($elapsed * 1024 * 1024); # MB per second</p><p> printf "BUFFERED READS: %.2f MB/sec\n", $bps;</p><p>}</p><p>sub get_address {</p><p> my ($resolv, $dns) = @_;</p><p> if (my $a = 
$resolv->send ($dns, 'A')) {</p><p> foreach my $rra ($a->answer) {</p><p> if ($rra->type eq 'A') {</p><p> return $rra->address;</p><p> }</p><p> }</p><p> }</p><p> return undef;</p><p>}</p><p>sub test_dns {</p><p> my %dnsargs = (</p><p> tcp_timeout => 10,</p><p> udp_timeout => 10,</p><p> retry => 1,</p><p> retrans => 0,</p><p> dnsrch => 0,</p><p> defnames => 0,</p><p> debug => 0,</p><p> );</p><p> #$dnsargs{nameservers} = [ qw (208.67.222.222) ];</p><p> #$dnsargs{nameservers} = [ qw (127.0.0.1) ];</p><p> my $resolv = Net::DNS::Resolver->new (%dnsargs);</p><p> my $starttime = [gettimeofday];</p><p> my $count;</p><p> my $elapsed = 0;</p><p> my $uid = time() . int(rand(1000000));</p><p> my $domain = "nonexistent$uid.com";</p><p> for ($count=1;;$count++) {</p><p> my $hid = int(rand(1000000));</p><p> my $hname = "test${hid}.$domain";</p><p> get_address ($resolv, $hname);</p><p> $elapsed = tv_interval ($starttime);</p><p> last if ($count > 100) || ($elapsed > 3);</p><p> }</p><p> printf "DNS EXT: %0.2f ms\n", ($elapsed * 1000)/$count;</p><p> my $resolv_conf = `cat /etc/resolv.conf`;</p><p> ($domain) = $resolv_conf =~ m/^search\s+(\S+)\s*$/mg;</p><p> if ($domain) {</p><p> $starttime = [gettimeofday];</p><p> $elapsed = 0;</p><p> for ($count=1;;$count++) {</p><p> my $hid = int(rand(1000000));</p><p> my $hname = "test${hid}.$domain";</p><p> get_address ($resolv, $hname);</p><p> $elapsed = tv_interval ($starttime);</p><p> last if ($count > 100) || ($elapsed > 3);</p><p> }</p><p> printf "DNS INT: %0.2f ms (%s)\n", </p><p> ($elapsed * 1000)/ $count, $domain;</p><p> }</p><p>}</p><p>test_bogomips ();</p><p>test_regex ();</p><p>my $hd = `df -P '$path'`;</p><p>my ($rootdev, $hdo_total, $hdo_used, $hdo_avail) = $hd =~</p><p> m/^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+.*$/mg;</p><p>if ($rootdev) {</p><p> my $hdsize = $hdo_total*1024;</p><p> printf "HD SIZE: %.2f GB ($rootdev)\n", ($hdsize / (1024*1024*1024));</p><p> if ($rootdev =~ m|^/dev/|) {</p><p> test_read ($rootdev);</p><p> 
test_seektime ($rootdev, $hdsize);</p><p> }</p><p>}</p><p>test_fsync ($path) if $hdo_avail;</p><p>test_dns ();</p><p>exit (0);</p><div></div></blockquote><div><br /></div></div>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-12087636807389069082021-03-01T12:49:00.003+02:002021-03-01T12:49:14.200+02:00USB Device Error PL2303HXA , driver update<p><span></span></p><a name='more'></a><p>PL2303HXA PHASED OUT SINCE 2012. PLEASE CONTACT YOUR SUPPLIER.</p><p>1) Install <a href="https://drive.google.com/file/d/13_VhQpYAPtQcc8hRVvo8VXVjUUAyLTwf/view?usp=sharing" target="_blank">Driver</a></p><p>2) Choose version that might work on your OS</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW34fK6O1bzfvr0UgR4EG3YrsRVQQJLuWFwym-_Q7Ih21o4wZFcM8rD4Ha_J3rxEVBXcsTQK4HrKWvklZCgTyYgjGE_v6JOeN2LjQbGvHkulm5XECIxym51Y5hyHqUT-mPuIKmxmqhED0/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="656" data-original-width="774" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW34fK6O1bzfvr0UgR4EG3YrsRVQQJLuWFwym-_Q7Ih21o4wZFcM8rD4Ha_J3rxEVBXcsTQK4HrKWvklZCgTyYgjGE_v6JOeN2LjQbGvHkulm5XECIxym51Y5hyHqUT-mPuIKmxmqhED0/s16000/image.png" /></a></div><br /><br /><p></p>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-38305088118487213672020-03-13T11:38:00.002+02:002020-03-13T18:37:49.216+02:00Centos-7 upgrade to Centos-8 without reboot<br />
<a name='more'></a><br />
<b><u>1) Upgrade Base OS</u></b><br />
<blockquote class="tr_bq">
#####<br />
##### Centos-7 upgrade to Centos-8<br />
# info @ <a href="https://www.tecmint.com/upgrade-centos-7-to-centos-8/">https://www.tecmint.com/upgrade-centos-7-to-centos-8/</a>#<br />
# cat /etc/redhat-release<br />
CentOS Linux release 7.7.1908 (Core)<br />
#<br />
#<br />
yum install epel-release -y<br />
yum install yum-utils<br />
yum install rpmconf<br />
rpmconf -a<br />
# reply with:<br />
# N<br />
# Y<br />
package-cleanup --leaves<br />
package-cleanup --orphans<br />
yum install dnf<br />
dnf -y remove yum yum-metadata-parser<br />
rm -Rf /etc/yum<br />
dnf upgrade<br />
dnf install http://mirror.bytemark.co.uk/centos/8.0.1905/BaseOS/x86_64/os/Packages/centos-release-8.0-0.1905.0.9.el8.x86_64.rpm<br />
dnf install http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/centos-release-8.1-1.1911.0.8.el8.x86_64.rpm<br />
dnf install http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/centos-repos-8.1-1.1911.0.8.el8.x86_64.rpm<br />
dnf -y upgrade https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm<br />
dnf clean all<br />
rpm -e `rpm -q kernel`<br />
rpm -e --nodeps sysvinit-tools<br />
#<br />
## installs 400 MB, and updates over 1000 packages<br />
dnf -y --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync<br />
#<br />
dnf -y install kernel-core<br />
dnf -y groupupdate "Core" "Minimal Install"<br />
#<br />
#<br />
# cat /etc/redhat-release<br />
CentOS Linux release 8.1.1911 (Core)</blockquote>
<div>
<br />
<br />
<b><u>2) Upgrade the Linux Kernel on CentOS / RHEL / Oracle Linux 8</u></b><br />
<br />
<blockquote class="tr_bq">
# uname -a<br />Linux NGINX44-de <span style="background-color: #fce5cd;">3.10.0</span>-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux<br />#### Info from:<br />## https://www.osradar.com/upgrade-the-kernel-on-centos-8-rhel-8-oracle-linux-8/<br />rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org<br />dnf install https://www.elrepo.org/elrepo-release-8.0-2.el8.elrepo.noarch.rpm<br />dnf repolist<br />dnf --enablerepo=elrepo-kernel install kernel-ml<br /># reboot<br /># uname -a<br />Linux NGINX44-de <span style="background-color: #fce5cd;">5.5.9</span>-1.el8.elrepo.x86_64 #1 SMP Wed Mar 11 19:04:03 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux</blockquote>
<br />
<br />
<br />
<b><u>3) Upgrade MariaDB/Zabbix 4.4</u></b><br />
# yum list installed | grep mariadb<br />
mariadb.x86_64 1:5.5.64-1.el7 @base <br />
mariadb-libs.x86_64 1:5.5.64-1.el7 @base <br />
mariadb-server.x86_64 1:5.5.64-1.el7 @base <br />
#<br />
#<br />
Error:<br />
Problem: package zabbix-server-mysql-4.4.6-1.el8.x86_64 requires libmysqlclient.so.21()(64bit), but none of the providers can be installed<br />
- package zabbix-server-mysql-4.4.6-1.el8.x86_64 requires libmysqlclient.so.21(libmysqlclient_21.0)(64bit), but none of the providers can be installed<br />
- installed package MariaDB-compat-10.4.12-1.el7.centos.x86_64 obsoletes mysql-libs provided by mysql-libs-8.0.17-3.module_el8.0.0+181+899d6349.x86_64<br />
- cannot install the best candidate for the job<br />
- problem with installed package MariaDB-compat-10.4.12-1.el7.centos.x86_64<br />
<br />
yum remove perl-DBD-MySQL<br />
yum --allowerasing install perl<br />
yum module enable perl:5.24<br />
# yum module enable perl:5.26<br />
dnf module reset perl:5.24 <br />
yum remove MariaDB-compat-10.4.12-1.el7.centos.x86_64<br />
<br />
dnf module reset perl-DBD-MySQL:4.046<br />
<br />
yum --allowerasing distrosync<br />
dnf module install mariadb<br />
<br />
<br />
# yum list installed | grep zabbix<br />
Modular dependency problems:<br />
<br />
Problem 1: conflicting requests<br />
- nothing provides module(perl:5.26) needed by module perl-DBD-MySQL:4.046:8010020191114030811:073fa5fe-0.x86_64<br />
Problem 2: conflicting requests<br />
- nothing provides module(perl:5.26) needed by module perl-DBI:1.641:8010020191113222731:16b3ab4d-0.x86_64<br />
zabbix-agent.x86_64 4.4.6-1.el7 @System <br />
zabbix-release.noarch 4.4-1.el7 @System <br />
zabbix-web.noarch 4.4.6-1.el7 @zabbix <br />
zabbix-web-pgsql.noarch 4.4.6-1.el7 @zabbix <br />
<br />
<br />
<br />
<br />
rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/8/x86_64/zabbix-release-4.4-1.el8.noarch.rpm<br />
dnf clean all<br />
dnf -y install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-agent<br />
#<br />
#<br />
systemctl restart zabbix-server zabbix-agent<br />
systemctl enable zabbix-server zabbix-agent<br />
#<br />
#<br />
firewall-cmd --add-service={http,https} --permanent<br />
firewall-cmd --add-port={10051/tcp,10050/tcp} --permanent<br />
firewall-cmd --reload<br />
#<br />
systemctl restart httpd php-fpm<br />
systemctl enable httpd php-fpm</div>
<div>
<br /></div>
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-20314657196264744142020-01-01T10:34:00.000+02:002016-11-02T14:33:40.973+02:00Welcome to SC Labs<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 1040px;"><tbody>
<tr><td>CCNA and CCNA Security</td><td>Network Related</td></tr>
<tr><td><b><span style="font-size: large;"><u>Cisco IOS/IOSX<span style="font-size: large;">R Hardening Guides</span></u></span></b><br />
- <a href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml"><b>IOS</b> Devices</a> <br />
- <a href="http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html"><b>IOS-XR</b> Devices</a><br />
<br />
<b><span style="font-size: large;"><u>CCNA Security (</u></span><span style="font-size: large;"><u><span style="font-size: large;"><u>IINS</u></span>) 640-554</u></span></b><br />
<a href="http://sclabs.blogspot.com/2012/07/ccna-security-notes-chapter-1-modern.html" target="_blank">Chapter 1 - Modern Security Threats</a><br />
<a href="http://sclabs.blogspot.com/2012/07/ccna-security-chapter-2-securing.html" target="_blank">Chapter 2 - Securing Network Devices</a><br />
<a href="http://sclabs.blogspot.com/2012/08/chapter-3-authentication-authorization.html">Chapter 3 - Authentication, Authorization and Accounting</a><br />
<a href="http://sclabs.blogspot.com/2012/09/ccna-security-chapter-4-implementing.html">Chapter 4 - Implementing Firewall Technologies (part 1 ACLs)</a><br />
<a href="http://sclabs.blogspot.com/2012/09/ccna-security-chapter-4-implementing_7.html">Chapter 4 - Implementing Firewall Technologies (part 2 firewalls: CBAC, ZBF)</a><br />
<a href="http://sclabs.blogspot.com/2012/09/chapter-5-implementing-intrusion.html">Chapter 5 - Implementing Intrusion Prevention ( IPS/IDS )</a><br />
<a href="http://sclabs.blogspot.com/2012/09/ccna-security-chapter-6-securing-local.html">Chapter 6 - Securing the Local Area Network</a><br />
<a href="http://sclabs.blogspot.com/2012/10/ccna-security-chapter-7-cryptographic.html">Chapter 7 - Cryptographic Systems</a><br />
<a href="http://sclabs.blogspot.com/2012/11/ccna-security-chapter-8-implementing.html">Chapter 8 - Implementing Virtual Private Networks</a><br />
<a href="http://sclabs.blogspot.com/2012/12/ccna-security-chapter-9-managing-secure.html">Chapter 9 - Managing a Secure Network</a><br />
<a href="http://sclabs.blogspot.com/2013/01/chapter-10-implementing-cisco-adaptive.html">Chapter 10 - Implementing Cisco Adaptive Security Appliance (ASA) part 1</a><br />
<a href="http://sclabs.blogspot.com/2013/01/ccna-security-chapter-10-implementing.html">Chapter 10 - Implementing Cisco Adaptive Security Appliance (ASA) part 2</a><br />
<b><b> </b><a href="http://sclabs.blogspot.com/2013/01/ccna-security-final-exam.html">CCNA Security final exam</a></b><br />
<b> <a href="http://sclabs.blogspot.com/2013/04/ccna-security-ipsec-site-to-site.html">CCNA Security Lab - IPSec Site-to-Site</a></b><br />
<b><br /></b><b><span style="font-size: large;"><u>CCNA 640-802 R/S </u></span></b><br />
<span style="font-size: small;"><a href="http://sclabs.blogspot.com/p/ccna-faqs.html">CCNA Cheatsheet</a> / </span><span style="font-size: large;"><u><b></b></u></span><a href="http://sclabs.blogspot.com/p/ccna-commands.html"><span style="font-size: small;">CCNA Commands</span></a><b><span style="font-size: large;"><u><br /></u></span></b>
<a href="http://sclabs.blogspot.com/2013/03/ccna-lab-packet-tracer-activity-861.html"><span style="font-size: small;">CCNA LAB 8.6.1 (FR, PPP, NAT,<span style="font-size: small;"> EIGRP</span>, VLAN, STP, VTP, DHCP, ACL, Wi<span style="font-size: small;">F<span style="font-size: small;">i</span></span>)</span></a><b><br />CCNA 1 Exploration - Network Fundamentals</b><b><span style="font-size: large;"> </span></b><br />
<b>CCNA 2 Exploration - Routing Protocols and Concepts</b><b><span style="font-size: large;"> </span></b><br />
· <a href="http://sclabs.blogspot.com/2010/03/ex2-chapter-1-introduction-to-routing.html" target="_blank">Chapter 1: Introduction to Routing and Packet Forwarding</a><br />
· <a href="http://sclabs.blogspot.com/2010/03/ex2-chapter-2-static-routing.html" target="_blank">Chapter 2: Static Routes, CDP</a><br />
· <a href="http://sclabs.blogspot.com/2010/02/ex2-chapter-3-introduction-to-dynamic.html" target="_blank">Chapter 3: Introduction to Dynamic Routing Protocols</a><br />
· <a href="http://sclabs.blogspot.com/2010/02/ex2-chapter-4-distance-vector-routing.html" target="_blank">Chapter 4: Distance Vector Routing Protocols</a><br />
· <a href="http://sclabs.blogspot.com/2010/02/ex2-chapter-5-rip-version-1.html" target="_blank">Chapter 5: RIP v1: A Distance Vector, Classful Routing Protocol</a><br />
· <a href="http://sclabs.blogspot.com/2010/02/ex2-chapter-6-vlsm-and-cidr.html" target="_blank">Chapter 6: Classless Routing: VLSM and CIDR</a><br />
· <a href="http://sclabs.blogspot.com/2010/02/ex2-chapter-7-rip-version-2.html" target="_blank">Chapter 7: Classless Routing Using RIPv2</a><br />
· <a href="http://sclabs.blogspot.com/2010/03/8-table-that-routing-table-hierarchy-in.html" target="_blank">Chapter 8: The Routing Table: A Closer Look</a><br />
· <a href="http://sclabs.blogspot.com/2010/03/module-9-eigrp.html" target="_blank">Chapter 9: EIGRP: A Distance Vector, Classless Routing Protocol</a><br />
· <a href="http://sclabs.blogspot.com/2010/03/module-10-link-state.html" target="_blank">Chapter 10: Link-State Routing Protocols</a><br />
· <a href="http://sclabs.blogspot.com/2010/03/module-11-ospf.html" target="_blank">Chapter 11: Single Area OSPF: A Link State, Classless Routing Protocol</a><br />
- <a href="http://sclabs.blogspot.com/2010/03/module-12-bgp-basics.html" target="_blank">EXTRA Chapter 12: BGP basics</a><br />
<b>CCNA 3 Exploration - LAN Switching and Wireless</b><br />
- <a href="http://sclabs.blogspot.com/2010/03/ex3-chapter-1-lan-design.html" target="_blank">Chapter 1: LAN Design</a><br />
- <a href="http://sclabs.blogspot.com/2010/03/ex3-chapter-2-switch-basic.html" target="_blank">Chapter 2: Basic Switch Concepts and Configuration</a><br />
- <a href="http://sclabs.blogspot.com/2010/04/ex3-chapter-3-vlans.html" target="_blank">Chapter 3: VLANs, <span style="font-size: small;">DTP</span></a><br />
- <a href="http://sclabs.blogspot.com/2010/04/ex3-chapter-3-vtp.html" target="_blank">Chapter 4: VTP</a><br />
- <a href="http://sclabs.blogspot.com/2010/04/ex3-chapter-3-stp.html" target="_blank">Chapter 5: STP (+Etherchannel)</a><br />
- <a href="http://sclabs.blogspot.com/2010/04/ex3-chapter-6-inter-vlan-routing.html" target="_blank">Chapter 6: Inter-VLAN Routing</a><br />
- <a href="http://sclabs.blogspot.com/2010/04/ex3-chapter-7-basic-wireless-concepts.html" target="_blank">Chapter 7: Basic Wireless Concepts and Configuration</a><br />
<b>CCNA 4 Exploration - Accessing the WAN</b><br />
- <a href="http://sclabs.blogspot.com/2010/07/ex4-chapter-1-introduction-to-wans.html" target="_blank">Chapter 1: Introduction to WANs</a><br />
- <a href="http://sclabs.blogspot.com/2010/07/ex4-chapter-2-ppp.html" target="_blank">Chapter 2: PPP</a><br />
- <a href="http://sclabs.blogspot.com/2010/07/ex4-chapter-3-frame-relay.html" target="_blank">Chapter 3: Frame Relay</a><br />
- <a href="http://sclabs.blogspot.com/2010/07/ex4-chapter-4-network-security.html" target="_blank">Chapter 4: Network Security</a><br />
- <a href="http://sclabs.blogspot.com/2010/07/ex4-chapter-5-acls.html" target="_blank">Chapter 5: ACLs</a><br />
- <a href="http://sclabs.blogspot.com/2010/08/ex4-chapter-6-telework-services.html" target="_blank">Chapter 6: Teleworker Services</a><br />
- <a href="http://sclabs.blogspot.com/2010/08/chapter-7-ip-addressing-services.html" target="_blank">Chapter 7: IP Addressing Services (DHCP, NAT, IPv6)</a><br />
- <a href="http://sclabs.blogspot.com/2010/08/ex4-chapter-8-network-troubleshooting.html" target="_blank">Chapter 8: Network Troubleshooting</a><br />
<u><b><span style="font-size: large;"></span></b></u><br />
<b><span style="font-size: large;"><u>FreeBSD</u></span></b><br />
sed -i -e 's/foo/bar/g' filename - replace text in file from cli<br />
egrep -v '^#|^$' ./file.conf - list config without comments and empty lines<br />
<blockquote class="tr_bq">
echo "alias mc='mc -ac'" >> ~/.bash_profile<br />
echo "alias mtr='mtr -o \"L D SR NBAW JMX\"' " >> ~/.bash_profile<br />
echo "alias atop='atop -f1 1'" >> ~/.bash_profile<br />
source ~/.bash_profile</blockquote>
- <a href="http://sclabs.blogspot.com/2011/02/freebsd-software-installremove.html">FreeBSD step 1 - Installation and updating</a><br />
- <a href="http://sclabs.blogspot.com/2011/02/freebsd-system-monitoring.html">FreeBSD step 2 - System information and monitoring</a><br />
- <a href="http://sclabs.blogspot.com/2011/04/famp-freebsd-apache-mysql-php.html">FreeBSD step 3 - FAMP (FreeBSD, Apache, MySQL, PHP)</a><br />
- <a href="http://sclabs.blogspot.com/2010/08/hotkeys.html">Hotkeys and configs for bash, mc, vi, tmux</a><br />
- <a href="http://sclabs.blogspot.com/2011/02/freebsd-optimizations.html">FreeBSD Configs, Tools and FAQs</a><br />
- <a href="http://sclabs.blogspot.com/2012/06/vmware-vsphere-esxi-management-with.html">FreeBSD VMWare ESXi Management</a><br />
- <a href="http://sclabs.blogspot.md/2016/02/freebsd-survival-guide-utf-8-console.html">FreeBSD Survival Guide</a><br />
<br />
<b><u><span style="font-size: large;">Others</span></u></b><br />
- <b><a href="http://sclabs.blogspot.com/2012/05/routing-troubleshooting.html">Routing questions to remember</a> </b><br />
- <a href="http://sclabs.blogspot.com/2013/12/random-stuff.html">Windows stuff</a><br />
- <a href="http://sclabs.blogspot.com/2012/08/cisco-ios-basics.html">Cisco IOS - basic operations</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/cisco-ios-advanced-operations.html">Cisco IOS - advanced operations (navigation+include)</a> <br />
- <a href="http://sclabs.blogspot.com/2011/04/basic-cisco-switch-configuration.html">Cisco switch basic config</a><br />
- <a href="http://sclabs.blogspot.com/2011/03/dhcp.html">DHCP Client / Server Operation </a><br />
- <a href="http://sclabs.blogspot.com/2012/05/openvpn-bridge-with-pfsense-201.html">OpenVPN Bridge with pfSense </a><br />
- <a href="http://sclabs.blogspot.com/2011/05/ipv6-basics.html">IPv6 basics</a><br />
- <a href="http://sclabs.blogspot.com/2012/01/connectors.html">Optical connectors</a><br />
- <a href="http://sclabs.blogspot.com/2010/03/habits-of-highly-effective-students.html" target="_blank">Habits of Highly Effective Students</a><br />
<br />
<br />
<span style="background-color: #feffe5; font-family: "Bitstream Vera Sans Mono", monospace, "DejaVu Sans Mono", Monaco, "Lucida Console", Consolas, "Liberation Mono", "Courier New"; font-size: 13px;">%SystemRoot%\System32\Cmd.exe /c Cleanmgr /sageset:65535 & Cleanmgr /sagerun:65535</span><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /></td>
<td valign="top"><b>
<span style="font-size: large;"><u>CCNP TSHOOT 642-832</u></span></b><br />
<b>642-832 TSHOOT </b><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-introduction-to-network.html">CCNP Tshoot - Introduction to Network Maintenance and Troubleshooting Processes </a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-maintenance-and.html">CCNP Tshoot - The Maintenance and Troubleshooting Toolbox</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-basic-cisco-catalyst-switch.html">CCNP Tshoot - Basic Cisco Catalyst Switch Troubleshooting</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-advanced-cisco-catalyst.html">CCNP Tshoot - Advanced Cisco Catalyst Switch Troubleshooting </a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-troubleshooting-routing.html">CCNP Tshoot - Troubleshooting Routing Protocols (RIB, EIGRP, OSPF, Redistribution, BGP)</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-router-performance-issues.html">CCNP Tshoot - Router Performance Issues</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-security-troubleshooting.html">CCNP Tshoot - Security Troubleshooting</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoot-ip-services-troubleshooting.html">CCNP Tshoot - IP Services Troubleshooting (NAT, DHCP)</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-tshoott-ip-communications.html">CCNP Tshoot - IP Communications Troubleshooting (Voice, Video, QoS, Multicast)</a><br />
- <a href="http://sclabs.blogspot.com/2014/12/ccnp-tshoot-ipv6-troubleshooting.html">CCNP Tshoot - IPv6 Troubleshooting (IPv6, OSPFv3, RIPng)</a><br />
- <a href="http://sclabs.blogspot.com/2014/12/ccnp-tshoot-advanced-services.html">CCNP Tshoot - Advanced Services (ANS, Netflow, IP SLA, NBAR, QOS, Wireless)</a><br />
- <a href="http://sclabs.blogspot.com/2014/12/ccnp-tshoot-large-enterprise-network.html">CCNP Tshoot - Large Enterprise Network Troubleshooting (VPNs)</a> <br />
<br />
<b>
<span style="font-size: large;"><u>CCNP SWITCH 642-813</u></span></b><br />
<b>Building Campus Network</b><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-switch-operation.html">CCNP Switch - Switch Operation (CAM/TCAM)</a><br />
- <a href="http://sclabs.blogspot.com/2014/09/show-interface-in-depth.html">CCNP Switch bonus - Troubleshooting Ethernet (show interface)</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-switch-port-configuration.html">CCNP Switch - Switch Port Configuration</a> <br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-vlans-and-trunks.html">CCNP Switch - VLANs and Trunks (L2/L3 Switchport, ISL, VLAN,Trunk,DTP, QinQ, MultiVLAN)</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/cncp-switch-vlan-trunking-protocol-vtp.html">CCNP Switch - VLAN Trunking Protocol VTP</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-aggregating-switch-links.html">CCNP Switch - Aggregating Switch Links (L2/L3 Etherchannel,PAgP,LACP)</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-traditional-spanning-tree.html">CCNP Switch - STP. Traditional Spanning Tree Protocol </a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-stp-configuration.html">CCNP Switch - STP Configuration</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-protecting-stp-topology.html">CCNP Switch - Protecting the STP: RootGuard,BPDUGuard,BPDUFilter,LoopGuard,UDLD</a><br />
- <a class="GCUXF0KCPB" href="http://sclabs.blogspot.com/2014/10/ccnp-switch-advanced-spanning-tree.html">CCNP Switch - Advanced Spanning Tree Protocol (RSTP,MSTP)</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-stp-versions.html">CCNP Switch bonus - STP versions interoperability</a><br />
- <a class="GCUXF0KCPB" href="http://sclabs.blogspot.com/2014/10/ccnp-switch-multilayer-switching.html">CCNP Switch - Multilayer Switching (SVI,CEF, DHCP)</a> <br />
<b>Designing Campus Network</b><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-enterprise-campus-network.html">CCNP Switch - Enterprise Campus Network Design</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-layer-3-high-availability.html">CCNP Switch - Layer 3 High Availability (HSRP, VRRP, GLBP, Redundancy, NSF)</a><br />
- <a href="http://sclabs.blogspot.com/2014/11/ccnp-switch-implementing-network.html">CCNP Switch - Implementing Network Monitoring: Syslog, SNMP, IP SLA</a><br />
<b>Campus Network Services</b><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-ip-telephony.html">CCNP Switch - IP Telephony (PoE, Voice VLAN, QoS)</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-wireless-lans.html">CCNP Switch - Wireless LANs</a><br />
<b>Securing Switched Networks</b><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-securing-switched-networks.html">CCNP Switch - Port Security, 802.1x, DHCP Snooping, IP Source Guard, DAI</a><br />
- <a href="http://sclabs.blogspot.com/2014/10/ccnp-switch-securing-with-vlans.html">CCNP Switch - Securing with VLANs (VACL, PACL, Private VLANs, VLAN hopping)</a><br />
<br />
<b><span style="font-size: large;"><u>CCNP </u></span><span style="font-size: large;"><u><span style="font-size: large;"><u>ROUTE </u></span>642-902 </u></span></b> <br />
<b> -</b> <a href="http://sclabs.blogspot.com/2014/04/ccnp-route-design.html">CCNP Route - Network Design (CCNP network engineer roles)</a><br />
<b> - </b><a href="http://sclabs.blogspot.com/2014/03/ccnp-route-ip-routing-principles.html">CCNP Route - IP Routing Principles </a><br />
<b> - </b><a href="http://sclabs.blogspot.com/2014/03/ccnp-route-branch-office-connections-vpn.html">CCNP Route - Branch Office connections (VPNs, IPSec, GRE)</a><br />
<b> EIGRP</b><br />
- <a href="http://sclabs.blogspot.com/2013/10/ccnp-route-chapter-2-eigrp.html">CCNP Route - EIGRP part 1: Concept/packets/metric/config/auth/default_route/summ/troublesh</a><br />
- <a href="http://sclabs.blogspot.com/2013/10/ccnp-route-chapter-2-eigrp-part2.html">CCNP Route - EIGRP part 2: EIGRP over Frame Relay/MPLS/Balancing</a><br />
- <a href="http://sclabs.blogspot.com/2013/10/ccnp-route-chapter-2-eigrp-part3-labs.html">CCNP Route - EIGRP part 3 Labs</a><br />
- <a href="http://sclabs.blogspot.com/2013/10/ccnp-route-chapter-2-eigrp-part4.html">CCNP Route - EIGRP part 4: Commands</a><br />
- <a href="http://sclabs.blogspot.com/2013/11/ccnp-route-chapter-2-eigrp-lab.html">CCNP Route - EIGRP part 5 Frame Relay LAB part 1</a><br />
- <a href="http://sclabs.blogspot.com/2013/11/ccnp-route-chapter-2-eigrp-frame-relay.html">CCNP Route - EIGRP part 5 Frame Relay LAB part 2</a><br />
- <a href="http://sclabs.blogspot.com/2013/11/ccnp-route-implementing-and-planning.html">CCNP Route - EIGRP Memory tables</a><br />
<b> OSPF</b><br />
- <a href="http://sclabs.blogspot.com/2014/01/ccnp-route-chapter-3-ospf.html">CCNP Route - OSPF part 1: Concept/RID/Auth/Neighbors/LSA/DBD/Cost</a><br />
- <a href="http://sclabs.blogspot.com/2014/02/ccnp-route-ospf-part-2.html">CCNP Route - OSPF part 2: Planning/filtering/summarization/stub/default route/virt link</a><br />
- <a href="http://sclabs.blogspot.com/2014/02/ccnp-route-ospf-part-3-frame-relay.html">CCNP Route - OSPF part 3: Network type/Frame-Relay</a><br />
- <a href="http://sclabs.blogspot.com/2014/02/ccnp-route-ospf-part-4-to-do.html">CCNP Route - OSPF part 4: Commands, Labs, FAQs and Memory Tables</a><br />
<b> Path Control</b><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-path-control-part-1.html">CCNP Route - Path control, part 1: Redistribution</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-path-control-part-2.html">CCNP Route - Path control, part 2: Redistribution with Route Maps and Distribute Lists</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-path-control-part-3-policy.html">CCNP Route - Path control, part 3: PBR - Policy-Based Routing and IP SLA</a><br />
<b> BGP</b><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-bgp-part-1-intro.html">CCNP Route - BGP part 1: Internet Connectivity</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-bgp-part-2-bgp-intro.html">CCNP Route - BGP part 2: BGP Intro</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-bgp-part-3-ebgp-external-bgp.html">CCNP Route - BGP part 3: eBGP (announce, neighbor, bgp table, states )</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-bgp-part-4-ibgp.html">CCNP Route - BGP part 4: iBGP</a> <br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-bgp-part-5-bgp-path-control.html">CCNP Route - BGP part 5: BGP path control (path attributes,best path, influencing path)</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-bgp-part-6-labs.html">CCNP Route - BGP part 6: Case Studies, Labs, FAQs</a><br />
<b> IPv6</b><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-ipv6-part-6-ipv6-addressing.html">CCNP Route - IPv6 part 1: IPv6 Addressing (IPv6 intro, DHCP, NDP, MTU, EUI-64)</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-ipv6-part-2-ipv6-addressing.html">CCNP Route - IPv6 part 2: IPv6 Addressing (unicast, multicast, configuration)</a><br />
- <a class="GCUXF0KCPB" href="http://sclabs.blogspot.com/2014/03/ccnp-route-ipv6-part-3-ipv6-routing.html">CCNP Route - IPv6 part 3: IPv6 Routing Protocols and Redistribution</a><br />
- <a href="http://sclabs.blogspot.com/2014/03/ccnp-route-ipv6-part-4-ipv4-and-ipv6.html">CCNP Route - IPv6 part 4: Migration to IPv6 (dual stack, tunnels, NAT)</a><br />
<br />
<b><span style="font-size: large;"><u>Monitoring</u></span></b><br />
- <a href="http://sclabs.blogspot.com/2011/03/cacti.html">Cacti installation,customization and optimization</a><br />
- <a href="http://sclabs.blogspot.com/2011/04/rrdtool-basics.html">RRDTool basics</a><br />
- <a href="http://sclabs.blogspot.com/2012/01/zabbix-monitoring.html">Zabbix installation and operation</a><br />
- <a href="http://sclabs.blogspot.com/2011/03/logging.html">Logging</a><br />
- <a href="http://sclabs.blogspot.com/2011/04/munin-installation.html">Munin: server monitoring</a> - <a href="http://sclabs.blogspot.com/2012/03/smokeping-onf-freebsd.html">Smokeping : latency monitoring</a> - <a href="http://sclabs.blogspot.com/2014/01/observium-ce-013104585-installation-on.html">Observium</a><br />
<br />
<b><span style="font-size: large;"><u>Network Tools</u></span></b><br />
- <a href="http://sclabs.blogspot.com/2013/04/gns3-install-and-configure.html">Linux Tips, Ubuntu Centos RedHat</a><br />
- <a href="http://sclabs.blogspot.com/2011/03/network-tools.html">Network Troubleshooting tools</a><br />
- <a href="http://sclabs.blogspot.com/2010/05/protocol-overhead.html">Protocol Overhead</a><br />
- <a href="http://sclabs.blogspot.com/2010/05/real-speedtest.html">Test TCP performance (speedtest) with nuttcp</a><br />
- <a href="http://sclabs.blogspot.com/2010/07/using-traceroute.html">Using Traceroute</a><br />
</td></tr>
</tbody> </table>
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-44460146148584970022019-12-09T18:07:00.002+02:002019-12-09T18:39:15.897+02:00ESXI VM CPU Ready<br />
<a name='more'></a><br />
https://kb.vmware.com/s/article/2002181<br />
https://kb.vmware.com/s/article/2001003<br />
http://www.joshodgers.com/2013/01/05/how-much-cpu-ready-is-ok/<br />
http://www.vmcalc.com/<br />
<br />
<br />
<b><span style="color: #cc0000;">vCPU to Core Ratio</span></b> - <span style="background-color: white; color: #333333; font-family: "georgia" , "droid serif" , "times" , serif; font-size: 18px;">The number of VM vCPUs allocated compared to the number of physical CPU cores available.</span><br />
<br />
<span style="background-color: white; color: #333333; font-family: "georgia" , "droid serif" , "times" , serif; font-size: 18px;">If workloads are CPU-intensive, the vCPU-to-core ratio will need to be smaller; if workloads are not CPU-intensive, the vCPU-to-core ratio can be larger. A typical vCPU-to-core ratio for server workloads is about 4:1—four vCPUs allocated for each available physical core. However, this can be much higher if workloads are not CPU-intensive.</span><br />
<br />
<br />
<span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"> </span><code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; font-family: monospace, monospace; font-size: 14px; overflow-wrap: break-word;">%READY</code><span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"> - the percentage of time that the virtual machine was ready but could not be scheduled to run on a physical CPU.</span><br />
<span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"><br /></span>
<span style="background-color: white; box-sizing: border-box; font-family: "metropolisregular"; font-size: 14px; font-weight: 700;">Note</span><span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;">: The result of the above calculations is the sum of each virtual CPU's %RDY time. The Ready time of an individual core can be roughly estimated by dividing by the number of cores, but it is more accurate to use the per-vCPU metrics themselves; vCPU metrics are only collected in real time by default.</span><br />
<span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"><br /></span>
<span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"><br /></span>
<b>Performance Threshold:</b><br />
10% per vCPU based on the following guide:<br />
Good: 1% to 5%<br />
Moderate: 6% to 9%<br />
Bad: 10%+<br />
<span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"><br /></span>
<span style="background-color: white; font-family: "metropolisregular"; font-size: 14px;"><br /></span>
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;">If the load average is too high, and the ready time is not caused by CPU limiting, adjust the CPU load on the host. </span></span><br />
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;"><br /></span></span>
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;">To adjust the CPU load on the host, either:</span></span><br />
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;">1) Increase the number of physical CPUs on the host</span></span><br />
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;">2) Decrease the number of virtual CPUs allocated to the host. To decrease the number of virtual CPUs allocated to the host, either:</span></span><br />
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;"> - Reduce the total number of CPUs allocated to all of the virtual machines running on the ESX host. For more information, see Determining if multiple virtual CPUs are causing performance issues (1005362).</span></span><br />
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;"> - Reduce the number of virtual machines running on the host.</span></span><br />
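Added example (not from this post, VMware, or the linked KB articles): a small Python helper that turns the vCenter CPU Ready "summation" counter (milliseconds per sample) into the percentage the guide above uses, splits it per vCPU, and rates it against the 10%-per-vCPU guide. The conversion (summation ms divided by the chart interval in ms, times 100) and the per-chart sampling intervals are assumed to follow KB 2002181 as recalled here; the threshold boundaries fill the gaps in the post's integer ranges, and the sample VMs are constructed.<br />

```python
"""Added example: CPU Ready summation (ms) -> %RDY per vCPU -> rating.

Assumptions (not from the post): the ms-to-percent conversion and the
per-chart sampling intervals follow VMware KB 2002181 as recalled; the
threshold boundaries interpolate the integer ranges given in the post;
the sample VMs are constructed.
"""

# Sampling interval of each vCenter performance chart, in seconds
# (assumption: values as listed in KB 2002181 for default statistics levels).
CHART_INTERVAL_S = {
    "realtime": 20,
    "day": 300,
    "week": 1800,
    "month": 7200,
    "year": 86400,
}


def ready_pct(summation_ms, chart="realtime"):
    """CPU Ready % for one sample: summation_ms / (interval_s * 1000) * 100.

    Multiplying before dividing keeps results exact for integer inputs.
    """
    interval_ms = CHART_INTERVAL_S[chart] * 1000
    return summation_ms * 100.0 / interval_ms


def per_vcpu_pct(summation_ms, vcpus, chart="realtime"):
    """Rough per-vCPU %RDY: the VM-level counter is the sum over all vCPUs,
    so divide by the vCPU count (the post notes that real per-vCPU metrics
    are more accurate, but they are only collected in real time)."""
    if vcpus < 1:
        raise ValueError("a VM has at least one vCPU")
    return ready_pct(summation_ms, chart) / vcpus


def rate(pct_per_vcpu):
    """Rate against the post's 10%-per-vCPU guide: good 1-5%, moderate 6-9%,
    bad 10%+ (assumption: boundaries at 6 and 10 to close the gaps)."""
    if pct_per_vcpu >= 10:
        return "bad"
    if pct_per_vcpu >= 6:
        return "moderate"
    return "good"


def assess(vms):
    """vms: iterable of (name, vcpus, summation_ms, chart).
    Returns a list of (name, total_pct, per_vcpu_pct, rating), worst first."""
    rows = []
    for name, vcpus, summation_ms, chart in vms:
        total = ready_pct(summation_ms, chart)
        each = per_vcpu_pct(summation_ms, vcpus, chart)
        rows.append((name, total, each, rate(each)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample: (VM name, vCPUs, CPU Ready summation in ms, chart)
SAMPLE_VMS = [
    ("web01", 4, 2400, "realtime"),   # 12% total, 3% per vCPU -> good
    ("db01", 8, 20000, "realtime"),   # 100% total, 12.5% per vCPU -> bad
    ("app01", 2, 45000, "day"),       # 15% total over 300 s, 7.5% per vCPU -> moderate
]

if __name__ == "__main__":
    for name, total, each, verdict in assess(SAMPLE_VMS):
        print(f"{name:6} total {total:6.1f}%  per vCPU {each:5.1f}%  {verdict}")
```

Feed it the summation values from the VM's CPU Ready chart together with the chart you read them from; reading a "past day" value as if it were a realtime sample inflates the percentage 15-fold, which is the usual reason two admins disagree about the same VM.<br />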
<br />
<br />
<span style="font-family: "metropolisregular";"><span style="font-size: 14px;"><br /></span></span>
<br />
<div style="background-color: white; border: 0px; color: #373737; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
For <span style="border: 0px; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Production server</span> workloads</div>
<div style="background-color: white; border: 0px; color: #373737; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">&lt;2.5% CPU Ready </strong>Generally No Problem!<br />
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">2.5%-5% CPU Ready </strong>Minimal contention that should be monitored during peak times<br />
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">5%-10% CPU Ready </strong>Significant Contention that should be investigated &amp; addressed<br />
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">&gt;10% CPU Ready </strong>Serious Contention to be investigated &amp; addressed ASAP!</div>
<span style="background-color: white; color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif; font-size: 15px;">However, applications which are latency sensitive may be severely impacted even with low levels of CPU ready, these types of VMs should be on clusters with lower CPU overcommitment, leverage DRS rules to separate the contending workloads or in extreme cases, dedicated clusters.</span><br />
<span style="background-color: white; color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif; font-size: 15px;"><br /></span>
<span style="background-color: white; color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif; font-size: 15px;">On the flip side, Some servers are much more tolerant to CPU ready, and 5%-10% CPU ready or higher may not noticeably impact performance.</span><br />
<span style="background-color: white; color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif; font-size: 15px;"><br /></span>
<br />
<div style="background-color: white; border: 0px; color: #373737; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
For <span style="border: 0px; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Virtual Desktop</span> workloads, what level of CPU ready is acceptable will largely depend on the individual user (i.e. Power User versus Task Worker). Keep in mind virtual desktop deployments generally have high CPU consolidation ratios of around 6:1 all the way to >12:1.</div>
<div style="background-color: white; border: 0px; color: #373737; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
I would suggest the following , again as a rule of thumb</div>
<div style="background-color: white; border: 0px; color: #373737; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><5% CPU Ready </strong>Generally No Problem!<br />
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">5%-10% CPU Ready </strong>Minimal contention that should be monitored during peak times<br />
<strong style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">>10% CPU Ready </strong>Contention to be investigated & addressed where the end user experience is being impacted.</div>
<div style="background-color: white; border: 0px; color: #373737; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
<b>Ready time greater than 10 percent could be a performance concern.
However, some less CPU-sensitive applications and VMs can have much
higher values of ready time and still perform satisfactorily. </b></div>
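The thresholds above are percentages, but vCenter performance charts and esxtop expose CPU Ready as a "summation" counter in milliseconds per sample (the values in the test table further down). The following is an added example, not code from the original post: it converts the summation counter into the per-vCPU percentage using the vSphere chart sample intervals (real-time charts use 20 s samples) and classifies the result against the production and virtual-desktop rules of thumb. The sample rows in the `__main__` block are constructed for the demo.<br />

```python
"""Convert the CPU Ready 'summation' counter (ms) into a percentage and
classify it against the rule-of-thumb thresholds above.
Added example, not part of the original post.

Formula (per vCPU): ready% = summation_ms / (interval_ms * vcpus) * 100
The VM-level summation counter adds up the ready time of every vCPU, so
dividing by the vCPU count gives the per-vCPU average the thresholds use.
"""

# Sample interval behind each vSphere performance chart, in ms.
INTERVAL_MS = {
    "realtime": 20_000,      # 20 s samples
    "day": 300_000,          # 5 min rollup
    "week": 1_800_000,       # 30 min rollup
    "month": 7_200_000,      # 2 h rollup
    "year": 86_400_000,      # 1 day rollup
}

# Thresholds from the rules of thumb above: (upper bound %, label).
PRODUCTION = [(2.5, "no problem"), (5.0, "monitor"), (10.0, "investigate")]
VDI = [(5.0, "no problem"), (10.0, "monitor")]


def cpu_ready_percent(summation_ms, vcpus, interval="realtime"):
    """Per-vCPU average CPU Ready % for one sample of the summation counter."""
    if vcpus < 1:
        raise ValueError("vcpus must be >= 1")
    return summation_ms / (INTERVAL_MS[interval] * vcpus) * 100.0


def classify(ready_pct, workload="production"):
    """Map a ready % onto the production or virtual-desktop rule of thumb."""
    bands = PRODUCTION if workload == "production" else VDI
    for upper, label in bands:
        if ready_pct < upper:
            return label
    # Above the last band, i.e. more than 10 % for both workload types.
    return "urgent" if workload == "production" else "investigate"


def report(samples, workload="production"):
    """samples: list of (name, summation_ms, vcpus) from a real-time chart.
    Returns (name, ready %, label) per sample."""
    rows = []
    for name, ms, vcpus in samples:
        pct = cpu_ready_percent(ms, vcpus)
        rows.append((name, round(pct, 2), classify(pct, workload)))
    return rows


if __name__ == "__main__":
    # Constructed samples: a 16-vCPU VM idle and under 4 stress tools,
    # and a 1-vCPU VM that waited 2.4 s of a 20 s sample.
    for row in report([("VM1 idle", 600, 16),
                       ("VM1 4x cpuz", 33500, 16),
                       ("small VM", 2400, 1)]):
        print(row)
```

A real-time chart value of 600 ms on a 16-vCPU VM is therefore only about 0.19 % ready, while the same 600 ms on a 1-vCPU VM is 3 %: always divide by the vCPU count before comparing against the thresholds.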
<div style="background-color: white; border: 0px; margin-bottom: 1.625em; outline: 0px; padding: 0px; vertical-align: baseline;">
<div style="color: #373737; font-family: "helvetica neue", helvetica, arial, sans-serif; font-size: 15px;">
<b><u>EXAMPLE:</u></b></div>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">HOST<span style="white-space: pre;"> </span>Dell R710<span style="white-space: pre;"> </span> </span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">CPU<span style="white-space: pre;"> </span>Xeon L5520 @ 2.2GHz</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">CPUs<span style="white-space: pre;"> </span>2 sock x 4 cores</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">CPU HT enabled<span style="white-space: pre;"> </span>yes</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">vCPUs<span style="white-space: pre;"> </span>16</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">ESXI<span style="white-space: pre;"> </span>6.0, 4192238</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">http://www.four2.org/cpubusy/cpubusy.zip</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ieKb765LJgf4b7H09txhmR-vUt16XzpbcMd1Hk6T2gMxa5Op1y6ibNArGruA-Ss6J9FCRXjcZqubVllMrIv8I0yLK6RHTQKS8df8VkMvCT9qWVSzsQEQ_sgvzPrndDk0Gxi1uNDK7SE/s1600/cpu-ready.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="425" data-original-width="1137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ieKb765LJgf4b7H09txhmR-vUt16XzpbcMd1Hk6T2gMxa5Op1y6ibNArGruA-Ss6J9FCRXjcZqubVllMrIv8I0yLK6RHTQKS8df8VkMvCT9qWVSzsQEQ_sgvzPrndDk0Gxi1uNDK7SE/s1600/cpu-ready.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>HOST CPU Ready</b></td></tr>
</tbody></table>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp8T1WA90UyaFnubGmZ1iveGDuhINIDjY5nCsCkVeM6iKQlrHVa_IzhxBDrGavNlnCqawPoKMc76qtMHXqNk6MSkAVsYg_h2prtbgnX6VB8NexqVpxv6GSiWtYY6pcLmogByCpOnAobRg/s1600/cpubusy.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="163" data-original-width="832" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp8T1WA90UyaFnubGmZ1iveGDuhINIDjY5nCsCkVeM6iKQlrHVa_IzhxBDrGavNlnCqawPoKMc76qtMHXqNk6MSkAVsYg_h2prtbgnX6VB8NexqVpxv6GSiWtYY6pcLmogByCpOnAobRg/s640/cpubusy.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Calculating CPU cycles and contention</b></td></tr>
</tbody></table>
<br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;">Results:</span></span><br />
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNO1pWjCPcfj3i38X_opC0AICLXBeRWxX0SPT5jVubZ5psDWmA3NnMznHoFw1XX-xxNh6VpQgx9tj-xRg4c2ihPb26w_Ywln2FAj3QB4ni1c3WgLkYJZZ3xtsJ5WLYcl6Y67K4d77OEKE/s1600/CPU-ready-results-2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="269" data-original-width="1110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNO1pWjCPcfj3i38X_opC0AICLXBeRWxX0SPT5jVubZ5psDWmA3NnMznHoFw1XX-xxNh6VpQgx9tj-xRg4c2ihPb26w_Ywln2FAj3QB4ni1c3WgLkYJZZ3xtsJ5WLYcl6Y67K4d77OEKE/s1600/CPU-ready-results-2.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Different configurations</td></tr>
</tbody></table>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<br />
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; width: 1182px;">
<colgroup><col style="mso-width-alt: 1678; mso-width-source: userset; width: 35pt;" width="47"></col>
<col style="mso-width-alt: 1991; mso-width-source: userset; width: 42pt;" width="56"></col>
<col style="mso-width-alt: 3925; mso-width-source: userset; width: 83pt;" width="110"></col>
<col style="mso-width-alt: 3128; mso-width-source: userset; width: 66pt;" width="88"></col>
<col span="4" style="mso-width-alt: 2218; mso-width-source: userset; width: 47pt;" width="62"></col>
<col span="2" style="mso-width-alt: 1450; mso-width-source: userset; width: 31pt;" width="41"></col>
<col style="mso-width-alt: 2616; mso-width-source: userset; width: 55pt;" width="74"></col>
<col style="mso-width-alt: 1735; mso-width-source: userset; width: 37pt;" width="49"></col>
<col style="mso-width-alt: 2616; mso-width-source: userset; width: 55pt;" width="74"></col>
<col style="mso-width-alt: 1450; mso-width-source: userset; width: 31pt;" width="41"></col>
<col style="mso-width-alt: 2616; mso-width-source: userset; width: 55pt;" width="74"></col>
<col style="mso-width-alt: 1450; mso-width-source: userset; width: 31pt;" width="41"></col>
<col style="mso-width-alt: 2958; mso-width-source: userset; width: 62pt;" width="83"></col>
<col style="mso-width-alt: 1450; mso-width-source: userset; width: 31pt;" width="41"></col>
<col style="mso-width-alt: 2616; mso-width-source: userset; width: 55pt;" width="74"></col>
</colgroup><tbody>
<tr height="19" style="height: 14.4pt;">
<td class="xl66" height="19" style="height: 14.4pt; width: 35pt;" width="47"></td>
<td class="xl69" style="width: 42pt;" width="56"></td>
<td class="xl69" style="width: 83pt;" width="110"></td>
<td class="xl69" style="width: 66pt;" width="88"></td>
<td class="xl69" style="width: 47pt;" width="62"></td>
<td class="xl69" style="width: 47pt;" width="62"></td>
<td class="xl69" style="width: 47pt;" width="62"></td>
<td class="xl69" style="width: 47pt;" width="62"></td>
<td class="xl66" style="width: 31pt;" width="41">HOST</td>
<td class="xl69" style="width: 31pt;" width="41"></td>
<td class="xl67" style="width: 55pt;" width="74"></td>
<td class="xl73" colspan="2" style="border-left: none; border-right: 1.0pt solid black; width: 92pt;" width="123">VM1</td>
<td class="xl81" colspan="2" style="border-left: none; border-right: 1.0pt solid black; width: 86pt;" width="115">VM2</td>
<td class="xl73" colspan="2" style="border-left: none; border-right: 1.0pt solid black; width: 93pt;" width="124">VM3</td>
<td class="xl70" colspan="2" style="border-right: 1.0pt solid black; width: 86pt;" width="115">VM4</td>
</tr>
<tr height="58" style="height: 43.2pt;">
<td class="xl68" height="58" style="height: 43.2pt;">VMs</td>
<td class="xl72" style="width: 42pt;" width="56">vCPU <br />
on Host</td>
<td class="xl65">CPU Stress</td>
<td class="xl72" style="width: 66pt;" width="88">VM1<br />
cpubusy-result</td>
<td class="xl65">VM1 CPU</td>
<td class="xl65">VM2 CPU</td>
<td class="xl65">VM3 CPU</td>
<td class="xl65">VM4 CPU</td>
<td class="xl75" style="width: 31pt;" width="41">CPU<br />
usage</td>
<td class="xl72" style="width: 31pt;" width="41"></td>
<td class="xl76" style="width: 55pt;" width="74">Summation<br />
Ready, ms</td>
<td class="xl79" style="border-left: none; width: 37pt;" width="49">CPU<br />
ready %</td>
<td class="xl77" style="width: 55pt;" width="74">Summation<br />
Ready, ms</td>
<td class="xl82" style="border-left: none; width: 31pt;" width="41">CPU<br />
ready %</td>
<td class="xl76" style="width: 55pt;" width="74">Summation<br />
Ready, ms</td>
<td class="xl79" style="border-left: none; width: 31pt;" width="41">CPU<br />
ready %</td>
<td class="xl77" style="width: 62pt;" width="83">Summation<br />
Ready, ms</td>
<td class="xl83" style="width: 31pt;" width="41">CPU<br />
ready %</td>
<td class="xl76" style="width: 55pt;" width="74">Summation<br />
Ready, ms</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl97" height="19" style="height: 14.4pt;">1</td>
<td class="xl98">16 vCPU</td>
<td class="xl98">cpubusy</td>
<td class="xl98">0.546</td>
<td class="xl98">12</td>
<td class="xl98">na</td>
<td class="xl98">na</td>
<td class="xl98">na</td>
<td class="xl97">~18</td>
<td class="xl98"></td>
<td class="xl99">500</td>
<td class="xl100" style="border-left: none;">0.2</td>
<td class="xl99">600</td>
<td class="xl106" style="border-left: none;">na</td>
<td class="xl99">na</td>
<td class="xl106" style="border-left: none;">na</td>
<td class="xl99">na</td>
<td class="xl108">na</td>
<td class="xl99">na</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl97" height="19" style="height: 14.4pt;">1</td>
<td class="xl98">16 vCPU</td>
<td class="xl98">cpuz+cpubusy</td>
<td class="xl98">0.905</td>
<td class="xl98">100</td>
<td class="xl98">na</td>
<td class="xl98">na</td>
<td class="xl98">na</td>
<td class="xl97">~51</td>
<td class="xl98"></td>
<td class="xl99">1330</td>
<td class="xl101" style="border-left: none;">0.4</td>
<td class="xl99">1400</td>
<td class="xl106" style="border-left: none;">na</td>
<td class="xl99">na</td>
<td class="xl106" style="border-left: none;">na</td>
<td class="xl99">na</td>
<td class="xl108">na</td>
<td class="xl99">na</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl94" height="19" style="height: 14.4pt;">2</td>
<td class="xl95">32 vCPU</td>
<td class="xl95">cpuz+cpubusy</td>
<td class="xl95">0.921</td>
<td class="xl95">100</td>
<td class="xl95">1</td>
<td class="xl95">na</td>
<td class="xl95">na</td>
<td class="xl94">~54</td>
<td class="xl95"></td>
<td class="xl96">4800</td>
<td class="xl102" style="border-left: none;">1.2</td>
<td class="xl96">3700</td>
<td class="xl107" style="border-left: none;">5.0</td>
<td class="xl96">1100</td>
<td class="xl107" style="border-left: none;">na</td>
<td class="xl96">na</td>
<td class="xl109">na</td>
<td class="xl96">na</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl94" height="19" style="height: 14.4pt;">3</td>
<td class="xl95">48 vCPU</td>
<td class="xl95">cpuz+cpubusy</td>
<td class="xl95">0.951</td>
<td class="xl95">100</td>
<td class="xl95">1</td>
<td class="xl95">1</td>
<td class="xl95">na</td>
<td class="xl94">~55</td>
<td class="xl95"></td>
<td class="xl96">7300</td>
<td class="xl102" style="border-left: none;">1.6</td>
<td class="xl96">5100</td>
<td class="xl107" style="border-left: none;">4.0</td>
<td class="xl96">1260</td>
<td class="xl107" style="border-left: none;">4.0</td>
<td class="xl96">1260</td>
<td class="xl109">na</td>
<td class="xl96">na</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl86" height="19" style="height: 14.4pt;">4</td>
<td class="xl84">64 vCPU</td>
<td class="xl84">cpuz+cpubusy</td>
<td class="xl84">0.811</td>
<td class="xl84">100</td>
<td class="xl84">1</td>
<td class="xl84">1</td>
<td class="xl84">1</td>
<td class="xl86">68</td>
<td class="xl84"></td>
<td class="xl85">10700</td>
<td class="xl103" style="border-left: none;">0.6</td>
<td class="xl85">1900</td>
<td class="xl103" style="border-left: none;">0.8</td>
<td class="xl85">2400</td>
<td class="xl103" style="border-left: none;">0.8</td>
<td class="xl85">2415</td>
<td class="xl110">1.5</td>
<td class="xl85">4800</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl91" height="19" style="height: 14.4pt;">4</td>
<td class="xl92">64 vCPU</td>
<td class="xl92">2 cpuz+cpubusy</td>
<td class="xl92">1.1-1.51</td>
<td class="xl92">100</td>
<td class="xl92">1</td>
<td class="xl92">100</td>
<td class="xl92">1</td>
<td class="xl91">80</td>
<td class="xl92"></td>
<td class="xl93">61900</td>
<td class="xl113" style="border-left: none;">8.2</td>
<td class="xl93">26300</td>
<td class="xl104" style="border-left: none;">0.8</td>
<td class="xl93">2500</td>
<td class="xl113" style="border-left: none;">9.9</td>
<td class="xl93">31800</td>
<td class="xl111">0.8</td>
<td class="xl93">2700</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl91" height="19" style="height: 14.4pt;">4</td>
<td class="xl92">64 vCPU</td>
<td class="xl92">4 cpuz+cpubusy</td>
<td class="xl92">2.4-3.1</td>
<td class="xl92">100</td>
<td class="xl92">100</td>
<td class="xl92">100</td>
<td class="xl92">100</td>
<td class="xl91">87</td>
<td class="xl92"></td>
<td class="xl93">128000</td>
<td class="xl113" style="border-left: none;">10.5</td>
<td class="xl93">33500</td>
<td class="xl113" style="border-left: none;">10.8</td>
<td class="xl93">34500</td>
<td class="xl113" style="border-left: none;">9.2</td>
<td class="xl93">29500</td>
<td class="xl114">10.0</td>
<td class="xl93">32000</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td class="xl86" height="19" style="height: 14.4pt;">4</td>
<td class="xl84">64 vCPU</td>
<td class="xl84">cpubusy</td>
<td class="xl84">0.561</td>
<td class="xl84">8</td>
<td class="xl84">2</td>
<td class="xl84">2</td>
<td class="xl84">2</td>
<td class="xl86">30</td>
<td class="xl84"></td>
<td class="xl85">7100</td>
<td class="xl103" style="border-left: none;">0.9</td>
<td class="xl85">3000</td>
<td class="xl103" style="border-left: none;">0.4</td>
<td class="xl85">1400</td>
<td class="xl103" style="border-left: none;">0.4</td>
<td class="xl85">1400</td>
<td class="xl110">0.5</td>
<td class="xl85">1660</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td class="xl87" height="20" style="height: 15.0pt;">6</td>
<td class="xl88">96 vCPU</td>
<td class="xl88">cpubusy</td>
<td class="xl89">0.561-0.577</td>
<td class="xl88">8</td>
<td class="xl88">2</td>
<td class="xl88">2</td>
<td class="xl88">2</td>
<td class="xl87">20</td>
<td class="xl88"></td>
<td class="xl90">13830</td>
<td class="xl105" style="border-left: none;">0.8</td>
<td class="xl90">2700</td>
<td class="xl105" style="border-left: none;">0.7</td>
<td class="xl90">2300</td>
<td class="xl105" style="border-left: none;">0.7</td>
<td class="xl90">2300</td>
<td class="xl112">0.7</td>
<td class="xl90">2300</td>
</tr>
</tbody></table>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi7oMmm5SLyTx7SWAjbyWX-56TySYhy3AoFZtBjvWUI-NDL1gczA28-VXdc6BoO-vlrAEhj7czJKD-zy01fNwxWNz_u0B3NLJ4lQKtIQjRYJsGl9JioZdMducz6MCxk8KlXVTMbDng6Bc/s1600/xorux-cpuready.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="595" data-original-width="1040" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi7oMmm5SLyTx7SWAjbyWX-56TySYhy3AoFZtBjvWUI-NDL1gczA28-VXdc6BoO-vlrAEhj7czJKD-zy01fNwxWNz_u0B3NLJ4lQKtIQjRYJsGl9JioZdMducz6MCxk8KlXVTMbDng6Bc/s640/xorux-cpuready.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Results in Xorux</b></td></tr>
</tbody></table>
<span style="color: #373737; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><span style="font-size: 15px;"><br /></span></span></div>
<span style="font-family: "metropolisregular";"><span style="background-color: white; font-size: 14px;"></span></span>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-26047700443304712622019-11-25T17:51:00.001+02:002019-11-25T17:51:35.105+02:00esxi 6.0 to 6.5 esxcli update upgrade manually cli vmware<br />
<a name='more'></a><br /><br />
[root@localhost:/vmfs/volumes/LOCAL]<br />
esxcli software sources profile list -d /vmfs/volumes/Local-DELL-R710-144/ESXi650-201908001.zip<br />
Name Vendor Acceptance Level<br />
------------------------------- ------------ ----------------<br />
ESXi-6.5.0-20190804001-no-tools VMware, Inc. PartnerSupported<br />
ESXi-6.5.0-20190804001-standard VMware, Inc. PartnerSupported<br />
<br />
<br />
esxcli software profile update -d /vmfs/volumes/Local-DELL-R710-144/ESXi650-201908001.zip -p ESXi-6.5.0-20190804001-standard<br />
<div>
<br /></div>
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-36896830387373811912019-06-05T12:16:00.002+03:002019-06-05T16:16:24.602+03:00Email security<a name='more'></a><br />
<b>1) Basic security: DNS MX, PTR</b><br />
<b>2) Advanced: Use SPF with DKIM and DMARC.</b><br />
<br />
<span style="background-color: #ffd966;">1) Basic security: DNS MX, PTR</span><br />
A mail domain must have an MX record, the MX host must resolve to an address (A record), and that address must have a PTR record pointing back to the MX host name:<br />
domain un.org --MX-> (1) unasav5.un.org --A--> (2) 157.150.241.16 --PTR-> (3) unasav5.un.org<br />
<br />
(1) must be the same as (3): this is forward-confirmed reverse DNS. Many receiving servers reject or score down mail from a host whose PTR does not match, and a loopback or private address in the chain means the MX is unusable from the Internet.<br />
<br />
>nslookup -q=mx un.org 8.8.8.8<br />
un.org MX preference = 10, mail exchanger = unasav5.un.org<br />
>nslookup -q=a unasav5.un.org<br />
Address: 157.150.241.16<br />
>nslookup -q=ptr 157.150.241.16<br />
16.241.150.157.in-addr.arpa name = unasav5.un.org<br />
<br />
Example when it is <b>not</b> configured:<br />
>nslookup -q=mx exmple.com 8.8.8.8<br />
exmple.com MX preference = 10, mail exchanger = localhost.exmple.com<br />
>nslookup -q=a localhost.exmple.com 8.8.8.8<br />
Address: 127.0.0.1<br />
>nslookup -q=ptr 127.0.0.1<br />
*** google-public-dns-a.google.com can't find 1.0.0.127.in-addr.arpa.: Non-existent domain<br />
<br />
<b style="background-color: #ffd966;">2) Advanced security</b><br />
<br />
SPF: a "firewall" for mail sources, i.e. which hosts may send mail for the domain.<br />
DKIM: a signature on the message, roughly what HTTPS does for a web site: the receiver can check that the mail really comes from the signing domain and was not altered.<br />
DMARC: what the receiver should do with mail that fails SPF and DKIM, and where to send reports.<br />
<br />
SPF lists the IP addresses/domains that are allowed to send messages for the domain (checked against the SMTP envelope sender, MAIL FROM).<br />
DKIM signs the message headers and a hash of the body with the domain's private key, so the receiver can verify that the content was not changed in transit and that the signing domain vouches for it.<br />
DMARC tells receivers how to handle mail that fails both checks, or whose passing domain does not align with the From: header, and where to send aggregate reports.<br />
<br />
<a href="https://toolbox.googleapps.com/apps/checkmx/">https://toolbox.googleapps.com/apps/checkmx/</a><br />
<a href="https://toolbox.googleapps.com/apps/dig/#TXT/">https://toolbox.googleapps.com/apps/dig/#TXT/</a><br />
<br />
===SPF<br />
Create a TXT record with the following values:<br />
Name/Host/Alias: Enter @ or leave it blank.<br />
TTL: Enter 3600 or leave the default.<br />
Value examples:<br />
v=spf1 include:_spf.google.com ~all<br />
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all<br />
v=spf1 include:serverdomain.com include:_spf.google.com ~all<br />
v=spf1 redirect=_spf.mail.ru<br />
Notes: ~all is softfail (message marked, usually still delivered), -all is fail (reject); there must be exactly one SPF record per domain; and the mechanisms that need DNS (include, redirect, a, mx, ptr, exists) are limited to 10 lookups in total, beyond which receivers return permerror. ip4/ip6 do not count, so prefer them for your own servers.<br />
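To make the MX/PTR check from section 1 and the SPF mechanisms above concrete, here is an added example (not code from the original post). It runs offline against a constructed DNS table: only the un.org chain mirrors the nslookup output above, every other record (example.net, _spf.mailer.test, loop.test, a-mech.test and their addresses) is made up for the demo, and `lookup` stands in for a real resolver. It implements the qualifiers, the ip4/ip6/include/a/mx/all mechanisms, the redirect modifier and the 10-lookup limit.<br />

```python
"""Forward-confirmed reverse DNS (MX -> A -> PTR) and SPF evaluation (RFC 7208)
against an offline, constructed DNS table.  Added example, not part of the
original post; the records below are illustrative, not live lookups."""
import ipaddress

DNS = {  # (name, type) -> list of record data; constructed for the demo
    ("un.org", "MX"): ["unasav5.un.org"],
    ("unasav5.un.org", "A"): ["157.150.241.16"],
    ("157.150.241.16", "PTR"): ["unasav5.un.org"],
    ("exmple.com", "MX"): ["localhost.exmple.com"],
    ("localhost.exmple.com", "A"): ["127.0.0.1"],        # loopback, no PTR
    ("example.net", "TXT"): ["v=spf1 ip4:172.16.254.1 include:_spf.mailer.test ~all"],
    ("_spf.mailer.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("loop.test", "TXT"): ["v=spf1 include:loop.test -all"],  # includes itself
    ("relay.test", "A"): ["198.51.100.9"],
    ("a-mech.test", "TXT"): ["v=spf1 a:relay.test -all"],
}


def lookup(name, rtype):
    """Stand-in for a DNS resolver."""
    return DNS.get((name.lower(), rtype), [])


def mx_ptr_check(domain):
    """Walk MX -> A -> PTR. Returns (mx, ip, ptr_names, ok) per MX/IP pair;
    ok means the address is globally routable and a PTR names the MX host."""
    results = []
    for mx in lookup(domain, "MX"):
        for ip in lookup(mx, "A") or [None]:
            ptrs = lookup(ip, "PTR") if ip else []
            routable = ip is not None and ipaddress.ip_address(ip).is_global
            ok = routable and mx.lower() in (p.lower() for p in ptrs)
            results.append((mx, ip, ptrs, ok))
    return results


MAX_LOOKUPS = 10   # RFC 7208 4.6.4: include, redirect, a, mx, ptr, exists count
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, _state=None):
    """Evaluate domain's SPF record for the connecting ip.
    Returns pass / fail / softfail / neutral / none / permerror."""
    state = _state if _state is not None else {"lookups": 0}
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # two SPF records is a permanent error
    sender = ipaddress.ip_address(ip)

    def count_lookup():
        state["lookups"] += 1
        return state["lookups"] <= MAX_LOOKUPS

    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only used if nothing matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a network of the other IP version simply does not contain sender
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            if not count_lookup():
                return "permerror"
            inner = check_spf(ip, arg, state)
            if inner in ("permerror", "none"):
                return "permerror"      # included domain without SPF is an error
            matched = inner == "pass"
        elif mech in ("a", "mx"):
            if not count_lookup():
                return "permerror"
            target = arg or domain
            hosts = [target] if mech == "a" else lookup(target, "MX")
            matched = any(str(sender) in lookup(h, "A") for h in hosts)
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    if redirect:
        if not count_lookup():
            return "permerror"
        return check_spf(ip, redirect, state)
    return "neutral"                    # nothing matched and no redirect
```

Note the loop.test record: an include chain that never terminates is caught by the lookup counter and reported as permerror, which is also what happens to real records that grow past 10 lookups through nested includes.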
<br />
<br />
<br />
===DKIM<br />
DKIM adds a digital signature (the DKIM-Signature header) to every outgoing message.<br />
Receiving servers fetch the sender's public key from DNS and verify the signature, which confirms that the signed headers and the body were not changed after the message was signed.<br />
<br />
<br />
DKIM uses a key pair, one private and one public.<br />
The private key, held by the sending server, signs selected headers plus a hash of the body and adds the result as a DKIM-Signature header to every outgoing message from your domain.<br />
The matching public key is published as a DNS TXT record under the domain. Receiving servers use it to verify the signature and so confirm both the signing domain and message integrity.<br />
When you turn on email authentication in Gmail, outgoing messages start carrying this signature. DKIM signs; it does not encrypt, and the message stays readable in transit.<br />
<br />
1) Generate the domain key (the key pair) for your domain.<br />
2) Publish the public key in your domain's DNS. Receiving servers fetch it to verify DKIM signatures.<br />
3) Turn on DKIM signing so that every outgoing message gets a DKIM-Signature header.<br />
<br />
DNS: the public key is a TXT record named <selector>._domainkey.<domain> (for Gmail's default selector: google._domainkey.mydomain.com).<br />
In this example the key is split into two quoted strings, because a single TXT string is limited to 255 characters; resolvers concatenate them:<br />
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAraC3pqvqTkAfXhUn7Kn3JUNMwDkZ65ftwXH58anno/bElnTDAd/idk8kWpslrQIMsvVKAe+mvmBEnpXzJL+0LgTNVTQctUujyilWvcONRd/z37I34y6WUIbFn4ytkzkdoVmeTt32f5LxegfYP4P/w7QGN1mOcnE2Qd5SKIZv3Ia1p9d6uCaVGI8brE/7zM5c/"<br />
"zMthVPE2WZKA28+QomQDH7ludLGhXGxpc7kZZCoB5lQiP0o07Ful33fcED73BS9Bt1SNhnrs5v7oq1pIab0LEtHsFHAZmGJDjybPA7OWWaV3L814r/JfU2NK1eNu9xYJwA8YW7WosL45CSkyp4QeQIDAQAB"<br />
<br />
<br />
Check: in the message header, find the line starting with "DKIM-Signature". d= is the signing domain and s= is the selector; the verifier fetches the public key from s._domainkey.d (here google._domainkey.mydomain.com), bh= is the body hash and b= the signature itself:<br />
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=google;<br />
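The cheapest DKIM check a receiver (or an incident responder looking at a suspicious message) can do without any key material is recomputing the body hash in bh=. The following is an added example, not code from the original post: it implements the simple and relaxed body canonicalizations from RFC 6376, parses the tag list of a DKIM-Signature header, derives the DNS name of the public key, and compares the recomputed hash with bh=. It deliberately stops short of verifying the RSA signature in b=, which needs the published key and a crypto library; `make_signature_header` only builds the header a signer would emit before computing b= and leaves b= empty.<br />

```python
"""DKIM body-hash (bh=) verification with simple/relaxed canonicalization
(RFC 6376) and the DNS name the public key is fetched from.
Added example, not part of the original post; no RSA verification here."""
import base64
import hashlib
import re


def simple_body(body):
    """'simple' canonicalization: drop empty lines at the end; the body always
    ends with one CRLF (an empty body becomes a single CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def relaxed_body(body):
    """'relaxed' canonicalization: collapse runs of SP/TAB to one space, drop
    trailing whitespace and trailing empty lines; an empty body stays empty."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon="relaxed", algo="sha256"):
    """base64(hash(canonicalized body)), the value carried in bh=."""
    canonical = (relaxed_body if canon == "relaxed" else simple_body)(body)
    digest = hashlib.new(algo, canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(value):
    """tag=value list of a DKIM-Signature header; folding whitespace inside
    values (common in b= and bh=) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(signature_value, body):
    """Recompute bh= from the received body and compare with the header."""
    tags = parse_dkim_signature(signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # c=relaxed alone means relaxed/simple
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]      # rsa-sha256 -> sha256
    return body_hash(body, body_canon, algo) == tags.get("bh")


def make_signature_header(body, domain, selector):
    """The header a signer builds before computing b= (left empty here)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")
```

Because relaxed canonicalization collapses whitespace, a body whose spacing was re-wrapped by an intermediate server still verifies, while any change to the visible text does not; that is the trade-off between c=simple and c=relaxed.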
<br />
<br />
====DMARC<br />
DMARC uses SPF and DKIM to verify that messages are authentic.<br />
Messages that do not pass SPF or DKIM trigger your DMARC policy.<br />
<br />
To turn on DMARC, update your domain settings with a DNS TXT record.<br />
<br />
TXT record name: In the first field, under DNS Host name, enter:<br />
_dmarc.solarmora.com<br />
<br />
TXT record value: In the second field, enter the values that define your DMARC policy, for example:<br />
v=DMARC1; rua=mailto:dmarc-reports@solarmora.com; p=quarantine; pct=90; sp=none<br />
<br />
<br />
<br />
To pass the DMARC check:<br />
- Incoming messages must be authenticated by DKIM, SPF, or both.<br />
- The authenticated domain (the DKIM d= domain or the SPF envelope-sender domain) must align with the domain in the message's From: header. Alignment is relaxed by default (same organizational domain) or strict (exact match, adkim=s / aspf=s).<br />
<br />
The policy is in the form of a DNS TXT record, and defines how your domain handles suspicious emails.<br />
A DMARC policy supports three ways to handle suspicious emails:<br />
- Take no action on the message and log it in a daily report.<br />
ex: v=DMARC1; p=none; rua=mailto:dmarc@solarmora.com<br />
<br />
- Quarantine the message. Gmail puts these messages in the recipient's spam folder. pct= limits the share of failing messages the policy is applied to; the rest get the next-weaker action.<br />
ex: v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc@solarmora.com<br />
<br />
- Tell the receiving server to reject the message. This also causes an SMTP bounce to the sender.<br />
ex: v=DMARC1; p=reject; rua=mailto:postmaster@solarmora.com, mailto:dmarc@solarmora.com<br />
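To see how a receiver turns the SPF/DKIM outcome plus the From: header into a disposition, here is an added example, not code from the original post. It parses the solarmora.com records above, checks identifier alignment in relaxed and strict mode, applies p=/sp=/pct= and filters the report URIs. One simplification is labelled in the code: `org_domain` takes the last two labels, whereas real receivers consult the Public Suffix List. The `roll` argument replaces the random draw a receiver uses for pct= so the result is deterministic.<br />

```python
"""DMARC record parsing, identifier alignment and policy disposition
(RFC 7489).  Added example, not part of the original post."""


def parse_dmarc(txt):
    """Tag list -> dict with defaults. v=DMARC1 must come first; p= is required,
    except that a record with rua= but no p= is treated as p=none."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip().lower()] = val.strip()
    if "p" not in tags:
        if "rua" not in tags:
            raise ValueError("p= is required")
        tags["p"] = "none"
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment
    tags.setdefault("aspf", "r")    # relaxed SPF alignment
    tags.setdefault("pct", "100")
    return tags


def report_uris(tags, which="rua"):
    """Only well-formed mailto: URIs are used; a bare address is ignored."""
    uris = [u.strip() for u in tags.get(which, "").split(",") if u.strip()]
    return [u for u in uris if u.lower().startswith("mailto:") and "@" in u]


def org_domain(domain):
    """Simplification: last two labels. Receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """strict (s): exact match; relaxed (r): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record_txt, from_domain, spf_result=None, spf_domain=None,
                   dkim_result=None, dkim_domain=None, roll=0):
    """Returns (result, disposition) for one message.
    spf_domain is the envelope-sender domain, dkim_domain the DKIM d= value.
    roll is the 0-99 sampling draw for pct=; draws at or above pct get the
    next-weaker action (reject -> quarantine -> none)."""
    tags = parse_dmarc(record_txt)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain):   # From: is a subdomain
        policy = tags.get("sp", policy)
    if roll >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy
```

The fourth case in the test below is the one that matters for spoofing: SPF can pass for a third-party bulk sender's own domain, yet DMARC still fails because that domain does not align with the From: header the user sees.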
<div>
<br /></div>
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-52031523947737506662019-04-25T15:10:00.002+03:002019-04-25T15:10:57.937+03:00DDOS/udpsenderSChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-28279480456150422472019-01-20T12:49:00.000+02:002021-12-07T13:43:50.369+02:00VMWARE ESXI 6.5/6.7 NFS4.1, CLI update<b><u></u></b><br />
<a name='more'></a><b><u>ESXi 5.1 update via CLI:</u></b><br />
<b>- enable ssh on host</b><br />
<blockquote class="tr_bq">
vim-cmd /hostsvc/maintenance_mode_enter<br />
esxcli network firewall ruleset set -e true -r httpClient<br />
esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-5.5<br />
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20180904001-standard<br />
reboot<br />
esxcli network firewall ruleset set -e false -r httpClient<br />
vim-cmd /hostsvc/maintenance_mode_exit</blockquote>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u>NFS4.1 FreeNAS issue:</u></b><br />
https://www.ixsystems.com/community/threads/nfs-4-1-datastore-mounted-as-read-only.69173/<br />
<br />
ESX 6.5 NFSv4.1 mounts do not work well, due to what I believe are violations of RFC-5661 and should not be used.<br />
https://redmine.ixsystems.com/projects/freenas/repository/os/revisions/5fb1d5502de565b42474155a4ba4ed73af268b82<br />
<br />
<br />
<br />
<br />
<b><u>NFS on Centos 7</u></b><br />
<br />
yum install nfs-utils<br />
mkdir /mnt/nfs41<br />
chmod -R 755 /mnt/nfs41<br />
chown nfsnobody:nfsnobody /mnt/nfs41<br />
<br />
<br />
systemctl enable rpcbind<br />
systemctl enable nfs-server<br />
systemctl enable nfs-lock<br />
systemctl enable nfs-idmap<br />
systemctl start rpcbind<br />
systemctl start nfs-server<br />
systemctl start nfs-lock<br />
systemctl start nfs-idmap<br />
<br />
nano /etc/exports<br />
/mnt/nfs41 *(rw,sync,no_root_squash,no_all_squash)<br />
ESXi mounts NFS datastores as root, so no_root_squash is required, but together with * this exports a root-writable share to every host that can reach the server. Restrict the export to the ESXi hosts or their subnet (example addresses): /mnt/nfs41 192.0.2.10(rw,sync,no_root_squash) 192.0.2.11(rw,sync,no_root_squash), and filter the NFS ports at the firewall.<br />
<br />
systemctl restart nfs-server<br />
<br />
<br />
[root@centos7 nfs41]# showmount -e localhost<br />
Export list for localhost:<br />
/mnt/nfs41 *<br />
[root@centos7 nfs41]#SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-88012273217052562042018-09-17T12:47:00.000+03:002019-02-18T12:03:25.380+02:00IELTS xp<br />
<br />
<a name='more'></a><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWNOsLuflfom-0RYMRPp6XxgvAuioY4yh3MK1V7xrxU1g_wNvsz6Ek6n7LHYVkov06Zr3M1dvwC7WrsM4ziM6HyIRcwjzaROhB4XtPkWfVC0K_8OeITJJsTqoAX_8N5okMWo_S7PKPgU/s1600/TakeIELTSROguidedesign2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="795" data-original-width="740" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWNOsLuflfom-0RYMRPp6XxgvAuioY4yh3MK1V7xrxU1g_wNvsz6Ek6n7LHYVkov06Zr3M1dvwC7WrsM4ziM6HyIRcwjzaROhB4XtPkWfVC0K_8OeITJJsTqoAX_8N5okMWo_S7PKPgU/s1600/TakeIELTSROguidedesign2.png" /></a></div>
<br />
Todo:<br />
- personal vocabulary<br />
- topic keywords<br />
- pdf,<br />
<br />
<br />
<span style="background-color: #fff2cc;">pencil - creion</span><br />
<span style="background-color: #fff2cc;">pen - pix, toc</span><br />
<br />
<br />
Start prep time ~ 03 sept 2018<br />
<br />
<br />
<span style="font-size: large;"><u>FAQ</u></span><br />
<b>1) Versions</b><br />
Academic - for those who want to study at a tertiary level in an English-speaking country.<br />
GT General Training - is for those who want to do work experience or training programs or migrate to an English-speaking country.<br />
LS/SPK - SAME<br />
<span style="background-color: #fff2cc;">RD/WR - DIFF </span><br />
<br />
<b>2) Format</b><br />
The total test time is 2 hours and 45 minutes.<br />
<br />
<b><span style="background-color: #fff2cc;">2.1) Listening</span> </b>30 minutes, <span style="background-color: #f4cccc;">ONLY pencil</span>, the audio is played only once, not repeated, +10 minutes to transfer answer.<br />
<b>Listening Test Format</b><br />
- Section 1: A conversation between two speakers in a social or semi-official context.<br />
- Section 2: A talk by a single speaker based on a non-academic situation.<br />
- Section 3: A conversation with up to four speakers based on academic topics or course-related situations.<br />
- Section 4: A university-style lecture or talk.<br />
* The questions mostly follow the same sequence as the information in the Listening recording.<br />
* Write your answers directly into the question booklet; do not write on the answer sheet at this time. You are given 10 minutes to transfer your answers at the end of the test.<br />
<br />
<span style="background-color: #fff2cc;"><b>2.2) Reading </b></span>- 60 minutes, <span style="background-color: #f4cccc;">ONLY pencil</span>, you must write all your answers on the answer sheet in this time.<br />
- Section 1 - 1, 2 or 3 texts (usually 2). Each text could be an advertisement for a hotel, shop, college, sports centre or office. The texts are not long and are factual rather than descriptive.<br />
- Section 2 may also consist of more than one text and often relates to courses of a college, leaflet and content related to work and living in an English speaking country.<br />
- Section 3 is usually a long reading passage and the hardest among the three reading passages.<br />
<br />
<b style="background-color: #fff2cc;">2.3) Writing</b> - 60 minutes, <span style="background-color: #f4cccc;">pen OR pencil</span><br />
Task 1 - a letter of at least 150 words requesting information or explaining a situation.<br />
Task 2 - candidates are presented with a point of view, argument or problem and must write at least 250 words.<br />
<span style="background-color: #f4cccc;"><br /></span>
<b style="background-color: #fff2cc;">2.4) Speaking</b> - 11–14 minutes<br />
Consists of an interview with a trained examiner, and is recorded on a tape recorder.<br />
However, this recording is made to assess the examiner and not the candidate.<br />
There are 3 parts to the Speaking sub-test.<br />
<br />
The Listening, Reading and Writing tests are done in one sitting.<br />
The Speaking test may be on the same day or up to seven days before or after the other tests.<br />
<br />
<b>- What can I bring into the examination room?</b><br />
Only pens, pencils and erasers.<br />
You must bring the passport/national identity card you used on the IELTS Application Form<br />
<br />
https://ieltsninja.com/content/ielts-writing-task-2-questions/?utm_source=email&utm_medium=newsletter<br />
<br />
https://ieltsninja.com/content/how-to-build-an-ielts-writing-task-2-vocabulary-using-our-expert-tips/<br />
<br />
<b>3) IELTS sites</b><br />
<a href="http://www.ielts-practice.org/writing-correction-service/">http://www.ielts-practice.org/writing-correction-service/</a><br />
<br />
<a href="https://www.testbig.com/ielts">https://www.testbig.com/ielts-writing-task-ii-ielts-general-training-essays/men-are-naturally-better-women-certain-kinds</a><br />
<br />
<a href="https://ielts-simon.com/ielts-help-and-english-pr/2017/06/ielts-writing-task-2-homework-essay.html">https://ielts-simon.com/ielts-help-and-english-pr/2017/06/ielts-writing-task-2-homework-essay.html</a><br />
<br />
<b>Libraries of the future</b><br />
<div>
<a href="https://www.dw.com/en/libraries-of-the-future/av-47433742">https://www.dw.com/en/libraries-of-the-future/av-47433742</a></div>
<div>
<br /></div>
<br />
<br />
https://www.youtube.com/watch?v=i0nRPDfpbkY<br />
I don't know why it didn't occur to me until now, but does anyone else think that the conductor looks like a wizard casting spells?<br />
I've seen this at least 50 times and I still love how much the conductor is into this. Look at his face! That is pure ecstasy on that last earth-shattering note. Lucky bastard!<br />
<br />
<br />
<br />
<br />
<br />
<b>4) Reading practice</b><br />
<a href="https://www.nationalgeographic.com/travel/destinations/europe/moldova/worlds-largest-wine-cellar/">https://www.nationalgeographic.com/travel/destinations/europe/moldova/worlds-largest-wine-cellar/</a><br />
<br />
<br />
<a href="https://www.grammarbook.com/grammar/subjectVerbAgree.asp">https://www.grammarbook.com/grammar/subjectVerbAgree.asp</a><br />
<br />
<br />
<b>5) Sample Tests</b><br />
<a href="https://www.ielts.org/about-the-test/sample-test-questions">https://www.ielts.org/about-the-test/sample-test-questions</a><br />
<a href="https://takeielts.britishcouncil.org/prepare-test/free-practice-tests">https://takeielts.britishcouncil.org/prepare-test/free-practice-tests</a><br />
<a href="https://www.ieltsessentials.com/global/prepare/freepracticetests">https://www.ieltsessentials.com/global/prepare/freepracticetests</a><br />
<a href="https://www.ielts-exam.net/ielts_reading/">https://www.ielts-exam.net/ielts_reading/</a><br />
<a href="https://www.blogger.com/goog_1766691456"><br /></a>
<a href="https://www.youtube.com/watch?v=q4trEgPCbSU">https://www.youtube.com/watch?v=q4trEgPCbSU</a><br />
<br />
<b><a href="http://ielts-up.com/listening/ielts-listening-practice.html">http://ielts-up.com/listening/ielts-listening-practice.html</a></b><br />
<br />
<a href="http://ielts-up.com/writing/ielts-essay-vocabulary.html">http://ielts-up.com/writing/ielts-essay-vocabulary.html</a><br />
<br />
<a href="https://ieltsonlinetests.com/ielts-mock-test-2018-november-reading-practice-test-2/solution">https://ieltsonlinetests.com/ielts-mock-test-2018-november-reading-practice-test-2/solution</a><br />
<br />
<a href="https://www.ieltstestonline.com/amember4/signup/free-trial-module">https://www.ieltstestonline.com/amember4/signup/free-trial-module</a><br />
<br />
<br />
<span style="font-size: large;"><u>IELTS Tips and Strategy (needed for me)</u></span><br />
<br />
<b>==Reading</b><br />
-Read the instructions carefully<br />
-Read the questions first.<br />
-Read the incomplete sentences first<br />
- "72" or "state-of-the-art" counts as one word.<br />
-Don't forget about "Not given" when "true/false" is asked<br />
<br />
<br />
==Listening<br />
- no abbreviations (write "30 seconds", not "30s" or "30sec")<br />
- use plural form when asked/needed<br />
<br />
triathlon<br />
https://ieltsonlinetests.com/ielts-recent-actual-test-answers-speaking-practice-test-1SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-60119664718933344122017-12-09T23:34:00.000+02:002017-12-09T23:49:37.226+02:00EIGRP Load balancing and EIGRP Traffic Sharing<br />
<a name='more'></a><br />
<a href="https://learningnetwork.cisco.com/thread/99664">https://learningnetwork.cisco.com/thread/99664</a><br />
<br />
1. EIGRP load balancing and EIGRP traffic sharing are two different things.<br />
<br />
Load balancing decides which routes to the same destination are installed in the routing table.<br />
Traffic sharing decides how traffic is actually spread over those routes: per-destination or per-packet.<br />
<br />
By default IOS installs all equal-cost routes to the same destination and uses per-destination sharing to forward packets (CEF: <b>ip load-sharing per-destination</b>).<br />
Per-packet sharing is enabled per interface with <b>ip load-sharing per-packet</b> (CEF is required for it).<br />
Per-packet sharing spreads the load most evenly, but packets of one flow can arrive out of order, which hurts TCP and voice; per-destination keeps each flow on one path, so it is the usual choice.<br />
<br />
2. EIGRP load balancing comes in two types: a) equal-cost load balancing, b) unequal-cost load balancing.<br />
a) Equal cost - routes with the same metric to the same destination network are put in the routing table.<br />
b) Unequal cost - routes with different metrics to the same destination network are put in the routing table (using the <b>variance</b> command; only feasible successors qualify, i.e. the neighbour's reported distance must be lower than the successor's feasible distance).<br />
<br />
<br />
3. In EIGRP equal-cost load balancing, two paths with the same metric get the same traffic share count (one packet on each path).<br />
EIGRP (like other routing protocols) puts routes with the same metric in the routing table by default.<br />
How packets are transmitted over them is a separate matter (per-destination or per-packet).<br />
<br />
4. In EIGRP unequal-cost load balancing, paths with different metrics are installed as well, provided their metric is within <b>variance</b> times the successor's metric; the variance value only decides which paths are installed, not how much traffic each carries.<br />
Among Cisco IGPs, EIGRP (and the older IGRP) are the only ones that do unequal-cost load balancing.<br />
<br />
5. With unequal-cost paths the load is shared unequally: the traffic share count of each path is inversely proportional to its metric (in the outputs below 10 packets go via the 161280 path for every 1 via the 1636608 path).<br />
<br />
Traffic sharing across those routes is still per-destination unless per-packet sharing is configured.<br />
<br />
The <b>traffic-share</b> command under the EIGRP process selects between:<br />
1) balanced (default): traffic share counts inversely proportional to the metric of each route installed in the RIB.<br />
2) min across-interfaces: all traffic is sent over the minimum-metric path(s), preferring paths on different interfaces when several have the same minimum metric; higher-metric paths stay in the RIB (so failover is immediate) but carry no traffic.<br />
<br />
<blockquote class="tr_bq">
R1#<b> sh ip eigrp topology</b><br />
P 8.8.8.8/32, 1 successors, FD is 161280<br />
via 192.168.2.2 (161280/158720), FastEthernet0/0<br />
via 192.168.1.1 (1636608/158720), FastEthernet1/0</blockquote>
<br />
<blockquote class="tr_bq">
R1# <b>sh ip route 8.8.8.8 255.255.255.255 longer-prefixes</b><br />
8.0.0.0/32 is subnetted, 3 subnets<br />
D 8.8.8.8 [90/1636608] via 192.168.1.1, 01:08:37, FastEthernet1/0<br />
[90/161280] via 192.168.2.2, 01:08:37, FastEthernet0/0<br />
R1#<br />
<div>
<br /></div>
</blockquote>
<br />
<blockquote class="tr_bq">
R1# <b>sh ip route 8.8.8.8 255.255.255.255</b><br />
Routing entry for 8.8.8.8/32<br />
Known via "eigrp 1", distance 90, metric 161280, type internal<br />
Redistributing via eigrp 1<br />
Last update from 192.168.1.1 on FastEthernet1/0, 01:08:32 ago<br />
Routing Descriptor Blocks:<br />
192.168.1.1, from 192.168.1.1, 01:08:32 ago, via FastEthernet1/0<br />
<b><span style="color: blue;">Route metric is 1636608, traffic share count is 1</span></b><br />
Total delay is 62930 microseconds, minimum bandwidth is 100000 Kbit<br />
Reliability 255/255, minimum MTU 1500 bytes<br />
Loading 1/255, Hops 3<br />
* 192.168.2.2, from 192.168.2.2, 01:08:32 ago, via FastEthernet0/0<br />
<b><span style="color: blue;">Route metric is 161280, traffic share count is 10</span></b><br />
Total delay is 5300 microseconds, minimum bandwidth is 100000 Kbit<br />
Reliability 255/255, minimum MTU 1500 bytes<br />
Loading 1/255, Hops 3</blockquote>
<br />
<blockquote class="tr_bq">
R1#<b>sh ip cef 8.8.8.8 255.255.255.255</b><br />
8.8.8.8/32, version 20, epoch 0, per-destination sharing<br />
0 packets, 0 bytes<br />
via 192.168.1.1, FastEthernet1/0, 0 dependencies<br />
<b> <u><span style="color: blue;">traffic share 1</span></u></b> next hop 192.168.1.1, FastEthernet1/0<br />
valid adjacency<br />
via 192.168.2.2, FastEthernet0/0, 0 dependencies<br />
<span style="color: blue;"> </span><b><u><span style="color: blue;">traffic share 10</span></u></b> next hop 192.168.2.2, FastEthernet0/0<br />
valid adjacency<br />
R1#</blockquote>
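The arithmetic behind the outputs above, as an added example that is not part of the original post or of IOS: the classic EIGRP composite metric with default K values reproduces the two metrics from the delay and bandwidth values shown by <b>show ip route</b> (256 * (10^7/100000 + 62930/10) = 1636608 and 256 * (10^7/100000 + 5300/10) = 161280), the feasibility condition and <b>variance</b> decide which paths land in the RIB, and the traffic share counts follow from dividing the highest installed metric by each path's metric (10:1 here). The floor-division share formula is the conventional IOS one and is an assumption only in that the boundary case of exactly equal ratios is not exercised by these numbers.

```python
"""Classic EIGRP metric, feasibility/variance and traffic-share arithmetic.

Added example (not from the original post or Cisco IOS).  The numbers are
taken from the 'show ip eigrp topology' and 'show ip route 8.8.8.8' outputs
for 8.8.8.8/32; everything else is plain arithmetic.
"""
from dataclasses import dataclass
import math

# Default K values: K1 = K3 = 1, K2 = K4 = K5 = 0 (bandwidth + delay only).
K1, K3 = 1, 1


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int) -> int:
    """Classic 32-bit composite metric: 256 * (10^7 / min BW + total delay / 10)."""
    return 256 * (K1 * (10**7 // min_bw_kbps) + K3 * (total_delay_usec // 10))


@dataclass(frozen=True)
class Path:
    next_hop: str
    fd: int   # metric as seen by this router (first number in the topology table)
    rd: int   # reported distance advertised by the neighbour (second number)


def successor_fd(paths):
    """Feasible distance of the successor: the lowest metric among all paths."""
    return min(p.fd for p in paths)


def feasible_successors(paths):
    """Paths that satisfy the feasibility condition RD < FD(successor)."""
    best = successor_fd(paths)
    return [p for p in paths if p.rd < best]


def installed_paths(paths, variance=1):
    """Paths EIGRP installs in the RIB for a given 'variance' value.

    A path must be loop-free (feasible) and its metric must not exceed
    variance * successor metric.  The successor itself always qualifies.
    """
    best = successor_fd(paths)
    return [p for p in feasible_successors(paths) if p.fd <= variance * best]


def min_variance(paths):
    """Smallest integer 'variance' that installs every feasible successor."""
    best = successor_fd(paths)
    worst = max(p.fd for p in feasible_successors(paths))
    return math.ceil(worst / best)


def traffic_share(paths, mode="balanced"):
    """Traffic share counts as shown by 'show ip route' / 'show ip cef'.

    balanced: each count = floor(highest installed metric / this metric),
              i.e. inversely proportional to the metric.
    min:      'traffic-share min across-interfaces': only the lowest-metric
              path(s) carry traffic, the others stay in the RIB with share 0.
    """
    highest = max(p.fd for p in paths)
    lowest = min(p.fd for p in paths)
    if mode == "min":
        return {p.next_hop: (1 if p.fd == lowest else 0) for p in paths}
    return {p.next_hop: highest // p.fd for p in paths}


# Worked example with the page's topology table for 8.8.8.8/32.
R1_PATHS = [
    Path("192.168.2.2", eigrp_metric(100000, 5300), 158720),   # metric 161280
    Path("192.168.1.1", eigrp_metric(100000, 62930), 158720),  # metric 1636608
]

if __name__ == "__main__":
    print("successor FD:", successor_fd(R1_PATHS))
    print("variance needed to install both:", min_variance(R1_PATHS))
    for p in installed_paths(R1_PATHS, variance=min_variance(R1_PATHS)):
        print(" installed via", p.next_hop, "metric", p.fd)
    print("traffic-share balanced:", traffic_share(R1_PATHS))
    print("traffic-share min:", traffic_share(R1_PATHS, "min"))
```

With variance 1 only 192.168.2.2 is installed; variance 11 is the first value that also installs the 1636608 path, and the balanced share counts then come out as 10 and 1, matching the blue lines in the outputs above.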
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Please check the links below for more complete information:<br />
<a href="http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5212-46.html">http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5212-46.html</a><br />
<a href="http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13677-19.html">http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13677-19.html</a>SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-66312428774944290282017-12-06T20:07:00.001+02:002017-12-06T20:11:04.735+02:002017 CCNP RS, NAT64 lab<div class="tr_bq">
</div>
<a name='more'></a><br />
<br />
Source:<br />
<a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf</a><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_r269yWphWvUo6-k_kFEjj5c_BsQ4wnsIiwvs1D3vA2koJ74fJdEUfzrFDGknyOuayc1T01bUWXS8wR_4C6oAqPH9ZR7mH_hgy-epipK4acG57_HAqy4oic_ldqEADE0AvBkK6F8T_Eg/s1600/nat64.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="230" data-original-width="802" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_r269yWphWvUo6-k_kFEjj5c_BsQ4wnsIiwvs1D3vA2koJ74fJdEUfzrFDGknyOuayc1T01bUWXS8wR_4C6oAqPH9ZR7mH_hgy-epipK4acG57_HAqy4oic_ldqEADE0AvBkK6F8T_Eg/s640/nat64.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">NAT64 topology</span></td></tr>
</tbody></table>
<br />
<br />
<span style="font-size: large;"><b>HOSTS</b></span><br />
<blockquote class="tr_bq">
VPCS> set pcname ipv4<br />
ipv4> ip 10.0.0.2/24 10.0.0.1<br />
ipv4> show ip<br />
NAME : ipv4[1]<br />
IP/MASK : 10.0.0.2/24<br />
GATEWAY : 10.0.0.1<br />
!<br />
ipv4> ping 10.0.0.1<br />
10.0.0.1 icmp_seq=1 timeout<br />
84 bytes from 10.0.0.1 icmp_seq=2 ttl=255 time=3.623 ms<br />
84 bytes from 10.0.0.1 icmp_seq=3 ttl=255 time=1.647 ms</blockquote>
<blockquote class="tr_bq">
VPCS> set pcname ipv6<br />ipv6> ip 2001:DB8:1::2/96 2001:DB8:1::1<br />ipv6> show ipv6<br />NAME : ipv6[1]<br />LINK-LOCAL SCOPE : fe80::250:79ff:fe66:680b/64<br />GLOBAL SCOPE : 2001:db8:1::2/96<br />!<br />ipv6> ping 2001:db8:1::1<br />2001:db8:1::1 icmp6_seq=1 ttl=64 time=2.936 ms<br />2001:db8:1::1 icmp6_seq=2 ttl=64 time=1.619 ms</blockquote>
<span style="font-size: large;"><b><br /></b></span>
<span style="font-size: large;"><b>ROUTER NAT64</b></span><br />
The interface address 2001:DB8:1::1/96 is in network 2001:DB8:1::/96, which covers the range<br />
2001:0db8:0001:0000:0000:0000:0000:0000 -<br />
2001:0db8:0001:0000:0000:0000:ffff:ffff<br />
<br />
<blockquote class="tr_bq">
hostname <b>NAT64</b><br />
ipv6 unicast-routing<br />
!<br />
interface Gi0/1<br />
description -=interface facing ipv6<br />
no sh<br />
no ip address<br />
ipv6 address 2001:DB8:1::1/96<br />
ipv6 enable<br />
nat64 enable<br />
!<br />
interface Gi0/0<br />
description -=interface facing ipv4<br />
no sh<br />
ip address 10.0.0.1 255.255.255.0<br />
nat64 enable<br />
!</blockquote>
<br />
<br />
<span style="font-size: large;"><b>NAT64 static:</b></span><br />
!<br />
! The Stateful NAT64 translator translates the source IP address to IPv6 by using the Stateful NAT64 prefix (if a stateful prefix is configured)<br />
! or the Well Known Prefix (WKP) (if a stateful prefix is not configured).<br />
<br />
! nat64 prefix stateful 3001::/96<br />
! nat64 prefix stateful 2001:DB8:1::1/96<br />
<br />
<b><span style="color: #cc0000;">! if not configured:</span></b><br />
Router#show nat64 prefix stateful global<br />
Global Stateful Prefix: 64:FF9B::/96<br />
<br />
<br />
! an IPv4 packet received with destination 10.0.0.3 is translated to destination 2001:DB8:1::2 (and replies from 2001:DB8:1::2 get source 10.0.0.3): a fixed 1:1 mapping, like static NAT, that exposes the IPv6 host on the IPv4 side permanently<br />
<blockquote class="tr_bq">
nat64 v6v4 static 2001:DB8:1::2 10.0.0.3</blockquote>
<br />
<br />
<span style="font-size: large;"><b>NAT64 dynamic example:</b></span><br />
!<br />
! Dynamically translates an IPv6 source address to an IPv4 source address (taken from the pool)<br />
! and an IPv6 destination address (carrying the stateful prefix) to an IPv4 destination address for NAT64.<br />
Device(config)# nat64 prefix stateful 2001:DB8:1::1/96<br />
<br />
Device(config)# ipv6 access-list nat64-acl<br />
Device(config-ipv6-acl)# permit ipv6 2001:DB8:2::/96 any<br />
! nat64 v4 pool <pool-name> <start-ip-address> <end-ip-address><br />
Device(config)# nat64 v4 pool pool1 209.165.201.1 209.165.201.254<br />
<br />
<br />
Device(config)# nat64 v6v4 list nat64-acl pool pool1<br />
<br />
<br />
<span style="font-size: large;"><b>NAT64 check:</b></span><br />
<br />
NAT64# debug ip icmp<br />
NAT64# debug ipv6 icmp<br />
<br />
ipv4> ping 10.0.0.3<br />
84 bytes from 10.0.0.3 icmp_seq=1 ttl=62 time=2.954 ms<br />
<br />
19:52:31.123645<span style="white-space: pre;"> </span>10.0.0.2<span style="white-space: pre;"> </span>ICMP<span style="white-space: pre;"> </span>10.0.0.3<span style="white-space: pre;"> </span>Echo (ping) request id=0x5f2e, seq=1/256, ttl=64 (reply in 4)<span style="white-space: pre;"> </span>ICMP<br />
19:52:31.133602<span style="white-space: pre;"> </span>10.0.0.3<span style="white-space: pre;"> </span>ICMP<span style="white-space: pre;"> </span>10.0.0.2<span style="white-space: pre;"> </span>Echo (ping) reply id=0x5f2e, seq=1/256, ttl=62 (request in 3)<span style="white-space: pre;"> </span>ICMP<br />
<br />
ipv6><br />
19:50:06.834964<span style="white-space: pre;"> </span>64:ff9b::a00:2<span style="white-space: pre;"> </span>ICMPv6<span style="white-space: pre;"> </span>2001:db8:1::2<span style="white-space: pre;"> </span>Echo (ping) request id=0xce2d, seq=1, hop limit=63 (reply in 4)<span style="white-space: pre;"> </span><br />
19:50:06.835044<span style="white-space: pre;"> </span>2001:db8:1::2<span style="white-space: pre;"> </span>ICMPv6<span style="white-space: pre;"> </span>64:ff9b::a00:2<span style="white-space: pre;"> </span>Echo (ping) reply id=0xce2d, seq=1, hop limit=63 (request in 3)<span style="white-space: pre;"> </span><br />
<br />
Global Stateful Prefix: 64:FF9B::/96<br />
nat64 v6v4 static 2001:DB8:1::2 10.0.0.3<br />
<br />
<br />
host 'ipv4' can reach host 'ipv6' via the mapped address 10.0.0.3<br />
<br />
<b><span style="color: #cc0000;">Steps when host 'ipv4' pings host 'ipv6':</span></b><br />
<blockquote class="tr_bq">
1) host 'ipv4' sends: s:10.0.0.2 d:10.0.0.3<br />
2) ROUTER NAT64 translates: s:10.0.0.2 d:10.0.0.3 => s:64:ff9b::a00:2 d:2001:DB8:1::2 (source synthesised from the stateful prefix, destination taken from the static v6v4 entry)<br />
3) host 'ipv6' receives: s:64:ff9b::a00:2 d:2001:DB8:1::2 and replies to 64:ff9b::a00:2, which the router maps back to 10.0.0.2</blockquote>
<br />
show nat64 translations<br />
show nat64 statistics<br />
<br />
<br />
<br />
<blockquote class="tr_bq">
NAT64#<b>show nat64 translations</b><br />
Proto Original IPv4 Translated IPv4<br />
Translated IPv6 Original IPv6<br />
--------------------------------------------------------<br />
icmp 10.0.0.2:40753 [64:FF9B::A00:2]:40753<br />
10.0.0.3:40753 [2001:DB8:1::2]:40753<br />
icmp 10.0.0.2:41009 [64:FF9B::A00:2]:41009<br />
10.0.0.3:41009 [2001:DB8:1::2]:41009<br />
--- --- ---<br />
10.0.0.3 2001:DB8:1::2<br />
Total number of translations: 3<br />
NAT64#</blockquote>
<br />
<br />
<blockquote>
NAT64#<b>show nat64 statistics</b><br />
NAT64 Statistics<br />
Number of NAT64 enabled interfaces: 2<br />
Number of packets translated by stateless NAT64:<br />
Packets translated (IPv4 -> IPv6): 0<br />
Packets translated (IPv6 -> IPv4): 0<br />
Number of packets translated by stateful NAT64:<br />
Packets translated (IPv4 -> IPv6): 13<br />
Packets translated (IPv6 -> IPv4): 17<br />
Number of packets translated by MAP-T:<br />
Packets translated (IPv4 -> IPv6): 0<br />
Packets translated (IPv6 -> IPv4): 0<br />
Number of packets processed by MAP-E:<br />
Packets processed (IPv4 -> IPv6): 0<br />
Packets processed (IPv6 -> IPv4): 0<br />
Global Statistics<br />
Prefix: 64:FF9B::/96<br />
Packets translated (IPv4 -> IPv6): 12<br />
Packets translated (IPv6 -> IPv4): 1<br />
Packets dropped: 0<br />
Interface Statistics<br />
Total active translations: 1(1 static, 0 dynamic,0 extended)<br />
Active sessions: 2<br />
Number of expired entries: 29<br />
Number of packets:<br />
CEF Translated: 15 CEF Punted packets: 10<br />
Dropped: 29<br />
Hits: 18 Misses: 41<br />
Dynamic Mapping Statistics<br />
Limit Statistics<br />
Maximum entries limit not configured<br />
NAT64# </blockquote>
<br />
<br />SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-42224790786419486942017-12-06T12:15:00.002+02:002017-12-06T15:40:29.002+02:00Linux Kernel upgrade<a name='more'></a><br />
sc@ubuntu-16-04-lts:~$ <b>date</b><br />
Wed Dec 6 05:16:27 EST 2017<br />
<br />
<b>Disable service in Ubuntu 14</b><br />
apt-get install sysv-rc-conf<br />
update-rc.d apache2 disable<br />
<br />
<b><span style="font-size: large;">Kernel Changelogs:</span></b><br />
<a href="https://kernelnewbies.org/LinuxVersions">https://kernelnewbies.org/LinuxVersions</a><br />
<blockquote class="tr_bq">
4.x<br />
<i><b><span style="color: #0b5394;">Linux 4.15 will be Released 14/21 January 2018</span></b></i><br />
Linux 4.14 Released 12 November, 2017 (70 days)<br />
Linux 4.13 Released 3 September, 2017 (63 days)<br />
Linux 4.12 Released 2 July, 2017 (63 days)<br />
Linux 4.11 Released 30 April, 2017 (70 days)<br />
Linux 4.10 Released 19 February, 2017 (70 days)<br />
Linux 4.9 Released 11 December, 2016 (70 days)<br />
Linux 4.8 Released 2 October, 2016 (70 days)<br />
Linux 4.7 Released 24 July, 2016 (70 days)<br />
Linux 4.6 Released 15 May, 2016 (63 days)<br />
Linux 4.5 Released 13 March, 2016 (63 days)<br />
Linux 4.4 Released 10 January, 2016 (70 days)<br />
Linux 4.3 Released 1 November, 2015 (63 days)<br />
Linux 4.2 Released 30 August, 2015 (70 days)<br />
Linux 4.1 Released 21 June, 2015 (70 days)<br />
Linux 4.0 Released 12 April, 2015 (63 days)</blockquote>
<a href="https://kernelnewbies.org/Linux_4.15">https://kernelnewbies.org/Linux_4.15</a><br />
06-dec-2017<br />
Linux 4.15 has not been released. Meanwhile, you can read about it here:<br />
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f0b60bfa952458286f43a63c07b0eea170b2cc95<br />
<br />
<br />
<br />
sc@ubuntu-16-04-lts:~$ uname -sr<br />
<b>Linux 4.10.0-28-generic</b><br />
sc@ubuntu-16-04-lts:~$<br />
<br />
<br />
<b><span style="font-size: large;">Update to current Distro </span></b><br />
<b><br /></b>
<b>Ubuntu 16.04.05 LTS (dec 2017) has:</b><br />
<blockquote class="tr_bq">
sc@ubuntu-16-04-lts:~$ uname -sr<br />
<b>Linux 4.10.0-28-generic</b></blockquote>
<b>Another example (Proxmox 5.1)</b><br />
<blockquote class="tr_bq">
root@cvm65:~# uname -r<br />
<b>4.13.4-1-pve</b></blockquote>
<br />
<b>Let's update it</b><br />
<blockquote class="tr_bq">
root@ubuntu-16-04-lts:~# apt update<br />
root@ubuntu-16-04-lts:~# apt upgrade -y<br />
root@ubuntu-16-04-lts:~# reboot</blockquote>
<br />
The kernel is updated, but it is still an old one:<br />
<blockquote class="tr_bq">
sc@ubuntu-16-04-lts:~$ uname -sr<br />
<b>Linux 4.10.0-40-generic</b></blockquote>
<br />
<br />
<br />
<b><span style="font-size: large;">Update to latest Kernel</span></b><br />
<br />
<b><span style="color: blue;">Manual update</span></b><br />
<blockquote class="tr_bq">
1) Go here: http://kernel.ubuntu.com/~kernel-ppa/mainline/<br />
2) Download the 3 (maybe 4) debs to a folder somewhere, together with the CHECKSUMS file (and its CHECKSUMS.gpg signature) from the same directory, and verify the sha256 sums before installing; the download is plain http:<br />
mkdir kernel<br />
$ wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14/linux-headers-4.14.0-041400_4.14.0-041400.201711122031_all.deb<br />
$ wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14/linux-headers-4.14.0-041400-generic_4.14.0-041400.201711122031_amd64.deb<br />
$ wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14/linux-image-4.14.0-041400-generic_4.14.0-041400.201711122031_amd64.deb<br />
3) cd /path/to/folder/where/you/put/the/debs<br />
dpkg -i linux-*.deb<br />
update-grub<br />
reboot now<br />
Note: mainline builds are test kernels that are not signed for UEFI Secure Boot, so on a machine with Secure Boot enabled they will not boot.</blockquote>
<br />
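A checksum check for step 2, as an added example that is not part of the original post or of Ubuntu's tooling. It assumes the mainline directory's CHECKSUMS file lists one <code>sha256  filename</code> line per .deb with <code>#</code> comment lines in between (other hash lengths are ignored); the .deb files and CHECKSUMS content below are constructed in a temporary directory so the script runs offline. Verifying the detached CHECKSUMS.gpg signature with <code>gpg --verify</code> is left to the shell, since it needs the kernel-ppa key on the box.

```python
"""Verify downloaded mainline kernel .deb files against a CHECKSUMS file.

Added example, not part of the original post or of Ubuntu's tooling.  The
CHECKSUMS format (one 'sha256  filename' line per package, '#' comments) is an
assumption about the mainline directory; the sample files in demo() are
constructed, not real packages.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# 64 hex chars, whitespace, optional '*' (binary-mode marker), filename
SHA256_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_checksums(text: str) -> dict:
    """Map filename -> expected sha256 hex; ignores comments and non-SHA256 lines."""
    sums = {}
    for line in text.splitlines():
        m = SHA256_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path) -> str:
    """Streaming sha256 of a file (kernel images are tens of MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_debs(directory, checksums_text: str):
    """Check every *.deb in directory. Returns (all_ok, list_of_problem_strings).

    A .deb that is not listed at all is reported too: 'dpkg -i *.deb' would
    happily install it.
    """
    expected = parse_checksums(checksums_text)
    problems = []
    for deb in sorted(Path(directory).glob("*.deb")):
        if deb.name not in expected:
            problems.append(f"{deb.name}: not listed in CHECKSUMS")
        elif sha256_file(deb) != expected[deb.name]:
            problems.append(f"{deb.name}: sha256 mismatch")
    return not problems, problems


def demo():
    """Constructed sample: two good debs, then one tampered file and one unlisted one."""
    names = [
        "linux-headers-4.14.0-041400_4.14.0-041400.201711122031_all.deb",
        "linux-image-4.14.0-041400-generic_4.14.0-041400.201711122031_amd64.deb",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for i, n in enumerate(names):
            (d / n).write_bytes(b"fake deb payload %d\n" % i)   # constructed stand-in, not a package
        checksums = "#\n# SHA256 checksums (constructed)\n#\n" + "".join(
            f"{sha256_file(d / n)}  {n}\n" for n in names)
        clean = verify_debs(d, checksums)
        # tamper with one listed file and drop an extra, unlisted .deb into the folder
        (d / names[1]).write_bytes(b"modified payload\n")
        (d / "linux-extra.deb").write_bytes(b"unlisted\n")
        dirty = verify_debs(d, checksums)
    return clean, dirty


if __name__ == "__main__":
    for ok, problems in demo():
        print("OK" if ok else "FAIL", problems)
```

Run it against the real folder with <code>verify_debs("kernel", open("kernel/CHECKSUMS").read())</code> and only continue to <code>dpkg -i</code> when it returns <code>(True, [])</code>.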
<b><span style="color: blue;">Script update</span></b><br />
<blockquote class="tr_bq">
curl https://raw.githubusercontent.com/muhasturk/ukupgrade/master/ukupgrade > ukupgrade<br />
chmod +x ./ukupgrade<br />
<b><span style="color: #cc0000;">!! Read the whole script before running it as root, and edit ./ukupgrade, because it reboots right after the update !!</span></b><br />
./ukupgrade</blockquote>
<br />
<span style="font-size: large;"><b>Remove old kernel</b></span><br />
<br />
<b>Current kernel installed</b><br />
<blockquote class="tr_bq">
sc@ubuntu-16-04-lts:~$ uname -r<br />
<b>4.14.0-041400-lowlatency</b></blockquote>
<b>Remove it</b><br />
<blockquote class="tr_bq">
dpkg -l | grep linux<br />
apt-get remove linux-headers-4.14.0-041400-lowlatency<br />
apt-get remove linux-image-4.14.0-041400-lowlatency<br />
apt autoremove<br />
update-grub<br />
reboot now</blockquote>
<b>Current kernel:</b><br />
<blockquote class="tr_bq">
sc@ubuntu-16-04-lts:~$ uname -sr<br />
<b>Linux 4.14.0-041400-generic</b><br />sc@ubuntu-16-04-lts:~$ </blockquote>
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-71822808080235164372017-12-04T18:23:00.000+02:002017-12-05T17:45:32.756+02:00VCSA - VMware vCenter Server Appliance 5.1.0.30400 Build 3868380 cleanup<a name='more'></a><br />
vCenter100-Server-clone-5-1-0-1123961<br />
vCenter Server 5.1 Update 1a | 22 May 2013 | Build 1123961<br />
<br />
update to:<br />
vCenter Server 5.1 Update 3d | 24 May 2016 | Build 3814779<br />
<br />
<br />
<a href="https://kb.vmware.com/s/article/2056448">https://kb.vmware.com/s/article/2056448</a><br />
<br />
<b>Version:</b><br />
<blockquote class="tr_bq">
VMware vCenter Server Appliance 5.1.0.30400 Build 3868380<br />
vpbx:~ # vmtoolsd -v<br />
VMware Tools daemon, version 9.0.17.55356 (build-3774305)</blockquote>
vpbx:~ # lsblk -f<br />
NAME FSTYPE LABEL MOUNTPOINT<br />
sda <br />
├─sda1 ext3 /boot<br />
├─sda2 swap [SWAP]<br />
└─sda3 ext3 /<br />
sdb <br />
├─sdb1 ext3 /storage/core<br />
├─sdb2 ext3 /storage/log<br />
└─sdb3 ext3 /storage/db<br />
<br />
<b><u>BEFORE</u></b><br />
vpbx:~ # df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
/dev/sda3 9.8G 5.0G 4.3G 55% /<br />
/dev/sdb1 20G 20G 0 100% /storage/core<br />
/dev/sdb2 20G 8.2G 11G 44% /storage/log<br />
/dev/sdb3 60G 14G 43G 25% /storage/db<br />
vpbx:~ #<br />
<br />
<b><u>AFTER</u></b><br />
vpbx:~ # df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
/dev/sda3 9.8G 5.0G 4.3G 54% /<br />
/dev/sda1 128M 22M 100M 18% /boot<br />
/dev/sdb1 20G 20G 0 100% /storage/core<br />
/dev/sdb2 20G 547M 19G 3% /storage/log<br />
/dev/sdb3 60G 13G 44G 22% /storage/db<br />
vpbx:~ #<br />
<br />
<br />
<b>Files to delete</b> (rotated copies only; /var/log/audit/audit.log.* is the appliance's audit trail, so copy it off the box first if it may be needed later)<br />
<blockquote class="tr_bq">
rm -rf /storage/core/core.vpxd-worker.*<br />
rm -rf /storage/log/vmware/vpx/sps/sps.log.*<br />
rm -rf /storage/log/vmware/vpx/sps/wrapper.log.*<br />
rm -rf /storage/log/vmware/vpx/tomcat/logs/localhost_access_log.20*<br />
rm -rf /storage/log/vmware/vpx/sms.log.*<br />
rm -rf /storage/log/vmware/vpx/vsm.log.*<br />
rm -rf /storage/log/vmware/vpx/vws.log.*<br />
rm -rf /storage/log/vmware/vpx/cim-diag.log.*<br />
rm -rf /storage/log/vmware/sso/localhost-access-20*<br />
rm -rf /storage/log/vmware/sso/status-live.log.*<br />
rm -rf /storage/log/vmware/sso/ssoAdminServer.log.*<br />
rm -rf /storage/log/vmware/sso/rootlogger.log.*<br />
rm -rf /storage/log/vmware/sso/backup/imsRuntimeAudit.20*<br />
rm -rf /storage/log/vmware/sso/backup/imsTrace.20*<br />
rm -rf /var/log/audit/audit.log.*<br />
> /var/log/cron </blockquote>
<br />
<b>vPostgre cleanup</b><br />
<blockquote class="tr_bq">
cat /etc/vmware-vpx/embedded_db.cfg | grep PASSWORD<br />
EMB_DB_PASSWORD='xxxx'</blockquote>
<br />
<blockquote class="tr_bq">
<br />
vpbx:/storage/core # <b>sudo -u postgres /opt/vmware/vpostgres/9.0/bin/vacuumdb -a -e -v -f -U postgres > /tmp/vacuumdb.log</b><br />
Password:<br />
INFO: vacuuming "pg_catalog.pg_statistic"<br />
INFO: vacuuming "pg_catalog.pg_type"<br />
INFO: vacuuming "vpx.vpx_hist_stat4_67"<br />
INFO: vacuuming "vpx.vpx_hist_stat4_116"<br />
...<br />
INFO: vacuuming "vpx.vpx_event" (this table takes a very long time to complete)</blockquote>
<div>
<br /></div>
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-1707946387949221412017-12-04T10:44:00.001+02:002017-12-05T18:53:13.326+02:00Cisco default value<br />
<a name='more'></a><br />
<b><span style="font-size: large;">CEF</span></b><br />
- Cisco Express Forwarding is enabled by default on most Cisco platforms running Cisco IOS Software Release 12.0 or later.<br />
- With central CEF the Route Processor (RP) does the forwarding; with distributed CEF (dCEF) the line cards keep their own copy of the FIB and forward without involving the RP.<br />
<br />
<b>Enabling or Disabling CEF or dCEF on a Router</b><br />
[no] ip cef<br />
[no] ip cef distributed<br />
<br />
<b>When to Enable or Disable CEF on an Interface</b><br />
The input interface determines the Cisco IOS switching path that a packet takes.<br />
- CEF makes the forwarding decision on input, so CEF must be enabled on the incoming interface for a packet to be CEF switched:<br />
<blockquote class="tr_bq">
! on the ingress interface<br /><b>[no] ip route-cache cef</b></blockquote>
<br />
- In contrast, Cisco IOS builds a fast-switching cache entry after switching a packet, so a packet coming in on a process-switched interface and going out through a fast-switched interface is fast switched. To disable fast switching, use:<br />
<blockquote class="tr_bq">
! on the egress interface<br /><b>no ip route-cache</b></blockquote>
<br />
<br />
<br />
<br />
<br />
Interface default bandwidth / delay (the BW and DLY values in <b>show interfaces</b>; EIGRP's metric is computed from them):<br />
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; width: 698px;">
<colgroup><col style="mso-width-alt: 13596; mso-width-source: userset; width: 287pt;" width="382"></col>
<col style="mso-width-alt: 5518; mso-width-source: userset; width: 116pt;" width="155"></col>
<col style="mso-width-alt: 5717; mso-width-source: userset; width: 121pt;" width="161"></col>
</colgroup><tbody>
<tr height="38" style="height: 28.8pt;">
<td class="xl65" height="38" style="height: 28.8pt; width: 287pt;" width="382"><span style="background-color: #d0e0e3;"><b>INTERFACE</b></span></td>
<td class="xl66" style="width: 116pt;" width="155"><span style="background-color: #d0e0e3;"><b>bandwidth in kbits/s</b></span></td>
<td class="xl67" style="width: 121pt;" width="161"><span style="background-color: #d0e0e3;"><b>Delay in microseconds<br />
(1 μs = 1/10^6 sec)</b></span></td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">10
Mbps Ethernet</td>
<td class="xl64" style="font-style: inherit;">10'000</td>
<td class="xl64" style="font-style: inherit;">1000</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;">100 Mbps Ethernet</td>
<td class="xl64">100'000</td>
<td class="xl64">100</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;">1000 Mbps Ethernet</td>
<td class="xl64">1'000'000</td>
<td class="xl64">10</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;">10000 Mbps Ethernet</td>
<td class="xl64">10'000'000</td>
<td class="xl64">1</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Loopback</td>
<td class="xl64" style="font-style: inherit;">8'000'000</td>
<td class="xl64" style="margin-right: 0px; padding-bottom: 2px; padding-top: 2px;">5000</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;">Tunnel BW</td>
<td class="xl64">100</td>
<td class="xl64">50000</td>
</tr>
<tr height="38" style="height: 28.8pt;">
<td class="xl63" height="38" style="height: 28.8pt; width: 287pt;" width="382">Tunnel
transmit/receive BW<br />
(only used with RBSCP - rate based satellite control protocol )</td>
<td class="xl64">8'000</td>
<td class="xl64"></td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Token
ring</td>
<td class="xl64" style="font-style: inherit;">16000</td>
<td class="xl64" style="font-style: inherit;">630</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Fddi</td>
<td class="xl64" style="font-style: inherit;">100000</td>
<td class="xl64" style="font-style: inherit;">100</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Serial</td>
<td class="xl64" style="font-style: inherit;">1544</td>
<td class="xl64" style="font-style: inherit;">20000</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;"><div style="font-style: inherit; font-weight: inherit;">
Low-speed serial:</div>
</td>
<td class="xl64">115</td>
<td class="xl64" style="font-style: inherit;">20000</td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;"><div style="font-style: inherit; font-weight: inherit;">
WIC on 1600/2600/3600 series,</div>
</td>
<td class="xl64"></td>
<td class="xl64"></td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;"><div style="font-style: inherit; font-weight: inherit;">
sync/async interfaces on 252x,</div>
</td>
<td class="xl64"></td>
<td class="xl64"></td>
</tr>
<tr height="19" style="height: 14.4pt;">
<td height="19" style="height: 14.4pt;">sync/async serial modules on 2600/3600,
etc.</td>
<td class="xl64"></td>
<td class="xl64"></td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">ISDN
BRI & PRI</td>
<td class="xl64" style="font-style: inherit;">64</td>
<td class="xl64" style="font-style: inherit;">20000</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Dialer</td>
<td class="xl64" style="font-style: inherit;">56</td>
<td class="xl64" style="font-style: inherit;">20000</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Channelized
T1 or E1</td>
<td class="xl64" style="font-style: inherit;">n * 64</td>
<td class="xl64" style="font-style: inherit;">20000</td>
</tr>
<tr height="19" style="font-style: inherit; font-weight: inherit; height: 14.4pt;">
<td height="19" style="font-style: inherit; height: 14.4pt;">Async</td>
<td class="xl64" style="font-style: inherit;">tty line speed</td>
<td class="xl64" style="font-style: inherit;">100000</td>
</tr>
</tbody></table>
<b>2017 CCNP RS, PPPoE Labs</b> (SC, 2017-11-30, updated 2017-12-11)<br />
interface Dialer1<br />
<span style="background-color: #f4cccc;"><b>ip address negotiated</b></span> !! use an IP address provided by the PPPoE server<br />
<div>
<br /></div>
<br />
<b>Foundation:</b><br />
<a href="http://sclabs.blogspot.com/2010/07/ex4-chapter-2-ppp.html">http://sclabs.blogspot.com/2010/07/ex4-chapter-2-ppp.html</a><br />
<a href="http://sclabs.blogspot.com/2014/03/ccnp-route-branch-office-connections-vpn.html">http://sclabs.blogspot.com/2014/03/ccnp-route-branch-office-connections-vpn.html</a><br />
<a href="http://sclabs.blogspot.com/2012/08/chapter-3-authentication-authorization.html">http://sclabs.blogspot.com/2012/08/chapter-3-authentication-authorization.html</a><br />
<b><br /></b>
<b>Sources:</b><br />
<a href="http://packetlife.net/blog/2009/apr/20/configuring-pppoe/">http://packetlife.net/blog/2009/apr/20/configuring-pppoe/</a><br />
<a href="https://www.networking-forums.com/guides-and-labs/ccnp-route-300-101-sub-topics-ppp-pppoe/">https://www.networking-forums.com/guides-and-labs/ccnp-route-300-101-sub-topics-ppp-pppoe/</a><br />
<a href="https://aproductiveday.wordpress.com/2013/09/08/ppp-negotiation-process-3/">https://aproductiveday.wordpress.com/2013/09/08/ppp-negotiation-process-3/</a><br />
<br />
<span style="font-size: large;"><b>PPP - Point-to-point protocol</b></span><br />
-Layer 2 encapsulation (PPP frames carry the L3 payload)<br />
-PPP supports two types of authentication:<br />
-PAP – password sent in plain text<br />
-CHAP – secure (challenge/response with a shared secret; the secret itself is never sent)<br />
<br />
<b>PPP Phases:</b><br />
1) LCP (Link Establishment Phase).<br />
Parameters for the link are negotiated: both devices need to agree on authentication type, compression, error detection, multilink and PPP callback.<br />
Once the values are agreed, the link moves on to phase 2 (if authentication is configured) or directly to phase 3.<br />
<br />
2) Authentication (PAP, CHAP or EAP).<br />
Optional phase; if configured, each device must prove to the other that it is who it claims to be before the link is used.<br />
<br />
3) NCP (Network Control Phase).<br />
Layer 2 to layer 3 transition phase.<br />
<br />
It provides communication with the IP layer through IPCP (IP Control Protocol), which gives us an IP address we can then communicate with.<br />
<br />
<br />
<b>PPP configuration:</b><br />
<blockquote class="tr_bq">
username R2 password secret !! the peer's hostname and the shared secret<br />
interface ser0/0<br />
encapsulation ppp<br />
ppp authentication chap<br />
ppp chap hostname R1 !! name this router presents to the peer</blockquote>
<br />
<b>PPP Verification:</b><br />
show ppp interfaces<br />
show interfaces<br />
<br />
<span style="font-size: large;"><b>PPPoE - PPP over Ethernet</b></span><br />
To understand PPPoE, one must understand the limits of PPP.<br />
The limit of PPP is that it MUST be POINT TO POINT. What if I want to provide 100,000 customers with access, but restrict everyone else who is not a paying customer because this is a shared medium? DING DING DING! PPPoE.<br />
<br />
PPPoE lets us make virtual tunnels across Ethernet, and it allows for Authentication (MAC ADDRESS), Username/password challenges, encryption, traffic shaping (good for ISPs), and a way to gauge number of connections to correctly bill people.<br />
<br />
How does PPPoE create its sessions?<br />
1) The client advertises a PADI packet (PPPoE Active Discovery Initiation)<br />
2) When the Access Concentrator (server) receives a valid PADI packet, it replies with a PADO (PPPoE Active Discovery Offer)<br />
3) Because PPPoE runs across a shared medium, the client can receive multiple PADOs. It has to filter them and pick the correct PADO (by AC name/services offered), then send a PADR (PPPoE Active Discovery Request) packet to the chosen access concentrator.<br />
4) Finally the AC replies with a PADS (PPPoE Active Discovery Session-information). This creates the virtual interface that will negotiate PPP.<br />
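<br />
The four discovery frames above can be built and checked byte by byte. The Python below is an added example written for this page, not code from the original post or from Cisco. It uses the client and AC MAC addresses that appear in the post's debug output (5003.0001.0000 and 5003.0002.0000) as constructed sample values; the AC name SERVER, the Host-Uniq value and the session id 5 are assumptions. It also shows step 3 from the defender's side: a client that only accepts the PADO echoing its own Host-Uniq and naming the expected concentrator, and reports any other offer seen on the shared segment.<br />

```python
"""PPPoE discovery stage (RFC 2516): build, parse and validate PADI/PADO/PADR/PADS frames.
Added example for this page; MACs are the post's lab values, the rest is constructed."""
import struct

ETH_P_PPPOE_DISC = 0x8863    # discovery-stage Ethertype (session stage uses 0x8864)
PPPOE_VER_TYPE = 0x11        # VER = 1, TYPE = 1 packed into one byte
CODES = {"PADI": 0x09, "PADO": 0x07, "PADR": 0x19, "PADS": 0x65, "PADT": 0xA7}
CODE_NAMES = {v: k for k, v in CODES.items()}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = bytes.fromhex("ffffffffffff")
CLIENT_MAC = bytes.fromhex("500300010000")   # 5003.0001.0000, the CPE in the post's debug
AC_MAC = bytes.fromhex("500300020000")       # 5003.0002.0000, the SERVER in the post's debug


def build(code_name, dst, src, session_id, tags):
    """Ethernet header + PPPoE header + TLV tags. tags is a list of (type, value)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, CODES[code_name], session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload


def parse(frame):
    """Validate and decode one discovery frame; raise ValueError on anything malformed."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame: 0x%04x" % ethertype)
    ver_type, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code not in CODE_NAMES:
        raise ValueError("bad PPPoE header")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("length field exceeds frame")
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, tlen = struct.unpack("!HH", payload[off:off + 4])
        if off + 4 + tlen > len(payload):
            raise ValueError("truncated tag")
        tags.append((t, payload[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    name = CODE_NAMES[code]
    # Session ID is 0 while the session is being set up; PADS carries the assigned ID
    # (or 0 together with an error tag) and PADT the ID of the session being torn down.
    if name in ("PADI", "PADO", "PADR") and sid != 0:
        raise ValueError("non-zero session id in %s" % name)
    return {"dst": dst, "src": src, "code": name, "session_id": sid, "tags": tags}


def tag(parsed, tag_type):
    return next((v for t, v in parsed["tags"] if t == tag_type), None)


def select_pado(pados, host_uniq, expected_ac):
    """Step 3 of the discovery: on a shared segment the client may see several offers and keeps
    only the one that echoes its Host-Uniq and names the expected AC.
    Returns (chosen, rejected); rejected is a list of (reason, ac_name) worth logging."""
    chosen, rejected = None, []
    for p in pados:
        if p["code"] != "PADO":
            continue
        ac = tag(p, TAG_AC_NAME)
        if tag(p, TAG_HOST_UNIQ) != host_uniq:
            rejected.append(("host-uniq mismatch", ac))
        elif ac != expected_ac:
            rejected.append(("unexpected AC-Name", ac))   # unknown concentrator answering on the segment
        elif chosen is None:
            chosen = p
    return chosen, rejected


def max_ppp_payload(eth_mtu=1500):
    """PPPoE header (6) + PPP protocol field (2) take 8 bytes of the Ethernet MTU, hence mtu 1492."""
    return eth_mtu - 6 - 2


def demo():
    host_uniq = b"\x00\x00\x00\x2a"                        # constructed
    padi = build("PADI", BROADCAST, CLIENT_MAC, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    good = build("PADO", CLIENT_MAC, AC_MAC, 0,
                 [(TAG_AC_NAME, b"SERVER"), (TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    other = build("PADO", CLIENT_MAC, bytes.fromhex("500300990000"), 0,   # constructed second AC
                  [(TAG_AC_NAME, b"OTHER-AC"), (TAG_HOST_UNIQ, host_uniq)])
    chosen, rejected = select_pado([parse(good), parse(other)], host_uniq, b"SERVER")
    padr = build("PADR", chosen["src"], CLIENT_MAC, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    pads = build("PADS", CLIENT_MAC, AC_MAC, 5, [(TAG_SERVICE_NAME, b"")])   # "PPPoE 5" in the debug
    return parse(padi)["code"], chosen["src"], rejected, parse(padr)["code"], parse(pads)["session_id"]


if __name__ == "__main__":
    print(demo())
```

<code>parse</code> rejects a non-zero session id in PADI/PADO/PADR because the id only exists once PADS has assigned it, and <code>max_ppp_payload</code> is where the 1492-byte MTU in the dialer configuration further down comes from.<br />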
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0WUAo_-JYxAtsvmpGjPTLatR5cdjbNubNid0W4sWU8vAjEMjY94GpTKeG6JsXFG-ubEtxiwtfZZKFzn5DkwAokrNIPmxcayaozDWYDBp2YkNy9puvWTnvgzR82nQvw6FROQgEqrIGkNE/s1600/pppoe.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="303" data-original-width="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0WUAo_-JYxAtsvmpGjPTLatR5cdjbNubNid0W4sWU8vAjEMjY94GpTKeG6JsXFG-ubEtxiwtfZZKFzn5DkwAokrNIPmxcayaozDWYDBp2YkNy9puvWTnvgzR82nQvw6FROQgEqrIGkNE/s1600/pppoe.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/edge_ios/dep_atm.html">Link</a></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><b>Terminology</b></span><br />
<b><span style="color: blue;">CPE</span></b>—The customer premises equipment router is a small router such as the Cisco 800 series router that is used either as a bridge or to initiate PPP over Ethernet (PPPoE) connections from the customer PC to the Layer 2 Tunnel Protocol (L2TP) access concentrator (<b><span style="color: blue;">LAC</span></b>).<br />
<br />
Cisco Intelligent Service Gateway <b>(<span style="color: blue;">ISG</span>)</b> and ATM as the aggregation technology.<br />
The Cisco ISG software provides a feature set that assists the service provider with provisioning and maintaining broadband networks that have many types of edge devices and many subscribers and services.<br />
The Cisco ISG software combines real-time session and flow control with programmable, dynamic policy control to deliver flexible and scalable subscriber session management capabilities.<br />
<br />
•ISG—A Cisco router such as the Cisco 7200, 7300, and 10000 series is configured as an ISG to control subscriber access at the edge of an IP/MPLS network.<br />
•ISG as LAC—In the L2TP deployments, the ISG also serves as a LAC. It is maintained by the ISP as part of its central network. It receives incoming sessions from the DSLAM and forwards them to the appropriate retail ISP by establishing an L2TP tunnel with the LNS. The LAC contacts the ISP's authentication, authorization, and accounting (AAA) server to determine the forwarding information based on the subscriber's domain name.<br />
•ISG as LNS—An LNS is used only in L2TP deployments. The LNS terminates the L2TP tunnel from the LAC and the PPPoE session from the subscriber. It is maintained by the ISP on its central network. The ISG LNS authenticates the user by contacting the AAA server for ISP, and assigns the user a VRF. The ISG LNS also communicates with the AAA server when the user requests additional services.<br />
•ISG as <b><span style="color: blue;">BRAS</span></b>—A Broadband Remote Access Server (BRAS) is a high-density ISG router that supports thousands of simultaneous active sessions for the widest variety of broadband architectures.<br />
<span style="text-align: center;"><br /></span>
<br />
<span style="text-align: center;">A broadband remote access server (BRAS, B-RAS or BBRAS) routes traffic to and from broadband remote access devices such as digital subscriber line access multiplexers (DSLAM) on an Internet service provider's (ISP) network. BRAS can also be referred to as a Broadband Network Gateway (<b><span style="color: blue;">BNG</span></b>).</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRZV0UN4xZ5wR_J8FmSKQH7iHX9i7rzJvLAbAj7RVED_H_Z6xLN95rjXPzBth-Fnx0fhUKm3U655DyNel3a0XQdcARdPllRtLEfR8uvzmE_yZKe2Q5-eOJbFH8mPE44KU79mcu6iyUigA/s1600/pppoe-stack.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="351" data-original-width="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRZV0UN4xZ5wR_J8FmSKQH7iHX9i7rzJvLAbAj7RVED_H_Z6xLN95rjXPzBth-Fnx0fhUKm3U655DyNel3a0XQdcARdPllRtLEfR8uvzmE_yZKe2Q5-eOJbFH8mPE44KU79mcu6iyUigA/s1600/pppoe-stack.gif" /></a></div>
<span style="text-align: center;"><br /></span>
<span style="text-align: center;"><br /></span>
<span style="text-align: center;"><b>Configure a PPPoE Client:</b></span><br />
<blockquote class="tr_bq">
<b>interface gi0/0</b><br />
no ip address<br />
pppoe enable !! enables pppoe<br />
pppoe-client dial-pool-number 1 !! configures a pppoe client and specifies dial-on-demand (ddr) functionality<br />
<b>!</b><br />
<b>interface dialer 1 !! defines a dialer rotary group</b><br />
mtu 1492 !! set mtu to 1492 because of the 8 byte pppoe overhead (6 byte pppoe header + 2 byte ppp protocol id); otherwise packets get fragmented<br />
ip address negotiated !! ip address is obtained via ppp/ipcp negotiation<br />
encapsulation ppp<br />
dialer pool 1 !! sets the dialing pool the dialer interface uses to connect<br />
ppp pap sent-username u1 password pwd1 !! defines pap auth (username/password sent in clear text)<br />
ppp chap hostname blah_hostname !! defines separate chap hostname for auth<br />
ppp chap password 0 blah_pass !! defines chap password for auth</blockquote>
<b>Configure PPPoE Server </b>(NOT NEEDED FOR CCNP ROUTE, BUT NEEDED TO LAB PPPOE):<br />
<blockquote class="tr_bq">
bba-group pppoe bba1<br />
virtual-template 1<br />
!<br />
interface loopback 1<br />
ip address 192.2.0.2 255.255.255.0<br />
!<br />
interface GigabitEthernet 0/0<br />
no ip address<br />
negotiation auto<br />
pppoe enable group bba1<br />
!<br />
interface virtual-template 1<br />
description pppoe bba1<br />
mtu 1492<br />
ip unnumbered loopback 1<br />
peer default ip address pool pool1<br />
ppp authentication pap<br />
!<br />
ip local pool pool1 192.2.0.1 192.2.0.10</blockquote>
<br />
<b>PPPoE Verification Commands:</b><br />
<blockquote class="tr_bq">
show pppoe interfaces<br />
show pppoe statistics<br />
show pppoe summary</blockquote>
<br />
<br />
<span style="font-size: large;"><b>PPPoE QA:</b></span><br />
1) What are the most common PPPoE clients?<br />
PCs connected to an ISP over broadband<br />
<br />
2) What communication technology is most associated with PPPoE?<br />
DSL<br />
<br />
3) What are the phases of PPPoE? What happens in each phase?<br />
Phase 1 = LCP (protocol acceptance + authentication matches).<br />
Phase 2 = NCP (Negotiation of L3 protocols) IF IP it negotiates compression + IP Address assignments.<br />
<br />
4) What protocols are used to authenticate PPPoE?<br />
PAP/CHAP<br />
a) Which one uses encryption? How does that protocol establish a connection?<br />
CHAP. It uses a three-way handshake to establish a connection.<br />
b) By process of elimination, which protocol uses plaintext?<br />
PAP<br />
c) How does *that* protocol establish a connection?<br />
During the LCP process it checks its local database for a match from the neighbor.<br />
<br />
5) Can a PPPoE server initiate a PPPoE connection?<br />
No, only a client can establish a PPPoE connection.<br />
<br />
6) Will PPPoE communicate via IP addresses or MAC addresses? Why?<br />
Because PPPoE goes across a shared medium, IP addresses are used to communicate with the concentrator.<br />
However, the MAC address is used as an authenticator.<br />
<br />
7) What is the most common MTU for PPPoE?<br />
1492<br />
a) Why is it smaller than a typical Ethernet frame?<br />
Because PPP has an 8 byte overhead<br />
<br />
8) Why is DHCP not supported with PPPoE?<br />
Because DHCP is an IP based protocol, while PPPoE is a L2 protocol.<br />
<br />
9) What is the "setroute" option used for?<br />
The setroute option sets the default route for a PPPoE client that has not yet established a connection.<br />
<br />
10) What command is used to set a static IP address for a PPPoE interface?<br />
Under interface dialer, configure ip address for static.<br />
<br />
11) What is "interesting traffic"?<br />
Any traffic that matches a permit statement in an ACL<br />
a) Why would you want it for a PPPoE connection?<br />
You want to specify interesting traffic if you are paying for a subscription service based on throughput.<br />
This limits what can use the connection.<br />
b) What is DDR and how does it relate to "interesting traffic"?<br />
DDR = Dial On Demand Routing is the feature that supports interesting traffic.<br />
<br />
12) Before configuring a username and password on a Cisco device, what commands are used for the VPDN setup?<br />
vpdn enable; vpdn-group &lt;X&gt;; request-dialin; protocol pppoe<br />
<br />
13) What command displays current PPPoE configuration?<br />
show pppoe session / show ip address outside pppoe<br />
<br />
14) What command displays current VPDN configuration?<br />
show vpdn / show vpdn tunnel<br />
<br />
15) What command clears VPDN settings?<br />
clear configure vpdn group<br />
<br />
16) Is it possible to set up an Easy VPN over PPPoE?<br />
no, easyvpn is not supported over pppoe<br />
a) How about MLP?<br />
no, MLPPP is not supported over pppoe<br />
b) What about NSF with SSO?<br />
no, NSF with SSO is not supported over pppoe<br />
<br />
17) Can a device be both a PPPoE client and server?<br />
no, a device cannot be a client and server<br />
<br />
18) In PPPoE, what is PADI, PADO, and PADR?<br />
PADI - PPPoE Active Discovery Initiation,<br />
PADO - PPPoE Active Discovery Offer,<br />
PADR - PPPoE Active Discovery Request<br />
<br />
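Q&amp;A items 4a to 4c above contrast CHAP's three-way handshake with PAP's plain text. The Python below is an added example (not from the original post) that builds both packet types per RFC 1334 and RFC 1994, runs the Challenge/Response/Success exchange against a local user database like the lab's <b>username CPE password 0 MyPassword</b>, and shows what an eavesdropper on the segment would see in each case. The authenticator name SERVER and the fixed challenge bytes are constructed values.<br />

```python
"""PAP vs CHAP on the wire. Added example for this page; CPE/MyPassword are the post's lab
values, the authenticator name SERVER and the challenge bytes are constructed."""
import hashlib
import struct

PAP_AUTH_REQUEST = 1                                                     # RFC 1334 Authenticate-Request
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 codes

# Local database as the lab's 'username CPE password 0 MyPassword' creates it. CHAP needs the
# cleartext secret on both ends, so the authenticator's configuration is itself sensitive.
USER_DB = {b"CPE": b"MyPassword"}


def _pkt(code, ident, body):
    """Common PPP auth header: code(1) identifier(1) length(2), then the body."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pap_authenticate_request(ident, peer_id, password):
    """PAP: the peer sends id and password as they are; anyone on the segment can read them."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _pkt(PAP_AUTH_REQUEST, ident, body)


def chap_hash(ident, secret, challenge):
    """CHAP response value: MD5(identifier || secret || challenge). The secret never goes on the wire."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident, challenge, name):
    """Step 1: authenticator -> peer, a fresh random challenge plus the authenticator's name."""
    return _pkt(CHAP_CHALLENGE, ident, bytes([len(challenge)]) + challenge + name)


def chap_response(ident, secret, challenge, name):
    """Step 2: peer -> authenticator. 'name' is what 'ppp chap hostname' sets on the client."""
    value = chap_hash(ident, secret, challenge)
    return _pkt(CHAP_RESPONSE, ident, bytes([len(value)]) + value + name)


def parse_chap(pkt):
    """Return (code, identifier, value, name) or raise on a malformed Challenge/Response."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("malformed CHAP packet")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]


def chap_verify(response_pkt, challenge, user_db):
    """Step 3: the authenticator looks the peer's name up locally, recomputes the hash and
    answers with Success or Failure. Returns (ok, packet)."""
    code, ident, value, name = parse_chap(response_pkt)
    secret = user_db.get(name)
    ok = code == CHAP_RESPONSE and secret is not None and value == chap_hash(ident, secret, challenge)
    msg = b"Welcome" if ok else b"Authentication failed"
    return ok, _pkt(CHAP_SUCCESS if ok else CHAP_FAILURE, ident, msg)


def three_way_handshake(user_db, client_name, client_secret, challenge):
    """Run Challenge -> Response -> Success/Failure; return (ok, every byte an eavesdropper saw)."""
    ident = 1
    c = chap_challenge(ident, challenge, b"SERVER")          # authenticator name: assumption
    r = chap_response(ident, client_secret, challenge, client_name)
    ok, s = chap_verify(r, challenge, user_db)
    return ok, c + r + s


def demo():
    challenge = bytes(range(16))                              # constructed; a real peer uses random bytes
    pap = pap_authenticate_request(1, b"CPE", b"MyPassword")
    ok, wire = three_way_handshake(USER_DB, b"CPE", b"MyPassword", challenge)
    bad, _ = three_way_handshake(USER_DB, b"CPE", b"WrongPassword", challenge)
    return {
        "pap_leaks_password": b"MyPassword" in pap,
        "chap_leaks_password": b"MyPassword" in wire,
        "chap_ok": ok,
        "chap_wrong_secret": bad,
        # Same secret, different challenge, different response: a captured response cannot be replayed.
        "replay_differs": chap_hash(1, b"MyPassword", challenge) != chap_hash(1, b"MyPassword", bytes(16)),
    }


if __name__ == "__main__":
    print(demo())
```

The three-way handshake is only as strong as the secret storage behind it: both sides hold the cleartext secret (the lab's <b>password 0</b> form), and the hash is MD5, so the configuration files and the shared secret need the same protection as any credential.<br />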
<br />
<span style="color: blue; font-size: large;"><b>LAB</b></span><br />
Configuring PPPoE in a VPDN group limited PPPoE configuration options because only one PPPoE VPDN group with one virtual template is permitted on a device.<br />
<br />
The PPPoE Profiles feature (bba-group = Broadband Aggregation Group) provides simplicity and flexibility in PPPoE configuration by separating PPPoE from VPDN configuration. The PPPoE Profiles feature allows multiple PPPoE profiles, each with a different configuration, to be used on a single device.<br />
- bba-group is needed if you want to use more than one PPPoE session<br />
<br />
<br />
VPDN is deprecated:<br />
Config with old IOS<br />
<blockquote class="tr_bq">
vpdn enable<br />
vpdn-group PPPOE<br />
accept-dialin<br />
protocol pppoe<br />
virtual-template 1<br />
<br />
interface virtual-template 1<br />
ip address 1.1.1.1 255.255.255.0<br />
ppp authentication chap<br />
ppp chap hostname MYROUTER</blockquote>
<br />
When configuring VPDN on a router running IOS 12.4(23):<br />
<a href="http://remiphilippe.fr/configuring-pppoe/">http://remiphilippe.fr/configuring-pppoe/</a><br />
<blockquote class="tr_bq">
SPRack1R6(config)#vpdn-group PPPOE<br />
SPRack1R6(config-vpdn)#accept-dialin<br />
SPRack1R6(config-vpdn-acc-in)#protocol pppoe</blockquote>
<br />
% PPPoE config from vpdn-group is converted to pppoe-profile based config.<br />
% Continue PPPoE configuration under 'bba-group pppoe global'<br />
<br />
Changed to:<br />
<blockquote class="tr_bq">
bba-group pppoe global<br />
virtual-template 1</blockquote>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMmiOW45DVXhehBdaxQ8vkfZg1IOt1_OUHWyQxFgJMUy_VAbIacus2DHY59xyhwB6RIrs4wqp51GbH-0OZ9ORXaMoFbcKSonR81Q0F3S-EoO0l5UDmrGTu7C9cjNvDbJfgWo0MG-LGip0/s1600/ccnp-rs-pppoe-lab1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="203" data-original-width="907" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMmiOW45DVXhehBdaxQ8vkfZg1IOt1_OUHWyQxFgJMUy_VAbIacus2DHY59xyhwB6RIrs4wqp51GbH-0OZ9ORXaMoFbcKSonR81Q0F3S-EoO0l5UDmrGTu7C9cjNvDbJfgWo0MG-LGip0/s640/ccnp-rs-pppoe-lab1.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Topology</span></td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><b>SERVER</b></span><br />
<blockquote class="tr_bq">
hostname SERVER<br />
username CPE password 0 MyPassword<br />
!<br />
bba-group pppoe MyGroup !! Broadband Aggregation (BBA) group will handle incoming PPPoE connection attempts<br />
virtual-template 1<br />
sessions per-mac limit 2 !! cap the number of PPPoE sessions per client MAC address<br />
!<br />
interface Gi0/0<br />
no sh<br />
no ip address<br />
duplex auto<br />
speed auto<br />
pppoe enable group MyGroup<br />
!<br />
int lo9<br />
ip add 9.9.9.9 255.255.255.0<br />
!<br />
interface Virtual-Template1 !! virtual template for the customer-facing interface<br />
ip address 10.0.0.1 255.255.255.0<br />
peer default ip address pool MyPool<br />
ppp authentication chap callin !! enforce CHAP authentication on our virtual template<br />
ppp ipcp route default !! installs a default route on this router pointing at the PPP peer; it does not push a route to the client (the client needs its own ip route or ppp ipcp route default on Dialer1)<br />
!<br />
ip local pool MyPool 10.0.0.2 10.0.0.254<br />
!<br />
ip route 0.0.0.0 0.0.0.0 10.0.0.2 !! route back to CPE LAN just for sake of testing<br />
!</blockquote>
<br />
<span style="font-size: large;"><b>Client</b></span><br />
<blockquote class="tr_bq">
hostname CPE<br />
interface Gi0/0<br />
no sh<br />
no ip address<br />
duplex auto<br />
speed auto<br />
pppoe enable<br />
pppoe-client dial-pool-number 1<br />
!<br />
interface Dialer1 !! handle the PPPoE connection, and tie it to a physical interface which provides the transport<br />
mtu 1492 !! to avoid unnecessary fragmentation<br />
ip address negotiated !! use an IP address provided by the PPPoE server<br />
encapsulation ppp<br />
dialer pool 1<br />
ppp chap password 0 MyPassword<br />
!<br />
int lo1<br />
description -= emulated LAN =-<br />
ip add 192.168.1.1 255.255.255.0<br />
!<br />
! ip route 0.0.0.0 0.0.0.0 Dialer1 !! Route all traffic via the PPPoE link; ppp ipcp route default not working<br />
do wr<br />
!</blockquote>
<br />
<br />
CPE# show pppoe session<br />
CPE# clear int dialer 1 !! restart pppoe client<br />
CPE# debug ppp authentication<br />
CPE# debug ppp negotiation<br />
SERVER# show users<br />
<br />
<span style="font-size: large;"><b>Verify</b></span><br />
<br />
A virtual template interface is used to provide the configuration for dynamically created Virtual-Access interfaces.<br />
It is created by users and can be saved in nonvolatile RAM (NVRAM).<br />
<br />
SERVER# <b>sh ip int br | inc up</b><br />
GigabitEthernet0/0 unassigned YES NVRAM up up <br />
Loopback9 9.9.9.9 YES NVRAM up up <br />
Virtual-Access2 unassigned YES unset up up <br />
Virtual-Access2.1 10.0.0.1 YES NVRAM up up <br />
SERVER#<br />
<br />
SERVER# <b>show users</b><br />
Line User Host(s) Idle Location<br />
* 0 con 0 idle 00:00:00 <br />
Interface User Mode Idle Peer Address<br />
Vi2.1 PPPoE - 10.0.0.2<br />
SERVER#<br />
<br />
<br />
CPE# <b>sh ip int br | inc up</b><br />
GigabitEthernet0/0 unassigned YES unset up up <br />
Dialer1 10.0.0.2 YES IPCP up up <br />
Loopback1 192.168.1.1 YES manual up up <br />
Virtual-Access1 unassigned YES unset up up <br />
Virtual-Access2 unassigned YES unset up up <br />
CPE#<br />
<br />
CPE# <b>show pppoe session</b><br />
1 client session<br />
Uniq ID PPPoE RemMAC Port VT VA State<br />
SID LocMAC VA-st Type<br />
N/A 1 5003.0002.0000 Gi0/0 Di1 Vi2 UP <br />
5003.0001.0000 UP <br />
<br />
<b>Check connectivity:</b><br />
<blockquote class="tr_bq">
CPE#<b> ping 9.9.9.9 source 192.168.1.1</b><br />
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:<br />
Packet sent with a source address of 192.168.1.1<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/15 ms<br />
CPE#</blockquote>
<br />
<b>Restart PPPoE session</b><br />
<blockquote class="tr_bq">
CPE# debug ppp negotiation<br />
CPE# debug ppp authentication<br />
CPE# clear int dialer 1<br />
CPE#<br />
*Nov 30 10:19:50.142: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1<br />
*Nov 30 10:19:50.147: Vi2 PPP: Block vaccess from being freed [0x10]<br />
*Nov 30 10:19:50.163: Di1 Deleted neighbor route from AVL tree: topoid 0, address 10.0.0.1<br />
*Nov 30 10:19:50.164: Di1 IPCP: Remove route to 10.0.0.1<br />
*Nov 30 10:19:50.166: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down<br />
*Nov 30 10:19:50.173: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down<br />
*Nov 30 10:19:50.174: Vi2 PPP: Sending cstate DOWN notification<br />
*Nov 30 10:19:50.188: Vi2 PPP: Processing CstateDown message<br />
*Nov 30 10:19:50.189: Vi2 PPP DISC: Lower Layer disconnected<br />
*Nov 30 10:19:50.190: PPP: NET STOP send to AAA.<br />
*Nov 30 10:19:50.192: Vi2 IPCP: Event[DOWN] State[Open to Starting]<br />
*Nov 30 10:19:50.193: Vi2 IPCP: Event[CLOSE] State[Starting to Initial]<br />
*Nov 30 10:19:50.193: Vi2 CDPCP: Event[DOWN] State[Stopped to Starting]<br />
*Nov 30 10:19:50.194: Vi2 CDPCP: Event[CLOSE] State[Starting to Initial]<br />
*Nov 30 10:19:50.195: Vi2 LCP: O TERMREQ [Open] id 2 len 4<br />
*Nov 30 10:19:50.195: Vi2 LCP: Event[CLOSE] State[Open to Closing]<br />
*Nov 30 10:19:50.196: Vi2 PPP: Phase is TERMINATING<br />
*Nov 30 10:19:50.200: Vi2 LCP: Event[DOWN] State[Closing to Initial]<br />
*Nov 30 10:19:50.204: Vi2 PPP: Unlocked by [0x10] Still Locked by [0x0]<br />
*Nov 30 10:19:50.205: Vi2 PPP: Free previously blocked vaccess<br />
*Nov 30 10:19:50.205: Vi2 PPP: Phase is DOWN<br />
CPE#</blockquote>
<br />
<span style="font-size: large;"><b>Debug on</b><b> SERVER</b></span><br />
<b>PPP Phases:</b><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyU9N97THpQTmwfqzVpKbqrU8rNUHA7I_4eOx9caw-OJx59jp29EjqSTq-APoMbhPv_3T7PGbAtrpf7n_jzUbMta4i-G1ZYMiJAmY4KK4YNITKeZdxCr2j91UJQw02GWDGEi6t2rK2vh0/s1600/25440-debug-ppp-negotiation3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="246" data-original-width="574" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyU9N97THpQTmwfqzVpKbqrU8rNUHA7I_4eOx9caw-OJx59jp29EjqSTq-APoMbhPv_3T7PGbAtrpf7n_jzUbMta4i-G1ZYMiJAmY4KK4YNITKeZdxCr2j91UJQw02GWDGEi6t2rK2vh0/s1600/25440-debug-ppp-negotiation3.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25440-debug-ppp-negotiation.html">https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25440-debug-ppp-negotiation.html</a></td></tr>
</tbody></table>
<br />
1) LCP (Link establishment Phase).<br />
2) Authentication (PAP,CHAP or EAP).<br />
3) NCP (Network Control Phase).<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt2QZ8g0K5wfFfmseoadF3lgUVqV4O2ONZmSL_lW2OBE65dhQUZ7tMkaueifl4AUMt9q4xvYucLhqbQepOn63CtFfBiLcAxdpI7kOxEpjGF4_tOGZAg2acSe0dYOVUVZfTL_nS9yyo0q8/s1600/pppoe-phases.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="602" data-original-width="880" height="433" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt2QZ8g0K5wfFfmseoadF3lgUVqV4O2ONZmSL_lW2OBE65dhQUZ7tMkaueifl4AUMt9q4xvYucLhqbQepOn63CtFfBiLcAxdpI7kOxEpjGF4_tOGZAg2acSe0dYOVUVZfTL_nS9yyo0q8/s640/pppoe-phases.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">https://aproductiveday.wordpress.com/2013/09/08/ppp-negotiation-process-3/</td></tr>
</tbody></table>
<br />
<br />
I (e.g. I CONFREQ) - packet received by this device (IN)<br />
O (e.g. O CONFACK) - packet sent by this device (OUT)<br />
<b><br /></b>
SERVER#<b> debug pppoe events </b><br />
SERVER#<b> debug ppp authentication</b><br />
SERVER#<b> debug ppp negotiation </b><br />
SERVER#<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:36.448: PPPoE 0: I <b><span style="color: blue;">PADI </span></b>R:5003.0001.0000 L:ffff.ffff.ffff Gi0/0</span><br />
*Dec 3 13:17:36.450: Service tag: NULL Tag<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:36.450: PPPoE 0: O <b><span style="color: blue;">PADO</span></b>, R:5003.0002.0000 L:5003.0001.0000 Gi0/0</span><br />
*Dec 3 13:17:36.451: Service tag: NULL Tag<br />
!<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.497: PPPoE 0: I <b><span style="color: blue;">PADR </span></b>R:5003.0001.0000 L:5003.0002.0000 Gi0/0</span><br />
*Dec 3 13:17:38.498: Service tag: NULL Tag<br />
*Dec 3 13:17:38.499: PPPoE : encap string prepared<br />
*Dec 3 13:17:38.500: [5]PPPoE 5: Access IE handle allocated<br />
*Dec 3 13:17:38.503: [5]PPPoE 5: AAA unique ID 13 allocated<br />
*Dec 3 13:17:38.503: [5]PPPoE 5: No AAA accounting method list<br />
*Dec 3 13:17:38.507: [5]PPPoE 5: Service request sent to SSS<br />
*Dec 3 13:17:38.508: [5]PPPoE 5: Created, Service: None R:5003.0002.0000 L:5003.0001.0000 Gi0/0<br />
*Dec 3 13:17:38.539: [5]PPPoE 5: State NAS_PORT_POLICY_INQUIRY Event SSS MORE KEYS<br />
*Dec 3 13:17:38.540: PPP: Alloc Context [EBC3F4C]<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.541: ppp5 PPP: Phase is ESTABLISHING</span><br />
*Dec 3 13:17:38.546: [5]PPPoE 5: data path set to PPP<br />
*Dec 3 13:17:38.547: [5]PPPoE 5: Segment (SSS class): PROVISION<br />
*Dec 3 13:17:38.547: [5]PPPoE 5: State PROVISION_PPP Event SSM PROVISIONED<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.548: [5]PPPoE 5: O <b><span style="color: blue;">PADS </span></b>R:5003.0001.0000 L:5003.0002.0000 Gi0/0</span><br />
*Dec 3 13:17:38.551: ppp5 PPP: Using vpn set call direction<br />
*Dec 3 13:17:38.552: ppp5 PPP: Treating connection as a callin<br />
*Dec 3 13:17:38.552: ppp5 PPP: Session handle[90000005] Session id[5]<br />
*Dec 3 13:17:38.553: ppp5 LCP: Event[OPEN] State[Initial to Starting]<br />
*Dec 3 13:17:38.554: ppp5 PPP: No remote authentication for call-in<br />
*Dec 3 13:17:38.554: ppp5 PPP LCP: Enter passive mode, state[Stopped]<br />
*Dec 3 13:17:38.629: ppp5 LCP: I CONFREQ [Stopped] id 1 len 14<br />
*Dec 3 13:17:38.630: ppp5 LCP: MRU 1492 (0x010405D4)<br />
*Dec 3 13:17:38.630: ppp5 LCP: MagicNumber 0x13410D31 (0x050613410D31)<br />
*Dec 3 13:17:38.631: ppp5 LCP: O CONFREQ [Stopped] id 1 len 14<br />
*Dec 3 13:17:38.631: ppp5 LCP: MRU 1492 (0x010405D4)<br />
*Dec 3 13:17:38.632: ppp5 LCP: MagicNumber 0x13269944 (0x050613269944)<br />
*Dec 3 13:17:38.633: ppp5 LCP: O CONFACK [Stopped] id 1 len 14<br />
*Dec 3 13:17:38.634: ppp5 LCP: MRU 1492 (0x010405D4)<br />
*Dec 3 13:17:38.634: ppp5 LCP: MagicNumber 0x13410D31 (0x050613410D31)<br />
*Dec 3 13:17:38.635: ppp5 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]<br />
*Dec 3 13:17:38.640: ppp5 LCP: I CONFACK [ACKsent] id 1 len 14<br />
*Dec 3 13:17:38.641: ppp5 LCP: MRU 1492 (0x010405D4)<br />
*Dec 3 13:17:38.641: ppp5 LCP: MagicNumber 0x13269944 (0x050613269944)<br />
*Dec 3 13:17:38.641: ppp5 LCP: Event[Receive ConfAck] State[ACKsent to Open]<br />
*Dec 3 13:17:38.649: ppp5 PPP: No authorization without authentication<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.651: ppp5 PPP: Phase is FORWARDING, Attempting Forward</span><br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.651: ppp5 LCP: State is Open</span><br />
*Dec 3 13:17:38.705: ppp5 PPP: Queue IPCP code[1] id[1]<br />
*Dec 3 13:17:38.706: ppp5 PPP: Discarded CDPCP code[1] id[1]<br />
*Dec 3 13:17:38.718: [5]PPPoE 5: State LCP_NEGOTIATION Event SSS CONNECT LOCAL<br />
*Dec 3 13:17:38.732: [5]PPPoE 5: Segment (SSS class): UPDATED<br />
*Dec 3 13:17:38.733: [5]PPPoE 5: Segment (SSS class): BOUND<br />
*Dec 3 13:17:38.734: [5]PPPoE 5: data path set to Virtual Acess<br />
*Dec 3 13:17:38.734: [5]PPPoE 5: State LCP_NEGOTIATION Event SSM UPDATED<br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.737: Vi2.1 PPP: Phase is ESTABLISHING, Finish LCP</span><br />
<span style="background-color: #d9ead3;">*Dec 3 13:17:38.738: Vi2.1 PPP: Phase is UP</span><br />
*Dec 3 13:17:38.738: Vi2.1 IPCP: Protocol configured, start CP. state[Initial]<br />
*Dec 3 13:17:38.739: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]<br />
*Dec 3 13:17:38.739: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10<br />
*Dec 3 13:17:38.740: Vi2.1 IPCP: Address 10.0.0.1 (0x03060A000001)<br />
*Dec 3 13:17:38.741: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]<br />
*Dec 3 13:17:38.742: Vi2.1 PPP: Process pending ncp packets<br />
*Dec 3 13:17:38.742: Vi2.1 IPCP: Redirect packet to Vi2.1<br />
*Dec 3 13:17:38.742: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 10<br />
*Dec 3 13:17:38.742: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000)<br />
*Dec 3 13:17:38.743: Vi2.1 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 0.0.0.0<br />
*Dec 3 13:17:38.744: Vi2.1 IPCP: Pool returned 10.0.0.6<br />
*Dec 3 13:17:38.745: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 10<br />
*Dec 3 13:17:38.745: Vi2.1 IPCP: Address 10.0.0.6 (0x03060A000006)<br />
*Dec 3 13:17:38.747: Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]<br />
*Dec 3 13:17:38.749: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10<br />
*Dec 3 13:17:38.749: Vi2.1 IPCP: Address 10.0.0.1 (0x03060A000001)<br />
*Dec 3 13:17:38.749: Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]<br />
*Dec 3 13:17:38.753: [5]PPPoE 5: State PTA_BINDING Event STATIC BIND RESPONSE<br />
*Dec 3 13:17:38.754: [5]PPPoE 5: Connected PTA<br />
*Dec 3 13:17:38.754: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 10<br />
*Dec 3 13:17:38.755: Vi2.1 IPCP: Address 10.0.0.6 (0x03060A000006)<br />
*Dec 3 13:17:38.755: Vi2.1 IPCP: <b><span style="color: blue;">O CONFACK</span></b> [ACKrcvd] id 2 len 10<br />
*Dec 3 13:17:38.756: Vi2.1 IPCP: <b><span style="color: blue;">Address 10.0.0.6</span></b> (0x03060A000006)<br />
*Dec 3 13:17:38.757: Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]<br />
*Dec 3 13:17:38.758: Vi2.1 IPCP: State is Open<br />
*Dec 3 13:17:38.761: PPPoE : ipfib_encapstr prepared<br />
*Dec 3 13:17:38.765: Vi2.1 IPCP: Install default route thru 10.0.0.6<br />
*Dec 3 13:17:38.768: Vi2.1 Added to neighbor route AVL tree: topoid 0, address 10.0.0.6<br />
*Dec 3 13:17:38.768: Vi2.1 IPCP: Install route to 10.0.0.6<br />
*Dec 3 13:17:40.686: Vi2.1 CDPCP: I CONFREQ [UNKNOWN] id 2 len 4<br />
*Dec 3 13:17:40.686: Vi2.1 LCP: O PROTREJ [Open] id 2 len 10 protocol CDPCP (0x01020004)<br />
SERVER#<br />
<br />
<br />
<b>Check Client IP</b><br />
<blockquote class="tr_bq">
<b>CPE</b># sh ip int br | inc Dialer1<br />
Interface IP-Address OK? Method Status Protocol<br />
Dialer1 <span style="color: blue;"><b>10.0.0.6 </b></span> YES IPCP up up <br />
CPE#</blockquote>
<br />
<b>2017 CCNP RS, IP operations: ICMP, TCP, UDP, TTL, Fragmentation</b> (published 2017-11-26, updated 2017-12-11)<a name='more'></a><br />
LFN: BDP > 12.5 KBytes<br />
<br />
<br />
Sources:<br />
- <a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-12-4t-book/iap-tcp.html">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-12-4t-book/iap-tcp.html</a><br />
- <a href="https://en.wikipedia.org/wiki/Maximum_segment_size">https://en.wikipedia.org/wiki/Maximum_segment_size</a><br />
- <a href="http://blog.ine.com/2008/11/05/dealing-with-fragmented-traffic/">http://blog.ine.com/2008/11/05/dealing-with-fragmented-traffic/</a><br />
- <a href="http://routenull.net/route-300-101/">http://routenull.net/route-300-101/</a><br />
- <a href="https://en.wikipedia.org/wiki/IP_fragmentation">https://en.wikipedia.org/wiki/IP_fragmentation</a><br />
<br />
<span style="color: blue; font-size: large;"><b>IP Fragmentation</b></span><br />
IP fragmentation is an Internet Protocol (IP) process that breaks datagrams into smaller pieces (fragments), so that packets may be formed that can pass through a link with a smaller maximum transmission unit (MTU) than the original datagram size. The fragments are reassembled by the receiving host.<br />
RFC 791 describes the procedure for IP fragmentation, and the transmission and reassembly of datagrams. RFC 815 describes a simplified reassembly algorithm.<br />
<br />
Under IPv4, a router that receives a protocol data unit (PDU) larger than the next hop's MTU has two options:<br />
- drop the PDU and send an Internet Control Message Protocol (ICMP) message which indicates the condition Packet too Big,<br />
- or fragment the IP packet and send it over the link with a smaller MTU.<br />
<br />
IPv6 hosts are required to determine the optimal Path MTU before sending packets; however, it is guaranteed that any IPv6 packet smaller than or equal to 1280 bytes must be deliverable.<br />
<br />
<b>IPv4 and IPv6 differences</b><br />
The overall architectural approach to fragmentation differs between IPv4 and IPv6.<br />
<b>Routers:</b><br />
- In IPv4, routers perform fragmentation, whereas in IPv6, routers do not fragment, but drop the packets that are larger than their MTU.<br />
- Unlike in IPv4, <u><span style="color: #cc0000;"><b>IPv6 routers never fragment IPv6 packets.</b></span></u> Packets exceeding the size of the maximum transmission unit of the destination link are dropped and this condition is signaled by a Packet too Big ICMPv6 type 2 message to the originating node, similarly to the IPv4 method when the Don't Fragment bit is set.<br />
- Though the header formats are different for IPv4 and IPv6, analogous fields are used for fragmentation, so the same algorithm can be reused for IPv4 and IPv6 fragmentation and reassembly.<br />
<br />
- When a router receives an IPv4 packet larger than the MTU of the egress interface it splits it into multiple smaller packets. The fragments are forwarded as independent packets and the destination host is responsible for reassembling them.<br />
- However, when the Don't Fragment (DF) bit is set in the IP header the packet is discarded instead of fragmented. The router also generates an ICMP Unreachable error message (Type 3, Code 4).<br />
<br />
<b>Hosts:</b><br />
- In IPv4, hosts must make a best-effort attempt to reassemble fragmented IP datagrams with a total reassembled size of up to 576 bytes. They may also attempt to reassemble fragmented IP datagrams larger than 576 bytes, but they are also permitted to silently discard such larger datagrams.<br />
- In IPv6, hosts must make a best-effort attempt to reassemble fragmented datagrams with a total reassembled size of up to 1500 bytes, larger than IPv6's minimum MTU of 1280 bytes. Fragmented datagrams with a total reassembled size larger than 1500 bytes may optionally be silently discarded.<br />
<br />
<b>Why Fragmentation should be avoided</b><br />
- Fragmentation isn’t always supported by applications<br />
- CPU and memory overhead to fragment the packets<br />
- CPU and memory overhead to reassemble the packets at the destination<br />
- Entire packets are retransmitted when a single fragment is dropped<br />
- Firewalls using layer 4 to 7 filtering can have issues processing fragments<br />
- impacts application performance (e.g. TCP has to re-send the whole packet when a single fragment is lost)<br />
- traffic fragmentation is used in numerous network attacks, allowing an attacker to bypass firewalls or IDSes in some situations.<br />
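<br />
Added example, not part of the original notes: a small Python model of the router decision described above. forward() fragments an IPv4 datagram to fit the egress MTU (offsets in 8-octet units, MF set on all but the last piece) or, when DF is set, drops it and reports the ICMP Type 3 Code 4 error; reassemble() shows why a single lost fragment costs the whole datagram. It assumes a plain 20-byte IPv4 header with no options.<br />

```python
# Added example (not from the original notes): model an IPv4 router's choice
# between fragmenting a datagram and dropping it with ICMP Type 3 Code 4 when
# the Don't Fragment bit is set. Assumes a 20-byte IPv4 header with no options.
from dataclasses import dataclass, field
from typing import List, Optional

IP_HDR_LEN = 20        # IPv4 header without options
FRAG_UNIT = 8          # fragment offsets are counted in 8-octet units
MIN_LINK_MTU = 68      # RFC 791: 60-byte max header + one 8-octet fragment


@dataclass
class Fragment:
    offset: int            # fragment offset field (in 8-octet units)
    data_len: int          # payload octets carried by this fragment
    more_fragments: bool   # MF flag


@dataclass
class ForwardResult:
    fragments: List[Fragment] = field(default_factory=list)
    icmp_error: Optional[str] = None   # set when the router drops the datagram


def forward(total_len: int, egress_mtu: int, df: bool) -> ForwardResult:
    """Decide what a router does with a datagram of total_len octets (header
    included) that must leave on a link with egress_mtu."""
    if egress_mtu < MIN_LINK_MTU:
        raise ValueError("every link must carry a 68-octet datagram (RFC 791)")
    if total_len <= egress_mtu:
        # Fits: forwarded unchanged as a single, unfragmented datagram.
        return ForwardResult([Fragment(0, total_len - IP_HDR_LEN, False)])
    if df:
        # DF set: the router may not fragment. It drops the datagram and tells
        # the sender the next-hop MTU; this is the message PMTUD relies on.
        return ForwardResult(
            icmp_error=f"ICMP Type 3 Code 4: fragmentation needed, next-hop MTU {egress_mtu}")
    payload = total_len - IP_HDR_LEN
    # Each fragment carries as much payload as fits, rounded down to a
    # multiple of 8 so the offset field can describe it.
    per_frag = (egress_mtu - IP_HDR_LEN) // FRAG_UNIT * FRAG_UNIT
    fragments, sent = [], 0
    while sent < payload:
        chunk = min(per_frag, payload - sent)
        sent += chunk
        fragments.append(Fragment((sent - chunk) // FRAG_UNIT, chunk, sent < payload))
    return ForwardResult(fragments)


def reassemble(fragments: List[Fragment]) -> Optional[int]:
    """Return the reassembled datagram length, or None if any piece is missing.
    A receiver cannot use a partial datagram, so one lost fragment means the
    whole datagram (all of its fragments) has to be sent again."""
    expected = 0
    for frag in sorted(fragments, key=lambda f: f.offset):
        if frag.offset * FRAG_UNIT != expected:
            return None                      # gap: a fragment was lost
        expected += frag.data_len
        if not frag.more_fragments:
            return IP_HDR_LEN + expected     # last fragment seen
    return None                              # tail is missing


if __name__ == "__main__":
    result = forward(3000, 1500, df=False)
    for frag in result.fragments:
        print(frag)
    print(reassemble(result.fragments))         # 3000
    print(reassemble(result.fragments[:-1]))    # None: tail fragment lost
    print(forward(3000, 1500, df=True).icmp_error)
```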
<br />
<br />
<b><span style="color: blue; font-size: large;">ICMP</span></b><br />
- Internet Control Message Protocol<br />
- ICMP for IPv4 is defined in RFC 792<br />
- ICMP is a supporting protocol in the Internet protocol suite.<br />
- It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.<br />
- ICMP is also used to obtain diagnostic information (e.g. round-trip times, the routers along a path).<br />
- ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of diagnostic tools such as ping and traceroute).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiayaE7_YMEwyqg6CO83hK9CuWTiR6NbCW_HmrZYak7i9gKe-JFh40Gsw0q-RQFIurxiqykFXiucl6y-_MhvshkbkomZwnm_IEqkFkIzeZiYegJrQEKHWzF5ssTbQgSem4D6l6uRtFP0Ik/s1600/icmp.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="391" data-original-width="705" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiayaE7_YMEwyqg6CO83hK9CuWTiR6NbCW_HmrZYak7i9gKe-JFh40Gsw0q-RQFIurxiqykFXiucl6y-_MhvshkbkomZwnm_IEqkFkIzeZiYegJrQEKHWzF5ssTbQgSem4D6l6uRtFP0Ik/s400/icmp.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>ICMP Encapsulation</b></td></tr>
</tbody></table>
<br />
<br />
<br />
ICMP Header differs - <a href="https://www.frozentux.net/iptables-tutorial/chunkyhtml/x281.html">https://www.frozentux.net/iptables-tutorial/chunkyhtml/x281.html</a><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKK7pfF7T7Gz-GC-w-9NkZeAbjf8XNqzOt6ZSij2CmOJ69KaycpQf8aJPyGWzNvQTZxPBmXILvW8_-aHCzFSbU4FkEd8T_MyUDUnR7nTEvmgHpGYa-5-3ufhCOJxR5FNwvBDDHbQpjXhY/s1600/icmp_header.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="177" data-original-width="500" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKK7pfF7T7Gz-GC-w-9NkZeAbjf8XNqzOt6ZSij2CmOJ69KaycpQf8aJPyGWzNvQTZxPBmXILvW8_-aHCzFSbU4FkEd8T_MyUDUnR7nTEvmgHpGYa-5-3ufhCOJxR5FNwvBDDHbQpjXhY/s400/icmp_header.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><b>ICMP Header</b></span></td></tr>
</tbody></table>
There are a few header fields that are common to all ICMP types.<br />
<br />
<b>Type</b> - The 8-bit Type field identifies the kind of ICMP packet and differs from one ICMP type to the next. For example, ICMP Destination Unreachable packets carry Type 3. For a complete listing of the ICMP types, see the ICMP types appendix of the iptables tutorial linked above.<br />
<br />
<b>Code</b> - Each ICMP type can carry different codes. Some types have only a single code, while others have several. For example, ICMP Destination Unreachable (Type 3) can carry at least Codes 0, 1, 2, 3, 4 or 5, and each code has a different meaning in that context. This field is 8 bits long. For a complete listing of the codes, see the same appendix.<br />
<br />
<b>Checksum</b> - The Checksum is a 16-bit field holding the one's complement of the one's complement sum of the ICMP message, starting with the ICMP Type field and running to the end. While calculating the checksum, the checksum field itself is set to zero.<br />
<br />
From this point on the headers of the different ICMP types diverge. The table and list below cover the most common types and their codes.<br />
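<br />
Added example, not part of the original notes: building and checking the common ICMP header fields described above in Python. inet_checksum() is the RFC 792 one's complement checksum, build_echo_request() produces a Type 8 message with the field zeroed during calculation, and parse_icmp() decodes Type, Code and Checksum and verifies the whole message sums to zero. The type names come from the list on this page; the packet contents are constructed for the example.<br />

```python
# Added example (not from the original notes): build and verify the ICMP
# common header. The checksum is the RFC 792 one's complement sum, computed
# with the checksum field zeroed.
import struct
from typing import Dict

# Type numbers as listed in these notes
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 11: "Time Exceeded",
              12: "Parameter Problem"}


def inet_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of the 16-bit words of data
    (an odd trailing byte is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP Echo Request (Type 8, Code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum field zero
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Dict[str, object]:
    """Decode Type, Code and Checksum and verify the checksum over the whole
    message: a valid message sums to zero when the checksum field is included."""
    if len(packet) < 4:
        raise ValueError("ICMP message shorter than its 4-byte common header")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "other"),
        "code": code,
        "checksum": csum,
        "checksum_ok": inet_checksum(packet) == 0,
    }


if __name__ == "__main__":
    pkt = build_echo_request(ident=0x1234, seq=1, payload=b"abcdefgh")  # constructed
    print(parse_icmp(pkt))
    damaged = bytearray(pkt)
    damaged[-1] ^= 0xFF                      # corrupt one payload byte
    print(parse_icmp(bytes(damaged))["checksum_ok"])   # False
```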
<br />
<br />
<b><a href="http://telescript.denayer.wenk.be/~hcr/cn/idoceo/ip_icmp.html">http://telescript.denayer.wenk.be/~hcr/cn/idoceo/ip_icmp.html</a></b><br />
<table align="center" border="0" cellpadding="2" cellspacing="4" style="font-family: Arial, Helvetica, sans-serif; width: 84%px;"><tbody>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td class="header" style="background-color: #eeee00; color: black; font-size: 13px; font-style: italic; line-height: 18px;" valign="top" width="26%"><strong>Function</strong></td><td class="header" style="background-color: #eeee00; color: black; font-size: 13px; font-style: italic; line-height: 18px;" valign="top" width="31%"><strong>ICMP message(s)</strong></td><td class="header" style="background-color: #eeee00; color: black; font-size: 13px; font-style: italic; line-height: 18px;" valign="top" width="43%"><strong>Use</strong></td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"><strong><em>Error reporting</em></strong></td><td style="line-height: 18px;" valign="top">Destination Unreachable</td><td style="line-height: 18px;" valign="top">a datagram has been discarded due to the reason specified in the message</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top">Time exceeded</td><td style="line-height: 18px;" valign="top">Time-to-live parameter in a datagram expired and hence discarded.<br />
<b>TraceRoute</b> is a tool which maps network routes by sending packets with small TTL values and watching the ICMP timeout announcements.</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top">Parameter Error</td><td style="line-height: 18px;" valign="top">A parameter in the header of a datagram is unrecognizable</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"><strong><em>Reachability testing</em></strong></td><td style="line-height: 18px;" valign="top">Echo request / reply</td><td style="line-height: 18px;" valign="top">Checks the reachability of a specified host or gateway. <b>Ping</b>, a common network management tool, is based on this feature. Ping transmits a series of packets, measuring average round-trip times and computing loss percentages.</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"><strong><em>Congestion control</em></strong></td><td style="line-height: 18px;" valign="top">Source Quench</td><td style="line-height: 18px;" valign="top">Requests a host to reduce the rate at which datagrams are sent</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"><strong><em>Route exchange</em></strong></td><td style="line-height: 18px;" valign="top">Redirect</td><td style="line-height: 18px;" valign="top">Used by a gateway to inform a host attached to one of its networks to use an alternative gateway on the same network for forwarding datagrams to a specific destination</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"><strong><em>Performance measuring</em></strong></td><td style="line-height: 18px;" valign="top">Time-stamp request / reply</td><td style="line-height: 18px;" valign="top">determines the transit delay between two hosts</td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td><td style="line-height: 18px;" valign="top"></td></tr>
<tr style="color: #333333; font-size: 12px; line-height: 18px;"><td style="line-height: 18px;" valign="top"><strong><em>Subnet addressing</em></strong></td><td style="line-height: 18px;" valign="top">Address mask request / reply</td><td style="line-height: 18px;" valign="top">Used by a host to determine the address mask associated with a subnet</td></tr>
</tbody></table>
<br />
<span style="color: blue;">The most commonly used message types are:</span><br />
<b>Errors:</b><br />
Destination Unreachable (Type 3)<br />
Redirect (Type 5)<br />
Time Exceeded (Type 11) - <b>TTL expired - used by traceroute</b><br />
Parameter Problem (Type 12)<br />
<br />
<b>Informational:</b><br />
Echo Reply (Type 0)<b> - the reply ping receives</b><br />
Echo Request (Type 8)<b> - the request ping sends</b><br />
Router Advertisement (Type 9)<br />
Router Solicitation (Type 10)<br />
<br />
<b>ICMP Redirect</b><br />
An ICMP redirect is an error message sent by a router to the sender of an IP packet. Redirects are used when a router believes a packet is being routed suboptimally and wants to inform the sending host that it should forward subsequent packets to that same destination through a different gateway. In theory a host with multiple gateways could have one default route and learn more optimal specific routes over time by way of ICMP redirects.<br />
<a href="http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm">http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm</a><br />
<br />
<br />
<br />
<b><span style="color: blue; font-size: large;">IP MTU</span></b><br />
<br />
<a href="https://elifulkerson.com/projects/mturoute.php">https://elifulkerson.com/projects/mturoute.php</a><br />
<b>mturoute.exe</b> is a small command line application that uses ICMP pings of various sizes in order to determine the MTU values on the path between itself and the target system. It also includes a "traceroute" like mode where it will attempt to determine the lowest MTU between the local host and each hop in the communication.<br />
<br />
Maximum Transmission Unit is the size of the largest network layer protocol data unit that can be communicated in a single network transaction.<br />
<blockquote class="tr_bq">
Ethernet v2: 1500<br />
Ethernet jumbo: 1501 – 9198 or more<br />
Ethernet IEEE 802.2 LLC: 1492<br />
WLAN (802.11): 2304<br />
Token Ring (802.5): 4464<br />
FDDI: 4352<br />
Internet IPv4: min 68 - max 64 KB<br />
Internet IPv6: min 1280, max 64 KB, but up to 4 GB with an option</blockquote>
<br />
Every internet module must be able to forward a datagram of 68 octets without further fragmentation.<br />
This is because an internet header may be up to 60 octets, and the minimum fragment is 8 octets.<br />
<br />
Every internet destination must be able to receive a datagram of 576 octets either in one piece or in fragments to be reassembled.<br />
Fragmentation in IPv4 is handled in either the host or in routers.<br />
<a href="https://tools.ietf.org/html/rfc791">https://tools.ietf.org/html/rfc791</a><br />
<br />
MTU vs IP MTU<br />
<a href="http://switchpacket.blogspot.md/2014/07/understanding-difference-between-mtu.html">http://switchpacket.blogspot.md/2014/07/understanding-difference-between-mtu.html</a><br />
<br />
<span style="color: blue;"><b>MSS</b></span><br />
<b><u>(The Default)</u></b> TCP Maximum Segment Size<br />
- The default IP Maximum Datagram Size is 576.<br />
- The default TCP Maximum Segment Size is 536 (TCP MSS = IP max datagram size - 40 bytes of IP and TCP headers).<br />
<br />
- The maximum size datagram that all hosts are required to accept or reassemble from fragments is 576 octets.<br />
- The maximum size reassembly buffer every host must have is 576 octets.<br />
- Hosts are allowed to accept larger datagrams and assemble fragments into larger datagrams, hosts may have buffers as large as they please.<br />
- Hosts must not send datagrams larger than 576 octets unless they have specific knowledge that the destination host is prepared to accept larger datagrams.<br />
<br />
<br />
- IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576 - 20 - 20)<br />
- IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280 - 40 - 20).<br />
<br />
<br />
- Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.<br />
- Each direction of data flow can use a different MSS.<br />
- For most computer users, the MSS option is established by the operating system.<br />
<br />
<br />
<span style="color: blue;"><b>PMTUD </b></span><br />
Path MTU Discovery is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation.<br />
<br />
- PMTUD was originally intended for routers in IPv4.<br />
- However, all modern operating systems use it on endpoints.<br />
- In IPv6, this function has been explicitly delegated to the end points of a communications session.<br />
<br />
Many network security devices block all ICMP messages for perceived security benefits, including the errors that are necessary for the proper operation of PMTUD. This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is transferred. This state is referred to as a <b>black hole connection</b>.<br />
<br />
A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with an MTU lower than the Ethernet default of 1500. This is known as <b>MSS clamping</b>, and it is used because Internet-wide Path MTU Discovery rarely works. <a href="http://blog.ipspace.net/2013/01/tcp-mss-clamping-what-is-it-and-why-do.html">link :)</a><br />
<br />
<br />
<b>Adjusting the MTU</b><br />
<span style="background-color: #f4cccc;">IP MTU = adjusts the MTU of the egress interface, so it only affects packets the router sends out of that interface.</span><br />
<span style="background-color: #f4cccc;">IP TCP Adjust-MSS = adjusts the MSS in TCP SYNs passing through the interface, so it affects both the sending and the returning direction of the connection.</span><br />
<span style="background-color: #f4cccc;"><br /></span>
The <b>ip tcp adjust-mss</b> command adjusts the MSS value of TCP SYN packets going through a router.<br />
The max-segment-size argument is the maximum segment size, in bytes.<br />
The range is from 500 to 1460.<br />
<br />
- Any packet that contains an initial TCP header flowing through your router will be examined against the MSS.<br />
- The MSS in the header will be lowered to this amount if the setting is lower than what is in the header.<br />
- If the header value is already lower, it will flow through unmodified. The end hosts will use the lower setting of the two hosts.<br />
- If this needs to be tweaked, set it 40 bytes lower than the minimum path MTU. So, to account for things like PPPoE (1492-byte MTU), I often set "ip tcp adjust-mss 1452".<br />
<br />
TCP MSS clamping can be configured so that a router intercepts TCP SYN packets and rewrites the TCP MSS values. As the MSS value does not include the IP and TCP headers that count toward the MTU, these need to be taken into account during configuration. This is suitable for VPN tunnels but requires router resources, may not be supported on all routers and affects all TCP traffic.<br />
<blockquote class="tr_bq">
R1(config)#int fa1/1<br />
R1(config-if)#ip tcp adjust-mss 1360</blockquote>
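<br />
Added example, not part of the original notes and not Cisco's implementation: the rewrite rule behind "ip tcp adjust-mss" applied to the raw TCP options of a SYN in Python. mss_for_mtu() derives the value to configure from a path MTU (1492 for PPPoE gives 1452, 1280 for IPv6 gives 1220), and clamp_mss() lowers the MSS option only when the header value is higher, passing it unmodified otherwise. The SYN_OPTIONS bytes are constructed for the example; recomputing the TCP checksum after the rewrite is left out.<br />

```python
# Added example (not from the original notes): the rewrite a router performs
# under "ip tcp adjust-mss", done on the raw TCP options bytes of a SYN.
# The SYN_OPTIONS blob below is constructed for the example. A real router
# must also recompute the TCP checksum after changing the option (not shown).
import struct
from typing import Iterator, Optional, Tuple

TCPOPT_EOL = 0   # end of option list
TCPOPT_NOP = 1   # padding
TCPOPT_MSS = 2   # kind 2, length 4, 16-bit MSS value


def mss_for_mtu(path_mtu: int, ipv6: bool = False) -> int:
    """Largest MSS that fits path_mtu: subtract the IP header (20 bytes for
    IPv4, 40 for IPv6) and the 20-byte TCP header."""
    return path_mtu - (40 if ipv6 else 20) - 20


def iter_options(opts: bytes) -> Iterator[Tuple[int, bytes, int, int]]:
    """Walk the TCP options field, yielding (kind, value, start, end) per option."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        yield kind, opts[i + 2:i + length], i, i + length
        i += length


def clamp_mss(options: bytes, configured_mss: int) -> Tuple[bytes, Optional[int]]:
    """Apply the adjust-mss rule to a SYN's options: lower the MSS option to
    configured_mss if the header value is higher, leave it alone otherwise.
    Returns the (possibly rewritten) options and the original MSS if rewritten."""
    if not 500 <= configured_mss <= 1460:
        raise ValueError("ip tcp adjust-mss accepts 500-1460")
    for kind, value, start, end in iter_options(options):
        if kind == TCPOPT_MSS and len(value) == 2:
            (mss,) = struct.unpack("!H", value)
            if mss <= configured_mss:
                return options, None         # already low enough: pass unmodified
            rewritten = (options[:start + 2]
                         + struct.pack("!H", configured_mss)
                         + options[end:])
            return rewritten, mss
    return options, None                     # no MSS option present


# Constructed SYN options: MSS 1460, NOP, window scale 7, SACK permitted, EOL + pad
SYN_OPTIONS = bytes.fromhex("020405b4 01 030307 0402 0000")


if __name__ == "__main__":
    target = mss_for_mtu(1492)               # PPPoE path: 1452
    new_opts, old_mss = clamp_mss(SYN_OPTIONS, target)
    print(f"MSS {old_mss} lowered to {target}: {new_opts.hex()}")
    print(clamp_mss(SYN_OPTIONS, 1460))      # header not higher: unchanged
```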
<br />
<b>Setting the DF Bit to Zero</b><br />
By using a route map a router can set the DF bit to zero and then fragment any packets larger than the egress MTU. However, this also requires router resources and does not work with IPv6 as there is no DF bit to set to zero.<br />
<blockquote class="tr_bq">
R1(config)#route-map CLEAR-DF permit 10<br />
R1(config-route-map)#set ip df 0<br />
R1(config)#int fa0/0<br />
R1(config-if)#ip policy route-map CLEAR-DF</blockquote>
<br />
<br />
<b><span style="color: blue; font-size: large;">Time-To-Live (TTL)</span></b><br />
<div>
<b>IPv4</b></div>
<div>
- The Time to Live (TTL) field is an 8-bit field in the IPv4 header which permits values between 0 and 255. </div>
<div>
- A packet's TTL value is decremented by 1 every time it passes through a router.</div>
<div>
- The purpose of the TTL value is to prevent infinite routing loops as routers will discard packets when their TTL reaches 0.</div>
<div>
- When performing a traceroute the sender starts with a TTL of 0 and increments it until finally reaching the destination or the maximum of 255 hops.</div>
<div>
- The default TTL value varies by manufacturer, operating system and protocol. For example, the default TTL for Cisco is 254 and for a Windows PC it is 128. IANA recommends a default TTL of 64 for the IP protocol.</div>
<br />
<b>IPv6 Hop Limit Field</b><br />
- The IPv6 header contains an 8-bit Hop Limit field which replaces the IPv4 TTL field and performs the same function.<br />
- It is decremented at each router hop until it reaches 0, at which point the packet is discarded.<br />
<br />
<br />
<span style="color: blue; font-size: large;"><b>UDP</b></span><br />
TCP Starvation/UDP Dominance<br />
- During times of congestion where TCP and UDP flows are in the same QoS class, UDP usually wins the battle for bandwidth.<br />
- This is because TCP includes mechanisms for congestion avoidance, flow control and error discovery. When TCP detects drops it assumes they’re due to network congestion and its back off algorithms reduce the load on the network by throttling traffic.<br />
- UDP, by contrast, has no flow control: it does not back off during congestion and keeps sending data with no regard to how it affects other traffic flows. Some UDP applications have application-level windowing, flow control and retransmission capabilities, but most are oblivious to drops and do not lower their transmission rates.<br />
<br />
- TCP Starvation/UDP Dominance is most likely to occur where business critical <b>TCP-based applications are assigned to the same QoS class as UDP-based</b> applications such as video streaming.<br />
<br />
<b>Recommendations</b><br />
- Place critical TCP flows into queues which ensure they always have a good chance of success.<br />
- Isolate TCP and UDP flows by placing them into different queues. However, TCP flows can still experience starvation if their queue reaches its threshold.<br />
It is important to recognise that WRED (Weighted Random Early Detection) queueing does not help prevent TCP Starvation/UDP Dominance, as it only acts on TCP flows.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii93z8C74bfKLE4v3SbAYf3MiN3n1gVzAwICDheVounsB_yFSvwfGE3m9laghNSCUNJR-GsON12IAbJnItTTdjprcox2slOtH5cONFTQtkhMPlllIl9E3GW1Q5TUm6E0gYGsDYQYGi38w/s1600/tcp-starvation.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="480" data-original-width="640" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii93z8C74bfKLE4v3SbAYf3MiN3n1gVzAwICDheVounsB_yFSvwfGE3m9laghNSCUNJR-GsON12IAbJnItTTdjprcox2slOtH5cONFTQtkhMPlllIl9E3GW1Q5TUm6E0gYGsDYQYGi38w/s400/tcp-starvation.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://web.opalsoft.net/qos/default.php?p=flows-05">http://web.opalsoft.net/qos/default.php?p=flows-05</a></td></tr>
</tbody></table>
<br />
<br />
<b><span style="color: blue; font-size: large;">TCP</span></b><br />
<br />
TCP Options Lists - <a href="https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml">https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml</a><br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiStloNDCvZ0X3vM-zTEHfAK8th_chLv2-VyyhtGmrkrcA9NCcPWJS6Vft2ZVuVpkO9uS9IGvrUp6wrGUf1XFcwbbBLBO6Ym9Nzi7RZUb6v9j9Ti1RCiMbAaCnp9fbObgiJYdZ558q1yUc/s1600/CCNP-TCP-header.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="483" data-original-width="1227" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiStloNDCvZ0X3vM-zTEHfAK8th_chLv2-VyyhtGmrkrcA9NCcPWJS6Vft2ZVuVpkO9uS9IGvrUp6wrGUf1XFcwbbBLBO6Ym9Nzi7RZUb6v9j9Ti1RCiMbAaCnp9fbObgiJYdZ558q1yUc/s640/CCNP-TCP-header.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">TCP Header</span></b></td></tr>
</tbody></table>
<br />
<b><span style="color: blue;">LFN - long fat network</span></b><br />
A network with a large bandwidth-delay product is commonly known as a long fat network (shortened to LFN). As defined in RFC 1072, a network is considered an LFN if its bandwidth-delay product is significantly larger than 10^5 bits (<b><span style="color: #cc0000;">12500 bytes</span></b>).<br />
Ultra-high speed LANs may fall into this category, where protocol tuning is critical for achieving peak throughput, on account of their extremely high bandwidth, even though their delay is not great.<br />
<br />
<b><span style="color: blue;">Bandwidth-delay product (BDP)</span></b> is the maximum amount of data “in transit” at any point in time between two endpoints. In other words, it is the amount of data “in flight” needed to saturate the link. You can think of the link between two devices as a pipe: the cross section of the pipe represents the bandwidth and the length of the pipe represents the delay (the propagation delay due to the length of the pipe).<br />
<br />
Therefore the Volume of the pipe = Bandwidth x Propagation Delay (or Round-Trip-Time).<br />
The volume of the pipe is also the BDP.<br />
<br />
<br />
BDP = Bandwidth * RTT<br />
<blockquote class="tr_bq">
57.6 kB - Moderate speed satellite network: 512 kbit/s, 900 ms RTT; B×D = 512×10^3 b/s × 900×10^−3 s = 460,800 b<br />
12.5 kB - Residential DSL: 2 Mbit/s, 50 ms RTT; B×D = 2×10^6 b/s × 50×10^−3 s = 100×10^3 b<br />
75 kB - Mobile broadband (HSDPA): 6 Mbit/s, 100 ms RTT; B×D = 6×10^6 b/s × 10^−1 s = 6×10^5 b<br />
125 kB - Residential ADSL2+: 20 Mbit/s (from DSLAM to residential modem), 50 ms RTT; B×D = 20×10^6 b/s × 50×10^−3 s = 10^6 b = 125 kB<br />
125 kB - High-speed terrestrial network: 1 Gbit/s, 1 ms RTT; B×D = 10^9 b/s × 10^−3 s = 10^6 b = 125 kB.</blockquote>
Ping measures RTT - the time from client, to server, and back again (rtt - round trip time)<br />
<br />
<br />
<b><u>TCP Sliding Window</u></b><br />
TCP uses a sliding window for flow control.<br />
The sending device can send all packets within the TCP window size (as specified in the TCP header) without receiving an ACK, and should start a timeout timer for each of them.<br />
The receiving device should acknowledge each packet it received, indicating the sequence number of the last well-received packet.<br />
After receiving the ACK from the receiving device, the sending device slides the window to the right.<br />
- if a window size=0 is reported, the transmitting system must wait for an acknowledgment before sending the next chunk of data.<br />
- if the receiving system reports that the buffer size is larger than the size of a single data packet, the transmitting system knows that it can send multiple chunks of data before waiting for an acknowledgment.<br />
<br />
<br />
<b><u>TCP Window Scaling</u></b><br />
The TCP Window Scaling feature adds support for the TCP Window Scaling option in RFC 1323.<br />
A larger window size is recommended to improve TCP performance in network paths with large bandwidth, long-delay characteristics that are called Long Fat Networks (LFNs). This TCP Window Scaling enhancement provides that support.<br />
The larger scalable window size will allow TCP to perform better over LFNs.<br />
Use the <b>ip tcp window-size</b> command in global configuration mode to configure the TCP window size.<br />
A TCP sliding window provides more efficient use of network bandwidth because it enables hosts to send multiple bytes or packets before waiting for an acknowledgment.<br />
A window size of zero means "Send no data."<br />
The default TCP window size on IOS is <b><span style="color: blue;">4128 bytes</span></b>.<br />
Cisco recommends keeping the default value unless you know your router is sending large packets (greater than 536 bytes). Use the ip tcp window-size command to change the default window size.<br />
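The bandwidth-delay products above and the scaling limit of RFC 7323 fit together in a few lines. The following is an added example, not code from the original notes or from Cisco: it computes the window a path needs, the smallest shift count that can express it (the option allows at most 14), and the throughput ceiling an unscaled 65535-byte window imposes. The link names and numbers passed in `__main__` are the ones from the notes above.<br />

```python
"""Bandwidth-delay product versus the TCP window scale option (RFC 7323).

Added example, not from the original post. The path parameters are the
ones listed in the notes; nothing here talks to a network."""

MAX_SHIFT = 14                          # RFC 7323: shift count is limited to 14
MAX_UNSCALED = 65535                    # 16-bit window field
MAX_SCALED = MAX_UNSCALED << MAX_SHIFT  # largest window the option can express


def bdp_bytes(bandwidth_bps: float, rtt_s: float) -> int:
    """Bytes that must be in flight to keep the path full: bandwidth x RTT / 8."""
    return int(round(bandwidth_bps * rtt_s / 8))


def window_scale_shift(target_window: int) -> int:
    """Smallest shift such that 65535 << shift >= target_window.

    Raises ValueError if the target exceeds what the option can express;
    no amount of scaling will fill such a path with one connection."""
    if target_window > MAX_SCALED:
        raise ValueError(f"{target_window} bytes exceeds 65535 << {MAX_SHIFT}")
    shift = 0
    while (MAX_UNSCALED << shift) < target_window:
        shift += 1
    return shift


def max_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Upper bound on throughput: at most one window per RTT."""
    return window_bytes * 8 / rtt_s


def plan(bandwidth_bps: float, rtt_s: float) -> dict:
    """Summarise what a path needs from the window scale option."""
    bdp = bdp_bytes(bandwidth_bps, rtt_s)
    return {
        "bdp_bytes": bdp,
        "scaling_needed": bdp > MAX_UNSCALED,
        "shift": window_scale_shift(bdp),
        # what an unscaled window would achieve on this RTT, whatever the link speed
        "unscaled_limit_bps": max_throughput_bps(MAX_UNSCALED, rtt_s),
    }


if __name__ == "__main__":
    for name, bw, rtt in [("HSDPA", 6e6, 0.100), ("ADSL2+", 20e6, 0.050),
                          ("terrestrial 1G", 1e9, 0.001), ("LFN 1G / 100 ms", 1e9, 0.100)]:
        print(f"{name:16} {plan(bw, rtt)}")
```

The last entry shows why window scaling matters for security tooling too: a 1 Gbit/s path with 100 ms RTT needs about 12.5 MB in flight (shift 8), and a peer that strips or ignores the option is limited to roughly 5.2 Mbit/s on that RTT regardless of link speed.<br />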
<br />
<b><u>TCP Explicit Congestion Notification</u></b><br />
The TCP Explicit Congestion Notification (ECN) feature provides a method for an intermediate router to notify the end hosts of impending network congestion. It also provides enhanced support for TCP sessions associated with applications that are sensitive to delay or packet loss including Telnet, web browsing, and transfer of audio and video data. The benefit of this feature is the reduction of delay and packet loss in data transmissions.<br />
<br />
<br />
<b><u>TCP Connection Attempt Time</u></b><br />
You can set the amount of time the Cisco IOS software will wait to attempt to establish a TCP connection. Because the connection attempt time is a host parameter, it does not pertain to traffic going through the device, just to traffic originated at the device. To set the TCP connection attempt time, use the<b> ip tcp synwait-time</b> command in global configuration mode. <b>The default is 30 seconds.</b><br />
<br />
<b><u>TCP Selective Acknowledgment (SACK)</u></b><br />
The TCP Selective Acknowledgment feature improves performance in the event that multiple packets are lost from one TCP window of data.<br />
Prior to selective acknowledgment, if TCP lost packets 4 and 7 out of an 8-packet window, TCP would receive acknowledgment of only packets 1, 2, and 3. Packets 4 through 8 would need to be re-sent. With selective acknowledgment, TCP receives acknowledgment of packets 1, 2, 3, 5, 6, and 8. Only packets 4 and 7 must be re-sent.<br />
TCP selective acknowledgment is used only when multiple packets are dropped within one TCP window.<br />
RFC 2018 specified the use of the SACK option for acknowledging out-of-sequence data not covered by TCP's cumulative acknowledgement field.<br />
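The sliding-window and SACK sections above describe one exchange: the receiver reports what it has, the sender decides what to resend. The following is an added example, not code from the original notes: it models one window of segments, derives the cumulative ACK (next expected byte) and the RFC 2018 SACK blocks from whatever was received, and lists what the sender must retransmit with and without SACK. The 8-segment window with segments 4 and 7 lost is the case from the text; the 100-byte MSS and starting sequence number 1 are constructed.<br />

```python
"""Cumulative ACK versus selective ACK (RFC 2018) for one TCP window.

Added example, not from the original post. Segment sizes and sequence
numbers are constructed; a real receiver derives the same values from
the byte ranges of the segments it has buffered."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes

    @property
    def end(self) -> int:
        return self.seq + self.length  # first byte after this segment


def build_window(first_seq: int, count: int, mss: int) -> List[Segment]:
    """The segments a sender emits for one window without waiting for an ACK."""
    return [Segment(first_seq + i * mss, mss) for i in range(count)]


def cumulative_ack(received: List[Segment], first_seq: int) -> int:
    """Next expected byte: everything below it arrived in order (the ACK field)."""
    ack = first_seq
    for seg in sorted(received, key=lambda s: s.seq):
        if seg.seq > ack:          # hole in the stream: stop here
            break
        ack = max(ack, seg.end)
    return ack


def sack_blocks(received: List[Segment], ack: int, max_blocks: int = 3) -> List[Tuple[int, int]]:
    """Contiguous byte ranges already held above the cumulative ACK, as
    (left, right-exclusive) pairs, the way the option encodes them. A SACK
    option alongside the timestamp option has room for at most 3 blocks."""
    blocks: List[Tuple[int, int]] = []
    for seg in sorted(received, key=lambda s: s.seq):
        if seg.end <= ack:
            continue                                   # already covered by the ACK
        if blocks and blocks[-1][1] == seg.seq:
            blocks[-1] = (blocks[-1][0], seg.end)      # extend the current block
        else:
            blocks.append((seg.seq, seg.end))
    return blocks[:max_blocks]


def receiver_report(received: List[Segment], first_seq: int) -> Tuple[int, List[Tuple[int, int]]]:
    """What the receiver puts in its ACK: cumulative ACK plus SACK blocks."""
    ack = cumulative_ack(received, first_seq)
    return ack, sack_blocks(received, ack)


def to_retransmit(window: List[Segment], ack: int, blocks: List[Tuple[int, int]]) -> List[Segment]:
    """Segments the sender must resend: at or above the ACK and not inside any SACK block.
    Pass an empty block list to see what a sender without SACK has to do."""
    def covered(seg: Segment) -> bool:
        return seg.end <= ack or any(l <= seg.seq and seg.end <= r for l, r in blocks)
    return [s for s in window if not covered(s)]


if __name__ == "__main__":
    window = build_window(first_seq=1, count=8, mss=100)
    arrived = [window[i] for i in (0, 1, 2, 4, 5, 7)]      # segments 4 and 7 were lost
    ack, blocks = receiver_report(arrived, first_seq=1)
    print("ACK", ack, "SACK", blocks)
    print("with SACK, resend:", [s.seq for s in to_retransmit(window, ack, blocks)])
    print("without SACK, resend:", [s.seq for s in to_retransmit(window, ack, [])])
```

With SACK the sender resends only the two holes (sequence numbers 301 and 601); without it, everything from the ACK point onward goes again, which is the five-segment retransmission the text describes.<br />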
<br />
<b><u>TCP Time Stamp</u></b><br />
The TCP time-stamp option provides improved TCP round-trip time measurements (RTTM). Because the time stamps are always sent and echoed in both directions and the time-stamp value in the header is always changing, TCP header compression will not compress the outgoing packet.<br />
<br />
"TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps (see below). These calculated uptimes (and boot times) can help in detecting hidden network-enabled operating systems (see TrueCrypt), linking spoofed IP and MAC addresses together, linking IP addresses with Ad-Hoc wireless APs, etc."<br />
<br />
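The quoted paragraph says uptime and boot time can be recovered from TCP timestamps and used to link addresses to one host. The following is an added example, not code from the original notes or from any fingerprinting tool: it unwraps the 32-bit TSval counter, fits TSval against capture time to get the tick rate and the instant at which the counter read zero (the boot time), and compares two fits to decide whether two addresses are the same machine. The (capture time, TSval) samples are constructed for a host booted at epoch 1700000000 with a 1000 Hz clock; in practice they come from a packet capture.<br />

```python
"""TCP timestamp (TSval) analysis: recover a peer's tick rate and boot time.

Added example, not from the original post. The samples are constructed
(a 1000 Hz TSval clock on a host that booted at epoch 1700000000); real
input is (capture_time, TSval) pairs taken from a pcap."""
from __future__ import annotations
from typing import List, Tuple

TS_MODULUS = 2 ** 32              # TSval is a 32-bit counter and wraps
COMMON_HZ = (100, 250, 1000)      # tick rates used by common stacks


def unwrap(tsvals: List[int]) -> List[int]:
    """Undo 32-bit wraparound so the series is monotonic.
    Assumes fewer than 2^31 ticks elapse between consecutive samples."""
    out, offset, prev = [], 0, None
    for v in tsvals:
        if prev is not None and v < prev:
            offset += TS_MODULUS
        out.append(v + offset)
        prev = v
    return out


def fit_clock(times: List[float], tsvals: List[int]) -> Tuple[float, float]:
    """Least-squares line TSval = rate * (t - boot).
    Returns (ticks_per_second, boot_time_epoch_seconds)."""
    if len(times) != len(tsvals) or len(times) < 2:
        raise ValueError("need at least two (time, TSval) pairs")
    vals = unwrap(tsvals)
    n = len(times)
    tm = sum(times) / n
    vm = sum(vals) / n
    sxx = sum((t - tm) ** 2 for t in times)
    if sxx == 0:
        raise ValueError("all samples share one capture time")
    rate = sum((t - tm) * (v - vm) for t, v in zip(times, vals)) / sxx
    if rate <= 0:
        raise ValueError("TSval is not increasing with time; not a monotonic clock")
    boot = tm - vm / rate          # instant at which TSval would have read 0
    return rate, boot


def snap_rate(rate: float) -> int:
    """Round a fitted rate to the nearest tick rate a real stack uses."""
    return min(COMMON_HZ, key=lambda hz: abs(hz - rate))


def uptime_s(tsval: int, rate: float) -> float:
    """Uptime implied by one TSval (after unwrapping) at the fitted rate."""
    return tsval / rate


def same_host(fit_a: Tuple[float, float], fit_b: Tuple[float, float], tol_s: float = 2.0) -> bool:
    """Two addresses whose TSval clocks share rate and boot time are very likely
    one machine, which is the linking trick the quoted text refers to."""
    return snap_rate(fit_a[0]) == snap_rate(fit_b[0]) and abs(fit_a[1] - fit_b[1]) < tol_s


# Constructed sample: eight packets seen over two seconds, one day after boot.
BOOT = 1_700_000_000.0
TIMES = [BOOT + 86400 + 0.25 * k for k in range(8)]
TSVALS = [86_400_000 + 250 * k for k in range(8)]

if __name__ == "__main__":
    rate, boot = fit_clock(TIMES, TSVALS)
    print(f"rate ~ {rate:.1f} Hz (snapped {snap_rate(rate)} Hz), boot {boot:.0f}, "
          f"uptime {uptime_s(TSVALS[-1], rate):.2f} s")
```

The defensive side follows directly: randomising the timestamp offset per connection (as modern Linux and Windows do) breaks `same_host`, because the fitted boot time then differs from connection to connection even though the rate stays the same.<br />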
<b><u>TCP global synchronization</u></b><br />
TCP global synchronization in computer networks can happen to TCP/IP flows during periods of congestion because each sender will reduce their transmission rate at the same time when packet loss occurs.<br />
Routers on the Internet normally have packet queues, to allow them to hold packets when the network is busy, rather than discarding them.<br />
Because routers have limited resources, the size of these queues is also limited. The simplest technique to limit queue size is known as tail drop. The queue is allowed to fill to its maximum size, and then any new packets are simply discarded, until there is space in the queue again.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgECpVDcZYJJbwdoI8znqq7OQh0mkVBzV4CWTCvazsUNAKEKpvNzzhtZm8vaaa88oAVXJuf41jXF3hTI3AfoLguGOujFJCs7o-KUb2Z2FCJpjoVd7AL8nM-fMUSu7KDmTtD0PSX1cC97dw/s1600/CCNP-TCP-global-synch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="336" data-original-width="697" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgECpVDcZYJJbwdoI8znqq7OQh0mkVBzV4CWTCvazsUNAKEKpvNzzhtZm8vaaa88oAVXJuf41jXF3hTI3AfoLguGOujFJCs7o-KUb2Z2FCJpjoVd7AL8nM-fMUSu7KDmTtD0PSX1cC97dw/s400/CCNP-TCP-global-synch.png" width="400" /></a></div>
<br />
<a href="https://en.wikipedia.org/wiki/TCP_global_synchronization">https://en.wikipedia.org/wiki/TCP_global_synchronization</a><br />
<br />
<br />
<b><u>TCP Path MTU Discovery (PMTUD)</u></b><br />
Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between the endpoints of a TCP connection, which is described in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path. Sometimes a router is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface with the interface configuration command), but the "don't fragment" (DF) bit is set. The intermediate gateway sends a "Fragmentation needed and DF bit set" Internet Control Message Protocol (ICMP) message to the sending host, alerting it to the problem. Upon receiving this ICMP message, the host reduces its assumed path MTU and consequently sends a smaller packet that will fit the smallest packet size of all the links along the path.<br />
<br />
<b>By default, TCP Path MTU Discovery is disabled. </b>Existing connections are not affected when this feature is enabled or disabled.<br />
<br />
<br />
With RTT-based measurements, it is hard to isolate the direction in which congestion is experienced. One-way measurements solve this problem and make the direction of congestion immediately apparent. Since traffic can be asymmetric at many sites that are primarily producers or consumers of data, this allows for more informative measurements.<br />
<br />
UDP dominance can happen during times of congestion. When a link is fully utilized, TCP has automatic congestion avoidance and error discovery methods that allow it to know when to slow down the sending rate. On the contrary, UDP has no such mechanism. It keeps blasting the link with data, with absolutely no regard to how this may affect other traffic flows. Since TCP lowers its transmission rates while UDP continues to utilize the freed bandwidth, this effectively leads to a situation called UDP dominance (or TCP starvation).<br />
<br />
One of the best ways to prevent this is to classify TCP and UDP flows into different QoS classes (or at least to separate UDP-based, bandwidth-hungry applications into a dedicated QoS class). It is also worth highlighting that WRED does not prevent TCP starvation/UDP dominance: WRED drops packets of any protocol, but only senders that react to loss (TCP) slow down, while UDP senders keep transmitting at the same rate.<br />
<br />
<b><u>TCP keepalive</u></b><br />
Transmission Control Protocol (TCP) keepalives are an optional feature, and if included must default to off (RFC 1122). The keepalive segment carries no data (RFC 1122 also allows a single garbage octet for compatibility with older stacks). On Ethernet, a keepalive frame is 60 bytes, while the peer's response, also an empty segment, is 54 bytes. There are three parameters related to keepalive:<br />
- <b>Keepalive time</b> is the duration between two keepalive transmissions in idle condition. The TCP keepalive period must be configurable and by default is set to no less than 2 hours.<br />
- <b>Keepalive interval </b>is the duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received.<br />
- <b>Keepalive retry </b>is the number of retransmissions to be carried out before declaring that remote end is not available.<br />
<br />
Keepalive usage:<br />
- Checking for dead peers<br />
- Preventing disconnection due to network inactivity<br />
<br />
<br />
<b><u>Out-of-order packet </u></b><br />
Out-of-order packet processing can<br />
- significantly degrade system performance,<br />
- reduce TCP session throughput,<br />
- cause loss of data in some UDP-based protocols (e.g. SNA or NetBIOS Fast Sequenced Transport (FST), or Voice-over-IP (VoIP)),<br />
- even be interpreted as an attack by some firewalls.<br />
<br />
Causes of out-of-order packets:<br />
- per-packet load balancing (process switching, or CEF configured for per-packet load sharing), because differential delay may exist between the paths; CEF's default per-destination load sharing keeps a flow on one path,<br />
- multiple routes to a specific network via multiple routing protocols (multiple paths),<br />
- queuing mechanisms which do not forward packets in first-in/first-out order,<br />
- asymmetric routing.<br />
<br />
<br />
<br />
Multipath routing is expected to keep packets from the same connection on the same path.<br />
This avoids out-of-order delivery, which can be quite undesirable.<br />
It does so by hashing the source and destination addresses and ports (the flow 5-tuple) to pick the path, so every packet of one flow lands on the same link.<br />
<br />
Linux traceroute's default changes the UDP port for each probe, so they change paths.<br />
MTR's default uses ICMP echo, which does not have a port number and therefore its probes will all follow the same path.<br />
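The two trace outputs below show exactly this effect: the UDP run fans out over many parallel links, the ICMP and TCP runs stay on one. The following is an added example, not code from the original notes or from traceroute/mtr: it simulates a router's per-flow ECMP hash with a seeded SHA-256 over the 5-tuple (a stand-in; real routers use vendor-specific CRC or XOR hashes with a per-device seed) and feeds it the probe patterns the three tools generate. The source/destination addresses, the source port and the assumption that tracetcp keeps one fixed 5-tuple are constructed.<br />

```python
"""Why UDP traceroute probes spread across ECMP paths while ICMP probes do not.

Added example, not from the original post. The hash is a seeded SHA-256
stand-in for a router's flow hash; addresses, ports and path counts are
constructed. Only the 5-tuple is hashed, as the text describes: ICMP has
no ports, so every echo request to one destination hashes alike."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import List, Optional

ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Probe:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None


def flow_key(p: Probe) -> bytes:
    """The fields a per-flow hash looks at. Ports only exist for TCP/UDP."""
    ports = b"" if p.proto == ICMP else f"|{p.sport}|{p.dport}".encode()
    return f"{p.proto}|{p.src}|{p.dst}".encode() + ports


def choose_path(p: Probe, n_paths: int, seed: bytes = b"constructed-router-seed") -> int:
    """Deterministic path index for one packet: same 5-tuple, same path."""
    digest = hashlib.sha256(seed + flow_key(p)).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def linux_traceroute_udp(src: str, dst: str, n_probes: int, n_paths: int,
                         base_port: int = 33434, sport: int = 40000) -> List[int]:
    """traceroute(1) default: UDP with the destination port incremented per probe,
    so each probe is a different flow and may take a different path."""
    return [choose_path(Probe(UDP, src, dst, sport, base_port + i), n_paths)
            for i in range(n_probes)]


def mtr_icmp(src: str, dst: str, n_probes: int, n_paths: int) -> List[int]:
    """mtr default: ICMP echo, no ports, so every probe hashes to the same path."""
    return [choose_path(Probe(ICMP, src, dst), n_paths) for _ in range(n_probes)]


def tcp_trace_fixed_tuple(src: str, dst: str, n_probes: int, n_paths: int,
                          sport: int = 40000, dport: int = 80) -> List[int]:
    """A TCP tracer that reuses one source/destination port pair (assumption for
    tracetcp here) behaves like the ICMP case: one flow, one path."""
    return [choose_path(Probe(TCP, src, dst, sport, dport), n_paths) for _ in range(n_probes)]


if __name__ == "__main__":
    src, dst, paths = "192.0.2.10", "198.51.100.20", 4   # documentation addresses
    print("UDP traceroute paths :", linux_traceroute_udp(src, dst, 12, paths))
    print("ICMP mtr paths       :", mtr_icmp(src, dst, 12, paths))
    print("TCP fixed-tuple paths:", tcp_trace_fixed_tuple(src, dst, 12, paths))
```

The practical corollary for troubleshooting: to see the path a real flow takes, probe with that flow's protocol and ports held constant (mtr `-T -P 443`, or traceroute `-U`/Paris-style tools that keep the 5-tuple fixed); a default UDP traceroute samples several paths at once, which is why its per-hop latencies can look inconsistent.<br />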
<br />
<br />
<b>>C:\nuttcp\tracetcp.exe facebook.com (TCP)</b><br />
Tracing route to 185.60.216.35 on port 80<br />
...<br />
5 45 ms 44 ms 45 ms 87.245.232.245 [ae1-5.RT.IRX.FKT.DE.retn.net]<br />
6 46 ms 45 ms 45 ms 157.240.65.66 [ae19.pr01.fra2.tfbnw.net]<br />
7 43 ms 44 ms 43 ms 173.252.66.154 [po111.asw01.fra5.tfbnw.net]<br />
8 43 ms 38 ms 42 ms 157.240.43.3 [po233.psw01.fra5.tfbnw.net]<br />
9 42 ms 43 ms 43 ms 173.252.67.35<br />
10 Destination Reached in 43 ms. Connection established to 185.60.216.35<br />
Trace Complete.<br />
C:\Windows\System32><br />
<br />
<b>mtr --show-ips facebook.com (ICMP)</b><br />
...<br />
5. ???<br />
6. ???<br />
7. ae29.pr05.fra2.tfbnw.net (103.4.97.60) <br />
8. po115.asw02.fra5.tfbnw.net (204.15.20.164) <br />
9. po242.psw02.fra3.tfbnw.net (31.13.27.221) <br />
10. 157.240.36.17 <br />
11. edge-star-mini-shv-02-frt3.facebook.com (157.240.20.35) <br />
<br />
<br />
<b>mtr --show-ips -u facebook.com (UDP)</b><br />
...<br />
3. xe-0-2-2.cr1-fra6.ip4.gtt.net (141.136.101.69) <br />
4. xe-0-0-0.cr3-fra2.ip4.gtt.net (141.136.110.117) <br />
xe-4-1-3.cr3-fra2.ip4.gtt.net (141.136.110.113)<br />
xe-4-1-6.cr3-fra2.ip4.gtt.net (141.136.110.105)<br />
xe-0-1-0.cr3-fra2.ip4.gtt.net (141.136.110.125)<br />
xe-0-1-1.cr3-fra2.ip4.gtt.net (141.136.110.129)<br />
xe-4-0-4.cr3-fra2.ip4.gtt.net (141.136.110.109)<br />
xe-0-0-1.cr3-fra2.ip4.gtt.net (141.136.110.121)<br />
xe-9-1-6.cr3-fra2.ip4.gtt.net (89.149.129.57)<br />
5. edgecst-network-gw.ip4.gtt.net (141.136.99.229) <br />
6. po115.asw02.fra5.tfbnw.net (204.15.20.164) <br />
po115.asw01.fra2.tfbnw.net (31.13.24.222)<br />
po115.asw01.fra5.tfbnw.net (31.13.28.168)<br />
7. po231.psw03.fra5.tfbnw.net (157.240.43.5) <br />
po242.psw04.fra5.tfbnw.net (157.240.43.73)<br />
po213.psw04.fra5.tfbnw.net (157.240.43.123)<br />
po211.psw01.fra5.tfbnw.net (157.240.43.101)<br />
po241.psw04.fra5.tfbnw.net (157.240.43.71)<br />
po231.psw04.fra5.tfbnw.net (157.240.43.17)<br />
po213.psw01.fra5.tfbnw.net (157.240.43.105)<br />
po212.psw03.fra5.tfbnw.net (157.240.43.115)<br />
8. 173.252.67.13 <br />
173.252.67.109<br />
173.252.67.35<br />
173.252.67.141<br />
173.252.67.99<br />
173.252.67.167<br />
173.252.67.185<br />
173.252.67.3<br />
9. ???<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-47486947202016309262017-11-25T18:02:00.000+02:002017-12-06T14:00:36.729+02:002017 CCNP RS, uRPF<a name='more'></a><span class="fontstyle0"><br /></span>
<span class="fontstyle0">Sources:</span><br />
<span class="fontstyle0"> - </span><a href="https://learningnetwork.cisco.com/thread/82304">https://learningnetwork.cisco.com/thread/82304</a><br />
- <a href="http://www.ietf.org/rfc/rfc3704.txt">http://www.ietf.org/rfc/rfc3704.txt</a><br />
<br />
<span class="fontstyle0"><b><br /></b></span>
<span class="fontstyle0"><b>Unicast Reverse Path Forwarding (uRPF)</b></span><br />
- prevents malicious traffic from entering a network<br />
- can help block packets having a spoofed source IP address. uRPF checks the source IP address of a packet arriving on an interface and determines whether that address is reachable, based on the router's Forwarding Information Base (FIB) used by Cisco Express Forwarding (CEF).<br />
- Optionally, the router can also check whether the packet is arriving on the interface the router would use to send traffic back to that IP address.<br />
<b> - CEF must be enabled on a router to use uRPF.</b><br />
<br />
- Unicast RPF was originally designed to prevent source address spoofing at the customer-ISP edge (ingress filtering, RFC 2827 / RFC 3704).<br />
- A related hardening step is to disable IP source routing with <b>no ip source-route</b> in global config mode, so that a spoofed packet cannot dictate its own return path.<br />
- The largest practical problem with strict-mode uRPF is multihoming: with multiple ISPs (or any asymmetric routing) legitimate traffic may arrive on an interface other than the one the FIB would use to reach its source, so loose mode is usually the only option there (RFC 3704).<br />
- <b>show ip traffic</b> reports how many packets uRPF has dropped (the "unicast RPF" counter under IP statistics); <b>show ip interface</b> shows the per-interface uRPF mode and its verification drop count.<br />
<br />
<br />
<b></b>
<b><br /></b>
<span class="fontstyle0">Modes of operation for uRPF:</span><br />
<span class="fontstyle3"><b>1) Strict mode:</b> </span><span class="fontstyle0">a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router’s FIB, but the packet must also be arriving on the same interface the router would use to send traffic back to that IP address.</span><br />
<span class="fontstyle0"><br /></span>
<b><span class="fontstyle0">2) </span><span class="fontstyle2">Loose mode: </span></b><span class="fontstyle3">a router only verifies that the source IP of a packet is reachable, based on the router’s FIB.</span><br />
<span class="fontstyle3"><br /></span>
<span class="fontstyle2"><b>3) VRF mode:</b> </span><span class="fontstyle3">(also known as </span><span class="fontstyle4">uRPF version 3 </span><span class="fontstyle3">or </span><span class="fontstyle4">uRPFv3</span><span class="fontstyle3">) is similar to loose mode operation in that source IP addresses are checked against the FIB for a specific VRF.</span><br />
<br />
<span class="fontstyle0">Strict mode could cause traffic to be dropped if an asymmetric routing situation exists (that is, traffic from a network address space might be received on one router interface, but traffic to that same network address space might be transmitted out of a different router interface).</span> It should typically be used only where there is no chance of asymmetric routing (for example, a branch office with<br />
<span class="fontstyle0">only one connection going back to a corporate headquarters).</span><br />
<div>
<span class="fontstyle0"><br /></span></div>
<div>
<span class="fontstyle0"><span class="fontstyle0">uRPF supports an </span><span class="fontstyle2"><b>allow-default </b></span><span class="fontstyle0">option that accepts a default route as a valid way to get back to a source IP address.</span> </span></div>
<div>
<span class="fontstyle0"><br /></span></div>
<blockquote class="tr_bq">
<span class="fontstyle0">Router(config-if)# </span><b>ip verify unicast source reachable-via</b> {rx | any} [allow-default] [allow-self-ping] [acl]<br />
rx - <b><span style="color: #990000;">strict </span></b>mode uRPF<br />
any - <b><span style="color: blue;">loose </span></b>mode uRPF = return path can be through ANY interface<br />
<br />
allow-default - Allows uRPF to use a default route if an exact network is not found in a router’s FIB<br />
(Note: The allow-default option can be used with either strict or loose mode)<br />
<br />
allow-self-ping - Allows a router to ping itself when checking the reachability of an IP address<br />
(Note: Cisco recommends against using the allow-self-ping option in most cases, because it introduces a security risk.)<br />
<br />
acl - Identifies an optional access control list that can either permit or deny traffic that fails the uRPF check </blockquote>
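To make the three checks above concrete, the following is an added example, not code from the original notes or from Cisco IOS: a small FIB with longest-prefix lookup and a uRPF decision function that implements strict mode (reachable-via rx), loose mode (reachable-via any) and the allow-default option. The interface names, prefixes and packets are constructed for an edge router whose Gi0/0 faces the ISP and Gi0/1 the LAN; the 10.0.0.0/8 route to Null0 models the remotely triggered black hole trick, where loose-mode uRPF drops any packet whose source is routed to Null0.<br />

```python
"""Simulated Unicast RPF check (strict / loose / allow-default) against a small FIB.

Added example, not from the original post or from Cisco IOS. The FIB,
interface names and packets are constructed. A route to Null0 models
source-based remotely triggered black-holing: loose-mode uRPF drops any
source whose best route points at Null0."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    interface: str                   # egress interface for this prefix


def fib_entry(prefix: str, interface: str) -> FibEntry:
    return FibEntry(ipaddress.IPv4Network(prefix), interface)


def lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match, the lookup CEF does on destinations; uRPF runs it on the source."""
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_check(fib: List[FibEntry], src: str, in_iface: str, mode: str,
               allow_default: bool = False) -> Tuple[bool, str]:
    """mode is "strict" (reachable-via rx) or "loose" (reachable-via any).
    Returns (accepted, reason)."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    entry = lookup(fib, ipaddress.IPv4Address(src))
    if entry is None:
        return False, "drop: no route to source"
    if entry.prefix.prefixlen == 0 and not allow_default:
        return False, "drop: source matched only the default route (allow-default not set)"
    if entry.interface == "Null0":
        return False, "drop: source is black-holed (route to Null0)"
    if mode == "loose":
        return True, f"pass: source reachable via {entry.interface}"
    if entry.interface == in_iface:
        return True, f"pass: best path to source is the ingress interface {in_iface}"
    return False, f"drop: best path to source is {entry.interface}, packet arrived on {in_iface}"


# Constructed edge-router FIB: Gi0/0 faces the ISP, Gi0/1 the internal LAN.
FIB = [
    fib_entry("0.0.0.0/0", "Gi0/0"),
    fib_entry("192.168.10.0/24", "Gi0/1"),
    fib_entry("203.0.113.0/24", "Gi0/0"),
    fib_entry("10.0.0.0/8", "Null0"),
]

if __name__ == "__main__":
    cases = [("192.168.10.5", "Gi0/0", "strict", False),   # spoofed internal address from the ISP side
             ("192.168.10.5", "Gi0/0", "loose", False),    # loose mode does not catch it
             ("10.1.2.3", "Gi0/0", "loose", False),        # black-holed source
             ("198.51.100.7", "Gi0/0", "strict", False),   # only the default route matches
             ("198.51.100.7", "Gi0/0", "strict", True)]    # ... unless allow-default is set
    for src, iface, mode, dflt in cases:
        print(f"{src:14} in {iface} {mode:6} allow-default={dflt!s:5} -> {urpf_check(FIB, src, iface, mode, dflt)}")
```

The first two cases are the point of the mode choice: an internal prefix arriving from the ISP side is exactly what strict mode is for, and loose mode lets it through; on a multihomed edge where strict mode is impossible, pair loose mode with black-hole routes for bogons and known-bad sources so that it still drops something.<br />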
SChttp://www.blogger.com/profile/04139184178200036747noreply@blogger.comtag:blogger.com,1999:blog-3484822691435303180.post-39009330709903371052017-11-23T11:38:00.001+02:002017-12-05T18:44:56.699+02:002017 CCNP RS, DMVPN lab<a name='more'></a><br />
<b><span style="font-size: large;">Tunnel interface example:</span></b><br />
!<br />
interface Tunnel1<br />
ip address 172.16.1.1 255.255.255.0 !! Select a private IP subnet for the tunnels<br />
!<br />
tunnel protection ipsec profile PROFSEC !! encrypts the traffic passing through this tunnel using ipsec<br />
tunnel source GigabitEthernet0/0 !! source of the tunnel is the WAN interface<br />
tunnel mode gre multipoint !! designates the tunnel as a mGRE tunnel<br />
tunnel key 100000 !! identifies this tunnel; the receiving router uses the key to pick the right tunnel interface before it decapsulates the packet (needed when several GRE tunnels share one source address)<br />
!<br />
ip nhrp authentication nhrp1234 !! (optional) authentication used for updates between the routers<br />
ip nhrp network-id 1 !! (mandatory) network identification that has to be the same on all the routers<br />
!<br />
ip nhrp map multicast dynamic !! Enables multicast across the tunnel, hub replicates multicast packets to all spokes registered via NHRP<br />
! Add spoke to multicast list upon registration<br />
!<br />
!<br />
!<br />
ip mtu 1400 !! Reduce the MTU to allow extra overhead from mGRE and IPSEC<br />
load-interval 30 !! IOS calculates statistics (including load) over this interval (default 5 min)<br />
!<br />
!! GRE keepalives: [period [retries]] - send one every 5 seconds and declare the tunnel down after 10 in a row are missed (default is 10 3).<br />
keepalive 5 10 !! Note: GRE keepalives are only supported on point-to-point GRE tunnels, not on mGRE; a DMVPN tunnel relies on NHRP registration and IKE dead peer detection instead.<br />
!<br />
bandwidth 1000<span style="white-space: pre;"> </span>!! in kbps; the default is 8 kbps, which may be too little as the number of spokes grows and you will see session flapping.<br />
delay 1000 !! in tens of microseconds (delay 1000 = 10000 usec); the default shown by show interface is 50000 usec.<br />
!<br />
no ip split-horizon eigrp 1 !! disable split horizon for EIGRP<br />
no ip next-hop-self eigrp 1 !! routing update with the next hop unmodified to the spokes<br />
!<br />
!<br />
<br />
<b>Tunnel Bandwidth</b><br />
Cisco IOS/NX-OS/etc. software does not configure the bandwidth for a virtual tunnel interface based on the physical interface to which it is assigned; instead, it applies a default "bandwidth" statement to the interface that depends on model of hardware and the version of software it is running (on many devices the default "BW" for a tunnel is <span style="color: blue;">8kbps</span>) !<br />
<br />
<b>IOSv L3:</b><br />
HUB# sh int Tunnel1 | inc BW|bandwidth<br />
MTU 17916 bytes, <b style="background-color: #d0e0e3;">BW 100 Kbit/sec</b>, DLY 50000 usec,<br />
Tunnel transmit bandwidth 8000 (kbps)<br />
Tunnel receive bandwidth 8000 (kbps)<br />
HUB#<br />
<br />
<b>IOS 7200 Software , Version 15.1(4)M2</b><br />
C_C7200#sh int tunnel 11 | inc BW|band<br />
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,<br />
Tunnel transmit bandwidth 8000 (kbps)<br />
Tunnel receive bandwidth 8000 (kbps)<br />
C_C7200#<br />
<div>
<br /></div>
<br />
<b>Other IOS's:</b><br />
dyn5#sh int tunnel 0<br />
Tunnel0 is up, line protocol is up<br />
Hardware is Tunnel<br />
Internet address is 10.10.10.5/24<br />
MTU 1416 bytes, <span style="background-color: #d0e0e3;"><b>BW 9 Kbit</b>,</span> DLY 500000 usec,<br />
<br />
int tunnel 1<br />
bandwidth <bandwidth> ! Bandwidth in kbps<br />
bandwidth 1000 ! Bandwidth is set to 1000 kbps = 1 mbps<br />
tunnel bandwidth {receive | transmit} <bandwidth> ! specify the capacity of the satellite link.<br />
delay <1-16777215> Throughput delay (tens of microseconds)<br />
<br />
The show interface commands displays delay in microsecond units.<br />
The delay interface command specifies the delay metric, in 10 microsecond units.<br />
EIGRP calculates its metric from the minimum bandwidth in Kbps for all links in the path,<br />
and the cumulative delay in microseconds for all links in the path.<br />
<br />
<br />
Sources:<br />
- <a href="https://www.networkstraining.com/cisco-dmvpn-configuration-example/">https://www.networkstraining.com/cisco-dmvpn-configuration-example/</a><br />
- <a href="https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html">https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html</a><br />
- <a href="http://blog.ine.com/2008/08/02/dmvpn-explained/">http://blog.ine.com/2008/08/02/dmvpn-explained/</a><br />
- <a href="https://learningnetwork.cisco.com/blogs/vip-perspectives/2017/02/15/dmvpn-the-phases-in-depth">https://learningnetwork.cisco.com/blogs/vip-perspectives/2017/02/15/dmvpn-the-phases-in-depth</a><br />
- <a href="https://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/dmvpn_design_guide.pdf">https://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/dmvpn_design_guide.pdf</a><br />
<br />
DMVPN uses the following group of networking technologies:<br />
1) Multipoint GRE (mGRE)<br />
2) Next-Hop Resolution Protocol (NHRP)<br />
3) Dynamic IPsec encryption<br />
4) Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP) or static routing<br />
5) Cisco Express Forwarding (CEF)<br />
<br />
Two major phases of DMVPN evolution:<br />
<b>1) Phase 1</b> – Only Hub to Spoke tunnel deployment (mGRE hub, p2p GRE spokes)<br />
<i>This means GRE tunnels are only built between the hub and the spokes. Traffic destined to networks behind spokes is forced to first traverse the hub.</i><br />
<i><br /></i>
<b>2) Phase 2</b> – Hub-to-Spoke and Spoke-to-Spoke tunnels (mGRE everywhere)<br />
<i>Phase 2 improved on Phase 1 by allowing spokes to build a spoke-to-spoke tunnel on demand with these restrictions: </i><br />
<i> - Spokes must use multipoint GRE tunnels</i><br />
<i> - The spokes must receive specific routes for all remote spoke subnets</i><br />
<i> - The next hop of the entry in the routing table must list the remote spoke as the next hop</i><br />
This is achieved by removing the static <b>tunnel destination </b>command and replacing it with the <b>tunnel mode gre multipoint</b> command.<br />
With EIGRP in Phase 2, split horizon must be disabled on the hub's tunnel interface (no ip split-horizon eigrp [asn]) so that routes learned from one spoke are advertised to the others, and the hub must leave the original next hop in place (no ip next-hop-self eigrp [asn]) so that spokes see the remote spoke as the next hop.<br />
<i><br /></i>
<b>3) Phase 3</b> – "Scalable Infrastructure"<br />
<i>Though DMVPN Phase 2 deployment provided direct spoke-to-spoke tunnels, one of the limitations is maintaining full routing tables on the spokes. Each route for remote spoke networks needs to be a specific route with the next hop pointing to the remote spoke’s tunnel address. This prevents the hub from being able to send down a summarized route to the spokes for a more concise routing table.</i><br />
<i><br /></i>
<i>Phase 3 overcomes this restriction using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. This functionality is enabled by configuring <b>ip nhrp redirect</b> on the hub and <b>ip nhrp shortcut</b> on the spokes. The redirect command tells the hub to send the NHRP traffic indication message while the shortcut command tells the spokes to accept the redirect and install the shortcut route.</i><br />
<i><br /></i>
<i><br /></i>
The protocol header for an mGRE packet is four bytes larger than a p2p GRE packet. The additional four
bytes constitute a tunnel key value, which is used to differentiate between mGRE interfaces in the same
router. Without a tunnel key, a router can support only one mGRE interface, corresponding to one IP
network. Tunnel keys enable a branch router to have a different mGRE interface corresponding to each
DMVPN cloud in the network topology. A headend router can also be configured with two mGRE interfaces
pointing to each DMVPN cloud for high availability and redundancy. Cisco IOS Software Releases
12.3(13)T, 12.3(11)T3, or later support the configuration of multiple mGRE interfaces on a single router
without tunnel keys. In this case, each mGRE interface must reference a unique IP address as its tunnel
source.<br />
<br />
<b>Tunnel Protection Mode</b><br />
Tunnel protection is used to secure (encrypt) the data transfer inside the GRE tunnel by applying an IPsec profile to the mGRE tunnel interface. Crypto maps are unnecessary in IOS Release 12.2(13)T or later.<br />
There is no
need to specify the IPsec peer address or the ACL to match the packets that are to be encrypted. If a packet
is routed through the tunnel, it is encrypted.<br />
If more than one mGRE tunnel interface or an mGRE and p2pGRE tunnel interface is configured on a router, and they use the same tunnel source address, the <b>shared </b>keyword must be configured on the tunnel protection command.<br />
<br />
<b>NHRP Configuration</b><br />
- Each router in topology acts as either NHC (Next-Hop Client) or NHS (Next-Hop Server).<br />
- NHRP provides a mapping between the inside (VPN) and outside (NBMA) address of a tunnel endpoint.<br />
- One of the functions of the NHC is to register with the NHS the mapping of its tunnel IP address to its NBMA address (originally a Layer 2 address such as an ATM NSAP; in DMVPN it is the public IP address of the tunnel source). To make registration possible, you configure each NHC with the IP address of at least one NHS. In turn, the NHS acts as a database agent, storing all registered mappings and replying to NHC queries. If the NHS does not have a requested entry in its database, it can forward the packet to another NHS to see if it has the requested association.<br />
- A router may act as a Next-Hop Server and Next-Hop Client at the same time.<br />
- NHRP entry has countdown expire timer, initialized from the registration hold-time. Every 60 seconds global NHRP process runs on a router and checks the expire timer on all NHRP entries. If the expire timer for an NHRP entry is greater than 120 seconds, nothing is done to the corresponding CEF entry. If the timer is less than 120 seconds, the NHRP process marks the corresponding CEF entry as “stale” but still usable. As soon as the router switches an IP packet using the “stale” entry, it triggers new NHRP resolution request, and eventually refreshes the corresponding NHRP entry as well as CEF entry itself. If no packet hits the “stale” CEF entry, the NHRP mapping will eventually time-out (since the router does not send any “refreshing” requests) and the corresponding CEF entry will become invalid. This will effectively tear down the spoke-to-spoke tunnel.<br />
<br />
- Mappings can be static or dynamic.<br />
- On the branch (spoke) routers, you must configure at
least one static NHRP mapping in order to reach the NHS.<br />
- Additionally, you would need to enable broadcast/multicast over the spoke-hub tunnel for routing
protocols and other multicast data to work over the DMVPN tunnel.<br />
- IP multicast/broadcast packets are supported only on tunnels with static mappings (the spoke-hub
tunnels). Hubs are configured to enable NHRP to automatically add routers to multicast NHRP mappings.
This is necessary to run routing protocols over the DMVPN mGRE tunnel. NHRP can only add a peer to the
multicast mapping list when it receives an NHRP registration packet (only on NHRP NHSs).<br />
- NHRP hold time is used to determine how long receiving routers should consider the cached entry
information to be valid.<br />
- NHRP registration requests are sent periodically (by default, one-third of the holdtime) to keep a NHRP
registration mapping entry on the hub from timing out. <br />
- Other NHRP options Cisco recommends to use are authentication and network-ID. NHRP authentication is
used to authenticate the NHRP messages. All routers configured with NHRP within a DMVPN cloud must
share the same authentication string.<br />
<br />
<br />
<br />
<b>NHRP Flags:</b><br />
<b> - authoritative: </b>NHRP information was obtained from the Next Hop Server,<br />
<b> - implicit: </b>Indicates that the information was learned not from an NHRP request generated from the local router, but from an NHRP packet being forwarded or from an NHRP request being received by the local router.<br />
<b> - negative:</b> indicates that the requested NBMA mapping could not be obtained. When NHRP sends an NHRP resolution request it inserts an incomplete (negative) NHRP mapping entry for the address in the resolution request. This is to keep the router from triggering more NHRP resolution requests while this NHRP resolution request is being resolved and the IKE or IPsec tunnel created.<br />
<b> - unique: </b>NHRP registration request packet had the "unique" flag set (on by default). NHRP mapping entry cannot be overwritten with a mapping entry that has the same IP address but a different NBMA address.<br />
<b> - registered:</b> The mapping entry was created from receiving an NHRP registration request. The NHC must periodically send NHRP registration requests to keep these mappings from expiring.<br />
<b> - used: </b>When data packets are process-switched and this mapping entry was used, the mapping entry is marked as used.<br />
<b> - router: </b>NHRP mapping entries that are for a remote router.<br />
<b> - local: </b>NHRP mapping entries that are for networks local to this router (serviced by this router).<br />
<br />
<br />
<b><span style="font-size: large;">Topology</span></b><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnMnNaBXiR_xO50K94ThSGODNbAYSWdIkhZmmOT1Ip9fIf5pkR5rKlvxvLhnc3njFVDXc8t0yMNkt1YfSuO8GJXTuyWL4B07rocNGIoHd5FDSOoHQTmJIge3JVesdv0MR5eZBvVO1dZQM/s1600/ccnp-rs-2017-dmvpn-sclabs.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="887" data-original-width="855" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnMnNaBXiR_xO50K94ThSGODNbAYSWdIkhZmmOT1Ip9fIf5pkR5rKlvxvLhnc3njFVDXc8t0yMNkt1YfSuO8GJXTuyWL4B07rocNGIoHd5FDSOoHQTmJIge3JVesdv0MR5eZBvVO1dZQM/s640/ccnp-rs-2017-dmvpn-sclabs.png" width="616" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">DMVPN topology</span></b></td></tr>
</tbody></table>
<br />
Traffic flow example [VPC-4] --> [VPC-5]:<br />
1) VPC-4 (192.168.160.10) sends to VPC-5 (192.168.164.10) via its default GW: 192.168.160.1<br />
2) The default GW is the HUB (192.168.160.1), which checks its RIB:<br />
<blockquote class="tr_bq">
HUB# <b>sh ip route 192.168.164.10</b><br />
Routing entry for 192.168.164.0/24<br />
Known via "static", distance 1, metric 0<br />
* 172.16.1.2<br />
HUB# <b>sh ip route 172.16.1.2</b><br />
Routing entry for 172.16.1.0/24<br />
Known via "connected", distance 0, metric 0 (connected, via interface)<br />
* directly connected, via Tunnel1<br />
HUB# <b>sh int tun 1 | inc GRE</b><br />
Tunnel protocol/transport multi-GRE/IP<br />
HUB#<br />
HUB# <b>show ip nhrp 172.16.1.2</b><br />
172.16.1.2/32 via 172.16.1.2<br />
Tunnel1 created 04:02:12, expire 01:58:12<br />
Type: dynamic, Flags: registered nhop<br />
NBMA address: 10.10.10.5<br />
HUB#<br />
HUB#<b> show ip route 10.10.10.5 </b><br />
% Subnet not in table<br />
HUB#<b> show ip route 0.0.0.0 </b><br />
Routing entry for 0.0.0.0/0, supernet<br />
Known via "static", distance 1, metric 0, candidate default path<br />
* 10.10.10.2</blockquote>
<br />
3) Router Spoke-1 (10.10.10.5) receives the encrypted packet on int Gi0/0.<br />
After decryption the tunnel destination is 172.16.1.2 (Tunnel1), and the packet is forwarded to the LAN via Gi0/1 (192.168.164.1).<br />
<br />
<br />
<span style="font-size: large;"><b>Configs</b></span><br />
<br />
The IPsec configuration is the same on all DMVPN routers (HUB, Spoke-1, Spoke-2) and is applied to the Tunnel interface.<br />
<blockquote class="tr_bq">
! IPSEC - IKE phase 1 (HAGLE)<br />
crypto isakmp policy 1<br />
encryption 3des<br />
hash md5<br />
authentication pre-share<br />
group 2<br />
!<br />
crypto isakmp key isakmp1234 address 0.0.0.0 !! accept from any source, to accommodate dynamic spokes as well<br />
!<br />
! IPSEC - IKE phase 2 (IPsec transform)<br />
crypto ipsec transform-set TS esp-3des esp-md5-hmac<br />
mode tunnel<br />
!<br />
crypto ipsec profile PROTECT-GRE<br />
set security-association lifetime seconds 86400<br />
set transform-set TS<br />
!</blockquote>
<br />
Inet (emulation) routers use EIGRP:<br />
<blockquote class="tr_bq">
hostname inet<b><span style="color: blue;">x</span></b><br />
!<br />
router eigrp 1<br />
network 10.0.0.0<br />
network 1.0.0.0<br />
no auto-summary<br />
!</blockquote>
<br />
<br />
<b><span style="color: blue;">Hub router</span></b><br />
<blockquote class="tr_bq">
hostname HUB<br />
!<br />
interface GigabitEthernet0/0<br />
description -=to Inet<br />
ip address 10.10.10.1 255.255.255.252<br />
!<br />
interface GigabitEthernet0/1<br />
description -=to LAN<br />
ip address 192.168.160.1 255.255.255.0<br />
!<br />
interface Tunnel1<br />
description -= DMVPN Tunnel<br />
ip address 172.16.1.1 255.255.255.0 <span style="background-color: #d0e0e3;">!! Select a private IP subnet for the tunnels</span><br />
!<br />
tunnel protection ipsec profile PROTECT-GRE <span style="background-color: #d0e0e3;">!! encrypts the traffic passing through this tunnel using ipsec</span><br />
tunnel source GigabitEthernet0/0 <span style="background-color: #d0e0e3;">!! source of the tunnel is the WAN interface</span><br />
tunnel mode gre multipoint <span style="background-color: #d0e0e3;">!! designates the tunnel as a mGRE tunnel</span><br />
!<br />
ip nhrp authentication nhrp1234 <span style="background-color: #d0e0e3;">!! (optional) authentication used for updates between the routers</span><br />
ip nhrp network-id 1 <span style="background-color: #d0e0e3;">!! (mandatory) network identification that has to be the same on all the routers</span><br />
!<br />
ip nhrp map multicast dynamic <span style="background-color: #d0e0e3;">!! Enables multicast across the tunnel, the hub replicates multicast packets to all spokes registered via NHRP</span><br />
<span style="background-color: #d0e0e3;"> ! Add spoke to multicast list upon registration</span><br />
!<br />
!<br />
!<br />
ip mtu 1440 <span style="background-color: #d0e0e3;">!! Reduce the MTU to allow extra overhead from mGRE and IPSEC</span><br />
load-interval 30<br />
keepalive 5 10<br />
!<br />
!<br />
! Configure static routing on HUB (dynamic routing is recommended for larger networks)<br />
ip route 192.168.164.0 255.255.255.0 172.16.1.2 !! The remote LAN can be reached via the remote tunnel IP<br />
ip route 192.168.161.0 255.255.255.0 172.16.1.3 !! The remote LAN can be reached via the remote tunnel IP<br />
ip route 0.0.0.0 0.0.0.0 10.10.10.2<br />
!</blockquote>
<br />
<b><span style="color: blue;">Spoke-1</span></b><br />
<blockquote class="tr_bq">
hostname SPOKE-1<br />
!<br />
interface GigabitEthernet0/0<br />
no sh<br />
description -=to Inet<br />
ip address 10.10.10.5 255.255.255.252<br />
!<br />
interface GigabitEthernet0/1<br />
no sh<br />
description -=To LAN<br />
ip address 192.168.164.1 255.255.255.0<br />
!<br />
interface Tunnel1<br />
description -= DMVPN Tunnel<br />
ip address 172.16.1.2 255.255.255.0<br />
!<br />
tunnel protection ipsec profile PROTECT-GRE<br />
tunnel source GigabitEthernet0/0<br />
tunnel mode gre multipoint<br />
!<br />
ip nhrp authentication nhrp1234<br />
ip nhrp network-id 1<br />
!<br />
ip nhrp map multicast dynamic !! Enables forwarding of multicast traffic across the tunnel.<br />
ip nhrp map multicast 10.10.10.1 !! Send multicast to the Hub only. Hub will receive all multicast (e.g EIGRP updates) and then send out updates to all the Spoke routers.<br />
! This step is required on multipoint GRE tunnels and is not required on point-to-point GRE tunnels.<br />
ip nhrp map 172.16.1.1 10.10.10.1 !! static NHRP map of the HUB's tunnel IP to the HUB's WAN (NBMA) IP; required on the spoke (not needed with PVC)<br />
ip nhrp nhs 172.16.1.1<span style="white-space: pre;"> </span> !! configures the NHRP client with the IP address of its NHRP server (Next Hop Server)<br />
ip nhrp registration no-unique !! clears the "unique" flag in registrations, so the HUB accepts a new registration from this spoke even if its NBMA address has changed<br />
!<br />
ip mtu 1440<br />
load-interval 30<br />
keepalive 5 10<br />
!<br />
ip route 192.168.160.0 255.255.255.0 172.16.1.1<br />
ip route 192.168.161.0 255.255.255.0 172.16.1.3<br />
ip route 0.0.0.0 0.0.0.0 10.10.10.6<br />
!</blockquote>
ip nhrp registration no-unique -<br />
If the spoke router's external (NBMA) address changes and this command is not present, the hub router will not update its NHRP database, because of the error: unique address registered already<br />
<br />
<b><span style="color: blue;"><br /></span></b>
<b><span style="color: blue;">Spoke-2</span></b><br />
<blockquote class="tr_bq">
hostname SPOKE-2<br />
interface GigabitEthernet0/0<br />
no sh<br />
description -=to INET<br />
ip address 10.10.10.9 255.255.255.252<br />
!<br />
interface GigabitEthernet0/1<br />
no sh<br />
description -=To LAN<br />
ip address 192.168.161.1 255.255.255.0<br />
!<br />
interface Tunnel1<br />
description -= DMVPN Tunnel<br />
ip address 172.16.1.3 255.255.255.0<br />
!<br />
tunnel protection ipsec profile PROTECT-GRE<br />
tunnel source GigabitEthernet0/0<br />
tunnel mode gre multipoint<br />
!<br />
ip nhrp authentication nhrp1234<br />
ip nhrp network-id 1<br />
!<br />
ip nhrp map multicast dynamic<br />
ip nhrp map multicast 10.10.10.1<br />
ip nhrp map 172.16.1.1 10.10.10.1<br />
ip nhrp nhs 172.16.1.1<br />
ip nhrp registration no-unique<br />
!<br />
ip mtu 1440<br />
load-interval 30<br />
keepalive 5 10<br />
!<br />
ip route 192.168.160.0 255.255.255.0 172.16.1.1<br />
ip route 192.168.164.0 255.255.255.0 172.16.1.2<br />
ip route 0.0.0.0 0.0.0.0 10.10.10.10<br />
!</blockquote>
<br />
<br />
<b><span style="font-size: large;">Verification</span></b><br />
<br />
<b><u># View traffic on Router "inet2" int Gi0/1 </u></b><br />
# VPC-4 (192.168.160.10) => HUB => 10.10.10.2->1.1.1.2->10.10.10.5 => Spoke1 => VPC-5 (192.168.164.10)<br />
<blockquote class="tr_bq">
VPC-4> <b> show ip</b><br />
IP/MASK : 192.168.160.10/24<br />
GATEWAY : 192.168.160.1<br />
MTU : 1500<br />
VPC-4><br />
VPC-4> <b>ping 192.168.164.10 -t</b><br />
84 bytes from 192.168.164.10 icmp_seq=1 ttl=62 time=17.546 ms<br />
84 bytes from 192.168.164.10 icmp_seq=2 ttl=62 time=11.317 ms</blockquote>
<br />
<b>Wireshark:</b><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhskIOVM-dXUoAojXgrAGNHQXN6zEUh4GMc3gwR2fBVViGVCCDDIEIE19UlwnUKeXVjt-9yURVvCeCj80NkyNkpbM39yxAIu_F_R-0InWVROTWlMTt5odX1KcxTZEtPOqF52j6Wxw-9Ex0/s1600/dmvpn-ESP-tunnel-mode.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="178" data-original-width="683" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhskIOVM-dXUoAojXgrAGNHQXN6zEUh4GMc3gwR2fBVViGVCCDDIEIE19UlwnUKeXVjt-9yURVvCeCj80NkyNkpbM39yxAIu_F_R-0InWVROTWlMTt5odX1KcxTZEtPOqF52j6Wxw-9Ex0/s1600/dmvpn-ESP-tunnel-mode.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><b>DMVPN with IPSEC Tunnel mode + ESP</b></span></td></tr>
</tbody></table>
<br />
Same traffic without ESP:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbnOOfJItMkcf33wh4ysBZ2UL9CoWnuTEdD5WW5j_YCVFVYSVKbW9BCDkkmtZ8TAuqDDgwzGM4dSwd-zvuedybYF9_ekK8q9UTrIha0HaJTnX3YwV5SlPjflrJQs0TsS8vqVNFTT87vCY/s1600/dmvpn-noESP-tunnel-mode.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="568" data-original-width="1240" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbnOOfJItMkcf33wh4ysBZ2UL9CoWnuTEdD5WW5j_YCVFVYSVKbW9BCDkkmtZ8TAuqDDgwzGM4dSwd-zvuedybYF9_ekK8q9UTrIha0HaJTnX3YwV5SlPjflrJQs0TsS8vqVNFTT87vCY/s640/dmvpn-noESP-tunnel-mode.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 12.8px;"><span style="font-size: small;"><b>DMVPN without IPsec ESP</b></span></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<br />
<span style="font-size: large;"><b>Troubleshooting</b></span><br />
<blockquote class="tr_bq">
!<br />
show crypto session<br />
show crypto isakmp sa<span style="white-space: pre;"> </span>! if you see QM_IDLE, it's good.<br />
show crypto isakmp policy<br />
show crypto isakmp diagnose error<br />
show crypto ipsec sa<br />
show crypto ipsec sa | inc crypt: ! if you are seeing packet being encrypted and decrypted, it's good.<br />
show dmvpn<br />
show dmvpn int tunnel 1 detail<br />
show ip nhrp<br />
show ip nhrp br<br />
show ip nhrp nhs detail<br />
show adjacency 172.16.1.3<br />
show ip cef 172.16.1.3 internal<br />
!<br />
show run interface tunnel 1<br />
! disable cef before debug ip packet !!!!!<br />
debug ip packet<br />
debug tunnel<br />
debug nhrp<br />
debug nhrp packet<br />
debug cry isakmp<br />
debug cry ipsec<br />
undebug all<br />
!<br />
clear crypto isakmp<br />
clear crypto sa<br />
!</blockquote>
<br />
<div>
<br />
Examples:<br />
<b><u><span style="color: blue;">IPSEC</span></u></b><br />
<blockquote class="tr_bq">
HUB# <b>show crypto session</b><br />
Crypto session current status<br />
!<br />
Interface: Tunnel1<br />
Session status: UP-ACTIVE <br />
Peer: 10.10.10.9 port 500<br />
Session ID: 0<br />
IKEv1 SA: local 10.10.10.1/500 remote 10.10.10.9/500 Active<br />
IPSEC FLOW: permit 47 host 10.10.10.1 host 10.10.10.9<br />
Active SAs: 2, origin: crypto map<br />
!<br />
Interface: Tunnel1<br />
Session status: UP-ACTIVE <br />
Peer: 10.10.10.5 port 500<br />
Session ID: 0<br />
IKEv1 SA: local 10.10.10.1/500 remote 10.10.10.5/500 Active<br />
IPSEC FLOW: permit 47 host 10.10.10.1 host 10.10.10.5<br />
Active SAs: 2, origin: crypto map<br />
!<br />
HUB#</blockquote>
<blockquote class="tr_bq">
HUB# show crypto isakmp sa<br />
!<br />
IPv4 Crypto ISAKMP SA<br />
dst src state conn-id status<br />
10.10.10.5 10.10.10.1 QM_IDLE 1006 ACTIVE<br />
10.10.10.1 10.10.10.9 QM_IDLE 1007 ACTIVE<br />
HUB# </blockquote>
<blockquote class="tr_bq">
HUB#show crypto isakmp policy<br />
Global IKE policy<br />
Protection suite of priority 1<br />
encryption algorithm: Three key triple DES<br />
hash algorithm: Message Digest 5<br />
authentication method: Pre-Shared Key<br />
Diffie-Hellman group: #2 (1024 bit)<br />
lifetime: 86400 seconds, no volume limit<br />
HUB#</blockquote>
<br />
<blockquote class="tr_bq">
HUB# show crypto ipsec sa | inc crypt:|current_peer<br />
current_peer 10.10.10.9 port 500<br />
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8<br />
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8<br />
current_peer 10.10.10.5 port 500<br />
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7<br />
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7<br />
HUB#</blockquote>
<br />
<b><u><span style="color: blue;">DMVPN</span></u></b><br />
<blockquote class="tr_bq">
HUB# <b>show dmvpn | be Interface</b><br />
Interface: Tunnel1, IPv4 NHRP Details<br />
Type:Hub, NHRP Peers:2,<br />
!<br />
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb<br />
----- --------------- --------------- ----- -------- -----<br />
1 10.10.10.5 172.16.1.2 UP 05:40:08 D<br />
1 10.10.10.9 172.16.1.3 UP 04:25:17 D<br />
!<br />
HUB#</blockquote>
<br />
<blockquote class="tr_bq">
HUB# <b>show ip nhrp</b><br />
172.16.1.2/32 via 172.16.1.2<br />
Tunnel1 created 05:40:37, expire 01:39:47<br />
Type: dynamic, Flags: registered nhop<br />
NBMA address: 10.10.10.5<br />
172.16.1.3/32 via 172.16.1.3<br />
Tunnel1 created 04:25:46, expire 01:54:29<br />
Type: dynamic, Flags: registered nhop<br />
NBMA address: 10.10.10.9<br />
HUB#</blockquote>
<br />
<br />
<b><u><span style="color: blue;">IP CEF </span></u></b><br />
<blockquote class="tr_bq">
HUB#show adjacency 172.16.1.3<br />
Protocol Interface Address<br />
IP Tunnel1 172.16.1.3(10)<br />
!<br />
HUB#show ip cef 172.16.1.3 internal<br />
172.16.1.3/32, epoch 0, flags [att], refcnt 6, per-destination sharing<br />
sources: Adj, RR<br />
subblocks:<br />
Adj source: IP midchain out of Tunnel1, addr 172.16.1.3 0F521D98<br />
Dependent covered prefix type adjfib, cover 172.16.1.0/24<br />
1 RR source [no flags]<br />
ifnums:<br />
Tunnel1(9): 172.16.1.3<br />
path list 0D7964C4, 2 locks, per-destination, flags 0x49 [shble, rif, hwcn]<br />
path 0D7951AC, share 1/1, type adjacency prefix, for IPv4<br />
attached to Tunnel1, IP midchain out of Tunnel1, addr 172.16.1.3 0F521D98<br />
output chain:<br />
IP midchain out of Tunnel1, addr 172.16.1.3 0F521D98<br />
IP adj out of GigabitEthernet0/0, addr 10.10.10.2 0E7279C0<br />
HUB# </blockquote>
<br />
<br />
Some issues encountered during lab configuration:<br />
<br />
SPOKE-1#<b>show crypto isakmp sa</b><br />
IPv4 Crypto ISAKMP SA<br />
dst src state conn-id status<br />
10.10.10.1 10.10.10.5 MM_NO_STATE 0 ACTIVE<br />
10.10.10.1 10.10.10.5 MM_NO_STATE 0 ACTIVE (deleted)<br />
SPOKE-1#<br />
<br />
workaround: reload routers<br />
<br />
The following four states are found in IKE main mode:<br />
- MM_NO_STATE – the ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)<br />
- MM_SA_SETUP – both peers agree on the ISAKMP SA parameters and will move along the process<br />
- MM_KEY_EXCH – both peers exchange their DH keys and are generating their secret keys (if it does not proceed to the next step, this state can also mean a mismatched authentication type or PSK)<br />
- MM_KEY_AUTH – the ISAKMP SAs have been authenticated in main mode and will proceed to QM_IDLE immediately.<br />
<br />
The following three states are found in IKE aggressive mode:<br />
- AG_NO_STATE – the ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)<br />
- AG_INIT_EXCH – the peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet.<br />
- AG_AUTH – the ISAKMP SAs have been authenticated in aggressive mode and will proceed to QM_IDLE immediately.<br />
<br />
The following state is found in IKE Quick Mode, phase 2:<br />
- QM_IDLE – the ISAKMP SA is idle and authenticated<br />
<br />
<br />
<br />
<b>sh crypto session</b><br />
This command gives a quick list of all IKE and IPsec SA sessions.<br />
Some of the common session statuses are as follows:<br />
- Up-Active – the IPsec SA is up/active and transferring data.<br />
- Up-IDLE – the IPsec SA is up, but no data is going over the tunnel<br />
- Up-No-IKE – occurs when one end of the VPN tunnel terminates the IPsec VPN and the remote end attempts to keep using the original SPI; this can be avoided by issuing crypto isakmp invalid-spi-recovery<br />
- Down-Negotiating – the tunnel is down but still negotiating parameters to complete the tunnel.<br />
- Down – the VPN tunnel is down.<br />
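As an added example (not code from the original notes), the state tables above turned into a checker: it parses constructed show crypto isakmp sa and show crypto session output built from the lab addresses and flags peers that are stuck, such as the MM_NO_STATE case seen on SPOKE-1. The verdict labels (ok / negotiating / stuck) are my own grouping of the states listed above.

```python
"""Classify IKE SA / crypto session state from Cisco IOS show output.

Added example, not part of the original notes: it applies the state
descriptions above to constructed 'show crypto isakmp sa' and
'show crypto session' output, so that a stuck peer (the MM_NO_STATE case
seen on SPOKE-1 above) is flagged instead of eyeballed.  Sample output is
constructed from the lab addresses on this page.
"""
import re

# Meaning of each ISAKMP state, per the list above; the verdict grouping is ours.
ISAKMP_STATES = {
    "MM_NO_STATE": ("stuck", "phase 1 started but not progressing (connectivity?)"),
    "MM_SA_SETUP": ("negotiating", "ISAKMP SA parameters agreed"),
    "MM_KEY_EXCH": ("negotiating", "DH done; stuck here often means PSK/auth mismatch"),
    "MM_KEY_AUTH": ("negotiating", "authenticated, about to enter QM_IDLE"),
    "AG_NO_STATE": ("stuck", "aggressive mode started but not progressing"),
    "AG_INIT_EXCH": ("negotiating", "aggressive mode first exchange, not authenticated"),
    "AG_AUTH": ("negotiating", "aggressive mode authenticated, about to enter QM_IDLE"),
    "QM_IDLE": ("ok", "ISAKMP SA idle and authenticated"),
}
SESSION_STATUSES = {"UP-ACTIVE": "ok", "UP-IDLE": "ok", "UP-NO-IKE": "stuck",
                    "DOWN-NEGOTIATING": "negotiating", "DOWN": "stuck"}

# Constructed 'show crypto isakmp sa': the healthy hub rows plus the stuck
# spoke rows from the notes (MM_NO_STATE, one of them already deleted).
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.5      10.10.10.1      QM_IDLE           1006 ACTIVE
10.10.10.1      10.10.10.9      QM_IDLE           1007 ACTIVE
10.10.10.1      10.10.10.5      MM_NO_STATE          0 ACTIVE
10.10.10.1      10.10.10.5      MM_NO_STATE          0 ACTIVE (deleted)
"""
# Constructed 'show crypto session' excerpt (the status line precedes the peer line).
CRYPTO_SESSION_OUTPUT = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 10.10.10.9 port 500
  IKEv1 SA: local 10.10.10.1/500 remote 10.10.10.9/500 Active
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 10.10.10.5 port 500
"""
IP = r"\d+\.\d+\.\d+\.\d+"
SA_LINE = re.compile(rf"^(?P<dst>{IP})\s+(?P<src>{IP})\s+(?P<state>[A-Z_]+)\s+"
                     r"(?P<conn_id>\d+)\s+(?P<status>\S+)(?P<deleted>\s+\(deleted\))?\s*$")


def parse_isakmp_sa(text):
    """One dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            row["deleted"] = row["deleted"] is not None
            rows.append(row)
    return rows


def assess_isakmp(rows):
    """Return [(dst, src, verdict, explanation)] for each SA row.

    A deleted entry that is still listed is treated as stuck (leftover of a
    failed negotiation); otherwise the verdict comes from the state table.
    """
    out = []
    for row in rows:
        verdict, why = ISAKMP_STATES.get(row["state"], ("unknown", "state not in table"))
        if row["deleted"]:
            verdict, why = "stuck", "deleted SA still present: " + why
        out.append((row["dst"], row["src"], verdict, why))
    return out


def parse_crypto_session(text):
    """Return {peer_ip: verdict} from 'show crypto session' output."""
    result, status = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Session status:"):
            status = line.split(":", 1)[1].strip().upper()
        elif line.startswith("Peer:") and status is not None:
            result[line.split()[1]] = SESSION_STATUSES.get(status, "unknown")
    return result


def unhealthy_peers(isakmp_text):
    """Sorted (dst, src) pairs that are not 'ok': candidates for 'clear crypto isakmp'."""
    return sorted({(d, s) for d, s, v, _ in assess_isakmp(parse_isakmp_sa(isakmp_text)) if v != "ok"})


if __name__ == "__main__":
    for dst, src, verdict, why in assess_isakmp(parse_isakmp_sa(ISAKMP_SA_OUTPUT)):
        print(f"{src:<12} -> {dst:<12} {verdict:<12} {why}")
    print(parse_crypto_session(CRYPTO_SESSION_OUTPUT))
```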
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /></div>
<b><span style="font-size: large;">2017 CCNP RS, DHCPv6</span></b> (posted 2017-11-21)<a name='more'></a><br />
<br />
<b>Sources:</b><br />
- <a href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ipv6.pdf">https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ipv6.pdf</a><br />
- <a href="https://supportforums.cisco.com/t5/network-infrastructure-documents/stateful-dhcpv6-relay-configuration-example/ta-p/3149338">https://supportforums.cisco.com/t5/network-infrastructure-documents/stateful-dhcpv6-relay-configuration-example/ta-p/3149338</a><br />
- <a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/dhcp-xe-3s-book/ip6-dhcp-rel-agent-xe.pdf">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/dhcp-xe-3s-book/ip6-dhcp-rel-agent-xe.pdf</a><br />
<br />
<b><span style="font-size: large;">DHCPv6</span></b><br />
In stateful DHCPv6 the address assignment is centrally managed, and clients obtain configuration information that is not available through stateless mechanisms such as address autoconfiguration and neighbor discovery. DHCPv6 can be implemented in two ways: Rapid-Commit and Normal-Commit mode.<br />
- Rapid-Commit mode: the DHCP client obtains configuration parameters from the server through a rapid two-message exchange (<b style="color: blue;">solicit </b>and <b style="color: blue;">reply</b>).<br />
- Normal-Commit mode: the DHCP client uses a four-message exchange (<b><span style="color: blue;">solicit, advertise, request and reply</span></b>). <b>By default normal-commit is used.</b><br />
In order to use the rapid-commit option, it has to be enabled on both the client and the server, so that the two-message exchange is used.<br />
<br />
<b>Relay Agent</b><br />
A DHCPv6 relay agent, which may reside on the client’s link, is used to relay messages between the client and the server. The DHCPv6 relay agent operation is transparent to the client. A DHCPv6 client locates a DHCPv6 server using a reserved, link-scoped multicast address.<br />
<br />
<br />
DHCPv6 pool configuration can contain operational information:<br />
- <b>Prefix delegation </b>information, which could include:<br />
A prefix pool name and associated preferred and valid lifetimes<br />
A list of available prefixes for a particular client and associated preferred and valid lifetimes<br />
- A list of IPv6 addresses of <b>DNS servers</b><br />
- A<b> domain search list</b>, which is a string containing domain names for DNS resolution<br />
<br />
<br />
<span style="font-size: large;"><b>DHCPv6 ports:</b></span><br />
<br />
546 (UDP) client<br />
547 (UDP) server and relay agent<br />
<br />
Multicast addresses:<span style="white-space: pre;"> </span><br />
FF02::1:2, All DHCP relay agents and servers.<br />
FF05::1:3, All DHCP servers.<br />
<br />DHCPv6 uses UDP port number <b><span style="color: blue;">546 for clients</span></b> and port number <span style="color: blue;">547 for servers</span>.<br />
<br />
Server's link-local fe80::0011:22ff:fe33:5566<br />
Client's link-local fe80::aabb:ccff:fedd:eeff<br />
<blockquote class="tr_bq">
1) DHCPv6 client sends a <b><u>Solicit </u></b>from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547<br />
2) DHCPv6 server replies with an <b><u>Advertise</u> </b>from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546<br />
3) DHCPv6 client replies with a <b><u>Request</u></b> from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547<br />
(Client messages are sent to the multicast address, per section 13 of RFC 3315)<br />
4) DHCPv6 server finishes with a <b><u>Reply</u></b> from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546</blockquote>
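The exchange above, as an added example that is not part of the original notes: a small Python encoder/decoder for DHCPv6 messages and an in-memory run of both Normal-Commit (four messages) and Rapid-Commit (two messages) mode, using the link-local addresses, ports, DUIDs, IA_NA values and lease shown on this page. The Server class, the transaction id and the in-memory "wire" are my own constructions.

```python
"""DHCPv6 normal-commit (4 messages) vs rapid-commit (2 messages) exchange.

Added example, not part of the original notes: a minimal RFC 3315 encoder/
decoder (msg-type, 3-byte transaction-id, TLV options) plus an in-memory
client/server exchange using the link-local addresses, DUIDs, IA_NA values
and lease shown on this page.  The 'wire' is a list of (src, dst, msg-type)
tuples instead of sockets, so each mode's message count can be checked.
"""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7              # DHCPv6 msg-type values
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
OPT_RAPID_COMMIT, OPT_DNS_SERVERS = 14, 23
ALL_DHCP_AGENTS = "ff02::1:2"             # all DHCP relay agents and servers, UDP 547
CLIENT_LL = "fe80::aabb:ccff:fedd:eeff"   # client sends from UDP 546
SERVER_LL = "fe80::0011:22ff:fe33:5566"
CLIENT_DUID = bytes.fromhex("00030001500300030000")   # from 'show ipv6 dhcp binding'
SERVER_DUID = bytes.fromhex("00030001500300010000")   # from 'show ipv6 dhcp interface'
INFINITY = 0xFFFFFFFF                                 # 'lifetime infinite infinite'


def build(msg_type, xid, options):
    """Encode header + options; options is a list of (code, payload) pairs."""
    out = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, payload in options:
        out += struct.pack("!HH", code, len(payload)) + payload
    return out


def parse(data):
    """Decode to (msg_type, xid, {code: payload}); rejects truncated options."""
    msg_type, xid = data[0], int.from_bytes(data[1:4], "big")
    opts, pos = {}, 4
    while pos < len(data):
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + length > len(data):
            raise ValueError(f"truncated DHCPv6 option {code}")
        opts[code] = data[pos:pos + length]
        pos += length
    return msg_type, xid, opts


def ia_na(iaid, t1, t2, addr, preferred, valid):
    """IA_NA option carrying one IAADDR sub-option (address + lifetimes)."""
    iaaddr = ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid)
    return struct.pack("!III", iaid, t1, t2) + struct.pack("!HH", OPT_IAADDR, len(iaaddr)) + iaaddr


def lease_from(opts):
    """Extract (address, preferred, valid) from the IA_NA option of a Reply."""
    ia = opts[OPT_IA_NA]
    code, length = struct.unpack("!HH", ia[12:16])    # first sub-option after IAID/T1/T2
    assert code == OPT_IAADDR, "IA_NA without IAADDR"
    body = ia[16:16 + length]
    preferred, valid = struct.unpack("!II", body[16:24])
    return str(ipaddress.IPv6Address(body[:16])), preferred, valid


class Server:
    """Solicit -> Advertise, or Solicit -> Reply when both sides enable rapid commit."""
    def __init__(self, rapid_commit):
        self.rapid_commit = rapid_commit

    def lease_options(self, client_id):
        return [(OPT_CLIENTID, client_id), (OPT_SERVERID, SERVER_DUID),
                (OPT_IA_NA, ia_na(0x00020001, 43200, 69120,
                                  "2001:db8:11:0:2877:6115:d2da:68", INFINITY, INFINITY)),
                (OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::5").packed)]

    def handle(self, data):
        msg_type, xid, opts = parse(data)
        lease = self.lease_options(opts[OPT_CLIENTID])
        if msg_type == SOLICIT and self.rapid_commit and OPT_RAPID_COMMIT in opts:
            return build(REPLY, xid, lease + [(OPT_RAPID_COMMIT, b"")])
        if msg_type == SOLICIT:
            return build(ADVERTISE, xid, lease)
        if msg_type == REQUEST and opts.get(OPT_SERVERID) == SERVER_DUID:
            return build(REPLY, xid, lease)
        raise ValueError(f"unexpected msg-type {msg_type}")


def run_exchange(client_rapid, server_rapid, xid=0x123456):
    """Run one exchange; returns (wire, lease) with wire = [(src, dst, msg_type), ...]."""
    server, wire = Server(server_rapid), []
    base = [(OPT_CLIENTID, CLIENT_DUID), (OPT_IA_NA, struct.pack("!III", 0x00020001, 0, 0))]
    msg = build(SOLICIT, xid, base + ([(OPT_RAPID_COMMIT, b"")] if client_rapid else []))
    wire.append((CLIENT_LL, ALL_DHCP_AGENTS, SOLICIT))
    while True:
        msg_type, rxid, opts = parse(server.handle(msg))
        if rxid != xid:
            raise ValueError("transaction-id mismatch")   # answer to some other exchange
        wire.append((SERVER_LL, CLIENT_LL, msg_type))
        if msg_type == REPLY:
            return wire, lease_from(opts)
        # Advertise: send Request to the chosen server, still via multicast (RFC 3315 s.13)
        msg = build(REQUEST, xid, base + [(OPT_SERVERID, opts[OPT_SERVERID])])
        wire.append((CLIENT_LL, ALL_DHCP_AGENTS, REQUEST))
```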
<div>
<br /></div>
<br />
<b><span style="font-size: large;">Topology</span></b><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjgcXrTJ1UIrWF0jHBjXvgkV8x6ukPWKQHF1e9aq6oONkFo4xOlbZeA6F8vKNS68OjU4d-rJHNdRVRI5yzjKDaTLJB6dMsPzamqMrVfEAOSP2xlMhbG9f5JojWl64n6Vu46HNX6Oy2eyo/s1600/ccnp-rs-2017-dhcpv6.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="304" data-original-width="716" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjgcXrTJ1UIrWF0jHBjXvgkV8x6ukPWKQHF1e9aq6oONkFo4xOlbZeA6F8vKNS68OjU4d-rJHNdRVRI5yzjKDaTLJB6dMsPzamqMrVfEAOSP2xlMhbG9f5JojWl64n6Vu46HNX6Oy2eyo/s640/ccnp-rs-2017-dhcpv6.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">DHCPv6 topology</span></b></td></tr>
</tbody></table>
<br />
<b style="background-color: #f6b26b;">hostname SERVER</b><br />
!<br />
ipv6 unicast-routing<br />
ipv6 cef<br />
ipv6 dhcp pool <span style="background-color: #b6d7a8;"><b>test</b></span><br />
address prefix 2001:DB8:11::/64 lifetime infinite infinite<br />
dns-server AAAA:BBBB:FE10::100<br />
dns-server 2001:DB8::5<br />
domain-name example.com<br />
!<br />
interface GigabitEthernet0/0<br />
ipv6 address 2001:DB8:10::1/64<br />
ipv6 dhcp server <span style="background-color: #b6d7a8;"><b>test</b></span><br />
!<br />
ipv6 route 2001:DB8:11::/64 2001:DB8:10:0:5203:FF:FE02:0 <i>! Static route to reach the clients, via Relay-Gi0/0 autoconfigured IPv6 address</i><br />
!<br />
<br />
<b style="background-color: #f6b26b;">hostname RELAY</b><br />
!<br />
ipv6 unicast-routing<br />
ipv6 cef<br />
!<br />
interface GigabitEthernet0/0<br />
ipv6 address autoconfig <i>! Enabling stateless-autoconfig configures IPv6 addr based on prefixes received in RA</i><br />
ipv6 enable <i>! enable IPv6 on the interface and automatically generate the link-local address using the Modified EUI-64 interface ID</i><br />
!<br />
interface GigabitEthernet0/1<br />
ipv6 address 2001:DB8:11::2/64<br />
ipv6 enable<br />
ipv6 dhcp relay destination 2001:DB8:10::1 GigabitEthernet0/0<br />
!<br />
<br />
<b style="background-color: #f6b26b;">hostname CLIENT-1</b><br />
!<br />
ipv6 unicast-routing<br />
ipv6 cef<br />
ipv6 nd route-owner <i>! inserts Neighbor Discovery-learned routes into the routing table with "ND" status and enables ND autoconfiguration behavior</i><br />
!<br />
interface GigabitEthernet0/0<br />
ipv6 address dhcp rapid-commit <i> ! the DHCP client obtains configuration parameters from the server through a rapid two-message exchange (solicit and reply)</i><br />
ipv6 enable<br />
ipv6 nd autoconfig prefix <i>! uses Neighbor Discovery to install all valid on-link prefixes from RAs received on the interface</i><br />
ipv6 nd autoconfig default-route <i>! allow Neighbor Discovery to install a default route to the Neighbor Discovery-derived default router</i><br />
!<br />
<br />
<span style="font-size: large;"><b>Verify</b></span><br />
<b>SERVER#</b>show ipv6 dhcp pool<br />
DHCPv6 pool: test<br />
Address allocation prefix: 2001:DB8:11::/64 valid 4294967295 preferred 4294967295 (1 in use, 0 conflicts)<br />
DNS server: AAAA:BBBB:FE10::100<br />
DNS server: 2001:DB8::5<br />
Domain name: example.com<br />
Active clients: 1<br />
SERVER#<br />
SERVER#sh ipv6 dhcp binding<br />
Client: FE80::5203:FF:FE03:0<br />
DUID: 00030001500300030000<br />
Username : unassigned<br />
VRF : default<br />
IA NA: IA ID 0x00020001, T1 43200, T2 69120<br />
Address: 2001:DB8:11:0:2877:6115:D2DA:68<br />
preferred lifetime INFINITY, , valid lifetime INFINITY,<br />
SERVER#<br />
<br />
<br />
<b>RELAY# </b>show ipv6 dhcp interface<br />
GigabitEthernet0/1 is in relay mode<br />
Relay destinations:<br />
2001:DB8:10::1<br />
2001:DB8:10::1 via GigabitEthernet0/0<br />
RELAY#<br />
<br />
<br />
<b>CLIENT-1#</b> show ipv6 dhcp interface<br />
GigabitEthernet0/0 is in client mode<br />
Prefix State is IDLE<br />
Address State is OPEN<br />
Renew for address will be sent in 11:33:23<br />
List of known servers:<br />
Reachable via address: FE80::5203:FF:FE02:1<br />
DUID: 00030001500300010000<br />
Preference: 0<br />
Configuration parameters:<br />
IA NA: IA ID 0x00020001, T1 43200, T2 69120<br />
Address: 2001:DB8:11:0:2877:6115:D2DA:68/128<br />
preferred lifetime INFINITY, valid lifetime INFINITY<br />
DNS server: AAAA:BBBB:FE10::100<br />
DNS server: 2001:DB8::5<br />
Domain name: example.com<br />
Information refresh time: 0<br />
Prefix Rapid-Commit: disabled<br />
Address Rapid-Commit: enabled<br />
CLIENT-1#<br />
<br />
<b>SERVERE#</b> ping 2001:DB8:11:0:2877:6115:D2DA:68<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 2001:DB8:11:0:2877:6115:D2DA:68, timeout is 2 seconds:<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/9 ms<br />
SERVERE#<br />
<br />
<br />
<b><span style="font-size: large;">Wireshark</span></b><br />
<br />
<span style="color: #0000ee;"><u><a href="https://www.dropbox.com/s/pbdcjtnphjlgbj6/ccnp-rs-2017-dhcpv6.pcap.pcapng?dl=0">https://www.dropbox.com/s/pbdcjtnphjlgbj6/ccnp-rs-2017-dhcpv6.pcap.pcapng?dl=0</a></u></span><br />
<span style="color: #0000ee;"><br /></span>
<span style="color: #0000ee;"><u><br /></u></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEvbcenphCtMb9DoQj5KhjmhGuXSYn3EibGNfTOp6BG4owdJAwX4mupgQjr_7RNKJED9BfWCcJZbrqGZpn9LN9qBJe9hJklTSNM4AKjk7H-SFw_ko4fG2gIMeH1gg8YXufn9QQUA9JxEc/s1600/ccnp-rs-2017-dhcpv6-wireshark.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="617" data-original-width="1556" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEvbcenphCtMb9DoQj5KhjmhGuXSYn3EibGNfTOp6BG4owdJAwX4mupgQjr_7RNKJED9BfWCcJZbrqGZpn9LN9qBJe9hJklTSNM4AKjk7H-SFw_ko4fG2gIMeH1gg8YXufn9QQUA9JxEc/s640/ccnp-rs-2017-dhcpv6-wireshark.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">Click to expand</span></b></td></tr>
</tbody></table>
<br />
<br />
<b><span style="font-size: large;">2017 CCNP RS, Remote Site Connectivity, VPN, GRE, DMVPN, IPSec, MPLS basics</span></b> (posted 2017-11-15)<a name='more'></a><br />
<br />
<b>Tunnel-Based Virtual Private Networks</b><br />
Tunnel is a virtual connection that can physically span multiple router hops.<br />
■ Generic Routing Encapsulation (GRE)<br />
■ Dynamic Multipoint VPN (DMVPN)<br />
■ Multipoint GRE<br />
■ IPsec<br />
<div>
<br /></div>
<br />
<b>Hybrid Virtual Private Networks</b><br />
Rather than just using a single MPLS-based VPN technology or a single tunnel-based VPN technology, you can use select VPN technologies in tandem.<br />
Example: Layer 3 MPLS VPN set up over a DMVPN.<br />
<br />
<b>Overhead</b><br />
Every time you add an encapsulation, you are adding to the total header size of the packet.<br />
With more headers, the amount of data you can carry inside a single packet is decreased.<br />
As a result, you might have to<b> configure a <u><span style="color: red;">lower</span> </u>maximum transmission unit (MTU)</b> size for frames on an interface.<br />
<br />
<b>GRE - Generic Routing Encapsulation</b><br />
- GRE tunnel can encapsulate any Layer 3 protocol, which makes it very flexible.<br />
- GRE by itself does not provide any security for the data it transmits<br />
- GRE packet can be sent over an IPsec VPN, causing the GRE packet (and therefore its contents) to be protected.<br />
- GRE tunnel can encapsulate IP multicast packets<br />
<br />
Configuration example:<br />
<blockquote class="tr_bq">
!ROUTER R1<br />
interface Tunnel1<br />
ip address 192.168.0.1 255.255.255.252<br />
tunnel source Loopback0<br />
tunnel destination 4.4.4.4<br />
!<br />
!ROUTER R4<br />
interface Tunnel1<br />
ip address 192.168.0.2 255.255.255.252<br />
tunnel source Loopback0<br />
tunnel destination 1.1.1.1<br />
!</blockquote>
<blockquote class="tr_bq">
R1# show interfaces tunnel 1<br />
Encapsulation <b>TUNNEL</b>, loopback not set</blockquote>
<br />
<b>DMVPN</b><br />
- Dynamic Multipoint VPN<br />
- allows a VPN tunnel to be dynamically created and torn down between two remote sites on an as-needed basis<br />
- the headquarters router takes the role of the hub; the branch routers take the role of spokes<br />
- hub-and-spoke topology, with the headquarters acting as the hub<br />
- Multipoint GRE, Next Hop Resolution Protocol (NHRP), and IPsec are required to support a DMVPN topology.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkxkTAM3nDLZkGjiCa1lkw3kSXMo5aVwTMMz0kXVx5YJdIulxznPnzM6rZuRB8SAFenChHHpQY5Dgi_13tfnuXaswzUUSaa-5dOWknTqBbRtjPZdewKXpxp8XmNS7ku79BdfgbvDkM5g/s1600/dmvpn-example.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="453" data-original-width="728" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkxkTAM3nDLZkGjiCa1lkw3kSXMo5aVwTMMz0kXVx5YJdIulxznPnzM6rZuRB8SAFenChHHpQY5Dgi_13tfnuXaswzUUSaa-5dOWknTqBbRtjPZdewKXpxp8XmNS7ku79BdfgbvDkM5g/s1600/dmvpn-example.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">DMVPN example topology</span></b></td></tr>
</tbody></table>
<br />
<br />
<b>Multipoint GRE</b><br />
- allows a router to support multiple GRE tunnels on a single GRE interface.<br />
- Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast).<br />
- in a hub-and-spoke topology, a hub router can have a single mGRE interface, and multiple tunnels can use that single interface.<br />
- An interface configured for mGRE is able to dynamically form a GRE tunnel by using Next Hop Resolution Protocol (NHRP) to discover the IP address of the device at the far end of the tunnel.<br />
<br />
- traditional GRE (sometimes called point-to-point or p2p GRE)<br />
- traditional GRE uses P2P connections, each with its own /30 prefix (one per P2P connection)<br />
- mGRE uses one interface (multipoint) with a single /24 prefix (same IP broadcast domain)<br />
- an mGRE tunnel is treated as non-broadcast multi-access (NBMA)<br />
- an mGRE tunnel does not have to be configured with a tunnel destination, so another protocol has to take care of the destination addresses; NHRP is used for the NBMA environment.<br />
<br />
<br />
<b>NHRP</b><br />
- Next Hop Resolution Protocol (NHRP), defined in RFC 2332, is a Layer 2 address resolution protocol and cache, like Address Resolution Protocol (ARP).<br />
- NHRP is used to map tunnel IP addresses to the "physical" or "real" (NBMA) IP addresses used by the endpoint routers.<br />
<br />
NHRP Database<br />
<table align="center" cellpadding="4" cellspacing="0" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><b>Tunnel IP</b></td><td><b>Physical IP</b></td><td><b>Router</b></td></tr>
<tr><td>10.0.0.1</td><td>192.0.2.1</td><td>Spoke-A</td></tr>
<tr><td>10.0.0.2</td><td>203.0.113.1</td><td>Spoke-B</td></tr>
<tr><td>10.0.0.3</td><td>198.51.100.1</td><td>Spoke-C</td></tr>
</tbody></table>
<br />
NHRP Registration Process<br />
- When the spokes come online, they each advertise the IP address of the physical interface that is going to be used for tunnel formation,<br />
along with the IP address of the virtual tunnel interface.<br />
- As a result, the Headquarters router populates its NHRP database.<br />
- With the hub's database populated, a spoke can query the hub to find out the IP address of the physical interface that corresponds to a specific tunnel interface's IP address.<br />
<br />
example:<br />
- Branch C router (tunnel IP 10.0.0.3, physical IP 198.51.100.1) needs to dynamically form a GRE tunnel with Branch B (tunnel IP 10.0.0.2, physical IP not yet known)<br />
- Branch C router sends an NHRP query to the hub router asking:<br />
What physical interface's IP address is associated with the tunnel interface IP address 10.0.0.2?<br />
- The hub router (that is, the Headquarters router) checks its NHRP database and responds to the query,<br />
telling the Branch C router that the physical interface's IP address corresponding to the tunnel interface IP address 10.0.0.2 is 203.0.113.1<br />
- Having dynamically learned the IP address of the physical interface on the Branch B router, the Branch C router sets up a GRE tunnel directly with the Branch B router<br />
<blockquote class="tr_bq">
Router# show ip nhrp<br />
192.168.0.2 255.255.255.255, tunnel 100 created 0:00:44 expire 1:59:15<br />
Type: dynamic Flags: authoritative<br />
NBMA address: 10.1111.1111.1111.1111.1111.1111.1111.1111.1111.11</blockquote>
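The registration and resolution exchange above, simulated in Python as an added example (not code from these notes, and not a real NHRP implementation): the hub keeps the database, spokes register on coming online, and a spoke's resolution request either yields the peer's physical IP (direct spoke-to-spoke tunnel) or fails, in which case traffic keeps going via the hub. The hold time and the expiry behaviour are assumptions modelled on the "expire" timer in the show output.<br />

```python
HOLD_TIME = 7200  # seconds; assumed, mirrors the ~2h "expire" timer in 'show ip nhrp'


class NhrpHub:
    """Hub (headquarters) side: NHRP database mapping tunnel IP -> physical (NBMA) IP."""

    def __init__(self):
        self.database = {}  # tunnel_ip -> (nbma_ip, expires_at)

    def registration_request(self, tunnel_ip, nbma_ip, now):
        # A spoke coming online advertises its tunnel IP together with its physical IP.
        self.database[tunnel_ip] = (nbma_ip, now + HOLD_TIME)

    def resolution_request(self, tunnel_ip, now):
        # A spoke asks which physical IP belongs to this tunnel IP.
        entry = self.database.get(tunnel_ip)
        if entry is None:
            return None                       # never registered
        nbma_ip, expires_at = entry
        if now >= expires_at:                 # stale registration: purge it and fail the query
            del self.database[tunnel_ip]
            return None
        return nbma_ip


class NhrpSpoke:
    """Branch side: registers with the hub, then resolves peers for spoke-to-spoke tunnels."""

    def __init__(self, tunnel_ip, nbma_ip, hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        self.cache = {}  # dynamic entries learned from resolution replies (no expiry modelled)

    def come_online(self, now):
        self.hub.registration_request(self.tunnel_ip, self.nbma_ip, now)

    def tunnel_to(self, peer_tunnel_ip, now):
        """Return ('direct', nbma_ip) if the hub resolved the peer, else ('via-hub', None)."""
        nbma_ip = self.cache.get(peer_tunnel_ip) or self.hub.resolution_request(peer_tunnel_ip, now)
        if nbma_ip is None:
            return ("via-hub", None)          # unknown peer: traffic stays on the hub tunnel
        self.cache[peer_tunnel_ip] = nbma_ip
        return ("direct", nbma_ip)


def build_example(now=0):
    """Constructed topology from the notes: Spoke-A/B/C register with the hub at time 'now'."""
    hub = NhrpHub()
    spokes = {name: NhrpSpoke(t, p, hub) for name, t, p in
              [("A", "10.0.0.1", "192.0.2.1"), ("B", "10.0.0.2", "203.0.113.1"),
               ("C", "10.0.0.3", "198.51.100.1")]}
    for spoke in spokes.values():
        spoke.come_online(now)
    return hub, spokes


if __name__ == "__main__":
    hub, spokes = build_example()
    print(spokes["C"].tunnel_to("10.0.0.2", now=1))  # ('direct', '203.0.113.1')
```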
<div>
<br />
<b>IPsec</b><br />
- Security in a DMVPN is provided by IPsec<br />
- Confidentiality<br />
- Integrity<br />
- Authentication<br />
- Antireplay<br />
<br />
- IPsec uses a collection of protocols to provide its features. One of the primary protocols used by IPsec is the Internet Key Exchange (IKE) protocol.<br />
<br />
<br />
- There are two phases to establish an IPsec tunnel.<br />
- During IKE Phase 1, a secure Internet Security Association and Key Management Protocol (ISAKMP) session is established.<br />
<b>Also known as an ISAKMP tunnel.</b><br />
<div>
As part of this phase, the IPsec endpoints establish transform sets (that is, a collection of encryption and authentication protocols),</div>
hash methods, and other parameters needed to establish a secure ISAKMP session (sometimes called an ISAKMP tunnel or an IKE Phase 1 tunnel).<br />
This collection of parameters is called a security association (SA).<br />
With IKE Phase 1, the SA is bidirectional, meaning that the same key exchange is used for data flowing across the tunnel in either direction.<br />
<br />
- IKE Phase 2 occurs within the protection of an IKE Phase 1 tunnel.<br />
<b>Also known as an IPsec tunnel.</b><br />
A session formed during IKE Phase 2 is sometimes called an IKE Phase 2 tunnel,<br />
or simply an IPsec tunnel. However, unlike IKE Phase 1, IKE Phase 2 performs unidirectional SA negotiations, meaning that each data flow uses a separate key exchange.<br />
<br />
- IPsec also relies on either the Authentication Header (AH) protocol (IP protocol number 51) or the Encapsulating Security Payload (ESP) protocol (IP protocol number 50).<br />
Both AH and ESP offer origin authentication and integrity services, which ensure that IPsec peers are who they claim to be and that data was not modified in transit.<br />
<br />
- Both AH and ESP can operate in one of two modes, transport mode or tunnel mode.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0SlikT1b7dWdyP0CeSb8UJVxIwPBa1sMsiWTL_jnonLp3g4NoK1nrkfR1EwYotEF-e3GirawimezrbcUS3cziz4h1LckZpQqRb4CB0u6Kiog9JpCauIwDzWlAzSQJbC4M2bqVCVRRKYA/s1600/ipsec-modes.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="265" data-original-width="620" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0SlikT1b7dWdyP0CeSb8UJVxIwPBa1sMsiWTL_jnonLp3g4NoK1nrkfR1EwYotEF-e3GirawimezrbcUS3cziz4h1LckZpQqRb4CB0u6Kiog9JpCauIwDzWlAzSQJbC4M2bqVCVRRKYA/s1600/ipsec-modes.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><b>IPSec modes</b></span></td></tr>
</tbody></table>
<div>
<br /></div>
<br />
<br />
<b><span style="font-size: large;">MPLS - Multiprotocol Label Switching</span></b><br />
- Technology commonly used by service providers, although many large enterprises also use MPLS for their backbone network<br />
- MPLS makes forwarding decisions based on labels rather than IP addresses.<br />
- MPLS establishes a dedicated path known as an <b>LSP (Label Switched Path)</b> before data flows.<br />
(IP routing does not establish a dedicated path; it just transmits datagrams, which are routed hop by hop based on IP addresses.)<br />
- Each MPLS router builds an LFIB (Label Forwarding Information Base) table using the LDP protocol.<br />
(IP routing stores an IP routing table instead.)<br />
<br />
- A 32-bit MPLS header (carrying the 20-bit label) is inserted between a frame's Layer 2 and Layer 3 headers.<br />
- The MPLS header is often called a shim header, because it is stuck in between two existing headers.<br />
- MPLS-based VPNs can be grouped into one of two primary categories: Layer 2 MPLS VPNs / Layer 3 MPLS VPNs<br />
- L2 EtherType 0x8847<span style="white-space: pre;"> </span>MPLS unicast<br />
- L2 EtherType 0x8848<span style="white-space: pre;"> </span>MPLS multicast<br />
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdy1DADnkTeceJi_QOJRObGFIeJM5E0icZt7aFwKhWJCqAf5MT2VOFQv2JqOhmmU72Q-p4bEHuu7KAFwWrvpttsKUSJGDzSDExXtJ2p6dABiqJsdZyOGtVrQib2EMIIeNKUnq1AgdtIeg/s1600/MPLS-shim-header.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="338" data-original-width="963" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdy1DADnkTeceJi_QOJRObGFIeJM5E0icZt7aFwKhWJCqAf5MT2VOFQv2JqOhmmU72Q-p4bEHuu7KAFwWrvpttsKUSJGDzSDExXtJ2p6dABiqJsdZyOGtVrQib2EMIIeNKUnq1AgdtIeg/s640/MPLS-shim-header.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><b>MPLS shim header and MPLS stack</b></span></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIF9FxL9lx7Ft_hROpFphjd-UqGWi895nsHnV4qJ7HlAVlML8gdsIVKw4PbbMait7sZ1LjO5I70WOBs0N8RYs4ZlLLkrOKc-wjVmbdWv0ICulsMsZFOSuyCNTHeZMMLwHXDEWCZthCGuk/s1600/mpls-header.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="111" data-original-width="603" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIF9FxL9lx7Ft_hROpFphjd-UqGWi895nsHnV4qJ7HlAVlML8gdsIVKw4PbbMait7sZ1LjO5I70WOBs0N8RYs4ZlLLkrOKc-wjVmbdWv0ICulsMsZFOSuyCNTHeZMMLwHXDEWCZthCGuk/s1600/mpls-header.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><b>MPLS header fields</b></span></td></tr>
</tbody></table>
<div>
MPLS Header fields:</div>
<div>
<div>
<div>
- 20 bits - Label (the actual label value). A label with the value of 1 represents the router alert label.</div>
<div>
- 3 bits - Traffic Class</div>
<div>
Traffic Class field for QoS (quality of service) priority and ECN (Explicit Congestion Notification). Prior to 2009 this field was called EXP (Experimental).</div>
<div>
<br /></div>
<div>
- 1 bit - S (Bottom of Stack). If this is set, it signifies that the current label is the last in the stack.</div>
<div>
- 8 bits - TTL (Time to Live)</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
<div>
<b>MPLS Label Stack</b></div>
<div>
• Usually only one label is assigned to a packet, but multiple labels in a label stack are supported.</div>
<div>
• These scenarios may produce more than one label:</div>
<div>
– MPLS VPNs (two labels): The top label points to the egress router, and the second label identifies the VPN.</div>
<div>
– MPLS TE (two or more labels): The top label points to the endpoint of the traffic engineering tunnel and the second label points to the destination.</div>
<div>
– MPLS VPNs combined with MPLS TE (three or more labels).</div>
</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTHLayEkoObLN_OtqkDZssbKXjqFhRew6XCtkAzpEFP5zYxCARqEC7kIrQabpkQIRfSS9crGJ1FnXgIhP0ti7ddqRZ9XKAM8njKg5hRO6hZv0aIqoO5ILFqFS1ILZZRtOKUy7JvG39lGg/s1600/mpls-label-stack.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="392" data-original-width="633" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTHLayEkoObLN_OtqkDZssbKXjqFhRew6XCtkAzpEFP5zYxCARqEC7kIrQabpkQIRfSS9crGJ1FnXgIhP0ti7ddqRZ9XKAM8njKg5hRO6hZv0aIqoO5ILFqFS1ILZZRtOKUy7JvG39lGg/s400/mpls-label-stack.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;"><b>MPLS Label Stack</b></span></td></tr>
</tbody></table>
<div>
• The outer label is used for switching the packet in the MPLS network (points to the TE destination).</div>
<div>
<div>
• Inner labels are used to separate packets at egress points (points to egress router and identifies VPN).</div>
</div>
</div>
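The shim header layout and the label stack (S bit) described in the two sections above, as an added Python example that is not code from these notes: it packs and parses 32-bit MPLS entries, checks the EtherType, walks the stack until the bottom-of-stack bit, flags the router-alert label, and rejects a truncated stack. The sample frame (MACs, label values, the stub IPv4 header) is constructed for the example.<br />

```python
import struct

# EtherTypes and the reserved router-alert label value, as listed in the notes above
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
ROUTER_ALERT_LABEL = 1


def encode_entry(label, tc, bottom, ttl):
    """Pack one 32-bit shim entry: 20-bit label | 3-bit TC | 1-bit S | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and bottom in (0, 1) and 0 <= ttl < 256):
        raise ValueError("MPLS field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)


def build_stack(entries):
    """entries: [(label, tc, ttl), ...], top of stack first; S is set only on the last entry."""
    last = len(entries) - 1
    return b"".join(encode_entry(l, tc, int(i == last), ttl) for i, (l, tc, ttl) in enumerate(entries))


def parse_mpls_frame(frame):
    """Parse an Ethernet II frame carrying MPLS; return (ethertype, stack, payload).
    stack is a list of dicts, top label first, read until the bottom-of-stack bit is seen."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        raise ValueError(f"not an MPLS frame: EtherType 0x{ethertype:04x}")
    stack, offset = [], 14
    while True:
        if len(frame) < offset + 4:  # S bit never seen: malformed or truncated stack
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7, "s": (word >> 8) & 0x1,
                 "ttl": word & 0xFF, "router_alert": (word >> 12) == ROUTER_ALERT_LABEL}
        stack.append(entry)
        offset += 4
        if entry["s"]:
            return ethertype, stack, frame[offset:]


# Constructed sample: an MPLS VPN frame with two labels (outer LSP label 16, inner VPN label 100)
# followed by a stand-in 20-byte IPv4 header (only the version/IHL byte is set).
ETH_HDR = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
IPV4_STUB = bytes([0x45]) + bytes(19)
SAMPLE_FRAME = ETH_HDR + build_stack([(16, 0, 64), (100, 5, 64)]) + IPV4_STUB

if __name__ == "__main__":
    for e in parse_mpls_frame(SAMPLE_FRAME)[1]:
        print(e)  # top entry first; the second entry has s == 1
```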
<div>
<br /></div>
<div>
<div>
Top = Outer = LSP label (per TDP, LDP or RSVP)</div>
<div>
Bottom = Inner = VPN label (per MP-BGP)<br />
<br />
<b>BGP</b><br />
MPLS provider edge (PE) router is also known as an Edge Label Switch Router [ELSR]<br />
MPLS customer edge (CE) router<br />
<br />
The normal version of BGP (Border Gateway Protocol) only supported IPv4 unicast prefixes.<br />
Nowadays we use MP-BGP (Multiprotocol BGP) which supports different addresses:<br />
IPv4 unicast<br />
IPv4 multicast<br />
IPv6 unicast<br />
IPv6 multicast<br />
MP-BGP - multiprotocol BGP, in MPLS used to exchange the VPN labels<br />
<br />
Layer 2 MPLS VPN - as a logical Layer 2 switch<br />
Layer 3 MPLS VPN - SP PE router establishes a peering relationship with a CE router<br />
<div>
<br /></div>
<br />
<br />
<br />
sources:<br />
<a href="http://blog.globalknowledge.com/2010/06/16/mpls-part-10/">http://blog.globalknowledge.com/2010/06/16/mpls-part-10/</a></div>
</div>
<div>
<br /></div>