Configuring Basic OSPF in SROS

This post will cover setting up OSPF as your IGP; IS-IS will be covered separately.

First off we need to enable OSPF.  Make sure you have your system interface configured before this point or your RID will be based on the base MAC of the chassis and will look like a public IP.

A:r2# show router interface "system" | match /32
2.2.2.2/32 n/a

If you forget or need to change the RID you need to config router ospf shut followed by config router ospf no shut. There is no command like clear ip ospf process in IOS.

Once we have confirmed this is in place we can go ahead and enable OSPF, so let's do that.

The router will use the system address as the RID but we will statically configure one anyway. We will also make the routers ASBRs. This is quite important: simply redistributing prefixes into OSPF with a policy doesn't actually send any prefixes into OSPF without the asbr command in place, the source of many an early-days headache. We will also enable traffic-engineering extensions so we can run MPLS TE; we will need it later.

BTW, configuring something for the first time changes the prompt to $, but as I have already enabled OSPF and am just retyping commands the prompt appears as #.

*A:r2# configure router ospf
*A:r2>config>router>ospf# router-id 2.2.2.2
*A:r2>config>router>ospf# traffic-engineering
*A:r2>config>router>ospf# asbr
*A:r2>config>router>ospf#

At this point OSPF will be up which you can verify through show router ospf status. If you failed to set your system interface address you will see your funny RID in here.

*A:r2>config>router>ospf# show router ospf status
OSPF Cfg Router Id : 2.2.2.2
OSPF Oper Router Id : 2.2.2.2
OSPF Version : 2
OSPF Admin Status : Enabled
OSPF Oper Status : Enabled
Graceful Restart : Enabled
GR Helper Mode : Enabled
Preference : 10
External Preference : 150
Backbone Router : True
Area Border Router : False
AS Border Router : True
Opaque LSA Support : True
Traffic Engineering Support : True

Now we want to configure some interfaces into the process, and we will start by creating area 0.0.0.0. This is where you should place your system interface unless you are a stub area router and not an ABR. The system interface is broadcast type by default and passive, so I will set the interface type to point-to-point, and passive just to demonstrate the command.

*A:r2>config>router>ospf# area 0
*A:r2>config>router>ospf>area# interface "system"
*A:r2>config>router>ospf>area>if# interface-type point-to-point
*A:r2>config>router>ospf>area>if# passive
*A:r2>config>router>ospf>area>if#

Now let's configure an interface into area 0 and give it some meaningful configuration: a link cost/metric, a binding to the interface's BFD instance, and MD5 authentication using the password mypassword.

*A:r2>config>router>ospf>area# interface "tor3"
*A:r2>config>router>ospf>area>if# interface-type point-to-point
*A:r2>config>router>ospf>area>if# metric 1001
*A:r2>config>router>ospf>area>if# bfd-enable
*A:r2>config>router>ospf>area>if# message-digest-key 1 md5 mypassword
*A:r2>config>router>ospf>area>if# authentication-type message-digest

Next we will configure a stub area, called area 5. In here we will put a link to r5.

*A:r2>config>router>ospf# area 5
*A:r2>config>router>ospf>area# stub
*A:r2>config>router>ospf>area>stub# exit
*A:r2>config>router>ospf>area# interface "tor5"
*A:r2>config>router>ospf>area>if# interface-type point-to-point
*A:r2>config>router>ospf>area>if# metric 10101
*A:r2>config>router>ospf>area>if# bfd-enable
*A:r2>config>router>ospf>area>if# message-digest-key 1 md5 mypassword
*A:r2>config>router>ospf>area>if# authentication-type message-digest
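To make the message-digest-key / authentication-type message-digest lines concrete, here is an added example (mine, not from the post) that builds a point-to-point OSPFv2 Hello with RFC 2328 Appendix D cryptographic authentication and verifies the digest the way a receiving router would, including the unknown-key and replayed-sequence failure cases. Key id 1 and the secret mypassword come from the configuration above; the hello timers and sequence number are constructed.

```python
import hashlib
import hmac
import struct

# RFC 2328 Appendix D, AuType 2 (cryptographic authentication): the 16-byte
# MD5 digest is computed over the OSPF packet followed by the 16-byte key
# (secret zero-padded) and appended after the packet; the OSPF length field
# does not cover the digest and the checksum field is zero.
OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16


def key_block(secret: str) -> bytes:
    key = secret.encode()
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def ip4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def hello_body(hello=10, dead=40, priority=1, options=0x02, neighbors=()) -> bytes:
    # Point-to-point Hello: network mask 0.0.0.0 and no DR/BDR (constructed timers).
    body = ip4("0.0.0.0") + struct.pack("!HBBI", hello, options, priority, dead)
    body += ip4("0.0.0.0") + ip4("0.0.0.0")
    for neighbor in neighbors:
        body += ip4(neighbor)
    return body


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                secret: str, body: bytes) -> bytes:
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length,
                         ip4(router_id), ip4(area_id), 0, AUTYPE_CRYPTO)
    # Authentication field: reserved(2), key id(1), auth data length(1), sequence(4).
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    digest = hashlib.md5(header + body + key_block(secret)).digest()
    return header + body + digest


def verify_hello(wire: bytes, keys: dict, last_seq: int = -1) -> tuple:
    """Check a received packet against the keys configured as
    'message-digest-key <id> md5 <secret>'; returns (ok, reason)."""
    if len(wire) < 24 + DIGEST_LEN:
        return False, "too short"
    version, _ptype, length, _rid, _aid, checksum, autype = struct.unpack(
        "!BBH4s4sHH", wire[:16])
    _reserved, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if version != OSPF_VERSION or autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not OSPFv2 cryptographic authentication"
    if checksum != 0 or len(wire) != length + DIGEST_LEN:
        return False, "bad length or checksum field"
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if seq < last_seq:
        return False, "replayed sequence number"
    expected = hashlib.md5(wire[:length] + key_block(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch"
    return True, "ok"
```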

To create a Totally Stub Area we put the no summaries option under the stub configuration.

MTU obviously plays an important part in OSPF and every network engineer has been mind-boggled by it at some stage in their career (exchange start, anyone?). To set it under an interface it's simply mtu #, where # is the value you apply. The maximum you can set is 9198, on my routers anyway.

A couple of miscellaneous commands now. If you wish to stop advertising subnet routes for an interface you configure no advertise-subnet, if that floats your boat. Finally on the basics, if you have a DR set up with type 2 LSAs for some reason (not a fan, it's just messy), you can set the interface priority to bias the DR election. Simply configure the priority # command.

Some useful show commands:

We have show router ospf status, which we saw earlier.

*A:r2# show router ospf neighbor
===============================================================================
OSPF Neighbors
===============================================================================
Interface-Name Rtr Id State Pri RetxQ TTL
Area-Id
-------------------------------------------------------------------------------
tor5 5.5.5.5 Full 1 0 35
0.0.0.0
tor4 4.4.4.4 Full 1 0 33
0.0.0.0
tor3_b 3.3.3.3 Full 1 0 34
0.0.0.0
-------------------------------------------------------------------------------
No. of Neighbors: 3

(Yep I didn’t actually configure area 5 for tor5 🙂 I’m running some tests at the moment so can’t be messin with that!)

show router ospf interface shows you which interfaces you have OSPF running on, the DR/BDR, area and interface type. Unlike show ip ospf interface brief in IOS it doesn’t give you the interface cost. For that you need to use the detail option, which can be for all interfaces or a single one if you specify it:

*A:r2# show router ospf interface "tor4" detail | match "Oper Metric"
Oper Metric : 100 Bfd Enabled : Yes

show router ospf database -or- show router ospf opaque-database (for the TED) gives you access to the OSPF database, strange huh!? You can use the usual qualifiers to get in to more detail on the LSA contents:

*A:r2# show router ospf database
- database [type {router|network|summary|asbr-summary|external|nssa|all}] [area ] [adv-router ]
[] [detail]

I’m not going to show the output of these commands cos it’s just too much space for a post.

So let's assume I have repeated this on the 5 routers in the network. We should now have full reachability.

*A:r2# show router route-table
Route Table (Router: Base)
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote OSPF 06d19h45m 150
24.24.24.4 1
1.1.1.1/32 Remote OSPF 01d17h10m 10
24.24.24.4 300
2.2.2.2/32 Local Local 31d18h16m 0
system 0
3.3.3.3/32 Remote OSPF 01d17h10m 10
24.24.24.4 200
4.4.4.4/32 Remote OSPF 06d19h45m 10
24.24.24.4 100
5.5.5.5/32 Remote OSPF 01d17h40m 10
25.25.25.5 100
13.13.13.0/24 Remote OSPF 01d17h10m 10
24.24.24.4 300
23.23.23.0/24 Local Local 01d18h11m 0
tor3 0
24.24.24.0/24 Local Local 06d19h45m 0
tor4 0
25.25.25.0/24 Local Local 01d19h55m 0
tor5 0
32.32.32.0/24 Local Local 01d17h51m 0
tor3_b 0
34.34.34.0/24 Remote OSPF 01d17h10m 10
24.24.24.4 200
35.35.35.0/24 Remote OSPF 01d17h10m 10
25.25.25.5 200

And we do…

*A:r2# ping 3.3.3.3
PING 3.3.3.3 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=1 ttl=63 time=5.44ms.
64 bytes from 3.3.3.3: icmp_seq=2 ttl=63 time=3.17ms.
^C
ping aborted by user


---- 3.3.3.3 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.17ms, avg = 4.30ms, max = 5.44ms, stddev = 1.13ms
*A:r2# ping 4.4.4.4
PING 4.4.4.4 56 data bytes
64 bytes from 4.4.4.4: icmp_seq=1 ttl=64 time=8.86ms.
64 bytes from 4.4.4.4: icmp_seq=2 ttl=64 time=3.33ms.
^C
ping aborted by user


---- 4.4.4.4 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.33ms, avg = 6.10ms, max = 8.86ms, stddev = 2.76ms
*A:r2# ping 1.1.1.1
PING 1.1.1.1 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=1 ttl=62 time=42.3ms.
64 bytes from 1.1.1.1: icmp_seq=2 ttl=62 time=3.43ms.
^C
ping aborted by user

---- 1.1.1.1 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.43ms, avg = 22.9ms, max = 42.3ms, stddev = 19.5ms

*A:r2# ping 5.5.5.5
PING 5.5.5.5 56 data bytes
64 bytes from 5.5.5.5: icmp_seq=1 ttl=64 time=4.92ms.
64 bytes from 5.5.5.5: icmp_seq=2 ttl=64 time=3.06ms.
^C
ping aborted by user


---- 5.5.5.5 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.06ms, avg = 3.99ms, max = 4.92ms, stddev = 0.926ms

Next up is enabling LDP which is pretty straightforward. TTFN

Categories: ALU IGPs, SROS

Base Topology for Further Posts

I have been really busy trying to get stuff done in work so haven't had a chance to post anything, and any spare time goes on study or family, so it's time to rectify that.

This is the topology I will be using for most of the build I do here. If I need to add in other links or devices I will state that.

(Figure: Lab basic topology diagram)

Naming and numbering conventions:

- Routers are called rx, with r1-4 being SR1 chassis and r5 an SR7.
- System addresses are x.x.x.x
- Interfaces are 'torx', e.g. the link from r5 to r2 is tor2
- Point to point addressing follows xy.xy.xy.x/24 where x is the lower numerical rx and y is the higher numeric rx, e.g. the above mentioned link is 25.25.25.2 on r2

I have some testers dotted around the place and a few Ciscos/Junipers connected for various bits I’m doing. I will point out where they are if I end up including them in a post.

First up, OSPF

Categories: labbing, SROS

SROS Interface Configuration – 7750

January 29, 2013 7 comments

In this post I will focus on creating interfaces so it will be a short one because there isn’t much to write home about.

The first thing to know about SROS interfaces is that they are named and you bind a physical or logical port to them. The interface name is referenced in all protocols, so you need to make sure you get it right and have a clear convention, as deleting the interface will destroy the protocols' use of it. If you have an OSPF interface and you remove the router interface then OSPF will drop and your network may go a little crazy.

So how do we configure them? It's pretty straightforward and there is no need for the create keyword here. Good ol' ALU consistency.


*A:pe1# configure router interface "to_pe2"

And that’s the interface created. We then need to assign our IP address:


*A:pe1>config>router>if$ address 192.168.123.1/24

You can also run IPv6 over interfaces, which is enabled with the ipv6 command. You need to be in chassis mode C at a minimum and I can't change that right now... You can do pretty much anything standard: icmp6, DHCP, VRRP.

Then we need to bind this to a physical interface:


*A:pe1>config>router>if$ port 2/1/3:123

Next you might want to run BFD over the interface for very fast failure detection. The 7750 can be configured to support 10ms transmit intervals but it does require configuration relating to the processor. I have never tried it that low so I don't know what impact it will have on processing.


*A:pe1>config>router>if$ bfd 100 receive 100 multiplier 3

You can assign some CPM protection but I haven’t played with this either so I don’t know how it would benefit you. Something for another time when days allow more than 24 hours in them!

If you want to make the interface a loopback you obviously need to remove your port binding with the no port command.

If you wish to make it an unnumbered interface you simply configure it with unnumbered and specify an interface name or address you want to take the IP address from.

To configure a secondary address you simply apply secondary x.x.x.x/y.

Finally you can configure VRRP with all the standard bits and bobs that entails. Here is a little snippet that creates the interface as the owner, specifies the partner router as .3 and sets the priority to 200 so this interface will be the boss unless there is a problem. You can also tell the interface to reply to pings and traces regardless of its state as master or backup, which is a pretty cool feature. Finally you can set the delay VRRP takes before establishing, for situations where you have a link that may be bouncing.


*A:pe1>config>router>if$ vrrp 1 owner
*A:pe1>config>router>if>vrrp$ backup 192.168.123.3
*A:pe1>config>router>if>vrrp$ priority 200
*A:pe1>config>router>if>vrrp$ ping-reply
*A:pe1>config>router>if>vrrp$ traceroute-reply
*A:pe1>config>router>if>vrrp$ init-delay 10

There are some things you can do with BFD in a VRRP instance but that will have to wait for my Services posts as it's more relevant there. Anyway, today is day 1 of my CCIE SP study so I have to get down to business there.

Categories: SROS

SROS Ethernet Port Configuration – 7750

January 9, 2013 2 comments

In this post I will go over the basics of port configuration on the 7750, going into some detail on the Ethernet specific parameters you can fine tune. I will do this on XP type MDAs which have DDM (diagnostic ability) built into them. This allows you to see light levels and card temperatures and also sends traps into SAM so you can keep an eye on optics that may be failing or dirty, a nice feature. I don't really have access to SDH/SONET type cards but if I dig one out I might try and figure it out and post about it.

The first part of configuring your port will cover the usual basics. Depending on the card type you are using the default mode will be either network or hybrid. Basically, network port mode allows you to configure a routed interface, IGP and MPLS and is used to connect your SP routers together. You can't run services on these ports; for that you need an access port configuration, except if you have an IMM card (and no doubt others) which allows the configuration of a hybrid mode. This allows the configuration of core connections but also services.

To change a port configuration to any great extent you usually have to shut it down.  By default the port will already be shut but sure here is how you do it anyway and then go in to Ethernet sub-config mode:

*A:pe1# configure port 1/1/1
*A:pe1>config>port# shutdown
*A:pe1>config>port# ethernet
*A:pe1>config>port>ethernet#

Changing some of the Ethernet variables has a habit of defaulting ones you may have already set, so I like to configure ports in a specific sequence.

The mode determines how the port will function and also alters the MTU (default 9212 on network). As discussed, your three modes of operation are access, network (default) and hybrid, set using the mode command.

*A:pe1>config>port>ethernet# mode access|network|hybrid

Next I like to change the encapsulation which has three options as well: null, dot1q and qinq.

*A:pe1>config>port>ethernet# encap-type dot1q|null|qinq

Now is probably a good time to talk about tag behaviour in SROS/TiMOS. Unlike 'normal' VLAN behaviour the tag configuration doesn't put traffic into a specific VLAN as it would in a LAN set up. The behaviour is one of a matching criterion only, so if we consider we have an interface configured to match tag 100 within service 1234 and the port receives a frame with tag 100 (outer tag), how will traffic be processed? The tag is popped and the frame is put into service 1234:

- If the service is p2p the traffic is MPLS encapsulated (or GRE) and sent as native Ethernet across the core. At the far end PE traffic is de-encapsulated (MPLS) and the egress dot1q tag is pushed and the frame transmitted. If the service is local only then traffic is forwarded out the other local interface without MPLS forwarding.

- If the service is mp2mp the L2 destination address is inspected and a forwarding decision is made by the PE. The remainder of the forwarding behaviour remains the same.

Tagging types:

Like the name suggests, null encapsulation uses no tagging. You can only have one service or routed port per physical port. From a service perspective the benefit is transparency to the customer's tagging: regardless of whether the frame is tagged before it gets to your router, the traffic is accepted.

A port configured for dot1q ensures the router must match one tag, of course there are exceptions! In our example with tag 100, if the ingress frame has 100 applied as its outer tag then it is accepted into service 1234.  If it is any other integer then it will be dropped unless another matching tag/service is configured.  The exceptions here are if you configure a dot1q service SAP to expect untagged traffic or match a wildcard which I will cover when I get on to service configuration.

A port configured with dot1q-in-dot1q will expect services to be double tagged (again with exceptions). Both inner and outer tags are generally matched except where untagged or wildcards are used. The forwarding behaviour remains the same as above except there is now more granularity in how you can match traffic to services. This setup is useful for carrier's carrier type services where another provider is providing the attachment circuit to a remote location. The outer tag is used for service delimitation on the other carrier's network and the inner tag defines the service you are providing over their pipe.

MTU is the next variable I configure.  On the SROS routers the MTU will default to 9212 on a network port but not on an access port (that could be release dependent, I don’t know).  To change the layer 2 MTU use the mtu # command.

*A:pe1>config>port>ethernet# mtu 9212

If you need to change the speed or duplex settings on a port this is done in the Ethernet context too. You use the speed 10|100|1000 and duplex full|half commands.  I won’t spend any more time on these.

That’s it for standard configurations, now on to more case specific ones.

Auto negotiation isn't anything new but there is a little feature in SROS called limited negotiation. What this does is not participate in actual link negotiation, but it does transmit a form of keepalive across the link which enables faster link failure detection. It is enabled using the following:

*A:pe1>config>port>ethernet# autonegotiation limited

Down When Looped

Another nice feature is called down when looped. This transmits an untagged frame with the source/destination address of the router MAC address and an ethertype of 0x9000. The downside here is that the untagged nature of the frame means you can't use this feature where you use a third-party attachment circuit, as they will be expecting tagged traffic and your frame will be dropped.

(Figure: packet capture of the 0x9000 frame)

If the PE detects its own address in a frame of this type it knows there is a loop in the path and disables the port. This feature is hugely important for VPLS builds, as a loop on an attachment circuit can bring down every VPLS with an interface on that port. DWL is enabled by entering its context and performing a no shutdown.

*A:pe1>config>port>ethernet# down-when-looped
*A:pe1>conf>port>ethernet>dwl# no shutdown

The output of this is verified in the show port command:


show port 1/1/1 | match post-lines 2 Down-whe
Down-when-looped : Enabled Keep-alive : 10
Loop Detected : False Retry : 120
Use Broadcast Addr : False

As we can see down when looped is enabled and loop detection is false. If a loop was detected this state would change to ‘True’.

Variables we can configure include the keep-alive # option, which defines the interval in seconds between transmissions of the DWL PDUs. retry-timeout # allows you to set the time in seconds between a port being disabled due to loop detection and the system trying to recover the port; this is similar to err-disable recovery in IOS. Finally you can have the system use the broadcast address as the destination address, enabled through use-broadcast-address.
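As an added illustration of the loop-detection logic described above (this is my model, not code from the post or from SROS), here is a Python sketch that builds the untagged 0x9000 PDU, detects the router's own MAC coming back on the port, disables the port and recovers it after retry-timeout. The keep-alive and retry values are the ones in the show port output; the PDU payload is constructed filler, since the post does not describe its contents.

```python
import struct
from dataclasses import dataclass, field

DWL_ETHERTYPE = 0x9000
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def build_dwl_pdu(router_mac: bytes, use_broadcast: bool = False) -> bytes:
    """Untagged frame: destination and source are the router MAC (or the
    destination is broadcast with use-broadcast-address), ethertype 0x9000."""
    dst = BROADCAST_MAC if use_broadcast else router_mac
    # Constructed zero padding up to a minimum-size frame; the real PDU payload
    # is not described in the post and does not matter for loop detection.
    return dst + router_mac + struct.pack("!H", DWL_ETHERTYPE) + b"\x00" * 46


@dataclass
class DwlPort:
    router_mac: bytes
    keep_alive: int = 10        # seconds between PDUs (value from the show port output)
    retry_timeout: int = 120    # seconds before trying to recover the port
    admin_up: bool = True
    loop_detected: bool = False
    recover_at: int = -1
    events: list = field(default_factory=list)

    def receive(self, frame: bytes, now: int) -> bool:
        """Inspect an ingress frame; True if it reveals a loop (port is disabled)."""
        if len(frame) < 14:
            return False
        dst, src = frame[:6], frame[6:12]
        etype = struct.unpack("!H", frame[12:14])[0]
        # A tagged frame (0x8100 outer tag) is not a DWL PDU. This is also why the
        # feature cannot cross a third-party circuit that expects tagged traffic.
        if etype != DWL_ETHERTYPE or dst not in (self.router_mac, BROADCAST_MAC):
            return False
        if src == self.router_mac:
            # Our own PDU came back on the attachment circuit: loop.
            self.loop_detected = True
            self.admin_up = False
            self.recover_at = now + self.retry_timeout
            self.events.append((now, "loop detected, port disabled"))
            return True
        return False

    def tick(self, now: int) -> None:
        """Re-enable the port once retry-timeout has elapsed (cf. err-disable recovery)."""
        if not self.admin_up and 0 <= self.recover_at <= now:
            self.admin_up = True
            self.loop_detected = False
            self.recover_at = -1
            self.events.append((now, "retry timeout elapsed, port re-enabled"))
```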

Ethertypes:

You can alter the default ethertypes used by dot1q, q-in-q and PBB if you wish. Defaults for the first two are 0x8100 and provider backbone bridging uses 0x88e7.


show port 1/1/1 | match post-lines 1 8100
Dot1Q Ethertype : 0x8100 QinQ Ethertype : 0x8100
PBB Ethertype : 0x88e7

Changing these values is done using one of the following:


*A:pe1>config>port>ethernet# dot1q-etype 0x0600..0xffff
*A:pe1>config>port>ethernet# qinq-etype 0x0600..0xffff
*A:pe1>config>port>ethernet# pbb-etype 0x0600..0xffff

Miscellaneous:

There are some other variables which you can set that I won't go into, but you can also enable dot1x, lldp (standardised equivalent to CDP) and various management protocols such as EFM, CFM and ELMI.

A final note on DDM, mentioned above. This displays port specific parameters on the XP or IMM cards. The output below shows you the temperature of the port, the power readout and, most importantly from an operational perspective, the transmit and receive power levels of the optics. The thresholds are used to trigger alerts to your SAM NMS.


show port 1/1/6 | match post-lines 10 Digital
Transceiver Digital Diagnostic Monitoring (DDM), Internally Calibrated
===============================================================================
                              Value   High Alarm   High Warn    Low Warn   Low Alarm
-------------------------------------------------------------------------------
Temperature (C)               +33.9        +98.0       +88.0       -43.0       -45.0
Supply Voltage (V)             3.29         4.12        3.60        3.00        2.80
Tx Bias Current (mA)            6.3         60.0        50.0         0.1         0.0
Tx Output Power (dBm)         -5.65         0.00       -2.00      -10.50      -12.50
Rx Optical Power (avg dBm)    -6.43        -3.00       -4.00      -19.51      -20.51
===============================================================================
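The DDM thresholds are what SAM alerts on, so here is an added example (mine, not from the post) that parses the rows of that output and classifies each metric against its High/Low Alarm and Warn thresholds, which is the check you would run from a poller to catch a dirty or failing optic. The sample text is a constructed copy of the values shown above.

```python
import re

# Constructed copy of the DDM rows from the show port output above.
SAMPLE_DDM = """\
Temperature (C) +33.9 +98.0 +88.0 -43.0 -45.0
Supply Voltage (V) 3.29 4.12 3.60 3.00 2.80
Tx Bias Current (mA) 6.3 60.0 50.0 0.1 0.0
Tx Output Power (dBm) -5.65 0.00 -2.00 -10.50 -12.50
Rx Optical Power (avg dBm) -6.43 -3.00 -4.00 -19.51 -20.51
"""

NUM = r"[-+]?\d+(?:\.\d+)?"
# Metric name ends at the unit in parentheses, then five numeric columns:
# value, high alarm, high warn, low warn, low alarm.
DDM_LINE = re.compile(
    rf"^(?P<name>.+?\))\s+(?P<value>{NUM})\s+(?P<ha>{NUM})\s+"
    rf"(?P<hw>{NUM})\s+(?P<lw>{NUM})\s+(?P<la>{NUM})\s*$"
)


def parse_ddm(output: str) -> dict:
    """Map each DDM metric name to its value and the four thresholds."""
    rows = {}
    for line in output.splitlines():
        m = DDM_LINE.match(line.strip())
        if m:
            rows[m["name"]] = {k: float(m[k]) for k in ("value", "ha", "hw", "lw", "la")}
    return rows


def classify(row: dict) -> str:
    """Alarms are checked before warnings so a value past both reports the alarm."""
    if row["value"] >= row["ha"]:
        return "high-alarm"
    if row["value"] >= row["hw"]:
        return "high-warn"
    if row["value"] <= row["la"]:
        return "low-alarm"
    if row["value"] <= row["lw"]:
        return "low-warn"
    return "ok"


def ddm_status(output: str) -> dict:
    return {name: classify(row) for name, row in parse_ddm(output).items()}


def degraded(output: str) -> list:
    """Metrics that would raise a trap, e.g. a dirty or failing optic."""
    return [name for name, state in ddm_status(output).items() if state != "ok"]
```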

That’s all for this post, good to get the basics (boring bits) out of the way 🙂

Categories: Uncategorized

Unachievable Targets for the Coming Year…

December 31, 2012 Leave a comment

Tis the season to write stuff down on what I hope to achieve over the coming year so that I might laugh at my abject failures in 12 months time.

My primary goal is one of self improvement.  This coming week marks the return of bi weekly squash and I need to be out on my bike cos I’m waaaayyy too fat again.  Regardless of if it’s cold/wet/windy.

Ridiculous one:

1) See Liverpool win the league.  No chance, but some hope all the same.

Professional goals:

2) Complete the NRS2 lab, this one should be achievable.  The issue here is one of cost. $750 worth of cost for a professional level cert!  Plus flights to Brussels and accommodation.  This is where my (lack of) negotiation skills come in to play with work.

3) Complete the SRA lab which includes sitting 5 more written exams.  This one is optional for me depending on completion of the writtens to become eligible.  I have it on good authority I can be at the level required for the lab in a couple of months of consistent practice.

4) Make a decision on whether I continue with my ‘dream’ of the CCIE RS or switch to the SP track, which I prefer.  This will be down to INE in part if they are willing to compromise on what I have already paid for.

5) Do a couple of CCNA levels certs, primarily the SP if INE release some vids as rumoured. As a hater of voice getting that CCNA done would be nice so I have some experience of it.

6) If time allows do the CCNP SP.

Are any of these achievable ?  Only time will tell.

TTFN.

Categories: Uncategorized

SROS System Admin and Security

December 27, 2012 3 comments

This post will cover the basics of system configuration along with some security such as adding user names but also more advanced features including control plane filters.

First a few commands to get around the config files:

Context Navigation and Hierarchy:

exit drops you back to your previous level of the hierarchy,  exit all brings you back to root and back moves you back up one level of the hierarchy.

To enter config mode you simply type configuration (unambiguous commands are self completing).

Typing info will show you configured commands within your present working context, which itself can be viewed with pwc.  Using info detail will show all commands in the pwc including defaults, a very useful one!

As mentioned in my previous post, / allows you to run a command that would otherwise not be available in your current context.

tree will show you a tree structure of all available commands within your context.

Matching:

The availability of pipe commands is very useful in many OSes, SROS being no different. You can pipe any show, info or tree command to include or exclude variables, but you can't concatenate multiple matches into one string:

info | match address will display any lines with 'address' in them.

info | match match-not address will display all lines excluding ones with 'address' in them.

info | match pre-lines 10 address will show you the 10 lines of config prior to a line with address in it.

info | match post-lines 10 address will show you the subsequent 10 lines of config if 'address' is matched.

Both the pre and post line match commands are very useful for locating config lines in large files.  I frequently see files with over 10,000 lines of config, a downside of the granularity of SROS.

You match a string with spaces by using speech marks:

info | match "address 10" will show you anything with address 10 in the line, such as all network 10 addresses configured.

Who-am-I?

Configuring systems for human identification is crucial in an operational environment for obvious reasons. Here we look at configuring the system name, location information, banners and NTP.


A:7750# configure system name "pe1"
*A:pe1# configure system
*A:pe1>config>system# location "In a rack somewhere"
*A:pe1>config>system# contact "NOC @ 1234567890"
*A:pe1>config>system# login-control
*A:pe1>config>system>login-control# motd text "This is my router"
*A:pe1>config>system>login-control# pre-login-message "Unauthorized access prohibited"
*A:pe1>config>system>login-control# back
*A:pe1>config>system# time ntp
*A:pe1>config>system>time>ntp# server 10.11.12.13 version 3 prefer
*A:pe1>config>system>time>ntp# no shutdown
*A:pe1>config>system>time>ntp# back
*A:pe1>config>system>time# zone [timezone]

Access Security:

I'm not a security person by any means but it is always something we need to be conscious of. At a minimum we should be setting local authentication on a device. To set up secure access we first set the authentication order, then configure a local user:


*A:pe1>config>system# security
*A:pe1>config>system>security# password authentication-order tacplus local exit-on-reject

This is pretty straightforward: it tells the router to use TACACS+ followed by local auth. Should authentication be rejected, exit back to the login prompt rather than falling through to the next method.

To configure a local user:


*A:pe1>config>system>security# user "myname"
*A:pe1>config>system>security>user# password "mylocalpwd"
*A:pe1>config>system>security>user# access console
*A:pe1>config>system>security>user# console
*A:pe1>config>system>security>user>console# member "administrative"
*A:pe1>config>system>security>user>console# member "default"

To configure tacacs+ return to the system security context:

*A:pe1>config>system>security# tacplus
*A:pe1>config>system>security>tacplus# accounting
*A:pe1>config>system>security>tacplus# authorization
*A:pe1>config>system>security>tacplus# server 1 address 10.12.13.14 secret "mysecretfor1"
*A:pe1>config>system>security>tacplus# server 2 address 10.12.13.15 secret "mysecretfor2"

You can configure stuff for the SAM5620 manager but I won't go into it as I don't have a test SAM server.

CPM Filters

CPM filters are what protect your processor and its protocols from being compromised, for example by only accepting OSPF neighbours from a specific subnet. These are not available on the SR1. Extreme care should be taken, as no-shutting the filters before you have permitted your own access method can disconnect you from the chassis, and without out-of-band access there is no remote way to fix it. In this section we will configure basic SSH access control and OSPF.

SSH:


*A:pe1>config>sys>security# cpm-filter
*A:pe1>config>sys>security>cpm-filter# ip-filter
*A:pe1>config>sys>sec>cpm-filter>ip-filter# entry 10 create
*A:pe1>cfg>sys>sec>cpm>ip-filter>entry# action accept [drop|queue]
*A:pe1>cfg>sys>sec>cpm>ip-filter>entry# match protocol tcp dst-port 22 65535
*A:pe1>cfg>sys>sec>cpm>ip-filter>entry# match src-ip 10.12.13.0/24

OSPF:


*A:pe1>config>sys>security# cpm-filter
*A:pe1>config>sys>security>cpm-filter# ip-filter
*A:pe1>config>sys>sec>cpm-filter>ip-filter# entry 10 create
*A:pe1>cfg>sys>sec>cpm>ip-filter>entry# action accept [drop|queue]
*A:pe1>cfg>sys>sec>cpm>ip-filter>entry# match protocol ospf-igp src-ip 10.12.13.0/24

You should configure all your protocols to be permitted where required and only no shut the CPM filters when you have permitted your own access, e.g. an SSH filter permitting a source subnet you are on. I will post something on CPM protection when I dabble in it; it's on my list of 'to investigate'.
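The lock-yourself-out warning above is the kind of thing worth checking mechanically before a no shutdown, so here is an added example (mine, not from the post or SROS) that models the two entries above, evaluates them in entry-id order with the dst-port port/mask semantics of 'dst-port 22 65535', and reports whether the session you are on would still be accepted. The filter's default action when no entry matches is a parameter of this model; I assume drop here, which is the conservative case rather than a claim about the SROS default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class CpmEntry:
    entry_id: int
    action: str                      # accept | drop
    protocol: Optional[str] = None   # e.g. tcp, ospf-igp
    src_ip: Optional[str] = None     # prefix, e.g. 10.12.13.0/24
    dst_port: Optional[int] = None
    dst_port_mask: int = 0xFFFF      # 'dst-port 22 65535': port 22, exact match

    def matches(self, proto: str, src: str, port: Optional[int]) -> bool:
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.src_ip is not None and ip_address(src) not in ip_network(self.src_ip):
            return False
        if self.dst_port is not None:
            if port is None:
                return False
            # Mask semantics: only the masked bits of the port must agree.
            if (port & self.dst_port_mask) != (self.dst_port & self.dst_port_mask):
                return False
        return True


def cpm_action(entries: List[CpmEntry], proto: str, src: str,
               port: Optional[int] = None, default_action: str = "drop") -> str:
    """First matching entry (lowest id) wins; otherwise the filter's default action
    applies. 'drop' as the default is an assumption of this model, not an SROS fact."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.matches(proto, src, port):
            return entry.action
    return default_action


def lockout_risk(entries: List[CpmEntry], my_src: str, proto: str = "tcp",
                 port: int = 22, default_action: str = "drop") -> Optional[str]:
    """Warn before no-shutdown if the filter would not accept my own management session."""
    if cpm_action(entries, proto, my_src, port, default_action) != "accept":
        return (f"no entry accepts {proto}/{port} from {my_src}; "
                "permit your own access before enabling this filter")
    return None


# The two entries from the post, as data (constructed from the CLI lines above).
SSH_ENTRY = CpmEntry(10, "accept", "tcp", "10.12.13.0/24", 22, 65535)
OSPF_ENTRY = CpmEntry(20, "accept", "ospf-igp", "10.12.13.0/24")
```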

The last thing I want to mention under the configure system banner is the chassis mode. This controls service resources including FIB sizes and can be A, B, C or D. The SR1 supports mode A only, which is somewhat limited. Mode B allows 128k MAC FIB entries and the same number of IPv4 ARP entries. Mode C must be enabled to allow for IPv6, but chassis mode D is the most scalable: mode D can support up to 500k MAC entries and an equivalent number of ARP entries. The chassis mode you run can only be as good as the line cards you have installed. If you have IOMv1 or v2 then you cannot run mode D regardless of the number of higher spec cards. If you have IOMv3/IMM only then you can run mode D. Upgrading a chassis mode does not impact service traffic but downgrading, say from C to B, requires a reboot. It is enabled using configure system chassis-mode [a|b|c|d].

That’s it for this post, the next ones will relate to actual network build.  I will do up a Visio with the topology and start at bringing the physical network up.

Categories: NRS2 Lab, SROS

SROS System Basics

December 24, 2012 Leave a comment

Service Router OS is the operating system that runs on Alcatel-Lucent 7×50 and 7210 routers and switches.  It’s a pretty handy OS and I just love it in the same way Kevin Keegan would love it if we beat them.  It is well structured and very flexible and, once you get used to it, it kicks the pants off other vendors I have used, in my opinion.

There is a distinct lack of information that I have found on the Internet for configuring these boxes, especially considering the 7750 is apparently number 1 or 2 in the PE market in Europe.  In this post I will cover some basic system configurations to get you going.

I will be using SR1 and SR7 routers for config throughout these posts although there are other models available, e.g. SR12.  The SR1 has a single processor and line card with two daughter card slots (MDA) whereas the SR7/12 have dual processors and five and ten line card slots respectively.

In this post I will be using an SR7, its processor slots are named A and B and the line cards are numbered 1-5.  The active processor is indicated by either A: or B: at the CLI prompt. Each daughter slot is labelled x/1 or x/2, e.g. slot 2 sub-slot 2 is MDA 2/2.

Each processor (SF/CPM) holds a male DB9 console connector (with DCE/DTE toggle switch), RJ45 Ethernet management port and three compact flash slots.  The SROS image is stored in cf3 and cf1/2 can be used to store log files etc.

In order to boot the chassis we need to configure the Boot Options File (bof) to locate the image and config files.

To configure the image and config locations point the bof at the directory/file locations.  The A: indicates we are on the processor slot A:


*A:7750# bof
*A:7750>bof# primary-image cf3:\TiMOS-9.0.R11
*A:7750>bof# primary-config cf3:/myconfig.cfg

We then need to set the console speed.  SROS defaults to 115200 so let’s change it to 9600 because everybody loves that one:


*A:7750>bof# console-speed 9600

It’s also a good idea to enable persistent indexing between reboots, especially if you use SAM5620 to manage the devices (a reload is required for it to take effect):


*A:7750>bof# persist on

Finally, you may want to use the RJ45 port if you don't have an async device available. It doesn't register in the Global Routing Table so any configuration here won't impact on the operation of the router. Let's set the speed, duplex and an address:


*A:7750>bof# address 1.2.3.4/24 active
*A:7750>bof# speed 10|100
*A:7750>bof# duplex full|half

And that’s pretty much it for the bof; just don’t forget to save your work. If you are in the bof context then it is simply save. If you are in any other context you can use /bof save, where the leading / allows the subsequent command to be run from any context.  This also applies to config and admin level commands.

Finally, a word on saving in general.  If the card identifier in the prompt has a * against it then the configuration has not been saved since the last change.  You save the ‘running config’ by issuing admin save; again the / allows the command to be run outside its usual context.  If the * doesn’t disappear after either an admin save or a bof save then you will have to issue the other save command. From the config context I will save both the running and bof configs; notice the * disappears:

*A:7750# configure
*A:7750>config# /admin save
Writing configuration to cf3:\myconfig.cfg
Saving configuration ... OK
Completed.
*A:7750>config# /bof save
Writing BOF to cf3:/bof.cfg ... OK
Completed.
A:7750>config#
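Applying the prompt conventions just described to a captured session, here is an added Python helper (my own, not from the post or Alcatel-Lucent): it parses the *, A:/B: and context markers out of each prompt, records which save commands were issued, and reports whether the session ended with unsaved changes. The regex and function names are my assumptions; the embedded transcript is the one from this post.

```python
import re
from typing import NamedTuple, Optional
# SROS prompt: optional "*" (unsaved changes), active CPM "A"/"B", system name,
# ">"-separated context path, "#" ("$" on first entry to a context), then any
# command typed.  Regex and helper names are mine, not from the post.
PROMPT_RE = re.compile(r"^(?P<star>\*?)(?P<cpm>[AB]):(?P<name>[^>#$\s]+)"
                       r"(?P<ctx>(?:>[^>#$\s]+)*)[#$](?:\s+(?P<cmd>.*?))?\s*$")

class Prompt(NamedTuple):
    unsaved: bool    # "*" present: config changed since the last save
    cpm: str         # active processor slot, "A" or "B"
    context: tuple   # e.g. ("config", "router", "ospf")
    command: str     # text typed at the prompt, "" if none

def parse_prompt(line: str) -> Optional[Prompt]:
    """Parse one transcript line; return None for command output lines."""
    m = PROMPT_RE.match(line)
    if not m:
        return None
    return Prompt(m.group("star") == "*", m.group("cpm"),
                  tuple(m.group("ctx").split(">")[1:]), m.group("cmd") or "")

def save_kind(p: Prompt) -> Optional[str]:
    """Return "admin" or "bof" if the typed command is a save: "/admin save" or
    "/bof save" from any context, or a bare "save" inside admin or bof."""
    words = p.command.lstrip("/").split()
    if words in (["admin", "save"], ["bof", "save"]):
        return words[0]
    if words == ["save"] and p.context and p.context[-1] in ("admin", "bof"):
        return p.context[-1]
    return None

def audit_session(lines):
    """Return (save kinds issued, True if the final prompt still shows "*")."""
    prompts = [p for p in map(parse_prompt, lines) if p is not None]
    saves = {k for k in map(save_kind, prompts) if k}
    return saves, bool(prompts) and prompts[-1].unsaved

# Constructed sample: the save sequence captured in this post.
SAMPLE = """\
*A:7750# configure
*A:7750>config# /admin save
Writing configuration to cf3:\\myconfig.cfg
Saving configuration ... OK
Completed.
*A:7750>config# /bof save
Writing BOF to cf3:/bof.cfg ... OK
Completed.
A:7750>config#""".splitlines()
```

Feeding a whole terminal log to audit_session() is a quick way to spot operators who disconnected with the * still showing.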

So that’s it for my first post on this ALU craic.  I plan to build up a network from here on starting at the physical basics all the way up to advanced service configuration.

Happy Christmas.

Categories: labbing, SROS

Upgrading IOS to IOS-XR

I have a 12008 GSR from the early 2000s I want to upgrade to IOS-XR, cheap and cheerful.

I need to write down bits and bobs about it as I don’t use them much…

show diag

sho context

upgrade mbus

upgrade fabric

Here is the process i need to use…

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/upgrade/guide/up32dual.html#wp1105703

EDIT 29/04/13

OK, so this box has been nothing but hassle, but it stays up long enough for me to forget what I need to do to restore it.

So the bootflash got erased somehow: a major crash on both RPs. I think it was a faulty LC, but whatever.  Also, I was going through a wall socket to get to the console port, and while that works for EVERYTHING, this process didn’t like it; nothing to do with distance I don’t think, as it’s just a couple of meters.

So to change the bootup:

unset BOOT
BOOTLDR=bootflash:bootimage
TURBOBOOT=on,disk0 (the process says TURBOBOOT=on, disk0 but there is no space)
sync
reset

Now you’re ready to boot the mini vm image:

boot tftp c12k-mini.vm-4.3.0 10.10.10.1

Once that is complete, and it does take an age, you can go ahead and upgrade the standby RP.  This follows a similar process with one difference: you need to unset the TURBOBOOT variable:

BOOTLDR=bootflash:bootimage
unset TURBOBOOT
sync
reset

Next you need to tftp (or ftp) the standby image on:

boot tftp mbiprp-rp.vm-4.3.0 10.10.10.1

Watch out for inconsistencies with the Cisco process and the file naming convention, e.g. missing -vm. in some commands.

Again the standby RP will go through a major sync process, which takes about 30 minutes.

OK, so now both cards will be ready for IOX.  You need to install some pies for MPLS and multicast functionality (or video if you want; I don’t).

Make sure you have these on your tftp server; they come with the tar anyway.  Go into admin mode and add them:

admin
install add tftp:/10.10.10.1/c12k-mcast.pie-4.3.0
install add tftp:/10.10.10.1/c12k-mpls.pie-4.3.0

I think you can daisy-chain these pies in one command, but I didn’t try that and I sure as hell don’t want to for the sake of my sanity.

Want to see how progress is moving?  Of course you do: show install request

Once the packages have been added we need to activate them; again I think you can daisy-chain, but I didn’t:

install act disk0:c12k-mpls-p-4.3.0
install act disk0:c12k-mcast-p-4.3.0

Finally once we get the all clear message we need to commit the packages: install commit

Now try it out, how about this, YEEEEEEAHHHHHHHHHHH

RP/0/0/CPU0:XR1#conf t
Mon Apr 29 14:45:27.971 UTC
RP/0/0/CPU0:XR1(config)#mpls ldp
RP/0/0/CPU0:XR1(config-ldp)#?
  backoff               Configure session backoff parameters
  clear                 Clear the uncommitted configuration
  commit                Commit the configuration changes to running
  default-route         Enable MPLS forwarding for default route
  describe              Describe a command without taking real actions
  discovery             Configure discovery parameters

I really hope I don’t have to read this again, not pleasant…

—————————————————————————————

SDR configuration (I’m doing INE so have the same card layout):

admin
conf t
sdr XR2

 location 0/3/*
 location 0/4/*
 location 0/7/*
commit

Authentication on the non-owner SDR:
On the owner SDR: aaa authen login remote local
On the non-owner SDR, log in over the console with uid admin@admin and the password from the owner SDR, then:
conf t
username blah
secret blahblah
group root-lr
commit

I’m writing this from memory pretty much so there are no doubt mistakes. For the love of jaysus be careful with it, it looks straightforward but your GSR (if it’s like mine) is old and can’t take much more of a beating.

Categories: CCIE SP

Notes IOS-XR Overview INE

admin enters admin mode
conf t enters admin config mode
group root-system allows users into the admin group
group root-lr (logical router)
$uid@admin to enter admin from an LR

CSC controls packet routing
SFC controls switch fabric/backplane
state of both of the above should be powered
PRP state should be ios-xr run (bringdown is normal for the standby card)

show diag [summary]
show platform

admin
conf t
sdr <name>
location #/#/* to allocate cards to the LR, e.g. 0/1/*

show install active shows active packages
sho install inactive shows packages not active
install activate
install commit to fully commit a package to the chassis.

sho config fail
sho commit
sho run (active config)
sho config (pre-commit config)
sho config commit list (diff changes)
    changes [since]
    label <name>
rollback configuration last 1 (undoes the last committed change)
commit confirmed # (sets a time by which the commit must be confirmed, otherwise it is aborted)
sho run | utility egrep <regex>

Categories: Uncategorized