Channel: ipnetworking.net

Being a Cisco Subject Matter Expert


Installing Linux Mint on a mac mini


Typing this post from a freshly installed desktop running Linux Mint on a Mac mini from late 2007.

Yesterday I spent some time installing Linux Mint on a Mac mini, as it was not working well anymore with OS X 10.5 (slow, old Safari, broken DVD writer etc.), so it was time to give it a new desktop OS.

The Mac mini is an Intel Core 2 dual-core machine and should support 64-bit Linux images, but after some testing I noticed the following message when using 64-bit boot CDs, after which the machine completely froze up:

Select CD-Rom Boot Type:

After some better googling and further testing:

  • A USB EFI boot disk is not going to work on this prehistoric Mac (running OS X 10.5); an iMac from 2010 verified that it was a proper boot disk.
  • 64-bit boot CD images from Linux Mint are not working.
  • 64-bit boot CD images from Ubuntu (labeled x64+mac) are working.
  • The 32-bit Linux Mint CD is working great!

The Mac mini is working fine and pretty fast again! No need to buy a new Mac mini or desktop system.

 

Juniper bridging, vlan mapping and irb


These are my notes for chapter two of the Juniper MX Series book.

There are two styles of configuration when it comes to bridging and VLAN mappings:

  • Enterprise style
  • Service Provider style

The enterprise style is easier to configure but less flexible; the SP style requires more configuration but offers more flexibility.

  • IFD (Interface Device) = physical interface
  • IFL (Interface Logical) = sub-interface (unit config)
  • IFF (Interface Family) = protocol
  • IFA (Interface Address) = inet or inet6 address

Trunking options

The configuration of a trunk is done on the IFD. There are a few types of configuration when it comes to a trunk:

set vlan-tagging // configures 802.1Q
set stacked-vlan-tagging // configures Q-in-Q
set flexible-vlan-tagging // configures the combination of 802.1Q and Q-in-Q

It is recommended to use flexible-vlan-tagging in SP environments.

Encapsulation options

encapsulation ethernet-bridge // normal access port, untagged VLAN; every IFL needs to be added to a bridge-domain
encapsulation extended-vlan-bridge // can only be applied to the IFD; automatically adds the IFLs to the bridge-domain
encapsulation flexible-ethernet-services // allows each IFL to use a different encapsulation, like vlan-bridge or vlan-vpls

Bridge Domain options

There are multiple options to limit MAC addresses:

  • Globally
  • Per bridge-domain
  • Per interface

Globally:

protocols {
 l2-learning {
  global-mac-limit {
   100;
  }
 }
}

Per bridge-domain:

[edit bridge-domains bla]
bridge-options {
    mac-table-size {
        4000;
        packet-action drop;
    }
}

Per interface:

[edit bridge-domains bla bridge-options]
interface xe-2/1/1.100 {
    interface-mac-limit {
        4000;
    }
}

Take notice of the configuration hierarchy: the per-interface limit is configured under bridge-options of the bridge domain (interface is a child of bridge-options), not at the bridge-domain level where the interface is attached. Limiting learned MAC addresses per interface is also what keeps one customer port from flooding the MAC table of the whole bridge domain.

Configuring IRB

set interfaces ge-1/0/0 unit 0 family bridge interface-mode access
set interfaces ge-1/0/0 unit 0 family bridge vlan-id 100
set bridge-domains vlan_100 vlan-id 100
set bridge-domains vlan_100 routing-interface irb.0
set interfaces irb unit 0 family inet address 100.100.100.100/24

 

Configuring Brocade VDX for FreeRADIUS authentication


This post shows the FreeRADIUS server configuration and the Brocade VDX 6740 configuration in distributed fabric mode (VCS).

FreeRADIUS configuration

Add the Brocade VDX RADIUS clients to the following file:

/etc/freeradius/clients.conf

client vdx-1 {
        ipaddr = <ip>
        secret = <mysecretpass>
}

client vdx-2 {
        ipaddr = <ip>
        secret = <mysecretpass>
}

This example is for a fabric with two Brocade VDX 6740 switches. If you have more than two units in the fabric, add more clients to this section. The <ip> part should match the mgmt0 interface IP address of the individual unit in the fabric, not the VCS virtual IP. FreeRADIUS ignores requests from addresses that are not listed here, so this list is also your first access control. Use a long random shared secret, ideally a different one per client: the secret is the only thing that protects the user's password in transit and authenticates the server's replies.

The Brocade VDX requires additional radius attributes in the authentication section. Below is the configuration of a user in the file:

/etc/freeradius/users

user1  Auth-Type = pam    
       Service-Type = NAS-Prompt-User, 
       Cisco-AVPair = "shell:priv-lvl=15", 
       APC-Service-Type = admin,
       Brocade-Auth-Role = "admin"

Of these attributes, Brocade-Auth-Role is the one the VDX requires; it maps the user to a role on the switch (admin here). The Cisco-AVPair and APC-Service-Type attributes are there for other equipment that authenticates against the same user entry. Your authentication method/setup may be different.

The final step on the server side is the Brocade dictionary, so FreeRADIUS knows the vendor-specific attribute used in the users file (it refuses to start on an unknown attribute). If your installation does not already ship one, create the following file and make sure the main /etc/freeradius/dictionary file includes it:

/etc/freeradius/dictionary.brocade, with this content:

# dictionary.brocade
#
VENDOR Brocade 1588
#
# attributes
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade

Reload the freeradius service after this edit.

Brocade VDX configuration

Add the FreeRADIUS server to the VDX configuration. protocol pap selects PAP, so the user's password travels in the Access-Request protected only by the RFC 2865 password hiding keyed with the shared secret; encryption-level 7 controls how the key is stored in the running configuration (obfuscated instead of cleartext) and changes nothing on the wire:

radius-server host <freeradius ip>
 protocol pap
 key <mysecretpass>
 encryption-level 7

Add the authentication method. Here RADIUS is the primary source and local authentication is the fallback; with local-auth-fallback the local user database is only consulted when no RADIUS server responds, so a reject from RADIUS is still a reject.

aaa authentication login radius local-auth-fallback

Test a login; the RASLog should show output similar to this:

vdx-2# show logging raslog reverse count 2
Rbridge-id: 2
NOS: 4.1.3a
2016/01/01-18:16:24, [SEC-1203], 2071,, INFO, <vdx-1>, Login information: Login successful via TELNET/SSH/RSH. IP Addr: 192.168.254.6.
2016/01/01-18:16:24, [SEC-1307], 2070,, INFO, <vdx-1>, RADIUS server 192.168.254.2 authenticated user account 'user1'.
vdx-2#

This confirms you have a working Brocade VDX with FreeRADIUS authentication.
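The configuration above sends PAP over RADIUS, so it is worth being precise about what the shared secret protects. RFC 2865 hides the User-Password attribute by XORing it with MD5(secret + Request Authenticator) and authenticates the server's reply with an MD5 over the response and the secret; neither is encryption, and a captured Access-Request/Access-Accept pair lets an eavesdropper test guesses at the secret offline and then unhide the password. The Python below, an added example that is not part of the original post or of FreeRADIUS, implements both calculations from the RFC and runs that attack against a constructed exchange; the user name user1 and the Service-Type come from the post, the secret mysecretpass mirrors the placeholder above, and the password and wordlist are made up.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
NAS_PROMPT_USER = (7).to_bytes(4, "big")     # Service-Type value used in the users file


def pap_hide(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding: NUL-pad the password to a
    multiple of 16 bytes, XOR each block with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator.  Not encryption."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP passwords are 1..128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide: the shared secret plus a capture of the
    Access-Request gives the cleartext password back."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: one byte type, one byte total length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(packet):
    """Walk the TLVs after the 20-byte header; returns [(type, value), ...]."""
    length = int.from_bytes(packet[2:4], "big")
    pos, out = 20, []
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out


def build_request(ident, request_auth, attrs):
    """Access-Request: code, identifier, length, random authenticator, attributes."""
    body = encode_attrs(attrs)
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server reply; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(response, request_auth, secret):
    """What the NAS does to trust the reply, and what an eavesdropper does to
    test one guess at the secret against a captured request/response pair."""
    length = int.from_bytes(response[2:4], "big")
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(response, request_auth, candidates):
    """Offline dictionary attack on the shared secret; None if nothing matches."""
    for cand in candidates:
        if verify_response(response, request_auth, cand):
            return cand
    return None


def demo(secret=b"mysecretpass", password=b"user1-password"):
    """Constructed exchange: user1 authenticates with PAP, the server answers
    Access-Accept with Service-Type = NAS-Prompt-User, and a passive observer
    who captured both packets runs a short wordlist against the secret and
    then unhides the password.  Returns (recovered_secret, recovered_password)."""
    request_auth = os.urandom(16)
    request = build_request(0x2A, request_auth,
                            [(USER_NAME, b"user1"),
                             (USER_PASSWORD, pap_hide(password, secret, request_auth))])
    accept = build_response(ACCESS_ACCEPT, 0x2A, request_auth,
                            [(SERVICE_TYPE, NAS_PROMPT_USER)], secret)
    wordlist = [b"radius", b"testing123", b"mysecretpass"]      # constructed wordlist
    found = guess_secret(accept, request_auth, wordlist)
    if found is None:
        return None, None
    hidden = dict(decode_attrs(request))[USER_PASSWORD]
    return found, pap_reveal(hidden, found, request_auth)


if __name__ == "__main__":
    print(demo())
```

The point of the dictionary step is that the Response Authenticator is an offline oracle for the secret: every guess costs one MD5, so a short or shared secret is recovered quickly from a single capture, after which every PAP password that client ever sent is readable. Long random per-client secrets and a RADIUS path that stays on the management network are what make the configuration above acceptable.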

Getting started with the JNCIP-SP exam


Designed for experienced networking professionals with advanced knowledge of the Juniper Networks Junos OS, this written exam verifies the candidate’s understanding of advanced routing technologies and related platform configuration and troubleshooting skills.

As it is the beginning of 2016, it is time to set new goals for this year. One goal is to pass the Juniper JNCIP-SP exam. After the recertification of JNCIS-SP and JNCIA in October, I thought it would be good to start studying for the JNCIP-SP exam, as we are going to implement Juniper MX80 boxes this year. The JNCIP-SP exam objectives are listed here: http://www.juniper.net/us/en/training/certification/resources/jncip-sp/

I recommend creating an Excel sheet for the topics listed on the exam so you can track your progress and see where you need to focus. The one I created looks like this:

JNCIP-SP Excel sheet

Before starting I collected study materials for the Juniper JNCIP-SP exam from the Juniper website itself and ordered O'Reilly books from Amazon. Here is a list of the materials I am using right now.

Hardcover books
  • Juniper MX Series (O'Reilly)
  • Junos Cookbook (O'Reilly)
  • MPLS-Enabled Applications (by Ina Minei)

I am making notes on the Juniper MX Series book as I read it chapter by chapter.

eBooks (PDF)
  • JNCIP study guide by Harry Reynolds (.pdf file from the Juniper site)
  • Several Juniper Day One guides (from the Juniper site)
    • Mastering Automation
    • Deploying BGP Multicast VPNs
    • Deploying MPLS
  • JNCIS-SP study guides from the Juniper Fast Track program

Alternative resources

Next to taking the official courses, you can order the official course material used in the classes. My personal preference is self-study, and the official training books are a bit too expensive to buy, so I decided to start studying without them.

VMware and Olive lab setup

As this exam is CLI and syntax intensive, I recreated the topology from the JNCIP study guide in VMware ESXi with several Olives. The topology I created in VMware is the following:

JNCIP-SP topology

This is the well-known fish topology and should be suitable for any topic on this exam, as it contains a mix of CE, PE and P routers.

Expect blog posts about the several topics in this exam, just as I did with the CCNP-SP blog posts, and hopefully I will be ready within a certain amount of time.

If you have other suggestions regarding the materials listed please let me know!

 

CLI commands to check optical attenuation


This post outlines CLI commands to check optical power levels, and from those the attenuation, on Cisco and Brocade platforms.

The CLI does not print attenuation directly: it prints the transmit and receive power of the local transceiver, and the loss on a span is the far end's Tx power minus the local Rx power (both in dBm). To read these values the optics need DOM (Digital Optical Monitoring) support. Note that the Cisco platforms print power in dBm, while the Brocade VDX prints microwatts and the 7200 nanowatts, so convert before comparing.

Cisco Catalyst series:

catalyst#show int ten 1/1 transceiver 
ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                 Optical   Optical
           Temperature  Voltage  Tx Power  Rx Power
Port       (Celsius)    (Volts)  (dBm)     (dBm)
---------  -----------  -------  --------  --------
Te1/1        42.3       3.27      -1.7      -2.0   

catalyst#

Brocade VDX series:

brocadevdx# show media interface tengigabitethernet 1/0/42
  Interface      TenGigabitEthernet 1/0/42
  Identifier     3    SFP
  Connector      7    LC
  Transceiver            0000000000000010 10_GB/s  
  Name           sw
  Encoding       6    
  Baud Rate      103 (units 100 megabaud)
  Length 9u      0   (units km)
  Length 9u      0   (units 100 meters)
  Length 50u     8   (units 10 meters)
  Length 62.5u   3   (units 10 meters)
  Length Cu      0   (units 1 meter)
  Vendor Name    BROCADE         
  Vendor OUI     00:05:1e
  Vendor PN      XXXXXXXXX  
  Vendor Rev     A
  Wavelength     850 (units nm)
  Options        001a 
  BR Max         0   
  BR Min         0   
  Serial No      XXXXXXXXXXXX
  Date Code      141201  
  Optical Monitor yes
  Temperature    54 Centigrade
  Voltage        3275.1  (mVolts)
  Current        5.888  (mAmps)
  TX Power       510.9  (uWatts)
  RX Power       651.4  (uWatts)

brocadevdx#

Cisco 7200 series:

c7200#show interfaces gigabitEthernet 0/2 transceiver 
Static information
  ID: SFP transceiver
  Extended ID: 4
  Connector: LC
  SONET compliance: unspecified
  Gigabit Ethernet compliance: 1000BASE-LX
  Fibre Channel link length: (L) long distance
  Fibre Channel transmitter technology: (LC) longwave laser
  Fibre Channel transmission media: 
    (SM) single mode / (M5) multi-mode, 50m / (M6) multi-mode, 62.5m
  Fibre Channel speed: 100 MBytes/sec
  Encoding: 8B10B
  Bit Rate: 1300 Mbps
  Single mode fiber supported length: 10 km
  Single mode fiber supported length: 10000 m
  50 micron-multimode fiber supported length: 550 m
  62.5 micron-multimode fiber supported length: 550 m
  Upper bit rate limit: unspecified
  Lower bit rate limit: unspecified
  Date code (yyyy/mm/dd): 2013/08/20
  Vendor PN: F24-CI-SFP-GE-L 
  Vendor revision number: 2.0 
  Vendor serial number: XXXXXXX     

Transceiver status information
  Diagnostics calibration is external
  Temperature 52 (+/-3 Celsius)
  Voltage in transceiver 3264800 uV (+/- 10 mV)
  TX bias 26000 uA (+/- 100uA)
  TX power 278900 nW / -5 dBm (+/- 3dBm)
  RX power 241600 nW / -6 dBm (+/- 3dBm)
UDI(PID + VID + SN):SFP-GE-L          V01EA130927108
No Active Alarms
No Active Warnings

Alarm Thresholds:
                        high                     low
Temperature               85 C                   -10 C
Voltage              3600000 uV              2800000 uV
TX bias                90000 uA                 5000 uA
TX power             1000000 nW / 0   dBm      63100 nW / -11 dBm
RX power              501200 nW / -2  dBm       3200 nW / -24 dBm

Warning Thresholds:
                        high                     low
Temperature               75 C                   - 5 C
Voltage              3500000 uV              2900000 uV
TX bias                80000 uA                 6000 uA
TX power              794300 nW / -1  dBm      79400 nW / -11 dBm
RX power              398100 nW / -4  dBm       4000 nW / -23 dBm
c7200#

Cisco ASR1k series:

asr1k#sh hw-module subslot 0/0 transceiver 1 idprom detail
IDPROM for transceiver GigabitEthernet0/0/1:
  Description                               = SFP or SFP+ optics (type 3)
  Transceiver Type:                         = GE LX (20)
  Product Identifier (PID)                  = GLC-LH-SMD          
  Vendor Revision                           = A   
  Serial Number (SN)                        = XXXXXXXXXXXX  
  Vendor Name                               = CISCO           
  Vendor OUI (IEEE company ID)              = 00.90.65 (36965)
  CLEI code                                 = XXXXXXXXXXX
  Cisco part number                         = 10-2625-01
  Device State                              = Enabled.
  Date code (yy/mm/dd)                      = 14/05/18
  Connector type                            = LC.
  Encoding                                  = 8B10B
                                              NRZ
  Nominal bitrate                           = GE (1300 Mbits/s)
  Minimum bit rate as % of nominal bit rate = not specified
  Maximum bit rate as % of nominal bit rate = not specified
  The transceiver type is 20 
  Link reach for 9u fiber (m)               = 1xFC, 2xFC-SM(10km) (100)
  Link reach for 50u fiber (m)              = SX(550/270m) (55)
                                              LX(5km/550m) (55)
                                              LX(10km/550m) (55)
  Link reach for 62.5u fiber (m)            = LX(5km/550m) (55)
                                              LX(10km/550m) (55)
  Nominal laser wavelength                  = 1310 nm.
  DWDM wavelength fraction                  = 1310.0  nm.
  Supported options                         = Tx disable
                                              Tx fault signal
                                              Loss of signal (standard implementation)
  Supported enhanced options                = Alarms for monitored parameters
                                              Software Tx disable
                                              Software Tx fault monitoring
                                              Software Rx LOS monitoring
  Diagnostic monitoring                     = Digital diagnostics supported
                                              Diagnostics are internally calibrated
                                              Rx power measured is "Average power"
  Transceiver temperature operating range   = -5 C to 85 C (extended)
  Minimum operating temperature             = -5 C
  Maximum operating temperature             = 85 C
  High temperature alarm threshold          = +90.000 C
  High temperature warning threshold        = +85.000 C
  Low temperature warning threshold         =  -5.000 C
  Low temperature alarm threshold           =  -10.000 C
  High voltage alarm threshold              = 3600.0 mVolts
  High voltage warning threshold            = 3500.0 mVolts
  Low voltage warning threshold             = 3100.0 mVolts
  Low voltage alarm threshold               = 3000.0 mVolts
  High laser bias current alarm threshold   = 65.000 mAmps
  High laser bias current warning threshold = 55.000 mAmps
  Low laser bias current warning threshold  = 3.000 mAmps
  Low laser bias current alarm threshold    = 1.000 mAmps
  High transmit power alarm threshold       =  1.0 dBm
  High transmit power warning threshold     = -3.0 dBm
  Low transmit power warning threshold      = -9.5 dBm
  Low transmit power alarm threshold        = -13.5 dBm
  High receive power alarm threshold        =  1.0 dBm
  High receive power warning threshold      = -3.0 dBm
  Low receive power warning threshold       = -19.0 dBm
  Low receive power alarm threshold         = -23.0 dBm
  External Calibration: bias current slope  = 1.000
  External Calibration: bias current offset = 0
asr1k#

ASR9000 series:

RP/0/RSP0/CPU0:asr9k#show controllers tenGigE 0/0/2/0 phy 
Fri Feb 26 19:36:52.185 CET

SFP EEPROM  port: 0
        Xcvr Type: SFP
        Xcvr Code: SFP-10G-LR
        Encoding: 64B66B
        Bit Rate: 10300 Mbps
        Link Reach 9u fiber (Km): 10000 meter
        Link Reach 9u fiber (100m): 10000 meter
        Link Reach 9u fiber (100m): 10000 meter
        Vendor Name: CISCO-OPNEXT,INC
        Vendor OUI: 00.0b.40
        Vendor Part Number: TRS5021EN-S101   (rev.: 0000)
        Laser wavelength: 1310 nm (fraction: 0.00 nm)
        Optional SFP Signal: Tx_Disable, Tx_Fault, LOS 
        Vendor Serial Number: XXXXXXXXXXXX     
        Date Code (yy/mm/dd): 14/01/06  lot code: 00
        Diagnostic Monitoring: DOM, Int. Cal., 
        Enhanced Options: SW RX LOS Mon., SW TX Fault Mon, SW TX Disable, Alarm/Warning Flags

MSA Data
0x0000: 03 04 07 20 00 00 00 00 : 00 00 00 06 67 00 0a 64 
0x0010: 00 00 00 00 43 49 53 43 : 4f 2d 4f 50 4e 45 58 54 
0x0020: 2c 49 4e 43 00 00 0b 40 : 54 52 53 35 30 32 31 45 
0x0030: 4e 2d 53 31 30 31 20 20 : 30 30 30 30 05 1e 00 5f 
0x0040: 00 1a 00 00 4f 4e 54 31 : 38 30 32 30 30 31 36 20 
0x0050: 20 20 20 20 31 34 30 31 : 30 36 30 30 68 f0 03 24 

        Thresholds:                    Alarm High         Warning High          Warning Low            Alarm Low
              Temperature:            +75.000 C             +70.000 C              +0.000 C              -5.000 C
                  Voltage:           3.630 Volt            3.465 Volt            3.135 Volt            2.970 Volt
                     Bias:         80.000 mAmps          75.000 mAmps          10.000 mAmps           8.000 mAmps
           Transmit Power:  2.23870 mW (3.49996 dBm)   1.12200 mW (0.49993 dBm)   0.15140 mW (-8.19874 dBm)   0.06030 mW (-12.19683 dBm)
            Receive Power:  2.23870 mW (3.49996 dBm)   1.12200 mW (0.49993 dBm)   0.03630 mW (-14.40093 dBm)   0.01450 mW (-18.38632 dBm)
        Temperature: 41.488
        Voltage: 3.267 Volt
        Tx Bias: 28.956 mAmps
        Tx Power:  0.65170 mW (-1.85952 dBm)
        Rx Power:  0.53620 mW (-2.70673 dBm)
        Oper. Status/Control: 
EEPROM Memory (A2 lower)
0x0100: 4b 00 fb 00 46 00 00 00 : 8d cc 74 04 87 5a 7a 76 
0x0110: 9c 40 0f a0 92 7c 13 88 : 57 73 02 5b 2b d4 05 ea 
0x0120: 57 73 00 91 2b d4 01 6b : 00 00 00 00 00 00 00 00 
0x0130: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 
0x0140: 00 00 00 00 3f 80 00 00 : 00 00 00 00 01 00 00 00 
0x0150: 01 00 00 00 01 00 00 00 : 01 00 00 00 00 00 00 00 
0x0160: 29 7d 7f 9b 38 8e 19 75 : 14 f2 00 00 00 00 00 00 
0x0170: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 

        CLEI Code: COU^C5C^PA
        Part Number: 10-2457-02 (ver.: V02 )
        Temp/Alarm/Power Flags: COM, commercial 0C to 70C 
        Minimum Temperature: 0
        Maximum Temperature: 70
        Calibration Constants: 
        Product Id: SFP-10G-LR^T         
EEPROM Memory (A2 upper)
0x0180: 43 4f 55 49 08 c3 35 43 : 10 41 31 30 2d 32 34 35 
0x0190: 37 2d 30 32 56 30 32 20 : 01 00 46 00 00 00 00 b0 
0x01a0: 00 00 00 00 48 c3 00 00 : 00 00 00 56 c3 00 5c c3 
0x01b0: 00 00 00 00 00 00 00 00 : 70 00 00 00 00 00 aa aa 
0x01c0: 53 46 50 2d 31 30 47 2d : 4c 52 94 20 20 20 20 20 
0x01d0: 20 20 20 20 a8 32 00 00 : 00 00 00 00 00 00 00 2d 
0x01e0: 17 17 20 25 27 2f 23 33 : d0 83 00 00 d8 00 00 00 
0x01f0: 00 00 00 00 00 1f 00 00 : ff ff ff ff 00 00 00 00 
asr9k#

Cisco Nexus series:

n7k# show interface ethernet 1/1 transceiver details 
Ethernet1/1
    transceiver is present
    type is 10Gbase-LR
    name is CISCO-FINISAR   
    part number is FTLX1474D3BCL-CS
    revision is A   
    serial number is XXXXXXXXXXXXXXXXXX     
    nominal bitrate is 10300 MBit/sec
    Link length supported for 9/125um fiber is 10 km
    cisco id is --
    cisco extended id number is 4
    cisco part number is 10-2457-02
    cisco product id is SFP-10G-LR          
    cisco vendor id is V02 
    number of lanes 1

           SFP Detail Diagnostics Information (internal calibration)
  ----------------------------------------------------------------------------
                Current              Alarms                  Warnings
                Measurement     High        Low         High          Low
  ----------------------------------------------------------------------------
  Temperature   27.68 C        75.00 C     -5.00 C     70.00 C        0.00 C
  Voltage        3.32 V         3.63 V      2.97 V      3.46 V        3.13 V
  Current       31.54 mA       70.00 mA     1.00 mA    68.00 mA       2.00 mA
  Tx Power      -0.32 dBm       3.49 dBm  -12.19 dBm    0.49 dBm     -8.19 dBm
  Rx Power      -1.51 dBm       3.49 dBm  -18.38 dBm    0.49 dBm    -14.40 dBm
  Transmit Fault Count = 0
  ----------------------------------------------------------------------------
  Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning

n7k#
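The outputs above give optical power in three different units (dBm on the Cisco platforms, microwatts on the VDX, nanowatts on the 7200), and the span loss has to be derived from them by hand. The following Python, an added example that is not part of the original post, converts the readings to dBm, computes the span loss from the far end's Tx power and the local Rx power, and parses rows of the Nexus threshold table to flag a reading the way the Cisco legend does (++, +, -, --). The first Nexus row is the one shown above; the second row with -16.20 dBm and the span values are constructed.

```python
import math
import re


def uw_to_dbm(microwatts):
    """Convert an optical power reading in microwatts (what the Brocade VDX
    'show media' output prints) to dBm, the unit the Cisco outputs use."""
    if microwatts <= 0:
        return float("-inf")           # no light at all is below any dBm value
    return 10.0 * math.log10(microwatts / 1000.0)


def nw_to_dbm(nanowatts):
    """Same conversion for the nanowatt readings of the Cisco 7200 output."""
    return uw_to_dbm(nanowatts / 1000.0)


def span_loss_db(far_end_tx_dbm, local_rx_dbm):
    """Attenuation of a span in dB: the power the far end launched minus the
    power that arrived here.  Both inputs in dBm."""
    return far_end_tx_dbm - local_rx_dbm


def dom_flag(value, high_alarm, high_warn, low_warn, low_alarm):
    """Classify a DOM reading against its thresholds with the marks from the
    Cisco legend: '++' high alarm, '+' high warning, '-' low warning,
    '--' low alarm, '' when the value sits inside the warning window."""
    if value >= high_alarm:
        return "++"
    if value >= high_warn:
        return "+"
    if value <= low_alarm:
        return "--"
    if value <= low_warn:
        return "-"
    return ""


_NUMBER = re.compile(r"-?\d+\.\d+")


def parse_nexus_row(line):
    """Parse one row of the Nexus 'show interface ... transceiver details'
    table.  Column order there is: current, alarm high, alarm low,
    warning high, warning low.  Returns (reading, flag)."""
    numbers = [float(n) for n in _NUMBER.findall(line)]
    if len(numbers) != 5:
        raise ValueError("unexpected row: %r" % line)
    current, alarm_hi, alarm_lo, warn_hi, warn_lo = numbers
    return current, dom_flag(current, alarm_hi, warn_hi, warn_lo, alarm_lo)


# Constructed sample: the Rx Power row from the Nexus output above, and the
# same row with a weak signal, the kind of reading a dirty connector or an
# unexpected splitter in the path produces.
SAMPLE_ROWS = [
    "  Rx Power      -1.51 dBm       3.49 dBm  -18.38 dBm    0.49 dBm    -14.40 dBm",
    "  Rx Power     -16.20 dBm       3.49 dBm  -18.38 dBm    0.49 dBm    -14.40 dBm",
]


def check_rows(rows=SAMPLE_ROWS):
    """Flag for each sample row."""
    return [parse_nexus_row(r)[1] for r in rows]


if __name__ == "__main__":
    # The VDX reading above: 510.9 uW transmitted, 651.4 uW received.
    print("VDX Tx %.2f dBm, Rx %.2f dBm" % (uw_to_dbm(510.9), uw_to_dbm(651.4)))
    # Constructed span: the far end launches -2.92 dBm and we receive -5.12 dBm.
    print("span loss %.2f dB" % span_loss_db(-2.92, -5.12))
    for row, flag in zip(SAMPLE_ROWS, check_rows()):
        print(repr(flag), row.strip())
```

A receive level that drifts down while the far end's Tx and the vendor thresholds stay put is a span problem, not an optic problem; comparing the computed loss against the value recorded at commissioning is the quickest way to notice an extra connector or device that appeared in the path.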

 

 

Deny SSH on Brocade VDX


Yet another Brocade VDX post! This time on how to block SSH access on VE interfaces. Sounds pretty simple, but it took some time to find out how to do it!

After some Cisco Catalyst to Brocade VDX configuration conversions, I was not able to block SSH access to the IP interfaces that existed on the Brocade VDX. Usually some of these options are available:

  1. SSH access-group (not supported)
  2. VTY lines configured with an access-group and transport set to SSH
  3. VRF-aware SSH daemon support (not supported). Current Brocade NOS versions (>5.x) have mgmt-vrf capabilities, so you would think SSH could be limited to the mgmt-vrf; unfortunately not (yet).
  4. An ip access-list denying non-management networks access to SSH

So I focused on option 4, but couldn't get it to work. What I tried was the following configuration stanza, for this internet-facing VE:

vdx-1# show running-config ip access-list
ip access-list extended INET-IN
seq 10 deny tcp any host <ve 100 ip address> eq 22
seq 20 permit ip any any
vdx-1# 

vdx-1# show running-config rbridge-id 14 interface Ve 100
rbridge-id 14
interface Ve 100
ip access-group INET-IN in
ip address x.x.x.x/31
no shutdown
vdx-1#

I was still able to SSH to the IP address configured on Ve 100.

Apparently there is a Brocade-style ACE action named "hard-drop". A regular deny only takes effect on transit traffic: packets addressed to the switch itself are trapped to the CPU before the deny applies, which is why the SSH session to the VE address still worked. The hard-drop action drops the packet before it reaches the CPU, and it also works for transit traffic.

The access-list INET-IN should be configured to:

vdx-1# show running-config ip access-list
ip access-list extended INET-IN
seq 10 hard-drop tcp any host <ve 100 ip address> eq 22
seq 20 permit ip any any
vdx-1#

Now the ACL is doing what it is supposed to do: dropping SSH access to the VDX VE interface from the big bad interwebz. In the end pretty easy! Keep in mind that this protects Ve 100 only; SSH is still reachable via every other IP interface on the switch until those get the same treatment.

Packetcapture in Nexus VDC


This post outlines how to make a packet capture in a VDC on a Cisco Nexus device.

The ethanalyzer tool is only available in the Admin VDC. To capture traffic that belongs to a regular VDC, you make that VDC punt the interesting packets to the supervisor, where ethanalyzer in the Admin VDC can see them on the inband interface.

This is done with an ACL in the VDC you want to capture from: if you add the log keyword to an ACE, every packet matching that ACE is copied to the supervisor CPU. Two caveats: this is a CPU punt, not a SPAN session, so the supervisor rate-limits ACL-log punts and a busy flow will be sampled rather than captured completely; and the logging ACE costs CPU for as long as it is configured, so remove it once you have your capture.

Regular VDC configuration:

Creating the ACL:

nexus-vdc1(config)# ip access-list vdccapture
nexus-vdc1(config-acl)# permit ip host x.x.x.x host y.y.y.y log
nexus-vdc1(config-acl)# permit ip any any

It is important to permit ip any any at the end of the ACL; without it, the implicit deny would drop all other traffic on that interface.

Adding the ACL to a switchport (L2 interface):

nexus-vdc1(config)# interface ethernet x/y
nexus-vdc1(config-if)# ip port access-group vdccapture in

Adding the ACL to a routed port (L3 interface):

nexus-vdc1(config)# interface ethernet x/y
nexus-vdc1(config-if)# ip access-group vdccapture in

Note that the packet capture is unidirectional. If you want a bidirectional capture, apply a second ACL with the source and destination swapped to the interface where the return traffic enters.

You can use wireshark’s mergecap to merge the two packetcaptures.

Admin VDC configuration:

Here is the ethanalyzer capture command syntax. Of course you can use the other available parameters, for example to raise limit-captured-frames (by default the capture stops after 10 frames) or to store the pcap on bootflash for analysis in Wireshark.

nexus-admin# ethanalyzer local interface inband capture-filter "ip net x.x.x.x/24"
Capturing on inband
1 2016-06-08 15:39:17.028306 x.x.x.x -> y.y.y.y BGP 93 KEEPALIVE Message
2 2016-06-08 15:39:49.893040 y.y.y.y -> x.x.x.x TCP 74 17709 > bgp [ACK] Seq=1 Ack=1 Win=16150 Len=0

 


Synology NAS backup with rsync


This post outlines the configuration needed to back up a Synology NAS to a remote rsync server running Ubuntu Server 16.04.

rsyncd server configuration

Configure rsync to run as a daemon.

Edit /etc/default/rsync and set:

RSYNC_ENABLE=true

Edit /etc/rsyncd.conf and add the module below. path should point at your mount point; in my setup the mount point is an NFS mount (see the NFS section further down).

[backup]
comment = Backup NAS Wouter
path = /mnt/backup
read only = no
list = yes
uid = <uid>
gid = <gid>
auth users = <username>
secrets file = /etc/rsyncd.secrets
incoming chmod = a-rwx,u+rwx

edit /etc/rsyncd.secrets and add the following:

<username>:<password>

This is the username and password you will need to configure on the Synology NAS when setting up the backup target with hyperbackup.

Set the file permissions so that only root can read the secrets file. The password is stored in cleartext, and rsync refuses a secrets file that is readable by others while strict modes is enabled (the default):

chmod og-rwx /etc/rsyncd.secrets

After this restart rsyncd:

sudo systemctl restart rsync
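The rsync daemon protocol authenticates the auth users password with a challenge-response, but the transferred data and the module itself are otherwise protected only by what rsyncd.conf says: without hosts allow the module accepts connections from any address, use chroot = no lets a path escape the module directory, and with strict modes (the default) rsync refuses a secrets file that is readable by anyone but the daemon user. The Python below, an added example that is not part of the original post, parses an rsyncd.conf and reports those weaknesses for one module; the module text follows the one above with a constructed user name and NAS address, and the secrets file is a temporary file created for the demo.

```python
import configparser
import os
import stat
import tempfile


def parse_rsyncd_conf(text):
    """rsyncd.conf is INI-like, but global parameters may precede the first
    [module] header, which configparser rejects.  They are collected under a
    synthetic [global] section that serves as the defaults for every module,
    which is how rsync applies global parameters too."""
    cp = configparser.ConfigParser(interpolation=None, default_section="global")
    cp.read_string("[global]\n" + text)
    return cp


def _is_off(value):
    return value.strip().lower() in ("no", "false", "0")


def audit_module(conf_text, module, secrets_mode=None):
    """Return a list of findings for one module.  secrets_mode is the
    permission bits of the secrets file (stat.S_IMODE), or None to skip it."""
    cp = parse_rsyncd_conf(conf_text)
    if not cp.has_section(module):
        raise KeyError("no module %r in configuration" % module)
    sec = cp[module]
    findings = []
    if not sec.get("auth users"):
        findings.append("auth users missing: anyone who reaches the daemon can use the module")
    elif not sec.get("secrets file"):
        findings.append("auth users set but no secrets file: logins cannot succeed")
    if not sec.get("hosts allow"):
        findings.append("hosts allow missing: the module accepts connections from any address")
    if _is_off(sec.get("use chroot", "yes")):
        findings.append("use chroot = no: a path escaping the module directory is not contained")
    if secrets_mode is not None and secrets_mode & 0o077:
        if _is_off(sec.get("strict modes", "yes")):
            findings.append("secrets file readable by group/other and strict modes disabled: passwords exposed")
        else:
            findings.append("secrets file readable by group/other: rsync refuses it while strict modes = yes")
    return findings


def secrets_file_mode(path):
    """Permission bits of the secrets file as rsync's strict modes check sees them."""
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed module in the shape of the one above (user name and uid/gid are made up).
PAGE_MODULE = """
[backup]
comment = Backup NAS Wouter
path = /mnt/backup
read only = no
list = yes
uid = 1001
gid = 1001
auth users = nasbackup
secrets file = /etc/rsyncd.secrets
incoming chmod = a-rwx,u+rwx
"""

# Same module restricted to the NAS address (constructed) and hidden from listing.
HARDENED_MODULE = """
[backup]
comment = Backup NAS Wouter
path = /mnt/backup
read only = no
list = no
uid = 1001
gid = 1001
auth users = nasbackup
secrets file = /etc/rsyncd.secrets
incoming chmod = a-rwx,u+rwx
hosts allow = 192.0.2.20
use chroot = yes
"""


def demo():
    """Audit both modules against a temporary secrets file, first world-readable,
    then with the chmod og-rwx from the post.  Returns (loose, tight) findings."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"nasbackup:correct horse battery staple\n")   # constructed entry
        os.close(fd)
        os.chmod(path, 0o644)
        loose = audit_module(PAGE_MODULE, "backup", secrets_file_mode(path))
        os.chmod(path, 0o600)
        tight = audit_module(HARDENED_MODULE, "backup", secrets_file_mode(path))
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("as posted:", *loose, sep="\n  ")
    print("hardened:", tight)
```

hosts allow is the important addition for a backup target that listens on the network: the module still needs the password, but only the NAS address gets to try it, and a stolen rsyncd.secrets entry is useless from anywhere else.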

NFS mountpoint

The configuration below is my own setup and related to the content above.

edit /etc/fstab and add the following entry:

<nfs serverip>:/volume2/wp-backup /mnt/backup nfs noauto,nolock,x-systemd.automount,rsize=16384,wsize=16384,timeo=14,intr 0 0
sudo systemctl daemon-reload
sudo systemctl restart mnt-backup.automount
ls /mnt/backup

The ls command should now trigger automount:

dev systemd[1]: mnt-backup.automount: Got automount request for /mnt/backup, triggered by 24339 (ls)
dev systemd[1]: Mounting /mnt/backup...
dev systemd[1]: Mounted /mnt/backup.

 

Brocade VDX – Interconnecting Fabrics – line protocol down (ISL down)


While interconnecting two Brocade VDX VCS fabrics using normal Ethernet trunks, I stumbled on the following interface status during a migration:

TenGigabitEthernet 2/0/17 is up, line protocol down (ISL DOWN)

The interface configuration was configured as follows on both ends:

interface ten 2/0/17
 no fabric isl enable
 no fabric trunk enable
 switchport
 switchport mode trunk
 spanning-tree shutdown
 no shutdown

Note that ISL is disabled and fabric trunking is disabled as well. No problem connecting two separate fabrics this way, you would think... :)

After some attempts to get this interface up and running, it appears there is a neighbor discovery protocol on the VDX that still checks the VCS ID configured on the fabrics (you can't turn it off). When both fabrics you would like to interconnect use the same VCS ID, you will not be able to get a normal trunk up, even if you disable ISL on these links. The solution is to renumber one of the fabrics to another VCS ID. The sad thing is that renumbering a VCS ID means you will lose the current configuration of the fabric member.

I hope this post helps, as it took me some time to figure this stupid thing out.

Cheers!

Python script for PIM SSM mappings


A small functional Python script to generate a lot of static SSM mappings for IOS-XR. mcast-groups.txt is a tab-separated export from Excel (not comma separated) with one mapping per line: source address, ACL name, group address.

#!/usr/bin/env python3
# Generate IOS-XR static SSM mappings from mcast-groups.txt, a tab-separated
# export with one mapping per line: <source address> <ACL name> <group address>
with open('mcast-groups.txt', 'r') as f:
    for line in f:
        entries = line.split()
        if len(entries) < 3:          # skip blank or incomplete lines
            continue
        source, acl_name, group = entries[0], entries[1], entries[2]
        # one standard ACL per group, matching the group address
        print('ipv4 access-list ' + acl_name)
        print('10 permit ipv4 host ' + group + ' any')
        # static IGMP join for the group on the receiving interface
        print('router igmp vrf BLACKZONE interface Loopback1 static-group ' + group)
        # map the group (via its ACL) to its SSM source
        print('ssm map static ' + source + ' ' + acl_name)

 

Python script for PPPoE and PPPoA users


I wrote this Python script to check the number of PPPoE and PPPoA users on a Cisco IOS-XE box. It's also used by a provisioning system to check whether a PPPoX session came up or not. (Note: still learning Python.)

The output will look like this for PPPoA users:

User bcadslb1036568 is connected for 5d03h by using PPPoATM and has ip address: <ip>(Vi103)
Interface is: 2/0.16140 VPI: 16 VCI: 140 Rate: 12288 Status: UP
Results of ATM ping:
Type escape sequence to abort.
Sending 5, 53-byte end-to-end OAM echoes, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
Total # of PPPoA users: X
Total # of PPP users: Y

The output will look like this for PPPoE users:

User bcadslb278805469 is connected for 19:32:46 by using PPPoE and has ip address: <ip>(Vi102)
Customer MAC address is: 2465.116f.c298 Vendor-ID: AVM GmbH
Customers sessions present on interface: Gi1/0.805
Total # of PPPoE sessions is: X
Total # of PPP users: Y

Here is the script; the latest version is always on GitHub.

#!/usr/bin/env python3
import os
import re
import sys
import argparse
from netmiko import ConnectHandler
from netaddr import EUI, IPAddress, AddrFormatError

# Device credentials were placeholders in the original; they are read from the
# environment here so they are not stored in the script itself.
ar = {
    'device_type': 'cisco_ios',
    'ip': os.environ['BRAS_HOST'],
    'username': os.environ['BRAS_USER'],
    'password': os.environ['BRAS_PASS'],
    'port': 22,                                   # optional, defaults to 22
    'secret': os.environ.get('BRAS_ENABLE', ''),  # optional, defaults to ''
    'verbose': False,                             # optional, defaults to False
}

parser = argparse.ArgumentParser()
parser.add_argument("username", help="display information for this username")
parser.add_argument("route", help="host route (IP address) that belongs to the username")
args = parser.parse_args()

# Both arguments are spliced into CLI commands sent to the router, so reject
# anything that is not a plain username or an IP address before using them.
if not re.fullmatch(r'[A-Za-z0-9._@-]+', args.username):
    sys.exit("invalid username")
try:
    IPAddress(args.route)
except AddrFormatError:
    sys.exit("invalid route address")

net_connect = ConnectHandler(**ar)
userinfo = net_connect.send_command('show users | incl ' + args.username)
routeinfo = net_connect.send_command('show ip route ' + args.route + ' | incl /32')
totalusers = net_connect.send_command('show users summary | incl total').split()
totaluserspppoa = net_connect.send_command('show users summary | incl PPPOA').split()
pppoeusers = int(totalusers[0]) - int(totaluserspppoa[1])

# determine if the username and/or the route can be found in the show output
if args.username not in userinfo and args.route not in routeinfo:
    print("username and route not present... user is offline\n")
    sys.exit()
elif args.username not in userinfo and args.route in routeinfo:
    # username is not found, route is present
    routeinfo = routeinfo.split()
    print(routeinfo[3] + ' is active\n')
elif args.username in userinfo and args.route in routeinfo:
    # username present and route present
    userinfo = userinfo.split()
    print("User %s is connected for %s by using %s and has ip address: %s(%s)\n"
          % (userinfo[1], userinfo[3], userinfo[2], userinfo[4], userinfo[0]))

    # get detailed info from either PPPoE or PPPoA
    if userinfo[2] == "PPPoE":
        pppoeclient = net_connect.send_command('show pppoe session | incl ' + userinfo[0]).split()
        mac = EUI(pppoeclient[2])                 # netaddr parses the Cisco dotted MAC format
        ouiorg = str(mac.oui.registration().org)  # vendor from the OUI registry
        print('Customer MAC address is: ' + str(mac) + ' Vendor-ID: ' + ouiorg + '\n')
        print('Customer session is present on interface: ' + pppoeclient[3] + '\n')
        print('Total # of PPPoE sessions is: %d\n' % pppoeusers)
        print("Total # of PPP users: %s\n" % totalusers[0])
    else:
        # fetch the ATM PVC bound to the virtual-access interface
        atmpvc = net_connect.send_command('show interfaces ' + userinfo[0] + ' | incl Bound').split()
        # fetch more info; the PVCs live on ATM 2/0 in this deployment
        atmpvc2 = net_connect.send_command('show atm pvc interface ' + atmpvc[2] + ' | incl 2/0').split()
        print('Interface is: ' + atmpvc2[0] + ' VPI: ' + atmpvc2[2] + ' VCI: ' + atmpvc2[3]
              + ' PeakRate: ' + atmpvc2[7] + ' Kbps Status: ' + atmpvc2[8] + '\n')
        atmping = net_connect.send_command('ping atm interface atm' + atmpvc2[0] + ' '
                                           + atmpvc2[2] + ' ' + atmpvc2[3] + ' end')
        print('Results of ATM ping: %s\n' % atmping)
        print("Total # of PPPoA users: %s\n" % totaluserspppoa[1])
        print("Total # of PPP users: %s\n" % totalusers[0])

 

MPLS LDP label filtering


This post outlines MPLS LDP label filtering on IOS and IOS-XE. It contains the LDP label filtering configuration and the corresponding output.

Why?

Recently we migrated two POPs to an MPLS-based network, coming from VRF Lite. With other non-MPLS POPs left to migrate, we still have quite a few prefixes in our IGP.

As LDP assigns labels for IGP-based routes, we ended up with quite a few labels that were generated and advertised without any purpose. This may impact convergence of a network, so we set up LDP label filtering to only generate labels for PEs that have L3VPN or AToM xconnects. Label filtering can be used to minimize the number of prefixes in the LIB and to control which labeled prefixes are advertised using LDP.

How?

There are two ways to control LDP label filtering:

  • LDP inbound label filtering (per LDP neighbor configuration)
  • LDP advertised label filtering

The configurations that follow are based on LDP advertised label filtering. The reason for this is that inbound label filtering is error-prone (lots of config), and if you solve the problem at the source (advertising labels), it won’t affect others. :)

This post assumes the following basic MPLS LDP configuration:

mpls ldp router-id Loopback0 force
mpls label protocol ldp
! all labeled interfaces
int gig x/y
 mpls ip

The configuration of advertised label filtering starts with a standard access-list for the prefixes you would like to generate labels for. For MPLS L3VPN you basically only want labels for the PE loopbacks.

ip access-list standard ldp-loopbacks
 permit <subnet with your /32 loopbacks> 0.0.0.31

Next you need to configure LDP to use this standard access-list:

mpls ldp advertise-labels for ldp-loopbacks

The result of this config can be obtained with the following commands:

PE1#show mpls ldp bindings
 lib entry: z.z.z.z/24, rev 9
 local binding: label: imp-null
 lib entry: x.x.x.x/32, rev 10
 local binding: label: 16
 lib entry: y.y.y.y/32, rev 11
 local binding: label: imp-null
PE1#

PE1#show mpls ldp bindings advertisement-acls
Advertisement spec:
Prefix acl = ldp-loopbacks

lib entry: z.z.z.z/24, rev 9
lib entry: x.x.x.x/32, rev 10
Advert acl(s): Prefix acl ldp-loopbacks
lib entry: y.y.y.y/32, rev 11
Advert acl(s): Prefix acl ldp-loopbacks
PE1#

When checking the results on another PE (PE2), it appears that the labels in the LIB are still advertised even though the prefixes do not match the standard ACL of PE1. So the implicit deny of a standard ACL does not work on its own: the default advertise-labels statement is still active and keeps advertising every local binding.

There is one missing command on PE1 to fix this:

no mpls ldp advertise-labels

Total configuration of one PE for LDP label filtering:

ip access-list standard ldp-loopbacks
 permit <subnet of all PE loopbacks> <wildcard>

no mpls ldp advertise-labels
mpls ldp advertise-labels for ldp-loopbacks
mpls label protocol ldp
mpls ldp router-id Loopback0

! all labeled interfaces
mpls ip
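As an added example (not code from the original post), a small Python check for the pitfall described above: it flags a config that has the "advertise-labels for <acl>" statement without "no mpls ldp advertise-labels", and it lists the LIB entries in "show mpls ldp bindings advertisement-acls" output that match no advertisement ACL. The config and show output are constructed from the examples in this post, with 10.255.0.0/27 standing in for the loopback subnet.

```python
import re

# Constructed sample of the relevant running-config lines (10.255.0.0/27 stands in for the loopback subnet).
CONFIG_OK = """\
ip access-list standard ldp-loopbacks
 permit 10.255.0.0 0.0.0.31
no mpls ldp advertise-labels
mpls ldp advertise-labels for ldp-loopbacks
mpls label protocol ldp
"""
# The same config with the easily forgotten 'no' statement left out.
CONFIG_MISSING_NO = CONFIG_OK.replace("no mpls ldp advertise-labels\n", "")

# Constructed sample modelled on 'show mpls ldp bindings advertisement-acls'.
SHOW_ADV_ACLS = """\
Advertisement spec:
Prefix acl = ldp-loopbacks

lib entry: 10.1.1.0/24, rev 9
lib entry: 10.255.0.1/32, rev 10
Advert acl(s): Prefix acl ldp-loopbacks
lib entry: 10.255.0.2/32, rev 11
Advert acl(s): Prefix acl ldp-loopbacks
"""


def audit_ldp_advertise_config(config):
    """Return a list of findings; an empty list means the filter is complete."""
    findings = []
    acls = re.findall(r"^mpls ldp advertise-labels for (\S+)", config, re.M)
    if not acls:
        return ["no 'mpls ldp advertise-labels for <acl>' statement: nothing is filtered"]
    if not re.search(r"^no mpls ldp advertise-labels\s*$", config, re.M):
        findings.append("missing 'no mpls ldp advertise-labels': the default "
                        "advertisement still sends a label for every LIB entry")
    for acl in acls:
        if not re.search(r"^ip access-list standard %s\s*$" % re.escape(acl), config, re.M):
            findings.append("ACL %s is referenced but not defined" % acl)
    return findings


def unfiltered_lib_entries(show_output):
    """Prefixes whose LIB entry is followed by no 'Advert acl(s):' line, i.e. matched no ACL."""
    lines = show_output.splitlines()
    unfiltered = []
    for i, line in enumerate(lines):
        m = re.match(r"\s*lib entry: (\S+), rev", line)
        if m is None:
            continue
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not following.startswith("Advert acl(s):"):
            unfiltered.append(m.group(1))
    return unfiltered
```

Run the two functions over the output of "show running-config" and the advertisement-acls command of each PE; any prefix returned by unfiltered_lib_entries is still advertised as long as the default statement is active.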

I hope this helps someone out there. If you have any questions, please comment!

Unifi controller on Synology NAS


This post is about how to configure and run the Ubiquiti unifi controller on a Synology NAS using Docker.

Quite recently I purchased a UAP-AC-PRO access point. Part of the Ubiquiti unifi solution is the unifi controller. I tried installing the unifi controller on an Ubuntu 16.04 (LTS) system with shared applications, but that didn’t work out well because of IPv6 running on this box: the installation of the unifi controller failed because of it. Normally you would dedicate a VPS to the unifi controller function. :)

Then I thought about running the unifi controller on my Synology NAS DS412+. After some investigation I saw that Docker was available as an application and that someone had actually published the unifi controller on Docker Hub.

Here are the steps needed to get the unifi controller running on a Synology NAS running DSM 6.0.2-8451 Update 6, using the GUI:

1.) Install docker from package center

2.) Open Docker, go to Registry, search for unifi (https://hub.docker.com/r/jacobalberty/unifi/) and click download.

3.) Within a few minutes (depending on your download speed) the image should be available in the image tab.

4.) Within the image tab click start and choose a wise name to identify your own unifi controller (mine is called wifi-controller).

5.) Set the network settings 1:1 (TCP/UDP ports) and make sure you do not have any other applications running on these ports (like SabNZB).

6.) Start the wifi-controller and access it through: https://<nas-ip>:8443

Have fun!

Configuring EVE-NG on VMware


After a successful install of EVE-NG (as a guest) on VMware Server 5.1, a couple of notes:

  • EVE-NG as a virtual machine requires Intel VT enabled on the host you install it on; this can be configured from the BIOS of the host. You can verify that it is enabled by going to the following URL on the ESX host:
    https://[esx-host-ip]/mob/?moid=ha-host&doPath=capability

    CTRL+F for nestedHVSupported
  • You need to enable CPU VT extensions passthrough in the EVE-NG guest machine configuration. How you configure this depends on the VMware ESXi version you are running. As I am running VMware Server 5.1, the .vmx file was adjusted with the value:
    vhv.enable = "true"

PPPoE termination on a Juniper MX


This post is about terminating PPPoE sessions dynamically on a Juniper MX. Recently I’ve set up dynamic PPPoE termination successfully on an MX series; the goal was to migrate the PPPoE termination functionality from a Cisco 7206 VXR towards one of our Juniper MXs.

There is documentation from Juniper that describes how to set this up:

I stumbled upon several weird things while testing with PPPoE that I thought may be worth sharing.

There are several ways to set up PPPoE termination on an MX:

  • Static subscriber management
  • Dynamic subscriber management

When configuring static subscriber management you need to provision a logical interface for each subscriber; this will not scale once you have more subscribers.

Dynamic subscriber management is the way I wanted to go, because of the number of subscribers we have.

JunOS version 13.3R9 experiences

I started testing on JunOS 13.3R9. Some observations:

  • The documentation was not clear on whether you needed to set the access-profile at the vlan-profile or globally.
  • I noticed that the available command set was not very useful for serious troubleshooting.
  • The dynamic PPP profile needs to end with -profile in its name; if you use a different name it will not work. It’s probably documented somewhere internally at Juniper.
  • IPCP DNS configuration for clients was not configurable or supported in this release.
  • The test aaa commands cannot be used on an MX; you can enter the command but it won’t do a thing. This command is apparently only valid on a Juniper EX?

After this experience a new recommended JTAC version was released, so I continued testing on JunOS 15.1R6.7.

JunOS version 15.1R6.7 experiences

Right after the upgrade from JunOS 13.3R9 to 15.1R6.7, the PPPoE configuration that was previously working stopped completely.

After doing some packet captures I could see the PADI coming in from clients, but the MX was dead silent. The “show pppoe statistics” counters were all at 0, confirming that the MX was dead silent.

After some debugging I found the following message from auto-configuration:

Sep 9 11:55:53 autoconfd_if_l2_input: dropping request since resources are not available

The reason for this message is that from JunOS 15.x onwards, dynamic subscriber management apparently only works when you run the chassis in enhanced IP mode. I couldn’t find a reference to this in the release notes, but ok… :-)

After setting the configuration as described here, PPPoE started working again! So what is this PPPoE configuration about?

The Cisco 7206VXR configuration for PPPoE that I was trying to convert was basically the following:

bba-group pppoe pppoe-profile
 virtual-template 1
 sessions per-vc limit 1
 sessions per-mac limit 1
 sessions auto cleanup

interface Virtual-Template1
 description pppoe template
 ip unnumbered Loopback2
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 ip mtu 1492
 no logging event link-status
 ipv6 enable
 no snmp trap link-status
 no peer default ip address
 ppp mtu adaptive
 ppp authentication pap ATM
 ppp ipcp dns <ns-server-ip1> <ns-server-ip2>
 ppp ipcp mask 255.255.255.255
end

Configuration of dynamic subscriber management

Here is the configuration that I have used to set up dynamic subscriber management using dynamic VLANs and dynamic PPP interfaces. The result of this configuration is that end users can plug-and-play, and the only thing you need to do is create a RADIUS account for the happy end user.

AAA configuration

wp@MX> show configuration access
domain-name-server-inet {
    <ns-server-ip1>;
    <ns-server-ip2>;
}
domain-name-server-inet6 {
    <ns-server-ip1>; <ns-server-ip2>;
}

profile radius-profile {
    authentication-order radius;
    radius {
        authentication-server 192.168.254.2;
        options {
            nas-identifier MX;
        }
    }
    radius-server {
        <ip1> {
            port 1812;
            secret "<hash>"; ## SECRET-DATA
            source-address x.x.x.x;
        }
        <ip2> {
            port 1812;
            secret "<hash>"; ## SECRET-DATA
            source-address y.y.y.y;
        }
    }
}

wp@MX> show configuration access-profile
radius-profile;

System configuration

Before applying any dynamic-profile related configuration, I enabled versioning on the MX; this allows a dynamic profile to be adjusted while subscribers are online.

wp@MX> show configuration system dynamic-profile-options
versioning;

Dynamic vlan profile configuration

wp@MX> show configuration dynamic-profiles vlan-profile
interfaces {
    demux0 {
        unit "$junos-interface-unit" {
            no-traps;
            vlan-id "$junos-vlan-id";
            demux-options {
                underlying-interface "$junos-interface-ifd-name";
            }
            family pppoe {
                access-concentrator <hostname-pe>;
                duplicate-protection;
                dynamic-profile pppoe-profile;
                max-sessions 1;
            }
        }
    }
}

Dynamic ppp profile configuration

wp@MX> show configuration dynamic-profiles pppoe-profile
interfaces {
    pp0 {
        unit "$junos-interface-unit" {
            no-traps;
            ppp-options {
                pap;
                ipcp-suggest-dns-option;
            }
            pppoe-options {
                underlying-interface "$junos-underlying-interface";
                server;
            }
            family inet {
                rpf-check;
                unnumbered-address lo0.0;
            }
        }
    }
}

Interface configuration

wp@MX> show configuration interfaces xe-1/0/7
flexible-vlan-tagging;
auto-configure {
    vlan-ranges {
        dynamic-profile vlan-profile {
            accept pppoe;
            ranges {
                100-900;
            }
        }
    }
}
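As an added example (not from the original post or from Juniper), a small Python check that compares the Cisco bba-group/virtual-template config above with the Junos dynamic profiles (in "display set" form) for the settings a migration should carry over, in particular the uRPF check and the one-session-per-subscriber limit. The equivalences between Cisco and Junos statements are my assumption, and the config excerpts are constructed from this post with placeholder DNS addresses.

```python
import re

# Constructed excerpts of the Cisco config shown in this post (DNS addresses are placeholders).
CISCO_CFG = """\
bba-group pppoe pppoe-profile
 sessions per-mac limit 1
interface Virtual-Template1
 ip unnumbered Loopback2
 ip verify unicast source reachable-via rx
 ppp authentication pap ATM
 ppp ipcp dns 192.0.2.53 192.0.2.54
"""

# Constructed 'show configuration dynamic-profiles | display set' view of the profiles above.
JUNOS_SET_CFG = """\
set dynamic-profiles pppoe-profile interfaces pp0 unit "$junos-interface-unit" ppp-options pap
set dynamic-profiles pppoe-profile interfaces pp0 unit "$junos-interface-unit" ppp-options ipcp-suggest-dns-option
set dynamic-profiles pppoe-profile interfaces pp0 unit "$junos-interface-unit" family inet rpf-check
set dynamic-profiles pppoe-profile interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles vlan-profile interfaces demux0 unit "$junos-interface-unit" family pppoe max-sessions 1
set dynamic-profiles vlan-profile interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
"""

# Assumed equivalences: (description, Cisco line pattern, Junos set-line pattern).
PARITY = [
    ("PAP authentication", r"^ ppp authentication pap\b", r" ppp-options pap$"),
    ("DNS servers handed out via IPCP", r"^ ppp ipcp dns\b", r" ipcp-suggest-dns-option$"),
    ("uRPF check on subscriber interface", r"^ ip verify unicast source reachable-via rx$", r" family inet rpf-check$"),
    ("unnumbered to loopback", r"^ ip unnumbered Loopback\d+$", r" family inet unnumbered-address lo0\.\d+$"),
    ("one PPPoE session per subscriber", r"^ sessions per-mac limit 1$", r" family pppoe max-sessions 1$"),
]


def parity_gaps(cisco_cfg, junos_set_cfg):
    """Return the descriptions of settings present in the Cisco config but absent from the Junos profiles."""
    gaps = []
    for desc, cisco_pat, junos_pat in PARITY:
        on_cisco = re.search(cisco_pat, cisco_cfg, re.M) is not None
        on_junos = re.search(junos_pat, junos_set_cfg, re.M) is not None
        if on_cisco and not on_junos:
            gaps.append(desc)
    return gaps


if __name__ == "__main__":
    for gap in parity_gaps(CISCO_CFG, JUNOS_SET_CFG) or ["no gaps"]:
        print(gap)
```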

Although it looks easy, it took a while to get things working and to understand how the demux interface works (or not ;-)).

I hope this helps other people setting up PPPoE termination on the MX platform; feel free to comment.
